Installing Check Point VPN-1/FireWall-1 NG on Windows

Finally, all of your hard work in preparing for the firewall installation is about to pay off. This section is dedicated to installing the Check Point VPN-1/FW-1 NG on Windows. Hopefully you have read the previous section "Before you Begin" and are prepared to start with the Check Point software installation. If you did not read the "Before you Begin" section, we suggest that you go back to the beginning of this chapter and read this section before you continue.

Although this section describes a standalone installation, different options are pointed out that allow you to install the firewall on Windows in a distributed environment. In other words, you will be installing the Management and Enforcement Modules as well as the GUI all on one machine; however, you could install each piece on separate machines (and use different operating systems) if that is what your network design calls for. The distributed installation is not much different from the standalone installation, and you should feel just as comfortable with the latter as you do with the former after reading this section.

Installing from CD

You can obtain a copy of the Check Point Next Generation CD from Check Point by going to www.checkpoint.com/getsecure.html and requesting an evaluation of the software. If you have a login set up with Check Point, you can download the software and updates from Check Point here: www.checkpoint.com/techsupport/downloadsng/ngfp1.html.

The screenshots throughout this section depict a new installation via CD on a Windows 2000 Professional server. If you are installing on Windows NT, the procedure is the same.

  1. Insert the Check Point Next Generation CD into the CD-ROM drive on your firewall system. The Check Point NG Welcome Screen will appear (Figure 12.3). If the Welcome screen does not appear after inserting the CD, then you may start it manually from the CD's wrappers\windows folder by running demo32.exe. From this screen you may choose to read the important information regarding evaluation licenses, purchased products, and the contents of the CD.

    Figure 12.3: Welcome Screen

  2. If you are ready to continue the installation, select Next to start the installation wizard. You will be presented with the License Agreement shown in Figure 12.4.

    Figure 12.4: License Agreement

  3. You must accept the license agreement in order to continue with installation. Select Yes when you are ready to continue. Otherwise, select No to exit the installation wizard.

  4. The next screen, displayed in Figure 12.5, provides you with the Product Menu so that you can choose which Check Point products to install. You have two options:

    Figure 12.5: Product Menu

    • Server/Gateway Components (Default) Choose this option if you wish to install one or more of the following components from the Next Generation Suite:

      • VPN-1 & FireWall-1 This includes FW-1 Management Module and enforcement point software along with the VPN-1 encryption component.

      • FloodGate-1 Provides an integrated QoS solution for VPN-1/FW-1.

      • Meta IP Integrated IP Management with DNS and DHCP servers.

      • Management Clients The Graphical User Interface for Check Point including the Policy Editor, Log Viewer, and System Status GUI.

      • UserAuthority A user-authentication tool that integrates with FW-1, FloodGate-1, and other e-business applications.

      • VPN-1 SecureClient Policy Server Allows an Enforcement Module to install Granular Desktop Policies on mobile users' SecureClient personal firewalls.

      • Reporting Module An integrated reporting tool that can generate reports, graphs, and pie charts to display information obtained from the VPN-1/FW-1 logs.

      • Real-Time Monitor Allows an organization to monitor their VPN connections, Internet connections, etc.

    • Mobile/Desktop Components If you just want to install client software on your mobile users or desktops in the office as described in the following list, then choose this option.

      • VPN-1 SecuRemote Client Encryption software loaded on your mobile clients.

      • VPN-1 SecureClient Client Encryption software with Desktop Security (personal firewall) features.

      • Session Authentication Agent This agent is installed on desktop computers where your users will need to authenticate with Session Authentication.

  5. Make sure that the Server/Gateway Components option is selected, and click Next.

    Note

    During the installation process, use the Back button at any time to move to the previous screen, use the Next button to advance to the next screen, use the Exit option to exit the installation at any time, and use the elevator buttons along the side of the page to scroll up and down.

  6. The next screen is the Server/Gateway Components (see Figure 12.6), which provides you with the various options for the individual Check Point components you can install. We will select VPN-1 & FireWall-1 and Management Clients to install the Management and Enforcement Modules as well as the Graphical User Interface. If you place your mouse pointer over each item (without clicking), you will see a detailed description displayed on the right-hand side.

    Figure 12.6: Server/Gateway Components

    Note

    If you wish to install the Management Module only, your selections here will be the same. If you wish to install the Enforcement Module only, then you will only select VPN-1 & FireWall-1.

  7. Click Next when you are ready to begin the install process.

  8. The Check Point installation wizard will start the InstallShield Wizard program to begin the installation based on the options you've chosen thus far. Figure 12.7 illustrates the screen that you should see next. Select Next when you are ready to continue. The InstallShield Wizard will start installing the Check Point SVN Foundation. You should note that this is always the first piece installed on a Next Generation system. It will also be the last piece if you uninstall. A progress window will pop up, as shown in Figure 12.8. You should see the window similar to Figure 12.9 when the SVN installation is complete.

    Figure 12.7: Selected Products


    Figure 12.8: Progress Window

    Figure 12.9: VPN-1 & FW-1 Installation

  9. Immediately following this screen, another window will pop up prompting you to choose specific components of VPN-1/FW-1 to install:

    • Enterprise Primary Management To install a Management server only that will be acting in a primary capacity.

    • Enterprise Secondary Management To install a Management server only that will be acting in a backup capacity.

    • Enforcement Module & Primary Management (Default) To install both a Primary Management server and VPN-1/FW-1 Enforcement Module.

    • Enforcement Module To install an Enforcement Module only; the Management server will be installed on separate hardware.

    Select Enforcement Module & Primary Management, as shown in Figure 12.10, and click Next.

    Figure 12.10: VPN-1/FW-1 Product Specification

    Note

    If you wish to install the management module only, select Enterprise Primary Management. If you wish to install the enforcement module only, select Enforcement Module.

  10. The next screen (Figure 12.11) gives you the option of installing with or without backward compatibility. If you choose to install without backward compatibility, you will only be able to manage NG Enforcement Modules, and you will not be able to manage VPN-1/FW-1 v4.0 nor v4.1 firewalls from this management station. Choosing to install with backward compatibility support will enable you to manage these older versions of the product. Since we will not be managing any older versions of the product with this management server, choose the default option to Install without backward compatibility, and click Next.

    Figure 12.11: Backward Compatibility Screen

  11. Next, Check Point will ask you where you want to install the product files. The default folder location in Windows is c:\winnt\fw1\5.0. If you wish to install to a different folder, choose Browse; otherwise, select Next to accept the default location and continue. Whatever value you choose for the firewall's installation directory will be the value of the $FWDIR environment variable, which will be used throughout this book when referencing this directory. This is the last screen before VPN-1/FW-1 files are copied to your hard drive (Figure 12.12). Now the system copies files and installs the software. You should see a screen similar to the one in Figure 12.13 as the install program shows you its progress. You may click the Cancel button on the bottom right-hand side of this screen if you wish to stop the installation at this point.

    Figure 12.12: Choose Destination Location

    Figure 12.13: Copying Files

  12. Once the system has finished copying files, you may see some messages pop up such as "Installing FW-1 kernel," "Installing FW-1 Service," "Setting Permissions" (NTFS only), and "Register product add-ons…." These windows appear whenever you are installing an enforcement module. The installation wizard will then display a final pop-up window from VPN-1/FW-1 explaining that the installation will complete upon reboot (as shown in Figure 12.14). Click OK.


    Figure 12.14: Setup Information

  13. The system will not reboot after you select OK. Instead, it will begin installing the Check Point management clients. You will see a window like the one in Figure 12.15 asking if you wish to install the management clients in the default folder C:\Program Files\CheckPoint\Management Clients. You can either accept the default or click on Browse… to choose a new target for the files. Accept the default folder location and click Next to continue.

    Figure 12.15: Management Client Location

  14. Now you will need to choose which of the management clients you will install. Figure 12.16 displays the window you will see with the available options, which are as follows:

    • Policy Editor Used to configure the rule base, Network Address Translation, FloodGate-1 QoS policy, and SecureClient Desktop Security Policies.

    • Log Viewer Used to view your VPN-1/FW-1 security logs, accounting logs, and audit logs.

    • System Status Used to view the status of the remote enforcement points connected to your management server.

    • SecureClient Packaging Tool Used to create custom packages for SecuRemote/SecureClient mobile users.

    • Traffic Monitoring Used to monitor an interface, QoS rule, or virtual link in real time. The display is in the form of a line or bar graph.

    • SecureUpdate Used for managing licenses and doing remote software updates of the remote enforcement points connected to your management server.

    • Reporting Tool Used to generate reports with graphs and pie charts from the data in the VPN-1/FW-1 logs.

    Figure 12.16: Select Management Clients to Install

    Accept the default values (Policy Editor, Log Viewer, System Status, and SecureUpdate) and click Next. This is the last screen before the Check Point installation wizard begins copying files to your system (Figure 12.17).

    Figure 12.17: Management Clients Copying Files

  15. When the system is done copying files, the installation process is nearly complete. You can now click on any of the icons in the Check Point Management Clients folder. You can also open the management clients by selecting Start | Programs | Check Point Management Clients. Click OK to finish the installation (Figure 12.18) and begin the configuration process.

    Figure 12.18: Setup Complete

Configuring Check Point VPN-1/FireWall-1 NG on Windows

Once the system is done copying files during the installation procedure, it will begin to display the configuration screens. If you read the first section of this chapter, you should be prepared to configure the firewall. After this initial configuration, you can always come back to any of these configuration screens by selecting Start | Programs | Check Point Management Clients | Check Point Configuration NG.

The initial configuration will take you through the following screens:

  • Licenses

  • Administrators

  • GUI Clients

  • Certificate Authority Configuration

Licenses

You should have obtained all of your licenses before you get to this step. If you didn't, don't worry. There is even a link to the Check Point User Center, where you can get your licenses, right in the Licenses window. If you need help with your license, read the first part of this chapter, entitled "Before you Begin." If you don't have any permanent licenses to install at this time, you can always request an evaluation license from either Check Point or your Check Point reseller.

Since you have installed a Primary Management Module, you should be installing a local license that was registered with the local management station's IP address. Follow this step-by-step procedure for adding your license(s).

  1. Click Add, as shown in the Licenses configuration window in Figure 12.19.

    Figure 12.19: Licenses

  2. Once you click Add, you will see a pop-up window like the one illustrated in Figure 12.20. In this window you can either select Paste License or enter the license details into the appropriate fields. Figure 12.20 shows the following license installed: cplic putlic eval 01Mar2002 aoMJFd63k-pLdmKQMwZ-aELBqjeVX-pJxZJJCAy CPMP-EVAL-1-3DES-NG CK-CP. In addition you will see the following fields:

    • IP Address The IP address associated with this license or "eval."

    • Expiration Date The date that the license expires, which may be "never."

    • SKU/Features These are the features that this license will enable (e.g. Management or 3DES).

    • Signature Key The license string provided by Check Point to validate the license. This key will be unique for each license and IP address.

    Figure 12.20: Adding a License

    Enter the license details in the Add License window, and click Calculate to verify that the information you entered is correct. Match the Validation Code that you receive in this field to the Validation Code on the license obtained from the Check Point User Center. You can also copy the entire cplic putlic command into your clipboard, and then click the Paste License button at the top of the screen to fill in all the fields. Click OK to continue, and if you entered everything correctly you should see the license entered into the main Licenses window (Figure 12.21).

    Figure 12.21: License Added Successfully

    Note

    The license configuration window will be displayed when you are installing the Management or the Enforcement Module in a distributed install as well.

  3. Click Next to continue. The next screen deals with the Check Point configuration of the Management Module.

Note

If you have saved your license(s) to a file with a .lic extension (e.g. licenses.lic), then you could alternatively use the Fetch from File… button, which would enable you to browse your file system for the file. Once you've located the *.lic file, select Open, and the license details will be imported into the Licenses configuration window.

Administrators

After installing your licenses, you will be presented with another configuration window (see Figure 12.22) in which you need to configure your firewall administrators. You will need to define at least one administrator during this time. You can always come back to this window later to add, edit, or delete your administrator(s).

Figure 12.22: Configuring Administrators

  1. The first step to configuring your administrators is to click Add…

  2. You will be presented with another window similar to the one in Figure 12.23, where you can define the attributes for one administrator. It is best to use individual admin usernames instead of a generic username like fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. It may be important for you to know who installed the last security policy when you are troubleshooting a problem. This becomes more and more important when there are several people administering a firewall system. The fields that you need to fill in are listed as follows. Fill in the required fields in the Add Administrator Window and select Read/Write All for the permissions. Click on OK to finish adding the administrator.

    Figure 12.23: Adding an Administrator

    • Administrator Name Choose a login name for your admin. This field is case sensitive.

    • Password Choose a good alphanumeric password. It must be at least four characters long and is also case-sensitive.

    • Confirm Password Repeat the same password entered previously.

    The section labeled Permissions enables you to define the access level that you will require on an individual basis for each administrator. If you select Read/Write All or Read Only All, your administrator will have access to all the available GUI client features with the ability to either make changes and updates or view the configuration and logs (perhaps for troubleshooting purposes), respectively. You may also choose to customize each administrator's access so that he or she may be able to update some things and not others. To do this, select Customized and configure each of these options:

    • SecureUpdate This GUI tool allows administrators to manage licenses and update remote modules.

    • Objects Database This tool is used to create new objects to be used in the security policy.

    • Check Point Users Database This tool is used to manage users for firewall authentication purposes.

    • LDAP Users Database This tool is used to manage LDAP users.

    • Security Policy This tool is used to create and manage a rule base using the Policy Editor GUI.

    • Monitoring This option enables access to the Log Viewer, System Status, and Traffic Monitoring GUI clients.

  3. When you finish adding an administrator, you will be brought back to the main Administrators configuration window. The administrator should now be listed in the Administrator's Permissions window. From here you may choose to Add…, Edit…, or Delete administrators from this list (see Figure 12.24). When you are done adding administrators, click Next to continue with the configuration of the Check Point Management Module.

    Figure 12.24: Administrators

GUI Clients

The GUI Clients are the management clients installed earlier. These clients could also be installed on as many desktops as you wish, but before they can connect to the management server, you need to enter their IP addresses into the GUI Clients configuration window shown in Figure 12.25. You can use this feature, for example, if you install the GUI clients on your own workstation to enable you to control the management server from your PC. This will enable you to connect remotely to manage the security policy and view your logs and system status. You do not need to configure any clients at all during the install, but if you are already prepared for this step, you may enter as many clients into this window as necessary. This client information will be saved in a file on your firewall under $FWDIR/conf and will be named gui-clients. This file can be edited directly, or you can bring up this GUI Clients window at any time in the future.

Figure 12.25: GUI Clients Configuration Window

Note

If you have installed an Enforcement Module only, you will not configure GUI clients.

For our example installation, we are not going to enter any GUI Clients. Select Next to continue on with the Check Point Management Module installation and read the next section. When you enter GUI Clients, you type their hostnames or IP addresses into the Remote hostname: field, then click Add to insert the clients into the window on the right. You are allowed to use wildcards as follows:

  • Any If you type in the word "Any," this will allow anyone to connect without restriction (not recommended).

  • Asterisks You may use asterisks in the hostname, e.g. 10.10.20.* means any host in the 10.10.20.0/24 network, or *.domainname.com means any hostname within the domainname.com domain.

  • Ranges You may use a dash (-) to represent a range of IP addresses, e.g. 1.1.1.3-1.1.1.7 means the 5 hosts including 1.1.1.3 and 1.1.1.7 and every one in between.

  • DNS or WINS resolvable hostnames

Figure 12.26 displays an example of the configured GUI Clients window with various options that you can use for your GUI client entries. We recommend staying away from using hostnames or domain names, however, since that requires DNS to be configured and working on the firewall. Using IP addresses is the best method, since it doesn't rely on name resolution and will continue to work even if you cannot reach your name servers from the firewall.
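To make the four entry forms concrete, here is an added Python checker (not code from the book or from Check Point) that evaluates gui-clients entries against a connecting client's address. It assumes a one-entry-per-line file layout and glob-style asterisk matching; the sample file content is constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed sample of a gui-clients file using the wildcard forms the chapter
# lists. One entry per line is an assumption about the file's layout.
SAMPLE_GUI_CLIENTS = """\
10.10.20.*
1.1.1.3-1.1.1.7
*.domainname.com
192.168.5.44
"""


def parse_gui_clients(text):
    """Return the non-empty entries of a gui-clients file, in order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def entry_matches(entry, client_ip, client_hostname=None):
    """Decide whether one gui-clients entry admits a connecting client.

    client_ip is the peer address as a string. client_hostname is the name it
    resolves to, or None when name resolution is unavailable on the firewall,
    which is exactly why the chapter recommends plain IP entries.
    """
    if entry.lower() == "any":
        return True                                   # unrestricted (not recommended)
    ip = ipaddress.IPv4Address(client_ip)
    if "-" in entry:                                  # range form: 1.1.1.3-1.1.1.7
        lo, hi = (part.strip() for part in entry.split("-", 1))
        if _is_ipv4(lo) and _is_ipv4(hi):
            return ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
    if _is_ipv4(entry):                               # exact address
        return ip == ipaddress.IPv4Address(entry)
    # Asterisk wildcard: a numeric-looking pattern (10.10.20.*) is matched
    # against the dotted address; anything else (*.domainname.com) is a
    # hostname pattern and needs a resolved name to compare against.
    if entry.replace("*", "").replace(".", "").isdigit():
        return fnmatch.fnmatchcase(client_ip, entry)
    if client_hostname is None:
        return False                                  # no DNS/WINS: name entries cannot match
    return fnmatch.fnmatchcase(client_hostname.lower(), entry.lower())


def client_allowed(entries, client_ip, client_hostname=None):
    """Return the first entry that admits the client, or None if none does."""
    for entry in entries:
        if entry_matches(entry, client_ip, client_hostname):
            return entry
    return None


if __name__ == "__main__":
    entries = parse_gui_clients(SAMPLE_GUI_CLIENTS)
    for ip, name in [("10.10.20.77", None), ("1.1.1.8", None),
                     ("172.16.0.9", "admin.domainname.com"), ("172.16.0.9", None)]:
        print(ip, name, "->", client_allowed(entries, ip, name))
```

The last two lines of the usage section show the same client admitted when its name resolves and refused when resolution is unavailable, which is the failure mode the chapter warns about.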

Figure 12.26: GUI Clients Configuration Window Sample Configuration

Certificate Authority Initialization

Your Management server will be a Certificate Authority (CA) for your firewall Enforcement Modules, and will use certificates for SIC. This is the step in the installation process where the Management Server's CA is configured, and a certificate is generated for the server itself.

You will be presented with a Key Hit Session window where you will be prompted to enter random text until you hear a beep. The data you enter will be used to generate the certificate, and it is recommended that you also enter the data at a random pace; some keystrokes may be close together and others could have a longer pause in between them. The more random the data, the more unlikely that the input could be duplicated. If the system determines that the keystrokes are not random enough, it will not take them as input, and will display a bomb icon under Random Characters, but if the input is good, then it will display a yellow light bulb.

Note

The Key Hit Session screen will also be presented to you if you have installed an Enforcement Module so that you can generate an internal certificate for SIC.

  1. Type random characters at random intervals in the Key Hit Session window until the progress bar is full, and the message "Thank you!" appears at the bottom of the window, as seen in Figure 12.27.

    Figure 12.27: Key Hit Session

  2. Click Next to continue with the CA configuration.

  3. You will be presented with a window titled Certificate Authority (Figure 12.28). This window simply informs you that the CA is not yet configured and that it will be initialized when you select Next. Click Next to initialize the Management Module's Certificate Authority. You should receive a message that the initialization completed successfully, as shown in Figure 12.29.

    Figure 12.28: Certificate Authority Initialization


    Figure 12.29: CA Initialized Successfully

  4. Click OK.

  5. Click Finish on the Fingerprint window (shown in Figure 12.30) to exit the configuration. This window will be the last one in the set of configuration screens during the install process. This window displays the fingerprint of the Management Server's CA. You will be able to bring this window up again after the installation through the Check Point Configuration NG Tool, described later in the section titled "Getting Back to Configuration." When a GUI client first connects to the management server, it will be asked to verify the fingerprint to ensure that the client is connecting to the right machine. After that, the client software will compare the management server's fingerprint at each connect. If the fingerprints do not match, the client will be warned and asked whether the session should continue. The fingerprint can also be exported to a file that the GUI clients would have access to.

    Figure 12.30: Management Server Fingerprint

Installation Complete

Congratulations! You have now successfully installed and configured a Check Point VPN-1/FW-1 firewall on a Windows system. All you need to do now is navigate your way out of the Check Point Installation program and reboot your computer. Check Point will thank you for using their SVN Integrated installation suite (see Figure 12.31) and ask you if you wish to reboot now or reboot later (Figure 12.32).

Figure 12.31: NG Configuration Complete

Figure 12.32: Reboot Computer

  1. To finish the installation process, click OK.

  2. From the InstallShield Wizard dialog box illustrated in Figure 12.32, choose Yes, I want to restart my computer now and click Finish. Your computer will be shut down and restarted.

Getting Back to Configuration

Now that installation is complete, you may need to get back into the Configuration screens that you ran through at the end of the install. You can add, modify, or delete any of the previous configuration settings by running the Check Point Configuration NG GUI.

  1. Select Start | Programs | Check Point Management Clients | Check Point Configuration NG. This will bring up the Configuration Tool displayed in Figure 12.33. As you can see, all of the configuration options that were displayed during the installation are available through the various tabs at the top of the Configuration Tool window. The tabs you can configure using this tool are listed as follows:

    Figure 12.33: Check Point Configuration Tool

    • Licenses

    • Administrators

    • GUI Clients

    • PKCS#11 Token—Used to configure an add-on card, like a VPN accelerator card, for example.

    • Key Hit Session

    • Fingerprint

    If you are just reading the chapter at this point, see the top of this section "Configuring the Management Module" to get a walk-through of each of these screens and your options.

  2. When you have completed making changes to the firewall configuration, click OK to exit the tool.

If you installed the Primary Management Module only, the tabs on the Configuration Tool NG will be exactly the same as in Figure 12.33 without the tab for PKCS#11 Token. If you installed an Enforcement Module only, the Configuration Tool screens will be a little different (see Figure 12.34). The two new tabs are as follows:

Figure 12.34: Enforcement Module Configuration Tool

  • Secure Internal Communication Enables you to initialize an Enforcement Module for communication. You must enter the same password here as you entered in the Policy Editor GUI (Figure 12.35).

    Figure 12.35: Secure Internal Communication

  • High Availability Enables this Enforcement Module to participate in a Check Point High Availability (CPHA) configuration with one or more other Enforcement Modules. This tab, illustrated in Figure 12.36, will not show up in your installation since you cannot have a Management Module installed on an Enforcement Module in a CPHA cluster.

    Figure 12.36: High Availability




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240