Integrating RSF-1 with FireWall-1

Transcription

1

2 Contents 1 INTRODUCTION OVERVIEW REQUIREMENTS HARDWARE / SOFTWARE INFORMATION AT CHECK POINT S REQUEST FIREWALL-1 AND HIGH-AVAILABILITY SYNCHRONISATION...7 FIREWALL-1 SUPPORT IN RSF LIMITATIONS HARDWARE CONFIGURATION TWO NODE FIREWALL-1 & RSF-1 CLUSTER HOW RSF-1 INTEGRATES WITH FIREWALL CONNECTION FILTERING FIREWALL-1 CONFIGURATION TASKS SERVICE CONFIGURATIO N OVERVIEW FIREWALL-1 SUPPORT FILES CLUSTER INSTALLATION AND CONFIGURATION Installing All Packages Configuring RSF Configuring NetMon Configuring ResMon MONITORING POST INSTALLATION CONFIGURATION EXTERNAL ROUTING A TYPICAL EXAMPLE RSF-1 INSTALLATION WITH FIREWALL ADAPTATIONS THE DEMILITARISED ZONE (DMZ) VPN-1, REMOTE ACCESS AND POLICY SERVER CONFIGURING VPN COMMUNITIES CONFIGURING REMOTE ACCESS WITH VPN CLIENTS SUPPORT CONTACT DETAILS...39 Contents

3 1 Introduction 1.1 Overview This document describes how to use RSF-1 to provide High- Availability failover and monitoring of Check Point FireWall-1 gateways. You should also refer to the Check Point FireWall-1 manuals ([2], [3], [1]) for advice on installing and configuring FireWall-1. We assume you are configuring a two node FireWall-1 cluster. However, the general principles are also applicable to larger clusters and the techniques described are easily scaled up. Complete information on configuring RSF-1 can be found in the RSF-1 Administration Guide. Figure 1 shows the logical connections between the various components that make up the integrated solution. fwmon attempts to connect to a remote node and the firewall rule base rejects the packets. This indicates that the firewall is working correctly. If the rule base is changed or the firewall fails then fwmon will detect it and inform ResMon. NetMon probes external devices to verify the status of interfaces. If an interface is broken or is disconnected from the network then NetMon will inform ResMon. RSF-1 can receive commands from ResMon or from an administrator. RSF-1 starts the fwmon process and also informs ResMon if a service is supposed to be active or not. ResMon provides overall logic gathering and processing and also configures the cluster IP addresses used when appropriate. If any interface or the firewall fails the ResMon will remove the IP addresses and inform RSF-1 which will move traffic to the other node. Hardware Configuration Page 4

4 Figure 1 RSF-1 Overview - Logical Connections Hardware Configuration Page 5

5 2 Requirements 2.1 Hardware / Software Two servers of a supported FireWall-1 and RSF-1 platform, each equipped with at least three network interface ports, for the gateways. FireWall-1 NG-AI. This document is written around the R55 release and the Check Point documentation should be referred to for backwards/forwards compatibility with different releases but mixed versions of FireWall-1 within a single cluster are not supported. The SDK version used for ELA integration is OPSEC SDK: version 5000 (patch 1), build FireWall-1 gateway or enterprise product license. Additional firewall module license for alternative server. RSF-1 v2.7 or later with the Firewall Monitoring Agent (FWA), ResMon and NetMon components. Recommend a separate FireWall-1 Management Station. OPSEC certification no requires that applications are tested with FloodGate-1 and this can be used if required but is not mandated by this document. 3 Information at Check Point s Request This information is duplicated at the request of Check Point. FireWall-1 controls IP forwarding. On installation of the firewall it has a default filter that does not allow traffic to pass. During the system boot process traffic is not forwarded until the firewall is operational. This Default Filter system is intended to create a fail safe environment. Hardware Configuration Page 6

