IPSO37
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or
registered trademarks of their respective holders.
030114
Americas
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Email: tac.support@nokia.com
Europe, Middle East, and Africa
Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908; France: +33 170 708 166
Email: ipsecurity.emea@nokia.com
Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897
021216
2 Installing or Upgrading VPN-1/FireWall-1 ..... 17
  Installation and Upgrade Overview ..... 17
  Installation and Upgrade: Detailed Procedures ..... 18
3 Configuring VPN-1/FireWall-1 ..... 21
  Configuration Overview ..... 21
  Using Nokia Horizon Manager for the Initial Configuration ..... 22
  Detailed Procedures ..... 22
  Using the cpconfig Utility ..... 22
  Re-establishing Remote Access ..... 26
This guide describes how to install, upgrade, and initially configure Check Point
VPN-1/FireWall-1 NG. This guide focuses on the steps required to bring up VPN-1/FireWall-1
on Nokia IP security platforms; it is not intended to be a complete guide to how to configure or
manage VPN-1/FireWall-1 services. For information about these subjects, see the Check Point
Getting Started Guide and the Check Point FireWall-1 Guide, available from the Check Point
Web site.
This preface provides the following information:
! In This Guide
! Conventions This Guide Uses
! Related Documentation
In This Guide
This guide is organized into the following chapters:
! Chapter 1, “Preparing for Installation and Configuration,” contains an overview of the
installation process and describes how to prepare to install and configure VPN-1/FireWall-1.
! Chapter 2, “Installing or Upgrading VPN-1/FireWall-1,” describes how to use Nokia
Network Voyager or the command-line interface to install the Check Point applications on
your appliance.
! Chapter 3, “Configuring VPN-1/FireWall-1,” describes how to use the cpconfig utility to
perform the initial VPN-1/FireWall-1 configuration.
! Chapter 4, “Installing SMART Clients,” describes how to install the Check Point GUI on a
Microsoft Windows system.
To set up a new installation of VPN-1/FireWall-1 on a Nokia appliance, read all of the chapters
in this guide. If your Nokia appliance comes with the latest version of VPN-1/FireWall-1
installed, you can skip Chapter 2. If you plan to upgrade from an earlier version of the Check
Point software, you can skip Chapter 3.
Note
If you do not know which version of VPN-1/FireWall-1 is on your appliance, see
“Determining the VPN-1/FireWall-1 Version” on page 14.
Notices
Note
Notes provide information of special interest or recommendations.
Text Conventions
The following table describes the text conventions this guide uses.
Convention           Description
bold monospace font  Indicates text you enter or type, for example:
                     # cpconfig
Key names            Keys that you press simultaneously are linked by a plus sign (+):
                     Press Ctrl + Alt + Del.
Menu commands        Menu commands are separated by a greater than sign (>):
                     Choose File > Open.
The words enter      Enter indicates you type something and then press the Return or
and type             Enter key. Do not press the Return or Enter key when an
                     instruction says type.
Related Documentation
For more information about VPN-1/FireWall-1, see the following documents:
! Check Point FireWall-1 User Guide.
! Check Point Getting Started Guide.
The preceding guides are available at the Check Point Product Documentation Web site:
http://www.checkpoint.com.
For more information about how to configure and manage a Nokia IP security platform, see:
! The IPxxx Series Installation Guide for your platform.
! The Nokia Network Voyager Reference Guide for IPSO v3.7.
The preceding documents are available at the Nokia Support Site:
http://support.nokia.com.
You can run Check Point VPN-1/FireWall-1 NG FP3 and later on platforms running IPSO v3.7.
For more information about specific features and improvements in your version of
VPN-1/FireWall-1, see the Check Point documentation and the Check Point Software Technologies
Web page: http://www.checkpoint.com.
This chapter describes how to prepare to install and configure VPN-1/FireWall-1 NG. The topics
covered are:
! Basic VPN-1/FireWall-1 Components
! Using Nokia Horizon Manager
! Installation Overview
! Determining the VPN-1/FireWall-1 Version
! Preparing the Nokia IP Security Platform
! Preparing the Network
! Obtaining Check Point Licensing
! Downloading VPN-1/FireWall-1 NG
Note
For information on how to install the VPN-1/FireWall-1 components on other platforms, see
the Check Point Getting Started Guide.
Installation Overview
The installation order of components depends on whether you choose a distributed environment
or a standalone installation.
Note
If you use multiple Nokia appliances in an IP cluster or VRRP configuration, you cannot run
the SmartCenter Server and Enforcement Module on the same appliance.
Figure (installation flow): Determine installed packages; Reboot appliance.
After you finish the installation and configuration, you can use the SmartDashboard application
on the SMART Client to define the network objects, users, and Security Policy. For more
information, see the Check Point Getting Started Guide.
Downloading VPN-1/FireWall-1 NG
Before you begin the installation, download the VPN-1/FireWall-1 software. If your appliance
already has the current VPN-1/FireWall-1 packages installed, skip this section and go to Chapter
3, “Configuring VPN-1/FireWall-1.”
The VPN-1/FireWall-1 software, documentation, and release notes are available on the Check
Point Web site: http://www.checkpoint.com. The Nokia Support Web Knowledge Base on the
Nokia Support site (http://support.nokia.com) also contains a link to the Check Point Software
Downloads Web page.
Download the following files to an FTP server:
! Comprehensive Wrapper/Bundle
Use this file to install the Enforcement Module or SmartCenter Server (or both) on a Nokia
IPSO platform. For some NG releases the wrapper is not available, and you must download
the individual package files. To run VPN-1/FireWall-1, the SVN Foundation and
VPN-1/FireWall-1 packages are required.
! Microsoft Windows SMART Client
To install the Enforcement Module or SmartCenter Server on a non-IPSO platform, download
the appropriate wrapper for that operating system.
You can download and install the Check Point products individually, but Nokia recommends
that you download and install the wrapper package since it contains all of the Check Point
products in a single, comprehensive bundle.
The following table lists the Check Point products that the wrapper installs. The table also shows
the status of the package (active or not active) upon installation.
Package Status
You must obtain a license for each Check Point application you plan to run on your appliance.
Note
If you specify a user account and password, you must re-enter the password whenever
you change the FTP site, FTP directory, or FTP user on future requests.
6. Click Apply.
A list of files from the specified FTP directory appears in the Site Listing field, as shown in
Figure 3.
Figure 3 Entering the FTP Information
Note
If you install packages individually, always download, unpack, and install the SVN
Foundation package (cpshared) first.
After the download completes, the package appears in the Select a Package to Unpack box.
8. Select the package, then click Apply.
The package is unpacked into the local file system.
9. Click the “Click here to install/upgrade /opt/packages/file_name.tgz” link.
Note
On the Manage Packages page, Voyager might report that the package is successfully
installed before the installation process is complete.
For the wrapper installation, a list of installed packages appears on the Manage Packages
page after the installation is complete. If you do not see the full list of packages, wait a few
minutes and click Apply.
If you are installing individual packages, repeat step 7 through step 12 until you have
installed all the desired packages.
Note
To run the firewall services, you must have both the VPN-1/FireWall-1 and SVN
Foundation packages enabled. Whenever you enable the packages, enable the SVN
Foundation package first and then the VPN-1/FireWall-1 package.
You are now ready to configure VPN-1/FireWall-1. If you upgraded VPN-1/FireWall-1 from an
earlier version, see Chapter 4, “Installing SMART Clients,” unless you want to change the
configuration.
Configuration Overview
The cpconfig program is an interactive configuration wizard that guides you through the steps of
licensing and configuring the software. You can also use Nokia Horizon Manager to configure
the Check Point products on one or more platforms.
Note
When the VPN-1/FireWall-1 services start after the host is rebooted, a default security
policy is loaded. The default policy blocks all remote access to the host, except access
by the VPN-1/FireWall-1 SmartCenter Server. If you need to regain Voyager access to
the host before you push a security policy to the firewall, see “Re-establishing Remote
Access” on page 26.
Detailed Procedures
This section contains detailed procedures for each of the major steps for performing the initial
configuration through the cpconfig utility.
3. Press Enter to read the license agreement, and then enter y to accept it:
Do you accept all the terms of this license agreement (y/n)? y
4. When you are prompted to select an installation type, enter the appropriate number.
Select installation type:
-------------------------
(1) Enforcement Module.
(2) Enterprise SmartCenter.
(3) Enterprise SmartCenter and Enforcement Module.
(4) Enterprise Log Server.
(5) Enforcement Module and Enterprise Log Server.
6. Enter y to add a license and fill in the license information, or enter n to complete the license
information later.
Configuring Licenses...
=======================
8. Define the SMART Clients that can access the SmartCenter Server.
You may have as many client GUIs on as many desktops as you desire. However, you need
to provide the IP address or name of each client to cpconfig before the clients can access the
SmartCenter Server.
If you do not specify at least one SMART Client, you can manage the SmartCenter Server
only through a client installed on the same host.
You can rerun cpconfig at any time to add additional clients.
When you enter client information:
! You can use asterisks as wild cards in the IP address or name: for example, 10.5.20.* or
*.nokia.com.
! You can use a hyphen to indicate a range of IP addresses. For example, 10.10.10.20 -
10.10.10.22.
! To add individual clients, enter one client per line.
! When you finish entering clients, type the termination character (Ctrl + d) on a separate
line.
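The wildcard and range forms in this step decide which hosts may reach the SmartCenter Server, so an entry list is worth checking before you type Ctrl + d. The following added example is not Check Point's or Nokia's code: the GUI-clients list is constructed, and the matching rules are modelled only from the bullets above. It resolves a connecting address or hostname against such a list and reports how many addresses each IP entry admits:

```python
import ipaddress
import re

# Constructed GUI-clients list in the forms cpconfig accepts: an IP wildcard,
# a hostname wildcard, a hyphenated IP range, and a single host.
GUI_CLIENTS = ["10.5.20.*", "*.nokia.com", "10.10.10.20 - 10.10.10.22", "192.168.1.7"]

def parse_range(entry):
    """Return (lo, hi) for an 'a.b.c.d - w.x.y.z' entry, else None."""
    parts = [p.strip() for p in entry.split("-")]
    if len(parts) != 2:
        return None
    try:
        lo, hi = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
    except ipaddress.AddressValueError:
        return None  # the hyphen belongs to a hostname such as my-host.nokia.com
    return (lo, hi) if lo <= hi else (hi, lo)

def wildcard_match(pattern, value):
    """'*' is the only metacharacter; everything else matches literally."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def entry_matches(entry, client):
    """True if one list entry admits the connecting IP address or hostname."""
    rng = parse_range(entry)
    if rng is not None:
        try:
            return rng[0] <= ipaddress.IPv4Address(client.strip()) <= rng[1]
        except ipaddress.AddressValueError:
            return False  # ranges are IP-only; a hostname never matches one
    return wildcard_match(entry.strip(), client.strip())

def client_allowed(client, entries=GUI_CLIENTS):
    return any(entry_matches(e, client) for e in entries)

def entry_breadth(entry):
    """Number of IPv4 addresses an entry admits, or None for hostname patterns.
    Reviewing this before Ctrl + d catches entries like '10.*.*.*' that open
    the SmartCenter Server to far more hosts than intended."""
    rng = parse_range(entry)
    if rng is not None:
        return int(rng[1]) - int(rng[0]) + 1
    octets = entry.strip().split(".")
    if len(octets) == 4 and all(o == "*" or o.isdigit() for o in octets):
        return 256 ** octets.count("*")
    return None
```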
9. As part of configuring the certificate authority, type random text at a random pace until you
hear a beep.
The timing latency between your keystrokes is used to generate cryptographic data.
VPN-1/FireWall-1 uses certificates for secure internal communication (SIC) between the
SmartCenter Server and the Enforcement Modules.
Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in various cryptographic
operations.
Please enter random text containing at least six different characters. You will
see the '*' symbol after keystrokes that are too fast or too similar to preceding
keystrokes. These keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[....................]
Thank you.
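The '*' feedback in this step is a quality filter on the timing entropy, not a typing error. The following added example is a model written for this guide, not Check Point's code: the thresholds and the keystroke log are constructed, and the filter is built only from the prompt text above. It shows why bursts and evenly spaced keystrokes are discarded before the accepted timings are hashed into seed material:

```python
import hashlib

# Constructed thresholds for this model; the real cpconfig values are not on the page.
MIN_GAP_MS = 40     # a gap shorter than this is a burst or keyboard auto-repeat
MIN_DIFF_MS = 10    # a gap this close to the previous accepted gap is "similar"
BAR_LENGTH = 20     # the [....................] bar has 20 cells
MIN_DISTINCT = 6    # "at least six different characters"

def collect_random_pool(keystrokes):
    """Filter a (char, time_ms) log the way the cpconfig prompt describes.
    Returns (full, echo, seed_hex): echo has '.' per accepted and '*' per
    ignored keystroke; seed_hex is a SHA-256 over the accepted timings."""
    accepted, chars, echo = [], set(), []
    last_t = last_gap = None
    for ch, t in keystrokes:
        if last_t is None:
            last_t = t  # the first key only sets the reference time
            continue
        gap, last_t = t - last_t, t
        too_fast = gap < MIN_GAP_MS
        too_similar = last_gap is not None and abs(gap - last_gap) < MIN_DIFF_MS
        if too_fast or too_similar:
            echo.append("*")  # ignored: little unpredictable timing in it
            continue
        accepted.append((ch, gap))
        chars.add(ch)
        last_gap = gap
        echo.append(".")
        if len(accepted) >= BAR_LENGTH and len(chars) >= MIN_DISTINCT:
            break
    full = len(accepted) >= BAR_LENGTH and len(chars) >= MIN_DISTINCT
    if not full:
        return False, "".join(echo), None
    material = b"".join(g.to_bytes(4, "big") + c.encode() for c, g in accepted)
    return True, "".join(echo), hashlib.sha256(material).hexdigest()

def constructed_session():
    """Constructed keystroke log: three auto-repeat bursts, one gap that is
    'too similar' to the previous one, then naturally varied typing."""
    gaps = [15, 15, 15, 120, 125, 95, 210, 60, 150, 300, 85, 130, 175, 240,
            70, 190, 110, 260, 55, 140, 220, 100, 165, 280, 90, 205]
    text = "the quick brown fox jumps over"
    log, t = [(text[0], 0)], 0
    for ch, gap in zip(text[1:], gaps):
        t += gap
        log.append((ch, t))
    return log
```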
10. Define the fully qualified domain name of the management server and initialize the
Certificate Authority.
Configuring Certificate Authority...
====================================
11. To save the fingerprint of the SmartCenter Server to a file, type y and provide the name of
the file.
Configuring Certificate's Fingerprint...
========================================
The following text is the fingerprint of this Management machine:
CRAB GAG SILL HAW ROOM FULL MISS GREW JOEL TOIL LINT FISH
Do you want to save it to a file? (y/n) [n]? y
Please enter the file name [/opt/CPshared-50-02/conf]: fingerprint.txt
The fingerprint will be saved as /opt/CPshared-50-02/conf/fingerprint.txt
Are you sure? (y/n) [n]? y
The fingerprint was successfully saved.
12. When the cpconfig prompt asks if you want to reboot the system, enter y.
generating SMART Clients INSPECT code
initial_management:
Compiled OK.
Hardening OS Security: Initial policy will be applied
until the first policy is installed
In order to complete the installation
you must reboot the machine.
Do you want to reboot? (y/n) [y]? y
cleaning up...
syncing disks... done
This chapter describes how to install a SMART Client (the Check Point Policy Editor GUI). You
can install SMART Clients on as many Microsoft Windows 2000, XP, or NT 4.0 desktops as
you desire.
Testing Connectivity
Before you can connect to the SmartCenter Server with SmartDashboard, the IP address of the
Windows host must be one of the SMART Clients you specified when you configured the
SmartCenter Server. For more information, see step 8 of “Using the cpconfig Utility.”
To test connectivity
1. Enter the administrative username and password you specified when you configured the
SmartCenter Server.
2. In the SmartCenter Server field, enter the IP address of the SmartCenter Server.
Select the Read Only option to allow others access to the SmartCenter Server while you
view information.
3. Click OK.
A successful connection indicates that you installed the SMART Client and SmartCenter
Server correctly.