The objective of this article is to demonstrate how to setup checkpoint trail software on vm- workstation for testing purpose. Below lab scenario we will setup and configure on laptop.
Pre-requisites to setup lab environment are:-
- Software required: –
- Checkpoint iso image
- Vyatta router image
- Checkpoint smart console package
- Laptop with minimum 4 GB ram , recommendation is at least 8 GB
- Loop back adapter with IP address from 192.168.70.x/24 subnet
Lab topology
- Management network – 192.168.70.x/24 – VMNET 0
- Inside network – 136.1.121.1.0/24 – VMNET 1
- DMZ network – 136.1.122.0/24 – VMNET2
IP Schema
- 1. Firewall
- Eth0/1–136.1.121.12/24 – connected to vmware VMNET1
- Eth0/0 – 136.1.122.12/24 – connected to vmware VMNET2
- Eth0/12 – 192.168.70.12/24 – connected to vmware VMNET0
- 2. Router R1
- Eth0 – 136.1.121.1/24 – connected to VMNET1
- Lo1 – 150.1.1.1/32
- 3. Router R2
- Eth0 – 136.1.122.2/24 – connected to VMNET2
- Lo1 – 150.1.2.2/32
- 4. Default gateway
- Ip -> 136.1.122.2
Lab activities – Distributed installation
- Installation of loop back adapter on your laptop
- Installation of vmware workstation 10 and activate using demo license files
- If you do not have required files. Go to
www.training.firm.in/download to download required files
- If you do not have required files. Go to
- Installation of Security gateway
- Initial configuration of security gateway as per topology depicted above
- Installation of security management
- Initial configuration on security management as topology depicted above
- Installation of R1 and R2 as per above mentioned topology and ip schema
- Virtual networking for SG, SM, R1 and R2
- Installation of dashboard and other GUI tools on your laptop
- Initial (test policy) to test if firewall is installed and configured properly
- Test cases
Activity -1 Installation of loop back adapter on your laptop
Go to windows->Run-> and type “hdwwiz” command to launch hardware wizard and click on next
Select hardware from the available list – refer screen below
Select network adapter and click next to install Microsoft loop back adapter
Once installed Microsoft loop back adapter will appear in network connection panels. Rename adapter to lab and assign ip address (192.168.70.15/24)
Activity -2 Installation of vmware workstation 10 and activate using demo license files
Complete the activity by installing VMware workstation executable file and activate with demo license provided to you. In case if you don’t have required files please contact troika systems.
If during installation you face some issues please check with your trainer or else you can google about problem statement for probable solution.
You should have Microsoft loop back adapter and vmware installed on your machine in order to move furth
Activity 3 Installation of Security management virtual appliance
Open vmware workstation and define new folder – checkpoint lab
Navigate checkpoint installation files and right click “Check_Point_SG_R77_VE.ovf”
Name the virtual machine and define installation directory for checkpoint Security management installation and click on import
Once import is successful, your checkpoint virtual security appliance is ready to use. Before you start your virtual machine we need to modify bridge adapter settings
Go to edit-> virtual network adapters and select vmnet0 to bridge with Microsoft loopback adapter. Make sure you follow screen as below else you will not be able to access security management machine from your laptop.
Once you are done with vmnet0 bridge settings you need to assign one of the virtual machine adapters to vmnet0. For security management we are using only one interface “eth0” , only change network settings for eth0 to vmnet0
Go to edit virtual machine settings -> select 1st network adapter -> custom and select vmnet0
Note: for laptops with 8 GB RAM , you can change memory allocation from 1GB to 2GB from same screen, once done power on your virtual appliance.
Login details for checkpoint virtual appliance
Username – admin
Password – admin
Default ip address – 192.168.1.1/24 on eth0
We need to change eth0 ip address from 192.1681.1./24 to 192.168.70.1/24 .. Use below commands to change ip address and view new assigned ip address.