6 4 FireWall-1 and High-Availability 4.1 Synchronisation FireWall-1 provides a feature called State Table Synchronisation, which enables secured gateways to share connection state information. In the event of a failure, this allows existing connections to migrate to a standby gateway where they can be maintained. However, FireWall-1 does not contain any functionality to support migration of network addresses and routing information. This can be achieved using RSF-1. To use synchronisation, you must have at least two running gateways. 4.2 FireWall-1 Support in RSF-1 RSF-1 support for FireWall-1 consists of several utilities and agents designed to assist in configuring, running and monitoring FireWall-1 related services: FWA: (Firewall Monitoring Agent) continually tests FireWall-1 packet filtering for correct operation and informs ResMon if a firewall failure is detected. Please refer to the RSF-1 Firewall Monitoring Agent guide for more details. ResMon: arbitrates messages received from FWA and NetMon, instructing RSF-1 to failover the firewall IP routes if necessary. Please refer to Chapter 5 in the NetMon Admin Guide for more details. NetMon: continually tests for network connectivity and informs ResMon if a network failure is detected. Please refer to the NetMon Admin Guide for more details. fwa_install: An interactive configuration dialogue to configure firewall services and monitoring for RSF-1, using predefined templates. fwlog: Is a High-Availability.Com binary linked with the OPSEC SDK, ELA components to send our selected logs to the FireWall-1 Management Station. Hardware Configuration Page 7

7 4.3 Limitations (Note: these are limitations of the FireWall-1 software. They may be addressed in future releases of FireWall-1.) FireWall-1 Management Stations cannot be easily failed over. It is possible to failover a dedicated (non-filtering) Management Station using a shared disk in an asymmetric configuration; contact High-Availability.Com for further assistance. Loss of active IKE sessions on a machine that fails is expected even when RSF-1 fails the service over as the IKE daemon is not integrated with Check Point s state table synchronisation. Hardware Configuration Page 8

8 5 Hardware Configuration 5.1 Two Node FireWall-1 & RSF-1 Cluster Figure 2 shows the hardware configuration for a two node FireWall-1 RSF-1 cluster. Hardware Configuration Page 9

9 Figure 2: Hardware Configuration for RSF-1 & FireWall-1 Note that each gateway has three network interfaces in use, for connections to the internal (protected) network, the external network and private for state table synchronisation and RSF-1 heartbeats. They also have a dedicated serial link for RSF-1 heartbeat resilience. Hardware Configuration Page 10

10 6 How RSF-1 Integrates With FireWall Connection Filtering FireWall-1 connection filtering runs continuously on each gateway and is not started or stopped by RSF-1. ResMon controls IP address failover of floating addresses on each side of the gateways; in the event that one gateway fails, ResMon will migrate its floating addresses to the other gateway. The internal and external networks route to each other via the floating addresses. Therefore, when failover occurs it is transparent and the routes are still available. FireWall-1 synchronisation ensures that any open connections are maintained. The floating addresses will be configured and controlled by ResMon under the control of RSF-1. RSF-1 allows symmetric H.A. with FireWall-1; there can be two simultaneously active gateways providing mutual backup to each other. How traffic is routed through these two available paths is a decision for the network administrator: who may choose which route on a per-subnet, per-group or per-application basis. You may also be able to dynamically select a route with the aid of additional intelligent networking devices. For the purposes of OPSEC certification we have chosen to simplify the setup and have use an asymmetric configuration. How RSF-1 Integrates With FireWall-1 Page 11

