IPSO37

VPN-1/FireWall-1 for Nokia

Getting Started Guide

NG for IPSO Version 3.7

Part Number N451056001 Rev A


Published June 2003
COPYRIGHT
©2003 Nokia. All rights reserved.
Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND


Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS


This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not
limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall
Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or
consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or
profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort
(including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of
such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or
registered trademarks of their respective holders.

030114

2 VPN-1/FireWall-1 for Nokia Getting Started Guide


Nokia Contact Information

Corporate Headquarters

Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information

Americas
Nokia Internet Communications, 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: ipsecurity.na@nokia.com

Europe, Middle East, and Africa
Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: ipsecurity.emea@nokia.com

Asia-Pacific
438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364
email: ipsecurity.apac@nokia.com

Nokia Customer Support

Web Site: https://support.nokia.com/
Email: tac.support@nokia.com

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897

021216

Contents

About This Guide
    In This Guide
    Conventions This Guide Uses
        Notices
        Text Conventions
    Related Documentation

1 Preparing for Installation and Configuration
    Basic VPN-1/FireWall-1 Components
    Using Nokia Horizon Manager
    Installation Overview
        Distributed and Standalone Installations
        Basic Steps for Installing or Upgrading
    Determining the VPN-1/FireWall-1 Version
    Preparing the Nokia IP Security Platform
    Preparing the Network
    Obtaining Check Point Licensing
    Downloading VPN-1/FireWall-1 NG

2 Installing or Upgrading VPN-1/FireWall-1
    Installation and Upgrade Overview
    Installation and Upgrade: Detailed Procedures

3 Configuring VPN-1/FireWall-1
    Configuration Overview
        Using Nokia Horizon Manager for the Initial Configuration
    Detailed Procedures
        Using the cpconfig Utility
        Re-establishing Remote Access

4 Installing SMART Clients
    Testing Connectivity

About This Guide

This guide describes how to install, upgrade, and initially configure Check Point
VPN-1/FireWall-1 NG. This guide focuses on the steps required to bring up VPN-1/FireWall-1
on Nokia IP security platforms; it is not intended to be a complete guide to how to configure or
manage VPN-1/FireWall-1 services. For information about these subjects, see the Check Point
Getting Started Guide and the Check Point FireWall-1 Guide, available from the Check Point
Web site.
This preface provides the following information:
• In This Guide
• Conventions This Guide Uses
• Related Documentation

In This Guide
This guide is organized into the following chapters:
• Chapter 1, “Preparing for Installation and Configuration,” contains an overview of the
installation process and describes how to prepare to install and configure VPN-1/FireWall-1.
• Chapter 2, “Installing or Upgrading VPN-1/FireWall-1,” describes how to use Nokia
Network Voyager or the command-line interface to install the Check Point applications on
your appliance.
• Chapter 3, “Configuring VPN-1/FireWall-1,” describes how to use the cpconfig utility to
perform the initial VPN-1/FireWall-1 configuration.
• Chapter 4, “Installing SMART Clients,” describes how to install the Check Point GUI on a
Microsoft Windows system.
To set up a new installation of VPN-1/FireWall-1 on a Nokia appliance, read all of the chapters
in this guide. If your Nokia appliance comes with the latest version of VPN-1/FireWall-1
installed, you can skip Chapter 2. If you plan to upgrade from an earlier version of the Check
Point software, you can skip Chapter 3.

Note
If you do not know which version of VPN-1/FireWall-1 is on your appliance, see
“Determining the VPN-1/FireWall-1 Version” on page 14.

Conventions This Guide Uses
The following sections describe the conventions this guide uses, including notices, text
conventions, and command-line conventions.

Notices

Note
Notes provide information of special interest or recommendations.

Text Conventions
The following table describes the text conventions this guide uses.

Convention                Description

monospace font            Indicates command syntax, or represents computer or screen
                          output, for example:
                          Log error 12453

bold monospace font       Indicates text you enter or type, for example:
                          # cpconfig

Key names                 Keys that you press simultaneously are linked by a plus sign (+):
                          Press Ctrl + Alt + Del.

Menu commands             Menu commands are separated by a greater than sign (>):
                          Choose File > Open.

The words enter and type  Enter indicates you type something and then press the Return or
                          Enter key.
                          Do not press the Return or Enter key when an instruction says
                          type.

Italics                   • Emphasizes a point or denotes new terms at the place where
                            they are defined in the text.
                          • Indicates an external book title reference.
                          • Indicates a variable in a command:
                            newpkg file_name.tgz

Related Documentation
For more information about VPN-1/FireWall-1, see the following documents:
• Check Point FireWall-1 User Guide.
• Check Point Getting Started Guide.
The preceding guides are available at the Check Point Product Documentation Web site:
http://www.checkpoint.com.
For more information about how to configure and manage a Nokia IP security platform, see:
• The IPxxx Series Installation Guide for your platform.
• The Nokia Network Voyager Reference Guide for IPSO v3.7.
The preceding documents are available at the Nokia Support Site:
http://support.nokia.com.

1 Preparing for Installation and Configuration

You can run Check Point VPN-1/FireWall-1 NG FP3 and later on platforms running IPSO v3.7.
For more information about specific features and improvements in your version of
VPN-1/FireWall-1, see the Check Point documentation and the Check Point Software Technologies
Web page: http://www.checkpoint.com.
This chapter describes how to prepare to install and configure VPN-1/FireWall-1 NG. The topics
covered are:
• Basic VPN-1/FireWall-1 Components
• Using Nokia Horizon Manager
• Installation Overview
• Determining the VPN-1/FireWall-1 Version
• Preparing the Nokia IP Security Platform
• Preparing the Network
• Obtaining Check Point Licensing
• Downloading VPN-1/FireWall-1 NG

Basic VPN-1/FireWall-1 Components


Check Point VPN-1/FireWall-1 consists of three main components:
• Enforcement Module—consists of the VPN-1/FireWall-1 software.
• SmartCenter Server (Management Server)—maintains the databases of network object
definitions, user definitions, policies, and log files for any number of Enforcement Modules.
• SMART Client (Management Client)—runs the SmartDashboard (Policy Editor), which
provides a GUI interface for the administrator to define network objects, users, and policies.
This document describes how to install and activate the Enforcement Module or the
Enforcement Module and SmartCenter Server on a Nokia appliance. It also describes how to
install the SMART Client on a Microsoft Windows 2000, XP, or NT 4.0 system.

Note
For information on how to install the VPN-1/FireWall-1 components on other platforms, see
the Check Point Getting Started Guide.

Using Nokia Horizon Manager


Nokia Horizon Manager is a secure GUI-based software-image management application. With
Horizon Manager, you can securely install and upgrade the Nokia proprietary IPSO operating
system and Check Point VPN-1/FireWall-1. Horizon Manager can perform installations and
upgrades on up to 2,500 Nokia IP security platforms, offering administrators the most rapid and
dependable upgrade to Check Point NG.
If you plan to use Horizon Manager to install or upgrade and configure VPN-1/FireWall-1, see
the Nokia Horizon Manager User’s Guide or Knowledge Base Resolution 13448 on the Nokia
Support Site: http://support.nokia.com.
For information about how to obtain Horizon Manager, see “Nokia Contact Information” on
page 3.

Installation Overview
The installation order of components depends on whether you choose a distributed environment
or a standalone installation.

Distributed and Standalone Installations


If you perform a fresh installation (not an upgrade) or have not performed the initial
configuration of the VPN-1/FireWall-1 software on your system, you can choose between a
distributed environment installation or a standalone installation. In a distributed environment,
the SmartCenter Server and the Enforcement Module are separate nodes. In a standalone
installation, the SmartCenter Server and the Enforcement Module are on a single node.

Note
If you use multiple Nokia appliances in an IP cluster or VRRP configuration, you cannot run
the SmartCenter Server and Enforcement Module on the same appliance.

To perform a distributed environment installation, use the following steps.


1. Install or upgrade and configure the SmartCenter Server.
2. Install the SMART Clients.
3. Install or upgrade and configure the Enforcement Module.

To perform a standalone installation, use the following steps.


1. Install or upgrade and configure the SmartCenter Server and Enforcement Module.
2. Install the SMART Clients.
If the current version of VPN-1/FireWall-1 is already installed on your Nokia IP security
platform, you do not need to install or upgrade the SmartCenter Server or Enforcement Module,
but you do need to activate the packages and perform the initial configuration.
These high-level steps are described in more detail in the rest of this guide.

Basic Steps for Installing or Upgrading


The following diagram shows the main steps you take to install or upgrade VPN-1/FireWall-1
on your Nokia appliance. You might not need to configure the installed Check Point applications
if you perform an upgrade.
Figure 1 Firewall Installation or Upgrade and Configuration Steps
[Flowchart. Boxes: Determine installed packages; Current FW-1 installed; FW-1 not installed;
Older version of FW-1 installed; Download and install current software; Download and upgrade
current software; Enable packages; Run cpconfig; Reboot appliance. Shaded areas indicate
steps that are automated by Nokia Horizon Manager.]

After you finish the installation and configuration, you can use the SmartDashboard application
on the SMART Client to define the network objects, users, and Security Policy. For more
information, see the Check Point Getting Started Guide.

Determining the VPN-1/FireWall-1 Version


The software on your appliance determines whether you need to skip the VPN-1/FireWall-1
installation steps, perform an upgrade, or perform a new installation.
To determine what Check Point applications are installed on your appliance, log in to the
appliance by using Voyager. From the Voyager home page, choose System Configuration >
Manage Installed Packages.
The Manage Package page lists the installed packages and the version of each package. If you do
not see any Check Point applications listed, no Check Point products are installed on your
appliance.

Preparing the Nokia IP Security Platform


To prepare your Nokia IP security platform for VPN-1/FireWall-1 NG:
• Make sure you can access the platform from Voyager and from a console or terminal
connection.
• Make sure the version of IPSO your platform is running supports the version of
VPN-1/FireWall-1 you want to use, and upgrade IPSO if necessary.
• If you have not already done so, configure the platform initial interface and the network
interfaces. For more information, see the IPxxx Series Installation Guide for your IP series
platform.
• If you need to install the VPN-1/FireWall-1 software, ensure you have at least 60 MB of free
disk space in the /opt directory.
• Confirm that you have a static host name associated with the external IP address of the
platform.
You cannot install a VPN-1/FireWall-1 license unless the external interface has a static host
name associated with it.

To add a static host name


1. Connect to the platform by using Voyager.
2. From the Voyager home page, choose System Configuration > Host Address
Assignment.
3. To add a new entry, type in the desired name and click Apply.
4. Select on or off as desired; however, do not turn off localhost.
5. Specify the host IP address (for example, 192.168.50.23).
6. Click Apply, then click Save to make the changes permanent.

Figure 2 Example Host Address Assignment

Preparing the Network


To prepare your network:
• Ensure your network is properly configured, with special emphasis on routing. Ensure
that each of the internal networks and the gateway can see each other. Log on to each of
the hosts and PING the other hosts in the internal networks.
• If you plan to install the SmartCenter Server and Enforcement Module on separate
platforms, ensure the SmartCenter Server host can PING the external IP address of the
Enforcement Module host, and the reverse.
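
The preparation items in “Preparing the Nokia IP Security Platform” and “Preparing the Network” (60 MB free in /opt, a static host name for the external address, PING reachability between hosts) can be checked in one pass before installation. The script below is an added example, not part of the Nokia guide or of IPSO. It is plain POSIX sh and assumes that static host entries are visible in a hosts-format file and that `df -kP` and `ping -c` are available; the peer addresses in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the Nokia guide): pre-installation checks for the
# preparation items listed above. File paths and peer addresses are
# assumptions; 60 MB and 192.168.50.23 are the values the guide gives.

REQUIRED_MB=60                      # guide: at least 60 MB free in /opt
PING_CMD=${PING_CMD:-"ping -c 1"}   # assumption: ping accepts -c on this system

# avail_mb_from_df: read `df -kP` output on stdin, print available space in MB.
avail_mb_from_df() {
    awk 'NR == 2 { print int($4 / 1024) }'
}

# free_mb DIR: available space, in MB, on the filesystem that holds DIR.
free_mb() {
    df -kP "$1" | avail_mb_from_df
}

# enough_space MB: succeed only if MB meets the guide's minimum.
enough_space() {
    [ "$1" -ge "$REQUIRED_MB" ]
}

# static_name_for IP HOSTS_FILE: print the first name bound to IP in a
# hosts-format file; fail if the address has no static entry.
static_name_for() {
    awk -v ip="$1" '
        { sub(/#.*/, "") }                         # ignore comments
        $1 == ip && NF >= 2 { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# unreachable_peers HOST...: print every host that does not answer one
# echo request; return non-zero if any host is listed.
unreachable_peers() {
    failed=0
    for h in "$@"; do
        if ! $PING_CMD "$h" >/dev/null 2>&1; then
            echo "$h"
            failed=1
        fi
    done
    return "$failed"
}

# preflight EXT_IP HOSTS_FILE [PEER...]: run all checks, report each result,
# and return non-zero if the platform is not ready for installation.
preflight() {
    ext_ip=$1
    hosts_file=$2
    shift 2
    not_ready=0

    mb=$(free_mb /opt)
    if enough_space "${mb:-0}"; then
        echo "OK   /opt has ${mb} MB free"
    else
        echo "FAIL /opt has ${mb:-0} MB free, need ${REQUIRED_MB} MB"
        not_ready=1
    fi

    if name=$(static_name_for "$ext_ip" "$hosts_file"); then
        echo "OK   ${ext_ip} has static host name ${name}"
    else
        echo "FAIL no static host name for ${ext_ip}; the license cannot be installed"
        not_ready=1
    fi

    if down=$(unreachable_peers "$@"); then
        echo "OK   all peers answer PING"
    else
        echo "FAIL no PING reply from:" $down
        not_ready=1
    fi
    return "$not_ready"
}

# Usage: sh preflight.sh 192.168.50.23 /etc/hosts 10.0.0.1 10.0.0.2
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Run it on each host that will carry a Check Point component; in a distributed installation, pass the other host's external address as a peer so the check covers both directions.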

Obtaining Check Point Licensing


Obtain the appropriate VPN-1/FireWall-1 license from Check Point or your vendor. Start this
process several days before the anticipated installation or upgrade. You cannot complete the
installation and configuration without a Check Point license.

Downloading VPN-1/FireWall-1 NG
Before you begin the installation, download the VPN-1/FireWall-1 software. If your appliance
already has the current VPN-1/FireWall-1 packages installed, skip this section and go to Chapter
3, “Configuring VPN-1/FireWall-1.”
The VPN-1/FireWall-1 software, documentation, and release notes are available on the Check
Point Web site: http://www.checkpoint.com. The Nokia Support Web Knowledge Base on the
Nokia Support site (http://support.nokia.com) also contains a link to the Check Point Software
Downloads Web page.
Download the following files to an FTP server:
• Comprehensive Wrapper/Bundle
Use this file to install the Enforcement Module or SmartCenter Server (or both) on a Nokia
IPSO platform. For some NG releases the wrapper is not available, and you must download
the individual package files. To run VPN-1/FireWall-1, the SVN Foundation and
VPN-1/FireWall-1 packages are required.
• Microsoft Windows SMART Client
To install the Enforcement Module or SmartCenter Server on a non-IPSO platform, download
the appropriate wrapper for that operating system.

You can download and install the Check Point products individually, but Nokia recommends
that you download and install the wrapper package since it contains all of the Check Point
products in a single, comprehensive bundle.

2 Installing or Upgrading VPN-1/FireWall-1

This chapter covers how to install or upgrade VPN-1/FireWall-1 on a Nokia IP security
platform. The installation and upgrade process is the same whether the platform hosts a
SmartCenter Server, an Enforcement Module, or both.
If you already have the current version of VPN-1/FireWall-1 installed, skip this chapter and
proceed to Chapter 3, “Configuring VPN-1/FireWall-1.”
The procedures in this chapter assume that you prepared your Nokia platform as described in
“Preparing the Nokia IP Security Platform” on page 14 and you downloaded the
VPN-1/FireWall-1 software for the IPSO operating system to an FTP server as described in
“Downloading VPN-1/FireWall-1 NG” on page 15.
The VPN-1/FireWall-1 wrapper contains the two packages that make up VPN-1/FireWall-1.
• The VPN-1/FireWall-1 package
• The SVN Foundation package
When you install by using the wrapper, both packages are installed and enabled. If you install
packages individually, be sure to install both the SVN Foundation and VPN-1/FireWall-1
packages.

Installation and Upgrade Overview


The procedures for installing or upgrading VPN-1/FireWall-1 are as follows:
1. Download, unpack, and install the VPN-1/FireWall-1 wrapper or package files.
You can use the IPSO command line or Voyager to install the Check Point packages. The
steps for doing so are the same as for any IPSO package. You can also use Nokia Horizon
Manager to automate the installation process.
2. Confirm that the VPN-1/FireWall-1 and SVN Foundation packages are installed and
enabled; then log off from the Nokia platform.
These procedures are described in “Installation and Upgrade: Detailed Procedures” on page 18.

The following table lists the Check Point products that the wrapper installs. The table also shows
the status of the package (active or not active) upon installation.

Package                                                       Status

Check Point SVN Foundation                                    Active
Check Point VPN-1/FireWall-1                                  Active
Check Point VPN-1/FireWall-1 4.1 For Backward Compatibility   Not active
Check Point Policy Server                                     Active if a previous version is installed, otherwise not active.
Check Point FloodGate-1                                       Active if a previous version is installed, otherwise not active.
Check Point UserAuthority Server                              Active if a previous version is installed, otherwise not active.

You must obtain a license for each Check Point application you plan to run on your appliance.

Installation and Upgrade: Detailed Procedures


This section contains detailed procedures for each of the steps described in “Installation and
Upgrade Overview” on page 17. You can use the IPSO command line, Voyager, or Nokia
Horizon Manager to perform the installation.

To install or upgrade VPN-1/FireWall-1 by using the IPSO command line


1. Log in to the appliance with a terminal or console connection.
2. Connect to the FTP server where you downloaded the VPN-1/FireWall-1 wrapper or
package files and copy the wrapper or package files to the hard drive of the Nokia platform.
3. End the connection with the FTP server and, if necessary, change to the local directory
where you copied the wrapper or package files.
4. Install or upgrade the package:
• To install the package, enter:
  newpkg -m LOCAL -n file_name.tgz
• To upgrade the package, enter:
  newpkg -m LOCAL -n file_name.tgz -o $FWDIR
If you are not using the wrapper to install the packages, repeat step 4 to install additional
packages.
5. Log off, then log back on.

To install or upgrade VPN-1/FireWall-1 by using Voyager


1. From the Voyager home page, click the System Configuration link, then click the Manage
Installed Packages link.
2. Click the FTP and Install Packages link.
3. Enter the host name or IP address of the FTP site where you downloaded the wrapper or
package files.
4. Enter the directory name where the files reside on the FTP site.
5. Enter the user account and password to use when you connect to the FTP site.
If you leave these fields empty, the anonymous account is used.

Note
If you specify a user account and password, you must re-enter the password whenever
you change the FTP site, FTP directory, or FTP user on future requests.

6. Click Apply.
A list of files from the specified FTP directory appears in the Site Listing field, as shown in
Figure 3.
Figure 3 Entering the FTP Information

7. Select a file from Site Listing, then click Apply.

Note
If you install packages individually, always download, unpack, and install the SVN
Foundation package (cpshared) first.

After the download completes, the package appears in the Select a Package to Unpack box.
8. Select the package, then click Apply.
The package is unpacked into the local file system.
9. Click the “Click here to install/upgrade /opt/packages/file_name.tgz” link.

10. Select one of the following options:
• To perform a fresh installation of VPN-1/FireWall-1, click Yes next to Install.
• To upgrade from a previous version of VPN-1/FireWall-1, click Yes next to Upgrade and
choose a VPN-1/FireWall-1 package to upgrade from.
11. Click Apply.
12. Click the link to return to the manage packages screen.
If you do not see the “Return to Manage Packages screen” link, wait a few seconds, and
click Apply.

Note
On the Manage Packages page, Voyager might report that the package is successfully
installed before the installation process is complete.

For the wrapper installation, a list of installed packages appears on the Manage Packages
page after the installation is complete. If you do not see the full list of packages, wait a few
minutes and click Apply.
If you are installing individual packages, repeat step 7 through step 12 until you have
installed all the desired packages.

To confirm the installation


After you install VPN-1/FireWall-1:
1. Confirm that Check Point SVN Foundation NG appears under the Applications heading and
that On is selected.
If the package is not on, click On, and then click Apply.
2. Confirm that Check Point VPN-1/FireWall-1 NG appears under the Security Applications
heading and that On is selected.
If the package is not on, click On, and then click Apply.
3. Click Logout to log off from the Nokia platform, and then log back in from the Login page.
When you enable the packages, Voyager sets new environment variables that are necessary
for executing firewall commands. However, they do not take effect until the next time you
log on. This is why you need to log off after you enable the packages.

Note
To run the firewall services, you must have both the VPN-1/FireWall-1 and SVN
Foundation packages enabled. Whenever you enable the packages, enable the SVN
Foundation package first and then the VPN-1/FireWall-1 package.

You are now ready to configure VPN-1/FireWall-1. If you upgraded VPN-1/FireWall-1 from an
earlier version, see Chapter 4, “Installing SMART Clients,” unless you want to change the
configuration.

3 Configuring VPN-1/FireWall-1

This chapter describes how to perform an initial configuration of VPN-1/FireWall-1 on a Nokia
IP security platform.
If you performed a VPN-1/FireWall-1 upgrade, you can skip this chapter. If you performed a
new installation of VPN-1/FireWall-1, or if you have never performed an initial configuration of
VPN-1/FireWall-1, you must specify which Check Point components to run on the appliance
and provide some administrative information about the components you select. You must
complete the procedures described in this chapter before VPN-1/FireWall-1 services are
available.

Configuration Overview
The cpconfig program is an interactive configuration wizard that guides you through the steps of
licensing and configuring the software. You can also use Nokia Horizon Manager to configure
the Check Point products on one or more platforms.

To use cpconfig to configure the VPN-1/FireWall-1 software


1. Confirm that both the VPN-1/FireWall-1 package and the SVN Foundation package are
enabled.
If they are not, enable them and then log off. For details, see “To enable the
VPN-1/FireWall-1 packages” on page 22.
2. Using a console or terminal connection, log on to the Nokia platform and run cpconfig.
For details on how to respond to cpconfig prompts, see “Using the cpconfig Utility” on page
22.
3. Reboot the system when prompted to do so.
4. If necessary, re-establish connectivity to Voyager.

Note
When the VPN-1/FireWall-1 services start after the host is rebooted, a default security
policy is loaded. The default policy blocks all remote access to the host, except access
by the VPN-1/FireWall-1 SmartCenter Server. If you need to regain Voyager access to
the host before you push a security policy to the firewall, see “Re-establishing Remote
Access” on page 26.

If Voyager is in SSL encryption mode, consult the Check Point VPN-1/FireWall-1
Release Notes on how to maintain a Voyager connection after you run cpconfig.

Using Nokia Horizon Manager for the Initial Configuration


Nokia Horizon Manager can perform the initial configuration of Check Point applications on
multiple Nokia platforms simultaneously. Nokia Horizon Manager also exchanges information
with Check Point SmartCenter Server to keep the Check Point database current with information
about the newly added appliances.

Detailed Procedures
This section contains detailed procedures for each of the major steps for performing the initial
configuration through the cpconfig utility.

To enable the VPN-1/FireWall-1 packages


1. To enable the Check Point SVN Foundation package (listed under Applications), click On,
and then click Apply.
2. To enable the Check Point VPN-1/FireWall-1 package (listed under Security Applications),
click On, and then click Apply.
3. Click Save and then log off.
Use the preceding procedure whenever you enable the VPN-1/FireWall-1 packages. Always
enable the SVN Foundation package first.
When the packages are enabled, environment variables are set. Log out and then log in for the
environment variables to take effect.

Using the cpconfig Utility


The following procedures guide you through an initial configuration of VPN-1/FireWall-1.
Please note:
• The configuration options vary according to whether you configure a SmartCenter Server or
an Enforcement Module. The following procedures show all options, as if you were
configuring a standalone installation (SmartCenter Server and Enforcement Module on the
same host).
• The text for the configuration options varies slightly depending on which version of
VPN-1/FireWall-1 is installed.
• Not all options are configured during the initial configuration. For information about
additional options, see the Check Point Getting Started Guide.

To perform an initial configuration


1. Log in to the host from a console connection.
2. At the command prompt, enter cpconfig.
The following text appears:
Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...

3. Press Enter to read the license agreement, and then enter y to accept it:
Do you accept all the terms of this license agreement (y/n)? y

4. When you are prompted to select an installation type, enter the appropriate number.
Select installation type:
-------------------------
(1) Enforcement Module.
(2) Enterprise SmartCenter.
(3) Enterprise SmartCenter and Enforcement Module.
(4) Enterprise Log Server.
(5) Enforcement Module and Enterprise Log Server.

Enter your selection (1-5/a-abort) [1]: 3

5. Select whether the Enterprise SmartCenter is the primary or secondary Enterprise
SmartCenter.
The secondary Enterprise SmartCenter manages one or more firewalls only if the primary
Enterprise SmartCenter fails.
Please select SmartCenter type:
------------------------------
(1) Enterprise Primary SmartCenter.
(2) Enterprise Secondary SmartCenter.

Enter your selection (1-2/a-abort) [1]: 1

After a few minutes, the following output appears.


IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you
will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by
running cpconfig

6. Enter y to add a license and fill in the license information, or enter n to complete the license
information later.
Configuring Licenses...
=======================
Host Expiration Signature Features

Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.

Do you want to add licenses (y/n) [y]? y

Do you want to add licenses [M]anually or [F]etch from file: m


IP Address: x.x.x.x
Expiration Date: xxx xxx
Signature Key: xxxxxxxxxxxxxxxxx
SKU/Features: xxxxxxxxxxxxxxxxx
License was added successfully
License will be put into kernel after cpstart

7. Define administrator names, passwords, and permissions.
At this point, you must define at least one administrator with complete access permissions
(option w). You can add additional administrators later by rerunning cpconfig.
Configuring Administrators...
=============================
No Check Point products Administrators are currently
defined for this SmartCenter Server.
Do you want to add administrators (y/n) [y]? y
Administrator name: admin
Password: *******
Verify Password: ********
Permissions for all SMART Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized) w
Permission to Manage Administrators ([Y]es, [N]o) y
Administrator admin was added successfully and has
Read/Write Permission for all SMART Clients with Permission to Manage Administrators
Add another one (y/n) [n]? n

8. Define the SMART Clients that can access the SmartCenter Server.
You may have as many client GUIs on as many desktops as you desire. However, you need
to provide the IP address or name of each client to cpconfig before the clients can access the
SmartCenter Server.
If you do not specify at least one SMART Client, you can manage the SmartCenter Server
only through a client installed on the same host.
You can rerun cpconfig at any time to add additional clients.
When you enter client information:
- You can use asterisks as wild cards in the IP address or name: for example, 10.5.20.* or
*.nokia.com.
- You can use a hyphen to indicate a range of IP addresses. For example, 10.10.10.20 -
10.10.10.22.
- To add individual clients, enter one client per line.
- When you finish entering clients, type the termination character (Ctrl + d) on a separate
line.


Configuring Management Clients...
=================================
Management clients are trusted hosts from which
Administrators are allowed to log on to this Management Station
using Windows/X-Motif GUI.

No Management clients defined

Do you want to add a Management client (y/n) [y] ? y


Please enter the list hosts that will be Management clients.
Enter hostname or IP address, one per line, terminating with CTRL-D or your EOF
character.
192.168.10.34
Is this correct (y/n) [y]? y

9. As part of configuring the certificate authority, type random text at a random pace until you
hear a beep.
The timing latency between your keystrokes is used to generate cryptographic data.
VPN-1/FireWall-1 uses certificates for secure internal communication (SIC) between the
SmartCenter Server and the Enforcement Modules.
Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in various cryptographic
operations.
Please enter random text containing at least six different characters. You will
see the '*' symbol after keystrokes that are too fast or too similar to preceding
keystrokes. These keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[....................]

Thank you.

10. Define the fully qualified domain name of the management server and initialize the
Certificate Authority.
Configuring Certificate Authority...
====================================

The FQDN (Fully Qualified Domain Name) of this Management Server
is required for proper operation of the Internal Certificate Authority.

Would you like to define it now (y/n) [y] ? y


The FQDN of this Management Server is nokia-fw.foo.bar.com
Do you want to change it (y/n) [n] ? n

NOTE: If the FQDN is incorrect, the Internal CA cannot function properly,
and CRL retrieval will be impossible.

Press 'Enter' to send it to the Certificate Authority...

Trying to contact CA. It can take up to 4 seconds...


FQDN initialized successfully

The FQDN was successfully sent to the CA


11. To save the fingerprint of the SmartCenter Server to a file, type y and provide the name of
the file.
Configuring Certificate's Fingerprint...
========================================
The following text is the fingerprint of this Management machine:
CRAB GAG SILL HAW ROOM FULL MISS GREW JOEL TOIL LINT FISH
Do you want to save it to a file? (y/n) [n]? y
Please enter the file name [/opt/CPshared-50-02/conf]: fingerprint.txt
The fingerprint will be saved as /opt/CPshared-50-02/conf/fingerprint.txt
Are you sure? (y/n) [n]? y
The fingerprint was successfully saved.

12. When the cpconfig prompt asks if you want to reboot the system, enter y.
generating SMART Clients INSPECT code
initial_management:
Compiled OK.
Hardening OS Security: Initial policy will be applied
until the first policy is installed
In order to complete the installation
you must reboot the machine.
Do you want to reboot? (y/n) [y]? y
cleaning up...
syncing disks... done
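
The client-entry forms accepted in step 8 (single host, asterisk wildcard, hyphenated range), as an added example that is not part of the original guide or of Check Point's code: it parses a list of entries, checks whether a given client would match, and flags entries broad enough to be worth tightening. The function names, the limit threshold, and the treatment of an asterisk as matching any run of characters are assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample list using the entry forms from step 8. Assumption: '*' matches any run of characters.
ENTRIES = ["10.5.20.*", "*.nokia.com", "10.10.10.20 - 10.10.10.22", "192.168.10.34"]

def parse_entry(entry):
    """Classify an entry as ('range', lo, hi), ('wildcard', pattern) or ('host', name)."""
    text = entry.strip().lower()
    lo, dash, hi = text.partition("-")
    if dash and "*" not in text:
        try:
            lo_ip, hi_ip = (ipaddress.IPv4Address(p.strip()) for p in (lo, hi))
        except ValueError:
            pass  # a hostname that merely contains a hyphen
        else:
            if lo_ip > hi_ip:
                raise ValueError(f"reversed range: {entry!r}")
            return ("range", lo_ip, hi_ip)
    return ("wildcard", text) if "*" in text else ("host", text)

def is_allowed(entries, ip, hostname=""):
    """True if the client's IP address or resolved name matches any entry."""
    addr = ipaddress.IPv4Address(ip)
    names = [n for n in (ip, hostname.lower()) if n]
    for kind, *val in map(parse_entry, entries):
        if kind == "range" and val[0] <= addr <= val[1]:
            return True
        if kind == "wildcard" and any(fnmatchcase(n, val[0]) for n in names):
            return True
        if kind == "host" and val[0] in names:
            return True
    return False

def address_count(entry):
    """IPv4 addresses an entry admits; None if a name pattern leaves it unbounded."""
    kind, *val = parse_entry(entry)
    if kind == "range":
        return int(val[1]) - int(val[0]) + 1
    if kind == "host":
        return 1
    octets = val[0].split(".")
    if len(octets) == 4 and all(o == "*" or o.isdigit() for o in octets):
        return 256 ** octets.count("*")
    return None

def audit(entries, limit=16):
    """Entries that admit more than `limit` addresses, or an unbounded set of names."""
    return [e for e in entries if (n := address_count(e)) is None or n > limit]
```

Running audit over the sample list returns the two wildcard entries, which are the ones to review before granting SmartCenter Server access.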

Re-establishing Remote Access


VPN-1/FireWall-1 services automatically start after the host reboots. When the services start for
the first time, a default policy loads that blocks all remote access to the firewall, other than
SmartCenter Server access.
You can regain Voyager access by using the SmartDashboard to define a Security Policy and
pushing it to the firewall.
To regain Voyager access to the firewall before you define a new Security Policy, perform the
following procedure.
1. From a console connection, enter cpstop.
2. Connect with Voyager and perform the required administrative functions.
3. Enter cpstart from the console connection to restart the firewall services.



4 Installing SMART Clients

This chapter describes how to install a SMART Client (the Check Point Policy Editor GUI). You
can install SMART Clients on as many Microsoft Windows 2000, XP, or NT 4.0 desktops as
you desire.

To install the SMART Client on a Windows platform


1. Close any Check Point applications running on the Windows platform.
2. Download the VPN-1/FireWall-1 SMART Client software into a temporary folder on the
Windows computer.
The SMART Client software is available at the Check Point Downloads Web site at
http://www.checkpoint.com.
3. Unzip the file, and double-click setup.exe.
The Installation Wizard opens. Accept the default values by clicking Next.
4. When the installation sequence is complete, the SmartDashboard logon screen appears.


Testing Connectivity
Before you can connect to the SmartCenter Server with the SmartDashboard, you must have
specified the IP address of the Windows host when you configured the SmartCenter Server.
For more information, see step 8 from “Using the cpconfig Utility.”

To test connectivity
1. Enter the administrative username and password you specified when you configured the
SmartCenter Server.
2. In the SmartCenter Server field, enter the IP address of the SmartCenter Server.
Select the Read Only option to allow others access to the SmartCenter Server while you
view information.

3. Click OK.
A successful connection indicates that you installed the SMART Client and SmartCenter
Server correctly.
