Check Point
Certified Security Administrator R75
LAB MANUAL
3D Security
Check Point Security Series
Check Point Software Technologies Inc.
Copyright Check Point Software Technologies Ltd. All rights reserved.
Printed by Check Point Press
A Division of Check Point Software Technologies Ltd.
COPYRIGHT NOTICE
No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Check Point Software Technologies Ltd. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, Check Point Software Technologies Ltd. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
TRADEMARKS
©2003-2011 Check Point Software Technologies Ltd. All rights reserved. Check Point, Check Point Abra, AlertAdvisor, Application Intelligence, Check Point Application Control Software Blades, Check Point Data Loss Prevention, Check Point DLP, Check Point DLP-1, Check Point Endpoint Security, Check Point Endpoint Security On Demand, the Check Point logo, Check Point Full Disk Encryption, Check Point Horizon Manager, Check Point Identity Awareness, Check Point IPS, Check Point IPSec VPN, Check Point Media Encryption, Check Point Mobile, Check Point Mobile Access, Check Point NAC, Check Point Network Voyager, Check Point OneCheck, Check Point R75, Check Point Security Gateway, Check Point Update Service, Check Point WebCheck, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, DefenseNet, DynamicID, Endpoint Connect VPN Client, Endpoint Security, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IP Appliances, IPS-1, IPS Software Blade, IPSO, R75, Software Blade, IQ Engine, MailSafe, the More, better, Simpler Security logo, Multi-Domain Security Management, MultiSpect, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, Secure Virtual Workspace, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Series 80 Appliance, SiteManager-1, Smart-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, SmartEvent, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartReporter, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartWorkflow, SMP, SMP On-Demand, SocialGuard, SofaWare, Software Blade Architecture, the softwareblades logo, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, UserCheck, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Edge, VPN-1 MASS, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VE, VPN-1 VSX, VSX, VSX-1, Web Intelligence, ZoneAlarm, ZoneAlarm Antivirus, ZoneAlarm DataLock, ZoneAlarm Extreme Security, ZoneAlarm ForceField, ZoneAlarm Free Firewall, ZoneAlarm Pro, ZoneAlarm Internet Security Suite, ZoneAlarm Security Toolbar, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, 7,165,076, 7,540,013, 7,725,737 and 7,788,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.
International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel. Tel: +972 3 753 4555
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065. Tel: 650-628-2000, Fax: 650-654-4233
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063. Tel: 972-444-6612, Fax: 972-506-7913
E-mail any comments or questions about our courseware to courseware@us.checkpoint.com.
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.
Document #: DOC-Manual-Lab-CCSA-R75
Revision: R75
Lab 5: Configure the DMZ ... 129
    Create DMZ Objects in SmartDashboard ... 130
    Create DMZ Access Rule ... 132
    Test the Policy ... 133
Lab 6: Configuring NAT ... 135
    Configure Hide NAT on the Corporate Network ... 136
    Test the Hide NAT Address ... 140
    Configure Static NAT on the DMZ Server ... 142
    Test the Static NAT Address ... 143
    Observe Hide NAT Traffic Using fw monitor ... 144
    Configure Wireshark ... 146
    Observe the Traffic ... 148
    Observe Static NAT Traffic Using fw monitor ... 149
Lab 7: Monitoring with SmartView Tracker ... 153
    Launch SmartView Tracker ... 154
    Track by Source and Destination ... 157
    Modify the Gateway to Activate SmartView Monitor ... 160
    View Traffic Using SmartView Monitor ... 162
Lab 8: Client Authentication ... 169
    Use Manual Client Authentication with FTP and Local User ... 170
    Modify the Rule Base ... 174
    Test Manual Client Authentication ... 178
    Use Partially Automatic Client Auth with a Local User ... 181
    Configure SmartDirectory with LDAP ... 186
    Verify SmartDashboard Integration ... 197
    Test Active Directory Authentication ... 200
    Create a Database Revision ... 203
Lab 9: Identity Awareness ... 205
    Configuring the Security Gateway ... 206
    Defining the User Access Role ... 211
    Applying User Access Roles to the Rule Base ... 215
    Testing Identity Based Awareness ... 218
    Prepare Rule Base for Next Lab ... 220
Lab 10: Site-to-Site VPN Between Corporate and Branch Office ... 221
    Define the VPN Domain ... 222
    Create the VPN Community ... 225
    Create the VPN Rule and Modify the Rule Base ... 232
    Test VPN Connection ... 235
    VPN Troubleshooting ... 240
Before beginning any labs, you should have been presented with a virtual environment configured in either VMware Workstation or ESX. Each student should have the following seven machines configured in the environment:
ADServer
AT_GUI
AT_MGMT
AT_GWY
AT_DMZ
UK_GWY
UK_PC
These environments are self-contained sandbox configurations, meaning that every student has the same virtual machines to work with, all with identical IP addressing and interface information. Though internet connectivity is not required for this class, it may be added by your instructor.
Topology
In the following graphics, pay attention to VM Name versus Host Name, and IP addressing:
[Topology diagram not reproduced. Addresses recoverable from the diagram:]
AT_GWY: internal address 10.1.1.1/24, DMZ address 192.168.1.1/24, default GW 172.29.109.1 (the external address of UK_GWY)
UK_GWY: external address 172.29.109.1, internal address 10.1.9.1/24 (its default gateway is unreadable in the scan)
AT_DMZ: 192.168.1.100/24, default GW 192.168.1.1
UK_PC: 10.1.9.109/24, default GW 10.1.9.1
Corporate LAN (10.1.1.0/24, default GW 10.1.1.1): one host at 10.1.1.101/24 and a second whose address is unreadable in the scan; AT_GUI is 10.1.1.201 (see Lab 1, step 46). VM names shown on the diagram: AT_MGMT, UK_GWY, AT_DMZ.
Scenario: You are implementing the Check Point Security Gateway in a distributed topology. Install SmartConsole on a Windows machine, and the Gateway and Security Management server on SecurePlatform machines.
Topics:
1. Insert the R75 DVD into your disk drive. Start the AT_MGMT virtual machine and the R75 Welcome screen appears:
6. Tab to OK and press Enter. The system displays the Network Interface
Configuration screen:
11. In the HTTPS Server Configuration screen, select OK and press Enter. The system displays the Confirmation screen:
Figure 8 - Confirmation
13. After the drive is formatted and the installation is complete, the system
displays the Complete screen:
Figure 9 - Complete
Note: You may need to eject your CD manually before the reboot is complete
if the eject does not happen automatically.
R75 Lab Manual 11
Lab 1: Distributed Installation
5. At the prompt, type sysconfig, and the system displays the following message:
6. Type n and press Enter. The system displays the Network Configuration options:
15. Type 1 to display the eth0 interface settings. Verify the connection information, and press Enter.
19. Type the number for your region, and press Enter.
20. Type the number of your country, and press Enter.
21. Type the number of your time zone, and press Enter.
24. Type 2 to set the date, and press Enter. Enter the date in the format shown; i.e., 05-29-2010. Press Enter.
25. Type 3 to set local time. Press Enter. Enter the time in the 24-hour format.
26. To confirm your settings, type 4 at the prompt and press Enter.
29. Press Enter and the system displays the Welcome screen.
Figure 21 - Welcome
30. Review the Welcome Note and type N to continue. The system displays the following screen:
31. Review the License Agreement, and type Y. The system displays the following screen:
35. Ensure that Primary Security Management is selected for the Security Management type.
Figure 27 - Validation
37. Confirm your settings on the validation screen, and type N to continue.
38. The installation files will extract and the installation will proceed.
Figure 28 - License
39. Review the information on licenses, then type R. You will not be adding licenses at this time.
40. Press Enter and the system prompts you to add a new administrator:
46. A list of formats is provided. To use the IP address format, begin typing the physical host IP address of the AT_GUI machine (10.1.1.201) at the prompt.
49. You should see a message showing the certificate has been generated.
50. Type n to continue without saving the file and press Enter.
51. Type y and press Enter to start the installation process.
52. Select Exit and press Enter once the installation is complete.
53. Reboot the Security Management Server.
Figure 36 - License Agreement
Figure 37 - Login
7. Click Next at the welcome message and the Network Connections page
appears:
Figure 39 - Welcome
8. Click Next, and the system displays the Network Connections page:
Figure 40 - Network Connections
9. Click on the eth0 link, and the Connection Configuration page appears:
17. Click Next and the system displays the Routing Table page:
18. To update the Routing Table, click New> Default Route. The system displays
the following page:
Figure 45 - Add Default Route
19. To configure the default gateway of AT_GWY, enter the external interface address of the partner gateway, UK_GWY (172.29.109.1).
20. Confirm that the Metric is 0.
22. Confirm the change in the routing table, and click Next.
23. Click Next to skip adding a DNS Server.
24. In the Hostname field, type sgatlantis, and for the Domain Name, type atlantiscorp.cp. Set the management interface to be eth0.
Figure 47 - Host and Domain Name
25. Click Next, and the system displays the Device Date and Time Setup page:
26. Select the option Use Network Time Protocol (NTP) to synchronize the clock.
27. Use the following information to configure the NTP Server settings:
Primary NTP Server: 10.1.1.1
Synchronization Period (Seconds): 10
Time Zone: Select the time zone for your area.
28. Click App ly and verify that the time displayed is correct. Adjust the time-zone
setting as needed.
Figure 51 - Products
31. In the Products screen, ensure Security Gateway is selected, and uncheck the Performance Pack option.
32. Click Next and the system displays the Gateway Type page:
Figure 52 - Gateway Type
34. Type vpn123 as the Activation Key, and confirm it to establish SIC. Click Next. The activation key is a one-time password: it is used only to establish trust between the gateway and the Security Management Server, after which the issued certificates take over.
35. Review the information on the Summary page, and click Finish when ready.
Figure 54 - Summary
36. The system asks if you want to start the configuration process.
37. Click Yes.
38. Once the configuration process has completed, click OK and the system
displays the status page:
Figure 55 - Device Status
Install SmartConsole
1. From your AT_GUI, insert the R75 for Windows CD. The Check Point Introduction screen should display.
5. Click Next, and the system displays the Installation type screen:
Figure 62 - Summary
5. If you are using the built-in software trial period, a notification screen showing
the days left of the trial period will appear:
END OF LAB
Scenario: You are implementing the Check Point Security Gateway at a branch office. To do this, you decide to install only the Security Gateway at the remote site and manage it from the existing Management Server at the corporate headquarters.
Topics:
1. Insert the R75 CD in the machine designated as the branch office gateway (UK_GWY), and boot from the CD, or boot from an ISO image (check with your instructor).
2. When prompted, press any key to begin the installation. The system displays
the Welcome screen:
    You have started installation of Check Point SecurePlatform R75.
    This process will install the Check Point SecurePlatform operating system and associated Check Point applications.
    Your hardware has been scanned and found suitable for installing SecurePlatform.
    Do you wish to proceed with the installation of Check Point SecurePlatform, overwriting all data on this system?
    Press <OK> to proceed. Press <Devices> for complete device information. Press <Cancel> to abort.
Figure 67 - Welcome
3. Tab to OK and press Enter. The system displays the Keyboard Selection
screen:
5. Press Enter, and the system displays the Networking Device screen:
11. Tab to OK and press Enter. The system displays the HTTPS Server Configuration:
12. Select OK to accept the default port for the HTTPS Server configuration.
Figure 73 - Confirmation
15. Select OK and press Enter to reboot your system when the installation is
complete.
5. Click I Accept to continue, and the system displays the login page:
Figure 75 - Secure Platform Login
Note: You may need to allow pop-ups for this site.
6. Type admin for your login name and admin for your password.
12. Click the eth0 link and the system displays the following:
15. Click Apply, and the system displays the Network Connections page with the applied settings for eth0:
16. Click Next and the system displays the Routing Table page:
19. Click Apply, and the system adds the new default gateway to the
Routing Table:
22. Click Next, and the system displays the Host and Domain Name page:
23. In the Host and Domain Name screen, enter the following information:
Hostname: sgUK
Domain Name: atlantiscorp.cp
Management Interface: eth0 (172.29.109.1)
R75 Lab Manual 73
Lab 2: Branch Office Security Gateway Installation
24. Click next, and the system displays the following page:
28. Keep the default settings for Web/SSH clients and click Next. The system
displays the Products page:
Figure 84 - Products
29. In the Products page, select Security Gateway, and uncheck all other options.
30. Click Next and the system displays the Gateway Type page:
31. Verify that the option in the Gateway Type page is cleared.
Note: The gateway types displayed here are not used in this class.
32. Click Next, and the system displays the Secure Internal Communication (SIC) page:
34. Click Next, and the system displays the Summary page:
Figure 87 - Summary
35. Read the Summary and confirm that only Security Gateway is displayed in the list of products to install.
36. Click Finish.
37. Click Yes in the confirmation box to continue with the configuration process.
38. After the configuration process has finished, the Gateway will reboot automatically. After reboot, a message will inform you that the process is complete.
39. Click OK.
END OF LAB
Scenario: Learn commands to perform basic operations via the command line on the Security Gateway. This lab will cover basic administrative tools in the Command Line Interface (CLI).
Topics:
1. Log into SecurePlatform on the corporate gateway (sgatlantis). Then, from the CLI, type the following:
expert
2. When prompted to enter a new password for expert mode, type and confirm the following:
vpn123
Note: You will not see the password on the screen as you type it. The expert shell is a root shell on the gateway, so outside the lab this password deserves the same handling as any root password.
3. Once in expert mode, you are in a separate shell. Notice the difference in the prompt when you are logged into expert mode.
4. Type exit and press Enter, so that you are at the user login again.
Note: To exit to the login prompt, type exit again.
5. From the CLI, run the following command:
tcpdump -i eth0
6. Press Enter.
9. From the expert shell, run the following command and press Enter:
tcpdump -i eth0
Figure 90 - tcpdump
Figure 91 - tcpdump Stopped
11. Type exit and press Enter, so that you are at the user login again.
1. Type the following at the command prompt to unload the current Security Policy:
fw unloadlocal
Until a policy is fetched again (fw fetch) or installed from SmartDashboard, the gateway is no longer enforcing the Security Policy you built, so run this only in the lab or during a controlled maintenance window.
Figure 92 - fw unloadlocal
2. Type the following command at the prompt to display the name of the Security Policy installed on the gateway:
fw stat
Figure 93 - fw stat
3. Type the following command at the prompt to display the gateway version:
fw ver
Note: For more information about each command from the prompt, type the command name followed by --help. For example, fw --help.
Figure 94 - ifconfig
Figure 95 - netstat -rn
1. From the CLI in standard mode, type the following command and press Enter:
adduser sam
2. Enter and confirm the password vpn123.
6. To delete the administrator, type the following command and press Enter:
deluser sam
Figure 99 - Backup
Note: When performing a backup on this version of R75, the text reads as if a snapshot is being performed. This is a minor bug in this version, and may be safely ignored. A backup does in fact get performed.
2. To view the backup in expert mode, type the following and press Enter:
cd /var/CPbackup/backups
Note: You will notice your backup file in this directory. This is the default directory for backups if you do not specify a location.
5. You will be prompted to choose which restore option you would like. Type c to continue, and press Enter.
END OF LAB
Scenario: You will create a Security Policy by developing a Rule Base, or modify an existing one using newly created network objects and headers, and understand how to apply global properties.
Topics:
Figure 104 - Classic Mode
8. From the General Properties page of the gateway object, click the Communication button. The system displays the following:
Figure 107 - Trusted Communication
9. Enter and confirm the Activation Key entered on the Security Gateway during setup (vpn123).
10. Click Initialize, and the system verifies the communication state:
Figure 108 - Establish SIC with AT_GWY
12. Select Topology in the left-hand panel of the Security Gateway object.
13. Click Get > Interfaces with topology, and the system displays the Get Topology Results window.
14. Click Accept to confirm the topology.
Note: Anti-spoofing is enabled by default when choosing the Get Interfaces with Topology option. With it on, each interface accepts only packets whose source address belongs to the networks defined behind that interface, so check the fetched Internal/External assignments before accepting them: a wrong assignment silently drops legitimate traffic.
15. Click OK to close the Security Gateway object.
Figure 109 - Host Node
2. In the General Properties page of the object, enter the following information:
Name: AT_GUI
IP Address: 10.1.1.201
Comment: Atlantis GUI Client
Color: Blue
3. Click OK.
4. From the main menu, click Rules > Add Rule > Top, or click the Add Rule at the Top icon on the toolbar, to add a rule to the Rule Base.
5. Name this rule Clean Up by right-clicking in the Name field and selecting Edit, or double-click the Name cell in the rule.
6. Right-click in the Track column and select Log.
Note: To insert a new rule, right-click on a rule number, and select Add Rule, then Above or Below, or use the Add Rule icons from the toolbar. In addition, you can add any object to a rule base by dragging and dropping from the objects list pane or from another rule.
7. Above this rule, add a Management Rule with the following parameters:
Name: Management Rule
Source: AT_GUI, AT_MGMT
Destination: AT_GWY
Service: SSH, HTTPS
Action: Accept
Track: Log
Note: When modifying any of the cells within a rule, right-click in the cell for
specific options. For example, in the Service column, selecting Add
Objects will bring up a selection box (or click the plus sign in the cell).
To locate the service you want, begin typing the name of the service, and
the scroll bar will move to that point in the list.
8. Add the Stealth and Internal Traffic rules to the Rule Base above the Clean-up
rule:
Name: Stealth Rule
Source: Any
Destination: AT_GWY
Service: Any
Action: Drop
Track: Log
Name: Internal Traffic
Source: atlantis_internal
Destination: Any
Service: Any
Action: Accept
Track: Log
9. To allow ICMP traffic so you can PING to test connectivity on your network,
click on Policy > Global Properties from the main menu.
10. In the FireWall Implied Rules page, check Accept ICMP requests and select
First from the drop-down box.
11. In the Track section, check Log Implied Rules:
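The Management, Stealth, Internal Traffic and Clean Up rules above are evaluated top down, and the first rule that matches decides the packet's fate, which is why their order matters. The following Python model of that first-match evaluation is an added example, not code from the lab manual or from Check Point. The object addresses follow the lab (AT_GUI 10.1.1.201, AT_MGMT 10.1.1.101, atlantis_internal 10.1.1.0/24, gateway internal interface 10.1.1.1); the gateway's external address 198.51.100.1, the workstation 10.1.1.50 and the Internet host 203.0.113.9 are constructed placeholders, and the implied rules enabled in Global Properties are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Network objects as defined in the lab.  The gateway's external address
# (198.51.100.1) is a constructed placeholder, not a value from the manual.
OBJECTS = {
    "AT_GUI": [ipaddress.ip_network("10.1.1.201/32")],
    "AT_MGMT": [ipaddress.ip_network("10.1.1.101/32")],
    "AT_GWY": [ipaddress.ip_network("10.1.1.1/32"),
               ipaddress.ip_network("198.51.100.1/32")],
    "atlantis_internal": [ipaddress.ip_network("10.1.1.0/24")],
}
SERVICES = {"SSH": ("tcp", 22), "HTTPS": ("tcp", 443), "HTTP": ("tcp", 80)}


@dataclass(frozen=True)
class Rule:
    name: str
    source: tuple       # object names, or ("Any",)
    destination: tuple
    service: tuple      # service names, or ("Any",)
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(names, addr):
    if "Any" in names:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for name in names for net in OBJECTS[name])


def _service_matches(names, proto, dport):
    return "Any" in names or any(SERVICES[s] == (proto, dport) for s in names)


def first_match(rule_base, pkt):
    """Return (rule number, rule name, action) for the first rule the packet matches.

    Only the explicit rules are evaluated; implied rules are not modelled here.
    """
    for number, rule in enumerate(rule_base, start=1):
        if (_addr_matches(rule.source, pkt.src)
                and _addr_matches(rule.destination, pkt.dst)
                and _service_matches(rule.service, pkt.proto, pkt.dport)):
            return number, rule.name, rule.action
    raise LookupError("no rule matched; keep a Clean Up rule as the last rule")


# The Rule Base built in steps 4-8, in the order the lab specifies.
LAB_RULE_BASE = (
    Rule("Management Rule", ("AT_GUI", "AT_MGMT"), ("AT_GWY",), ("SSH", "HTTPS"), "Accept"),
    Rule("Stealth Rule", ("Any",), ("AT_GWY",), ("Any",), "Drop"),
    Rule("Internal Traffic", ("atlantis_internal",), ("Any",), ("Any",), "Accept"),
    Rule("Clean Up", ("Any",), ("Any",), ("Any",), "Drop"),
)


def stealth_depends_on_order():
    """Show why the Stealth Rule must sit above Internal Traffic.

    Returns the actions for an internal workstation (constructed address
    10.1.1.50) opening SSH to the gateway, first with the lab order and then
    with the Stealth and Internal Traffic rules swapped.
    """
    pkt = Packet("10.1.1.50", "10.1.1.1", "tcp", 22)
    swapped = (LAB_RULE_BASE[0], LAB_RULE_BASE[2], LAB_RULE_BASE[1], LAB_RULE_BASE[3])
    return first_match(LAB_RULE_BASE, pkt)[2], first_match(swapped, pkt)[2]


if __name__ == "__main__":
    for pkt in (Packet("10.1.1.201", "10.1.1.1", "tcp", 443),    # GUI client managing the gateway
                Packet("10.1.1.50", "10.1.1.1", "tcp", 22),      # workstation probing the gateway
                Packet("10.1.1.50", "203.0.113.9", "tcp", 80),   # workstation browsing out
                Packet("203.0.113.9", "10.1.1.50", "tcp", 80)):  # unsolicited inbound
        print(pkt, "->", first_match(LAB_RULE_BASE, pkt))
    print("lab order / swapped order:", stealth_depends_on_order())
```

With the lab order the workstation's SSH attempt on the gateway hits the Stealth Rule and is dropped; with Stealth and Internal Traffic swapped, Internal Traffic (source atlantis_internal, destination Any) accepts it first, and the gateway is no longer hidden from its own network.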
2. Note the message in the SmartDashboard Warning box about implied rules.
3. Select the option Don't show this message again.
4. Click OK, and the system displays the following:
Figure 118 - Install Policy
Figure 119 - Install Policy
Figure 120 - Check Point SmartDashboard
Figure 124 - Trusted Communication
4. Click on Topology from the left-hand pane, and click Get> Interfaces with
Topology.
5. Click Accept, and the system displays the Get Topology Results window:
8. Click OK.
9. Double-click the internal interface.
10. In the Topology tab, verify that this interface is set to Internal and the option
Network defined by the interface IP and Net Mask is selected.
11. Verify that the option Perform Anti-spoofing based on interface topology is
checked:
Note: If prompted to save your existing package, click the button Save and
continue.
2. Enter a name for the branch office gateway policy.
3. In the Include the following Policy types section, select the option Firewall,
Address Translation and Application Control.
4. Click OK, and a blank Rule Base displays with the new package name shown
at the top of the screen.
6. Create a similar Rule Base as you did for the corporate Security Gateway:
Note: One way to quickly create a new policy is to copy and paste previously
created rules and modify them as shown above.
Figure 131 - Basic Branch Policy
Note: You can also right-click on the last rule and click Paste > Below.
Figure 133 - Duplicate Rules
Figure 134 - Outgoing Rules
8. Add additional rules to the Rule Base above the Cleanup rule as follows:
Name: Corporate Incoming Traffic Rule
Source: Any
Destination: atlantis_internal
Service: FTP
Action: Accept
Track: Log
Install On: AT_GWY
Name: Branch Incoming Traffic Rule
Source: Any
Destination: uk_internal
Service: HTTP
Action: Accept
Track: Log
Install On: UK_GWY
Note: Remember, you can drag objects between rules, and even re-order rules
by dragging rules themselves. Click the rule number to drag a rule to
another location.
Figure 136 - NetBIOS Rule
11. Right-click rule 4 or the top internal traffic rule, and select Add Section Title >
Above.
12. In the Header box, type the name, Outgoing Rules. Click OK.
13. Create another section title above the incoming traffic rules.
Figure 137 -
14. Save and install your Policy on both gateways and create a revision.
Figure 138 - Install Policy
15. When warned that a gateway has a different policy installed and will be
overwritten, click Yes to continue with the installation.
END OF LAB
Scenario: In this exercise, you will build a DMZ network and set up a rule to
allow traffic to a server on the DMZ. Configure a DMZ interface on the Security
Gateway and configure the Security Policy to permit traffic to DMZ resources.
Topics:
3. Click OK.
4. Right-click Networks, and select Network.
5. Enter the following information for the internal DMZ network:
Name: dmz_net
Network Address: 192.168.1.0
Net Mask: 255.255.255.0
Comment: De-militarized Zone Network
6. Click OK.
END OF LAB
Topics:
4. Type IP address 172.21.1.101 (NAT'd address for the Security Manager)
in the Translate to IP Address field.
5. Install on the corporate gateway (AT_GWY) and check the box: Apply for
Security Gateway control connections:
6. Click OK.
7. Double-click the corporate network object (atlantis_internal) and select the
NAT tab.
8. Check Add Automatic Address Translation rules, and select Hide.
9. Choose Hide Behind the Gateway and install on AT_GWY:
Figure 145 - Hide NAT Configured
12. Review the automatic NAT rules created when you configured Static NAT for
the Security Management Server and Hide NAT:
Figure 146 - NAT Tab Displays Hide and Static NAT Rules
5. Locate the ICMP log entries from UK_PC where the source gateway is
AT_GWY. Double-click to open.
6. Note the entries, XlateSrc and XlateSPort information. These indicate the
source address has been NAT'd to the 172.21.1.101 address (i.e., the corporate
gateway).
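The XlateSrc and XlateSPort fields record what Hide NAT did to the connection: every host in the hidden network leaves the gateway with the same source address, and the source port is rewritten to a value unique to that connection so the gateway can map replies back to the right internal host. The Python model below is an added example, not code from the lab manual or from Check Point. It uses the lab's atlantis_internal network (10.1.1.0/24), the 172.21.1.101 address the log entry shows as XlateSrc, and the instructor machine 172.31.2.101 as the destination; the internal host addresses and the translated port range starting at 10000 are constructed.

```python
import ipaddress

HIDE_NET = ipaddress.ip_network("10.1.1.0/24")   # atlantis_internal, NAT tab set to Hide
HIDE_ADDR = "172.21.1.101"                        # XlateSrc shown in the lab's log entry
FIRST_HIDE_PORT = 10000                           # constructed: start of the translated port range


class HideNatTable:
    """Connection table for Hide NAT (many internal addresses behind one address).

    The forward map keys a connection by its original 4-tuple; the reverse map
    keys the reply by the translated tuple so the gateway can undo the rewrite.
    """

    def __init__(self, hide_addr=HIDE_ADDR, hide_net=HIDE_NET, first_port=FIRST_HIDE_PORT):
        self.hide_addr = hide_addr
        self.hide_net = hide_net
        self._next_port = first_port
        self._forward = {}   # (src, sport, dst, dport) -> (xlate_src, xlate_sport)
        self._reverse = {}   # (xlate_src, xlate_sport, dst, dport) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        """Translate a packet leaving the gateway; returns (XlateSrc, XlateSPort).

        A source outside the hidden network passes unchanged, which is why such
        a log entry carries no xlate fields.
        """
        key = (src, sport, dst, dport)
        if key in self._forward:                   # existing connection: reuse its mapping
            return self._forward[key]
        if ipaddress.ip_address(src) not in self.hide_net:
            return src, sport
        xlate = (self.hide_addr, self._next_port)  # one address, a fresh port per connection
        self._next_port += 1
        self._forward[key] = xlate
        self._reverse[(xlate[0], xlate[1], dst, dport)] = (src, sport)
        return xlate

    def reply(self, dst, dport, src, sport):
        """Map a reply addressed to the hide address back to (internal host, port).

        Returns None when no outbound connection created the mapping, which is
        why unsolicited inbound traffic cannot reach a hidden host.
        """
        return self._reverse.get((dst, dport, src, sport))


def tracker_record(table, src, sport, dst, dport):
    """Build the subset of SmartView Tracker fields the lab asks you to inspect."""
    xlate_src, xlate_sport = table.outbound(src, sport, dst, dport)
    record = {"Source": src, "Source Port": sport, "Destination": dst, "Destination Port": dport}
    if (xlate_src, xlate_sport) != (src, sport):
        record["XlateSrc"] = xlate_src
        record["XlateSPort"] = xlate_sport
    return record


if __name__ == "__main__":
    table = HideNatTable()
    # Two internal hosts (constructed addresses) happen to pick the same source port.
    for host in ("10.1.1.50", "10.1.1.60"):
        print(tracker_record(table, host, 40000, "172.31.2.101", 80))
    print("reply to port 10001 belongs to", table.reply(HIDE_ADDR, 10001, "172.31.2.101", 80))
```

Both hosts appear to the destination as 172.21.1.101, distinguished only by the translated source port; Static NAT, as configured for the Security Management Server, is a one-to-one address rewrite that leaves the port alone and needs no such table to reach the host from outside.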
Figure 148 - Record Details of Hide NAT
Figure 149 - NAT Rules
5. FTP the fw monitor output file to the AT_GUI machine. Use username:
anonymous, and press Enter for the password.
6. Open the hide_nat.out file in Wireshark from the AT_GUI.
Configure Wireshark
Follow these steps to configure Wireshark:
Figure 155 - Configure Wireshark Columns
Note: This allows you to view the new column you created in between the
Protocol and Info columns. It may be necessary to restart Wireshark for
the column change to take effect.
8. Click OK.
Observe the Traffic
1. In the Filter section, run ip.addr==<IP address of the destination> (i.e.,
172.31.2.101 if using the instructor machine).
2. Observe the firewall inspection points, i, I, o, O as the SYN packet leaves the
gateway.
Note: On what inspection point does the Hide NAT translate? What is the
source port prior to translation? What is the source port when translation
occurs?
5. From the AT_GWY, open the file static_nat.out in Wireshark. Using the
same filter as in the hide NAT exercise, the capture displays the translation.
END OF LAB
Scenario: In this lab, you will track the connections from the previous labs using
SmartView Tracker and look at different ways of querying data. In addition, you
will learn how to configure SmartView Monitor to view historical traffic; these
steps are easily applied to viewing real-time traffic.
Topics
4. From the main menu, click View and check Query Properties.
Note: There are many other columns that can be added to help troubleshoot
packets going through the Security Gateway. Two that are very helpful
are the NAT columns to see when the source and destination are
translated.
5. Go down to the bottom of the query properties list and check xlate src and
xlate dst.
Figure 161 - Add XlateSrc
9. Click Save, and notice that this creates a query under Custom in the list pane
on the left:
.,.,',., ,...,. __ ...... ,'.....
,", .....
'""."'"
,-,
,-"
,_'u,
, ....~"'t"
"'>I",
".,, 0;, .,_
n ..", ."
,.....,." "."'."' e ,, -
'-" lI'>!'"
_......
.'.e;....
AI .....
.1.....
_, ~
~
--
~
~
""
",
,.
,.
"'-"'"
"--
''''--
"'.'"
.-
.'.""
.,.'''''
."'.c......
-"-"
~
-", ""''''
-'.- .-.
~ ~
~-
n."'.'" ~ <T."'"
,-, II."" ".".., C> .''''''
AI_.....
'I_.;;n
.'.'"
,., _....
~
..... ,,=
,-, "." " ....
A'.' _
.,_..... ~
"."'"
,.....,,, "".J! "--
-- "'"",
" ,.. > ~
,-,
,-,
..,." ".J.".'" A'._
...,-,
,'-"
"",.;.
-,,",,,,
".,."
A'."""
~' ."'~
A' . -
= " "."""....
~'--;'
~
--
---.
""' .......
.,......
, ~~
"'.'A'
(o'~""'~V"II . . NI
r,_
3. On the Source filter screen, choose the AT_GWY icon and add to the query:
4. Click OK, and the system will display all packets sourced from the corporate
gateway:
Figure 166 - Source Filter Displays Packet Data from Corporate Gateway
Note: You can also run this filter with the destination.
5. With the source filter in place, add a destination filter for AT_GUI, such as
10.1.1.201. (Use any filter you wish.)
6. Right-click on the destination column and choose Edit filter. In the left-hand
column, enter the specific IP and click on Add:
Figure 167 - Destination Filter Applied in SmartView Tracker
7. Click OK, and the FTP packets from the corporate gateway to the AT_GUI are
displayed:
8. To clear this filter, right-click the source and destination columns and choose
Clear Filter.
5. In the SmartView Monitor page, select the options Traffic Connections, and
Traffic Throughput (Bytes per second):
6. Click OK.
7. Repeat this procedure for UK GWY.
8. Install the Security Policy.
Figure 172 - New Traffic View
3. Select New Traffic View, and the system displays the following:
5. From the Specific Target selection, click the Select button, and the system
displays a list of available targets:
Figure 175 - Select Gateway Box
10. Select the option, Common Services on all interfaces, Inbound (bytes per
second):
11. Click Save in the Query Properties window. A line graph will appear
displaying the services along the x-axis, and the amount of traffic displayed
along the y-axis in bytes/sec.
END OF LAB
Scenario: Currently, your Security Policy permits all communication from your
internal networks to any source. This exercise will configure and test manual and
partially automatic Client Authentication for specific users accessing the DMZ. To
do this, you must take into account that Rule Base order is based on the
least-restrictive rule.
Topics
Using Partially Automatic Client Auth with a Local User
3. Enter the user name, Testuser, in the User Name field in the General page.
4. Select the Authentication tab and the system displays the following:
10. Add your user into the group by selecting the Testuser from the list of available
members, and clicking Add:
11. Click OK, and the new group is displayed in the Users and Groups tree:
Figure 183 - Legacy User Access
4. In the Legacy User Access window, select the client_auth group and click OK.
5. Add the AT_GUI object to the Destination column.
6. In the Service column, add the ftp service.
7. In the Action column of the rule, right-click and select Legacy > Client Auth:
8. Edit the Client Auth properties by right-clicking on the Action cell and
choosing Edit properties or double-clicking the action.
Figure 186 - Client Authentication Rules Added
4. Review the logs in SmartView Tracker. Verify that the ftp traffic is passed on
rule 4, the Client Authentication rule by AT_GWY:
Figure 189 - Detailed Client Auth Rule Traffic
4. Click OK.
5. Save and install the Security Policy for both gateways.
6. From the browser on UK_PC, HTTP to AT_GUI (10.1.1.201). A window
displays prompting you to authenticate.
7. Enter the local user credentials, and click OK. (You will be prompted twice.)
9. Launch SmartView Tracker, and review the logs, noting authorized and
accepted entries:
10. Double-click on one of the logs displaying the checkmark to view the details.
5. Use the following information to create a host object for the Active Directory
domain controller:
Name: Enterprise_Server
IP Address: 10.1.1.125
Comment: Active Directory Server
6. Click OK to close.
7. Choose Manage > Servers and OPSEC Applications, and the system displays
the following:
Figure 197 - Server and OPSEC Applications
8. Click New > LDAP Account Unit, and use the following information to create
the object:
Name: ActiveDirAU
Profile: Microsoft_AD
Domain: atlantiscorp.cp
Account Unit Usage: CRL retrieval, User management, Active Directory Query
Figure 198 - LDAP Account Unit Properties - ActiveDirAU - General Tab
9. From the Servers tab, click Add. The system displays the LDAP Server
Properties window:
10. In the LDAP Server Properties > General tab, add the following information.
Host: Enterprise_Server
Port: 389 (Note: Port will change to 636 if configuring the
Encryption screen.)
Login DN: cn=Administrator,cn=users,DC=atlantiscorp,DC=cp
Password: Administrator's password for the Active Directory server
Note: In a real-world environment, the Active Directory (or LDAP) team will
create a separate login for the Active Directory server, specifically to
allow SmartDirectory access.
Note: If your AD Server is not set up for encryption, skip this step.
13. Click OK to close the LDAP Server Properties and return to the server tab:
14. Select the Objects Management tab, and click Fetch Branches to retrieve the
branches on the LDAP server:
Figure 203 - LDAP Account Unit Properties - Objects Management
15. On the Authentication tab, check the option, Default Authentication Scheme,
and select Check Point Password.
16. Click OK to close the LDAP Account Unit Properties and add the object to the
list of servers:
Figure 207 - ActiveDirAU User Information
5. From the objects tree, right-click LDAP Groups, and select New LDAP Group.
6. Name the group, LDAPAccess, and select the ActiveDirAU object from the
Account Unit drop-down box.
Figure 208 - LDAP Group Properties - LDAP Access
7. Click OK. The new group is added to the objects tree.
Figure 209 - Legacy User Access
4. Check with your instructor for your Active Directory login name and
password.
5. From AT_GUI, use HTTP to connect to DMZ_Server (192.168.1.100) using
the AD credentials acquired from your instructor:
Figure 212 - Database Revision Control
2. From the Database Revision Control window, select Create, and the Create
New Database Version window displays.
3. Type Standard Policy with Client Auth in the Name field, and comment as
desired.
4. Select the option Keep this version from being deleted automatically.
5. Click OK, then Close after the revision has been created.
END OF LAB
Scenario: In this lab, you will provide restricted access to resources in the
DMZ. Using the Client Auth group configured in a previous lab, restrict access to
the Web server on the DMZ to users of this group.
Topics
2. Below the Network Security tab of the General Properties page, select the
Identity Awareness option, and the system displays the configuration wizard:
Figure 217 - Integration with Active Directory
5. Select the option I do not wish to configure an Active Directory at this time:
Note: The system selects the external interface of the gateway by default.
7. In the Main URL drop-down list, select the internal interface (10.1.1.1):
Figure 223 - Access Roles - Object Selection Options
3. From the Action column of the new rule, right-click the Accept icon.
4. Select Edit Properties, and the system displays the Action properties window:
Figure 228 - Web Traffic Rule Disabled
Figure 230 - Network Access Login
3. Click OK. The Security Gateway confirms that the user is authorized to visit
this network by displaying the following confirmation message:
Figure 231 - Network Access Granted
4. Click Finish.
END OF LAB
In this lab, you will be defining a site-to-site VPN between the corporate and
branch office Gateways. This is an example of a certificate VPN based on the
SmartCenter's Internal Certificate Authority (CA).
Topics
Troubleshooting a VPN
3. Click on the Topology tab. In the VPN Domain section, choose Manually
defined and choose your corporate internal network object:
4. Click OK.
5. Repeat the above steps for the branch office Security Gateway object, but
select the branch office internal network on the Topology page:
Note: Take a moment to save this policy package with a name that identifies it as a VPN
Policy. Be sure to save it again before pushing Policy later in this lab.
2. In the Star Community Properties screen, enter a name for this community, i.e.,
branch office.
Figure 238 - Add Center Gateways
7. Select Satellite Gateways and add the branch office Security Gateway as the
satellite:
8. From the left-hand pane, click Advanced Settings > Advanced VPN
Properties.
9. Select Disable NAT inside the VPN community. This is very important if you
have objects that are set to Static NAT.
[Screenshot: Star Community Properties, Advanced Settings > Advanced VPN Properties]
Note: Review the default settings for VPN Properties and Tunnel Management.
What is the default setting for Tunnel Management? What are the default
encryption methods and data integrity of Phase 1 and Phase 2? Review
the properties of the Advanced Settings. What is the default VPN routing
method? Why don't you need to define a pre-shared secret for this VPN?
10. Click OK to exit the Star Community Properties screen. Notice a new star
community object is created in the IPSec VPN tab.
Figure 243 - VPN Match Conditions
5. In the VPN Match Conditions box, select the option Only connections
encrypted in specific VPN Communities.
6. Click Add and the Add Community window appears:
7. Select the branch office star community you created earlier, and click OK. The
system adds the selected community to the conditions window:
Figure 245 - VPN Match Conditions
Figure 246 - Added VPN Rule
10. Save and install the Security Policy on both Security Gateways.
Note: Ensure your time and date settings on your gateways and Security
Management Server are synchronized. If time settings are not
synchronized, Phase 1 of the encryption process cannot take place. See
the troubleshooting section later in this lab.
1. Open a PuTTY session from the branch office client to the IP of AT_MGMT,
and the following appears:
[Screenshot: PuTTY Configuration window]
Note: You can launch PuTTY either from the command line, or on the Windows
desktop. From Windows, double-click putty.exe.
2. Click Open.
3. Click Yes, if prompted to accept the security fingerprint, and a CLI window
appears.
4. Log into your Security Management Server using your login credentials:
6. Locate the logs with keys representing phase 1 and phase 2 completed, and the
accepted SSH session with a lock indicating that encryption and decryption is
occurring.
[Screenshot: SmartView Tracker log record for the AT_MGMT connection showing the IKE and ESP entries]
8. Using the slide bar, move to the far right to the Information column.
9. Locate the messages that phase 1 and phase 2 completed.
~,"-"'., ' -
..... ..................
--
---
Figure 251 - Information Column
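The search for the phase 1 and phase 2 completion records in steps 6 and 9 can be scripted once the logs are exported as text. The Python below is an added example and is not part of this lab manual or of any Check Point tool: the key=value line layout, the peer addresses, the timestamps and the message texts are all constructed for the example (SmartView Tracker's real export format differs), and the clock-skew helper implements the note above about synchronized time on the gateways and the Security Management Server.

```python
"""Added example (not from the lab manual): report per-peer IKE phase 1 /
phase 2 completion from VPN log lines, and check clock skew between
gateways. Log layout and all values below are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Addresses and message texts are invented
# for the example; they are not real Check Point log records.
SAMPLE_LOG = """\
2011-03-01 14:47:20 src=10.1.1.1 dst=172.21.1.1 product=VPN-1 info="IKE: Main Mode completion." vpn_peer=172.21.1.1
2011-03-01 14:47:21 src=10.1.1.1 dst=172.21.1.1 product=VPN-1 info="IKE: Quick Mode completion IKE IDs: subnet 10.1.1.0 - subnet 172.21.0.0" vpn_peer=172.21.1.1
2011-03-01 14:47:25 src=10.1.1.10 dst=172.21.1.20 service=ssh action=encrypt vpn_peer=172.21.1.1
2011-03-01 14:47:30 src=10.1.1.1 dst=192.0.2.9 product=VPN-1 info="IKE: Main Mode completion." vpn_peer=192.0.2.9
"""

# key=value pairs; a value may be double-quoted (and then contain spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one constructed log line into a dict of fields plus a 'time' key."""
    date, clock, rest = line.split(" ", 2)
    fields = {"time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def tunnel_status(log_text):
    """Return {peer: {"phase1": bool, "phase2": bool, "encrypted": int}}.

    phase1 is set by a Main Mode completion record, phase2 by a Quick Mode
    completion record, and encrypted counts connections the gateway encrypted
    for that peer (the SSH session with the lock icon in the lab)."""
    status = defaultdict(lambda: {"phase1": False, "phase2": False, "encrypted": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        peer = rec.get("vpn_peer")
        if peer is None:
            continue
        info = rec.get("info", "")
        if "Main Mode completion" in info:
            status[peer]["phase1"] = True
        elif "Quick Mode completion" in info:
            status[peer]["phase2"] = True
        elif rec.get("action") == "encrypt":
            status[peer]["encrypted"] += 1
    return dict(status)


def incomplete_tunnels(status):
    """Peers whose tunnel never reached both phase 1 and phase 2."""
    return sorted(p for p, s in status.items() if not (s["phase1"] and s["phase2"]))


def clock_skew_violations(reference, others, max_skew=timedelta(seconds=60)):
    """Names of hosts whose clock differs from the reference by more than
    max_skew. The 60 s tolerance is an assumption for the example; the lab
    only states that unsynchronized clocks stop phase 1."""
    return sorted(name for name, t in others.items() if abs(t - reference) > max_skew)


if __name__ == "__main__":
    for peer, s in tunnel_status(SAMPLE_LOG).items():
        print(peer, s)
    print("incomplete:", incomplete_tunnels(tunnel_status(SAMPLE_LOG)))
```

Running the block as a script lists both constructed peers; the second peer shows only phase 1 complete, which is the pattern to look for when the note's clock problem (or a mismatched Phase 2 proposal) is suspected.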
VPN Troubleshooting
There are several tools available for troubleshooting a VPN connection. The first is
the vpn tu utility. This is a CLI tool on the Security Gateway.
Note: This option shows all phase 1 negotiations to all peer Gateways.
6. Choose option 2 and the system displays the IPSec SAs for all peers:
7. Choose option 7, to delete both IKE and IPSec SAs for the branch office:
8. Next, try the PuTTY test again between the Security Management Server and
the branch office client. (It will take some time for phase 1 and phase 2 to
re-establish.)
Note: Re-installing the Policy will also re-establish phase 1 and 2.
END OF LAB
www.checkpoint.com
ISBN-13: 978-1-935862-12-3
PIN: 704736
Check Point
SOFTWARE TECHNOLOGIES LTD.