11 7 FireWall-1 Configuration 7.1 Tasks 1. Before configuring RSF-1, you should complete the following FireWall-1 tasks. Refer to the FireWall-1 Administration Guide and FireWall-1 Reference Guide where necessary. Install and configure FireWall-1 packet filtering modules on both gateways by running cpconfig (see Installing FireWall-1 in the FireWall-1 Administration Guide). You will need a FireWall-1 Management Station. You may choose to use one of the RSF-1 servers for this role, but you will not be able to manage the gateways should this host fail. It is recommended that you use another machine for the management station. 2. To enable state table synchronisation you must answer y as follows when installing the VPN-1 & FireWall-1 kernel module; Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n]? y 3. Configure the SIC with and activation key (one time password) that you will use again on the management station. If you skip this or need to redo it, then using cpconfig on the filtering modules begins the process of establishing Secure Internal Communication (SIC) by selecting it from the menu and setting an Activation Key that you will use on the SmartDashboard. If the menu option is not available in the cpconfig menu then you have probably not installed the correct options, or you may be running the management station on the same machine (note this is not recommended) in which case you can skip this step for this machine. If you have used cpconfig, you must exit the cpconfig menu before continuing and the firewall module may be restarted automatically if required. 4. WARNING: if you disable SecureXL from the cpconfig menu you will need to re-install the entire module from scratch. 5. Complete this procedure on all firewall modules before continuing. 6. Create a new Cluster Gateway object on the management station. Add the firewall modules to the Cluster Members list. If you are using FloodGate-1 How RSF-1 Integrates With FireWall-1 Page 12

12 you will need to have installed the appropriate modules on the management station (and firewall modules) and then also tick the QoS option for the cluster. Experience has shown that the management station may need to be rebooted for this to work!! How RSF-1 Integrates With FireWall-1 Page 13

13 7. Then establish the SIC by selecting Communication and then enter the Activation Key you set earlier, then press Initialize. How RSF-1 Integrates With FireWall-1 Page 14

14 8. Configure the Cluster Member s Topology. 9. If using FloodGate-1 then you must now define an interface that will have a QoS policy. Edit the hme0 (external) interface and define a policy. For example; 10. Setup the 3 rd Party Configuration. Disable the Hide Cluster Members outgoing traffic behind the Cluster s IP How RSF-1 Integrates With FireWall-1 Page 15

15 Address as this serves no useful purpose and more explicit NAT rules should be added to the NAT rule base. You may optionally enable Support non-sticky connections but we do not recommend it. RSF-1 does not provide active load balancing so does not need to track these connections. How RSF-1 Integrates With FireWall-1 Page 16

16 11. Enable state table synchronisation for the cluster members and the appropriate network. 12. Create a network object definition for the remote node FWA will use to test FireWall-1 packet filtering is operating correctly. Please refer to the RSF-1 Firewall Monitoring Agent guide for more details. How RSF-1 Integrates With FireWall-1 Page 17

17 13. Create network object definitions for both the internal (protected) and external networks. 14. Create service definitions for ports required for RSF-1 communication (See 'Services' in the FireWall-1 Administration Guide, for more information). Service definitions for RSF-1 network based heartbeats; How RSF-1 Integrates With FireWall-1 Page 18

18 Service definition for RSF-1 UDP based control; Service definition for RSF-1 TCP based control (requires advanced setting uncheck Match for Any ); This will generate the following warning and you should click Yes to continue. How RSF-1 Integrates With FireWall-1 Page 19

19 Service group definition of RSF-1 protocols 15. If you have chosen to install FloodGate-1 on the modules then you must create a new Policy Package that includes the QoS policy options. 16. If you don t have this already then select File->New; 17. Create your FireWall-1 rule base. 18. Add a rule to allow RSF-1 traffic between the Cluster nodes. How RSF-1 Integrates With FireWall-1 Page 20

20 Optionally, modify the rule to allow RSF-1 connections from a separate management console, as shown below with MyMgmtStations. 19. Add a rule for the fwmon process to test FireWall-1 packet filtering is operating correctly, suggested port is echo. The rule Action should be reject. 20. IP Pool addresses are needed for SecuRemote connections that can failover to the other FireWall-1 gateway. To make IP Pool addresses you must enable IP Pools in the security policy. This is under Global Properties. How RSF-1 Integrates With FireWall-1 Page 21

21 21. Install the policy on the gateway cluster members. You will note that by default the policy will only be installed if it can be installed on all nodes. You are advised not to change this setting to ensure all gateway cluster members are running the same policy at all times. 22. Restart FireWall-1 on both gateways. 23. Use cphaprob stat on all nodes to verify that the synchronisation is correctly configured; Cluster Mode: Sync only (OPSEC) Number Unique Address Firewall State (*) 1 (local) active (*) FW-1 monitors only the sync operation and the security policy You may also use fw tab t connections on all nodes to compare the current connections 24. For each firewall module, create an OPSEC Application object. How RSF-1 Integrates With FireWall-1 Page 22

