Getting Started Guide

NGX (R60)

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at:

https://secureknowledge.checkpoint.com

See the latest version of this document in the User Center at:

http://www.checkpoint.com/support/technical/documents/docs_r60.html

Print Part No.: 701314
CD 1 Part No.: 701342
CD 2 Part No.: 701434

May 2005


Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved.

Table Of Contents

Chapter 1 Introduction to Check Point NGX R60
  Overview
  In This Document
  NGX R60 Documentation
  What’s New in NGX R60
    Unified Security Architecture
    SmartDefense
    Web Intelligence
    VoIP Support
    Centralized Management for Perimeter, Internal Web and Endpoint Security
    SmartPortal
    SmartView Monitor
    SecurePlatform Pro
    Advanced VPN-1 Pro Capabilities
    Integrity End Point Security
  Check Point Licenses
  Obtaining Software Installation Packages

Chapter 2 Getting Started with NGX R60
  Terminology
  Minimum Hardware Requirements
    Windows & Linux Platforms
    Solaris Platforms
    SecurePlatform
  Minimum Software Requirements
    Solaris Platform
    Windows Platform
    Linux Platform
  Compatibility Table
  Supported Upgrade Paths and Interoperability
  Licensing NGX R60
    Obtaining VPN-1/Pro Express Licenses
    Upgrading VPN-1/Pro Express Licenses

Chapter 3 Performing a Fresh Installation
  Overview
  NGX R60 Fresh Installation on SecurePlatform
    Install SecurePlatform using NGX R60 CD
    Install VPN-1 on SecurePlatform
    Installing NGX R60 using WebUI
  NGX R60 Fresh Installation on a Windows Platform
  NGX R60 Fresh Installation on Solaris\Linux
  NGX R60 Fresh Installation on a Nokia Platform

Chapter 4 Initial Configuration
  Configuration Tool
  Logging into the SmartCenter Server for the First Time
    Login Process
    Where to From Here?

Chapter 1

Introduction to Check Point NGX R60

Overview

NGX R60 is a Check Point release that revolutionizes security with stronger protection and smarter management, addressing the most challenging security problems.

• Expanded Intelligent Inspection Technologies

With NGX R60, Check Point has expanded intelligent inspection technologies in VPN-1 Pro, incorporating additional complex application support into state of the art Stateful-Inspection and Application Intelligence technology.

Customers’ networks and applications are protected from more threats than with any other solution.


• Fully Integrated Perimeter, Internal and Web Security Management

SmartCenter is now integrated with Connectra, InterSpect and Integrity, allowing for centralized management and monitoring of all security enforcement points. For the first time, IT organizations and executive management have the smartest configuration of, and visibility into, their entire information security environment.

In This Document

This document assumes a basic familiarity with Check Point products. It contains an overview of NGX R60 and step by step product installation procedures.

NGX R60 Documentation

Technical documents are available on your NGX R60 CD-ROM.

These documents can also be found in the following location:

http://www.checkpoint.com/support/technical/documents/docs_r60.html

To find out about what’s new in NGX R60, read the What’s New Guide.

For the latest information about this version, read the Release Notes.

Details about working with NGX R60 are available in the Firewall and SmartDefense Guide.

For information about upgrading your current Check Point deployment, refer to the NGX R60 Upgrade Guide.

What’s New in NGX R60

The following sections offer a small glimpse into the advancements offered by NGX R60. For additional in-depth information refer to the NGX R60 What’s New Guide.

Unified Security Architecture

What’s New

• Advanced inspection technologies, such as Stateful Inspection, Application Intelligence and Malicious Code Protector are now available in perimeter, internal, Web and endpoint security.

• Single management architecture to manage and monitor all enforcement points


Customer Benefits

• Proven security technology and unified management lower the risk of vulnerability across the enterprise.

• The enterprise is now equipped to enforce security from top to bottom.

• Unified security management lowers the cost of IT operation.

SmartDefense

What’s New

• Added protections for MS RPC, VoIP, DNS Security, Email Security, and P2P (for non-Web traffic) to state of the art Application Intelligence technology.

• A monitor-only mode that makes it possible to track unauthorized traffic without blocking it.

Customer Benefits

• Stronger application security that can stop more threats than any other solution.

• Advanced application protection without additional expense to acquire and manage IDS/IPS solutions.

Web Intelligence

Web Intelligence is a Web Application Firewall technology that is tightly integrated with the market dominant VPN-1 Pro.

What’s New

• Expanded Web application attack prevention, adding protection for LDAP injection and directory listing.

• Protect multiple Web servers with different security needs with more granular control over HTTP methods.

Customer Benefits

• Web Intelligence shields mission critical data from more Web based application attacks than any other firewall.

• Tightly integrated into VPN-1 Pro, Web Intelligence provides strong protection without having to reconfigure the network or relearn a new management interface.

VoIP Support

What’s New

• VPN-1 Pro, Express and Edge NGX R60 provide more VoIP protocol support and enhanced NAT support.

Customer Benefits

• Rapid VoIP deployment in headquarters, remote offices and even home offices without any security measures can put company voice data and infrastructure at risk. Check Point offers instant protections for the VoIP environment by leveraging existing security solutions already deployed.

• VPN-1 Pro helps with regulatory compliance by protecting the integrity and privacy of voice communication.

Centralized Management for Perimeter, Internal Web and Endpoint Security

What’s New

• SmartCenter is the only centralized management solution for perimeter, internal, Web and endpoint security. It offers an easy-to-use graphical interface that allows for centralized object creation and policy definition for all security products in every geography.

Customer Benefits

• Reduces administration overhead.

• Ensures consistent security policies across the network.

• Centralized monitoring capability of network and security events.


SmartPortal

What’s New

• A Web-based user interface to SmartCenter.

• Safely extends security visibility to multiple administrators and managers across diverse IT organizations.

Customer Benefits

• IT organizations such as help desk and NOC can now provide more efficient services with no additional resource required from the security team.

• Fosters cooperation among different IT organizations to proactively secure the enterprise; facilitates forensic investigations.

• Corporate security policy can now be more easily enforced and audited, improving regulatory compliance.

SmartView Monitor

What’s New

• A single, real-time monitoring application for networks, security gateways, VPN tunnels and remote user activities across all geographies.

Customer Benefits

• Allows timely identification of and response to network and security events.

• Reduces administrative overhead for enterprises with a large number of employees, geographically diverse locations and remote users.

SecurePlatform Pro

What’s New

• SecurePlatform Pro adds advanced networking and management capabilities into SecurePlatform, including dynamic routing, centralized authentication and Web management.

• Combined with dynamic routing and ClusterXL, VPN-1 Pro is the only security gateway to provide “graceful restart” and significantly improve the network uptime compared to alternatives.

Customer Benefits

• Dynamic routing capability allows enterprises to manage large and complex networks more efficiently with fewer resources.

• Customers’ networks now deliver far better availability and reliability.

Advanced VPN-1 Pro Capabilities

What’s New

• VPN-1 Pro NGX R60 adds advanced capabilities such as dynamic routing via the VPN tunnel.

• Route based VPN-1 Pro allows for directional VPN to be defined, instead of static VPN domains.

Customer Benefits

• Network management for a distributed environment is much simplified as routing protocols can be extended to remote VPN locations.

• Route based VPN-1 Pro improves network and VPN-1 Pro management efficiency, as a constantly changing network topology (such as the addition of an internal network) will not require you to reconfigure VPN domains.

Integrity End Point Security

What’s New

• Integrity Product Family achieves Total Access Protection for all PCs that connect to your network. Check Point Integrity endpoint security products ensure that both employee and guest users' PCs are secure before they're granted network access. By stopping worms, spyware, and hacker attacks, Integrity maintains business continuity, supports regulatory compliance, and protects you against financial loss due to endpoint attacks.

• Integrity client and server software secures all networked PCs by centrally managing proactive defenses and enforcing policy compliance.

• Integrity for Linux offers enterprises easy-to-manage endpoint security for the growing number of Linux workstations, providing sophisticated attack protections coupled with centralized policy deployment and reporting.

• Integrity SecureClient unites the complementary strengths of VPN-1 SecureClient and Integrity to deliver the most advanced remote access, endpoint security, and access policy enforcement.

• Integrity Clientless Security mitigates risks posed by employee and guest endpoints accessing enterprise resources via the Web. It delivers spyware disablement, ensures session confidentiality, and enforces network access policy.

• Integrity Desktop delivers preemptive protection against the latest worms, viruses, spyware, and hacker attacks.

Check Point Licenses

Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point User Center.

The Certificate Key is used in order to receive a License Key for products that you are evaluating.

In order to purchase the required Check Point products, contact your reseller.

Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software.


1 Activate the Certificate Key shown on the back of the media pack via the Check Point User Center at http://www.checkpoint.com/usercenter.

The Certificate Key activation process consists of:

• adding the Certificate Key

• activating the products

• choosing the type of license

• entering software details

Once this process is complete, a License Key is created and made available to you.

2 Once you have a new License Key, you can start the installation and configuration process. During this process, you will be required to:

• read the End Users License Agreement and if you accept it, click Yes.

• import the license that you obtained from the User Center for the product that you are installing.

Licenses are imported via the Check Point Configuration Tool.

The License Keys tie the product license to the IP address of the SmartCenter Server. This means that:

• Only one IP address is needed for all licenses.

• All licenses are installed on the SmartCenter Server.

• Correlation Units are licensed by the number of units that are attached to the SmartCenter Server.

Obtaining Software Installation Packages

NGX R60 software installation packages for Solaris, Windows, Linux and SecurePlatform are available on the product CD.

NGX R60 software packages for Nokia IPSO 3.9 are available at the online download center in the following location:

http://www.checkpoint.com/techsupport/downloads.jsp

Chapter 2

Getting Started with NGX R60

The following chapter presents information that will help you to successfully install NGX R60.

The NGX R60 CD-ROM can be used for a fresh installation or an upgrade from a version prior to NGX R60.

Terminology

The following are useful terms that you need to be familiar with in order to understand this chapter.

• A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.

• An Enforcement Module is the VPN-1 Pro engine that actively enforces the organization’s Security Policy and a machine that acts as an Enforcement Point\Gateway.

• The SmartCenter Server is the server used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter Server, and are downloaded to the Enforcement module.

• SmartConsole applications are the different GUI applications that are used to manage different aspects of the Security Policy. For instance, SmartView Tracker is a SmartConsole that manages logs.

• SmartDashboard is a SmartConsole GUI application that is used by the system administrator to create and manage the Security Policy.

• A Standalone deployment is performed when the Check Point components that are responsible for the management of the Security Policy (the SmartCenter Server and the Enforcement Module) are installed on the same machine.

• A Distributed deployment is performed when the Enforcement Module and the SmartCenter Server are deployed on different machines.

Minimum Hardware Requirements

Windows & Linux Platforms

Minimum Requirements for VPN-1 Pro

On Windows and Linux platforms, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server or Enforcement Module are:

• Intel Pentium II 300 MHz or equivalent processor

• 300 MB free disk space

• Windows: 256 Mbytes RAM, Linux: 128 Mbytes RAM (256 Mbytes recommended)

• One or more network adapter cards

• CD-ROM Drive

Minimum Requirements for SmartConsole

On Windows, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:

• Intel Pentium II 300 MHz or equivalent processor

• 100 MB free disk space

• 256 Mbytes RAM

• One network adapter card

• CD-ROM Drive

• 800 x 600 video adapter card

Minimum Requirements for SecuRemote/SecureClient

On Windows and Mac OS-X platforms, the minimum hardware requirements for installing SecuRemote/SecureClient are:

• 40 MB free disk space

• 128 MB RAM

Minimum Requirements for Eventia Reporter

The following minimum hardware requirements were designed so that Eventia Reporter Server will be able to process a volume of about 3 GB of logs per day and generate reports according to the performance numbers limitation. If you have fewer logs produced per day you can use a machine with less CPU or memory. This may, however, cause degradation in the performance numbers.

In addition, if your machine has less physical memory you will need to change the database cache size. To do this follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.

On Windows and Linux platforms, the minimum hardware requirements for installing Eventia Reporter are:

• Intel Pentium III 1000 MHz or equivalent processor

• 60 MB disk space for installation

• 40GB disk space for database

• 1GB RAM

• One network adapter card

• CD-ROM Drive

• 1024 x 768 video adapter card

The following is also recommended:

• Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or the Log server, to the optimal speed.

• Use the fastest disk available with a high RPM (revolutions per minute).

• Increase the machine's memory. It significantly improves performance.

• It is recommended to install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.

Solaris Platforms

Minimum Requirements for VPN-1 Pro

On a Solaris platform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server or Enforcement Module are:

• UltraSPARC II

• 100 MB free disk space for installation

• 128 Mbytes RAM, 256 Mbytes recommended

• One or more network adapter cards

• CD-ROM Drive

Minimum Requirements for SmartConsole

On a Solaris platform, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:

• UltraSPARC III

• 100 MB free disk space for installation

• 128 Mbytes RAM

• One network adapter card

• CD-ROM Drive

• 800 x 600 video adapter card

Minimum Requirements for Eventia Reporter

The following minimum hardware requirements were designed so that the Eventia Reporter Server will be able to process a volume of about 3 GB of logs per day and generate reports according to the performance numbers limitation. If you have fewer logs produced per day you can use a machine with less CPU or memory. This may, however, cause degradation in the performance numbers. In addition, if your machine has less physical memory you will need to change the database cache size. To do this follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.

The minimum hardware requirements for installing Eventia Reporter on a Solaris platform are:

• UltraSPARC III 400MHz processor

• 100 MB disk space for installation

• 40GB disk space for database

• 1GB RAM

• One network adapter card

• CD-ROM Drive

• 1024 x 768 video adapter card

The following is also recommended:

• Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or the Log server, to the optimal speed.

• Use the fastest disk available with a high RPM (revolutions per minute).

• Increase the machine's memory. It significantly improves performance.

• It is recommended to install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.

SecurePlatform

Minimum Requirements for VPN-1 Pro

On SecurePlatform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server or Enforcement Module are:

• Intel Pentium III 300+ MHz or equivalent processor

• 4 GB free disk space

• 256 Mbytes RAM (512 Mbytes recommended)

• One or more supported network adapter cards

• CD-ROM Drive (bootable)

• 1024 x 768 video adapter card

For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/recommended.html

Minimum Software Requirements

Solaris Platform

Required Packages

• SUNWlibc

• SUNWlibCx

• SUNWter

• SUNWadmc

• SUNWadmfw

Required Patches

Check Point recommends using the Sun Install Check Tool to check the patch level of your Solaris machines. The Sun Install Check Tool is available on the Sun download site at http://www.sun.com/software/installcheck/download.xml. Use the tool to make sure your Solaris machines have the following or newer patches.

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC platforms.

Number      System   Notes
108528-18   All      If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03   All
109147-18   All
109326-07   All
108434-01   32 bit
108435-01   64 bit

Solaris 9: the following patch (or newer) is required on Solaris 9 UltraSPARC platforms:

Number      System   Notes
112233-12   All
112902-07   All
116561-03   All      Only if dmfe(7D) ethernet driver is defined on the machine

To verify that you have these patches installed use the command:

showrev -p | grep <patch number>

The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches before installing 64-bit patches.

Windows Platform

This release requires that Service Packs be applied to Windows 2000 systems. This release supports Windows 2000 Service Packs SP1, SP2, SP3, and SP4. The release also supports Windows 2003 and Windows 2003 SP1.

Linux Platform

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.
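Returning to the Solaris patch check under Required Patches: a grep for the exact patch string from the table finds nothing when a newer revision is installed, although the guide accepts "or newer". The script below is an added example, not part of the Check Point guide; it compares `showrev -p` output against the guide's minimum revisions. The function names, verdict strings and sample `showrev -p` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): compare `showrev -p` output
# with the minimum patch revisions listed in the guide's tables.

# Minimum revisions copied from the Solaris 8 and Solaris 9 tables.
# Trim the list to fit the host: 108434 is the 32-bit entry, 108435 the 64-bit
# entry, and 116561 applies only when the dmfe(7D) driver is defined.
SOL8_REQUIRED="108528-18 110380-03 109147-18 109326-07 108434-01 108435-01"
SOL9_REQUIRED="112233-12 112902-07 116561-03"

# check_patches "<id-rev> <id-rev> ..."   (hypothetical helper name)
# Reads `showrev -p` text on stdin and prints one verdict per required patch:
# OK, OLD (installed revision is lower) or MISSING. Returns 0 only if all are OK.
check_patches() {
    awk -v required="$1" '
        # Each installed patch appears as "Patch: <id>-<rev> ...".
        # Keep the highest revision seen for every patch id.
        $1 == "Patch:" && split($2, p, "-") == 2 {
            rev = p[2] + 0
            if (!(p[1] in have) || rev > have[p[1]]) have[p[1]] = rev
        }
        END {
            bad = 0
            n = split(required, req, " ")
            for (i = 1; i <= n; i++) {
                split(req[i], r, "-")
                need = r[2] + 0
                if (!(r[1] in have)) {
                    printf "MISSING %s\n", req[i]; bad = 1
                } else if (have[r[1]] < need) {
                    printf "OLD %s-%02d (need %s)\n", r[1], have[r[1]], req[i]; bad = 1
                } else {
                    printf "OK %s-%02d\n", r[1], have[r[1]]
                }
            }
            exit bad
        }'
}

# has_113652_conflict   (hypothetical helper name)
# Succeeds when stdin lists 108528-17 together with 113652-01, the case where
# the guide says to remove 113652-01 before installing 108528-18.
has_113652_conflict() {
    awk '$1 == "Patch:" && $2 == "108528-17" { a = 1 }
         $1 == "Patch:" && $2 == "113652-01" { b = 1 }
         END { exit !(a && b) }'
}

# Constructed sample in the layout of `showrev -p` output (not from a real host).
SAMPLE_SHOWREV='Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 113652-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC'

# Demo on the sample. On a Solaris 8 host: showrev -p | check_patches "$SOL8_REQUIRED"
printf '%s\n' "$SAMPLE_SHOWREV" | check_patches "$SOL8_REQUIRED" \
    || echo "Patch level is below the minimum listed in the guide"
if printf '%s\n' "$SAMPLE_SHOWREV" | has_113652_conflict; then
    echo "Remove 113652-01, then install 108528-18"
fi
```

On the sample, 110380-04 passes even though the table lists 110380-03, which is the case an exact-string grep would report as absent.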

Compatibility Table

While performing an upgrade, the process looks for unsupported Check Point products that may already be installed on the targeted computer. If the existing Check Point implementation contains products that are not supported by NGX R60, the NGX R60 wrapper will exit. The following table lists the Check Point products and platforms supported by NGX R60.

TABLE 2-1 Supported NGX R60 Products

Platforms:
• Microsoft Windows: Server 2003; 2000 Advanced Server (SP1-4); 2000 Server (SP1-4); 2000 Professional (SP1-4); XP Home & Professional; 98 SE & ME; Hand-Held PC 2000 & Pocket PC 2003
• Solaris UltraSPARC (note 1): 8 32/64 bit; 9 64 bit
• RHEL 3.0: kernel 2.4.21
• Check Point: SecurePlatform
• Nokia: IPSO 3.9
• Mac: OS X

Product                                            Support
SmartConsole GUI                                   X 2 X X X X X X X
VPN-1 Pro Module (including QoS, Policy Server)    X X X X X X X X
SmartCenter Server (incl. VSX)                     X X X X X X X X 3
SmartPortal                                        X X X X X X X
SecuRemote                                         X X X X X
SecureClient                                       X X X X X X X X
ClusterXL (VPN-1 Pro Module)                       X X X 4 X X X X X 5
UserAuthority (Management Add-on only)             X X X X X X X X X X
Eventia Reporter - Server                          X X X X X X X X 7
SmartView Monitor                                  X 6 X X X X X X
VPN-1 Accelerator Driver II                        X X
VPN-1 Accelerator Driver III                       X X X X X X X X
Performance Pack                                   X X X
SmartLSM - GUI                                     X X X X X
SmartLSM - Enabled Management                      X X X X X X X X
SmartLSM - Enabled ROBO Gateways                   X X X X X X
SmartLSM - Enabled CO Gateways                     X X X X X X X X
Advanced Routing                                   X X 8
SecureXL Turbocard                                 X 9
SSL Network Extender - Server                      X X X X X X X X
SSL Network Extender - Client                      X X X
Provider-1/SiteManager-1 Server                    X X X X
Provider-1/SiteManager-1 GUI                       X X X X X X X

OSE Supported Routers:
• Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14
• Cisco OS Versions: 9.x, 10.x, 11.x, 12.x

Notes to Compatibility Table

1 See “Minimum Software Requirements” for Solaris platforms.

2 The following SmartConsole Clients are not supported on Solaris UltraSPARC 8 (32- and 64-bit): Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient Packaging Tool.

3 HA Legacy mode is not supported on Windows Server 2003.

4 ClusterXL is only supported in third party mode with VRRP or IP Clustering.

5 Only the Server Add-on of Eventia Reporter is supported on IPSO.

6 SmartView Monitor on Solaris is only supported in 32-bit mode.

7 VPN-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia platform.

Chapter 2 Getting Started with NGX R60 23

Page 26: Getting Started Guide - Check Point Software€¦ · Overview NGX R60 is a Check Point release that revolutionizes security with stronger protection and smarter management, addressing

Supported Upgrade Paths and Interoperability

Supported Upgrade Paths and Interoperability

NGX R60 upgrade and backward compatibility information:

Upgrading from versions prior to NG (4.0-4.1) is not supported. In order to upgrade FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R60.

Licensing NGX R60Licenses are required for the SmartCenter Server and for the Enforcement Modules. No license is required for the SmartConsole management clients.

Check Point Gateways enforce the license installed on the gateway by counting the number of users that have traversed the gateway. If the limit has been reached, warning messages are sent to the console.

Check Point software that has not yet been purchased, will work for a period of 15 days. You are required to go through the User Center in order to register this software.

TABLE 2-2

Version Upgrade Backward compatibility

NG Supported Not supported

NG FP1 Supported Not supported

NG FP2 Supported Not supported

NG FP3 Supported Supported

NG AI R54 Supported Supported

NG AI R55 Supported Supported

NG R55W Supported Supported

GX 2.5 Supported Supported

VSX NG AI release 2 Supported Supported

24 Getting Started Guide

Page 27: Getting Started Guide - Check Point Software€¦ · Overview NGX R60 is a Check Point release that revolutionizes security with stronger protection and smarter management, addressing

Obtaining VPN-1/Pro Express Licenses

Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point User Center https://usercenter.checkpoint.com.

The Certificate Key is used in order to receive a License Key for products that you are evaluating.

In order to purchase the required Check Point products, contact your reseller.

Check Point products certificate keys are activated as follows:

1 Activate the Certificate Key shown on the back of the media pack via Check Point User Center.

The Certificate Key activation process consists of:

• adding the Certificate Key

• activating the products

• choosing the type of license

• entering the software details

2 Once you have a new License Key, you can start the installation and configuration process. During this process, you will be required to:

• read the End Users License Agreement and if you accept it, click Yes.

• import the license that you obtained from the User Center for the product that you are installing.

Licenses are imported via the Check Point Configuration Tool or by using SmartUpdate.

SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. The License Keys tie the product license to the IP address of the SmartCenter Server. This means that:

• The new license remains valid even if the IP address of the Check Point Gateway is changed.

• Only one IP address is needed for all licenses.


• A license can be detached from one Check Point Gateway and assigned to another.

Upgrading VPN-1/Pro Express Licenses

Customers with versions prior to NGX R60 will be required to obtain a new license when they upgrade to NGX R60. Check Point NGX R60 software does not work with licenses from previous versions.

The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).

Licenses for versions prior to NG cannot be upgraded directly to NGX. You must first upgrade to NG and then upgrade the licenses from NG to NGX.

The license upgrade procedure uses the license_upgrade command line tool, which upgrades licenses automatically so that you do not have to do so manually through the Check Point User Center Web site.

For detailed information about upgrading licenses refer to the Upgrading VPN-1 Pro/Express Licenses to NGX R60 chapter of the NGX R60 Upgrade Guide.


CHAPTER 3

Performing a Fresh Installation

In This Chapter

Overview

NGX R60 Fresh Installation on SecurePlatform

NGX R60 Fresh Installation on a Windows Platform

NGX R60 Fresh Installation on Solaris\Linux

NGX R60 Fresh Installation on a Nokia Platform

Overview

Check Point software is designed to work across multiple platforms, including Unix, Windows and pre-configured appliances. The “look-and-feel” of each installation differs depending on the platform.

NGX R60 can be deployed as follows:

• A standalone deployment, where the Check Point components that are responsible for the management of the Security Policy (the SmartCenter Server and the Enforcement Module) are installed on the same machine.

• A distributed deployment where the Enforcement Module and the SmartCenter Server are installed on different machines.

In both installations, SmartConsole can be installed on any machine, unless stated otherwise and the following must be performed:

• install the components that will manage or enforce the Security Policy (for instance SmartCenter Server, Enforcement Module, Log Server).

• install one or more SmartConsole clients to manage different aspects of VPN-1 Pro (that is, Check Point Enterprise). For instance, SmartDashboard is used by the system administrator to manage and create the Security Policy. Any number of SmartConsole GUI applications can be installed on the same machine.

• The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.

The installation proceeds gradually. Several features are installed automatically, such as:

• the default filter, which protects the machine until a Security Policy is defined, as well as

• the Unified Package, which is the technological backbone common to all VPN-1 Pro components.


NGX R60 Fresh Installation on SecurePlatform

In This Section

Install SecurePlatform using NGX R60 CD

Install VPN-1 on SecurePlatform

Installing NGX R60 using WebUI

Install SecurePlatform using NGX R60 CD

1 Insert the SecurePlatform CD into the CD drive and reboot the computer from the NGX R60 CD.

After rebooting, the Welcome to Check Point screen is displayed.

2 Select Enter to confirm the installation. If you do not press Enter, within a pre-designated interval, the computer will reboot from the hard disk.

At this point, you need to wait while the installation program is loaded. After confirmation, the Welcome menu is displayed.

The following three options appear. To continue with the normal installation go directly to step #3 below.

• Device List

If you select Device List, the Hardware Scan Details menu is displayed. You can select an item to get more information.

The Hardware device categories include: OTHER DEVICES, NETWORK DEVICES and AUDIO DEVICES. The information per hardware device includes: class, bus, driver, device, detached, vendor Id, device Id, subVendor Id, subDevice Id and pci Type.

Press Back to return to the Hardware Scan Details menu. You can save the device information to: Floppy, TFTP, or Serial.

• Add Driver

If you select Add Driver, the Devices menu is displayed. You are asked if you have a driver disk.

If you select Yes, you are prompted to insert your driver disk and press OK to continue.

If you select OK again, the driver is installed.

There are cases in which updated hardware is incompatible with the previous version’s driver. You may receive an error at installation because the operating system could not find the appropriate hard disk driver. Alternatively, installation may be completed, but the hardware does not function properly. The Add Driver feature solves this problem by enabling you to add the missing driver, at installation time.

• OK (continues with the normal installation)

3 Select OK to proceed with the installation, or Cancel to abort it.

The System Type window appears.

4 Under the question What type of system would you like to install? select one of the following:

• SecurePlatform

• SecurePlatform Pro - including Advanced Routing Suite and additional enhancements (for example, RADIUS authentication of administrators).

The Keyboard Selection menu is displayed.

5 Select a keyboard type and select OK.

6 In the Network Interface Configuration menu, specify the Management Interface IP address, netmask and default gateway of the first network interface (eth0 on most systems), and select OK.

After completing the installation, and rebooting the computer, connect your browser to this IP address and complete the setup. This interface can be used to access the SecurePlatform computer, after the installation is complete.


7 In the HTTPS Server Configuration menu, specify whether to enable SecurePlatform to be configured using WEB UI and a specific port number.

8 Select OK to proceed.

The Confirmation menu is displayed.

9 Select OK to proceed, or Cancel to abort the installation process.

Warning - The installation procedure erases all the information on the hard disk.

The following installation operations are performed:

• hard drive formatting

• software package installation

• post installation procedures

This step can take several minutes, after which the Installation Complete screen is displayed.

10 Select OK to complete the installation.

11 The system will now reboot. Make sure to remove the CD or diskette that you used during the installation process. On most systems the CD will be ejected automatically after selecting OK in the Installation Complete menu.

Install VPN-1 on SecurePlatform

After the installation from the CD has been completed, and the computer has been rebooted, a first time setup is required in order to:

• configure the network settings

• apply the license

• select which products will be installed

• perform the SmartCenter initial setup, if selected

Perform the first time setup, as follows:

1 Install SecurePlatform (perform steps 1 to 11 in Install SecurePlatform using NGX R60 CD).

2 Reboot the machine.

3 Enter a Username and Password.

Note - If you are logging on for the first time, use Admin as your Username and Password. You will be asked to change this Username and Password.

4 Run the sysconfig command (refer to the NGX R60 SecurePlatform and SecurePlatform Pro User Guide for additional information) from the console to configure SecurePlatform, using a text interface.

A Welcome message appears.

5 The command line setup wizard begins, and guides you through the first-time configuration.

6 Select n to proceed to the next menu, or q to exit the Wizard, and press Enter.

7 If you selected n and pressed Enter, the Network Configuration menu options are displayed. They are:

• Host Name (Set/Show Host Name)

• Domain Name (Set/Show Domain Name)

• Domain Name Servers (Add/Remove/Show Domain Name Servers)

• Network Connections (Add/Configure/Remove/Show Connection)

• Routing (Set/Show Default Gateway)

You must configure the following:

• the computer’s name

• the domain name, and up to three DNS servers

• the computer’s network interfaces

• the default gateway

8 Enter the desired option number and press Enter.

The Choose an action menu operation options are displayed.


9 Enter the desired operation option number and press Enter.

Select e and press Enter to return to the previous menu.

10 When you have completed Network Configuration, select n and press Enter to proceed to the next menu, Time and Date Configuration.

The Time and Date screen appears with the following 4 options:

• Set time zone

• Set date

• Set local time

• Show date and time settings

11 Skip to the next step or select one or more of the options.

After every selection, select p and press Enter to return to the previous menu, or select q and press Enter to exit the Wizard.

12 Type N for next, in order to continue the installation.

The Import Check Point Products Configuration screen appears with the following option: Fetch Import file from TFTP Server.

If you select this option, follow the prompts and answer the questions that appear.

13 Type N for next, in order to continue the installation.

14 A Welcome message appears.

15 Type N for next, in order to continue the installation. A script guides you through the rest of the process.

16 Read the End-User License agreement.

Press the spacebar to continue to the next License Agreement page.

17 To accept the License Agreement type Y and press Enter.

18 Select whether to install Check Point Enterprise/Pro or Check Point Express software products.

For Check Point Enterprise/Pro

a. Select New Installation and N. A list of products appears:

- VPN-1 Pro

- SmartCenter

- Eventia Reporter

- SmartPortal

- UserAuthority

- Performance Pack

b. Select the appropriate products and follow the installation process.

c. At this point a Welcome message is displayed. Press N to continue.

d. Press Enter and the installation process begins.

e. Continue with step 19.

For Check Point Express

a. Select New Installation and N. A list of products appears:

- VPN-1 Express

- SmartCenter Express

- Eventia Reporter Express

- SmartPortal

b. Select the appropriate products and follow the installation process.

c. Press Enter and the installation process begins.

d. Continue with step 19.

19 In order to complete the installation process, configure the Enterprise SmartCenter and the Enforcement Module using the Configuration Tool. For more information see “Configuration Tool” on page 43.

20 Reboot the machine.

Once you reboot the machine, IP forwarding is automatically disabled and a default Security Policy is applied to the Enforcement Module. This default Security Policy forbids all inbound connections, except for control connections (for example, install policy operations, etc.). This policy remains in place until you have installed the first Security Policy.

Installing NGX R60 using WebUI

Upon completion of the operating system setup and after the computer has been rebooted, a first time setup is required in order to:

• configure the network settings

• apply the license

• select which products will be installed

• perform the SmartCenter initial setup, if selected

To install NGX R60 products using the Web User Interface, refer to the SecurePlatform and Secure Platform Pro NGX R60 Guide.


NGX R60 Fresh Installation on a Windows Platform

The installation on a Windows platform is GUI based. The screens that appear during this installation differ according to which Check Point components are installed.

1 Log on as an Administrator and insert the CD.

The Wrapper is launched automatically and a Welcome window is displayed.

2 Review the Evaluation Options and/or select Read More About Installation and click Next.

3 Read the End-Users License Agreement. If you accept the agreement click I accept the terms of the License agreement.

4 Select whether to install Check Point Enterprise/Pro or Check Point Express.

For Check Point Enterprise/Pro

a. Select New Installation and N. A list of products appears:

- VPN-1 Pro

- SmartCenter

- Eventia Reporter

- SmartConsole

- VPN-1 Client

- SmartPortal

- UserAuthority

b. Select the appropriate products, verify the default directory, or browse to a new location and follow the installation process.

c. After the automatic installation program is complete continue with step 5.

For Check Point Express

a. Select New Installation and N. A list of products appears:

- VPN-1 Express

- SmartCenter Express

- Eventia Reporter Express

- SmartConsole

- VPN-1 Client

- SmartPortal

b. Select the appropriate products, verify the default directory, or browse to a new location and follow the installation process.

c. After the automatic installation program is complete continue with step 5.

5 In order to complete the installation process, configure the Enterprise SmartCenter and the Enforcement Module using the Configuration Tool. For more information see “Configuration Tool” on page 43.

6 Reboot the machine.

Once you reboot the machine, IP forwarding is automatically disabled and a default Security Policy is applied to the Enforcement Module. This default Security Policy forbids all inbound connections, except for control connections (for example, install policy operations, etc.). This policy remains in place until you have installed the first Security Policy.


NGX R60 Fresh Installation on Solaris\Linux

This is a console-based process. It is run from the command line, with a main menu that leads you step-by-step through the installation.

In order to begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:

1 Execute the command ./UnixInstallScript in the mounted directory.

2 Type N for next in order to continue with the installation.

3 Read the End-Users License Agreement.

Press the spacebar to continue to the next License Agreement page.

If you want to go directly to the end of the License Agreement, press q on the keyboard.

4 To accept the License Agreement type Y and press Enter.

5 Select Check Point Enterprise/Pro or Check Point Express by typing their respective numbers and type N.

For Check Point Enterprise/Pro

a. Select New Installation and N. A list of products appears:

Solaris               Linux
- VPN-1 Pro           - VPN-1 Pro
- SmartCenter         - SmartCenter
- Eventia Reporter    - Eventia Reporter
- SmartPortal         - SmartPortal
- Performance Pack    - UserAuthority
- UserAuthority

b. Select the appropriate products and follow the installation process.

c. After the automatic installation program is complete continue with step 6.

For Check Point Express

a. Select New Installation and N. A list of products appears:

Solaris                       Linux
- VPN-1 Express               - VPN-1 Express
- SmartCenter Express         - SmartCenter Express
- Eventia Reporter Express    - Eventia Reporter Express
- SmartPortal                 - SmartPortal

b. Select the appropriate products and follow the installation process.

c. After the automatic installation program is complete continue with step 6.

6 In order to complete the installation process, configure the Enterprise SmartCenter and the Enforcement Module using the Configuration Tool. For more information see “Configuration Tool” on page 43.

7 Reboot the machine.

Once you reboot the machine, IP forwarding is automatically disabled and a default Security Policy is applied to the Enforcement Module. This default Security Policy forbids all inbound connections, except for control connections (for example, install policy operations, etc.). This policy remains in place until you have installed the first Security Policy.


NGX R60 Fresh Installation on a Nokia Platform

Install NGX R60 using a console-based connection or Nokia Network Voyager, which is a secure Web-based network-element management application. Then, use a console-based connection to perform the initial configuration.

You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. For more information, see the Nokia Horizon Manager documentation on the Nokia Support Web site: https://support.nokia.com.

NGX R60 software packages for Nokia IPSO 3.9 are available at the online download center in the following location:

http://www.checkpoint.com/techsupport/downloads.jsp

1 Copy the IPSO Wrapper to an FTP server on your network.

2 To install the Wrapper with the use of a console-based connection, enter newpkg at the command prompt and follow the on-screen instructions. To install the Wrapper by using Voyager, continue to the next step.

3 From the Voyager home page, choose System Configuration > Manage Installed Packages > FTP and Install Packages.

4 Enter the appropriate information to connect to the FTP site and download the Wrapper, then click Apply.

5 Select the Wrapper from the Site Listing field, then click Apply.

6 Select the relevant package in the Select a package to unpack area and click Apply.

7 Scroll down and click the install link that appears. This process may take several minutes.

8 Select Yes in the Install box and click Apply.

9 After the installation is complete, connect to the Nokia platform with a console-based connection.


10 Enter cpconfig at the command line; a script guides you through the rest of the process.


CHAPTER 4

Initial Configuration

In This Chapter

Configuration Tool

Logging into the SmartCenter Server for the First Time

Where to From Here?

Configuration Tool

The Configuration Tool appears automatically at the end of a new installation. It is also used to reconfigure previously installed components.

Configuration Tool Settings

The Configuration Tool’s settings are carried out step-by-step in order to complete the installation. The configuration settings reflect the Check Point component that is being installed, and may include:

• Licenses, create a license for the SmartCenter Server and Enforcement Module.

• Administrators, create an administrator who has permissions to access the SmartCenter Server. This administrator must be given Read/Write permissions in order to create the first Security Policy.

• GUI Clients, add a resolvable name or IP address to the machine on which the SmartConsole is installed. This is required if the SmartConsole clients are installed on any machine other than the SmartCenter Server.

• Key Hit Session, enter random key strokes in order to create a random seed that is used for various cryptographic purposes. Once the bar is full, the Key Hit session is complete.

• Certificate Authority, the definitions on this window are used to initiate the Internal Certificate Authority which is used in turn to enable secure communication between the SmartCenter Server and its modules.

For some Operating Systems, such as Windows, you must specify the name of the host in which the ICA resides. You may use the default name or supply your own.

The ICA name should be a resolvable name in the format hostname.domain; for example ica.checkpoint.com. It is essential that this name be accurate in order for VPN-1 to work.

• Fingerprint, verifies the identity of the SmartCenter Server the first time you login to the SmartConsole.

Upon login to the SmartConsole, a Fingerprint is displayed. The displayed Fingerprint must match the Fingerprint shown now in the Configuration Tool window in order for authentication to succeed. You may choose to export this Fingerprint, so that you may recall it when you login to the SmartConsole for the first time, for verification purposes.

Using the Configuration Tool

To perform initial configuration of NGX R60 perform the following steps:

1 Open the Configuration Tool.

2 In the Licenses window perform one or both of the following procedures:

Fetch One or More Licenses from a File

A) Click on Fetch from File.

B) Browse to the license file, select it and click Open.

The license(s) that belong to this host are added.

Add a License Manually

A) Click Add to add a license.

The Add License window is displayed.

B) Configure the Add License window.

C) Click OK to add the newly configured license.

3 Click Next.

4 In the Administrators window click Add to specify an administrator.

Add an administrator who is permitted on the SmartConsole side, that is, the administrator who will be allowed to use a SmartConsole to connect to the SmartCenter Server installed on this machine.

Starting from NGX R60, just one administrator can be defined via the Configuration Tool. Additional administrators can be defined using SmartDashboard.

5 Configure the parameters in the Add Administrator window that appears and click OK.

6 Click Next.


7 In the GUI Clients window add a GUI Client.

If you do not define at least one GUI Client, you will be able to manage the SmartCenter Server you have just installed only from a GUI Client running on the same machine.

8 Enter the GUI Client’s name in the Remote hostname field.

9 Click Add to add it to the list of allowed GUI Clients.

You can add GUI Clients using any of the following formats:

• IP address - for example 1.2.3.4

• IP/netmask - A range of addresses, for example 192.168.10.0/255.255.255.0

• Machine name - for example Alice, or Alice.checkpoint.com

• Any - Any IP without restriction

• IP1-IP2 - A range of addresses, for example 192.168.10.8 - 192.168.10.16

• Wild cards - for example 192.168.10.*

10 Click Next.

11 In the Certificate Authority window provide a resolvable name, in the format <hostname>.<domain name> (for instance, <hostname>.checkpoint.com).

This option allows you to initialize an Internal Certificate Authority (ICA) on SmartCenter Server, and to initialize a Secure Internal Communication (SIC) certificate for the SmartCenter Server.

SIC certificates are used to authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC Applications. Note that your components will not be able to communicate with each other until the Certificate Authority is initialized and they have their SIC certificate.

12 Click Next.


13 The Fingerprint window displays the fingerprint of the SmartCenter Server.

The fingerprint is a text string derived from the certificate of the SmartCenter Server. It is used to verify the identity of the SmartCenter Server being accessed via the SmartConsole. You should compare this fingerprint to the fingerprint displayed in the SmartDashboard, the first time a SmartConsole connects to this SmartCenter Server.

Use the Fingerprint to Confirm the Identity of the SmartCenter Server

14 In the Fingerprint window, click Export to file and save the file.

The fingerprint is exported to a text file, which can be accessed from the SMART Client machine(s) to confirm the fingerprint of the SmartCenter Server.

Once you have finished using the Configuration Tool perform the following:

A) From a SmartConsole, perform a first time connection to a SmartCenter Server. The Fingerprint of a SmartCenter Server is displayed.

B) Make sure the SmartCenter Server fingerprint is identical to the fingerprint displayed in the SmartConsole.

Note - You should not perform a first-time connection to a SmartCenter Server from a SmartConsole unless the SmartCenter Server fingerprint is readily available and you are able to confirm it is the same as the fingerprint displayed in the SmartConsole.

15 Close the Configuration Tool.
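
The GUI Client formats listed in step 9 differ widely in how many machines they admit to the SmartCenter Server. The sketch below is an added example, not Check Point code: it parses each format, tests a client address against an entry, and flags entries wider than a threshold. The function names, the 256-address threshold, the matching semantics (inclusive ranges, `*` as any octet value, exact name comparison) and the last two sample entries are assumptions made for illustration.

```python
"""Audit a SmartCenter GUI Clients list (added example, not Check Point code)."""
import ipaddress
import re

_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
_RANGE = re.compile(rf"^({_QUAD})\s*-\s*({_QUAD})$")
_WILD = re.compile(r"^(?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3}$")
_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+)*$")


def parse_entry(entry):
    """Classify one entry; returns (kind, value). Raises ValueError if malformed."""
    text = entry.strip()
    if text.lower() == "any":
        return "any", None
    m = _RANGE.match(text)
    if m:  # IP1-IP2, assumed inclusive at both ends
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry!r}")
        return "range", (lo, hi)
    if "*" in text:  # wild card, assumed to mean "any value" per octet
        parts = text.split(".")
        if not _WILD.match(text) or any(p != "*" and int(p) > 255 for p in parts):
            raise ValueError(f"malformed wild card: {entry!r}")
        return "wildcard", tuple(parts)
    if "/" in text:  # IP/netmask, dotted mask as in the guide's example
        return "network", ipaddress.IPv4Network(text, strict=False)
    try:
        return "ip", ipaddress.IPv4Address(text)
    except ValueError:
        pass
    if _NAME.match(text):
        return "name", text.lower()
    raise ValueError(f"unrecognised GUI Client entry: {entry!r}")


def address_count(entry):
    """Number of IPv4 addresses an entry admits; None for a machine name."""
    kind, value = parse_entry(entry)
    if kind == "any":
        return 2 ** 32
    if kind == "ip":
        return 1
    if kind == "network":
        return value.num_addresses
    if kind == "range":
        return int(value[1]) - int(value[0]) + 1
    if kind == "wildcard":
        return 256 ** value.count("*")
    return None  # size depends on what the name resolves to


def matches(entry, client_ip, client_name=None):
    """True if a client with this address (and optional name) fits the entry."""
    kind, value = parse_entry(entry)
    ip = ipaddress.IPv4Address(client_ip)
    if kind == "any":
        return True
    if kind == "ip":
        return ip == value
    if kind == "network":
        return ip in value
    if kind == "range":
        return value[0] <= ip <= value[1]
    if kind == "wildcard":
        return all(p == "*" or int(p) == o for p, o in zip(value, ip.packed))
    # Machine name: compared as text here; a real check would resolve it.
    return client_name is not None and client_name.lower() == value


def audit(entries, max_addresses=256):
    """Label each entry ok / broad / resolve / invalid. Threshold is an assumption."""
    findings = []
    for entry in entries:
        try:
            count = address_count(entry)
        except ValueError:
            findings.append((entry, "invalid"))
            continue
        if count is None:
            findings.append((entry, "resolve"))  # verify what the name resolves to
        elif count > max_addresses:
            findings.append((entry, "broad"))
        else:
            findings.append((entry, "ok"))
    return findings


# The first six entries use the formats shown in the guide; the last two are constructed.
SAMPLE_ENTRIES = [
    "1.2.3.4", "192.168.10.0/255.255.255.0", "Alice.checkpoint.com", "Any",
    "192.168.10.8 - 192.168.10.16", "192.168.10.*",
    "10.*.*.*",        # constructed: a wild card covering 16,777,216 addresses
    "192.168.10.300",  # constructed: malformed address
]

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_ENTRIES):
        print(f"{verdict:8} {entry}")
```

Entries reported as broad or resolve are the ones to review before leaving the GUI Clients window.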


Logging into the SmartCenter Server for the First Time

Login Process

Administrators connect to the SmartCenter Server via SmartDashboard using a login process that is common to all SmartConsole clients. In this process, the administrator and the SmartCenter Server are authenticated, and a secure channel of communication between them is created. After successful authentication has taken place, the selected SmartConsole is launched.

After the first login, the administrator can create a certificate to be used for the purpose of login. Login with a certificate is considered an authentication process that is more secure than a login process using a user name and password. This certificate can be created at a later stage, see the SmartCenter User Guide.

Authenticating the Administrator and the SmartCenter Server

1 Launch SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R60 > SmartDashboard, and login.

2 Login using the User Name and Password defined in the Configuration Tool’s Administrators page during the SmartCenter Server installation.

3 After providing the authentication information, specify the name or IP address of the target SmartCenter Server and click OK.

4 Manually authenticate the SmartCenter Server with the Fingerprint presented during the configuration process in the Configuration Tool. This step only takes place during first-time login, since when the SmartCenter Server is authenticated, the Fingerprint is saved in the SmartConsole machine’s registry.


Where to From Here?

You have now learned the basics that you need to get you started. The next step is to obtain more advanced knowledge of your Check Point software.

The Check Point documentation elaborates on this information and is available in PDF format on the Check Point CD. Be sure to also use our Online Help when you are working with the Check Point SmartConsole clients.

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

https://secureknowledge.checkpoint.com

