Wednesday, 10 August 2011

Learning about Checkpoint

I looked around the web and couldn't find any how to guide for first timers to learn about Checkpoint. I have some experience with firewalls but nothing that suited my level of knowledge. This post contains my Checkpoint

notes on installing and using Checkpoint in a virtualized environment.

I used VMware (VMware workstation 7.1.4 build-385536) to create three virtual machines. Two of them ran FreeBSD 8.2 and were used as the external and internal hosts. You could have just as easily used Windows/Linux or an OS of your choice. I decided on FreeBSD because I have enough working experience with it and most of the daemons (SSH / Telnet / FTP etc) are already installed.

The third virtual machine was installed with the Checkpoint Secure Platform (SPLAT) image.

The routing and ip addressing is shown in the diagram below:

         <----- Default route

     External                              Internal
Pluto ----- (eth1) CP R75 (eth2)----- Eris

The mapping of the CPR75 interfaces to the VM are:

  • eth0 - vmnet 0 (management network -
  • eth1 - vmnet 1 (
  • eth2 - vmnet 2 (
The ip address allocations are:

  • pluto -
  • eth1 -
  • eth2 -
  • eris -

The installation of CP R75 SPLAT can be followed here. I setup a virtual machine with the following parameters:

  • Memory: 512MB
  • Processors: 1
  • HD: IDE 9G

VMware boot sequence is documented here but you can hit Esc to bring up the boot menu. I set the default password for my virtual machines as below:

Console username / password : admin / adminpass
Security Management Server Admin: cpadmin / cpadmin

The installation of the FreeBSD clients isn't covered here but can be easily googled for if required.

SmartConsole R75 Clients
SmartConsole clients allow you to configure manage monitor and analyze network security features: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, URL Filtering and more.
  • SmartDashboard
  • SmartView Tracker (aka Log viewer)
    Check Point products provide you with the ability to collect comprehensive information on your network activity in the form of logs. You can then audit these logs at any given time, analyze your traffic patterns and troubleshoot networking and security issues. The SmartCenter server makes these logs available for inspection via SmartView Tracker, a comprehensive auditing solution, enabling central management of both active and old logs of all Check Point products. You can conveniently customize searches to address specific tracking needs; integrate the logs with Check Point's SmartView Reporter, or export them to text files or to an external database. Administrators can use SmartView Tracker in order to ensure their products are operating properly, troubleshoot system and security issues, gather information for legal or audit purposes, and generate reports to analyze network traffic patterns. In the case of an attack or other suspicious network activity, administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.  
  • SmartEvent
  • SmartUpdate
  • SecureClient Packging Tool
  • SmartView Monitor - Look at the physical parameters of the firewall. Eg CPU, memory, disk space
    SmartView Monitor shows the complete picture of network and security performance, enabling fast response to changes in traffic patterns or security activities. SmartView Monitor centrally monitors Check Point and OPSEC devices, presenting a complete visual picture of changes to gateways, tunnels, remote users and security activities. This enables administrators to immediately identify changes in network traffic flow patterns that may signify malicious activity.
  • SmartReporter - Generates reports based on the logs issued by Checkpoint products.
  • SmartProvisioning
  • Smart Event Intro
  • Abra Password Reset
Setting the Gateway Topology
This is required so that you can tell the gateway about your internal and external interfaces and network. To set this up click on Application Control -> Gateways and then double click your gateway to edit it.

In the window select topology and then for each interface set the Network type (Internal, DMZ, External) and the topology, ie the networks that reside behind this interface.

Why doesn't this get picked up automatically from the routing table?

    Adding Firewall Rules
    The most interesting thing to note about this is that there is no mention of interfaces. The rules apply to all traffic transiting the box. Otherwise the process is quite standard:

    1) click on the firewall tab
    2) add a new line
    3) fill out out your source/dest and traffic info
    4) push your changes back to gateway

    There are some implicit rules that are configured when you first build a gateway and these can be viewed by clicking on View -> Implied Rules in the Dashboard. You can turn on logging for these by clicking Policy -> Global Properties -> Firewall Tab -> Log implied rules.

    If you are troubleshooting some traffic rules, then fire up the SmartView Tracker and click on the Network and Endpoint tab and select All Records. You can then double click on a log entry and see which rule permitted/denied it.

    Adding NAT Rules
    With NAT rules you need to have a firewall rule that matches in the traffic BEFORE it was translated. Then adding a NAT rule is quite easy:

    1) click on the NAT tab
    2) add a new line
    3) fill out your Original packet details (ie what to match for)
    4) fill our your Net packet details (ie what to change)
    5) push you changes out

    Here is a good description of how the packets transit the box (original source here):

    1. The packet arrives at the inbound interface, and passes Security Policy rules.
    2. If accepted, the packet is entered into the connections table. (See SmartView Tracker and the the Active Tab)
    3. The packet is matched against NAT rules for the destination. The packet is translated if a match is found.

    4. The packet arrives at the TCP/IP stack of the NGX Gateway, and is routed to the outbound interface. The packet is translated, so it is routed correctly without any need to add a static route to the Gateway.
    5. The packet goes through the outbound interface, and is matched against NAT rules for the source.
    6. NAT takes place, if a match is found for translating the source.
    7. The packet leaves the Security Gateway.

    1. The reply packet arrives at the inbound interface of the Gateway.
    2. The packet is passed by the Policy, since it is found in the connections table.
    3. The packet’s destination, which is the source of the original packet, is translated according to NAT information in the tables.
    4. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the outbound interface.
    5. The packet goes through the outbound interface. The packet’s source, the destination of the original packet, is translated according to the information
    in the NAT tables.
    6. The packet leaves the Gateway.

    Content Filtering

    Generic Setup

    To enable, click on Anti-Span & Mail tab and select overview. Then in the Enforcing gateways pick the correct gateway for Anti-Virus and Anti-Spam. Under database updates, click on configure and select the activation tab. Then select "Use the trial license provided by the Security Gateway".

    Then select the Anti-virus and URL Filtering tab and select Database Updates. Click the configure button and again select select the activation tab. Then select "Use the trial license provided by the Security Gateway".

    URL Filtering
    Finally under URL Filtering select URL Filtering Policy and ensure that the Policy mode is on and tacking is set to log for both the blocked and allowed requests.

    You now need to allow outbound requests to the Squid proxy on port 3128 in the firewall tab.Then download the policy to the gateway.

    To test this I installed a Squid Proxy on pluto and then telneted from eris to port 3182 and manually did a request. The log file will now show two entries, one from the firewall product and one from the web filtering product.

    Virus Scanning (FTP downloads)
    Under Anti-Virus & URL Filtering tab select Anti-Virus -> Security Gateways -> FTP and ensure its set to  Block for incoming files. Then click the advanced and log everything.

    Also all firewall rules to allow eris to passive ftp into pluto and get files. On pluto you can follow eicar to create positive test file using vi. When you try to download this file you will see the following error:

    ftp> mget
    mget [anpqy?]? y
    227 Entering Passive Mode (192,168,1,1,209,20)
    150 Opening BINARY mode data connection for '' (69 bytes).
      0% |                                                                                       |     0       0.00 KB/s    --:-- ETA
    450 Content Inspection module rejected the requested resource. Virus found. For more information please contact your system administrator.

    No comments:

    Post a Comment