22 25. Initialise the Communication on the management machine the authorisation code will be used in the next step and is shown as xxxxxx. 26. The next step requires an OPSEC SDK component that is shipped by vendors like High-Availability.Com rather than direct from Check Point. The opsec_pull_cert binary is included in the HACfwa package but the other packages should also be installed at this point. Refer to the High-Availability.Com documentation for further information on this process if required. Install all of the supplied components in this way; pkgadd -d./hacbase-solaris-5.6-sparc pkg pkgadd -d./hacrsf-1-solaris-5.6-sparc pkg pkgadd d./hacnetmon-solaris-5.6-sparc pkg pkgadd -d./hacresmon-solaris-5.6-sparc pkg pkgadd d./ HACfwa-solaris-5.6-sparc.2.7.3p pkg 27. Add the following directories to root s PATH and re-login if required; /opt/hac/bin /opt/hac/rsf-1/bin /opt/hac/netmon/bin /opt/hac/resmon/bin /opt/hac/rsf-1/agents/fwa/bin How RSF-1 Integrates With FireWall-1 Page 23

23 28. On each firewall module, pull the certificate; opsec_pull_cert -h sixty -n RSF-1_HASSU201 -p xxxxxx The full entity sic name is: CN=RSF-1_HASSU201,O=sixty..sw9i5p Certificate was created successfully and written to "/opt/cpshrd-r55/conf/opsec.p12". If the file already exists you will get an error message to that effect just delete it and try again. If the management server has not been correctly initialised then you may get this message; Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority If so, then reset the communication using the SmartDashboard and re-initialise it and try again. 29. Add a rule to allow ELA connections to the management server. 30. Edit /opt/hac/rsf-1/agents/fwa/etc/fwlog.conf and create a configuration like this. Your configuration file will need to be changed to reflect the local names etc.. ela_client ip localhost ela_client auth_port ela_client auth_type sslca ela_client opsec entity_sic_name "CN=HASSU201,O=sixty..sw9i5p" ela_server ip ela_server auth_port ela_server auth_type sslca opsec_sic_name "CN=RSF-1_HASSU201,O=sixty..sw9i5p" ela_server opsec_entity_sic_name "CN=cp_mgmt,O=sixty..sw9i5p" opsec_shared_local_path /var/opt/cpshrd-r55/conf opsec_sslca_file "opsec.p12" opsec_sic_policy_file /var/opt/cpshrd-r55/conf/sic_policy.conf 31. On each firewall module, create a sic_policy.conf if it does not already exist. We have found on the clients (firewall modules) that set_isp_link_stat may need to be commented out from the standard version. 32. On the management server create a configuration /opt/cpshrd-r55/conf/cp_cprid.conf with a configuration like this. Again you will need to modify the contents for local names etc.. ela_client ip ela_client auth_port ela_server ip ela_server auth_port ela_server auth_type sslca opsec_sic_name "CN=cp_mgmt,O=sixty..sw9i5p" ela_server opsec_entity_sic_name "CN=cp_mgmt,O=sixty..sw9i5p" opsec_shared_local_path /var/opt/cpshrd-r55/conf opsec_sslca_file opsec.p12 opsec_sic_policy_file /var/opt/cpshrd-r55/conf/sic_policy.conf 33. Verify on all nodes that the sic_policy.conf allows sslca for ELA (18187) connections. Refer to the Check Point documentation for further information on this topic. HACfwa includes an example of one that works. How RSF-1 Integrates With FireWall-1 Page 24

24 34. Modify the root user s environment setting adding something like; setenv OPSECDIR /opt/cpshrd-r55/conf The appropriate path and syntax will need to be modified for your environment. How RSF-1 Integrates With FireWall-1 Page 25

25 35. FireWall-1 does take care of some of the gateway cluster ARP issues but not in a satisfactory way. Uncheck Automatic ARP Configuration ; 36. Add hide NAT rules for appropriate networks/devices in the normal way. For example; How RSF-1 Integrates With FireWall-1 Page 26

