9 December 2015 Check Point Software Technologies LTD. R77.30 Installation Guide Version 1.0 Classification: [Restricted]



© 2015 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.

Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.


Contents

Installing the Gaia Operating System ... 4

Console Login ... 8

Installing the Stand-alone Security Management Server ... 8

Installing HFAs ... 14

Installation Settings ... 15

Installing the Security Gateway ... 15

Installing HFAs ... 21

Installation Settings ... 22

Evaluation Configuration ... 22

CSfC Evaluation Configurations (enables IPSec protections for inter TOE communication) ... 26

General Guidance ... 28


Check Point Software Technologies LTD. R77.30 Installation Guide Version1.0 | 4

Installing the Gaia Operating System

1. Insert the Software Blades R77.30 CD into the CD drive and reboot. After rebooting, on Open Server the Welcome to Check Point screen appears:

On a CheckPoint Appliance the following message appears:

For a Check Point Appliance, this step takes several minutes, after which a reboot is required (reboot by holding Ctrl+C):

After reboot, skip to step 13 (Console Login).

2. Select Enter to confirm the installation. If you do not press Enter within a pre-designated interval, the computer will reboot from the hard disk. Wait while the installation program is loaded. The installation program checks the hardware platform to verify that it is compatible with Gaia hardware requirements. If the hardware is suitable, the Welcome menu is displayed:

WARNING - Do not continue with the installation if the hardware is found to be unsuitable.

3. The Welcome menu allows the administrator to request additional information on identified hardware devices (Device List), to install additional hardware drivers from a diskette (Add Driver), to abort installation (Cancel) or to proceed with normal installation (OK).

Driver installation may be required for some hardware platforms, as indicated in the hardware configuration guidance. Only install drivers whose origin and integrity can be verified. This can be determined where the drivers are received directly from the hardware vendor using verifiable delivery procedures, or by calculating the driver MD5 or SHA-1 hash and verifying it against valid hashes provided by Check Point or by the hardware vendor.

Note - In any case, do not install network interface card (NIC) drivers. NIC drivers are critical to the correct operation of the evaluated security functionality; installing unevaluated NIC driver code will take the product outside of its evaluated configuration.

4. If the installation is performed using a directly-connected keyboard (instead of a terminal connected to a console port), the Keyboard Selection menu is displayed:

Select keyboard type by using the up and down arrow keys, then use tab to navigate to the OK button and press Enter.


5. The Partitions Configuration menu allows you to change the default partitioning on the machine.

6. The Account Configuration menu allows you to set your password.

7. The Networking Device menu is displayed if more than one network device is connected. Select the network interface (link) by using the up and down arrow keys, then use tab to navigate to the OK button and press Enter. Select the interface you will connect to for later management and configuration of the machine. At this step you must be familiar with your network configuration so that you configure the correct network device as the management interface.

8. Once the correct link has been selected, you are prompted to enter additional data for the network interface configuration. In the Network Interface Configuration menu, specify the Management Interface IP address, netmask and default gateway of the network interface, and select OK.

IP address - The IP address assigned to the network interface.

Netmask - The network mask for the IP address.

Default gateway IP - The IP address of the default gateway assigned to your machine's IP address.

9. The Confirmation screen is displayed. Select OK to proceed:

10. The following installation operations are performed:

Hard drive formatting

Software package installation

File copying procedure

This step can take several minutes, after which the Installation Complete screen is displayed. Select OK to complete the installation:

11. The system will now reboot. Make sure to remove the CD or diskette that you used during the installation process. On most systems the CD will be ejected automatically after selecting OK in the Installation Complete menu.

12. During the boot process, an option is presented to display a boot menu. There is no need to select this option. If the boot menu is displayed, select the Start in normal mode option.


Console Login

1. Log in to the Gaia console interface:

First Time Login - If you are logging in for the first time, use admin and the password you chose; on a Check Point Appliance, use admin as both the username and the password.

Note - The password for the admin account is only used for the installation process. Do not perform a console login once the evaluated configuration is operational.

The password must conform to the following operating system-enforced complexity requirements:

At least 6 characters in length

A mixture of alphabetic and numeric characters

At least four different characters

Does not use simple dictionary words, or common strings such as “qwerty”
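As an added example (not part of the Check Point guide), the Python function below checks a candidate password against the four complexity rules listed above. The list of common strings is a constructed placeholder, since the guide does not publish the OS word list, and min_length can be raised to 15 to match the PASSWORD_MIN_LENGTH setting used later in the evaluated configuration.

```python
import re

# Constructed placeholder for "simple dictionary words or common strings";
# the guide names only "qwerty". The real OS check uses its own word list.
COMMON_STRINGS = {"qwerty", "password", "admin", "letmein", "welcome", "123456"}


def check_gaia_password(password, min_length=6, common=COMMON_STRINGS):
    """Return the list of rule violations; an empty list means the password passes.

    min_length defaults to the console requirement stated in the guide (6).
    The evaluated configuration later raises it to 15 (PASSWORD_MIN_LENGTH=15).
    """
    problems = []

    # Rule 1: minimum length
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule 2: a mixture of alphabetic and numeric characters
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("needs both alphabetic and numeric characters")

    # Rule 3: at least four different characters
    if len(set(password)) < 4:
        problems.append("fewer than four different characters")

    # Rule 4: no dictionary words or common strings. A common string is
    # rejected if it appears anywhere; a dictionary word is also rejected
    # when it is merely padded with digits or symbols (e.g. "Password1").
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(common):
        if word in lowered or letters_only == word:
            problems.append(f"contains common string '{word}'")
            break

    return problems


def is_compliant(password, min_length=6):
    """Convenience wrapper: True when no rule is violated."""
    return not check_gaia_password(password, min_length)


if __name__ == "__main__":
    for candidate in ("qwerty12", "aaa111", "abcdef", "Tq7!mLz9"):
        print(candidate, "->", check_gaia_password(candidate) or "OK")
```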

2. On Check Point Appliances, set the IPv4 address of the interface:

Type - “set interface <interface> ipv4-address <ip4_address> subnet-mask <netmask>”

3. To continue the installation process, define the port on which the Gaia Portal listens:

Type “set web ssl-port <port_number>”

Type “y” and press “enter” to confirm.

4. Run “save config” and reboot the system.

Installing the Stand-alone Security Management Server

The Security Management Server and Security Gateway are installed on the same server in this stand-alone deployment.

The Gaia Portal is a Check Point utility used to configure the Gaia operating system. When you connect to the Gaia Portal for the first time after installation, the First Time Wizard runs and guides the administrator through the various menus.


1. Connect to the Gaia Portal using HTTPS on the defined port (disregard the security certificate warning if displayed):

The following screen is displayed:

2. Type the user name and password. Click Log In.

Note - The Check Point Appliance default admin password is admin.


3. The Welcome window is displayed, showing the platform. Click Next.

4. The Deployment window is displayed:

Click Next.

5. The Management Connection window is displayed:

Click Next.


6. The Connection to UserCenter window is displayed:

Click Next.

7. The Device Name window is displayed:

Type the desired host name, domain name, and DNS servers. Click Next to continue.

8. The Date and Time Settings window is displayed:

Set the current Date, Time and Time Zone. Click Next.


9. The Installation Type window is displayed:

Click Next.

10. The Products window is displayed:

Select both the Security Gateway and Security Management product. Click Next.

11. The Alert window is displayed:

Click Yes.


12. For the Primary Management server, the Security Management Administrator window is displayed:

Type the Administrator Name and password. Click Next.

13. The Security Management GUI Clients window is displayed:

Set the desired GUI clients. Click Next.


14. A Summary window is displayed:

Check that the Summary is OK. Click Finish and approve it by clicking Yes.

15. Run: "fw unloadlocal"

Installing HFAs

1. Install the required addon/HF:

a) Copy the Check_Point_R77_30_T204_Add-on_Gaia.tgz to the machine.

b) Run: “tar xvfz Check_Point_R77_30_Add-on_linux.tgz”

c) Run: “./UnixInstallScript”

d) Reboot

2. Install the required HF:

a) Copy the fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz to the machine.

b) Run: “tar xvfz fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz”

c) Run: “./fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1”

d) Reboot

3. Install the required HF:

a) Copy the sim_HOTFIX_R77_30_CERT_HF.tgz to the machine.

b) Run: “tar xvfz sim_HOTFIX_R77_30_CERT_HF.tgz”

c) Run: “./sim_HOTFIX_R77_30_CERT_HF_990050002_1”

d) Reboot

4. Install the required HF:

a) Copy the SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz to the machine.

b) Run: “tar xvfz SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz”

c) Run: “./SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz”

d) Reboot


Installation Settings

1. Enter the following commands from the console in expert mode to disable functionality that is not available in the evaluated configuration (optional):

cpd_config -d avsu

cpd_config -d RemoteLic

cpd_config -d SicUpgrade

cpd_config -d RoamingAdmin

cpd_config -d dlpSync

cpd_config -d PAServerAddon

cpd_config -d PAHBServerAddon

cpd_config -d LSMServerAddon

2. You may now perform any or all of the configuration steps described in Installation Settings that require Security Management Server console access before you move on to the next step. These steps describe installation settings that have been documented and evaluated as compatible with the evaluated security policy.

Installing the Security Gateway

The Gaia Portal is a Check Point utility used to configure the Gaia operating system. When you connect to the Gaia Portal for the first time after installation, the First Time Wizard runs and guides the administrator through the various menus.

1. Connect to the Gaia Portal using HTTPS on the defined port (disregard the security certificate warning if displayed):


The following screen is displayed:

2. Type the user name and password. Click Log In.

Note - The Check Point Appliance default admin password is admin.

3. The Welcome window is displayed, showing the platform. Click Next.


4. The Deployment window is displayed:

Click Next.

5. If the Security Gateway is a Check Point Power Appliance, the Authentication Details window is displayed:

Enter your desired password in the fields. Click Next.

6. If the Security Gateway is on an Open Server, the Network Connection window is displayed:


Use the Network Connection menu to configure your management network connection. Configure its IP address, netmask and default gateway. Click Next.

7. If the Security Gateway is on an Open Server, the Date and Time Settings window is displayed:

Set the current Date, Time and Time Zone. Click Next.

8. The Device Name window is displayed:

Type the desired host name, domain name and DNS servers. Click Next to continue.


9. The Products window is displayed:

Select only the Security Gateway product. Click Next.

10. An Alert window is displayed:

Click Yes.

11. The Dynamically Assigned IP window is displayed:

Click Next.


12. The Secure Internal Communication (SIC) window is displayed:

Type the Activation Key and confirm it. Click Next.

13. For Check Point appliances, the License Activation window is displayed:

Choose Activate later. Click Next.

14. The Summary window is displayed:

15. Check that the Summary is OK. Click Finish and approve it by clicking Yes.

16. Run: "fw unloadlocal"


17. A confirmation window is displayed:

For appliances:

For Open Servers:

Click OK in both cases.

18. Run: "fw unloadlocal"

Installing HFAs

1. Install the required HF:

a) Copy the fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz to the machine.

b) Run: “tar xvfz fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz”

c) Run: “./fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1”

d) Reboot

2. Install the required HF:

a) Copy the sim_HOTFIX_R77_30_CERT_HF.tgz to the machine.

b) Run: “tar xvfz sim_HOTFIX_R77_30_CERT_HF.tgz”

c) Run: “./sim_HOTFIX_R77_30_CERT_HF_990050002_1”

d) Reboot


3. Install the required HF:

a) Copy the SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz to the machine.

b) Run: “tar xvfz SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz”

c) Run: “./SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz”

d) Reboot

Installation Settings

1. Enter the following commands in expert mode to disable functionality that is not available in the evaluated configuration:

cpd_config -d avsu

cpd_config -d RemoteLic

cpd_config -d SicUpgrade

cpd_config -d dlpSync

cpd_config -d LSMAgentAddon

cpd_config -d simplePA

sed -i -e 's/.*stormd.*//' $FWDIR/conf/fwauthd.conf

sed -i -e 's/.*sdsd.*//' $FWDIR/conf/fwauthd.conf

sed -i -e 's/.*dlp*.*//' $FWDIR/conf/fwauthd.conf

2. It is highly recommended (though not required) to set up an NTP client on all Security Gateways and on the Security Management Server in order to synchronize clocks with an NTP time server:

# ntp <secret> <interval> <server1> [<server2> [<server3>]]

# ntpstart

(Where <secret> is the NTP server MD5 shared secret, <interval> is the polling interval in seconds, and server1, server2, server3 are IP addresses for NTP servers that are to be polled.)

Note - If you configure NTP, specify a shared secret <secret> to protect NTP communication. Secrets should be chosen out of a sufficiently large range (at least 16 random octets) in order to provide protection against exhaustive search attacks. It is also recommended to periodically change shared secrets.

3. Exit expert mode. Run the following command to disable the WebUI:

set web daemon-enable off

4. You may now also perform any or all of the configuration steps described in Installation Settings that require Security Gateway console access before you move on to the next step. These steps describe additional installation settings that have been documented and evaluated as compatible with the evaluated security policy.
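As an added example (not from the guide), the Python below generates a shared secret of the 16 random octets recommended in step 2 above and shows how that secret protects NTP traffic: the symmetric-key MAC defined in RFC 5905 is the 32-bit key ID followed by MD5(secret || 48-byte header), so a peer without the secret can neither forge a time response nor alter one in transit. The 48-byte client header and the test secret are constructed for the example; key ID 45 is taken from the guide's keys-file line.

```python
import hashlib
import hmac
import os
import struct

NTP_HEADER_LEN = 48          # RFC 5905 header without extension fields or MAC
NTP_MD5_MAC_LEN = 4 + 16     # 32-bit key ID followed by a 16-byte MD5 digest


def generate_ntp_secret(num_octets=16):
    """Draw a shared secret from the OS CSPRNG.

    The guide asks for at least 16 random octets so that an observer of
    authenticated packets cannot recover the key by exhaustive search.
    """
    if num_octets < 16:
        raise ValueError("the guide requires at least 16 random octets")
    return os.urandom(num_octets)


def build_client_header(transmit_ts=0x0123456789ABCDEF):
    """Constructed sample input: a minimal NTPv4 client header.

    Byte 0 packs LI=0, VN=4, Mode=3 (client) -> 0x23. Stratum, poll,
    precision and the reference/origin/receive fields are left zero; the
    transmit timestamp occupies the final 8 bytes (offset 40).
    """
    header = bytearray(NTP_HEADER_LEN)
    header[0] = 0x23
    struct.pack_into("!Q", header, 40, transmit_ts)
    return bytes(header)


def ntp_md5_mac(key_id, secret, header):
    """RFC 5905 symmetric-key MAC: key ID || MD5(secret || header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(secret + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate_packet(key_id, secret, header):
    """Append the MAC to a header, as an NTP client or server would."""
    return header + ntp_md5_mac(key_id, secret, header)


def verify_packet(packet, keys):
    """Verify an authenticated packet against a {key_id: secret} table.

    Returns True only if the key ID is known and the digest matches; an
    unknown key, a truncated packet or any modified header byte fails.
    """
    if len(packet) != NTP_HEADER_LEN + NTP_MD5_MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    mac = packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    secret = keys.get(key_id)
    if secret is None:
        return False
    expected = hashlib.md5(secret + header).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, mac[4:])


def demo():
    """Exercise the genuine case and two failure cases; returns the outcomes."""
    secret = generate_ntp_secret()
    keys = {45: secret}                      # key ID 45 as in the guide's keys file
    header = build_client_header()
    packet = authenticate_packet(45, secret, header)

    tampered = bytearray(packet)
    tampered[40] ^= 0x80                     # flip one bit of the transmit timestamp
    return {
        "genuine": verify_packet(packet, keys),
        "tampered": verify_packet(bytes(tampered), keys),
        "wrong_key_id": verify_packet(packet, {46: secret}),
    }


if __name__ == "__main__":
    print(demo())
```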

Evaluation Configuration

1. Set routes on the GW, SA and Windows machines.

2. Run: "set web daemon-enable off".

3. For automation:

Install the Automation Agent:

a) On /var: tar -zxf SPLAT_AIG_PACKAGE_516.tgz

b) chsh -s /bin/tcsh root

c) export LC_ALL=C


d) ./install_splat.csh

e) Edit the $FWDIR/conf/defaultfilter.pf file and add the entry below:

f) all@all

g) accept (tcp, inbound, (dport = 12321 or sport = 12321) , DEFAULT_RECORD());

h) Run $FWDIR/bin/comp_init_policy to recompile the new initial policy

i) Change /etc/init.d/aigagent

j) chmod 777 /etc/init.d/aigagent

k) /etc/init.d/aigagent stop; /etc/init.d/aigagent start

l) On /tmp: tar -xvzf FireBall-Agent-0.37.tar.tar

m) perl install_AIG.pl

n) reboot

o) fw ver -f check

p) cat check

q) mkdir $FWDIR/conf_<build number>

r) chmod 777 $FWDIR/conf_<build number>

s) cp -rf $FWDIR/conf/* $FWDIR/conf_<build number>/

t) touch $FWDIR/conf_<build number>/finishedcopy

4. On the SA run: "fips_mgmt on"

5. For automation: Add to /etc/ntp/keys: 45 M hello

6. For automation: Edit the $FWDIR/conf/fwauthd.conf accordingly:

21 fwssd in.aftpd wait -1.

23 fwssd in.atelnetd wait -1.

25 fwssd in.asmtpd wait -1.

7. Using CLI, execute "expert" and type the administrator password.

8. Run the command "echo export PASSWORD_MIN_LENGTH=15 > /etc/environment".

9. Open GUIDBEdit > set the "enable_internal_user_password_validation" to true, save and exit.

10. Enable GUI timeout on the GUI machine:

a) Run "regedit".

b) HKEY_CURRENT_USER > Software > CheckPoint > Management Clients > 6.4.3 > R77.30 > Check Point Smart Dashboard > General Settings.

c) Create new DWORD entry, name it ExitOnTimeout, set its value to 1 and exit.

11. Uncomment the line below from the $FWDIR/lib/table.def file on both SA and GW:

allowed_ipv6_extension_headers = { <EXTHDR_ROUTING>, <EXTHDR_HOPOPTS>, <EXTHDR_DSTOPTS>, <EXTHDR_AH>, <EXTHDR_MOBILE> };

12. Set host names on the GW, SA and windows machines (CA hostname) using the command:

"echo >> /etc/hosts '10.90.49.202 w2k8ca'"

13. Add an environment variable by editing $CPDIR/tmp/.CPprofile.sh and adding the following line:

"USE_ONLY_GOOD_ENTROPY=1 ; export USE_ONLY_GOOD_ENTROPY"

14. Open Smart Dashboard and edit the SA object (Right Click > Edit), set the IPsec VPN, IPS, and Monitoring blades.


15. Open the Topology tab > Get > Interface with Topology… > Yes > Accept.

16. Create new Security GW object (Right click on Check Point > Security Gateway/Management… > Classic Mode), set the IPsec VPN, IPS, and Monitoring blades.

17. Establish SIC.

18. Create a new Security GW object (Right click on Check Point > Security Gateway/Management… > Classic Mode), set the IPsec VPN, and Monitoring blades.


19. Name it opsec_gw.

20. Establish SIC.

21. Configure and install the (any any any accept log) policy (with access to the CA).

22. Edit the /bin/fips files on SA, GW and opsechost from expert mode > comment the if condition for management, securexl and rtm.

23. Run "fips on" on both GW and SA.

24. Install the policy on the SA1.


25. Define the CA and retrieve the certificates from it according to the external CA documentation (disable CRL caching). In Global Properties, disable "Accept control connections" and "Accept outgoing packets originating from Gateway".

CSfC Evaluation Configurations (Enables IPSec protections for inter TOE communication)

1. Add the following rules to the policy (columns: Source, Destination, VPN, Service, Action, Track):

Any | CAWin2K8 | Any | HTTP | Accept | Log

Any | Firewalled_gateways | Any | IKE, IKE_tcp, IKE_NAT_TRAVERSAL, FW1_ica_services, CPMI, CP_rtm, CPD, CPD_amon, tunnel_test, FW1_topo, FW1_amon, FW1_ela, FW1_lea, FW1_log, FW1_ica_pull, FW1_ICA_push, https | Accept | None

2. Launch Menu > Manage > Network Objects > New > Network:

Name: Net_10.37.49.x, Network Address: 10.37.49.0, Netmask: 255.255.255.0.

Name: Net_10.37.89.x, Network Address: 10.37.89.0, Netmask: 255.255.255.0.

3. Create these groups: Launch Menu > Manage > Network Objects > New > Group > Simple Group:

Name: encryption_net and add network Net_10.37.49.x.

Name: excluded_net and add host CAWin2k8.


Launch Menu > Manage > Network Objects > New > Group > Group with Exclusion: Name: VPN_Group. In Objects In, select encryption_net. In except, select excluded_net.

4. Issue external certificates for each of the gateways/clusters/VS (according to the External CA documentation).

5. Configure VPN topology with a Site to Site star community topology:

a) Gateway A (SA1): center gateway.

b) Gateway B (GW1): remote gateway (Satellite gateway).

Gateway A is a Central Gateway of a simple star community.

Gateway B is a Satellite Gateway member of the same community.

6. Click on Manage > VPN Communities > New > Site To Site > Star. In Name, enter Star_Community.

7. Behind gateway A is host A (fw_host); behind gateway B is host B (gw1_host). Create a network object group named Common_Group. Put all gateways and hosts in it.

8. Encryption > select Custom Encryption

The community VPN parameters:

IKE Properties:

Key Exchange Encryption: AES-256.

Data Integrity: SHA-256.

IPSec Properties:

IPSec Data Encryption: AES-256.

Data Integrity: SHA-256.

9. Change the DH group into group 14.

10. Excluded services tab > add the IKE service to the list.

11. Edit the SA1 object: in Topology, under VPN Domain, select the Manually defined check-box and select VPN_Group.

12. Install the policy on the remote member.

13. Check on the remote member that the policy was installed using "fw stat".

14. Install the policy on the SA1.

--- GW SIC established ---

15. Edit the GW properties > "IPSec VPN" > add the RA community > "VPN Clients" > set only the "Endpoint Security VPN" and pick the relevant certificate > "Office Mode" > check the "Allow Office Mode to all users" > OK.

16. In Global Properties > Authentication, clear the Authenticate internal users with this suffix only check-box.

17. Assign the SA to the Remote Access community: in IPSec VPN tab > Communities > Right click on Remote Access community > Edit > Participating Gateways tab> Add the Stand Alone Management machine (SA1).

18. Before running the next step (creating the external CA), verify that the signature algorithm of your CA server is ECDSA SHA256/SHA384.

19. (Optional) Go to your CA machine > open certificate authority client > right click on your CA > properties > general tab > select the certificate #0 > view certificate > Details > make sure signature algorithm value is ECDSA SHA256/SHA384

20. Configure the Stand Alone Management (SA1) to work with the external CA according to the External CA Guide.

21. On the Stand Alone Management (SA1) properties:

a) VPN Clients > Office Mode > Check the box Allow Office Mode for all users and select the default pool.

b) (Optional) Add route on SA1: default office mode network -> connecting machine (192.168.90.202)


22. Enable Visitor Mode on the SA: VPN Clients > Remote Access > Select the Support visitor mode check-box. In Machine Interface drop-down list, select All Interfaces, (Optional) check the Allow Secure Client to route traffic through this gateway

23. In VPN Clients tab, select both EndPoint Security VPN and SSL Network Extender checkboxes.

24. In Global Properties > Authentication, clear the Authenticate internal users with this suffix only check-box.

25. Open Launch menu > Manage > Users and Administrators > New > User Group to create a user group named allow_group > OK

26. Open Launch menu > Manage > Users and Administrators > New > User by Template > Default > Define the User Name as admin_user > Groups tab > Add it to allow_group > OK > Close.

27. IPSec VPN tab> Communities > Right click on RemoteAccess community > Edit > Participant User Groups tab > Add > Select the allow_group user group > OK.

28. "Remote Access" > "VPN - Authentication" > "Edit" > "IKE" tab > set the "Use encryption algorithm" to "AES-128", the "Use Data Integrity" to "SHA256" and the "Diffie-Hellman groups" to "Group 14 (2048 bit)" > "IPSEC Security Association (Phase 2)" tab > set "Encryption Algorithm" to "AES-128" and "Data Integrity" to "SHA-256" > OK , OK.

29. Define and install the policy (columns: Source, Destination, VPN, Service, Action, Track):

Source = Any, Destination = Any, VPN = Any, Service = IKE

Any | Firewalled_gateways | Any | IKE, IKE_tcp, IKE_NAT_TRAVERSAL, FW1_ica_services, CPMI, CP_rtm, CPD, CPD_amon, tunnel_test, FW1_topo, FW1_amon, FW1_ela, FW1_lea, FW1_log, FW1_ica_pull, FW1_ICA_push, https | Accept | None

Allow_group@any | Any | RemoteAccess | Any | Accept | Log

Any | CAWin2K8 | Any | HTTP, LDAP | Accept | Log

Any | Firewalled_gateways | Any | FW1_topo | Accept | None

30. Connect to the SA according to the instructions in the Endpoint_security_guide.

31. Connect using the Smart Dashboard to the SA internal IP address.

--- Client SIC established ---

General Guidance

1. To DISCARD traffic, use a "drop" rule. To BYPASS traffic, use an "accept" rule. To PROTECT traffic, create a VPN community.

2. To create a rule, use the "add rule" buttons:

3. In order to change the VPN configuration and algorithms do as follows:

Edit the VPN community > Encryption > select Encryption Method > select IKEv2 > select Custom Encryption or pick one from the pre-defined list.

The community VPN parameters:

IKE Properties:

Key Exchange Encryption: AES-128/256.

Data Integrity: SHA-256/384.

IPSec Properties:

IPSec Data Encryption: AES-128/256/AES-GCM-128/256.

Data Integrity: SHA-256.


4. For changing the Phase 1 and Phase 2 rekey edit the VPN community > Advanced Settings > Advanced VPN Properties > change renegotiation for IKE and IPSec.