Show interfaces all
Show interface eth0
Set interface eth0 ipv4-address 192.168.70.1 mask-length 24
You can now take web access to checkpoint security management from your laptop at https://192.168.70.12
We are done with installation of security management virtual appliance.
Activity 6 – Initial configuration on security management as topology depicted above
Login to checkpoint web console using username ‘admin’ and password ‘admin’ for initial configuration. Initial configuration includes
- Change default password
- Hostname configuration
- Installation type – standalone or distributed
- Security management administrator configuration
- GUI client access control configuration
Click on next and change default password from ‘admin’ to ‘admin123’. Click on next and validate the management interface configuration
Click on next to change the host name of the security management appliance. Change the name and click on next for date and time configuration.
Note: please ensure you check on time settings.. if not correct change time zone and set it manually. If not defined correctly, you may encounter issues while logging from smart dashboard.
Click next to continue and select the installation type. For this lab our deployment scenario is distributed. Select only security management and do not change rest of configuration settings.
Click on next to configure security management administrator and GUI client access control (administrator ip address to be allowed to access security management from smart dashboard)
Click next to finish the initial configuration
Congratulations we have successfully installed and configured checkpoint security management virtual appliance.
Activity 7 Installation of Security gateway virtual appliance
Open vmware workstation and define new folder – checkpoint lab
Navigate checkpoint installation files and right click “Check_Point_SG_R77_VE.ovf”
Name the virtual machine and define installation directory for checkpoint Security management installation and click on import
Once import is successful, your checkpoint virtual security appliance is ready to use. Before you start your virtual machine we need to modify bridge adapter settings
Change interface settings as per lab topology diagram and ip schema and assign adapters to respective virtual switches (Vmnets)
“Make sure virtual adapter to be assigned to Vmnets as depicted above else you may encounter issues in lab”
Note: for laptops with 8 GB RAM , you can change memory allocation from 1GB to 2GB from same screen, once done power on your virtual appliance.
Login details for checkpoint virtual appliance
Username – admin
Password – admin
Default ip address – 192.168.1.1/24 on eth0
Assign management ip address on eth2 from CLI using below commands
Delete interface eth0 ipv4-address
Set interface eth2 ipv4-address 192.168.70.12 mask-length 24
Set interface eth2 state on
Show interface eth2
You can now take web access to checkpoint security gateway from your laptop at https://192.168.70.12
We are done with installation of security gateway virtual appliance.
Activity 8 – Initial configuration on security management as topology depicted above
Login to checkpoint web console using username ‘admin’ and password ‘admin’ for initial configuration. Initial configuration includes
- Change default password
- Hostname configuration
- Installation type – standalone or distributed
- Security gateway administrator configuration
- SIC configuration
Click on next and change default password from ‘admin’ to ‘admin123’. Click on next and validate the management interface configuration
Click next to continue and select the installation type. For this lab our deployment scenario is distributed. Select only “security gateway”and do not change rest of configuration settings.
For DIAP configuration select no and click on next to configure SIC key , define admin123 SIC key. Configuration is required to initialize SG-SM configuration
Click finish to complete initial configuration of security gateway
Congratulations we have successfully installed and configured checkpoint security gateway virtual appliance
Configure eth1 and eth0 and routing as per topology layout and IP schema..
Define routing ad per lab topology and ip schema. Default gateway should point towards 136.1.122.2 in this scenario
Go to network management -> ipV4 Static Routes -> edit default route
Congratulations we have successfully configured checkpoint security gateway virtual appliance as per our lab topology.
Activity -7 installation of R1 and R2 as per above mentioned topology and ip schema
Go to vmware workstation dashboard and navigate File-> New Virtual Machine, select typical installation type and provide path to vyatta_router iso file.
Click on next to define virtual machine parameters including name, disk size, hardware resources allocation (if any) and power on the virtual machine
Once powered on we need to install vyatta OS on the disk for persistence usage. Login with username “vyatta” and password “vyatta” and type “install system” command to install vyatta OS
While installation make sure you go ahead with default parameters and before installation is successful wizard will ask you to keep new password for vyatta user. Provide new password and keep note of it.