26 37. Add static NAT rules for appropriate devices in the normal way. 38. Copy S11arp to the RSF-1 service directory if you are using static NAT rules. Then link to a kill script. Now edit the file and change the ext_int name to reflect the name of the external interface and edit the nat_list to list all addresses the are NAT d using the static method. For example :- cp /opt/hac/rsf-1/agents/fwa/scripts/s11arp /opt/hac/rsf-1/etc/rc.fw-1.d ln s /opt/hac/rsf-1/etc/rc.fw-1.d/s11arp /opt/hac/rsf-1/etc/rc.fw-1.d/k89arp vi /opt/hac/rsf-1/etc/rc.fw-1.d/s11arp How RSF-1 Integrates With FireWall-1 Page 27

27 #!/bin/sh # $Id: S11arp,v /07/01 13:33:30 giles Exp $ # # Script: S11arp # # Description: Add/Delete static ARP entries for Static FW-1 NAT rules # # Author: High-Availability.Com Ltd #. /opt/hac/bin/rsf.sh service=${rsf_service:-"fw-1"} # edit for pre-1.3 releases script="`basename $0`" ext_int='hme0' # the name of the firewall's external interface nat_list=' ' # list (space separated) of IP addresses that are NAT'd behined this FW # # args: <start stop> # state=$1 # starting or stopping? # # decide action based on first argument # case "${state}" in 'start') dated_echo "Adding ARP entries for Static NAT rules" /opt/hac/rsf-1/agents/fwa/bin/fwlog "Adding ARP entries for Static NAT rules" # # startup commands here # macaddr=`ifconfig ${ext_int} awk '/ether/ { print $2 }'` for i in $nat_list ; do /usr/sbin/arp -s $i $macaddr pub done ;; 'stop') dated_echo "Deleting ARP entries for Static NAT rules" /opt/hac/rsf-1/agents/fwa/bin/fwlog "Deleting ARP entries for Static NAT rules" for i in $nat_list ; do /usr/sbin/arp -d $i done ;; *) echo "Usage: $0 <start stop>" exit ${RSF_WARN} # warning code ;; esac exit ${RSF_OK} # OK code (default) 39. Reboot all the nodes and then re-install the policy on the firewall modules. How RSF-1 Integrates With FireWall-1 Page 28

28 8 Service Configuration 8.1 Overview Recent releases of RSF-1 include additional support for FireWall-1 and other firewall setups. This support consists of template scripts and configurations, and simple setup scripts to edit and install them appropriately. 8.2 FireWall-1 Support Files FireWall-1 service template files, installed in /opt/hac/rsf- 1/agents/fwa/scripts/. Even if you do not run the setup scripts, you may wish to review and use these files as a basis for your services. Some of them are automatically linked during installation to the RSF-1 service directories. 8.3 Cluster Installation and Configuration Installing All Packages Configuring RSF-1 Add the appropriate PATHs to the login shell and re-login as directed in post install messages and the documentation. Now install licenses which you have been given or obtain the DEMO licenses from the web automatically by running; rsf_install netmon_install Then setup the config files in accordance with the RSF-1 administration guide. Note that the RSF-1 config files must be identical binary not just look the same, we strongly recommend a file transfer. The config file is located at; /opt/hac/rsf-1/etc/config How RSF-1 Integrates With FireWall-1 Page 29

