Testing the Configuration


Now that the FireWall-1 package is configured and you have rebooted your Nokia, it's time to test access to the firewall so you can configure and install security policies. We want to make sure that our firewall is installed and configured correctly, and testing the basic administrative firewall tasks is an easy way to verify that fact. This is particularly important after we have performed an upgrade between major versions (such as 4.1 to NG). We will test GUI client access as well as defining and installing a basic policy. For the sake of completeness, we will test both the pushing and fetching of our security policy.

Testing GUI Client Access

After you have the Check Point packages installed, enabled, and configured, you can begin configuring a security policy for your Nokia firewall. Even if the InitialPolicy is loaded, you should be able to connect with a GUI client and push a policy. If you have any trouble with this process, unload the default filter with fw unloadlocal (prior to NG FP2, the command was fw unload localhost). You can run the management clients on the following operating systems:

  • Windows 98/ME

  • Windows XP (Home or Professional)

  • Windows 2000 SP1 or SP2 (Professional, Server, or Advanced Server)

  • Windows NT SP6a (Workstation or Server)

  • Solaris 8 (32 or 64 bit—note that running the GUI on Solaris requires a Motif license)

If you are running a firewall prior to NG FP3, you will be logging in to the Check Point Policy Editor to manage security policies. In NG FP3, the name of the editor has been changed to SmartDashboard. The FP3 SmartDashboard doesn't look much different from the FP2 interface, so we will use the FP3 smart clients in our examples. On Windows, begin by going to Start | Programs | Check Point SMART Clients | SmartDashboard NG FP3. You will be presented with a login prompt like the one in Figure 18.14.


Figure 18.14: SmartDashboard Login

To log in the first time, enter your username, password, and management server IP address. If you are connecting to the Nokia as the management server, enter the IP address of the interface that is closest to you (it could be the internal IP or SSN IP) in the Management Server box. As the client connects, you will be presented with the management server's fingerprint that was generated during the initial configuration procedure. You should match the fingerprint in the client to the fingerprint on the management server to verify that you are connecting to the correct machine (see Figure 18.15). If it matches, click the Approve button to continue logging in to the management server.

Figure 18.15: Fingerprint Identification

Note

In NG FP2 and FP3, you can now select a check box to log in to your management clients in demo mode. Previously, you would need to log in with the management server field set to *local to run the demo. Also new in FP3 is the ability to select a management server from a pull-down list. This is a really nice feature if you normally manage multiple management servers, since each time you type in a new server, it is added to the list.

If the fingerprint changes because you reinstalled the management server software, put in new hardware as a replacement for the old management server, or regenerated the ICA certificate, you will receive a warning similar to the one shown in Figure 18.16. Again, you should verify the fingerprint before accepting the new one.

Figure 18.16: Fingerprint Warning

As long as the fingerprint remains the same, you will get no message after the first acceptance. Behind the scenes, Check Point will verify that the fingerprint matches. After you pass authentication and accept the fingerprint, you will see the SmartDashboard window, as shown in Figure 18.17. From here you can view and manage your network objects and policies. Initially, you will have a single object configured to represent your firewall, which NG creates for you during installation (see Figure 18.18).

Figure 18.17: Check Point SmartDashboard

Figure 18.18: Check Point Gateway Object

You should verify that your firewall object is configured properly before you try to push a policy. To edit your firewall object, click Manage in the main menu and select Network Objects. Highlight the firewall object and click Edit. Check that the correct IP address is entered in the General Properties tab. The IP entered here should correspond to the external IP address of your firewall, which is the same IP address that you use for a local license on the firewall. Modify the Check Point products installed to include the options that the installation didn't select for you, such as VPN-1, FloodGate-1, and so on. Also verify that the Topology tab is configured with the correct information about your firewall.

Note

If you have a distributed installation, you need to create the firewall object for your Nokia. It will not be created for you as it was in our previous example.

When you are finished editing your firewall object, click OK. Now you can begin creating all the other network objects that you will need to use in your Security Policy. Using these network objects, you will create a rule base in the Security tab of the SmartDashboard. Here we put in a simple "accept-all" policy to show you the procedure. Do not use an accept-all policy on your firewall, since a policy like this will provide you with no protection.

Begin by clicking the Rules menu option and select Add Rule | Top. This inserts the default rule: Any source, Any destination, and Any service, with the action set to Drop and no logging. Right-click the Action cell and select Accept. Then, right-click the Track cell and select Log.

Now choose the File menu and Save the policy. The policy is named Standard by default and is defined in Figure 18.17.

Pushing and Fetching Policy

Now you are ready to test pushing a policy to your Nokia firewall. From the SmartDashboard, click the Policy menu and choose Install. Your objects, rules, and users will be saved at this time. If this is the first time you are installing a policy, you will receive a warning message like the one shown in Figure 18.19 until you click the box to stop showing the message. This message simply informs you that there are some rules that are defined through the Global Properties that can be configured through the Policy menu. These rules are "implicit" rules and are not visible in your Security Policy window. You can make these rules visible by selecting Implied Rules from the View menu. Check the box so that you don't see this message again, and click OK to continue.


Figure 18.19: SmartDashboard Warning

Next you will receive a policy install window where you need to select the type of policy you will install on certain Check Point objects (see Figure 18.20). If you have multiple firewalls, they will all be displayed in this window. If you are installing to a stand-alone Nokia, accept the default values and click OK to begin the installation process. (By stand-alone we mean a VPN-1/FireWall-1 management server and enforcement module installed on a single platform—in other words, the opposite of a distributed installation.)

Figure 18.20: Policy Installation Targets

Now your management server will verify the rule base, compile the security policy, and push the policy to the firewall module. An installation process status window will be displayed, similar to the one in Figure 18.21. Now you must wait for the installation to complete. When the installation is done, the Close button will light up and the status will change to a green check mark if the install was successful. There could be warnings associated with the policy installation, and in that case a red exclamation point (!) will accompany the check mark, as shown in Figure 18.22. This installation window is new in NG FP3.

Figure 18.21: Installation Process

Figure 18.22: Installation Succeeded

If you receive warnings or errors on the installation, you can view these messages by clicking the button labeled Show Warnings, as shown in Figure 18.22. If you have not yet configured antispoofing on your gateway's interfaces, you will always receive these warnings on a policy install. You could also have a warning about your license, if it will expire in less than a week. See the errors from the install in Figure 18.23.

Figure 18.23: Verification and Installation Errors

Other status options may be displayed in the Installation Process window. On this page Check Point provides a Legend button that pops up a quick explanation on each of the possible status icons you could receive (see Figure 18.24).


Figure 18.24: Status Icon Legend

If the policy installation was successful, you are done. You can continue to modify and install your policy as many times as is necessary to completely define a security policy for your organization. If policy installation fails for some reason, try some of these steps:

  • Verify that the firewall process is running on the module with the command ps -auxw | grep fw.

  • Try unloading the policy from the console with the command fw unloadlocal, and then try reinstalling the policy from the management server.

  • Ensure that there is network connectivity between the management server and the module. Check cables and test with ping.

  • Check that SIC is configured properly. Look at http://support.checkpoint.com/kb/docs/public/firewall1/5_0/pdf/sic.pdf for assistance.

Once you are set up to push a policy successfully, you will want to verify that the firewall can fetch a policy from the management station. The Nokia will attempt to fetch a policy on system startup or whenever the firewall module is restarted. To force the Nokia to fetch a policy, use the fw fetch command. Available switches for this command are listed in Table 18.3. Type fw fetch localhost to load the last policy installed, or fw fetch master1 to fetch from the management host defined as master1 in the $FWDIR/conf/masters file.

Table 18.3: fw fetch Syntax

Switch          Description
-n              Fetches a policy from the management server and only loads the policy if it is different from the current policy loaded.
-f <filename>   Fetches a policy from the management server listed in <filename>. If no filename is specified, uses the $FWDIR/conf/masters file.
-i              Ignores the SIC information, such as SIC names.
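The troubleshooting checklist and the fw fetch test above can be scripted so that the same checks run identically after every install or upgrade. The following is an added example, not from the book: the helper functions read the output of ps -auxw and fw stat from stdin (so they can be exercised offline with constructed output), and run_checks drives the live commands on the Nokia; the management host name master1 and the fw stat line layout (HOST POLICY DATE header, [>ifname] inbound and [<ifname] outbound markers) are assumptions.

```shell
#!/bin/sh
# Post-install sanity check for a FireWall-1 NG module on Nokia IPSO.
# Added example: scripts the chapter's checklist with the commands it names
# (ps -auxw, fw stat, ping, fw fetch). Helpers read command output on stdin.

# fwd_running: read a `ps -auxw` listing; succeed if the FireWall-1 daemon
# (fwd) is present. The bracket keeps grep from matching its own command line.
fwd_running() {
    grep -q '[f]wd'
}

# policy_status: read `fw stat` output (assumed layout: a HOST POLICY DATE
# header, then one line per host) and print the POLICY column of the first host.
policy_status() {
    awk 'NR > 1 && NF >= 2 { print $2; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# real_policy_loaded: fail when nothing, the default filter or the initial
# policy is loaded, i.e. when no real Security Policy has been installed yet.
real_policy_loaded() {
    case "$(policy_status)" in
        ''|'-'|defaultfilter|InitialPolicy) return 1 ;;
        *) return 0 ;;
    esac
}

# unenforced_interfaces: read `fw stat` output and list interfaces that are not
# enforced in both directions. Assumed markers: [>ifname] inbound, [<ifname]
# outbound; a healthy install shows both for every interface.
unenforced_interfaces() {
    tr ' ' '\n' | sed -n 's/^\[\([<>]\)\(.*\)\]$/\1 \2/p' |
        awk '{ seen[$2] = seen[$2] $1 }
             END { for (i in seen) if (seen[i] !~ />/ || seen[i] !~ /</) print i }' |
        sort
}

# run_checks [MGMT_HOST]: the live checklist, run on the Nokia itself.
# MGMT_HOST is the management server as named in $FWDIR/conf/masters (assumed: master1).
run_checks() {
    mgmt=${1:-master1}
    ps -auxw | fwd_running       || echo "fwd not running: try cpstart"
    fw stat | real_policy_loaded || echo "no real policy loaded: fw fetch $mgmt"
    bad=$(fw stat | unenforced_interfaces)
    [ -z "$bad" ]                || echo "not enforced in both directions: $bad"
    ping -c 3 "$mgmt" >/dev/null || echo "no connectivity to $mgmt: check cables and routing"
    fw fetch -n "$mgmt"          || echo "fetch failed: check SIC and the masters file"
}

# `sh fwcheck.sh run [mgmt-host]` performs the checks; without "run" the file
# only defines the helpers, so it can be sourced or tested.
[ "${1:-}" = run ] && run_checks "$2"
```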

FireWall-1 Command Line

The following are some other useful FireWall-1 commands that you might find handy while configuring Check Point on your Nokia firewall. Some of these have been discussed throughout the chapter:

  • cpstop Stops all Check Point products and the SVN Foundation.

  • cpstart Starts the SVN Foundation and all Check Point products.

  • cplic print Prints the currently installed licenses.

  • cplic put Adds a license.

  • fw tab -t connections -s Lists the number of connections in the FireWall-1 connections table.

  • fw ver Displays the version of VPN-1/FireWall-1. Use the -k switch to see the kernel version.

  • fw stat Lists the currently loaded policy, the date the policy was last installed, and the interface and direction on which the security policy is being enforced.

  • fw unloadlocal Unloads the current security policy so that no policy is loaded.

  • fw load When run on the management console, this can push a policy from the command line to a remote module.

  • fw lichosts Displays the hosts that are protected by your firewall, when a limited license is installed.

  • fwstop -default Stops all VPN-1/FireWall-1 services and loads the default filter into the kernel.

  • fwstop -proc Stops all VPN-1/FireWall-1 services, but keeps the policy loaded in the kernel. Only simple accept, drop, and reject control decisions will be made.

  • fwstart -f Starts the VPN-1/FireWall-1 services.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003