Once installed assign vyatta VM network adapter to vmnet1.. Refer topology for more details on this configuration item.
Perform initial configuration on R1 as per lab topology and ip schema.. Basic configuration does include assignment of
- Ip address – 136.1.121.1/24
- Default gateway – 136.1.121.12 (firewall ip address)
- Enable basic services on Router (telnet, web server etc..)
Use below commands to perform this activity. Make sure you run all these commands from operational mode.
“Set interfaces ethernet eth0 address 136.1.121.1/24” — assign ip address on interface
“Set interfaces loopback lo address 150.1.1.1/24” — assign ip address on interface
“Set system gateway-address 136.1.121.12” – set default gateway
“Set service telnet” – enable telnet on router
“commit” – commit the candidate configuration
“save” – save candidate configuration
Use show commands to verify your configuration on R1
For R2 installation, power off your R1 virtual machine then right click r1 in vmware workstation and create clone for R2
Select clone from current state in virtual machine and click next and then select create linked clone
Name the virtual machine and finish clone wizard to finish R2 installation
Power on R2 and Perform initial configuration on R2 as per lab topology and ip schema.. Basic configuration does include assignment of
- Ip address – 136.1.122.2/24
- Default gateway – 136.1.122.12 (firewall ip address)
- Enable basic services on Router (telnet, web server etc..)
Use below commands to perform this activity. Make sure you run all these commands from operational mode.
“Set interfaces ethernet eth0 address 136.1.122.2/24” — assign ip address on interface
“Set interfaces loopback lo address 150.1.2.2/24” — assign ip address on interface
“Set system gateway-address 136.1.122.12” – set default gateway
“Set service telnet” – enable telnet on router
“commit” – commit the candidate configuration
“save” – save candidate configuration
Once installed assign vyatta VM network adapter to vmnet1.. Refer topology for more details on this configuration item.
Activity9 -Installation of dashboard and other GUI tools on your laptop
Take webui access from SG or SM and download smart console package
Double click smart console.exe file to install checkpoint GUI tools, for this installation we will install
- Smart dashboard
- Smart view tracker
- Smart update
- Smart view monitor
Note: For additional packages you can re-run this utility to activate other modules. Make sure your machine has dot.net framework and Microsoft visual c++ packges installed else you may encounter issues accessing security management from smart dashboard
Launch smartdashbaord from your laptop and connect to security management on 192.168.70.1 using same user name and password you configured during initial configuration of SM.. Refer SM initial configuration steps (if required) for further details.
On successful login you can see default objects including security management object, double click security management and look for default roles SM has
Activity10 – SIC configuration, Initial (test policy) to test if firewall is installed and configured properly
In order to proceed further define security gateway object and establish trust relationship between SG and SM using secure internal communication.
On dashboard, right click checkpoint object and define security gateway object
Select classic mode for security gateway definition and SIC configuration. Use below information to define security gateway object and to establish trust between SG and SM
Name – fw
Ip address – 192.168.70.1
SIC key – admin123
Click on ok checkpoint SM will talk to SG and fetch topology information. Accept the default settings and close the dialog box. Based on network requirements you may need to modify topology. For this lab scenario no changes are required.
Define test policy any->any->any-> allow->log to verify if SG and SM modules are installed and working properly
Install security policy on security gateway and make sure policy installation is successful on security gateway.
Test security policy by initiating ICMP traffic from R1 to R2 and R2 to R1.Since we have enforces allow all security policy you should able to ping R1->R2 and vica-versa. You can further verify the logs in smart view tracker to ensure that traffic is screened through firewall.
If you can see the ping response from R2 , this implies you have successfully installed and configured checkpoint firewall modules and same lab can be used for further simulation for NAT, VPN, HA and troubleshooting.
Add Comment