29 The following is an example config file for the example used throughout. REALTIME 0 POLL_TIME 1 # # MACHINE & heartbeat definitions # MACHINE HASSU201 NET HASSU202 HASSU202-priv NET HASSU202 HASSU202-int SERIAL HASSU202 /dev/ttyb MACHINE HASSU202 NET HASSU201 HASSU201-priv NET HASSU201 HASSU201-int SERIAL HASSU201 /dev/ttyb # # SERVICE definitions # SERVICE FW-1 fw-1 " FireWall-1 Service" INITTIMEOUT 60 RUNTIMEOUT 20 IPDEVICE "NONE" SERVER HASSU201 # primary SERVER HASSU202 # secondary 1. Create an RSF-1 service, called FW -1 as shown above. The main timeouts can be as low as 3 (but 20 seconds is recommended as a safe minimum) seconds if you reduce the heartbeat poll time to 1 second in RSF-1 2.x (the initial timeouts should allow for host reboot times). The heartbeat poll time can be adjusted by setting the POLL_TIME parameter in the RSF-1 config file. The precise timeout that is safe is a function of the maximum load (traffic, rule base, user processes etc) that your machine could be subjected to and the power of the machine. If you have ensured that you use FloodGate-1 policies such that the machine will not be overloaded then you may use shorter timeouts safely. 2. HACfwa creates a subdirectory in /opt/hac/rsf-1/etc, called rc.fw-1.d. It also copies the firewall template service scripts from /opt/hac/rsf-1/agents/fwa/scripts to this directory. Edit the variables as required to fit your hostnames, interfaces, etc. Remember that the FireWall-1 gateway modules themselves are run continuously and are not under the control of RSF Run rsfklink to create the service shutdown links if you add any scripts to the service. 4. Copy the service config files and scripts to the other RSF-1 server. Then restart RSF-1 on both nodes which can also be achieved by rebooting the machines. How RSF-1 Integrates With FireWall-1 Page 30

30 8.3.3 Configuring NetMon The config file is located at; /opt/hac/netmon/etc/config RESMON PIPE /opt/hac/netmon/etc/pipe NET_THRESHOLD 99 DEFAULT_METHOD ping POLL_TIME 0.1 # # WebFront options OPTION WEBFRONT-PORT OPTION WEBFRONT-ENABLE TRUE OPTION WEBFRONT-SERVER-NAME WEBFRONT-NETMON OPTION WEBFRONT-DEFAULT-REFRESH 1 OPTION WEBFRONT-AS-USER root OPTION WEBFRONT-AS-UID 0 OPTION WEBFRONT-AS-GID 0 INTERFACE hme0 MACHINE INTERFACE qfe1 MACHINE Because of the way that Check Point s filters work NetMon must be started after FireWall-1. Move the start script as follows; mv /etc/rc2.d/s98netmon /etc/rc3.d/s99netmon Configuring ResMon The config file is located at; /opt/hac/resmon/etc/config PIPE /opt/hac/netmon/etc/pipe RESOURCE hme0 RESOURCE qfe1 RESOURCE FW-1-active INTERFACE_GROUP public { REQUIRES hme0 } INTERFACE_GROUP private { REQUIRES qfe1 } SERVICE firewall { REQUIRES hme0 AND qfe1 AND FW-1-active RESUME /opt/hac/resmon/actions/resmon_rsfcli resume FW- 1 FAIL /opt/hac/resmon/actions/resmon_rsfcli stop FW-1 } IPADDRESS { REQUIRES public AND private AND FW-1-active INTERFACE_GROUP private ALIASNO 1 } IPADDRESS { How RSF-1 Integrates With FireWall-1 Page 31

31 REQUIRES public AND private AND FW-1-active INTERFACE_GROUP public ALIASNO 1 } 8.4 Monitoring The default failure action for both the monitoring agents is to stop the running RSF-1 services. This will normally cause them to failover to the other gateway, assuming their switchover modes are set to automatic. The default resume action is to reset the switchover modes for all services to automatic, allowing the gateway to take over services if necessary. FWA logs to /opt/hac/rsf-1/agents/fwa/log/fwa.log ResMon logs to /opt/hac/resmon/log/resmon.log NetMon logs to /opt/hac/netmon/log/ netmon.log How RSF-1 Integrates With FireWall-1 Page 32

