
Check Point Software Technologies Ltd.

We Secure the Internet.

Check Point
Certified Security Administrator R75
LAB MANUAL

3D
SECURITY
Check Point Security Series

Check Point Certified Security Administrator


R75 Lab Manual
P/N: 704736

Check Point Software Technologies Inc.
Copyright Check Point Software Technologies Ltd. All rights reserved.
Printed by Check Point Press,
A Division of Check Point Software Technologies Ltd.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

© 2003-2011 Check Point Software Technologies Ltd.

COPYRIGHT NOTICE
No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Check Point Software Technologies Ltd. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, Check Point Software Technologies Ltd. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Copyright © Check Point Software Technologies Ltd. All rights reserved.

TRADEMARKS
© 2003-2011 Check Point Software Technologies Ltd. All rights reserved. Check Point, Check Point Abra, AlertAdvisor, Application Intelligence, Check Point Application Control Software Blades, Check Point Data Loss Prevention, Check Point DLP, Check Point DLP-1, Check Point Endpoint Security, Check Point Endpoint Security On Demand, the Check Point logo, Check Point Full Disk Encryption, Check Point Horizon Manager, Check Point Identity Awareness, Check Point IPS, Check Point IPSec VPN, Check Point Media Encryption, Check Point Mobile, Check Point Mobile Access, Check Point NAC, Check Point Network Voyager, Check Point OneCheck, Check Point R75, Check Point Security Gateway, Check Point Update Service, Check Point WebCheck, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, DefenseNet, DynamicID, Endpoint Connect VPN Client, Endpoint Security, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IP Appliances, IPS-1, IPS Software Blade, IPSO, R75, Software Blade, IQ Engine, MailSafe, the More, better, Simpler Security logo, Multi-Domain Security Management, MultiSpect, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, Secure Virtual Workspace, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Series 80 Appliance, SiteManager-1, Smart-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, SmartEvent, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartReporter, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartWorkflow, SMP, SMP On-Demand, SocialGuard, SofaWare, Software Blade Architecture, the softwareblades logo, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, UserCheck, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Edge, VPN-1 MASS, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VE, VPN-1 VSX, VSX, VSX-1, Web Intelligence, ZoneAlarm, ZoneAlarm Antivirus, ZoneAlarm DataLock, ZoneAlarm Extreme Security, ZoneAlarm ForceField, ZoneAlarm Free Firewall, ZoneAlarm Pro, ZoneAlarm Internet Security Suite, ZoneAlarm Security Toolbar, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, 7,165,076, 7,540,013, 7,725,737 and 7,788,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel
Tel: +972 3 753 4555
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065
Tel: 650 628-2000
Fax: 650 654-4233
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913
E-mail any comments or questions about our courseware to courseware@us.checkpoint.com.
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.

Document #: DOC-Manual-Lab-CCSA-R75

Revision: R75

Content: Mark Hoefle, Steven Luc, Joey Witt

Graphics: Jeffery Holder, Chunming Jia

Contributors, Alpha & Beta Testing: Allen Land, Austin Stubblefield, Carlos Moreira, Charles Singleton, Francine Nguyen, John Michealson, Justin Sowder, Kim Winfield, Ron Brace, Sara Jones

Test Development: Ken Finley - Check Point

Check Point Technical Publications Team: Rochelle Fisher, Daly Yam, Eli Har-Even, Micky Sapir, Paul Grigg, Richard Levine, Shira Rosenfield, Yankov Simon

Check Point Technical Review: Allen Land, Austin Stubblefield, Carlos Moreira, Charles Singleton, Francine Nguyen, John Michealson, Justin Sowder, Ron Brace, Sara Jones
Contents

Preface .... 1
Topology .... 2
Lab 1: Distributed Installation .... 3
    Install Security Management Server .... 4
    Configure Security Management Server Using sysconfig .... 12
    Install SecurePlatform on the Corporate Security Gateway .... 28
    Configure the Corporate Security Gateway using the WebUI .... 30
    Install SmartConsole .... 50
Lab 2: Branch Office Security Gateway Installation .... 57
    Install SecurePlatform on the Branch Gateway .... 58
    Configure the Branch Gateway via the WebUI .... 64
Lab 3: CLI Tools .... 79
    Set Expert Password .... 80
    Apply Other Useful Commands .... 83
    Add and Delete Administrators via the CLI .... 86
    Perform backup and restore .... 88
Lab 4: Building a Security Policy .... 91
    Create Security Gateway Object .... 92
    Create GUI Client Object .... 100
    Create Rules for Corporate Gateway .... 102
    Save the Policy .... 106
    Install the Policy .... 107
    Test the Corporate Policy .... 110
    Create the Remote Security Gateway Object .... 111
    Create a New Policy for the Branch Office .... 117
    Combine and Organize Security Policies .... 121
Lab 5: Configure the DMZ .... 129
    Create DMZ Objects in SmartDashboard .... 130
    Create DMZ Access Rule .... 132
    Test the Policy .... 133
Lab 6: Configuring NAT .... 135
    Configure Hide NAT on the Corporate Network .... 136
    Test the Hide NAT Address .... 140
    Configure Static NAT on the DMZ Server .... 142
    Test the Static NAT Address .... 143
    Observe Hide NAT Traffic Using fw monitor .... 144
    Configure Wireshark .... 146
    Observe the Traffic .... 148
    Observe Static NAT Traffic Using fw monitor .... 149
Lab 7: Monitoring with SmartView Tracker .... 153
    Launch SmartView Tracker .... 154
    Track by Source and Destination .... 157
    Modify the Gateway to Activate SmartView Monitor .... 160
    View Traffic Using SmartView Monitor .... 162
Lab 8: Client Authentication .... 169
    Use Manual Client Authentication with FTP and Local User .... 170
    Modify the Rule Base .... 174
    Test Manual Client Authentication .... 178
    Use Partially Automatic Client Auth with a Local User .... 181
    Configure SmartDirectory with LDAP .... 186
    Verify SmartDashboard Integration .... 197
    Test Active Directory Authentication .... 200
    Create a Database Revision .... 203
Lab 9: Identity Awareness .... 205
    Configuring the Security Gateway .... 206
    Defining the User Access Role .... 211
    Applying User Access Roles to the Rule Base .... 215
    Testing Identity Based Awareness .... 218
    Prepare Rule Base for Next Lab .... 220
Lab 10: Site-to-Site VPN Between Corporate and Branch Office .... 221
    Define the VPN Domain .... 222
    Create the VPN Community .... 225
    Create the VPN Rule and Modifying the Rule Base .... 232
    Test VPN Connection .... 235
    VPN Troubleshooting .... 240

Preface

Before beginning any labs, you should have been presented with a virtual environment configured in either VMware Workstation or ESX. Each student should have the following seven machines configured in the environment:

ADServer
AT_GUI
AT_MGMT
AT_GWY
AT_DMZ
UK_GWY
UK_PC

These environments are self-contained sandbox configurations, meaning that every student has the same virtual machines to work with, all with identical IP addressing and interface information. Though internet connectivity is not required for this class, it may be added by your instructor.

Topology

In the following graphics, pay attention to VM Name versus Host Name, and IP addressing:

Figure 1 - Lab Topology (Atlantis). Values legible in the diagram:
AT_MGMT: IP Address 10.1.1.101/24, Default GW 10.1.1.1
AT_GWY: Ext Address 172.21.101.1/8, Int Address 10.1.1.1/24, DMZ Address 192.168.1.1/24, Default GW 172.29.109.1
UK_GWY: Ext Address 172.29.109.1/8, Int Address 10.1.9.1/24, Default GW 172.21.101.1
AT_DMZ: IP Address 192.168.1.100/24, Default GW 192.168.1.1
UK_PC: IP Address 10.1.9.109/24, Default GW 10.1.9.1
One further host on 10.1.1.0/24 with Default GW 10.1.1.1 (its address is illegible in the scan)

Lab 1: Distributed Installation

Scenario: You are implementing the Check Point Security Gateway in a distributed topology. Install SmartConsole on a Windows machine, and the Gateway and Security Management Server on SecurePlatform machines.

Topics:

Installing the Security Management Server

Configuring the Security Management Server using sysconfig

Installing SecurePlatform on the Corporate Security Gateway

Configuring the Corporate Security Gateway using the WebUI

Installing SmartConsole

Launching the SmartDashboard

Install Security Management Server

Install the R75 Management Server blade on the AT_MGMT (10.1.1.101) virtual machine. The management server will manage the corporate and branch gateways installed in a later lab.

1. Insert the R75 DVD into your disk drive. Start the AT_MGMT virtual machine and the R75 Welcome screen appears:

Figure 2 - Welcome Screen

2. Press the Enter key within 90 seconds to launch the install.

3. The system displays the Check Point SecurePlatform Installation screen:

Figure 3 - SecurePlatform Installation Screen (the screen states that proceeding installs the SecurePlatform operating system and associated Check Point software, overwriting all data on the system; <OK> proceeds, <Devices> shows device information, <Cancel> aborts)

4. Tab to OK and press Enter. The following screen appears:

Figure 4 - Keyboard Selection

5. Select the keyboard to suit your region.

6. Tab to OK and press Enter. The system displays the Network Interface Configuration screen:

Figure 5 - Network Interface Configuration

7. Use the following information to configure the Network Interface Configuration screen:
IP Address: 10.1.1.101
Netmask: 255.255.255.0
Default Gateway (IP): 10.1.1.1
8. Select OK and press Enter. The system displays the product selection screen:

Figure 6 - SecurePlatform Installation

9. Select Security Gateway / Management.

10. Tab to OK and press Enter. The following screen appears:

Figure 7 - HTTPS Server Configuration (the screen explains that the SecurePlatform HTTPS secure web server allows system configuration via a web browser, advises choosing a port other than 443 if an Endpoint Security Server is to be deployed to avoid a possible conflict, and defaults to "Listen on port 443")

11. In the HTTPS Server Configuration screen, select OK and press Enter. The system displays the Confirmation screen:

Figure 8 - Confirmation (the screen warns that the next stage of the installation will format your hard drive(s); <OK> proceeds, <Cancel> aborts)

12. In the Confirmation screen, select OK and press Enter to proceed.

13. After the drive is formatted and the installation is complete, the system displays the Complete screen:

Figure 9 - Complete

Note: You may need to eject your CD manually before the reboot is complete
if the eject does not happen automatically.

14. Select OK and press Enter to reboot your system.

Configure Security Management Server Using sysconfig

Follow these steps to activate the 15-day trial license. Your instructor will provide alternate directions if you use other licenses.

1. Log into AT_MGMT with the following credentials:
Login: admin
Password: admin
2. You will be prompted to enter a new password. Enter vpn123 at the prompt.

Figure 10 - Enter and Confirm New Password

3. Re-enter the password when asked to confirm it. Press Enter.
4. Type the following when prompted to define a new user:
fwadmin

5. At the prompt, type sysconfig, and the system displays the following message:

Figure 11 - Initial Configuration Wizard

6. Type n and press Enter. The system displays the Network Configuration options:

Figure 12 - Network Configuration

7. Type 1 to set the host name, and press Enter.

Figure 13 - Network Configuration - Host Name Options

8. Type 1 to set the host name and press Enter.
9. At the prompt, type AT_MGMT and press Enter.

10. Press Enter to accept the automatic IP assignment.
11. Type 2 to show and verify that the host name is set correctly.
12. Type e to exit, then press Enter. The network configuration screen appears.

Figure 14 - Network Connections configuration

13. Type 4 to configure network connections. Press Enter.
14. Type 5 to show the connection configuration:

Figure 15 - Network Connection list

15. Type 1 to display the eth0 interface settings. Verify the connection information, and press Enter.

Figure 16 - Connection Display

16. Type e to exit the network connection screen.
17. Type n to continue, and the following options appear:

Figure 17 - Time and Date

18. Type 1 to set the time zone, and press Enter.

Figure 18 - Choose a Region

19. Type the number for your region, and press Enter.
20. Type the number of your country, and press Enter.
21. Type the number of your time zone, and press Enter.

22. Confirm your settings, and if correct type 1.
23. Press Enter, and the system displays the following options:

Figure 19 - Set Date

24. Type 2 to set the date, and press Enter. Enter the date in the format shown, e.g., 05-29-2010. Press Enter.
25. Type 3 to set the local time. Press Enter. Enter the time in 24-hour format.
26. To confirm your settings, type 4 at the prompt and press Enter.

Figure 20 - Confirm Settings

27. Type n to continue, and press Enter.
28. Type n to continue at the next screen.
Note: You will NOT import a file from a TFTP server.

29. Press Enter and the system displays the Welcome screen.

Figure 21 - Welcome

30. Review the Welcome Note and type N to continue. The system displays the following screen:

Figure 22 - License Agreement

31. Review the License Agreement, and type Y. The system displays the following screen:

Figure 23 - New Installation

32. Ensure that New Installation is selected, and type N to continue.

Figure 24 - Select Products

33. Type 3 to select the Security Management option.

Figure 25 - Security Management Selected

34. Type N to continue and the system displays the following:

Figure 26 - Security Management Type

35. Ensure that Primary Security Management is selected for the Security Management type.

36. Type N to continue and the system displays the following:

Figure 27 - Validation

37. Confirm your settings on the validation screen, and type N to continue.

38. The installation files will extract and the installation will proceed.

Figure 28 - License

39. Review the information on licenses, and type R. You will not be adding licenses at this time.
40. Press Enter and the system prompts you to add a new administrator:

Figure 29 - Add Administrator

41. Type y to add an administrator and press Enter.

42. Enter the following credentials:
Administrator Name: admin
Password: vpn123

Figure 30 - Administrator Configured

43. Verify the password by retyping it.
44. Press Enter, and the system displays the following:

Figure 31 - Configure AT_GUI

45. Type y, and press Enter.

46. A list of formats is provided. To use the IP address format, begin typing the physical host IP address of the AT_GUI (10.1.1.201) machine at the prompt.

Figure 32 - Enter Host IP

47. Type Ctrl-d after entering the IP Address.
48. Type y to confirm, and press Enter.

49. You should see a message showing the certificate has been generated.

Figure 33 - Configuring Certificate's Fingerprint

50. Type n to continue without saving the file and press Enter.
51. Type y and press Enter to start the installation process.
52. Select Exit and press Enter once the installation is complete.
53. Reboot the Security Management Server.

Install SecurePlatform on the Corporate Security Gateway

1. Insert the R75 DVD into your disk drive. Start the AT_GWY virtual machine and the R75 Welcome screen appears.
2. Press Enter within 90 seconds to launch the install.
3. From the Installation screen, tab to OK and press Enter to continue.
4. Select your keyboard type with the arrow keys, tab to OK.
5. Press Enter, and the system displays the Networking Device screen:

Figure 34 - Network Devices (the screen lists the available interfaces and asks which one to use for the initial configuration)

6. Select eth1 as your networking device.
7. Tab to OK, and press Enter.
8. Configure eth1 using the internal IP address of 10.1.1.1/24 (internal IP address of AT_GWY). Do not configure the default gateway for this interface.

9. Tab to OK and press Enter. The system displays the SecurePlatform Installation screen:

Figure 35 - SecurePlatform Installation screen (screen text: "The following products are available in this version. Please select product: Security Gateway / Management; Multi-Domain Security Management")

10. Verify that the Security Gateway / Management option is selected.
11. Tab to OK and press Enter. The system displays the HTTPS Server Configuration screen.
12. Tab to OK, and press Enter to accept the default HTTPS port for the management console.
13. Tab to OK and press Enter when the installation completes, to reboot.

Configure the Corporate Security Gateway using the WebUI

1. From the AT_GUI, open a browser and type:
https://10.1.1.1
2. Click OK or Yes when prompted by your browser's Security Alert messages. The system displays the License Agreement page:

Figure 36 - License Agreement

3. Click I Accept and the system displays the login page:

Figure 37 - Login

4. Log in using your first-time credentials:
Login Name: admin
Password: admin

5. In step 2 of the Password Recovery Login Token page, configure a new administrator using the following information:
Administrator Name: admin
New Password: vpn123
Confirm New Password: vpn123

Figure 38 - Set Password

6. Click Save and Log in.

7. Click Next at the welcome message and the Network Connections page appears:

Figure 39 - Welcome

8. Click Next, and the system displays the Network Connections page:

Figure 40 - Network Connections

9. Click on the eth0 link, and the Connection Configuration page appears:

Figure 41 - Connection Configuration

10. Use the following information to configure the Connection Configuration screen:
IP Address: 172.21.101.1
Subnet Mask: 255.0.0.0
11. Click Apply and the Network Connections screen appears, showing eth0 configured:

Figure 42 - Network Connections

12. Select eth1 from the Network Connections list.
13. Verify that the connection is configured as follows:
IP Address: 10.1.1.1
Netmask: 255.255.255.0

14. Select eth2 from the Network Connections list.
15. Use the following information to configure eth2:
IP Address: 192.168.1.1
Netmask: 255.255.255.0
16. Verify that the three interfaces are configured as follows:

Figure 43 - All Network Connections Configured

17. Click Next and the system displays the Routing Table page:

Figure 44 - Routing Table

18. To update the Routing Table, click New > Default Route. The system displays the following page:

Figure 45 - Add Default Route

19. To configure the default gateway of AT_GWY, enter the external interface of the partner gateway, UK_GWY (172.29.109.1).
20. Confirm that the Metric is 0.

21. Click Apply, and the system displays the following:

Figure 46 - Routing Table Configured

22. Confirm the change in the routing table, and click Next.
23. Click Next to skip adding a DNS Server.
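Before moving on, the interface addresses and default routes entered in the steps above (and in the sysconfig steps for AT_MGMT) can be cross-checked against the topology in Figure 1. The script below is an added example and is not part of the lab manual or of Check Point's software; Host, check_plan and LAB_HOSTS are names chosen for it, and the addresses are the ones the lab specifies. It flags an interface address used twice, overlapping networks on one host, a default gateway that is not on a directly connected network, and a gateway address that no lab host actually owns. Note that the AT_GWY default route 172.29.109.1 is only "directly connected" because eth0 carries the 255.0.0.0 mask; with a /24 on eth0 the check would report it.

```python
"""Consistency check for the lab addressing plan.

Added example for this lab manual, not Check Point code: the Host class,
check_plan() and LAB_HOSTS are names chosen here. The addresses are those
given in the topology figure and the interface-configuration steps.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    interfaces: Dict[str, str]          # interface name -> "address/prefix"
    default_gw: Optional[str] = None    # None: no default route configured


# Addresses copied from the lab topology (Figure 1) and the WebUI/sysconfig steps.
LAB_HOSTS: List[Host] = [
    Host("AT_MGMT", {"eth0": "10.1.1.101/24"}, "10.1.1.1"),
    Host("AT_GUI", {"eth0": "10.1.1.201/24"}, "10.1.1.1"),
    Host("AT_GWY", {"eth0": "172.21.101.1/8",     # external, subnet mask 255.0.0.0
                    "eth1": "10.1.1.1/24",        # internal
                    "eth2": "192.168.1.1/24"},    # DMZ
         "172.29.109.1"),                         # default route via UK_GWY
    Host("AT_DMZ", {"eth0": "192.168.1.100/24"}, "192.168.1.1"),
    Host("UK_GWY", {"eth0": "172.29.109.1/8", "eth1": "10.1.9.1/24"}, "172.21.101.1"),
    Host("UK_PC", {"eth0": "10.1.9.109/24"}, "10.1.9.1"),
]


def check_plan(hosts: List[Host]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent.

    Checks performed:
      1. no interface address is used twice in the lab;
      2. a host's own interfaces do not sit on overlapping networks;
      3. each default gateway is on a directly connected network of that host;
      4. each default gateway address exists as an interface on some lab host.
    """
    problems: List[str] = []
    owner: Dict[ipaddress.IPv4Address, str] = {}   # address -> "host/ifname"

    for h in hosts:
        ifaces = {n: ipaddress.ip_interface(a) for n, a in h.interfaces.items()}

        for n, iface in ifaces.items():                          # check 1
            if iface.ip in owner:
                problems.append(f"{h.name}/{n}: {iface.ip} already used by {owner[iface.ip]}")
            owner[iface.ip] = f"{h.name}/{n}"

        nets = list(ifaces.values())                             # check 2
        for i in range(len(nets)):
            for j in range(i + 1, len(nets)):
                if nets[i].network.overlaps(nets[j].network):
                    problems.append(f"{h.name}: {nets[i]} and {nets[j]} overlap")

        if h.default_gw is not None:                             # check 3
            gw = ipaddress.ip_address(h.default_gw)
            if not any(gw in i.network for i in nets):
                problems.append(f"{h.name}: default gateway {gw} is not on a connected network")

    for h in hosts:                                              # check 4
        if h.default_gw is not None and ipaddress.ip_address(h.default_gw) not in owner:
            problems.append(f"{h.name}: default gateway {h.default_gw} is not configured on any lab host")

    return problems


if __name__ == "__main__":
    for line in check_plan(LAB_HOSTS) or ["addressing plan is consistent"]:
        print(line)
```

On the lab values the script reports a consistent plan. Editing LAB_HOSTS to reproduce a typing mistake (for example the wrong default gateway on AT_GUI, or a /24 on AT_GWY eth0) shows which check catches it before the gateway is put into service.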

40 Check Point Certified Security Administrator


Configure the Corporate Security Gateway using the WebUi

24. In the Hostname field, type sgatlantis, and for the Domain Name, type
atlantiscorp.cp. Set the management interface to be ethO.

Figure 47 - Host and Domain Name

25. Click Next, and the system displays the Device Date and Time Setup page:

Figure 48 - Date and Time

Note: If using VMware, it is recommended that you designate an NTP server to ensure that your gateways and Security Management Server are synchronized.

26. Select the option Use Network Time Protocol (NTP) to synchronize the clock.

27. Use the following information to configure the NTP Server settings:
Primary NTP Server: 10.1.1.1
Synchronization Period (Seconds): 10
Time Zone: Select the time zone for your area.

Figure 49 - Device Date and Time Setup

28. Click Apply and verify that the time displayed is correct. Adjust the time-zone setting as needed.

29. Click Next and the Web/SSH Client page appears:

Figure 50 - Web and SSH Clients

30. Click Next, and the Products page appears.

Figure 51 - Products

31. In the Products screen, ensure Security Gateway is selected, and uncheck the Performance Pack option.

32. Click Next and the system displays the Gateway Type page:

Figure 52 - Gateway Type

33. Click Next to skip setting the Gateway type.

34. Type vpn123 as the Activation Key, and confirm to establish SIC. Click Next.

Figure 53 - Secure Internal Communication (SIC) Setup

35. Review the information on the Summary page, and click Finish when ready.

Figure 54 - Summary

36. The system asks if you want to start the configuration process.
37. Click Yes.

38. Once the configuration process has completed, click OK and the system
displays the status page:

Figure 55 - Device Status

Install SmartConsole
1. From your AT_GUI, insert the R75 for Windows CD. The Check Point Introduction screen should display.

Figure 56 - Check Point Introduction

2. Click Next and the system displays the License Agreement:

Figure 57 - Check Point License Agreement

3. Accept the terms of the license before continuing.


4. Click Next and the New Installation option appears:

Figure 58 - New Installation Option

5. Click Next, and the system displays the Installation type screen:

Figure 59 - Installation Type

6. Select Custom in the installation type screen.

Figure 60 - Custom Selection

7. Ensure only SmartConsole is checked.


8. Click Next, and the system displays the installation destination screen:

Figure 61 - SmartConsole Destination

9. Accept the default destination folder.


10. Click Next and confirm that only SmartConsole is designated to install in the summary screen:

Figure 62 - Summary

11. Click Next to install.


12. Click Finish after installation is complete.

Launch SmartDashboard


1. From the Start menu, click All Programs > Check Point SmartConsole R75 > SmartDashboard and the system displays the login screen:

Figure 63 - SmartDashboard Login Window

2. Use the following information to configure the login window:
User Name: admin
Password: vpn123
SmartCenter Server: 10.1.1.101

3. Click the OK button, and the system displays the fingerprint.


4. Click the Approve button to approve the fingerprint.

5. If you are using the built-in software trial period, a notification screen showing
the days left of the trial period will appear:

Figure 64 - Check Point Trial Period Screen

6. Check the box Do not show this again.


7. Click OK and the SmartDashboard R75 Overview screen displays:

Figure 65 - SmartDashboard R75 Overview

8. Clear the option Show at startup.

9. Click Close, and the Check Point R75 SmartDashboard displays:

Figure 66 - Check Point SmartDashboard

END OF LAB

Lab 2: Branch Office Security Gateway Installation

Scenario: You are implementing the Check Point Security Gateway at a branch office. To do this, you decide to install only the Security Gateway at the remote site and manage it from the existing Management Server at the corporate headquarters.

Topics:

Installing SecurePlatform on the Branch Gateway

Configuring the Branch Gateway via the WebUI

Install SecurePlatform on the Branch Gateway


Follow these instructions to install the SecurePlatform OS.

1. Insert the R75 CD in the machine designated as the branch office gateway (UK_GWY), and boot from the CD, or boot from an ISO image (check with your instructor).
2. When prompted, press any key to begin the installation. The system displays
the Welcome screen:

You have started installation of Check Point SecurePlatform R75. This process will install the Check Point SecurePlatform operating system and associated Check Point applications. Your hardware has been scanned and found suitable for installing SecurePlatform. Do you wish to proceed with the installation of Check Point SecurePlatform, overwriting all data on this system? Press <OK> to proceed. Press <Devices> for complete device information. Press <Cancel> to abort.

Figure 67 - Welcome

3. Tab to OK and press Enter. The system displays the Keyboard Selection
screen:

Figure 68 - Keyboard Selection

4. Make your keyboard selection and select OK.

5. Press Enter, and the system displays the Networking Device screen:

Figure 69 - Networking Devices

6. Select the interface eth1.


7. Tab to OK and press Enter.
8. Use the following information to configure the Network Interface Configuration for eth1 of the branch office Security Gateway (UK_GWY):
IP Address: 10.1.9.1
Netmask: 255.255.255.0

Note: Do not assign a default gateway for this interface.

9. Tab to OK and press Enter. The system displays the SecurePlatform Installation screen:

Figure 70 - SecurePlatform Installation

10. Select Security Gateway / Management.

11. Tab to OK and press Enter. The system displays the HTTPS Server Configuration:

Screen text: If HTTPS Security Server is to be deployed, select a port number other than 443 to avoid possible conflict.

Figure 71 - HTTPS Server Configuration

12. Select OK to accept the default port for the HTTPS Server configuration.

13. Press Enter, and the system displays the following:

Figure 72 - Confirmation

14. Select OK, and press Enter.

Figure 73 - Confirmation

15. Select OK and press Enter to reboot your system when the installation is
complete.

Configure the Branch Gateway via the WebUI


Configuring the branch gateway in this exercise via the WebUI is optional. You
may elect instead to use sysconfig.

1. Open a browser window on UK_PC, and type:
https://10.1.9.1
2. Press Enter.
3. Click OK or Yes when prompted by your browser security alert messages.

4. The system displays the SecurePlatform license page:

Figure 74 - SecurePlatform License


5. Click I Accept to continue, and the system displays the login page:

Figure 75 - SecurePlatform Login
Note: You may need to allow pop-ups for this site.

6. Type admin for your login name and admin for your password.

7. Click Login and the system displays the following:

Figure 76 - SecurePlatform Initial Login

8. Set your permanent password on step 2 by entering the following:
Administrator Name: fwadmin
New Password: vpn123
9. Click Save and Login.
10. Read the Welcome Message and follow the instructions.

11. Click Next, and the Network Connections page appears:

Figure 77 - Network Connections

12. Click the eth0 link and the system displays the following:

Figure 78 - Connection Configuration

13. Select the option Use the following configuration.


14. Use the following information to configure the connection:
IP Address: 172.29.109.1
Netmask: 255.0.0.0

15. Click Apply, and the system displays the Network Connections page with the applied settings for eth0:

Figure 79 - Connection Configuration

16. Click Next and the system displays the Routing Table page:

Figure 80 - Routing Table

17. Click New > Default Route.


18. Use the following information to configure the default route:
Gateway: 172.21.101.1
Metric: 0

19. Click Apply, and the system adds the new default gateway to the
Routing Table:

Figure 81 - Add Default Route

20. Confirm the new route is displayed correctly.


21. Click Next to continue. Do not define DNS servers.
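A default route is only usable when the gateway address lies on the network directly connected to the interface. As an added check, not part of the lab manual, the POSIX shell script below tests exactly that with the lab's own values (UK_GWY eth0 172.29.109.1 with netmask 255.0.0.0 from step 14, default gateway 172.21.101.1 from step 18); the 255.255.255.0 counter-example is assumed for illustration only.

```shell
#!/bin/sh
# Added example, not from the Check Point lab manual: verify that a default
# gateway sits on the directly connected network of the interface that should
# reach it. Pure POSIX sh (dash/bash), no network access, no Check Point tools.

# ip_to_int DOTTED-QUAD: print the address as a decimal integer.
# Returns 1 (prints nothing) unless it is four octets in the range 0-255.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1                        # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;  # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP-A IP-B NETMASK: succeed when both addresses share the
# network selected by NETMASK; return 2 when any argument is malformed.
same_subnet() {
    a=$(ip_to_int "$1") || return 2
    b=$(ip_to_int "$2") || return 2
    m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_default_route IFACE-IP NETMASK GATEWAY: print a verdict and succeed
# only when the gateway is reachable without itself needing a route.
check_default_route() {
    if same_subnet "$1" "$3" "$2"; then
        echo "OK: default gateway $3 is on the connected network of $1/$2"
    else
        echo "PROBLEM: default gateway $3 is not on the connected network of $1/$2"
        return 1
    fi
}

# Lab 2, steps 14 and 18: UK_GWY eth0 is 172.29.109.1/255.0.0.0 and the
# default route points at AT_GWY, 172.21.101.1. With the /8 mask both
# gateways share the 172.0.0.0 network, so the route is usable.
check_default_route 172.29.109.1 255.0.0.0 172.21.101.1

# Assumed counter-example: the same addresses with a 255.255.255.0 mask put
# AT_GWY outside eth0's network, and the default route could never be used.
check_default_route 172.29.109.1 255.255.255.0 172.21.101.1 || true
```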

22. Click Next, and the system displays the Host and Domain Name page:

Figure 82 - Host and Domain Name

23. In the Host and Domain Name screen, enter the following information:
Hostname: sgUK
Domain Name: atlantiscorp.cp
Management Interface: eth0 (172.29.109.1)

24. Click Next, and the system displays the following page:

Figure 83 - Device Date and Time Setup

25. Select the option Use Network Time Protocol.


26. Enter the information for UK_PC (10.1.9.109) to be the time server for this gateway, including the time zone setting for your location.
Note: When using VMware, it is recommended that you designate an NTP server to ensure that your gateways and Security Management Server are synchronized.

27. Click Next.

28. Keep the default settings for Web/SSH clients and click Next. The system
displays the Products page:

Figure 84 - Products

29. In the Products page, select Security Gateway, and uncheck all other options.

30. Click Next and the system displays the Gateway Type page:

Figure 85 - Gateway Type

31. Verify that the option in the Gateway Type page is cleared.
Note: The gateway types displayed here are not used in this class.

32. Click Next, and the system displays the Secure Internal Communication (SIC) page:

Figure 86 - Secure Internal Communication (SIC)

33. Enter and confirm vpn123 as the Activation Key.

34. Click Next, and the system displays the Summary page:

Figure 87 - Summary

35. Read the Summary and confirm that only Security Gateway is displayed in the list of products to install.
36. Click Finish.
37. Click Yes in the confirmation box to continue with the configuration process.
38. After the configuration process has finished, the Gateway will reboot automatically. After reboot, a message will inform you that the process is complete.
39. Click OK.

END OF LAB

Lab 3: CLI Tools

Scenario: Learn commands to perform basic operations via the command line on the Security Gateway. This lab will cover basic administrative tools in the Command Line Interface (CLI).

Topics:

Setting Expert Password

Applying Other Useful Commands

Adding and Deleting Administrators via the CLI

Performing backup and restore

Set Expert Password


SecurePlatform has two passwords. In order to run most CLI commands, you must be in expert mode.

1. Log into SecurePlatform on the corporate gateway (sgatlantis). Then, from the CLI type the following:
expert
2. When prompted to enter a new password for expert mode, type and confirm the
following:
vpn123
Note: You will not see the password on the screen as you type it.

3. Once in expert mode, you are in a separate shell. Notice the difference in the
prompt when you are logged into expert mode.

Figure 88 - Expert Mode

Here is an example of a command that must be run in expert mode.

4. Type exit and press Enter, so that you are at the user login again.
Note: To exit to the login prompt, type exit again.
5. From the CLI, run the following command:
tcpdump -i eth0
6. Press Enter.

Figure 89 - Unknown Command

7. Notice the error message "unknown command".


8. Enter expert mode.

9. From the expert shell, run the following command and press Enter:
tcpdump -i eth0

Figure 90 - tcpdump

Note: This runs a packet sniff on eth0.


10. Press Control-C to stop:

Figure 91 - tcpdump Stopped

11. Type exit and press Enter, so that you are at the user login again.

Apply Other Useful Commands


There are many commands commonly used in troubleshooting on the gateway.
Commands to try are those beginning with fw.

1. Type the following at the command prompt to unload the current Security Policy, and implement the default policy:
fw unloadlocal

Figure 92 - fw unloadlocal

2. Type the following command at the prompt to display the name of the Security Policy installed on the gateway:
fw stat

Figure 93 - fw stat

3. Type the following command at the prompt to display the gateway version:
fw ver
Note: For more information about each command from the prompt, type the command name followed by --help. For example, fw --help.

4. Type the following command to display interface details:
ifconfig

Figure 94 - ifconfig

Note: More commands worth noting are shutdown and reboot.

5. Type the following command to display the routing table:
netstat -rn

Figure 95 - netstat -rn

6. Review the cp commands in the Appendix at the back of the courseware manual. For example, the cpstop, cpstart, and cprestart commands stop, start or restart respectively the services running on the gateway.

Add and Delete Administrators via the CLI


SecurePlatform supports multiple administrators to the regular shell. This is important for audit purposes. In the following steps, you will create user "sam" with password "vpn123".

1. From the CLI in standard mode, type the following command and press Enter.
adduser sam
2. Enter and confirm the password vpn123.

Figure 96 - New User

3. Type exit and log out of the regular shell.


4. At the login prompt, enter sam as the username and vpn123 as the password.

Figure 97 - Show New User

5. Type exit from the CLI and log back in as admin.

6. To delete the administrator, type the following command and press Enter.
deluser sam

Figure 98 - Delete User

7. To show all users, type:
showusers
8. Verify that sam is no longer in the list of configured users.

Perform backup and restore


1. From the CLI, type the following command and press Enter.
backup -f yourname_backup

Figure 99 - Backup

Note: When performing a backup on this version of R75, the text reads as if a snapshot is being performed. This is a minor bug in this version, and may be safely ignored. A backup does in fact get performed.

2. To view the backup in expert mode, type the following and press Enter.
cd /var/CPbackup/backups

3. Then, type the following from the CLI and press Enter.
ls

Figure 100 - View Backup Directory

Note: You will notice your backup file in this directory. This is the default directory for backups if you do not specify a location.

4. To restore from backup, simply type restore -f backup_filename from the CLI. You do not have to be in the backup directory to run this command.

Figure 101 - Restore

5. You will be prompted to choose which restore option you would like. Type c to
continue, and press Enter.

Figure 102 - Restore Options

END OF LAB

Lab 4: Building a Security Policy

Scenario: You will create a Security Policy by developing a Rule Base, or modify an existing one using newly created network objects and headers, and understand how to apply global properties.

Topics

Creating Security Gateway Object

Creating GUI Client Object

Creating Rules for Corporate Gateway

Saving the Policy

Installing the Policy

Testing the Corporate Policy

Creating the Remote Security Gateway Object

Creating a New Policy for the Branch Office

Combining Policies

Create Security Gateway Object


A Security Policy is made up of Security Gateway settings, and explicitly and implicitly defined rules. Each rule is made up of objects and actions that define how the Gateway treats each connection. To define a Security Policy, you must first define the objects that represent your current network topology.

1. From the AT_GUI, open SmartDashboard.


2. From the Objects tree in SmartDashboard, right-click and choose Security Gateway.

Figure 103 - SmartDashboard

3. The system displays the creation dialog window.

Figure 104 - Classic Mode

4. Choose Classic mode to edit the Security Gateway properties.

5. Click OK, and the system displays the following:

Figure 105 - General Properties

6. Use the information below to configure the Gateway object:
Name: AT_GWY
IP Address: 172.21.101.1
Comment: Atlantis Security Gateway
Color: Colors > FireBrick
OS: SecurePlatform
Check Point Products: Firewall

7. Verify that the object is configured as follows:

Figure 106 - Gateway Configuration

8. From the General Properties page of the gateway object, click the Communication button. The system displays the following:

Figure 107 - Trusted Communication

9. Enter and confirm the Activation Key entered on the Security Gateway during setup (vpn123).

10. Click Initialize, and the system verifies the communication state:


Figure 108 - Establish SIC with AT_GWY

11. Click Close after trust is established.

12. Select Topology in the left-hand panel of the Security Gateway object.
13. Click Get > Interfaces with Topology, and the system displays the Get Topology Results window.
14. Click Accept to confirm the topology.
Note: Anti-spoofing is enabled by default when choosing the Get Interfaces with Topology option.
15. Click OK to close the Security Gateway object.

Create GUI Client Object


1. From the Objects tree in SmartDashboard, right-click Nodes and select Node > Host. The system displays the following:

Figure 109 - Host Node

Note: In SmartDashboard, objects and policy names cannot contain spaces.

2. In the General Properties page of the object, enter the following information:
Name: AT_GUI
IP Address: 10.1.1.201
Comment: Atlantis GUI Client
Color: Blue

Figure 110 - AT_GUI

3. Click OK to accept the changes and close General Properties.




Create Rules for Corporate Gateway


1. Right-click Networks and choose Network.
2. Use the following information to configure the Network object.
Name: atlantis_internal
Network Address: 10.1.1.0
Net Mask: 255.255.255.0

Figure 111 - Internal Corporate Network

3. Click OK.
4. From the main menu, click on Rules > Add Rule > Top, or click on the Add Rule at the Top icon on the toolbar, to add a rule into the Rule Base.




5. Name this rule Clean Up by right-clicking in the Name field and selecting Edit, or double-click the Name cell in the rule.
6. Right-click in the Track column and select Log.

Figure 112 - Add Rule

Note: To insert a new rule, right-click on a rule number, and select Add Rule, then Above or Below, or use the Add Rule icons from the toolbar. In addition, you can add any object to a rule base by dragging and dropping from the objects list pane or from another rule.

7. Above this rule, add a Management Rule with the following parameters:
Name: Management Rule
Source: AT_GUI, AT_MGMT
Destination: AT_GWY
Service: SSH, HTTPS
Action: Accept
Track: Log

Figure 113 - Management Rule

Note: When modifying any of the cells within a rule, right-click in the cell for specific options. For example, in the Service column, selecting Add Objects will bring up a selection box (or click the plus sign in the cell). To locate the service you want, begin typing the name of the service, and the scroll bar will move to that point in the list.




8. Add the Stealth and Internal Traffic rules to the Rule Base above the Clean-up rule:

Name: Stealth Rule
Source: Any
Destination: AT_GWY
Service: Any
Action: Drop
Track: Log

Name: Internal Traffic
Source: atlantis_internal
Destination: Any
Service: Any
Action: Accept
Track: Log

Figure 114 - Corporate Rule Base

9. To allow ICMP traffic so you can PING to test connectivity on your network, click on Policy > Global Properties from the main menu.




10. In the FireWall Implied Rules page, check Accept ICMP requests and select First from the drop-down box. Implied rules placed First are matched before the explicit Rule Base, so this setting accepts echo requests to the gateways themselves ahead of the Stealth rule.
11. In the Track section, check Log Implied Rules:

Figure 115 - Global Properties

12. Click OK.




Save the Policy


1. From the main menu, click File > Save As.
2. Type a name for this Policy Package in the Save Policy Package As box (e.g., Corp_Standard):

Figure 116 - Save Policy Package As

Note: Remember, no spaces in Policy or object names.


3. Click Save.
4. Confirm that the name of the Policy Package is displayed at the top of the screen.




Install the Policy


1. Push policy by clicking on the Install Policies icon in the toolbar or click
Policy > Install from the main menu. The system displays the following:


Figure 117 - SmartDashboard Warning

2. Note the message in the SmartDashboard Warning box about implied rules.
3. Select the option Don't show this message again.
4. Click OK, and the system displays the following:

Figure 118 - Install Policy




5. Note the AT_GWY object is selected as a target. In the Revision Control section, check the box, Create database version:

Figure 119 - Install Policy




6. Name the revision, Basic Policy, and comment as desired.
7. Click OK, and the system displays the following:


Figure 120 - Check Point SmartDashboard

8. Click OK, and the policy installation begins automatically.

Figure 121 - Basic Policy Revision Creation

9. Click Close when complete.




Test the Corporate Policy


1. Open a browser on the AT_GUI, and access the WebUI of the corporate Security Gateway by typing https://10.1.1.1. Verify you have connectivity when the browser displays the login screen:

Figure 122 - WebUI Login




Create the Remote Sec urity Gateway Object


1. Highlight Network Objects in the objects tree pane.
2. Select New > Security Gateway in Classic mode.
3. Use the following information to configure a Security Gateway object for the branch office (UK_GWY):
Name: UK_GWY
IP Address: 172.29.109.1
Comment: Security Gateway for the branch office in the UK




4. Verify that the object is configured as follows:

Figure 123 - Gateway Properties

5. In the Network Security tab, check Firewall.




Establish SIC with the Branch Office


1. Click the Communication button and enter the Activation Key.
2. Click Initialize:

Figure 124 - Trusted Communication

3. Once trust is established, click Close.




4. Click on Topology from the left-hand pane, and click Get > Interfaces with Topology.
5. Click Accept, and the system displays the Get Topology Results window:

Figure 125 - Get Topology




6. To confirm anti-spoofing settings, double-click the external interface.
7. From the Topology tab of the Interface Properties window, verify that this interface is set to External and Perform Anti-Spoofing based on interface topology is checked.

Figure 126 - External Anti-Spoofing

8. Click OK.
9. Double-click the internal interface.




10. In the Topology tab, verify that this interface is set to Internal and the option Network defined by the interface IP and Net Mask is selected.
11. Verify that the option Perform Anti-Spoofing based on interface topology is checked:

Figure 127 - Internal Anti-Spoofing

12. Click OK.
13. Click OK again to create the object.
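The check that the Topology settings above turn on can be modelled directly. The Python below is an added example written for this edit, not code from the lab manual or from Check Point: it takes each interface's topology (External, or Internal with the network defined by the interface IP and Net Mask, as verified in steps 7 and 10) and decides whether a packet's source address is legitimate on the interface it arrived on. The internal address 10.1.1.1 / 255.255.255.0 comes from the lab; the interface names eth0 and eth1, the external address 172.21.1.1 and the sample packets are assumptions.

```python
"""Interface-topology anti-spoofing, modelled on the gateway option
"Perform Anti-Spoofing based on interface topology".

Added example, not code from the lab manual or from Check Point.
From the lab: the internal side of AT_GWY is 10.1.1.1 / 255.255.255.0 and is
defined as "Network defined by the interface IP and Net Mask".
Assumed (not on the page): interface names eth0/eth1 and the external
address 172.21.1.1.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    mask: str
    external: bool          # Topology tab: External or Internal

    @property
    def network(self):
        # Internal: "Network defined by the interface IP and Net Mask"
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)


class AntiSpoofing:
    def __init__(self, interfaces, dont_check=()):
        self.by_name = {i.name: i for i in interfaces}
        self.internal_nets = [i.network for i in interfaces if not i.external]
        # "Don't check packets from": sources exempted from the check
        self.exempt = [ipaddress.ip_network(n) for n in dont_check]

    def legal_sources(self, name):
        """Addresses that may legitimately appear as source on interface `name`."""
        iface = self.by_name[name]
        if iface.external:
            # External: everything that is NOT behind one of the internal interfaces
            return "not (" + ", ".join(str(n) for n in self.internal_nets) + ")"
        return str(iface.network)

    def check(self, in_iface, src):
        """Verdict for a packet with source `src` arriving on `in_iface`.

        Returns ('pass', reason) or ('spoof', reason). A 'spoof' packet is
        dropped before the Rule Base is consulted and, with Spoof Tracking
        set to Log, produces a log entry.
        """
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in self.exempt):
            return "pass", "exempt by Don't check packets from"
        iface = self.by_name[in_iface]
        if iface.external:
            ok = not any(addr in n for n in self.internal_nets)
        else:
            ok = addr in iface.network
        if ok:
            return "pass", "source matches topology"
        return "spoof", f"{src} is not a valid source behind {in_iface} ({self.legal_sources(in_iface)})"


def build_at_gwy():
    """AT_GWY with the Lab 4 internal network; the external side is assumed."""
    return AntiSpoofing([
        Interface("eth0", "172.21.1.1", "255.255.255.0", external=True),   # assumed
        Interface("eth1", "10.1.1.1", "255.255.255.0", external=False),    # from the lab
    ])


if __name__ == "__main__":
    asp = build_at_gwy()
    for iface, src in [("eth1", "10.1.1.201"), ("eth1", "10.1.9.109"),
                       ("eth0", "10.1.9.109"), ("eth0", "10.1.1.201")]:
        print(iface, src, *asp.check(iface, src))
```

The last two sample packets show the two directions the check covers: an internal address arriving on the external interface, and an outside address arriving on the internal one. Because the internal network here is "defined by the interface IP and Net Mask", any further network reached through a router behind eth1 would also be reported as spoofed; for that layout the interface topology must be set to Specific with a group that includes those networks, or their traffic is dropped before the Rule Base is reached.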




Create a New Policy for the Branch Office


1. Click on File > New from the main menu, and the system displays the following window:

Figure 128 - New Policy Package

Note: If prompted to save your existing package, click the button Save and continue.
2. Enter a name for the branch office gateway policy.
3. In the Include the following Policy types section, select the options Firewall, Address Translation and Application Control.
4. Click OK, and a blank Rule Base displays with the new package name shown at the top of the screen.




5. Create an object for the branch internal network.

Figure 129 - Network Properties

6. Create a similar Rule Base as you did for the corporate Security Gateway:

Name                   Source        Destination  Service     Action  Track
Management Rule        AT_MGMT,      UK_GWY       SSH, HTTPS  Accept  Log
                       AT_GUI
Stealth Rule           Any           UK_GWY       Any         Drop    Log
Internal Traffic Rule  UK_internal   Any          Any         Accept  Log
Cleanup Rule           Any           Any          Any         Drop    Log

Note: One way to quickly create a new policy is to copy and paste previously created rules and modify them as shown above.




7. Verify your Rule Base resembles the following:

Figure 130 - Branch Office Rule Base

Note: The global properties for ICMP are already enforced.

8. Click File > Save to save this Policy Package.


9. Click the Install Policies icon in the toolbar or click Policy > Install from the main menu.
10. Uncheck the AT_GWY installation target in the Install Policy window, so that this Policy does not install on your corporate Security Gateway.




11. Create a database version of this Policy.

Figure 131 - Basic Branch Policy

12. Click OK.
13. Once the system indicates successful policy installation, test the Security Policy on the branch office gateway.




Combine and Organ ize Security Policies


1. From SmartDashboard and with the branch office Policy open, select Rule 1, then hold down the SHIFT key and click Rule 4 to highlight all the rules in the Policy.
2. From the main menu, click Edit > Copy, then switch to your corporate gateway Policy (File > Open).
3. With the corporate Policy open, highlight the last rule, and click Edit > Paste Rule > Below:

Figure 132 - Copy/Paste Rules

Note: You can also right-click on the last rule and click Paste > Below.




4. Note that you have duplicate rules in the Rule Base:

Figure 133 - Duplicate Rules

5. Edit the Rule Base to eliminate duplicate rules (e.g., the Clean-up rule).
6. Edit the Management and Stealth rules by deleting one of each, and adding the missing gateway objects to the destination fields.
7. Rename the Internal Traffic rules for each gateway and, in the Install On column of the Rule Base, designate AT_GWY as the target for the Corporate Internal rule and UK_GWY as the target for the Branch Internal rule.

Figure 134 - Outgoing Rules




8. Add additional rules to the Rule Base above the Cleanup rule as follows:

Name: Corporate Incoming Traffic Rule
Source: Any
Destination: atlantis_internal
Service: FTP
Action: Accept
Track: Log
Install On: AT_GWY

Name: Branch Incoming Traffic Rule
Source: Any
Destination: uk_internal
Service: HTTP
Action: Accept
Track: Log
Install On: UK_GWY

9. Review and verify the resu lting Rule Base:

Figure 135 - Edited Rule Base

Note: Remember, you can drag objects between rules, and even re-order rules by dragging rules themselves. Click the rule number to drag a rule to another location.




10. Add the following rule above the Management Rule:

Name: NetBIOS Rule
Source: Any
Destination: Any
Service: NBT, bootp, udp-high-ports
Action: Drop
Track: None
Install On: Policy Targets

Note: Because Track is None, matches on this rule never appear in SmartView Tracker. Keep such noise rules narrow, since anything they silently drop is invisible when troubleshooting.

Figure 136 - NetBIOS Rule

11. Right-click rule 4 or the top internal traffic rule, and select Add Section Title > Above.
12. In the Header box, type the name, Outgoing Rules. Click OK.




13. Create another section title above the incoming traffic rules.

Figure 137 - Section Titles Added to Rule Base




14. Save and install your Policy on both gateways and create a revision .

Figure 138 - Install Policy




15. When warned that a gateway has a different policy installed and will be
overwritten, click Yes to continue with the installation.

Figure 139 - Successful Policy Installation

16. Click Close.


17. Test your Policy by opening an FTP session from UK_PC to the AT_GUI.
Note: Before proceeding, it is recommended that you save this package version of the Security Policy. Consider doing this whenever committing any change in the Policy, even if not explicitly instructed. You can always go back to this policy version at a later time.
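To see how the Rule Base assembled in this lab actually behaves, here is an added first-match evaluator in Python, written for this edit and not code from the manual or from Check Point. It covers the implied Accept ICMP requests rule set to First in the Create Rules for Corporate Gateway section, the Install On targets introduced in Combine and Organize Security Policies, and the unlogged NetBIOS rule. Addresses taken from the lab: AT_GUI 10.1.1.201, AT_GWY 10.1.1.1 (internal side), UK_GWY 172.29.109.1, atlantis_internal 10.1.1.0/24, UK_PC 10.1.9.109. Assumed, because the page does not state them: AT_MGMT 10.1.1.101, uk_internal 10.1.9.0/24, the port definitions behind NBT, bootp and udp-high-ports, and the sample packets.

```python
"""First-match evaluation of the combined Lab 4 Rule Base, including the
Install On column and the implied "Accept ICMP requests (First)" rule.

Added example, not code from the lab manual or from Check Point.
From the lab: AT_GUI 10.1.1.201, AT_GWY 10.1.1.1 (internal side), UK_GWY
172.29.109.1, atlantis_internal 10.1.1.0/24, UK_PC 10.1.9.109.
Assumed (not on the page): AT_MGMT 10.1.1.101, uk_internal 10.1.9.0/24, and
the ports behind the NBT, bootp and udp-high-ports services.
"""
import ipaddress
from dataclasses import dataclass

ANY = "Any"
POLICY_TARGETS = "Policy Targets"

OBJECTS = {                       # network objects (hosts become /32)
    "AT_GUI": "10.1.1.201", "AT_MGMT": "10.1.1.101", "AT_GWY": "10.1.1.1",
    "UK_GWY": "172.29.109.1", "atlantis_internal": "10.1.1.0/24",
    "uk_internal": "10.1.9.0/24",
}
SERVICES = {                      # name -> [(protocol, low port, high port)]
    "SSH": [("tcp", 22, 22)], "HTTPS": [("tcp", 443, 443)],
    "FTP": [("tcp", 21, 21)], "HTTP": [("tcp", 80, 80)],
    "NBT": [("udp", 137, 138), ("tcp", 139, 139)],        # nbname, nbdatagram, nbsession (assumed)
    "bootp": [("udp", 67, 68)],                           # assumed
    "udp-high-ports": [("udp", 1024, 65535)],             # assumed
    "icmp-request": [("icmp", 8, 8)],                     # port field holds the ICMP type
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple
    dst: tuple
    svc: tuple
    action: str
    track: str
    install_on: tuple       # (POLICY_TARGETS,) means every gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int               # destination port, or ICMP type


def _addr_match(names, ip):
    if names == (ANY,):
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(OBJECTS[n], strict=False) for n in names)


def _svc_match(names, pkt):
    if names == (ANY,):
        return True
    return any(pkt.proto == proto and lo <= pkt.port <= hi
               for n in names for proto, lo, hi in SERVICES[n])


# Global Properties > FireWall Implied Rules: Accept ICMP requests, position First
IMPLIED_FIRST = (
    Rule("Implied: Accept ICMP requests", (ANY,), (ANY,), ("icmp-request",), "Accept", "Log", (POLICY_TARGETS,)),
)

# The Rule Base as it stands at the end of Lab 4 (section titles carry no logic)
LAB4_RULES = (
    Rule("NetBIOS Rule", (ANY,), (ANY,), ("NBT", "bootp", "udp-high-ports"), "Drop", "None", (POLICY_TARGETS,)),
    Rule("Management Rule", ("AT_GUI", "AT_MGMT"), ("AT_GWY", "UK_GWY"), ("SSH", "HTTPS"), "Accept", "Log", (POLICY_TARGETS,)),
    Rule("Stealth Rule", (ANY,), ("AT_GWY", "UK_GWY"), (ANY,), "Drop", "Log", (POLICY_TARGETS,)),
    Rule("Corporate Internal", ("atlantis_internal",), (ANY,), (ANY,), "Accept", "Log", ("AT_GWY",)),
    Rule("Branch Internal", ("uk_internal",), (ANY,), (ANY,), "Accept", "Log", ("UK_GWY",)),
    Rule("Corporate Incoming Traffic Rule", (ANY,), ("atlantis_internal",), ("FTP",), "Accept", "Log", ("AT_GWY",)),
    Rule("Branch Incoming Traffic Rule", (ANY,), ("uk_internal",), ("HTTP",), "Accept", "Log", ("UK_GWY",)),
    Rule("Clean Up", (ANY,), (ANY,), (ANY,), "Drop", "Log", (POLICY_TARGETS,)),
)


def evaluate(pkt, gateway, rules=LAB4_RULES, implied_first=IMPLIED_FIRST):
    """Return (rule name, action, logged) for the first rule that matches `pkt`
    among the rules actually enforced on `gateway`."""
    for r in implied_first + rules:
        if r.install_on != (POLICY_TARGETS,) and gateway not in r.install_on:
            continue                      # rule is not installed on this gateway
        if _addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst) and _svc_match(r.svc, pkt):
            return r.name, r.action, r.track != "None"
    raise AssertionError("no rule matched; the Clean Up rule must always match")


if __name__ == "__main__":
    for pkt, gw in [(Packet("10.1.1.201", "10.1.1.1", "tcp", 22), "AT_GWY"),
                    (Packet("10.1.9.109", "10.1.1.1", "tcp", 22), "AT_GWY"),
                    (Packet("10.1.9.109", "10.1.1.1", "icmp", 8), "AT_GWY"),
                    (Packet("198.51.100.7", "10.1.9.50", "tcp", 80), "UK_GWY"),
                    (Packet("198.51.100.7", "10.1.9.50", "tcp", 80), "AT_GWY")]:
        print(gw, pkt, "->", evaluate(pkt, gw))
```

Two things the evaluator makes visible. An implied rule in position First is matched before rule 1, so with Accept ICMP requests set to First the Stealth rule never sees a ping aimed at the gateway itself; if that is not wanted, choose Before Last instead. And the same HTTP packet to the branch network is accepted when evaluated for UK_GWY but falls through to Clean Up for AT_GWY, because the Branch Incoming rule is installed only on UK_GWY. Swapping the Stealth and Management rules in the `rules` argument shows the lockout that rule order in step 7 and step 8 prevents: SSH and HTTPS from the GUI client to either gateway are then dropped by the Stealth rule.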

END OF LAB






Lab 5: Configure the DMZ

Scenario: In this exercise, you will build a DMZ network and set up a rule to
allow traffic to a server on the DMZ. Configure a DMZ interface on the Security
Gateway and configure the Security Policy to permit traffic to DMZ resources.

Topics:

Creating DMZ Objects in SmartDashboard

Creating DMZ Access Rule

Testing the Policy




Create DMZ Objects in SmartDashboard


1. From SmartDashboard, right-click Nodes, then select Node > Host.
2. Use the following information to configure the Host Node object:
Name: DMZ_Server
IP Address: 192.168.1.100

Figure 140 - Host Node




3. Click OK.
4. Right-click Networks, and select Network.
5. Enter the following information for the internal DMZ network:
Name: dmz_net
Network Address: 192.168.1.0
Net Mask: 255.255.255.0
Comment: De-militarized Zone Network

Figure 141 - DMZ Network

6. Click OK.




Create DMZ Access Rule


1. Right-click the Corporate Incoming Traffic Rule, and select Add Rule > Below.
2. Use the following information to modify the rule:
Name: Web Traffic Rule
Source: Any
Destination: DMZ_Server
Service: HTTP, HTTP_and_HTTPS_Proxy
Action: Accept
Track: Log
Install On: AT_GWY

3. Verify your Rule Base:

Figure 142 - Web Rule

4. Install the Policy.




Test the Policy


1. From UK_PC, open a browser to the following location: http://192.168.1.100
2. Verify that a Web page displays with the Web server 's background image.

END OF LAB






Lab 6: Configuring NAT

Scenario: This exercise focuses on understanding the behavior of Network Address Translation in a network. You will first configure both static and hide NAT, then observe their behavior using packet captures.

Topics:

Confi guring Hide NAT on the Corporate Network

Testing the Hide NAT Address

Configuring Static NAT on the DMZ Server

Testing the Static NAT Address

Observing Hide NAT Traffic Using fw monitor

Observing Static NAT Traffic Using fw monitor




Configure Hide NAT on the Corporate Network


I. Double-click the Security Management object (AT_ MGMT) to bring up the
General Properties window.
2. Select the NAT option from the left-hand pane:
Figure 143 - Check Point Host - NAT

3. Check Add A utomatic Address Translation rules, and select Static.




4. Type IP address 172.21.1.101 (NAT'd address for the Security Management Server) in the Translate to IP Address field.
5. Install on the corporate gateway (AT_GWY) and check the box: Apply for Security Gateway control connections:

Figure 144 - Static NAT Configuration

Note: It is necessary to use static NAT on the Security Management Server in order for Hide NAT on the network to function properly. The management server sits inside atlantis_internal; without a static rule of its own it would be hidden behind the gateway like any other host, and the branch gateway would have no fixed address at which to reach it for SIC and other control connections. This is also why Apply for Security Gateway control connections is checked.




6. Click OK.
7. Double-click the corporate network object (atlantis_internal) and select the
NAT tab.
8. Check Add Automatic Address Translation rules, and select Hide.
9. Choose Hide Behind the Gateway and install on AT_GWY:

Figure 145 - Hide NAT Configured

10. Click OK.


11. Select the NAT tab in SmartDashboard.




12. Review the automatic NAT rules created when you configured Static NAT for
the Security Management Server and Hide NAT:

Figure 146 - NAT Tab Displays Hide and Static NAT Rules

13. Save and install the Policy.




Test the Hide NAT Address


1. If your Policy pushed successfully, your Security Management Server static NAT configuration is working.
2. Test your Hide NAT settings by pinging 172.21.1.101 from UK_PC (10.1.9.109).
3. You can launch SmartView Tracker from within the SmartDashboard application. In SmartDashboard, go to Window > SmartView Tracker.
4. Click the blue down-arrow icon on the toolbar to view the last entries in the log base:

Figure 147 - ICMP Connection from NAT'd Address

5. Locate the ICMP log entries from UK_PC where the source gateway is AT_GWY. Double-click to open.




6. Note the entries, XlateSrc and XlateSPort information. These indicate the
source address has been NAT'd to the 172.21.1.101 address (i.e., the corporate
gateway).

Figure 148 - Record Details of Hide NAT

Note: We will discuss how to analyze NAT later in this lab.




Configure Static NAT on the DMZ Server


1. In SmartDashboard, double-click to open the DMZ object (DMZ_Server).
2. Select NAT from the left-hand pane and check Add Automatic Address Translation rules, and choose Static.
3. Enter the static address of your corporate city's DMZ machine as: 172.21.1.10
4. In the Install on Gateway drop-down box, select the corporate gateway (AT_GWY).
5. Click OK.
6. Click the NAT tab and confirm the rule changes.

Figure 149 - NAT Rules

7. Install the Policy.




Test the Static NAT Address


1. From UK_PC, open a browser and type: http://172.21.1.10
2. Verify the browser displays the corporate DMZ homepage.
3. Open SmartView Tracker. Click the down-arrow on the toolbar to view the last entries in the log base.
4. Locate the HTTP log entries from your UK_PC to the DMZ machine where the originating gateway is AT_GWY. Double-click to open.
5. Note the entry, XlateDst information.

Figure 150 - Static NAT Log Entry




Observe Hide NAT Traffic Using fw monitor


In this section, you will use the fw monitor packet capture tool and the Wireshark Network Protocol Analyzer on the corporate Security Gateway to view the Hide NAT configuration. Unlike a capture taken on the wire, fw monitor records each packet at the kernel inspection points (i, I, o, O), so the same packet is shown both before and after address translation.

1. Log in to the corporate Security Gateway (AT_GWY) in expert mode.
2. Type the following command from the expert mode prompt, and press Enter:
fw monitor -o hide_nat.out

Figure 151 - Start fw monitor Packet Capture




3. From a browser on your AT_GUI, connect to UK_PC using HTTP.
4. After you have connected to a website, type CTRL-C on the Security Gateway to stop the packet capture.
Note: The number at the bottom left-hand corner of the screen is the number of packets collected from the capture.

Figure 152 - fw monitor Packet Captures

5. FTP the fw monitor output file to the AT_GUI machine. Use username: anonymous, and press Enter for the password. Anonymous FTP is a classroom convenience: it carries the capture in cleartext, so on a production gateway move such files with an encrypted transfer such as SCP instead.

Figure 153 - FTP Procedure to Transfer Packet Capture File

6. Open the hide_nat.out file in Wireshark from the AT_GUI.




Configure Wireshark
Follow these steps to configure Wireshark:

1. From the main menu, click on Edit > Preferences.

Figure 154 - Wireshark Preferences Option

2. Choose Protocols > Ethernet and check Attempt to interpret as FireWall-1 monitor file.
3. Click Apply. While still in the Preferences window, go to User Interface > Columns.
4. Click the Add button at the bottom of the view.
5. In the New Column field, enter FW Chain.
6. From the drop-down menu, select FW-1 Monitor if/direction.
Note: These instructions are for Wireshark 1.2.4. The method for adding the column may differ in the version you are using.




7. Drag FW Chain up one level in the formatting window:

Figure 155 - Configure Wireshark Columns
Note: This allows you to view the new column you created in between the Protocol and Info columns. It may be necessary to restart Wireshark for the column change to take effect.

8. Click OK.




Observe the Traffic
1. In the Filter section, run ip.addr == <IP address of the destination> (e.g., 172.31.2.101 if using the instructor machine).

Figure 156 - Wireshark Display of Packet Capture

2. Observe the firewall inspection points i, I, o, O as the SYN packet leaves the gateway.
Note: On what inspection point does the Hide NAT translate? What is the source port prior to translation? What is the source port when translation occurs?




Observe Static NAT Traffic Using fw monitor


1. Log in to expert mode on the corporate Security Gateway.
2. Run the following command at the prompt:
fw monitor -o static_nat.out
3. From UK_PC, FTP to the Static NAT address for DMZ_Server. You may FTP via the command line, or use an FTP client of your choice.
4. Type CTRL-C on AT_GWY to stop the packet capture and FTP the file static_nat.out to the AT_GUI.

Figure 157 - FTP the Packet Capture Output Data to AT_GUI




5. From the AT_GUI (where the file was transferred in step 4), open the file static_nat.out in Wireshark. Using the same filter as in the hide NAT exercise, the capture displays the translation.

Figure 158 - Wireshark Static NAT Packet Captures




6. Analyze the inspection points i, I, o, O on the corporate gateway.
Note: On what inspection point does NAT take place? Does the source port change? This static NAT exercise was an example of client-side NAT. This means that translation occurs closest to the client, which you observed in Wireshark. Client-side NAT is the default setting in R75. This setting can be found under Policy > Global Properties > NAT.

Figure 159 - Global Properties - NAT

7. Close SmartView Tracker before continuing with the next lab.
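The notes in this lab ask at which inspection point each translation becomes visible. The following Python model is an added example written for this edit, not code from the manual or from Check Point; it applies the automatic NAT rules configured above (atlantis_internal hidden behind the gateway, AT_MGMT static to 172.21.1.101, DMZ_Server 192.168.1.100 static to 172.21.1.10) and reports a packet as fw monitor shows it at i, I, o and O under client-side NAT: destination translation in the inbound chain between i and I, source translation in the outbound chain between o and O. The gateway's external address 172.21.1.1, AT_MGMT's internal address 10.1.1.101, the port pool used for hidden connections and the sample packets are assumptions.

```python
"""Hide and Static NAT as they appear at the fw monitor inspection points
i, I, o and O, with the default client-side NAT.

Added example, not code from the lab manual or from Check Point.
From the lab: atlantis_internal 10.1.1.0/24 is hidden behind the gateway,
AT_MGMT is statically translated to 172.21.1.101 and DMZ_Server
192.168.1.100 to 172.21.1.10.
Assumed (not on the page): AT_GWY's external address 172.21.1.1 (the address
"Hide behind the Gateway" uses here), AT_MGMT's internal address 10.1.1.101,
and the port range the gateway allocates for hidden connections.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, ext_ip, hide_nets, static_map):
        self.ext_ip = ext_ip
        self.hide_nets = [ipaddress.ip_network(n) for n in hide_nets]
        self.static = dict(static_map)                 # private -> public, 1:1
        self.static_rev = {v: k for k, v in self.static.items()}
        self.hidden = {}                               # allocated port -> (orig src, orig sport)
        self._next_port = 10000                        # assumed allocation pool

    def translate_dst(self, p):
        """Inbound chain (i -> I): destination NAT, done on the client side."""
        if p.dst in self.static_rev:                   # public address of a static host
            return replace(p, dst=self.static_rev[p.dst])
        if p.dst == self.ext_ip and p.dport in self.hidden:
            src, sport = self.hidden[p.dport]          # reply to a hidden connection
            return replace(p, dst=src, dport=sport)
        return p                                       # no entry: stays addressed to the gateway

    def translate_src(self, p):
        """Outbound chain (o -> O): source NAT. Automatic Static rules are
        ordered above Hide rules, so a static host inside a hidden network
        keeps its fixed public address and its source port."""
        if p.src in self.static:
            return replace(p, src=self.static[p.src])
        if any(ipaddress.ip_address(p.src) in n for n in self.hide_nets):
            port, self._next_port = self._next_port, self._next_port + 1
            self.hidden[port] = (p.src, p.sport)       # real gateways key on the full 5-tuple
            return replace(p, src=self.ext_ip, sport=port)
        return p

    def traverse(self, p):
        """The packet as fw monitor shows it at each inspection point."""
        at_i = p
        at_I = self.translate_dst(at_i)
        at_o = at_I
        at_O = self.translate_src(at_o)
        return {"i": at_i, "I": at_I, "o": at_o, "O": at_O}


def build_lab_gateway():
    """AT_GWY with the NAT rules from this lab (external address assumed)."""
    return NatGateway("172.21.1.1", ["10.1.1.0/24"],
                      {"10.1.1.101": "172.21.1.101", "192.168.1.100": "172.21.1.10"})


if __name__ == "__main__":
    gw = build_lab_gateway()
    for p in [Packet("10.1.1.201", 40000, "172.31.2.101", 80),       # hidden outbound
              Packet("10.1.9.109", 50000, "172.21.1.10", 21),        # static inbound to DMZ
              Packet("10.1.1.101", 5000, "172.29.109.1", 18191)]:    # AT_MGMT control connection
        for point, q in gw.traverse(p).items():
            print(f"{point}: {q.src}:{q.sport} -> {q.dst}:{q.dport}")
```

Run against the lab's addresses, the model answers the questions in the notes: a hidden host keeps its own address and source port at i, I and o and appears as 172.21.1.1 with a newly allocated port only at O, while an inbound packet to the DMZ server's static address is already rewritten to 192.168.1.100 at I and its source port never changes. It also shows why the management server needs its own Static rule: 10.1.1.101 keeps 172.21.1.101 while every other host in 10.1.1.0/24 is hidden behind 172.21.1.1, and an unsolicited packet to 172.21.1.1 on a port with no connection entry is not translated at all, so it reaches the gateway itself and meets the Stealth rule.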

END OF LAB






Lab 7: Monitoring with SmartView Tracker

Scenario: In this lab, you will track the connections from the previous labs using SmartView Tracker and look at different ways of querying data. In addition, you will learn how to configure SmartView Monitor to view historical traffic; these steps are easily applied to viewing real-time traffic.

Topics

Launching SmartView Tracker

Tracking by Source and Destination


Modifying the Gateway to Activate SmartView Monitor

Viewing Traffic Using SmartView Monitor




Launch SmartView Tracker


1. Launch SmartView Tracker by clicking on the SmartView Tracker icon on your desktop.
2. Enter the SmartConsole user name and password.
Note: This is the same login used for SmartDashboard.

3. View the columns displayed in the log.

Figure 160 - Columns

4. From the main menu, click View and check Query Properties.
Note: There are many other columns that can be added to help troubleshoot packets going through the Security Gateway. Two that are very helpful are the NAT columns to see when the source and destination are translated.




5. Go down to the bottom of the query properties list and check xlate src and xlate dst.

Figure 161 - Add XlateSrc

6. Uncheck Query Properties from View > Query Properties.


7. Click Query > Save As.
8. In the Save To Tree box, type a name for this query:

Figure 162 - Save Query Dialog Box




9. Click Save, and notice that this creates a query under Custom in the list pane on the left:

Figure 163 - Custom Query Results Displayed



Track by Source and Destination


1. To track a packet by source, put the mouse over the Source column and right-click.
2. Choose Edit filter, and the system displays the following:



Figure 164 - Custom Filter

3. On the Source filter screen, choose the AT_GWY icon and add it to the query:


Figure 165 - Source Filter Applied in SmartView Tracker


4. Click OK, and the system will display all packets sourced from the corporate
gateway:


Figure 166 - Source Filter Displays Packet Data from Corporate Gateway

Note: You can also run this filter with the destination.

5. With the source filter in place, add a destination filter for AT_GUI, such as
10.1.1.201. (Use any filter you wish.)


6. Right-click on the Destination column and choose Edit filter. In the left-hand
column, enter the specific IP and click on Add:


Figure 167 - Destination Filter Applied in SmartView Tracker

7. Click OK, and the FTP packets from the corporate gateway to the AT_GUI are
displayed:



Figure 168 - Destination Filter Displays Packet Data to AT_GUI

8. To clear this filter, right-click the source and destination columns and choose
Clear Filter.
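The two things this section exercises, adding the xlatesrc/xlatedst columns to a query and filtering on the Source and Destination columns, can be applied the same way to exported log records when SmartView Tracker is not at hand. The following is an added example, not part of the lab manual or of Check Point's tooling. The records are constructed here in the "key: value;" style that fw log prints (treated as an assumption about the format) and use the lab's addresses: AT_GWY 172.21.101.1, AT_GUI 10.1.1.201, AT_MGMT 10.1.1.101 and UK_GWY 172.21.109.1.

```python
import ipaddress

# Constructed sample records, modelled on the "key: value;" style of fw log
# output (an assumption; not a capture from the lab). The first record shows a
# hide-NAT of AT_GUI behind AT_GWY's external address on its way to UK_GWY.
SAMPLE_LOG = """
Time: 10:12:01; Action: accept; Orig: AT_GWY; rule: 6; src: 10.1.1.201; dst: 172.21.109.1; proto: tcp; service: http; xlatesrc: 172.21.101.1;
Time: 10:12:05; Action: accept; Orig: AT_GWY; rule: 4; src: 172.21.101.1; dst: 10.1.1.201; proto: tcp; service: ftp;
Time: 10:12:09; Action: drop; Orig: AT_GWY; rule: 8; src: 172.21.109.1; dst: 172.21.101.1; proto: tcp; service: telnet;
Time: 10:12:14; Action: accept; Orig: AT_GWY; rule: 3; src: 10.1.1.101; dst: 172.21.101.1; proto: tcp; service: https;
"""


def parse_record(line):
    """Split one 'key: value; key: value;' record into a dict. Only the first
    ':' separates key from value, so a value such as 'Time: 10:12:01' survives."""
    fields = {}
    for part in line.strip().rstrip(";").split(";"):
        key, _, value = part.partition(":")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


RECORDS = [parse_record(line) for line in SAMPLE_LOG.splitlines() if line.strip()]


def filter_records(records, **columns):
    """Column filter like Edit Filter in SmartView Tracker: every named column
    must equal the value given, e.g. filter_records(RECORDS, src=..., dst=...)."""
    return [r for r in records if all(r.get(k) == v for k, v in columns.items())]


def filter_by_network(records, column, cidr):
    """Filter a column by network object (the filter dialog also accepts a
    network object such as atlantis_internal instead of a single IP)."""
    net = ipaddress.ip_network(cidr)
    return [r for r in records if ipaddress.ip_address(r[column]) in net]


def translation(record):
    """Effective (src, dst) after NAT. xlatesrc/xlatedst are present only when
    the gateway translated that side; otherwise the original address stands."""
    return (record.get("xlatesrc") or record["src"],
            record.get("xlatedst") or record["dst"])


def nat_applied(record):
    """True when the xlate columns show a translated source or destination."""
    return translation(record) != (record["src"], record["dst"])


def describe(record):
    """One line per record with the translated pair, which is what you want
    when a return packet does not match the connection you expected."""
    src, dst = translation(record)
    flag = " [NAT]" if nat_applied(record) else ""
    return (f"{record['Time']} {record['Action']:6} rule {record['rule']:>2} "
            f"{record['src']}->{record['dst']} => {src}->{dst} {record['service']}{flag}")


if __name__ == "__main__":
    # Same query as steps 5-7 above: source AT_GWY, destination AT_GUI.
    for rec in filter_records(RECORDS, src="172.21.101.1", dst="10.1.1.201"):
        print(describe(rec))
    # Everything sourced from atlantis_internal, with the NAT columns resolved.
    for rec in filter_by_network(RECORDS, "src", "10.1.1.0/24"):
        print(describe(rec))
```

The xlate columns matter most when a packet appears to be accepted yet the reply never arrives: comparing the translated pair against the rule you expected to match tells you whether the NAT rule or the security rule is the one misbehaving.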


Modify the Gateway to Activate SmartView Monitor


1. From SmartDashboard, double-click the AT_GWY object.
2. In the Software Blades section of the General Properties page, select the
Monitoring Software Blade:
Figure 169 - Logging & Status Software Blade Selection

3. The product Monitoring Software Blade appears in the list on the left.


4. Select the Monitoring Software Blade branch in the options list.


5. In the SmartView Monitor page, select the options Traffic Connections, and
Traffic Throughput (Bytes per second):

Figure 170 - SmartView Monitor Page

6. Click OK.
7. Repeat this procedure for UK_GWY.
8. Install the Security Policy.


View Traffic Using SmartView Monitor


1. From the main menu, select Window > SmartView Monitor:
Figure 171 - SmartView Monitor


2. From the list on the left, right-click Custom:

Figure 172 - New Traffic View

3. Select New Traffic View, and the system displays the following:

Figure 173 - Query Properties

4. In the Query Properties window, select History and Specific Target.


5. From the Specific Target selection, click the Select button, and the system
displays a list of available targets:

Figure 174 - Select Gateway

6. In the Select Gateway box, select AT_GWY.


7. Click OK, to add the target:

Figure 175 - Select Gateway Box

8. Select the Traffic History tab.


9. For immediate results, select the option Last hour from the Time Frame
drop-down box. Otherwise, choose Last Day, but a message box will appear
explaining that 15 minutes is required for initial results.


10. Select the option, Common Services on all interfaces, Inbound (bytes per
second):

Figure 176 - Traffic History Tab


11. Click Save in the Query Properties window. A line graph appears with the
services along the x-axis and the amount of traffic along the y-axis, in
bytes/sec.


Figure 177 - Line Graph Displaying Common Traffic on AT_GWY

Note: In the test environment, it may be necessary to generate traffic before
seeing the chart populate with data.

END OF LAB



Lab 8: Client Authentication

Scenario: Currently, your Security Policy permits all communication from your
internal networks to any destination. This exercise will configure and test manual and
partially automatic Client Authentication for specific users accessing the DMZ. To
do this, you must take into account that the Rule Base is matched top-down, first
match wins: a connection from a host that has not yet authenticated does not match
the Client Authentication rule, so any broader rule that would accept it must be
taken out of its path.

Topics

Using Manual Client Authentication with FTP and Local User

Modifying the Rule Base

Testing Manual Client Authentication

Using Partially Automatic Client Auth with a Local User

Configuring SmartDirectory with LDAP

Verifying SmartDashboard Integration

Testing Active Directory Authentication

Creating a Database Revision


Use Manual Client Authentication with FTP and Local User


1. Using the objects tree pane in SmartDashboard, click on the Users icon to open
the Users and Administrators tree.
2. Right-click Users and select New User > Default, and the following window
appears:


Figure 178 - Add New User

3. Enter the user name, Testuser, in the User Name field in the General page.


4. Select the Authentication tab and the system displays the following:


Figure 179 - User Properties - Authentication

5. Choose Check Point password from the drop-down box.


6. Enter and confirm vpn123 as the password.
7. Click OK, and the user is added to the objects tree.


8. Right-click User Groups and select New Group:


Figure 180 - Group Properties

9. Name your group client_auth.


10. Add your user into the group by selecting the Testuser from the list of available
members, and clicking Add:


Figure 181 - Add User Group

11. Click OK, and the new group is displayed in the Users and Groups tree:


Figure 182 - Users Group Added




Modify the Rule Base


1. Right-click the Stealth Rule, and select Add Rule > Above.
2. Name the new rule Client Auth Rule.
3. Right-click in the Source field and select Add Objects > Add Legacy Users
Access. The system displays the following window:

Figure 183 - Legacy User Access

4. In the Legacy User Access window, select the client_auth group and click OK.
5. Add the AT_GUI object to the Destination column.
6. In the Service column, add the ftp service.


7. In the Action column of the rule, right-click and select Legacy > Client Auth:


Figure 184 - Client Auth Rule

8. Edit the Client Auth properties by right-clicking on the Action cell and
choosing Edit properties, or by double-clicking the action.


9. In the Client Authentication Action Properties window, verify Manual is
selected:

Figure 185 - Manual Sign

10. Click OK.


11. In the Track column, specify Log.
12. Add another rule above the Client Auth Rule that allows and logs any source to
AT_GWY using the FW1_clntauth_telnet service.
13. Disable rule 6, the Corporate Internal Traffic Rule, so that the more restrictive
client authentication rules will not be bypassed. Right-click on the rule
number, and select Disable Rule.


14. Verify your rules resemble the following:

Figure 186 - Client Authentication Rules Added

15. Save and install the Policy on both Security Gateways.
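Why step 13 disables the Corporate Internal Traffic rule is easiest to see by running the Rule Base on paper. The following is an added example, not part of the manual or of Check Point software: a small first-match evaluator in which a legacy user-access source (client_auth@Any) matches only a host that has already signed on, so an FTP connection from a host that has not authenticated skips the Client Auth Rule and is accepted by whatever broader rule comes next. The UK client address 10.1.2.10 and the UK network 10.1.2.0/24 are assumptions; the other addresses, the user and the password are the lab's.

```python
import ipaddress
from dataclasses import dataclass

# Lab objects. UK_PC's address and the UK network are assumptions.
AT_GWY, AT_GUI, UK_PC = "172.21.101.1", "10.1.1.201", "10.1.2.10"
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]
# Local user and group from steps 3-10 of this lab.
USERS = {"Testuser": {"password": "vpn123", "groups": {"client_auth"}}}


@dataclass
class Rule:
    name: str
    src: object       # "Any", a list of networks, or ("users", group) for legacy user access
    dst: object       # "Any" or one host address
    service: str      # "Any" or a service name
    action: str       # "accept" or "drop"
    enabled: bool = True


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    service: str


def sign_on(authorized, host, user, password):
    """Manual client auth: the telnet session to port 259 authenticates the
    user and records the *host* as authorized for the user's groups."""
    account = USERS.get(user)
    if account is None or account["password"] != password:
        return False
    authorized.setdefault(host, set()).update(account["groups"])
    return True


def src_matches(rule, conn, authorized):
    if rule.src == "Any":
        return True
    if isinstance(rule.src, tuple):      # legacy user access, e.g. client_auth@Any
        # Matches only if the source host already signed on as a group member;
        # a host that has not signed on does not match and evaluation continues.
        return rule.src[1] in authorized.get(conn.src, set())
    return any(ipaddress.ip_address(conn.src) in net for net in rule.src)


def evaluate(rules, conn, authorized):
    """First match wins. Disabled rules keep their number but are skipped.
    Returns (rule number, action); no match at all is the implicit drop."""
    for number, rule in enumerate(rules, start=1):
        if not rule.enabled:
            continue
        if (src_matches(rule, conn, authorized)
                and rule.dst in ("Any", conn.dst)
                and rule.service in ("Any", conn.service)):
            return number, rule.action
    return None, "drop"


def build_rules(internal_rule_enabled):
    """The rules from steps 1-13 in evaluation order. Numbers here are positions
    in this list, not the rule numbers shown in the lab's Rule Base."""
    return [
        Rule("Client Auth Telnet", "Any", AT_GWY, "FW1_clntauth_telnet", "accept"),
        Rule("Client Auth Rule", ("users", "client_auth"), AT_GUI, "ftp", "accept"),
        Rule("Stealth", "Any", AT_GWY, "Any", "drop"),
        Rule("Corporate Internal Traffic", INTERNAL_NETS, "Any", "Any", "accept",
             internal_rule_enabled),
        Rule("Cleanup", "Any", "Any", "Any", "drop"),
    ]


def ftp_from_uk(internal_rule_enabled, signed_on):
    """Fate of UK_PC's FTP connection to AT_GUI under the given conditions."""
    authorized = {}
    if signed_on:
        sign_on(authorized, UK_PC, "Testuser", "vpn123")
    return evaluate(build_rules(internal_rule_enabled), Conn(UK_PC, AT_GUI, "ftp"), authorized)


if __name__ == "__main__":
    print("not signed on, internal rule enabled :", ftp_from_uk(True, False))   # accepted without auth
    print("not signed on, internal rule disabled:", ftp_from_uk(False, False))  # dropped by Cleanup
    print("signed on                            :", ftp_from_uk(False, True))   # Client Auth Rule
```

The first line of output is the bypass the manual warns about: the connection never "fails" authentication, it simply does not match the authentication rule and is accepted further down. Checking for this kind of shadowing (a later, broader rule that can accept what an earlier, stricter rule was meant to gate) is worth doing whenever an authentication or identity rule is added to an existing policy.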

R75 L ab Manual 177


Lab 8: Client Authentication

Test Manual Client Authentication


1. With manual client authentication, you must first telnet to the gateway on port
259. On UK_PC, type the following at the prompt:
telnet 172.21.101.1 259
2. Enter your local user account credentials created in SmartDashboard (i.e., user:
Testuser, password: vpn123), then choose Standard Sign On, option 1.
3. FTP to the AT_GUI IP address (10.1.1.201). Enter the FTP credentials for the
FTP server. (Check with your instructor.)

Figure 187 - Connect Manually using Telnet


4. Review the logs in SmartView Tracker. Verify that the FTP traffic is passed on
rule 4, the Client Authentication rule, by AT_GWY:


Figure 188 - FTP Log on AT_GWY


5. Double-click the client auth traffic to view the detailed log:

Figure 189 - Detailed Client Auth Rule Traffic

6. Notice the username displayed in the User field.



Use Partially Automatic Client Auth with a Local User


1. Modify the Client Authentication rule by adding AT_GWY and UK_GWY to
the Destination field.
Note: When using partially automatic client authentication with HTTP, port 80
traffic must be permitted to the Security Gateway.

2. Add the HTTP service in the Service field :

Figure 190 - Add HTTP to Rule


3. Double-click on the Client Auth action and choose Partially automatic:


Figure 191 - Partially Automatic Option

4. Click OK.
5. Save and install the Security Policy for both gateways.
6. From the browser on UK_PC, use HTTP to connect to AT_GUI (10.1.1.201). A window
displays prompting you to authenticate.


7. Enter the local user credentials, and click OK. (You will be prompted twice.)

Figure 192 - Browser Authentication

8. The browser displays the AT_GUI's homepage.


9. Launch SmartView Tracker, and review the logs, noting authorized and
accepted entries:

Figure 193 - Log Results in SmartView Tracker


10. Double-click on one of the logs displaying the checkmark to view the details.

Figure 194 - Record Details of Authorized HTTP Access Log


Configure SmartDirectory with LDAP


We will use the same partially automatic authentication rule configured in the
previous section. The only difference is that you will authenticate through an
LDAP server instead of as a local user.

1. Open Policy > Global Properties, and select SmartDirectory (LDAP):


Figure 195 - Global Properties - SmartDirectory (LDAP)

2. Check Use SmartDirectory (LDAP) for Security Gateways.


3. Click OK.
4. From the left-hand pane, select Nodes > Node > Host.


5. Use the following information to create a host object for the Active Directory
domain controller:
Name: Enterprise_Server
IP Address: 10.1.1.125
Comment: Active Directory Server

Figure 196 - Host Node

6. Click OK to close.


7. Choose Manage > Servers and OPSEC Applications, and the system displays
the following:

Figure 197 - Server and OPSEC Applications


8. Click New > LDAP Account Unit, and use the following information to create
the object:
Name: ActiveDirAU
Profile: Microsoft_AD
Domain: atlantiscorp.cp
Account Unit Usage: CRL retrieval
User management
Active Directory Query

Figure 198 - LDAP Account Unit Properties - ActiveDirAU - General Tab


9. From the Servers tab, click Add. The system displays the LDAP Server
Properties window:


Figure 199 - LDAP Server Properties


10. In the LDAP Server Properties > General tab, add the following information:
Host: Enterprise_Server
Port: 389 (Note: The port will change to 636 if you configure the
Encryption screen.)
Login DN: cn=Administrator,cn=users,DC=atlantiscorp,DC=cp
Password: The Administrator's password for the Active Directory server


Figure 200 - LDAP Server Properties - General

Note: In a real-world environment, the Active Directory (or LDAP) team will
create a separate, least-privileged login on the Active Directory server,
specifically to allow SmartDirectory access; binding as the domain
Administrator is acceptable only in this lab.


11. Select the Encryption tab:



Figure 201 - LDAP Server Properties - Encryption

12. Use the following information to configure the Encryption tab:


Use Encryption SSL: Enable
MiniMax: Strong (both)

Note: If your AD server is not set up for encryption, skip this step. Without SSL,
the Login DN, its password and every query result travel to port 389 in cleartext.
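What the Encryption tab protects is the bind that the Account Unit performs with the Login DN and password from step 10. The following is an added example, not part of the lab manual or of Check Point software: it encodes an LDAPv3 simple BindRequest as it leaves the management server, decodes the BindResponse, and shows that the password sits verbatim in the PDU, so on port 389 it is readable by anyone on the path and only the SSL wrapping on port 636 hides it. The host and Login DN are the lab's; the password value is a placeholder.

```python
import socket
import ssl

# Values from the lab's LDAP Server Properties; the password is a placeholder.
LDAP_HOST = "10.1.1.125"                                    # Enterprise_Server
LOGIN_DN = "cn=Administrator,cn=users,DC=atlantiscorp,DC=cp"
PLAIN_PORT, SSL_PORT = 389, 636


def _ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    authentication simple [0] password } }. Message IDs are kept to 1..127 so
    the INTEGER fits in one byte."""
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must be 1..127 in this example")
    bind = _tlv(0x60,
                _tlv(0x02, b"\x03")               # version INTEGER 3
                + _tlv(0x04, bind_dn.encode())    # name LDAPDN
                + _tlv(0x80, password.encode()))  # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN,
    diagnosticMessage } -> (message_id, result_code, diagnostic).
    resultCode 0 is success, 49 is invalidCredentials."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def password_visible(pdu, password):
    """True when the password sits verbatim in the PDU, which is always the case
    for a simple bind; only the transport (SSL on 636) hides it from the wire."""
    return password.encode() in pdu


def simple_bind(host, port, bind_dn, password, use_ssl):
    """Perform the bind the Account Unit does. Plain TCP on 389 sends the PDU
    as is; use_ssl wraps the socket in TLS first (the 636 setting on the
    Encryption tab). Returns (result_code, diagnostic)."""
    raw = socket.create_connection((host, port), timeout=5)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_ssl else raw
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(sock.recv(4096))[1:]


if __name__ == "__main__":
    pdu = bind_request(1, LOGIN_DN, "placeholder-password")
    print("bytes on the wire for a 389 bind:", pdu.hex())
    print("password readable in the PDU:", password_visible(pdu, "placeholder-password"))
    # simple_bind(LDAP_HOST, SSL_PORT, LOGIN_DN, "...", use_ssl=True) runs the real bind.
```

The same cleartext exposure applies to the Fetch Branches and user queries that follow, which is why the lab's MiniMax setting of Strong on both sides is the right default whenever the directory offers a certificate.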


13. Click OK to close the LDAP Server Properties and return to the Servers tab:


Figure 202 - LDAP Account Unit Properties - Servers


14. Select the Objects Management tab, and click Fetch Branches to retrieve the
branches on the LDAP server:

Figure 203 - LDAP Account Unit Properties - Objects Management


15. On the Authentication tab, check the option, Default Authentication Scheme,
and select Check Point Password .


Figure 204 - Authentication Tab


16. Click OK to close the LDAP Account Unit Properties and add the object to the
list of servers:


Figure 205 - Server and OPSEC Applications

17. Close the Servers and OPSEC Applications window.



Verify SmartDashboard Integration


1. In SmartDashboard, select the Users tab in the Objects Tree pane.
2. Double-click the ActiveDirAU object. This expands the Windows Server 2003
Active Directory tree.
3. A list of users displays under the Users list in the Active Directory tree:


Figure 206 - Active Directory Tree


4. Double-click Users to view user information displayed in a separate pane
below the Rule Base.

Figure 207 - ActiveDirAU User Information

5. From the objects tree, right-click LDAP Groups, and select New LDAP Group.


6. Name the group, LDAPAccess, and select the ActiveDirAU object from the
Account Unit drop-down box.

Figure 208 - LDAP Group Properties - LDAP Access

7. Click OK. The new group is added to the objects tree.


Test Active Directory Authentication


1. Right-click the Source column in the Client Authentication rule, select Add
Objects > Add Legacy Users Access, and select LDAPAccess:

Figure 209 - Legacy User Access


2. Click OK and review the configured policy:


Figure 210 - Security Policy with Client Auth Rules

3. Save and install the Policy.


4. Check with your instructor for your Active Directory login name and
password.
5. From AT_GUI, use HTTP to connect to DMZ_Server (192.168.1.100) using
the AD credentials acquired from your instructor:


Figure 211 - User Prompted for Credentials

6. Review the connection in SmartView Tracker.



Create a Database Revision


Do not skip this section. You will restore this version in a later lab.

1. From the main menu in SmartDashboard, click File > Database Revision
Control.

Figure 212 - Database Revision Control

2. From the Database Revision Control window, select Create, and the Create
New Database Version window displays.


3. Type Standard Policy with Client Auth in the Name field, and comment as
desired.

Figure 213 - Create New Database Version

4. Select the option Keep this version from being deleted automatically.
5. Click OK, then Close after the revision has been created.

END OF LAB



Lab 9: Identity Awareness

Scenario: In this lab, you will provide restricted access to resources in the
DMZ. Using the client_auth group configured in a previous lab, restrict access to
the Web server on the DMZ to users of this group.

Topics

Configuring the Security Gateway

Defining the User Access Role


Applying User Access Roles to the Rule Base

Testing Identity Awareness Connection


Configuring the Security Gateway


1. In SmartDashboard, open the corporate Security Gateway:


Figure 214 - Check Point Gateway - General Properties


2. Below the Network Security tab of the General Properties page, select the
Identity Awareness option, and the system displays the configuration wizard:

Figure 215 - Methods for Acquiring Identity

3. De-select AD Query and select Captive Portal:


Figure 216 - Methods for Acquiring Identity Configured


4. Click Next, and the system displays the following:

Figure 217 - Integration with Active Directory

5. Select the option I do not wish to configure an Active Directory at this time:


Figure 218 - Integration with Active Directory Configured


6. Click Next and the system displays the following:


Figure 219 - Captive Portal Settings

Note: The system selects the external interface of the gateway by default.

7. In the Main URL drop-down list, select the internal interface (10.1.1.1):


Figure 220 - Captive Portal Settings Configured


8. Click Next and the system displays the following:



Identity Awareness is Now A ctive!


Figure 221 - Identity Awareness Configuration

9. Click the Finish button.


10. Click OK.



Defining the User Access Role


1. From the Users and Administrators tree in SmartDashboard, right-click
Access Roles.
2. Select New Access Role, and the system displays the following:


Figure 222 - Access Role

3. Use the following information to configure the Access Role:
Name: DMZ_HTTP
Color: Orange
Comment: Restrict access to the Web server in the DMZ.

4. In the Networks tab, select the option Specific Networks.


5. Click the green + icon to add a network to the role:

Figure 223 - Access Roles - Object Selection Options


6. Select atlantis_internal from the list of available options.


Figure 224 - Access Role - Networks


7. Select the Users tab.


8. Select the Specific user/groups option and add the client_auth group to the list:
Figure 225 - Access Role - Users

Note: You must select an internal user group.


9. Click OK to create the new Access Role.

Applying User Access Roles to the Rule Base


1. Add a new rule above the Corporate Incoming Rule.
2. Use the following information to configure the Restricted Access Rule:
Name: Restricted Access Rule
Source: DMZ_HTTP
Destination: DMZ Server
Service: HTTP
Action: Accept
Track: Log
Install On: AT_GWY

Figure 226 - Restricted Access Rule


3. From the Action column of the new rule, right-click the Accept icon.
4. Select Edit Properties, and the system displays the Action properties window:

Figure 227 - Action Properties

5. Select the Captive Portal option and click OK.


6. Disable the Web Traffic rule:

Figure 228 - Web Traffic Rule Disabled


7. Locate the Corporate Internal Traffic Rule.


8. Modify this rule by adding dmz_net to the Destination column.
9. Negate the dmz_net object:

Figure 229 - Object Negated in Corporate Internal Traffic Rule

10. Install the Security Policy.
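To make the matching logic behind the rule changes above concrete, here is a small Python model of first-match Rule Base evaluation with an Access Role as the source and a negated Destination object. It is an added example written for this edit, not Check Point's matching engine and not code from the lab. Only the Restricted Access Rule's columns, the object names and DMZ_Server's address (192.168.1.100) come from the lab text; the address ranges of the network objects, the identity table, the other columns of the Corporate Internal Traffic rule and the Cleanup rule are assumptions made for the example.

```python
"""Toy first-match Rule Base evaluator with Identity Awareness semantics.

Constructed example: NOT Check Point's matching engine. Object names follow
the lab; address ranges, identities and the non-lab rules are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed network objects (ranges assumed; DMZ_Server's address is from the lab).
NETWORKS = {
    "atlantis_internal": ipaddress.ip_network("10.1.1.0/24"),
    "dmz_net": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ_Server": ipaddress.ip_network("192.168.1.100/32"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed identity table: user -> groups, as the gateway would know it
# once the user has logged in through the Captive Portal.
USER_GROUPS = {"Testuser": {"client_auth"}, "guest": set()}


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    user: Optional[str] = None  # None: the source IP has not been identified yet


@dataclass(frozen=True)
class AccessRole:
    name: str
    networks: frozenset    # "Specific Networks" tab
    user_groups: frozenset  # "Specific user/groups" tab


@dataclass(frozen=True)
class Rule:
    name: str
    source: Union[str, AccessRole]
    destination: str
    service: str
    action: str
    negate_destination: bool = False  # the "Negate" toggle on the cell
    captive_portal: bool = False      # Action properties > Captive Portal


def in_object(ip: str, obj: str) -> bool:
    return ipaddress.ip_address(ip) in NETWORKS[obj]


def source_matches(rule: Rule, conn: Connection) -> Optional[bool]:
    """True/False for a plain object. For an Access Role, None means the
    network part matched but the source has no identity yet."""
    if isinstance(rule.source, AccessRole):
        role = rule.source
        if not any(in_object(conn.src, n) for n in role.networks):
            return False
        if conn.user is None:
            return None
        return bool(USER_GROUPS.get(conn.user, set()) & role.user_groups)
    return in_object(conn.src, rule.source)


def evaluate(rulebase, conn: Connection) -> str:
    """First matching rule wins; an implicit cleanup drops everything else."""
    for rule in rulebase:
        src = source_matches(rule, conn)
        if src is False:
            continue
        dst = in_object(conn.dst, rule.destination)
        if rule.negate_destination:
            dst = not dst
        if not dst or rule.service not in ("Any", conn.service):
            continue
        if src is None:
            # Unidentified source on an identity rule: redirect to the portal
            # if the action allows it, otherwise this rule cannot match.
            if rule.captive_portal:
                return "Captive Portal"
            continue
        return rule.action
    return "Drop"


DMZ_HTTP = AccessRole("DMZ_HTTP", frozenset({"atlantis_internal"}), frozenset({"client_auth"}))

# Constructed Rule Base for this point in the lab (Web Traffic rule disabled).
RULEBASE = [
    Rule("Restricted Access Rule", DMZ_HTTP, "DMZ_Server", "HTTP", "Accept", captive_portal=True),
    Rule("Corporate Internal Traffic", "atlantis_internal", "dmz_net", "Any", "Accept",
         negate_destination=True),  # assumed columns; only the negated dmz_net is from the lab
    Rule("Cleanup", "Any", "Any", "Any", "Drop"),
]

if __name__ == "__main__":
    for c in (Connection("10.1.1.101", "192.168.1.100", "HTTP"),
              Connection("10.1.1.101", "192.168.1.100", "HTTP", user="Testuser"),
              Connection("10.1.1.101", "192.168.1.100", "HTTP", user="guest"),
              Connection("10.1.1.101", "10.1.1.200", "SSH", user="guest")):
        print(c, "->", evaluate(RULEBASE, c))
```

The first connection shows why the Web Traffic rule had to be disabled: an unidentified internal client hitting the DMZ web server now reaches the identity rule first and is redirected to the portal, and the negated dmz_net on the Corporate Internal Traffic rule stops that same traffic from being accepted by the broader internal rule once the user turns out not to be in client_auth.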


Testing Identity Based Awareness


1. From AT_GUI, attempt an HTTP connection to DMZ_Server (192.168.1.100).
The system displays the following login page:

Figure 230 - Network Access Login

2. Use the following information to enter the login information:


Username: Testuser
Password: vpn123


3. Click OK. The Security Gateway confirms that the user is authorized to visit
this network by displaying the following confirmation message:

Figure 231 - Network Access Granted

4. Click Finish.


Prepare Rule Base for Next Lab


1. Remove the negated object from the Corporate Internal Traffic rule.
2. Enable the Web Traffic rule.
3. Delete the Restricted Access Rule.
4. Verify your Rule Base appears as follows:

Figure 232 - Rule Base - Identity Based Awareness Removed

END OF LAB



Lab 10: Site-to-Site VPN Between
Corporate and Branch Office

In this lab, you will be defining a site-to-site VPN between the corporate and
branch office Gateways. This is an example of a certificate VPN based on the
SmartCenter's Internal Certificate Authority (CA).

Topics

Defining the VPN Domain

Creating the VPN Community

Creating the VPN Rule and Modifying the Rule Base

Testing VPN Connection

Troubleshooting a VPN


Define the VPN Domain


1. In SmartDashboard, open the corporate Security Gateway.
2. In the Network Security tab of the General Properties page, select the IPSEC
VPN blade option:

Figure 233 - Check VPN


3. Click on the Topology tab. In the VPN Domain section, choose Manually
defined and choose your corporate internal network object:

Figure 234 - Corporate VPN Domain

4. Click OK.


5. Repeat the above steps for the branch office Security Gateway object, but
select the branch office internal network on the Topology page:

Figure 235 - Branch VPN Domain

Note: Take a moment to save this policy package under a name that identifies it as a VPN
Policy. Be sure to save it again before pushing Policy later in this lab.

Create the VPN Community


1. From SmartDashboard, select the IPSec VPN tab. In this space, right-click and
choose New Community > Star:

Figure 236 - Create Star Community

2. In the Star Community Properties screen, enter a name for this community, i.e.,
branch office.


3. Click Center Gateways from the left-hand pane:

Figure 237 - Star Community Properties - Center Gateways


4. Click Add and the system displays the following:

Figure 238 - Add Center Gateways

5. Select AT_GWY as the center gateway.


6. Click OK, and the system displays the following:


Figure 239 - Star Community Properties - Center Gateways


7. Select Satellite Gateways and add the branch office Security Gateway as the
satellite:

Figure 240 - Choose Satellite Gateway

8. From the left-hand pane, click Advanced Settings > Advanced VPN
Properties.


9. Select Disable NAT inside the VPN community. This is very important if you
have objects that are set to Static NAT.


Figure 241 - Advanced VPN Properties

Note: Review the default settings for VPN Properties and Tunnel Management.
What is the default setting for Tunnel Management? What are the default
encryption methods and data integrity of Phase 1 and Phase 2? Review
the properties of the Advanced Settings. What is the default VPN routing
method? Why don't you need to define a pre-shared secret for this VPN?


10. Click OK to exit the Star Community Properties screen. Notice a new star
community object is created in the IPSec VPN tab.

Figure 242 - Star Community Members


Create the VPN Rule and Modify the Rule Base


1. Click the Firewall tab to return to the Rule Base.
2. Add a new rule below the Stealth Rule using the following information to
begin configuration:
Name: VPN Rule
Source: uk_internal
atlantis_internal
Destination: atlantis_internal
uk_internal
Service: Any
Action: Accept
Track: Log
Install On: Policy Targets
3. For the VPN column, right-click the VPN cell in the rule.
4. Select Edit Cell and the VPN Match Conditions window appears:

Figure 243 - VPN Match Conditions


5. In the VPN Match Conditions box, select the option Only connections
encrypted in specific VPN Communities.
6. Click Add and the Add Community window appears:

Figure 244 - Add Community to Rule

7. Select the branch office star community you created earlier, and click OK. The
system adds the selected community to the conditions window:


Figure 245 - VPN Match Conditions

8. Click OK again to return to the Rule Base.


Note: Since you are creating only one rule for both gateways, you will leave the
Install On cell set to Policy Targets.


9. Verify your Rule Base resembles the following:


Figure 246 - Added VPN Rule

10. Save and install the Security Policy on both Security Gateways.
Note: Ensure your time and date settings on your gateways and Security
Management Server are synchronized. If time settings are not
synchronized, Phase 1 of the encryption process cannot take place. See
the troubleshooting section later in this lab.

Test VPN Connection


Use PuTTY to conduct a VPN test. Verify that it is available on your UK_PC
virtual machine.

1. Open a PuTTY session from the branch office client to the IP of AT_MGMT,
and the following appears:

Figure 247 - PuTTY Configuration

Note: You can launch PuTTY either from the command line or on the Windows
desktop. From Windows, double-click putty.exe.

2. Click Open.
3. Click Yes, if prompted to accept the security fingerprint, and a CLI window
appears.


4. Log into your Security Management Server using your login credentials:

Figure 248 - PuTTY Session from Branch Office to SM Server

5. Open SmartView Tracker to view the VPN communication.


Note: From the left-hand pane in SmartView Tracker, expand Network Security
Blades > IPSEC VPN Blade, then select VPN. This will filter out all
traffic other than VPN traffic.


6. Locate the logs with keys representing phase 1 and phase 2 completed, and the
accepted SSH session with a lock indicating that encryption and decryption is
occurring.

Figure 249 - VPN Logs in SmartView Tracker


7. Double-click an SSH log to view the details:

Figure 250 - SSH Log


8. Using the slide bar, move to the far right to the Information column.
9. Locate the messages that phase 1 and phase 2 completed.

Figure 251 - Information Column

Note: This can be very helpful in troubleshooting a VPN problem.


VPN Troubleshooting
There are several tools available for troubleshooting a VPN connection. The first is
the vpn tu utility. This is a CLI tool on the Security Gateway.

1. Log in to the CLI on the corporate Security Gateway.


2. Type the following command at the prompt:
vpn tu

3. Press Enter, and the system displays the following:

Figure 252 - vpn tu


4. Choose option 1 for List all IKE SAs.


5. Press Enter, and the system displays the following:

Figure 253 - VPN tu Option 1

Note: This option shows all phase 1 negotiations to all peer Gateways.


6. Choose option 2 and the system displays the IPSec SAs for all peers:

Figure 254 - VPN tu Option 2

Note: When troubleshooting a VPN problem, you can delete phase 1
and/or phase 2 keys for a given peer to reset the VPN and force a new
key exchange.


7. Choose option 7, to delete both IKE and IPSec SAs for the branch office:

Figure 255 - Clear SAs

8. Next, try the PuTTY test again between the Security Management Server and
the branch office client. (It will take some time for phase 1 and phase 2 to
re-establish.)
Note: Re-installing the Policy will also re-establish phase 1 and 2.

9. Check logs and there will be new keys exchanged.
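The log review in steps 6, 8 and 9 of Test VPN Connection, and the new key exchange expected in step 9 here, can be checked without scrolling through SmartView Tracker by hand. The following Python script is an added example, not part of the lab and not a Check Point tool: it parses a constructed key=value log excerpt (the line format and the peer addresses are invented for this example, loosely modelled on the Tracker columns shown in Figures 249 to 251; only the origin name AT_GWY is from the lab) and reports, per peer, whether phase 1 and phase 2 completed, how many encrypt and decrypt events were logged with which ESP methods, and whether a fresh phase 1 + phase 2 pair appeared after a given time, as it should after clearing the SAs with vpn tu.

```python
"""Summarize IKE/IPSec state per VPN peer from a constructed log excerpt.

Added example; the log format below is invented for illustration and is
not SmartView Tracker's export format. Peer addresses are documentation
ranges (TEST-NET), not lab addresses.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

# Constructed sample: first tunnel setup, an SSH session through it, a
# re-key after the SAs were cleared, and a second peer stuck after phase 1.
SAMPLE_LOG = """\
2011-05-12 10:47:20 origin=AT_GWY product=IKE peer=203.0.113.2 info="Phase 1 completed"
2011-05-12 10:47:21 origin=AT_GWY product=IKE peer=203.0.113.2 info="Phase 2 completed"
2011-05-12 10:47:25 origin=AT_GWY product=VPN peer=203.0.113.2 service=ssh action=encrypt methods="ESP: AES-128 + SHA1"
2011-05-12 10:47:26 origin=AT_GWY product=VPN peer=203.0.113.2 service=ssh action=decrypt methods="ESP: AES-128 + SHA1"
2011-05-12 10:52:10 origin=AT_GWY product=IKE peer=203.0.113.2 info="Phase 1 completed"
2011-05-12 10:52:11 origin=AT_GWY product=IKE peer=203.0.113.2 info="Phase 2 completed"
2011-05-12 10:55:00 origin=AT_GWY product=IKE peer=198.51.100.7 info="Phase 1 completed"
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_line(line: str) -> Optional[dict]:
    """Return {'ts': datetime, key: value, ...} or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: (q or u) for k, q, u in KV_RE.findall(m.group(2))}
    rec["ts"] = parse_ts(m.group(1))
    return rec if "peer" in rec else None


@dataclass
class PeerState:
    phase1: list = field(default_factory=list)  # timestamps of "Phase 1 completed"
    phase2: list = field(default_factory=list)  # timestamps of "Phase 2 completed"
    encrypted: int = 0
    decrypted: int = 0
    methods: set = field(default_factory=set)   # ESP methods seen on traffic logs


def summarize(log_text: str) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        st = peers.setdefault(rec["peer"], PeerState())
        if rec.get("product") == "IKE":
            info = rec.get("info", "")
            if info.startswith("Phase 1"):
                st.phase1.append(rec["ts"])
            elif info.startswith("Phase 2"):
                st.phase2.append(rec["ts"])
        elif rec.get("product") == "VPN":
            if rec.get("action") == "encrypt":
                st.encrypted += 1
            elif rec.get("action") == "decrypt":
                st.decrypted += 1
            if "methods" in rec:
                st.methods.add(rec["methods"])
    return peers


def tunnel_status(st: PeerState) -> str:
    """Phase 2 present means the IPSec SA was built; phase 1 alone points at
    a phase 2 mismatch; nothing at all points at phase 1 itself (the lab names
    clock skew as one cause for a certificate VPN)."""
    if st.phase2:
        return "established"
    if st.phase1:
        return "phase 1 only"
    return "no negotiation"


def rekeyed_after(st: PeerState, when: datetime) -> bool:
    """True when a new phase 1 AND phase 2 completed after `when`, i.e. the
    peer renegotiated after its SAs were deleted."""
    return any(t > when for t in st.phase1) and any(t > when for t in st.phase2)


if __name__ == "__main__":
    cleared_at = parse_ts("2011-05-12 10:50:00")  # when vpn tu option 7 was run (constructed)
    for peer, st in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {tunnel_status(st)}, phase1 x{len(st.phase1)}, phase2 x{len(st.phase2)}, "
              f"enc/dec {st.encrypted}/{st.decrypted}, methods {sorted(st.methods)}, "
              f"rekeyed after clear: {rekeyed_after(st, cleared_at)}")
```

Point the script at an exported log instead of SAMPLE_LOG once you have adapted parse_line to the real column layout; the per-peer logic stays the same. A peer that reports "phase 1 only" after the SAs were cleared is the case the Tunnel Management and VPN domain settings reviewed earlier in this lab should be checked for.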

END OF LAB



Become an IT Security Guru!

Training & Certification


Get Prepared
Check Point offers a variety of methods to help you
achieve your Check Point Certification goals.
Attend training
Download study guides
Challenge practice exams
Interact with technical communities

Challenge the Exam


Exam content
80% course materials
20% real world experience
Requires product experience
Multiple choice and scenario questions

Visit: www.vue.com/checkpoint to schedule your exam.

www.checkpoint.com
ISBN-13: 978-1-935862-12-3
PIN: 704736
Check Point
SOFTWARE TECHNOLOGIES LTD.

We Secure the Internet.
