In this article we are going to install a Check Point Security Gateway.
Document ID | CPENG02 |
Product | Security Gateway |
Version | R80.10, R80.20, R80.30, R80.40 |
OS | Gaia |
Platform / Model | All |
Gateway IP : Internal (eth0) ==> 192.168.1.2/24
Management Server IP : 192.168.1.10/24
VMnet Details:
VMnet1 : Host-Only : Internal Interface : 192.168.1.0/24
As per the above diagram, we are going to set up a Security Gateway with the R80.20 ISO.
STEP 01: Download the R80.20 ISO file by referring to sk122485.
For R80.30 refer to sk144293 and for R80.40 refer to sk160736, then follow the same process below.
STEP 02: Click on the “Clean Install” option because we are not upgrading the GAIA OS from a lower version to a higher version (for example, from R80.10 to R80.20).
STEP 03: File Name: Check_Point_R80.20_T101_Security_Management.iso.
STEP 04: Verify the MD5 value. I am using the MD5Checker tool to verify it; you can also use any other tool to verify the MD5 value.
STEP 05: Open MD5Checker and add the R80.20 ISO image by clicking the “Add” icon.
STEP 06: The MD5 value shows “same”.
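The same check as STEP 04 to STEP 06 can be scripted. The following is an added example, not part of the original article; the function names are hypothetical and the sample file is constructed so that it runs offline. An MD5 match shows the download is not corrupted; where the download page also publishes a SHA-256 value, compare that one as well, which is why the script computes both digests in one pass.

```python
import hashlib
import hmac
import os
import tempfile

def file_digests(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash the file once, in 1 MiB chunks, so a multi-GB ISO is never held in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def normalise(published):
    """Keep only hex digits: published values get pasted with spaces or in upper case."""
    return "".join(ch for ch in published.lower() if ch in "0123456789abcdef")

def verify_image(path, published, algorithm="md5"):
    """Return (matches, computed_digest) for the image against the published value."""
    expected = normalise(published)
    computed = file_digests(path, (algorithm,))[algorithm]
    # A truncated or wrong-algorithm value can never match; reject it explicitly.
    if len(expected) != len(computed):
        return False, computed
    return hmac.compare_digest(expected, computed), computed

if __name__ == "__main__":
    # Constructed stand-in for the ISO so the example runs offline; in the lab,
    # pass the path of the downloaded image and the value from the download page.
    fd, sample = tempfile.mkstemp(suffix=".iso")
    os.write(fd, b"abc")
    os.close(fd)
    published_md5 = "900150983CD24FB0D6963F7D28E17F72"  # MD5 of the sample bytes
    ok, computed = verify_image(sample, published_md5)
    print("md5", computed, "same" if ok else "MISMATCH: do not install")
    print("sha256", file_digests(sample)["sha256"])
    os.remove(sample)
```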
STEP 07: Check the network configuration to assign a network address to the VMnet (Virtual Network).
To verify the network configuration, go to VMWARE —> FILE —> Virtual Network Editor.
As per the below diagram, I am using network 192.168.1.0, so one VMnet is required to set up the MGMT server. I changed the 10.10.10.0 network to 192.168.1.0/24, where the Management Server IP is 192.168.1.10 and the Default Gateway will be 192.168.1.2.
STEP 08: Click on “Change Setting”.
STEP 09: As shown below, I changed to the 192.168.1.0 network, so we add the network address 192.168.1.0 and Subnet Mask 255.255.255.0.
NOTE: Uncheck “Use local DHCP service to distribute IP address to VMs” because we are assigning static IP addresses.
STEP 10: Verify the IP address of the HOST machine (the machine where we install/run VMware). By default, if I configure the VMnet as 192.168.1.0, the Host machine gets the first host address, 192.168.1.1. We can use any IP address from that network segment, but in our LAB we are not going to change it; we take it as it is.
NOTE: As per my personal experience, most of the time people use the first host address, such as 192.168.1.1 (example IP address), as the Gateway address or Management address. In that scenario we are not able to run the GAIA First Time Wizard configuration, because the HOST machine has by default taken the first host address.
Simply verify the IP address of the machine where the VMware setup is running; check in VMnet1.
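The address clash described in the NOTE above can be caught before any VM is built. This is an added example, not part of the original article: `check_lab_plan` is a hypothetical helper, the first plan uses the addresses from this lab, and the second is a constructed counter-example in which the gateway is given the first host address.

```python
import ipaddress

def check_lab_plan(vmnet, host_adapter, nodes, default_gateway=None):
    """Return a list of problems in a host-only VMnet addressing plan.

    vmnet: subnet in CIDR form; host_adapter: address the VMware host holds on
    that VMnet; nodes: {name: "ip/prefix"} for each VM interface.
    """
    net = ipaddress.ip_network(vmnet)
    host_ip = ipaddress.ip_address(host_adapter)
    owners = {host_ip: "host adapter"}
    problems = []
    if host_ip not in net:
        problems.append(f"host adapter {host_ip} is outside {net}")
    for name, raw in nodes.items():
        iface = ipaddress.ip_interface(raw)
        if iface.network != net:
            problems.append(f"{name}: {raw} is not in {net} with the same mask")
        elif iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address")
        elif iface.ip in owners:
            problems.append(f"{name}: {iface.ip} is already held by {owners[iface.ip]}")
        else:
            owners[iface.ip] = name
    if default_gateway is not None:
        gw = ipaddress.ip_address(default_gateway)
        if gw not in net:
            problems.append(f"default gateway {gw} is not on-link in {net}")
        elif gw not in owners:
            problems.append(f"default gateway {gw} is not assigned to any node")
    return problems

# Addresses from this article's lab.
PAGE_PLAN = {"SG eth0": "192.168.1.2/24", "Management Server": "192.168.1.10/24"}
# Constructed counter-example: the gateway is given the first host address.
CLASHING_PLAN = {"SG eth0": "192.168.1.1/24", "Management Server": "192.168.1.10/24"}

if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("clashing plan", CLASHING_PLAN)):
        issues = check_lab_plan("192.168.1.0/24", "192.168.1.1", plan, "192.168.1.2")
        print(label, "->", issues or "no problems")
```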
STEP 11: Create new Virtual Machine click on “Create a New Virtual Machine”.
STEP 12: To select the ISO image file, click on “Browse”.
STEP 13: Select the R80.20 ISO image file.
STEP 14: Select the Guest Operating System: Other and select the Version: Other 64-bit, because I am using a 64-bit OS (GAIA OS 64-bit).
STEP 15: Select the location where the VM configuration file is stored; in my case I am selecting the “D drive”.
NOTE: It is not necessary to select the “C Drive” only. You can use other drives as well, but they must have enough space.
STEP 16: We are going to use Maximum disk size (GB): 100 and select “Store virtual disk as a single file”.
NOTE: As per my personal experience, I always recommend using more than 60 GB as the disk size.
STEP 17: Select “Customize Hardware” to configure some parameters.
STEP 18: Select the memory (RAM): 4 GB. As per the below image, the minimum memory required is 6 GB for the Management Server, but because this is my LAB setup I use 4 GB.
STEP 19: Select the total processor core as “2”.
NOTE: For a production setup, check with your local Check Point SE for sizing.
STEP 20: Select the Network Adapter: VMnet1 because we are using VMnet: 192.168.1.0 network.
STEP 21: Click “Finish”.
STEP 22: Now we are going to power on the virtual machine.
STEP 23: Select “Install Gaia on this System”.
STEP 24: Click “OK”.
STEP 25: Click “US” because I am not using US language keyboard.
STEP 26: I modified the default configuration as follows:
System-swap (GB): 7%
System-root (GB): 22%
Logs (GB): 20%
Backup and upgrade (GB): 50%
NOTE: It all depends on the disk size.
STEP 27: Choose a password for the admin user. The default username is “admin”.
NOTE: Make sure that NumLk is on.
STEP 28: Assign the IP address as well as the Default Gateway.
NOTE: The Default Gateway can also be assigned later.
STEP 29: Click “OK”.
STEP 30: Reboot the Security Gateway.
STEP 31: Log in with Login: admin and password: “****” and run the First Time Configuration Wizard.
Then check the interface configuration to verify that the IP address we configured is set properly.
STEP 32: Open a browser such as Chrome, Mozilla, Internet Explorer, Opera or another supported browser and browse to https://192.168.1.10.
NOTE: Use “https://”, not “http://”.
STEP 33: Log in with Username: admin and Password: ***** and click “Login”.
STEP 34: Click “Next”.
STEP 35: Select “Continue with R80.20 configuration” and click “Next”.
STEP 36: The IP address we see below is the one I already configured (Check STEP:32), but if you still want to change the IP address and the Default Gateway, you can do that here as well. eth0 is the only interface for Management Server because we have only one VMnet (VMnet1: 192.168.1.0).
NOTE: The Default Gateway can be configured later.
NOTE: A Gateway must have more than one interface. In our case we have only one interface, but a minimum of two interfaces is required to be able to install the security policy.
STEP 37: Give a Host Name of your choice; in my case, I named it “SG”. Also assign the Primary and Secondary DNS, then click “Next”.
NOTE: Apart from the “Host Name”, all the rest of the configuration can be assigned later as well.
STEP 38: Select “Set time manually” and choose the Time Zone. After selecting this, verify the other parameters such as Date and Time.
STEP 39: Select “Security Gateway and/or Security Management”.
NOTE: R80.20/R80.30 have separate ISOs for Security Gateway and Management Server, and only the Security Gateway ISO can also be used for a StandAlone setup as well as a dedicated Security Gateway setup.
STEP 40: As we can see in the image below, the Security Gateway checkbox is already enabled because this is a dedicated ISO for the Security Gateway. We also have the option to enable “Security Management”; once you enable “Security Management”, it acts as a StandAlone setup. In my case we only set up the Security Gateway, so there is no need to enable the “Security Management” checkbox.
We can also see the “Clustering” section because this is a Gateway ISO. In my case I am not going to configure ClusterXL, so I leave it as it is and do not mark the checkbox “Unit is a part of a cluster type”.
Select “Automatically download Blade Contracts and other important data (highly recommended)” and click “Next”.
STEP 41: In my case the Gateway does not have a dynamically assigned IP address, so select “NO” and click “Next”.
STEP 42: Give a strong Secure Internal Communication (SIC) key for establishing SIC between Management and Gateway and click “Next”.
NOTE: Note down the SIC key; it is required when you establish SIC between the Security Management Server and the Security Gateway in order to push the policy, etc.
STEP 43: Click “Yes”.
Now processing starts.
NOTE: The system reboots automatically.
STEP 44: As we see in the image below, from the host machine (the machine where VMware is installed and running) we are unable to ping the gateway address (IP: 192.168.1.2) because the default policy is already applied to the Security Gateway. So we need to uninstall the policy to get access.
STEP 45: Set the expert password for advanced access.
STEP 46: Run the command cpview (it works in both the default CLISH mode and Expert mode) to check the System Information.
STEP 47: Power on the “Management Server” VM, then open the SmartConsole, create a Gateway Object and establish SIC.
STEP 48: After powering on the Management Server, log in via CLI and try to ping from the Host Machine where VMware is installed. First ping the Management Server IP; if it is successful, open the SmartConsole, but before that also verify that all services are established (check CPM and FWM).
Command: [Expert]# cpwd_admin list
STEP 49: Add the Security Gateway by using SmartConsole.
Location to add Gateway using SmartConsole : R80.20 –> New –> More –> Network Object –> Gateway and Servers –> Gateway
STEP 50: As per the below image, we can see two options: Wizard Mode and Classic Mode. We can use either option, but I always like Wizard Mode because it is simple for me. So click on “Wizard Mode”.
STEP 51: Give a name to the Security Gateway object. I named it “SG”. It is an open server, so select “Open Server”; if you add a dedicated Check Point appliance, you need to select that appliance model in the list.
STEP 52: Assign the Gateway IP address; in my case the IP address is 192.168.1.2.
STEP 53: Now we need to enter the SIC key that we set during the Security Gateway First Time Configuration Wizard (Refer STEP:?). After assigning the one-time password (SIC key), click “Next”.
STEP 54: Click “Close”.
STEP 55: Mark “Edit Gateway properties for further configuration” and click “Finish”.
STEP 56: After establishing SIC, verify the General Properties.
STEP 57: On the Security Gateway —> “Network Management”, click “Get Interfaces” and then click “Get interface with Topology” so that anti-spoofing is configured automatically.
STEP 58: Click “Accept”. In the image below only one interface has been added, so we see one interface IP address, that of eth0.
STEP 59: Install the Database.
STEP 60: Publish and Install.