32 9 Post Installation 9.1 Configuration Configure your clients and routers to route traffic via the virtual IP addresses attached to the gateways. (N.B. Your operating system, may show the physical interface addresses in the routing table; this will not affect failover.) You can balance your traffic across both gateways by routing different subnets through each. Your external router(s) must be correctly configured to route return traffic via the same path. 9.2 External Routing Please note that routing through the firewalls must be configured in a symmetric way. That is traffic which travels through one firewall in one direction and returns through the same firewall. This will ensure that IKE sessions will work, as these are not synchronised with state table synchronisation. Note that because of the FireWall-1 limitation, it is possible that IKE sessions will not failover (i.e. break) if the cluster should switch nodes for any reason. How RSF-1 Integrates With FireWall-1 Page 33

33 10 A Typical Example 10.1 RSF-1 Installation with FireWall-1 Figure 2 shows a specific example; HASSU201 and HASSU202 are firewalling gateways in an asymmetric RSF-1 configuration. They are connected via switches or routers to the internal and external networks. HASSU201 is the primary server for FW-1. The Firewall Monitoring Agent on HASSU201 and HASSU202 are testing (remote_1) with echo, should they receive a reply from remote_1 the gateway is marked as down. Internally, the firewalls are accessed via the virtual IP address , controlled by RSF-1. Externally, the firewalls are reached via the virtual IP addresses , configured within the service scripts. The gateways exchange state information and RSF-1 heartbeats via a private network link on the x network corresponding to HASSU201-priv and HASSU202-priv. See local hosts file for more details. Firewall Monitoring Agent (FWA) Configuration file; (create /opt/hac/rsf-1/agents/ fwa/etc/config) # Configuration file for HACfwa # The ip address and port of the machine to monitor MONHOST="remote_1" # host to check MONPORT="7" # port to check # The following are names of scripts that are to be called upon failure # These scripts must exist within fwa/actions FWAFAIL="fwa-fail" # execute on failure FWARESUME="fwa-resume" # execute on resumption # The name of the fwmon executable in fwa/bin FWA="fwmon" # Any additional options to call fwa with (Usually left blank) FWAOPTS="-l" # general options How RSF-1 Integrates With FireWall-1 Page 34

34 Local Hosts File (/etc/hosts) # # Internet host table # localhost router HASSU HASSU fw-1-ext fw remote_ HASSU201-int HASSU202-int fw-1-int remote_ HASSU201-priv HASSU202-priv ga21p sixty ela_server loghost 11 Adaptations 11.1 The Demilitarised Zone (DMZ) Many sites possess an additional network hanging off their gateway, called the demilitarised zone (DMZ), for corporate web servers and gateways. When using two H.A. gateways, you should connect both to the DMZ and route via third floating interfaces on that network. The S30interface script can be copied and renamed for each extra interface required- S31... S32 etc. or the ResMon configuration may be revised. 12 VPN-1, Remote Access and Policy Server 12.1 Configuring VPN communities Check Point VPN-1/ FireWall-1 NG s management tools provide VPN setup ability. VPN-1, Remote Access and Policy Server Page 35

35 Go to the VPN Manager tab and choose the VPN community meshed object (or create a new community by right clicking the mouse-> New Community -> Meshed ) Choose the participating gateways in this community. VPN-1, Remote Access and Policy Server Page 36

36 If you are configuring the VPN community with an externally managed module you will need to add a pre-shared secret for this module as well, in the Shared Secret tab. Now go back to the Security Policy tab and configure the security rule you want. Notice that the Action should be set to accept, not Encrypt. The IF VIA section should be configured with the VPN Community you just configured Configuring Remote Access with VPN Clients Configuring remote access (SecuRemote, SecureClient) is done in a similar way to VPN Communities. VPN-1, Remote Access and Policy Server Page 37

37 Go to the VPN Manager tab and choose the RemoteAccess start object (or create a new community by right clicking the mouse-> New Community -> Start ) Choose the Participating Cluster object that all remote users will connect to. In the Security Policy configure the remote access rule. VPN-1, Remote Access and Policy Server Page 38

38 If you re using SecureClient you ll need to install a Desktop Policy for the users. Inbound and Outbound rules. 13 Support 13.1 Contact Details Further support and information can be obtained directly from High-Availability.Com Ltd: Tel No: Fax No: support@high-availability.com. See for additional support information. VPN-1, Remote Access and Policy Server Page 39