Nokia IPSO IP350 Install Manual
Check Point NG FP3 step-by-step install guide on Nokia IPSO
By Brandon E. Robrahn

INTRO

This document is to be used as a reference on how to install a Nokia IP350 with Check Point NG FP3. In this document I have provided a step-by-step reference guide on loading a Nokia IP350 with IPSO version 3.7.1 Build 010 and Check Point version NG FP3. Voyager and the command line were both used in this guide; this is just one way that a Nokia device can be configured as a Check Point firewall. Not all of the patches and hot fixes for these versions are shown in this document. Only one patch was applied to this device, simply to show how to apply it to the Nokia. The two vulnerabilities that have to be addressed when using this version of Check Point and IPSO are:

1. Hotfix Accumulator 325
2. OpenSSL vulnerability

After using this document as a reference guide (not a configuration guide), you should be able to put the device in line and connect it to a management server without any issues. This document guides you from entering the hostname of the firewall to applying the default filter and running cpconfig. Good luck with your install, and thanks for using this guide as a reference on how to configure a Check Point firewall.

After the start-up script runs you will be prompted to enter a hostname; if you hit Enter it will clear the text so that you can type the hostname you choose. Listed below is an actual screen shot taken from SecureCRT of how an install is performed. I used red text in the areas where you need to type in commands to configure this firewall.

Please choose the host name for this system. This name will be used in
messages and usually corresponds with one of the network hostnames for
the system. Note that only letters, numbers, dashes, and dots (.) are
permitted in a host name.

Hostname ? fw-test
Hostname set to "fw-test", OK ? [ y ] ? y

Please enter password for user admin: password
Please re-enter password for confirmation: password

You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a remote browser
2) VT100-based Lynx browser
Please enter a choice [ 1-2, q ]: 1

Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-5]: 1

Enter the IP address to be used for eth1: 10.0.0.1
Enter the masklength: 24
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: 10.0.0.254
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ? y

You have entered the following parameters for the eth1 interface:
IP address: 10.0.0.1
masklength: 24
Default route: 10.0.0.254
Speed: 100M
Duplex: full
Is this information correct [ y ] ? y
Do you want to configure Vlan for this interface[ n ] ? n

You may now configure your interfaces with the Web-based Voyager by typing in the IP address "131.87.68.50" at a remote browser.

Generating config files for fw-test: ipsrd hosts password group resolver snmp inetd ttys tz ntp ssmtp skey arp ndp aggrclass acl ddr ef syslog autosupport httpd lynx modem cron archive ipsec fmd AAA cluster xmode ssh iptune done.
ifmnetlog: eth4 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth1 .. enabling 100baseTX/UTP port in full duplex mode
done.
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth4 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth1 .. enabling 100baseTX/UTP port in full duplex mode

Wed Apr 28 16:08:23 GMT 2004

IPSO (fw-test) (ttyd0)

login: admin
Password: password
Last login: Wed Apr 28 15:58:11 on ttyd0
Apr 28 16:09:09 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
Apr 28 16:09:09 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Apr 28 16:09:09 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Apr 28 16:09:09 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7-BUILD027 #1215: 09.23.2003 052500
Terminal type? [vt100]
fw-test[admin] # cd /var/tmp
fw-test[admin] # ls -ls
total 1
1 -rw-r--r--  1 root  wheel  111 Apr 28 15:54 dhcpv4c_eth1c0.conf
0 -rw-r--r--  1 root  wheel    0 Apr 28 16:08 ipsopmddebug.txt
0 -rw-r--r--  1 root  wheel    0 Apr 28 15:57 ipsopmddebug.txt1
0 lrwxrwxrwt  1 root  wheel   40 Apr 28 16:08 present -> IPSO-3.7-BUILD027-09.23.2003-052500-1215
fw-test[admin] #
By typing cd /var/tmp and then ls -ls you change to the directory /var/tmp and list what is in it. This lets you see which IPSO version you are currently running on your Nokia device: the present link in the listing names the image the box is running. Since the IPSO version shown is not the current version, or the version that we want to use, we are going to change it to the correct version by installing a new IPSO image from an FTP server using Voyager. Voyager is web based; you can configure almost everything through it. To access the Voyager web page, type http://10.0.0.1 into a browser and then enter the user name and password. Any interface that is configured on this Nokia can be used to reach Voyager. NOTE: Leave the SSH connection running. The first screen you see will look like the one shown above. Click on the Config button to get started.
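As an added example (not part of the original guide), the following Python parses the two image-name formats this guide shows, the present link target from ls -ls /var/tmp and the ipso_*_Build*.tgz file name on the FTP server, and decides whether the image you are about to load is actually newer than the one running. The sample listing is constructed from the ls -ls output above.

```python
"""Compare the running IPSO image (from the 'present' link in /var/tmp)
with the image file about to be loaded, so an unneeded or backwards
'upgrade' is caught before the Test Boot."""
import re
from typing import NamedTuple, Optional


class IpsoImage(NamedTuple):
    version: tuple      # e.g. (3, 7, 1)
    build: int          # e.g. 10 for BUILD010
    build_date: str     # e.g. "04.05.2004" as printed in the image name, "" if unknown

    def label(self) -> str:
        return "IPSO %s Build %03d" % (".".join(map(str, self.version)), self.build)


# Installed image directory, as shown by `ls -ls /var/tmp` in the guide:
#   present -> IPSO-3.7.1-BUILD010-04.05.2004-185427-1253
IMAGE_DIR_RE = re.compile(
    r"^IPSO-(?P<ver>\d+(?:\.\d+)*)-BUILD(?P<build>\d+)"
    r"-(?P<date>\d{2}\.\d{2}\.\d{4})-\d{6}-\d+$"
)

# Image file name as served from the FTP server in the guide:
#   ipso_3_7_1_Build010.tgz
IMAGE_FILE_RE = re.compile(r"^ipso_(?P<ver>\d+(?:_\d+)*)_Build(?P<build>\d+)\.tgz$", re.I)


def parse_image_dir(name: str) -> IpsoImage:
    """Parse the target of the 'present' symlink (the running image)."""
    m = IMAGE_DIR_RE.match(name.strip())
    if not m:
        raise ValueError("not an IPSO image directory name: %r" % name)
    return IpsoImage(tuple(int(p) for p in m.group("ver").split(".")),
                     int(m.group("build")), m.group("date"))


def parse_image_file(filename: str) -> IpsoImage:
    """Parse an image .tgz file name; the file name carries no build date."""
    m = IMAGE_FILE_RE.match(filename.strip())
    if not m:
        raise ValueError("not an IPSO image file name: %r" % filename)
    return IpsoImage(tuple(int(p) for p in m.group("ver").split("_")),
                     int(m.group("build")), "")


def running_image(ls_output: str) -> Optional[IpsoImage]:
    """Find the 'present -> ...' entry in `ls -ls /var/tmp` output."""
    for line in ls_output.splitlines():
        if " present -> " in line:
            return parse_image_dir(line.split(" present -> ", 1)[1])
    return None  # no link in the listing: cannot tell what is running


def needs_upgrade(current: IpsoImage, wanted: IpsoImage) -> bool:
    """Upgrade when the release is older, or the release is the same but the build is older."""
    return (current.version, current.build) < (wanted.version, wanted.build)


# Constructed sample: the first `ls -ls /var/tmp` listing shown in the guide.
SAMPLE_LS = """\
total 1
1 -rw-r--r--  1 root  wheel  111 Apr 28 15:54 dhcpv4c_eth1c0.conf
0 -rw-r--r--  1 root  wheel    0 Apr 28 16:08 ipsopmddebug.txt
0 -rw-r--r--  1 root  wheel    0 Apr 28 15:57 ipsopmddebug.txt1
0 lrwxrwxrwt  1 root  wheel   40 Apr 28 16:08 present -> IPSO-3.7-BUILD027-09.23.2003-052500-1215
"""

if __name__ == "__main__":
    cur = running_image(SAMPLE_LS)
    want = parse_image_file("ipso_3_7_1_Build010.tgz")
    print("running:", cur.label(), "| wanted:", want.label(),
          "| upgrade needed:", needs_upgrade(cur, want))
```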
Under the section System Configuration click on Install New IPSO Image (Upgrade). The screen that you are on should look like the one shown above. This is where you will need to type in the IP address of your FTP server. Since you will have a crossover cable hooked to your PC and the other end hooked to the port on the Nokia that reads ETH-1, you will use the IP address of your PC. NOTE: make sure that you have an FTP server loaded on your PC. EXAMPLE: 3COM Server. Make sure that your FTP server is configured for anonymous access, that way you don't have to type in a user name and password. Type "ftp://10.0.0.2/ipso_3_7_1_Build007.tgz". I am using IPSO 3.7.1 build 007 as an example; you use whatever IPSO version is current or that you want to use. Now click on Apply. Click on the Apply button one more time and the install should start running. This load will take a few minutes, so don't click on anything else, just let it run. You can also look on your FTP server to see the status of your FTP session.

If you click on the link highlighted in blue you should see the status of your install. When the install is finished the screen will look like the one shown below. The install is now complete and you need to reboot your Nokia device. Before you reboot, click on Manage IPSO images (including REBOOT and Next Boot Image Selection) located at the bottom of the page.

Select the radio button that reads Last Image Downloaded. This is the IPSO version that you just loaded. At the bottom of the page, click on Test Boot. NOTE: Test Boot is used in case something happens when you're rebooting; this way you can revert back to the old version and no harm is done. This is a precautionary measure. After selecting Test Boot you will see the page shown above. Wait about 5 minutes and then hit the Refresh button at the top of the page.

You will now have to log back in so that you can commit to the test boot. Click on Apply and then click on Logout. You can now switch back to your SSH connection. You will probably need to log back in with a user name and password because the box has been rebooted. Shown below are the steps to install Check Point NG FP3 on this Nokia device. Follow the steps by typing in the commands shown in red below. During this process you will be asked if you want to download certain images, hot fixes, or packages. Only choose the one that says "Do you want to download CP_FP3_IPSO.tgz?" For all of the other prompts type "n" and wait until they have all been addressed. NOTE: If you are using AI or some other version of Check Point then you will choose the version you want.
IPSO (fw-test) (ttyd0)

login: admin
Password: xxxxxxxxxxx
Last login: Thu May 6 19:28:42 on ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7.1-BUILD010 #1253: 04.05.2004 185427
Terminal type? [vt100]
fw-test[admin] #
fw-test[admin] #
fw-test[admin] #
fw-test[admin] # newpkg -i
Load new package from:
1. Install from CD-ROM.
2. Install from anonymous FTP server.
3. Install from FTP server with user and password.
4. Install from local filesystem.
5. Exit new package installation.
Choose an installation method (1-5): 2
Enter IP address of FTP server (0.0.0.0): 10.0.0.2
Enter pathname to the packages [ or 'exit' to exit ]: /
Loading Package List
Do you want to download cpinfo_ipso_550000007.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package cpinfo_ipso_550000007.tgz ...
Do you want to download cpshared_NG_FP3_53267_2_Nokia.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package cpshared_NG_FP3_53267_2_Nokia.tgz ...
Do you want to download CP_FP3_IPSO.tgz ? ['yes (default)' or 'no' or 'exit']: y
Processing package CP_FP3_IPSO.tgz ...
Package Description: Check Point NG Feature Pack 3 wrapper package
Would you like to :
1. Install this as a new package
2. Upgrade from an old package
3. Skip this package
4. Exit new package installation
Choose (1-4) : 1
Installing CP_FP3_IPSO.tgz
CP_FP3_IPSO does not exist previously. Proceeding with Installation.
Running Pre-install script
Running Post-install script
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: ***************************************************************************
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: ***************************************************************************
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPfw1-50/POST_INSTALL
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPfw1-50/POST_INSTALL
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/PRE_INSTALL
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/PRE_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPuag-50/PRE_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPuag-50/PRE_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfwbc-41/fw-1_ipso.tgz
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfwbc-41/fw-1_ipso.tgz
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPdtps-50/polsrv_ipso.tgz
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPdtps-50/polsrv_ipso.tgz
May 6 21:32:57 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:32:57 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfg1-50/fg1_ipso.tgz
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfg1-50/fg1_ipso.tgz
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPrtm-50/rtm_ipso.tgz
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPrtm-50/rtm_ipso.tgz
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPuag-50/uag_ipso.tgz
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPuag-50/uag_ipso.tgz
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: ************************************************************
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/POST_INSTALL
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/POST_INSTALL
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: ***************************************************************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: ***************************************************************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*********************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*********************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: Please do the following if the INSTALL/UPGRADE is Successful:
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: Please do the following if the INSTALL/UPGRADE is Successful:
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 1) Logout and re-login.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 1) Logout and re-login.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 2) Run 'cpconfig' and configure the firewall.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 2) Run 'cpconfig' and configure the firewall.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 3) Install the new License if required.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 3) Install the new License if required.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 4) Reboot the box.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 4) Reboot the box.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*********************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*********************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: ***************************************************************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: ***************************************************************************
Done installing CP_FP3_IPSO
Do you want to download fw1_NG_FP3_53225_5_Nokia.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package fw1_NG_FP3_53225_5_Nokia.tgz ...
Do you want to download IPSO-SHF_HFA_322.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package IPSO-SHF_HFA_322.tgz ...
Do you want to download ipso1.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso1.tgz ...
Do you want to download ipso2.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso2.tgz ...
Do you want to download ipso3.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso3.tgz ...
Do you want to download ipso4.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso4.tgz ...
Do you want to download ipso_3_7_1_Build007.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build007.tgz ...
Do you want to download ipso_3_7_1_Build010.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build010.tgz ...
Do you want to download RSNS_NokiaRelease_7_0_2003_62.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package RSNS_NokiaRelease_7_0_2003_62.tgz ...
End of new package installation
cleaning up ..done
Use Voyager to activate packages
fw-test[admin] #

You can now log back into Voyager by typing http://10.0.0.1. If you click on Config and then click on Manage Installed Packages under System Configuration, your screen should look like the one shown below.
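Before moving on to Voyager it is worth confirming, from the console output rather than by eye, that the wrapper package reached its COMPLETED marker and which components it installed. The following is an added example, not part of the original guide: it parses PKG_INSTALL lines of the form shown above (the embedded sample is a trimmed, constructed copy of that output) and reports an install that did not complete.

```python
"""Verify from a newpkg console transcript that the CP_FP3_IPSO wrapper
package finished, and list the components it installed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Syslog-style lines echoed to the console during `newpkg -i`, e.g.
#   May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
PKG_LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) \[(?P<level>LOG_[A-Z]+)\] PKG_INSTALL: (?P<msg>.*)$"
)


@dataclass
class InstallReport:
    started: Optional[str] = None                          # text after "INSTALL STARTED at "
    completed: bool = False                                # saw "INSTALL/UPGRADE PROCESS COMPLETED"
    packages: List[str] = field(default_factory=list)      # "Trying to install X"
    sub_installs: List[str] = field(default_factory=list)  # "/etc/newpkg ... -n X"
    post_steps: List[str] = field(default_factory=list)    # "1) Logout and re-login." ...


def parse_pkg_install_log(text: str) -> InstallReport:
    report = InstallReport()
    previous = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == previous:      # the console shows each syslog line twice; keep one
            continue
        previous = line
        m = PKG_LINE_RE.match(line)
        if not m:
            continue              # prompts, "Running Pre-install script", etc.
        msg = m.group("msg")
        if msg.startswith("INSTALL STARTED at "):
            report.started = msg[len("INSTALL STARTED at "):]
        elif msg.startswith("Trying to install "):
            report.packages.append(msg[len("Trying to install "):])
        elif msg.startswith("/etc/newpkg "):
            args = msg.split()
            if "-n" in args:
                report.sub_installs.append(args[args.index("-n") + 1])
        elif "INSTALL/UPGRADE PROCESS COMPLETED" in msg:
            report.completed = True
        elif re.match(r"^\d\) ", msg):
            report.post_steps.append(msg)
    return report


def install_ok(report: InstallReport,
               required=("CPshrd-50/cpshared_ipso.tgz", "CPfw1-50/fw1_ipso.tgz")) -> bool:
    """Completed, and both the SVN Foundation and FireWall-1 components were installed."""
    return report.completed and all(p in report.packages for p in required)


# Constructed sample: a trimmed copy of the console output shown in the guide.
SAMPLE_LOG = """\
Running Pre-install script
Running Post-install script
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: *******************************
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPfw1-50/POST_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfwbc-41/fw-1_ipso.tgz
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPdtps-50/polsrv_ipso.tgz
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *********INSTALL/UPGRADE PROCESS COMPLETED*********
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: Please do the following if the INSTALL/UPGRADE is Successful:
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 1) Logout and re-login.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 2) Run 'cpconfig' and configure the firewall.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 3) Install the new License if required.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 4) Reboot the box.
Done installing CP_FP3_IPSO
"""

if __name__ == "__main__":
    r = parse_pkg_install_log(SAMPLE_LOG)
    print("started:", r.started, "| completed:", r.completed, "| ok:", install_ok(r))
    print("components:", r.packages + r.sub_installs)
    for step in r.post_steps:
        print("  todo:", step)
```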
The two applications (packages) turned on by default are the only ones that need to be turned on. Nothing needs to be done; you're just checking to make sure they're turned on. If you click on UP it will take you back to the Configuration screen. NOTE: If you are going to be using VPNs you will also need to click on the first radio button underneath Applications.

Click on SNMP and make sure that it is turned off. If you click on UP it will take you back to the Configuration screen. NOTE: Your configuration may be different from the guide if you need SNMP enabled. This is up to you if you want to use it.

Under Security and Access Configuration click on Network Access and Services; make sure that Telnet and FTP are turned off. If you click on UP it will take you back to the Configuration screen. NOTE: Your configuration may be different from the guide if you need FTP and Telnet enabled. This is up to you if you want to use them.

Under Security and Access Configuration click on SSH (Secure Shell); make sure that SSH is enabled. If you click on UP it will take you back to the Configuration screen. NOTE: It is important that this is turned on so that you can manage your Nokia box via SSH.

Under Security and Access Configuration click on SSL Certificate Tool; here is where you configure your SSL certificate. After clicking on SSL Certificate Tool, you should see the screen shown below. Enter the same data shown below into the configuration for the certificate you are creating. The pass phrase can be whatever you choose. When

After all of the information has been added, click on Apply. This will bring up a screen that has a certificate and a private key in it; you need to copy the entire text that is listed. After highlighting the entire certificate, right click and select "copy". After you have copied the certificate, scroll to the bottom of the screen and click on the Voyager SSL certificate page link that is shown below.

When the Voyager SSL Certificate page comes up, paste the copied certificate into the box that is labeled "New server certificate". Now click on the BACK button of the IE page that you are on; I have noticed that if you click on Up rather than Back your certificate will disappear. It is a lot easier to just click on Back, this way you don't get lost as to what you are doing. Now you should be back at the page where you can copy the "Private Key"; this is the one below the Server Certificate. After you copy the key, click on the green arrow that allows you to advance to the previous page in IE, Netscape or whatever you are using. Now that you are back at the area shown below, paste the Private Key in the area that reads Associated Private Key. You will then need to type in the "Pass phrase" that you created earlier. After entering the pass phrase, click on Apply and the screen will show "Apply Successful" at the top of the page.

If you click on UP it will take you to the screen shown below. This is where you choose the required encryption strength for SSL. Choose the radio button that reads 128-bit key or stronger. After selecting the radio button click on Apply and Save. You should still see the same screen shown above; if you click on UP you will get the error message "The page cannot be displayed". You are getting this error message because you need to change the URL to use HTTPS rather than HTTP. As soon as you put an "S" behind HTTP and hit Enter you will be back at the Voyager configuration page.
You now need to create the "Default filter"; this is used to deny any access to the Nokia device except for SSH or other connections you allow. This all depends on how you create the default filter; I will be creating the default filter that only allows SSH connections to the Nokia device. Shown below are the steps that need to be taken to apply the default filter. NOTE: The default filter is really a default policy on the Nokia device. A policy will be applied to the device when it is pushed via the management server.

fw-test[admin] # cd $FWDIR/lib
fw-test[admin] # cp defaultfilter.ipso $FWDIR/conf/defaultfilter.pf
fw-test[admin] # fw defaultgen
Generating default filter
defaultfilter:
Compiled OK.
fw-test[admin] # cd $FWDIR/state
fw-test[admin] # ls -ls
total 1
1 -rw-rw-r--  1 root  80  736 May 21 17:41 default.bin
fw-test[admin] # cp default.bin $FWDIR/boot
fw-test[admin] # cd $FWDIR/boot
fw-test[admin] # ls -ls
total 59
 1 -rw-r--r--  1 root  80     41 Sep 19  2002 boot.conf
 1 -rw-rw-r--  1 root  80    736 May 21 17:41 default.bin
56 -rwxr-xr-x  1 root  80  57344 Sep 19  2002 fwboot
 1 drwxr-xr-x  2 root  80    512 May  6 21:33 modules
fw-test[admin] #

Now that the default filter is created you can move on to the second to last step of the configuration. All of the appropriate patches and hot fixes should be applied at this time. I will demonstrate one for you; it is best to use the directory /var/tmp. NOTE: Make sure that your FTP server is running for this portion. You can get all of the current patches and hot fixes on Check Point's website.
fw-test[admin] # cd /var/tmp
fw-test[admin] # ls -ls
total 2
1 -rw-rw-rw-  1 root  wheel  107 May  6 19:34 fetchout
0 -rw-r--r--  1 root  wheel    0 May 21 14:47 ipsopmddebug.txt
0 -rw-r--r--  1 root  wheel    0 May  6 22:10 ipsopmddebug.txt1
1 -rw-rw-rw-  1 root  wheel  438 May  6 19:35 newimageout
0 lrwxrwxrwt  1 root  wheel   42 May 21 15:44 present -> IPSO-3.7.1-BUILD010-04.05.2004-185427-1253
fw-test[admin] # ftp 10.0.0.2
Connected to 131.87.68.130.
220 3Com FTP Server Version 1.1
Name (131.87.68.130:admin):
331 User name ok, need password
Password:
230 User logged in
Remote system type is Windows/NT.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> bin
200 Type set to I.
ftp> dir
200 PORT command successful.
150 File status OK ; about to open data connection
D---------   1 owner    group            0 Apr 15 11:19 .
D---------   1 owner    group            0 Apr 15 11:19 ..
----------   1 owner    group     32330013 Oct 21 10:05 CP_FP3_IPSO.tgz
----------   1 owner    group     37908646 Apr 27 19:41 ipso_3_7_1_Build010.tgz
----------   1 owner    group       285169 Apr 16 18:52 OpenSSL_HF_mar_2004_fp3_hf2_ipso.tgz
----------   1 owner    group     21039771 Apr 28 14:10 SHF_HFA_325.ipso.tgz
#
226 Closing data connection
ftp> get SHF_HFA_325.ipso.tgz
local: SHF_HFA_325.ipso.tgz remote: SHF_HFA_325.ipso.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 20546 KB    00:00 ETA
226 File transfer successful.
21039771 bytes received in 5.79 seconds (3.47 MB/s)
ftp> bye
221 Service closing control connection
fw-test[admin] # pwd
/var/tmp
fw-test[admin] # gunzip SHF_HFA_325.ipso.tgz
fw-test[admin] # tar -xvf SHF_HFA_325.ipso.tar
cpshared_HOTFIX_HFA_325_332553963_1
fw1_HOTFIX_HFA_325_332553950_1
fw-test[admin] # ./cpshared_HOTFIX_HFA_325_332553963_1
Do you want to proceed with installation of Check Point SVN Foundation NG FP3 Support HFA 325 for Check Point SVN Foundation NG FP3 on this computer?
If you choose to proceed, installation will perform CPSTOP.
(y-yes, else no): y
SVN Foundation: cpd is not running
SVN Foundation: cpWatchDog is not running
SVN Foundation stopped
******************************************************************************
Check Point SVN Foundation NG FP3
Check Point SVN Foundation NG FP3 Support HFA 325 installation completed successfully.
******************************************************************************
fw-test[admin] # ./fw1_HOTFIX_HFA_325_332553950_1
Do you want to proceed with installation of Check Point VPN-1/FireWall-1 NG FP3 Support HFA 325 for Check Point VPN-1 & FireWall-1 NG FP3 on this computer?
If you choose to proceed, installation will perform CPSTOP.
(y-yes, else no): y
SVN Foundation: cpd is not running
SVN Foundation: cpWatchDog is not running
SVN Foundation stopped
Launching post-hotfix utility
******************************************************************************
Check Point VPN-1 & FireWall-1 NG FP3
Check Point VPN-1/FireWall-1 NG FP3 Support HFA 325 installation completed successfully.
******************************************************************************
fw-test[admin] #

The very last step in configuring this firewall is to run cpconfig. When you run cpconfig you are setting up what type of Check Point product you wish to run. We are going to choose an "enforcement module", or firewall. The second part of this is setting your one-time password for SIC (Secure Internal Communication). You are also able to put your license on at this time; we are going to put our license on later. NOTE: Check Point gives you a 15 day trial license so you don't have to apply the license right away.

fw-test[admin]# cpconfig
Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...
This End-user License Agreement (the "Agreement") is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter "You" or "Your") and Check Point Software Technologies Ltd. (hereinafter "Check Point"). TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED AN OFFER BY YOU, CHECK POINT'S ACCEPTANCE OF YOUR OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE PLACE YOU OBTAINED IT FOR A FULL REFUN

(Hit Space bar until end of license agreement)

Do you accept all the terms of this license agreement (y/n) ? y

Select installation type:
-------------------------
(1) Enforcement Module.
(2) Enterprise Management.
(3) Enterprise Management and Enforcement Module.
(4) Enterprise Log Server.
(5) Enforcement Module and Enterprise Log Server.
Enter your selection (1-5/a-abort) [1]: 1

Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization) ? (y/n) [n] ? n
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.

This program will guide you through several steps where you will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by running cpconfig

Configuring Licenses...
=======================
Host             Expiration  Signature                                Features

Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.

Do you want to add licenses (y/n) [y] ? n

Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in various cryptographic operations.

Please enter random text containing at least six different characters. You will see the '*' symbol after keystrokes that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored.

Please keep typing until you hear the beep and the bar is full.

[....................]

Thank you.

Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components

Trust State: Uninitialized
Enter Activation Key: xxxxxxxxxx
Again Activation Key: xxxxxxxxxx

The Secure Internal Communication was successfully initialized

initial_module:
Compiled OK.
Hardening OS Security: Initial policy will be applied until the first policy is installed

In order to complete the installation you must reboot the machine.
Do you want to reboot? (y/n) [y] ? y

After the reboot is completed you can log back in and type in the command shutdown now. This will shut the device down properly, and you can then hit the power button. If you don't shut it down like this you run the risk of putting the device into Single User Mode. You are all set to connect this device to your network and get the management server configured in order to apply a license and push a policy to this device.

About the Author

Brandon E. Robrahn, CCSA, is a Firewall Administrator for a fast-growing company that supports the Federal Government. His areas of infosec expertise include intrusion detection, firewall administration, and antivirus. He has been providing support for the Federal Government for over 2 years, and has been in the IT field for over 4 years. Before providing support to the Federal Government, he served his country in the United States Army for 3 years. In his spare time he enjoys spending time with his family and spending time outdoors.
Enter the masklength: 24
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: 10.0.0.254
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ? y
You have entered the following parameters for the eth1 interface:
IP address: 10.0.0.1
masklength: 24
Default route: 10.0.0.254
Speed: 100M
Duplex: full
Is this information correct [ y ] ? y
Do you want to configure Vlan for this interface[ n ] ? n
You may now configure your interfaces with the Web-based Voyager by typing in the IP address "131.87.68.50" at a remote browser.
Generating config files for fw-test: ipsrd hosts password group resolver snmp inetd ttys tz ntp ssmtp skey arp ndp aggrclass acl ddr ef syslog autosupport httpd lynx modem cron archive ipsec fmd AAA cluster xmode ssh iptune done.
ifmnetlog: eth4 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth1 .. enabling 100baseTX/UTP port in full duplex mode
done.
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth4 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth1 .. enabling 100baseTX/UTP port in full duplex mode
Wed Apr 28 16:08:23 GMT 2004
IPSO (fw-test) (ttyd0)
login: admin
Password: password
Last login: Wed Apr 28 15:58:11 on ttyd0
Apr 28 16:09:09 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
Apr 28 16:09:09 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Apr 28 16:09:09 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Apr 28 16:09:09 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7-BUILD027 #1215: 09.23.2003 052500
Terminal type? [vt100]
fw-test[admin] # cd /var/tmp
fw-test[admin] # ls -ls
total 1
1 -rw-r--r-- 1 root wheel 111 Apr 28 15:54 dhcpv4c_eth1c0.conf
0 -rw-r--r-- 1 root wheel 0 Apr 28 16:08 ipsopmddebug.txt
0 -rw-r--r-- 1 root wheel 0 Apr 28 15:57 ipsopmddebug.txt1
0 lrwxrwxrwt 1 root wheel 40 Apr 28 16:08 present -> IPSO-3.7-BUILD027-09.23.2003-052500-1215
fw-test[admin] #
By typing cd /var/tmp and then typing ls -ls you are changing to the directory /var/tmp and listing what is in that directory. This allows you to see which IPSO version you are currently running on your NOKIA device (the "present" symlink points at the running image). Since the IPSO version shown is not the current version or the version that we want to use, we are going to change it to the correct version by installing a new IPSO image from an FTP server using Voyager. Voyager is web based; you are able to configure almost everything via Voyager. To access the Voyager web page, type in http://10.0.0.1 and then enter the user name and password. Any interface that is configured on this NOKIA can be used to get access to Voyager. NOTE: Leave the SSH connection running. The first screen you will see will look like the one shown above. Click on the Config button to get started.
Under the section System Configuration click on Install New IPSO Image (Upgrade). The screen that you are on should look like the one shown above. This is where you will need to type in the IP Address of your FTP Server. Since you will have a crossover cable hooked to your PC and the other end hooked to the port on the NOKIA that reads ETH-1, you will use the IP Address of your PC. NOTE: make sure that you have an FTP Server loaded on your PC. EXAMPLE: 3COM Server. Make sure that your FTP Server is configured for Anonymous; that way you don't have to type in a user name and password. Type "ftp://10.0.0.2/ipso_3_7_1_Build007.tgz". I am using IPSO 3.7.1 build 007 as an example; use whatever IPSO version is current or that you want to use. Now click on Apply. Click on the Apply button one more time and the install should start running. This load will take a few minutes, so don't click on anything else, just let it run. You can also look on your FTP server to see the status of your FTP session.
If you click on the link highlighted in blue you should see the status of your install. When the install is finished the screen will look like the one shown below. The install is now complete and you need to reboot your NOKIA device. Before you reboot, click on Manage IPSO images (including REBOOT and Next Boot Image Selection) located at the bottom of the page.
Select the radio button that reads Last Image Downloaded. This is the IPSO version that you just loaded. At the bottom of the page, click on Test Boot. NOTE: Test boot is used in case something happens when you're rebooting; this way you can revert back to the old version and no harm is done. This is a precautionary measure. After selecting Test Boot you will see the page shown above. Wait about 5 minutes and then hit the Refresh button at the top of the page.
You will now have to log back in so that you can commit to the test boot. Click on Apply and then click on Logout. You can now switch back to your SSH connection. You will probably need to log back in with a user name and password because the box has been rebooted. Shown below are the steps to install Check Point NG FP3 on this NOKIA device. Follow the steps by typing in the commands shown in red listed below. During this process you will be asked if you want to download certain images, hot fixes, or packages. Only answer yes to the one that says "Do you want to download CP_FP3_IPSO.tgz ?"; for all of the other prompts type "n" and wait until they have all been addressed. NOTE: If you are using AI or some other version of Check Point then you will choose the version you want.
IPSO (fw-test) (ttyd0)
login: admin
Password: xxxxxxxxxxx
Last login: Thu May 6 19:28:42 on ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7.1-BUILD010 #1253: 04.05.2004 185427
Terminal type? [vt100]
fw-test[admin] #
fw-test[admin] #
fw-test[admin] #
fw-test[admin] # newpkg -i
Load new package from :
1. Install from CD-ROM.
2. Install from anonymous FTP server.
3. Install from FTP server with user and password.
4. Install from local filesystem.
5. Exit new package installation.
Choose an installation method (1-5): 2
Enter IP address of FTP server (0.0.0.0): 10.0.0.2
Enter pathname to the packages [ or 'exit' to exit ]: /
Loading Package List
Do you want to download cpinfo_ipso_550000007.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package cpinfo_ipso_550000007.tgz ...
Do you want to download cpshared_NG_FP3_53267_2_Nokia.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package cpshared_NG_FP3_53267_2_Nokia.tgz ...
Do you want to download CP_FP3_IPSO.tgz ? ['yes (default)' or 'no' or 'exit']: y
Processing package CP_FP3_IPSO.tgz ...
Package Description: Check Point NG Feature Pack 3 wrapper package
Would you like to :
1. Install this as a new package
2. Upgrade from an old package
3. Skip this package
4. Exit new package installation
Choose (1-4) : 1
Installing CP_FP3_IPSO.tgz
CP_FP3_IPSO does not exist previously. Proceeding with Installation.
Running Pre-install script
Running Post-install script
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: *************************************************************************
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: *************************************************************************
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPfw1-50/POST_INSTALL
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPfw1-50/POST_INSTALL
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/PRE_INSTALL
May 6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/PRE_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPuag-50/PRE_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPuag-50/PRE_INSTALL
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfwbc-41/fw-1_ipso.tgz
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfwbc-41/fw-1_ipso.tgz
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPdtps-50/polsrv_ipso.tgz
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPdtps-50/polsrv_ipso.tgz
May 6 21:32:57 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:32:57 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfg1-50/fg1_ipso.tgz
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfg1-50/fg1_ipso.tgz
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:01 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPrtm-50/rtm_ipso.tgz
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPrtm-50/rtm_ipso.tgz
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:04 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPuag-50/uag_ipso.tgz
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPuag-50/uag_ipso.tgz
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/POST_INSTALL
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/POST_INSTALL
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *************************************************************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *************************************************************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: Please do the following if the INSTALL/UPGRADE is Successful:
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: Please do the following if the INSTALL/UPGRADE is Successful:
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 1) Logout and re-login.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 1) Logout and re-login.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 2) Run 'cpconfig' and configure the firewall.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 2) Run 'cpconfig' and configure the firewall.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 3) Install the new License if required.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 3) Install the new License if required.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 4) Reboot the box.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 4) Reboot the box.
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *******************INSTALL/UPGRADE PROCESS COMPLETED*************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *************************************************************************
May 6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: *************************************************************************
Done installing CP_FP3_IPSO
Do you want to download fw1_NG_FP3_53225_5_Nokia.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package fw1_NG_FP3_53225_5_Nokia.tgz ...
Do you want to download IPSO-SHF_HFA_322.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package IPSO-SHF_HFA_322.tgz ...
Do you want to download ipso1.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso1.tgz ...
Do you want to download ipso2.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso2.tgz ...
Do you want to download ipso3.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso3.tgz ...
Do you want to download ipso4.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso4.tgz ...
Do you want to download ipso_3_7_1_Build007.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build007.tgz ...
Do you want to download ipso_3_7_1_Build010.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build010.tgz ...
Do you want to download RSNS_NokiaRelease_7_0_2003_62.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package RSNS_NokiaRelease_7_0_2003_62.tgz ...
End of new package installation
cleaning up ..done
Use Voyager to activate packages
fw-test[admin] #

You can now log back into Voyager by typing http://10.0.0.1; if you click on Config and then click on Manage Installed Packages under System Configuration, your screen should look like the one shown below.
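Before moving on to Voyager it is worth confirming from the console log that the wrapper package actually finished. The following is an added example for this page (not Nokia or Check Point code) that parses PKG_INSTALL lines like the ones above: it drops the doubled console copies, lists the packages newpkg attempted, and reports when the INSTALL/UPGRADE PROCESS COMPLETED marker or a required package is missing. The sample log, the expected host name and the required-package list are constructed for the example.

```python
"""Parse the PKG_INSTALL console output that IPSO's newpkg emits while
installing a Check Point wrapper package (CP_FP3_IPSO.tgz in the guide).
Added example for this page, not Nokia or Check Point code."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the transcript above. The IPSO console shows
# most syslog lines twice (direct output plus syslog-to-console), so the
# parser drops consecutive identical lines instead of counting them twice.
SAMPLE_LOG = """\
May  6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: ***************************
May  6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: ***************************
May  6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May  6 21:31:26 GMT 2004
May  6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May  6 21:31:26 GMT 2004
May  6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May  6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May  6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May  6 21:32:42 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPfw1-50/POST_INSTALL
May  6 21:32:43 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPfwbc-41/fw-1_ipso.tgz
May  6 21:32:56 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPdtps-50/polsrv_ipso.tgz
May  6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: ********INSTALL/UPGRADE PROCESS COMPLETED********
May  6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: Please do the following if the INSTALL/UPGRADE is Successful:
May  6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 1) Logout and re-login.
May  6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 2) Run 'cpconfig' and configure the firewall.
May  6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 3) Install the new License if required.
May  6 21:33:21 fw-test [LOG_CRIT] PKG_INSTALL: 4) Reboot the box.
"""

# "Mon  6 21:31:26 host [LOG_CRIT] PKG_INSTALL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[(?P<pri>LOG_[A-Z]+)\] PKG_INSTALL: ?(?P<msg>.*)$"
)
TRY_RE = re.compile(r"^Trying to install (\S+)$")            # top-level package
SUB_RE = re.compile(r"^/etc/newpkg -S -m LOCAL -i -n (\S+)$")  # nested newpkg call
STEP_RE = re.compile(r"^\d\) ")                               # "1) Logout and re-login."


@dataclass
class InstallReport:
    host: str = ""
    started: bool = False
    completed: bool = False
    packages: list = field(default_factory=list)      # from "Trying to install"
    sub_installs: list = field(default_factory=list)  # from nested /etc/newpkg calls
    post_steps: list = field(default_factory=list)    # the numbered follow-up steps
    duplicates_dropped: int = 0
    unparsed: int = 0


def parse_pkg_install(text: str) -> InstallReport:
    """Walk the console capture line by line and fill an InstallReport."""
    report = InstallReport()
    prev = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == prev:  # console echo of the syslog line just seen
            report.duplicates_dropped += 1
            continue
        prev = line
        m = LINE_RE.match(line)
        if not m:
            report.unparsed += 1
            continue
        report.host = report.host or m.group("host")
        msg = m.group("msg").strip()
        if msg.startswith("INSTALL STARTED"):
            report.started = True
        elif "INSTALL/UPGRADE PROCESS COMPLETED" in msg:
            report.completed = True
        elif (t := TRY_RE.match(msg)):
            report.packages.append(t.group(1))
        elif (s := SUB_RE.match(msg)):
            report.sub_installs.append(s.group(1))
        elif STEP_RE.match(msg):
            report.post_steps.append(msg)
    return report


def check_install(report: InstallReport, expected_host: str = "fw-test",
                  required=("CPshrd-50/cpshared_ipso.tgz", "CPfw1-50/fw1_ipso.tgz")) -> list:
    """Return findings; an empty list means the install log looks complete.
    expected_host and required are assumptions chosen for this example."""
    findings = []
    if report.host != expected_host:
        findings.append(f"log host {report.host!r} != expected {expected_host!r}")
    if not report.started:
        findings.append("no INSTALL STARTED marker")
    if not report.completed:
        findings.append("no INSTALL/UPGRADE PROCESS COMPLETED marker")
    for pkg in required:
        if pkg not in report.packages:
            findings.append(f"required package not installed: {pkg}")
    return findings


if __name__ == "__main__":
    rep = parse_pkg_install(SAMPLE_LOG)
    print(f"{rep.host}: started={rep.started} completed={rep.completed}")
    print("packages:", rep.packages, "nested:", rep.sub_installs)
    print("findings:", check_install(rep) or "none")
```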
The 2 applications (packages) turned on by default are the only ones that need to be turned on. Nothing needs to be done; you're just checking to make sure they're turned on. If you click on UP it will take you back to the Configuration screen. NOTE: If you are going to be using VPNs you will also need to click on the first radio button underneath Applications.

Click on SNMP and make sure that it is turned off. If you click on UP it will take you back to the Configuration screen. NOTE: Your configuration may be different from the guide if you need SNMP enabled. This is up to you if you want to use it.

Under Security and Access Configuration click on Network Access and Services, and make sure that Telnet and FTP are turned off. If you click on UP it will take you back to the Configuration screen. NOTE: Your configuration may be different from the guide if you need FTP & Telnet enabled. This is up to you if you want to use it.
Under Security and Access Configuration click on SSH (Secure Shell), and make sure that SSH is enabled. If you click on UP it will take you back to the Configuration screen. NOTE: It is important that this is turned on so that you can manage your NOKIA box via SSH.

Under Security and Access Configuration click on SSL Certificate Tool; here is where you configure your SSL certificate. After clicking on SSL Certificate Tool, you should see the screen shown below. Enter the same data shown below into the configuration for the certificate you are creating. The pass phrase can be whatever you choose.
After all of the information has been added click on Apply. This will bring up a screen that has a certificate and a private key in it; you need to copy the entire text that is listed. After highlighting the entire certificate, right click and select "copy". After you have copied the certificate scroll to the bottom of the screen and click on the Voyager SSL certificate page link that is shown below.
When the Voyager SSL Certificate page comes up, paste the copied certificate into the box that is labeled "New server certificate". Now click on the BACK button of the IE page that you are on; I have noticed that if you click on UP rather than Back your certificate will disappear. It is a lot easier to just click on Back; this way you don't get lost as to what you are doing. Now you should be back to the page where you can copy the "Private Key"; this is the one below the Server Certificate. After you copy the key click on the green arrow that allows you to advance to the previous page in IE, Netscape or whatever you are using. Now that you are back to the area shown below, paste the Private Key in the area that reads Associated Private Key. You will then need to type in the "Pass phrase" that you created earlier. After entering the pass phrase, click on Apply and the screen will show "Apply Successful" at the top of the page.
If you click on UP it will take you to the screen shown below. This is where you will choose the required encryption strength for SSL. Choose the radio button that reads 128-bit key or stronger. After selecting the radio button click on Apply and Save. You should still see the same screen shown above; if you click on UP you will get the error message "The page cannot be displayed". You are getting this error message because you need to change the URL to use HTTPS rather than HTTP. As soon as you put an "S" behind HTTP and hit enter you will be back to the Voyager configuration page.
You now need to create the "Default filter"; this is used to deny any access to the NOKIA device except for SSH or other connections you choose. This all depends on how you create the default filter; I will be creating the default filter that only allows SSH connections to the NOKIA device. Shown below are the steps that need to be taken to apply the default filter. NOTE: The default filter is really a default policy on the NOKIA device. A policy will be applied to the device when it is pushed via the management server.

fw-test[admin] # cd $FWDIR/lib
fw-test[admin] # cp defaultfilter.ipso $FWDIR/conf/defaultfilter.pf
fw-test[admin] # fw defaultgen
Generating default filter
defaultfilter: Compiled OK.
fw-test[admin] # cd $FWDIR/state
fw-test[admin] # ls -ls
total 1
1 -rw-rw-r-- 1 root 80 736 May 21 17:41 default.bin
fw-test[admin] # cp default.bin $FWDIR/boot
fw-test[admin] # cd $FWDIR/boot
fw-test[admin] # ls -ls
total 59
1 -rw-r--r-- 1 root 80 41 Sep 19 2002 boot.conf
1 -rw-rw-r-- 1 root 80 736 May 21 17:41 default.bin
56 -rwxr-xr-x 1 root 80 57344 Sep 19 2002 fwboot
1 drwxr-xr-x 2 root 80 512 May 6 21:33 modules
fw-test[admin] #

Now that the default filter is created you can move on to the second to last step of the configuration. All of the appropriate patches and hot fixes should be applied at this time. I will demonstrate one for you; it is best to use the directory /var/tmp. NOTE: Make sure that your FTP server is running for this portion. You can get all of the current patches and hot fixes on Check Point's website.
fw-test[admin] # cd /var/tmp
fw-test[admin] # ls -ls
total 2
1 -rw-rw-rw- 1 root wheel 107 May 6 19:34 fetchout
0 -rw-r--r-- 1 root wheel 0 May 21 14:47 ipsopmddebug.txt
0 -rw-r--r-- 1 root wheel 0 May 6 22:10 ipsopmddebug.txt1
1 -rw-rw-rw- 1 root wheel 438 May 6 19:35 newimageout
0 lrwxrwxrwt 1 root wheel 42 May 21 15:44 present -> IPSO-3.7.1-BUILD010-04.05.2004-185427-1253
fw-test[admin] # ftp 10.0.0.2
Connected to 131.87.68.130.
220 3Com FTP Server Version 1.1
Name (131.87.68.130:admin):
331 User name ok, need password
Password:
230 User logged in
Remote system type is Windows/NT.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> bin
200 Type set to I.
ftp> dir
200 PORT command successful.
150 File status OK ; about to open data connection
D--------- 1 owner group 0 Apr 15 11:19 .
D--------- 1 owner group 0 Apr 15 11:19 ..
---------- 1 owner group 32330013 Oct 21 10:05 CP_FP3_IPSO.tgz
---------- 1 owner group 37908646 Apr 27 19:41 ipso_3_7_1_Build010.tgz
---------- 1 owner group 285169 Apr 16 18:52 OpenSSL_HF_mar_2004_fp3_hf2_ipso.tgz
---------- 1 owner group 21039771 Apr 28 14:10 SHF_HFA_325.ipso.tgz
#
226 Closing data connection
ftp> get SHF_HFA_325.ipso.tgz
local: SHF_HFA_325.ipso.tgz remote: SHF_HFA_325.ipso.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 20546 KB 00:00 ETA
226 File transfer successful.
21039771 bytes received in 5.79 seconds (3.47 MB/s)
ftp> bye
221 Service closing control connection
fw-test[admin] # pwd
/var/tmp
fw-test[admin] # gunzip SHF_HFA_325.ipso.tgz
fw-test[admin] # tar -xvf SHF_HFA_325.ipso.tar
cpshared_HOTFIX_HFA_325_332553963_1
fw1_HOTFIX_HFA_325_332553950_1
fw-test[admin] # ./cpshared_HOTFIX_HFA_325_332553963_1
Do you want to proceed with installation of Check Point SVN Foundation NG FP3 Support HFA 325 for Check Point SVN Foundation NG FP3 on this computer?
If you choose to proceed, installation will perform CPSTOP.
(y-yes, else no): y
SVN Foundation: cpd is not running
SVN Foundation: cpWatchDog is not running
SVN Foundation stopped
***************************************************************************
Check Point SVN Foundation NG FP3
Check Point SVN Foundation NG FP3 Support HFA 325 installation completed successfully.
***************************************************************************
fw-test[admin] # ./fw1_HOTFIX_HFA_325_332553950_1
Do you want to proceed with installation of Check Point VPN-1/FireWall-1 NG FP3 Support HFA 325 for Check Point VPN-1 & FireWall-1 NG FP3 on this computer?
If you choose to proceed, installation will perform CPSTOP.
(y-yes, else no): y
SVN Foundation: cpd is not running
SVN Foundation: cpWatchDog is not running
SVN Foundation stopped
Launching post-hotfix utility
***************************************************************************
Check Point VPN-1 & FireWall-1 NG FP3
Check Point VPN-1/FireWall-1 NG FP3 Support HFA 325 installation completed successfully.
***************************************************************************
fw-test[admin] #

The very last step to configuring this firewall is to run cpconfig. When you run cpconfig you are setting up what type of Check Point product you wish to run. We are going to choose an "enforcement module", or firewall. The second part to this is setting your one-time password for SIC (Secure Internal Communication). You are also able to put your license on at this time; we are going to put our license on later. NOTE: Check Point gives you a 15 day trial license so you don't have to apply the license right away.

fw-test[admin]# cpconfig
Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...
This End-user License Agreement (the "Agreement") is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter "You" or "Your") and Check Point Software Technologies Ltd. (hereinafter "Check Point"). TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED AN OFFER BY YOU, CHECK POINT'S ACCEPTANCE OF YOUR OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE PLACE YOU OBTAINED IT FOR A FULL REFUN
(Hit Space bar until end of license agreement)
Do you accept all the terms of this license agreement (y/n) ? y
Select installation type:
-------------------------
(1) Enforcement Module.
(2) Enterprise Management.
(3) Enterprise Management and Enforcement Module.
(4) Enterprise Log Server.
(5) Enforcement Module and Enterprise Log Server.
Enter your selection (1-5/a-abort) [1]: 1
Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization) ? (y/n) [n] ? n
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by running cpconfig
Configuring Licenses...
=======================
Host Expiration Signature Features
Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.
Do you want to add licenses (y/n) [y] ? n
Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in various cryptographic operations.
Please enter random text containing at least six different characters. You will see the '*' symbol after keystrokes that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[....................]
Thank you.
Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components
Trust State: Uninitialized
Enter Activation Key: xxxxxxxxxx
Again Activation Key: xxxxxxxxxx
The Secure Internal Communication was successfully initialized
initial_module: Compiled OK.
Hardening OS Security: Initial policy will be applied until the first policy is installed
In order to complete the installation you must reboot the machine.
Do you want to reboot? (y/n) [y] ? y

After the reboot is completed you can log back in and type in the command shutdown now. This will shut the device down properly and you can then hit the power button. If you don't shut it down like this you run the risk of putting the device into Single User Mode. You are all set to connect this device to your network and get the management server configured in order to apply a license and push a policy to this device.

About the Author
Brandon E. Robrahn, CCSA, is a Firewall Administrator for a fast-growing company that supports the Federal Government. His areas of infosec expertise include intrusion detection, firewall administration, and antivirus. He has been providing support for the Federal Government for over 2 years, and has been in the IT field for over 4 years. Before providing support to the Federal Government, he served his country in the United States Army for 3 years. In his spare time he enjoys spending time with his family and spending time outdoors.