Checkpoint Quick Start and Architecture

Check Point (CP) quick start


VM:
1. Create a VM: OS type "Other", version "Other 64-bit"; SMS: 8 GB RAM, GW: 4 GB RAM; 2 vCPUs, 50 GB disk.
2. Boot from the Gaia ISO image.
3. The installer prompts for the management IP address (eth0) and the admin credentials.
4. When the installation completes, reboot and log in to the Gaia web portal; the First Time Configuration Wizard runs. Select whether to install the SMS, the GW, or both on this VM.
5. After the wizard finishes, reboot, log in to the Gaia portal again and configure system-level settings such as the Internet-facing interface and routing.


Appliance:
1. Initial setup: connect a PC to the MGMT port.
2. Assign the PC the IP address 192.168.1.2.
3. Open the Gaia web portal at https://192.168.1.1.
4. Default account: admin/admin (change it in the wizard).
5. In the First Time Configuration Wizard, configure the IP address and admin credentials and select whether to install the SMS, the GW, or both on this appliance.
6. After the wizard finishes, reboot, log in to the Gaia portal again and configure system-level settings such as interfaces and routing.
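The system-level settings from the last step of both procedures (interfaces, default route, DNS, hostname) can also be applied from the Gaia command line. The script below is an added example, not from the original post: it runs in Gaia expert mode and drives `clish -c`, validating the addresses first and then verifying the result. The hostname, interface name and addresses used are assumptions; replace them with your own.

```shell
#!/bin/bash
# Added example, not part of the original post. Run in Gaia expert mode on the
# SMS or GW after the First Time Configuration Wizard. Set CLISH="echo clish"
# to print the commands instead of applying them. The hostname, interface
# name and addresses passed in below are assumed values.
set -eu

CLISH="${CLISH:-clish}"

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  local ip="$1" octet
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the clish commands for the hostname, an internal interface, the
# default route and the primary DNS server, one per line, after checking
# that the three addresses are valid IPv4.
gaia_system_commands() {
  local host="$1" ifname="$2" ip="$3" masklen="$4" gw="$5" dns="$6"
  if ! is_ipv4 "$ip" || ! is_ipv4 "$gw" || ! is_ipv4 "$dns"; then
    echo "gaia_system_commands: invalid IPv4 address" >&2
    return 1
  fi
  printf '%s\n' \
    "set hostname $host" \
    "set interface $ifname state on" \
    "set interface $ifname ipv4-address $ip mask-length $masklen" \
    "set static-route default nexthop gateway address $gw on" \
    "set dns primary $dns" \
    "save config"
}

# Apply the commands one at a time with clish -c. A bad command makes clish
# exit non-zero, which stops the loop under set -e.
gaia_apply() {
  local cmds cmd
  cmds="$(gaia_system_commands "$@")" || return 1
  printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    $CLISH -c "$cmd"
  done
}

# Show what was applied: the interface, the routing table and the saved
# configuration.
gaia_verify() {
  local ifname="$1"
  $CLISH -c "show interface $ifname"
  $CLISH -c "show route"
  $CLISH -c "show configuration"
}

# Usage on the box (assumed values):
#   gaia_apply gw1 eth1 10.1.1.1 24 203.0.113.1 10.1.1.53 && gaia_verify eth1
```

Run it with `CLISH="echo clish"` first to review the exact commands; `save config` at the end is what makes the settings survive a reboot, the same as clicking Save in the portal.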

Log in to the SMS Gaia portal and download SmartConsole to your PC, then:
1. In SmartConsole, add a new gateway, using the one-time (SIC) password created in the gateway's Gaia First Time Configuration Wizard.
2. Double-click the gateway; in General Properties, review the enabled blades. "Firewall" is on by default; enable "Monitoring".
3. In Network Management, configure the interface topologies.
4. In NAT, enable "Hide internal networks behind the Gateway's external IP".
5. In Security Policies > Access Control, enable logging for the default Cleanup rule, add a new rule above it that allows HTTPS/SSH from the management network to the gateway IP, then install the policy.
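The SmartConsole steps above can also be scripted with the Check Point Management API command-line client, `mgmt_cli`, run in expert mode on the SMS. The script below is an added example, not from the original post: it adds the gateway with its SIC one-time password, adds a management network object, sets logging on the Cleanup rule, adds the management rule above it, publishes, and installs the Standard policy package. The gateway name, addresses, one-time password and management network are assumed values; the `nat-hide-internal-interfaces` field used for the NAT step should be checked against the API reference for your release. Enabling the Monitoring blade and setting the topology are left to SmartConsole in this example.

```shell
#!/bin/bash
# Added example, not part of the original post. Run in expert mode on the SMS,
# where "login -r true" authenticates as root without a password, so keep the
# script readable by admins only. Set MGMT_CLI="echo mgmt_cli" to print the
# calls instead of running them. Gateway name, addresses, one-time password and
# management network passed in below are assumed values.
set -eu

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"

# Run one mgmt_cli call; the trailing -s <file> argument selects the session
# created by the login call.
mgmt() { $MGMT_CLI "$@"; }

# Onboard one gateway: SIC trust, NAT hide, Cleanup-rule logging, management
# rule, publish and policy install, in that order.
onboard_gateway() {
  local gw="$1" gw_ip="$2" otp="$3" mgmt_net="$4" mgmt_len="$5"
  local session
  session="$(mktemp)"
  trap "rm -f '$session'" EXIT

  mgmt login -r true > "$session"

  # Add the gateway. The one-time password must match the SIC password
  # entered in the gateway's First Time Configuration Wizard.
  # nat-hide-internal-interfaces is "Hide internal networks behind the
  # Gateway's external IP" (assumed field; check the API reference).
  mgmt add simple-gateway name "$gw" ipv4-address "$gw_ip" \
       one-time-password "$otp" firewall true \
       nat-hide-internal-interfaces true -s "$session"

  # Object for the management network used as the source of the new rule.
  mgmt add network name Mgmt_Net subnet4 "$mgmt_net" mask-length4 "$mgmt_len" \
       -s "$session"

  # Log the default Cleanup rule of the Standard package's Network layer,
  # then add a rule above it allowing HTTPS/SSH from management to the GW.
  mgmt set access-rule layer Network name "Cleanup rule" track.type Log \
       -s "$session"
  mgmt add access-rule layer Network position top name "Mgmt to $gw" \
       source Mgmt_Net destination "$gw" service.1 https service.2 ssh \
       action Accept track.type Log -s "$session"

  # Nothing is visible to other sessions or installable until published.
  mgmt publish -s "$session"
  mgmt install-policy policy-package Standard targets "$gw" -s "$session"
  mgmt logout -s "$session"
}

# Usage on the SMS (assumed values):
#   onboard_gateway gw1 192.168.1.1 'S1cOneTimePw' 10.1.1.0 24
```

Publish before install: `install-policy` only pushes what has been published, so a forgotten `publish` leaves the gateway running the old policy while SmartConsole shows the new rules.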

Architecture:


The gateway (GW) is managed by the Security Management Server (SMS). Both have a Gaia portal, where low-level system settings such as interfaces and routing are configured.
SmartConsole is downloaded from the SMS Gaia portal to the management station. All policies are configured in SmartConsole, stored on the SMS, and then installed to the GW.


  • Firewall – Basic security filtering functionality
  • IPSec VPN – functionality for creating IPSec-based Site to Site Virtual Private Networks
  • Mobile Access – SSL and IPSec Endpoint VPN solution
  • Application Control & URL Filtering – Advanced Security solution to control Web URL and Application traffic through the gateway
    https://appwiki.checkpoint.com/appwikisdb/public.htm
  • Data Loss Prevention – Pre-emptively prevent sensitive information from leaving the organization, educate users on proper data handling procedures, and allow remediation in real-time
  • IPS – Intrusion Prevention System
  • Anti-Bot – Detects and prevents Advanced Persistent Threat (APT) activity within the protected network
  • Anti-Virus – On-the-fly anti-virus scanning of downloads and uploads crossing Security Gateways
  • Threat Emulation – Sandboxing solution for downloads and email attachments
  • Threat Extraction – Unique technique to remove active content from downloads and attachments to prevent incidental malware infections and APT
  • AntiSpam & Email Security – email protection blade
  • Identity Awareness – Provides visibility to the identities of end users and the specific Active Directory host they are connecting from. This allows security policies to be enforced based on any combination of user, specific machine, or network.
  • Content Awareness – Control over specific types of content data files crossing Security Gateways
  • QoS – Quality of Service, traffic shaping and prioritization functionality
  • Monitoring – Real Time Monitoring of performance and traffic indicators for Security Gateways
