Installing Check Point VPN-1/FireWall-1 NG on Nokia

Check Point's Next Generation Enterprise Suite on the Nokia IPSO appliance is a popular combination. Mike Urban, a Professional Services Engineer at Integralis, explained it best when he said, "Nokia gateways are designed using a hardened UNIX OS specifically tuned for firewall performance and security. As such, they outperform general-purpose OS platforms like Solaris or NT when measuring maximum gateway throughput." Nokia provides a Web front-end, which they call Voyager (see Figure 12.68), for easy package management and system configuration, and they have one of the fastest fail-over mechanisms utilizing VRRP and Check Point's state synchronization, with an average fail-over time of just four seconds.

Figure 12.68: Nokia's Voyager GUI

The first version of Check Point VPN-1/FW-1 NG to run on the Nokia platform was Feature Pack 1. NG FP1 requires Nokia IPSO 3.4.2 for installation. You can either order a Nokia box with Check Point preinstalled, or you can download the installation package from Check Point (with appropriate login ID) and install it yourself. If you need to upgrade your IPSO, you will need to obtain the IPSO image from Nokia support. It may be necessary to upgrade your boot manager prior to upgrading your IPSO image. Please read all release notes prior to installing new packages or images. It is not recommended to upgrade from 4.1 to NG if you have less than 128MB of memory; instead, do a fresh installation.

Installing the VPN-1/FireWall-1 NG Package

Since the Nokia appliance is already hardened, there is very little you need to do to prepare it for firewall installation. You must configure and test networking and DNS, set up the Host Address Assignment through the Voyager GUI, and you may need to upgrade your IPSO and boot manager.

Upgrading IPSO Images

If you are on an IPSO version prior to 3.3, it is recommended that you upgrade to 3.3 prior to upgrading to IPSO 3.4.2. You can downgrade from IPSO 3.4.2 to IPSO 3.2.1, 3.3, 3.3.1, and 3.4. If you are upgrading your IPSO from 3.3 or 3.3.1, then you do not need to upgrade your boot manager prior to installing the new image. The newimage command will automatically upgrade the boot manager on IP300, IP600, IP500, IP100, and IP700 series appliances. You can download the 3.4.2 image from https://support.nokia.com (login required). Once you have the image in /var/admin, you can run newimage to install it. The options for newimage are given in Table 12.2.

Table 12.2: newimage Command Line Arguments

Switch for newimage     Description
-k                      Enables you to upgrade the IPSO image and keep all currently active packages so they will be started upon reboot.
-R                      Sets the new image to be used upon the next reboot.
-l <path to image>      Tells the newimage command where to find the ipso.tgz file, which contains the new image.
-T                      Enables you to perform a test boot with the new image.
-I                      Sets the newimage command in interactive mode. Use this if you need to FTP the file or use the CD-ROM drive (IP440 only) to upgrade the IPSO image.
-b                      Forces upgrade of bootmgr.

Assuming that you have the ipso.tgz file downloaded to /var/admin, and your system is on IPSO 3.3 or 3.3.1, the recommended command to upgrade your IPSO image is as follows:

newimage -k -R -l /var/admin

After updating the image, reboot your system:

sync; sync; reboot

Installing VPN-1/FireWall-1 NG

To install the VPN-1/FW-1 NG package, you must first install the SVN Foundation and then the VPN-1/FW-1 package. You will need to get the software from Check Point or from a Check Point reseller, since Nokia does not provide VPN-1/FW-1 packages on their support Web site any longer. Follow the step-by-step procedure to install the new package. See Table 12.3 for available arguments to the newpkg command.

Table 12.3: newpkg Command Line Arguments

Switch for newpkg                   Description
-i                                  Installs the package, but does not activate it. Prompts you for media type, new packages and old packages that you wish to install or upgrade.
-s <server>                         Specifies the FTP server IP address.
-l <username>                       Enter the FTP user name (you don't need to enter a username if you will be using anonymous FTP).
-p <password>                       Enter the FTP user's password.
-m <CDROM | AFTP | FTP | LOCAL>     Choose the media type. Available options are CDROM, AFTP, FTP or LOCAL.
-d                                  Prints debug messages.
-v                                  Verbose mode for FTP.
-n <new package>                    Enter the full pathname of the new package you are installing.
-o <old package>                    Enter the full pathname of the package you are upgrading from.
-S                                  This sets the newpkg to install the package silently. If you enable silent mode, you must specify the following arguments: -o, -m, -n and possibly -s and -l, -p if the media type is not LOCAL.
-h                                  Prints the usage for newpkg (help).

  1. Put the following package files in /var/admin. This example will be using the NG FP1 packages since they are the most recent as of this writing.

    • SVN Foundation – cpshared_NG_FP1_0022_1_nokia_packages.tgz

    • VPN-1/FW-1 – fw1_NG_FP1_51012_5_nokia_packages.tgz

    Note

    Do not unzip or untar the Nokia packages. When you run the newpkg command, it will do that for you.

  2. From the /var/admin directory, type newpkg -i and press Enter. The newpkg installation program will begin, and will ask you where to install the new package, as shown.

    fwlab1[admin]# newpkg -i

    Load new package from the following:
    1. Install from CD-ROM.
    2. Install from anonymous FTP server.
    3. Install from FTP server with user and password.
    4. Install from local filesystem.
    5. Exit new package installation.

    Choose an installation method (1-5):  4
    Enter pathname to the packages [ or 'exit' to exit ]: .

    Loading Package List

    Processing package cpshared_NG_FP1_0022_1_nokia_package.tgz ...
    Package Description: Check Point SVN Foundation NG Feature Pack 1 (Sun Dec 23 19:05:20 IST 2001 Build 0022)

    Would you like to  :
    1. Install this as a new package
    2. Upgrade from an old package
    3. Skip this package
    4. Exit new package installation

    Choose (1-4): 1

  3. Choose the option for local filesystem (number 4) and press Enter.

  4. When you are prompted for the pathname to the package, type a period (.) for your current directory (which is /var/admin) and press Enter.

  5. The newpkg program will locate any packages located in this directory and begin processing them one by one. The Check Point SVN Foundation NG package will be presented to you. Choose 1 to install this as a new package and press Enter.

    Once the newpkg program has begun, it will process each package in the current directory until it has run through them all. If a package comes up that is already installed, or if you don't want to install it, choose option 3 to skip the package and continue on with the others. You should reboot your Nokia appliance after each new Check Point package that you install; do not install them all simultaneously.

  6. When the installation of SVN is finished, exit the newpkg installation and reboot with the command sync; sync; reboot.

  7. When the system boots up, log in to Voyager and enable the SVN package.

    • Click Manage Installed Packages.

    • Turn on the new NG SVN package.

    • Click Apply then Save.

  8. When done in Voyager, type newpkg -i from the /var/admin directory and press Enter.

  9. Choose the option for local filesystem (number 4) and press Enter.

  10. Type a period (.) for your current directory (/var/admin) and press Enter.

  11. If you have an earlier version of VPN-1/FW-1 installed, choose number 2 to upgrade this package from an old package.

  12. Choose the package you are upgrading from the available choices.

  13. Verify that you want to continue and that the correct packages are being processed by pressing Enter.

  14. When the installation is complete, exit the newpkg installation and reboot by typing: sync; sync; reboot.
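A pre-flight check for the package directory used in steps 1 through 5, as an added example that is not from the book, Nokia or Check Point. The function names are hypothetical, the file-name patterns generalize the NG FP1 names from step 1, and a POSIX shell with gzip is assumed.

```sh
#!/bin/sh
# Added example: verify the staged packages before running "newpkg -i".
# Usage: preflight /var/admin

# check_pkg DIR PATTERN LABEL
# Requires exactly one matching file that is an intact, still-compressed
# gzip archive (the procedure says not to unzip or untar the packages).
check_pkg() {
    dir=$1; pattern=$2; label=$3
    count=0; found=
    for f in "$dir"/$pattern; do
        [ -f "$f" ] || continue
        count=$((count + 1)); found=$f
    done
    if [ "$count" -ne 1 ]; then
        echo "FAIL $label: expected 1 file matching $pattern, found $count" >&2
        return 1
    fi
    # gzip -t tests the compressed stream without extracting anything, so it
    # catches truncated transfers and files that were already gunzipped.
    if ! gzip -t "$found" 2>/dev/null; then
        echo "FAIL $label: $found is not an intact gzip archive" >&2
        return 1
    fi
    echo "$found"
}

# preflight [DIR]
# Prints the packages in the order the procedure installs them (SVN
# Foundation first, then VPN-1/FW-1); returns non-zero on any failure.
# The patterns accept both "_nokia_package.tgz" and "_nokia_packages.tgz",
# since both spellings appear on this page.
preflight() {
    dir=${1:-/var/admin}
    svn=$(check_pkg "$dir" 'cpshared_NG_*_nokia_package*.tgz' 'SVN Foundation') || return 1
    fw=$(check_pkg "$dir" 'fw1_NG_*_nokia_package*.tgz' 'VPN-1/FW-1') || return 1
    echo "1 $svn"
    echo "2 $fw"
}
```

A non-zero exit means a package is missing, duplicated, truncated, or was unpacked by hand; fix that before starting newpkg.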

Configuring VPN-1/FireWall-1 NG on Nokia

If VPN-1/FW-1 NG is installed on your Nokia appliance, but it hasn't been configured, you must run cpconfig before attempting to start the new package. If you just received your Nokia fresh from the factory, and NG is installed, then you will still need to run cpconfig before the package will run properly. This is because you must accept the license agreement, choose what components you want to run (Management and/or Enforcement Module), and configure licenses, administrators, GUI clients, etc. The configuration options are the same as the options on the Solaris platform. See Figure 12.69 for the output of cpconfig on an NG FP1 Nokia appliance.

Figure 12.69: cpconfig on Nokia

After the NG package is installed on your system, you must run cpconfig to configure the package. Follow these steps to configure and activate your VPN-1/FW-1 NG package.

  1. Run cpconfig and go through each screen. It is recommended that you do not enter CTRL + C at any time during the initial cpconfig configuration screens.

  2. When finished with cpconfig, log in to Voyager and enable your NG package (see Figure 12.70).

    Figure 12.70: Managing Installed Packages

    • Click Manage Installed Packages.

    • Turn off the old FW-1 package.

    • Turn on the new NG FP1 package.

    • Click on Apply then Save.

    The Nokia package management makes it simple to back out of an upgrade. As you can see in Figure 12.70, it is easy to toggle back and forth between installed packages. You can also switch back and forth between IPSO images from Voyager's Manage IPSO Images page. After enabling or disabling a package or IPSO image, you must reboot your firewall.

    Note

    Remember to always click Apply and then Save when making changes in the Voyager GUI. If you don't save your changes, they will not be retained on a reboot.

  3. After making changes to the FW-1 packages, you must reboot the system again. You can either restart the system from the Voyager GUI, or exit Voyager and type sync; sync; reboot to restart the box.




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240