Installing Check Point VPN-1/FireWall-1 NG on Solaris

Finally, all of your hard work at preparing for the firewall installation is about to pay off. This section is dedicated to installing the Check Point VPN-1/FW-1 NG on Solaris. Hopefully you have read the first section of this chapter "Before you Begin" and are prepared to start with the Check Point software installation. If you did not read the "Before you Begin" section, we suggest that you go back to the beginning of this chapter and read this section before you continue.

Although this section describes a standalone installation, different options are pointed out that allow you to install the firewall on Solaris in a distributed environment. In other words, you will be installing the Management and Enforcement Modules as well as the GUI all on one machine; however, you could install each piece on separate machines (and use different operating systems) if that is what your network design calls for. The standalone installation is not much different from the distributed installation, and you should feel just as comfortable with the latter as you do with the former after reading this section. This section assumes that you are already familiar with the Unix operating system, and know how to navigate the file system and list directories within Solaris.

If you are installing on Solaris 2.7, you need to ensure that it is in 32-bit mode and that you have patch 106327 applied before you start. If you are installing on Solaris 2.8, you can install in either 32- or 64-bit modes, and you must have patches 108434 and 108435 applied before you start installing VPN-1/FW-1 NG. Solaris patches can be obtained from http://sunsolve.sun.com.

Installing from CD

You can obtain a copy of the Check Point Next Generation CD from Check Point by going to www.checkpoint.com/getsecure.html and requesting an evaluation of the software. If you have a login setup with Check Point, then you can download the software and updates from Check Point here www.checkpoint.com/techsupport/downloadsng/ngfp1.html.

The following screenshots depict a new install via CD on a Solaris 2.7 (32-bit mode) system. If you are installing on other versions of Solaris, the procedure is the same.

  1. Insert the Check Point Next Generation CD into your computer's CD-ROM drive. If you have the automount daemon running on your Solaris system, the drive will be mounted automatically. If not, mount the CD-ROM drive using the following syntax. You will need to determine which device to mount before you type this command; replace <device> and <mount point> with the appropriate values for your system.

    mount -o ro -F hsfs <device> <mount point>
  2. Move into the CD-ROM mount point directory by typing cd /cdrom/cpsuite_ng_hf1 and press Enter. The directory name that you are using may be different depending on the version of the CD that you have. For this installation, you are using the Check Point NG HotFix1 CD. There is a file in this directory titled ReadmeUnix.txt, which explains the contents of the CD and how to begin the install process.

    Note

    If you have downloaded the packages to install on Solaris, you must first unzip and untar them to a temporary directory. Once the files are extracted, use pkgadd -d <directory> to install the Check Point VPN-1/FW-1 packages. Problems have been known to occur if these temporary directories are several subdirectories away from the root of the file system. It would be best to extract these packages to /opt or directly to / instead of burying them too far down in the file system hierarchy. If you are in the same directory as the package, type pkgadd -d . to begin the installation.

    You must install the SVN Foundation package prior to installing any other modules on your system. Make sure you download this package, too, if you want to install VPN-1/FW-1. You can install management clients without the SVN Foundation.

  3. When you are ready to start with the installation, type ./UnixInstallScript and press Enter to initiate the Check Point installation wizard (see Figure 12.47). If you are in the Common Desktop Environment (CDE), you can also use a file manager and double-click the UnixInstallScript file to begin.

    Figure 12.47: UnixInstallScript

    After you press Enter, you will be presented with Check Point's welcome screen.

    Note

    If you are installing Check Point NG on Linux, you use the same UnixInstallScript to begin the install process.

  4. The Welcome Screen (Figure 12.48) will present you with the options listed. Type n to advance to the next screen.

    Figure 12.48: Welcome to Check Point NG

    • V – Evaluation Product Informational page on running this software on an evaluation license.

    • U – Purchased Product Informational page on installing this software if it is a purchased product.

    • N – Next Proceed to the next screen.

    • H – Help To get help with navigating the installation screens.

    • E – Exit To quit the installation and exit.

    The installation will proceed the same, whether you are installing a purchased product or an evaluation version. The only difference between the two is the license you apply during configuration. You can always apply a permanent license to an evaluation system at any time to turn it into a production firewall.

    Note

    While running the UnixInstallScript, keep your eye at the bottom of the screen to see your navigation options. You will enter the letter associated with the menu item to perform the requested action. For example, to exit the system, you see E – exit at the bottom of the screen. Simply press e to exit and end the installation at any time.

  5. You will see a message at the top of the screen that says, "Checking the OS Version" and then you will see the license agreement shown in Figure 12.49. Press the spacebar until you reach the end of the agreement. When you reach the end, the program will prompt you to indicate whether you accept the terms in the license agreement, "Do you accept all the terms of this license agreement (y/n) ?" Enter y and press Enter.

    Figure 12.49: License Agreement

  6. You should now be presented with a screen while the system installs the SVN Foundation. This may take a couple of minutes. This screen reads as follows, "Please wait while installing Check Point SVN Foundation…." Once the SVN installation is complete, you will need to select the products that you want to install from this CD (Figure 12.50). The options are explained in the following list:

    • VPN-1 & FireWall-1 This includes FW-1 Management Module and enforcement point software along with the VPN-1 encryption component.

    • FloodGate-1 Provides an integrated QoS solution for VPN-1/FW-1.

    • Meta IP Integrated IP Management with DNS and DHCP servers.

    • Management Clients The GUI for Check Point including the Policy Editor, Log Viewer, and System Status GUI. Using the Management Clients feature on Solaris requires a Motif license, and you may need to tweak your environment to get them to run, but you can connect with as many remote Windows GUI clients to a Solaris management server as you wish without any additional licenses.

    • UserAuthority A user authentication tool that integrates with FW-1, FloodGate-1, and other e-business applications.

    • VPN-1 SecureClient Policy Server Allows an Enforcement Module to install Granular Desktop Policies on mobile users' SecureClient personal firewalls.

    • Reporting Module An integrated reporting tool that can generate reports, graphs, and pie charts to display information obtained from the VPN-1/FW-1 logs.

    • Real Time Monitor Allows an organization to monitor VPN connections, Internet connections, etc.

    Figure 12.50: Select Products to Install

    Type in the number of each package you wish to select. Type the number again to deselect it. If you enter r for Review, you will see a new screen in which to select a product by entering its number, and then pressing r again to get a description of the product. For this installation exercise, enter 1 and 4 to select VPN-1 & FireWall-1 and Management Clients, respectively. Enter n to advance to the next screen.

    Note

    If you are installing the Enforcement Module only, select VPN-1 & FireWall-1.

  7. Next, you will need to select the type of firewall installation you want to perform on this server (Figure 12.51). The options are listed next. Use the keyboard to enter the number of the option you want. To change your selection, simply enter the number of the new option. For this installation, enter 1 to select Enterprise Primary Management and Enforcement Module, then press n to continue.

    Figure 12.51: Choose the Type of Installation

    • Enterprise Primary Management and Enforcement Module To install both a Primary Management server and VPN-1/FW-1 Enforcement Module.

    • Enforcement Module To install an Enforcement Module only, the management server will be installed on separate hardware.

    • Enterprise Primary Management To install a management server that will be acting in a primary capacity.

    • Enterprise Secondary Management To install a Management server that will be acting in a backup capacity.

  8. If you are installing a Management Module, you will be asked if you want to install with or without backward compatibility (Figure 12.52). If you select No, you will only be able to manage other NG modules with this management server. If you select Yes, you will be able to manage version 4.0, 4.1 and NG modules with this management server. Enter 2 for No and press n to continue.

    Figure 12.52: Backward Compatibility

    Note

    If you are installing an Enforcement Module only, you will not configure backward compatibility.

  9. On the next screen (Figure 12.53) press n to continue. This will be the last screen where you can exit the configuration before the install script will start copying files. While the install script is installing the package and copying files, you will see a progress screen similar to the one in Figure 12.54. The installation could take a few minutes. Next, the firewall will install the VPN-1/FW-1 kernel module and begin the configuration process.

    Figure 12.53: Validation Screen

    Figure 12.54: Installation Progress

Configuring Check Point VPN-1/FireWall-1 NG on Solaris

Once the required files have been copied by the installation wizard, it will begin the configuration process (Figure 12.55). If you have already read the first section of this chapter, you should be prepared to configure the firewall. After this initial configuration, you can always come back to any of these screens by running cpconfig from the root shell. We recommend that you go through all of these screens during the install without canceling; you can always go back in to change your initial configuration settings.

Figure 12.55: Welcome to Check Point Configuration Screen

The initial configuration will take you through the following screens:

  • Licenses

  • Administrators

  • GUI Clients

  • SNMP Extension

  • Group Permissions

  • Certificate Authority Configuration

Licenses

You should have obtained all of your licenses before getting to this step. If you need help getting your license, read the part of this chapter entitled "Before you Begin." If you don't have any permanent licenses to install at this time, you can always request an evaluation license from either Check Point or your Check Point reseller.

Note

The license configuration option will be displayed regardless of which modules you have installed.

Since you have installed a Primary Management Module, you should be installing a local license that was registered with the local management station's IP address. Follow this step-by-step procedure for adding your license(s). You can see the license configuration input and output outlined in the following output.

  1. When prompted to add licenses, enter y for yes and press Enter.

  2. Enter M to add the license manually and press Enter. You will then be prompted for each field of the license. The output that follows installs the same license that, from the command line, would be added with:

    cplic putlic eval 01Mar2002 aoMJFd63k-pLdmKQMwZ-aELBqjeVX-pJxZJJCAy CPMP-EVAL-1-3DES-NG CK-CP

    • Host The IP address or hostid associated with this license or the word "eval."

    • Date The date that the license expires, which may be "never."

    • String The license string provided by Check Point to validate the license. This key will be unique for each license and IP Address/Host.

    • Features These are the features which this license will enable (e.g. Management and/or 3DES).

    As you can see in the following output, you also have the option of choosing F (Fetch from file). If you select this option, the configuration will prompt you for the name of the license file.

  3. Enter the values for Host, Date, String, and Features pressing Enter after each entry.

    Configuring Licenses...
    =======================
    The following licenses are installed on this host:

        Host             Expiration Features

    Do you want to add licenses (y/n) [n] ? y
    Do you want to add licenses [M]anually or [F]etch from file?: M
    Host:eval
    Date:01Mar2002
    String:aoMJFd63k-pLdmKQMwZ-aELBqjeVX-pJxZJJCAy
    Features:CPMP-EVAL-1-3DES-NG CK-CP

Administrators

If you have installed a Management Module, as soon as you enter a license into the configuration program, you will be prompted to add an administrator. You must define at least one administrator at this time. You can always come back later to add, edit, or delete your administrators.

Note

If you have installed an Enforcement Module only, then you will not configure Administrators.

It is best to use individual admin usernames instead of a generic username like fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. It may be important for you to know who installed the last security policy when you are troubleshooting a problem. This becomes more and more important when there are several people administering a firewall system. The fields that you need to fill in are as follows:

  • Administrator Name Choose a login name for your administrator. This field is case-sensitive.

  • Password Choose a good alphanumeric password. It must be at least four characters long and is also case-sensitive.

  • Verify Password Repeat the same password entered previously.

  • Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized)

The following output illustrates the screen for adding an administrator.

Configuring Administrators...
=============================
No VPN-1 & FireWall-1 Administrators are currently defined for this Management Station.
Administrator name: Cherie
Password:
Verify Password:
Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized) w
Administrator Cherie was added successfully and has Read/Write permission to all management clients

Add another one (y/n) [n] ? n

To add an administrator, follow these steps:

  1. Enter the login ID for your Administrator and press Enter. Cherie is used in the previous example.

  2. Enter the password for the administrator (Cherie in our example) and press Enter.

  3. Confirm the password entered in step 2 and press Enter.

  4. Enter w for Read/Write All to give this administrator full permissions to access and make changes to all management clients.

    Setting permissions enables you to define the access level that you will require on an individual basis for each administrator. If you select Read/[W]rite All or [R]ead Only All, then your administrators will have access to all the available GUI client features with the ability to either make changes and updates or to view the configuration and logs (perhaps for troubleshooting purposes). You may also choose to customize each administrator's access so that he or she may be able to update some things and not others. To do this, enter C for Customized and configure each of the following options (see output directly following the bullet list):

    • SecureUpdate This GUI tool enables you to manage licenses and update remote modules.

    • Monitoring This option enables access to the Log Viewer, System Status, and Traffic Monitoring GUI clients.

    Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
    Permission for SecureUpdate (Read/[W]rite, [R]ead Only, [N]one) w
    Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
    Administrator Doug was added successfully and has Read/Write permission for SecureUpdate
                                                      Read/Write permission for Monitoring

GUI Clients

The GUI clients are the management clients you installed earlier. These clients could also be installed on as many desktops as you wish, but before they can connect to the management server, you need to enter their IP addresses into the GUI Clients configuration, as shown in the next set of output. You can use this feature, for example, if you install the GUI clients on your own workstation to enable you to control the management server from your PC. This will enable you to connect remotely to manage the security policy and view your logs and system status. You do not need to configure any clients at all during the install, but if you are already prepared for this step, you may enter as many clients into this window as necessary. This client info will be saved in a file on your firewall under $FWDIR/conf and will be named gui-clients. This file can be edited directly, or you can bring up this GUI Clients window at any time in the future by running cpconfig.

Note

If you have installed an Enforcement Module only, then you will not configure GUI clients.

  1. Press c to create a new list of GUI clients.

  2. Type in a GUI client IP address and press Enter.

  3. Repeat step two for each GUI client you want to add to the list.

  4. Press Ctrl + D to complete the list.

  5. Verify that the list is correct, enter y for yes and press Enter to continue.

Configuring GUI clients...
==========================
GUI clients are trusted hosts from which Administrators are allowed to log on to this Management Station using Windows/X-Motif GUI.

Do you want to [C]reate a new list, [A]dd or [D]elete one?: c
Please enter the list hosts that will be GUI clients.
Enter hostname or IP address, one per line, terminating with CTRL-D or your EOF character.

When creating the GUI clients list, you may use wildcards as follows:

  • Any This will allow anyone to connect without restriction (not recommended).

  • Asterisks You may use asterisks in the hostname, e.g. 10.10.20.* means any host in the 10.10.20.0/24 network, or *.domainname.com means any hostname within the domainname.com domain.

  • Ranges You may use a dash (-) to represent a range of IP addresses, e.g. 1.1.1.3-1.1.1.7 means the 5 hosts including 1.1.1.3 and 1.1.1.7 and every one in between.

  • DNS or WINS resolvable hostnames

The following displays a configured GUI Clients window. It is recommended that you stay away from using hostnames or domain names, however, since this requires DNS to be configured and working on the firewall. Using IP addresses is the best method since it doesn't rely on resolving, and will continue to work even if you cannot reach your name servers from the firewall.

Please enter the list hosts that will be GUI clients.
Enter hostname or IP address, one per line, terminating with CTRL-D or your EOF character.
*.integralis.com
1.1.1.3-1.1.1.7
10.10.10.2
10.10.10.3
10.10.20.*
backwatcher.com
noc.activis.com

Is this correct (y/n) [y] ? y
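Because the gui-clients file can be edited by hand, it is worth auditing after the install. The following Bourne shell script is an added example, not part of the chapter or of the Check Point product: it classifies each entry using the wildcard forms the chapter describes (Any, asterisks in an address, dash ranges, hostnames) and fails if the unrestricted Any entry is present. The sample file it writes under $TMPDIR is constructed from the list shown above plus an Any entry; in practice you would point it at $FWDIR/conf/gui-clients.

```shell
#!/bin/sh
# Audit a Check Point NG gui-clients list for entries that weaken it.
# Added example (not from the chapter or from Check Point). The wildcard
# forms it recognises are the ones cpconfig accepts: Any, 10.10.20.*,
# 1.1.1.3-1.1.1.7, and DNS/WINS hostnames such as *.domainname.com.

# Print the class of one entry: "permissive" for Any (any host may try to
# log on), "name" for anything that needs name resolution on the firewall,
# "address" for literal IPs, IP wildcards and IP ranges.
classify_gui_client() {
    case "$1" in
        [Aa][Nn][Yy])   echo permissive ;;
        *[!0-9.*-]*)    echo name ;;       # a letter or other char: hostname or *.domain
        *)              echo address ;;
    esac
}

# Read a gui-clients file and print "class<TAB>entry" for every non-blank
# line. Returns 1 if an Any entry was seen, 0 otherwise.
audit_gui_clients() {
    file=$1
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -z "$entry" ] && continue
        class=$(classify_gui_client "$entry")
        [ "$class" = permissive ] && rc=1
        printf '%s\t%s\n' "$class" "$entry"
    done < "$file"
    return $rc
}

# Number of entries of class $2 in file $1.
count_gui_clients() {
    audit_gui_clients "$1" | awk -v want="$2" -F '\t' '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample: the list from the chapter plus an Any entry, so the
# audit has something to flag when the script is run on its own.
SAMPLE_GUI_CLIENTS=${TMPDIR:-/tmp}/gui-clients.sample.$$
trap 'rm -f "$SAMPLE_GUI_CLIENTS"' EXIT
cat > "$SAMPLE_GUI_CLIENTS" <<'EOF'
*.integralis.com
1.1.1.3-1.1.1.7
10.10.10.2
10.10.10.3
10.10.20.*
backwatcher.com
noc.activis.com
Any
EOF

if audit_gui_clients "$SAMPLE_GUI_CLIENTS"; then
    echo "OK: no unrestricted GUI client entries"
else
    echo "WARNING: an Any entry is present; every host may attempt to log on" >&2
fi
```

Entries reported as "name" are the ones the chapter advises against: they only work while the firewall can resolve names, and an attacker who controls the answer the firewall receives controls who is trusted.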

SNMP Extension

If you wish to utilize external network management tools such as HP OpenView, you can install the Check Point FW-1 SNMP daemon. With the daemon installed and activated, you will be able to query the firewall status. Additionally, you could use a network management tool to monitor the firewall's health and to generate alerts based on certain criteria. The MIB files are located in $CPDIR/lib/snmp. If you will not be using SNMP, then you should not enable it at this time. You can always come back and activate it by running cpconfig in the future. Enter y to activate the SNMP daemon as shown in the following output.

Configuring SNMP Extension...
=============================
The SNMP daemon enables VPN-1 & FireWall-1 module to export its status to external network management tools.

Would you like to activate VPN-1 & FireWall-1 SNMP daemon ? (y/n) [n] ? y

Group Permission

During configuration, you will be prompted to configure groups on your VPN-1/FW-1 module as shown in Figure 12.56. You can either press Enter to accept the default setting of no group permissions, or you can enter the name of a group (defined in the file /etc/group) that you would like to have set on the Check Point directories. You might want to set group permissions so that you can enable a number of firewall operators to execute FW-1 commands without having to grant them superuser privileges to the system. Only one user should have superuser privileges on a Unix system, and that is the root account. Press Enter to set no group permissions. Press Enter again to accept this configuration option.

Figure 12.56: Setting Group Permissions

Certificate Authority Initialization

The management server will be a Certificate Authority for your firewall Enforcement Modules, and will use certificates for SIC. This is the step in the installation process where the management server's CA is configured, and a certificate is generated for the server and its components.

You will be presented with the Key Hit Session configuration option where you are asked to input random text until you hear a beep. The data you enter will be used to generate the certificate, and it is recommended that you also enter the data at a random pace; some keystrokes may be close together and others could have a longer pause between them. The more random the data, the more unlikely that the input could be duplicated. If the system determines that the keystrokes are not random enough, it will not take them as input, and will display an asterisk to the right of the progress bar.

Note

The Key Hit Session screen will also be presented to you if you have installed an Enforcement Module, so that you can generate an internal certificate for SIC.

  1. Type random characters at random intervals in the Key Hit Session window until the progress bar is full, and the message "Thank you" appears at the bottom of the window (Figure 12.57).

    Figure 12.57: Random Pool

  2. The next step is to initialize the internal CA for SIC. It may take a minute for the CA to initialize. Figure 12.58 displays the messages you will receive on the console while configuring the CA. Press Enter to initialize the CA.

    Figure 12.58: Configuring Certificate Authority

  3. Once the CA is initialized successfully, you will be presented with the fingerprint of the management server. This fingerprint is unique to your CA and the certificate on your server. The first time your GUI clients connect to the management server, they will receive the fingerprint so that they can match it to the string listed here and verify that they are connecting to the correct manager. After the first connection, every time the clients connect to the management server, the fingerprint is verified. If the fingerprints don't match, a warning message will be displayed, and the administrator can decide whether or not to continue with the connection. Give your administrators a copy of this fingerprint out of band (not over the connection being verified), since a first-connection fingerprint that does not match the one printed here means the client is not talking to your management server. Type y and press Enter to save the fingerprint to a file.

  4. Enter the filename and press Enter. The file will be saved in $CPDIR/conf.

Installation Complete

The configuration program will end, and you may see a few messages on the screen, such as "generating GUI-clients INSPECT code," as the system finishes up the installation of the VPN-1/FW-1 package. Finally, you will receive the following question, "Would You like to reboot the machine [y/n]:" (Figure 12.59). If you select not to reboot, you will exit the installation and go back to a shell prompt. If you choose to reboot, then the system will be restarted.

Figure 12.59: Installation Complete

Warning

If you are connected to this firewall remotely, you will not have access after rebooting. The firewall loads a policy named defaultfilter, which will prevent all access after an install.

  1. Enter n for no and press Enter

  2. Press Enter again to exit the installation script.

    Once you press Enter, you will be put back to the shell. The last message you received on the console was concerning new environment variables. Let's address these environment variables for a moment. The firewall will create a .profile in root's home directory, which runs the Check Point environment script located at /opt/CPshared/5.0/tmp/.CPprofile.sh (for the Bourne shell) or .CPprofile.csh (for the C shell). This script sets the Check Point variables such as $FWDIR and $CPDIR, among others. See Figure 12.60 for a list of environment variables that are set on an installed machine.

    Figure 12.60: Environment Variables

    Without setting these variables, various firewall commands will fail. For example, if you log in to the system as the standard user and type su to root instead of su –, you will maintain the standard user's environment; then when you try to run fw unload localhost to unload the defaultfilter, for example, you will receive the following error message: "ld.so.1: /etc/fw/bin/fw: fatal: libkeydb.so: open failed: No such file or directory Killed."

  3. When you are ready to restart the server, type sync; sync; reboot and press Enter.

Unload defaultfilter Script

If you are performing a remote upgrade or install, you may run into trouble when you reboot at the end of the installation. Before a security policy is loaded, the system will install a default policy, called defaultfilter, which will block all access to the VPN-1/FW-1 host computer. You can log in to the console and verify that the filter is loaded with the 'fw stat' command:

# fw stat
HOST      POLICY         DATE
localhost defaultfilter  8Feb2002 16:51:48 :  [>hme1] [<hme1]

If you have access to the console, log in as root and unload the filter with the following command:

# fw unload localhost
Uninstalling Security Policy from all.all@NGtest
Done.

If you do not have access to the console, you could write a shell script to unload the filter and enable it in cron. Here's a sample unload.sh script that can be used for v4.1 firewalls:

#!/bin/sh
/etc/fw/bin/fw unload localhost

Unfortunately, this isn't enough in NG. The various environment variables in the $CPDIR/tmp/.CPprofile.sh have to be defined. To do this, simply copy the contents of the .CPprofile.sh file into the middle of the unload.sh script. Even before you reboot, you can test that the script works.

  1. To enter the script in cron, first verify that you have enabled execute permissions on the file:

    chmod +x unload.sh
  2. Set your EDITOR environment variable to vi:

    EDITOR=vi; export EDITOR
  3. Edit cron with the following command:

    crontab -e
  4. Finally, enter the following line into your crontab file:

    0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/bin/unload.sh > /dev/null 2>&1

    This entry tells cron to run the unload.sh script every five minutes and to discard all of its output. It assumes you placed the script in /usr/local/bin; adjust the path if you put it elsewhere. The minutes are listed individually because Solaris cron does not accept the */5 step syntax that some other crons allow.

Now you can safely reboot the system and log back into it within a five-minute period from the time it is booted. Don't forget to remove (or at least comment out) the crontab entry once you are back in the firewall.
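The four-line script above unloads whatever is loaded, every five minutes, until you remember to remove the crontab entry; if you install the real policy before you do, cron unloads that too. The following version is an added example, not the chapter's script: it sources the NG profile (the environment problem described under "Installation Complete") instead of pasting its contents into the script, and it parses the output of fw stat so that only defaultfilter is ever unloaded. It assumes the NG paths given in the chapter (/opt/CPshared/5.0/tmp/.CPprofile.sh and $FWDIR/bin/fw); the fw stat lines used to exercise it stand-alone are constructed from the output shown above.

```shell
#!/bin/sh
# unload.sh: drop the NG defaultfilter after a remote reboot, run from cron.
# Added example, not the chapter's script. Assumes the NG 5.0 locations the
# chapter gives; override CPPROFILE in the environment if yours differ.
CPPROFILE=${CPPROFILE:-/opt/CPshared/5.0/tmp/.CPprofile.sh}

# Return 0 when the 'fw stat' output passed as $1 shows defaultfilter loaded
# on localhost, 1 otherwise (no policy, or a real policy such as Standard).
defaultfilter_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "localhost" && $2 == "defaultfilter" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Name of the policy loaded on localhost according to 'fw stat' output $1,
# or "-" when none is loaded.
current_policy() {
    printf '%s\n' "$1" | awk '$1 == "localhost" { print $2; exit }'
}

main() {
    # Without $FWDIR, $CPDIR and the library path from the profile, fw dies
    # with "libkeydb.so: open failed", so source it before anything else.
    . "$CPPROFILE"
    stat_out=$("$FWDIR/bin/fw" stat)
    if defaultfilter_loaded "$stat_out"; then
        "$FWDIR/bin/fw" unload localhost
    else
        # Leave a real policy alone: unloading it would open the firewall.
        echo "policy $(current_policy "$stat_out") loaded, nothing to do"
    fi
}

# Only act on a host that actually has the Check Point profile installed;
# elsewhere the functions are defined but nothing is unloaded.
if [ -r "$CPPROFILE" ]; then
    main
fi
```

Remember that while defaultfilter is unloaded and no policy has been installed yet, the host is not filtering at all, so install your policy as soon as you are back in and then remove the crontab entry.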

Getting Back to Configuration

Now that the installation is complete, you may need to get back into the Configuration screens that you ran through at the end of the installation. You can add, modify, or delete any of the previous configuration settings by running cpconfig.

If you did not log in as root or login and type su – to gain root access, your Check Point environment variables may not be set, and you could receive the following errors displayed as follows:

# /opt/CPshared/5.0/bin/cpconfig
You must setenv CPDIR before running this program
# CPDIR=/opt/CPshared/5.0; export CPDIR
# /opt/CPshared/5.0/bin/cpconfig
ld.so.1: /opt/CPshared/5.0/bin/cpconfig_ex: fatal: libcpconfca.so: open failed: No such file or directory
Can not execute cpconfig

If this happens, log in again with su -. The dash is an optional argument to su which gives you the environment you would have had if you had logged in directly as root, including the Check Point variables set by root's .profile. See Figure 12.61 for the output of cpconfig on Solaris.

Figure 12.61: cpconfig

There are two options listed here that did not come up during the initial installation process. Number 5 configures a PKCS#11 Token, which enables you to install an add-on card such as an accelerator card, and number 7 enables you to configure the automatic start of Check Point modules at boot time.

If you installed Enforcement Module Only, the cpconfig screens will be a little different (see Figure 12.62). The two new choices are as follows:

Figure 12.62: Secure Internal Communication Configuration

  • Secure Internal Communication Enables a one-time password that will be used for authentication between this Enforcement Module and its management server as well as any other remote modules that it might communicate with.

  • High Availability Enables this Enforcement Module to participate in a Check Point High Availability configuration with one or more other Enforcement Modules. This option will not show up in this chapter's exercise installation, since you cannot have a Management Module installed on an Enforcement Module in a CPHA cluster.

Figure 12.63 illustrates the High Availability option available from the cpconfig menu. If you enable high availability here, you will need to set up state synchronization between the firewalls that will be participating in the CPHA cluster.

Figure 12.63: High Availability Configuration

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003