Installing FireWall-1 NG FP3


We start the practical side of our clustering discussion by running through installation of the Check Point enforcement modules that will form our cluster. This process is not exceptionally different from installing on an ordinary module, but we highlight the areas of the installation that are relevant to clustering. It's also a good refresher to make sure that you have not forgotten to do something important! We are assuming that we have a healthy management station already running.

Checking the Installation Prerequisites

Follow these steps to check the installation prerequisites:

  1. Ensure that your OS meets the requirements documented in the Check Point release notes. On the Windows 2000 platform, make sure that SP2 or SP3 is installed. On Solaris, make sure that the latest cluster patch is installed (for example, solaris8_Recommended.zip, about 80MB). Make sure that the SUNWter package is installed on Solaris. You need this package before you can run UnixInstallScript from the NG FP3 CD or wrapper.

  2. On the Nokia platform, download the latest version of IPSO that is compatible with NG FP3.

  3. It is strongly recommended that you have all your interfaces configured and working on the firewall modules and your management server before you install FireWall-1 NG FP3. Make sure that you have tested that each interface is up and running.

  4. Make sure that the member clocks are synchronized; see the sidebar "The Importance of Time."

  5. Carefully read the Check Point NG FP3 release notes before proceeding. This is important!

Warning

It is important to ensure that the correct time, date, and time zone are set on each of the cluster members and on the management module. The time on the cluster members needs to be synchronized as accurately as possible for the purposes of state synchronization and cluster control protocols. The time also needs to be in step with the management module, because the trust relationships between modules (SIC) are certificate based and time sensitive. The logs seen in SmartView Tracker are time-stamped with the local module's time, so these logs can be misleading if time settings are incorrect.

You should also take into account daylight savings time. If your platform does not automatically adjust for daylight savings (IPSO included), make sure that you set the time for the "unadjusted" time zone. This does mean that your local module time appears "wrong" by an hour during the summer months. SmartView Tracker will adjust the displayed time correctly, based on the time zone of the management station.

Given the importance of time synchronization, it should be automated using standard NTP. Obtain details of how to configure NTP on the platform chosen for your modules from your OS provider. (In the case of IPSO, this is configurable via Voyager.) When you're configuring NTP, it is recommended that only one of the cluster members synchronizes its time with an external source, whereas other members synchronize with that selected "master" member. This is because the priority is to ensure that all members are time synchronized with each other, rather than synchronized with an external source. Finally, don't forget to allow NTP as required in your FireWall-1 security policy.
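One way to check this arrangement on a member, as an added example that is not from the book: the function reads ntpq -pn output and confirms that the member has selected the chosen "master" member as its time source and that its offset is within a limit. The addresses, the 100 ms limit, and the sample output are constructed, and the check assumes the platform's NTP daemon provides ntpq.

```shell
#!/bin/sh
# Added example (not from the book). Reads `ntpq -pn` output on stdin and checks
# that this member has selected the expected time source with a small offset.
# Usage on a member (assumed address): ntpq -pn | check_ntp_peer 192.0.2.1 100
# On Solaris, use nawk or /usr/xpg4/bin/awk in place of awk.

# check_ntp_peer EXPECTED_PEER MAX_OFFSET_MS
# Returns 0 = ok, 1 = no peer or wrong peer selected, 2 = offset too large.
check_ntp_peer() {
    awk -v want="$1" -v max="$2" '
        /^\*/ {                    # "*" tally code marks the selected peer
            peer = substr($1, 2)   # strip the tally character
            off = $9 + 0           # column 9 is the offset in milliseconds
            found = 1
        }
        END {
            if (!found)       { print "FAIL no selected peer"; exit 1 }
            if (peer != want) { print "FAIL synced to " peer ", expected " want; exit 1 }
            if (off < 0) off = -off
            if (off > max)    { print "FAIL offset " off " ms exceeds " max " ms"; exit 2 }
            print "OK " peer " offset " off " ms"
        }'
}

# Constructed samples. 192.0.2.1 stands for the "master" member and
# 198.51.100.7 for the external source; both are documentation addresses.
HDR='     remote           refid      st t when poll reach   delay   offset  jitter
=============================================================================='
SAMPLE_GOOD="$HDR
*192.0.2.1       198.51.100.7     2 u   33   64  377    0.412   -0.087   0.031"
SAMPLE_DRIFT="$HDR
*192.0.2.1       198.51.100.7     2 u   41   64  377    0.398  250.300   4.120"
SAMPLE_WRONG="$HDR
*198.51.100.7    .GPS.            1 u   12   64  377   18.204    1.932   0.640
+192.0.2.1       198.51.100.7     2 u   30   64  377    0.405    0.311   0.052"

# Demonstration run over the three constructed cases.
for s in "$SAMPLE_GOOD" "$SAMPLE_DRIFT" "$SAMPLE_WRONG"; do
    printf '%s\n' "$s" | check_ntp_peer 192.0.2.1 100 || true
done
```

The third sample is the case the text advises against: a non-master member that has selected the external source directly, with the master only a candidate.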

Installation Options

Before installation, you need to be aware of some of the questions that you will be asked during the install. You need to have made a decision about the following points before starting the installation so that you answer correctly:

  1. Each module needs to have VPN-1 SecureClient Policy Server installed if you want to use VPN-1 SecureClient later.

  2. FloodGate-1 can be installed on the management and modules if required.

  3. During installation of the enforcement module, you are asked if you would like to install a Check Point clustering product (CPHA, CPLS, or state synchronization). Answer yes to this option, even if you're installing a third-party clustering solution, because it is required for state synchronization.

Installation Procedure

The installation procedure is slightly different depending on which operating system you are running. With Windows, the installation procedure is a more visual experience, whereas with UNIX, it is a text-based installation. The UNIX installations are reasonably similar in the types of questions you will be asked and at what point you will be asked them.

To begin the installation:

  • Windows: Insert the FP3 CD. The installation wrapper should automatically launch. Alternatively, download the FP3 wrapper package and run setup.exe.

  • Solaris/Linux: Use the appropriate commands to mount the CD. Change directory to the mount point, and at the root of the CD, you should find a script called UnixInstallScript. Run this script: ./UnixInstallScript.

  • IPSO: Use the newpkg command to install FP3 from an FTP server, CD, or the local file system.

  • SecurePlatform: Insert the FP3 CD and reboot.

In our example, we assume you are installing FireWall-1 NG FP3 on a Solaris host, but the screens are similar to what you would expect while installing on all platforms. On Windows the same procedure applies but via an installation GUI.

The first screen you will see when running the UNIX wrapper is shown in Figure 21.4.

    Check Point Software Technologies Ltd.

    Welcome to Check Point Next Generation Feature Pack 3 Enterprise Suite!

    We recommend that you close all other applications while running
    this installation program.

    This product is protected by copyright law and all unauthorized
    reproduction is forbidden.

    V-Evaluation Product U-Purchased Product N-Next H-Help E-Exit

Figure 21.4: Introduction Screen When Running UnixInstallScript

Press U for purchased product. All this means is that you will be asked for the license during install, but you can install the license later on NG FP3. (It will work for 15 days with a fully featured evaluation license.)

Pressing U will display the next stage of installation, which is shown in Figure 21.5.

    Check Point Software Technologies Ltd.

    Purchased Products.

    Before you continue, please ensure you have obtained a license.

    You can obtain license from your reseller or from
    www.checkpoint.com/usercenter

    N-next B-go back C-contact information H-help E-exit

Figure 21.5: The Purchased Product Screen

Press N to go to the next screen, shown in Figure 21.6, which will install the Secure Virtual Network (SVN) foundation. Note that just before the SVN foundation install, the installation script checks to make sure that the prerequisite patches are installed.

    Check Point Software Technologies Ltd.

    Please wait while checking Check Point products installed...

    Installing Check Point SVN Foundation NG FP3...

    Please wait!

Figure 21.6: SVN Foundation Installation

Once the SVN installation is complete, the next screen will display (see Figure 21.7).

    Check Point Software Technologies Ltd.

    The following products are included on this CD. Select product(s)

    1.[*] VPN-1 & FireWall-1.
    2.[*] FloodGate-1.
    3.[ ] SMART Clients.
    4.[*] VPN-1 SecureClient Policy Server.
    5.[*] UserAuthority.
    6.[ ] SmartView Monitor.
    7.[ ] Performance Pack.

    N-Next C-Contact information R-Review of products H-Help E-Exit

Figure 21.7: Selecting Products to Install

After the SVN has installed, select the packages that you would like to install (using the numeric keys) as shown in Figure 21.7. Option 1 is mandatory for a firewall module, but all the others are optional. Press N for the next screen.

The next screen asks if the installation will be a firewall module, a management station only, a management and module, and so on (see Figure 21.8).

    Check Point Software Technologies Ltd.

    Installation type

    1.(*) Enforcement Module.
    2.( ) Enterprise Management.
    3.( ) Enterprise Management and Enforcement Module.
    4.( ) Enterprise Log Server.
    5.( ) Enforcement Module and Enterprise Log Server.

    N-next B-go Back H-help E-exit

Figure 21.8: Module or Management Installation Screen

Select Enforcement module only. The installation script will then display a validation screen to confirm the options you have selected before proceeding with the install. This process is shown in Figure 21.9.

    Check Point Software Technologies Ltd.

    Validation

    You have selected the following products for installation:
    * VPN-1 & FireWall-1 Enforcement Module
    * FloodGate-1 Enforcement Module
    * VPN-1 SecureClient Policy Server
    * UserAuthority

    N-next B-go Back H-help E-exit

Figure 21.9: Verifying Your Selections So Far

Press N for the next screen. This will move you onto the screen shown in Figure 21.10. The installation script will then start installing the products you selected.

    Check Point Software Technologies Ltd.

    Check Point Installation Program

    Installing VPN-1 & FireWall-1 NG FP3...

    Please wait!

Figure 21.10: Products Installing…

Wait while the installation completes (see Figure 21.11).

    Welcome to Check Point Configuration Program
    =================================================

    **************** VPN-1 & FireWall-1 kernel module installation **********

    Installing VPN-1 & FireWall-1 kernel module...  Done.

    **************** Interface Configuration ****************

    Scanning for unknown interfaces...
    Would you like to install a Check Point clustering product (CPHA, CPLS or
    State Synchronisation)? (y/n) [n] ? y

Figure 21.11: Initial Configuration

When installation has completed, you will be prompted to choose whether you would like to install the Check Point Clustering product, as shown in Figure 21.11. Answer y. Following this screen, you'll see a number of configuration questions that you should be familiar with from a standard FireWall-1 installation.

You will be prompted to supply a secret key password that will be used to communicate with the firewall management station. This password will be used when you define the cluster object in SmartDashboard. Make a note of your chosen password! The installation will then complete, and you will be asked if you want to reboot. Answer y.

Now repeat the installation procedure for the other members of the cluster.




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
