Security Gateway 80 R71.45 Administration Guide


Security Gateway 80 R71.45 Administration Guide 12 September 2011

2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?id=12228
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
12 September 2011 - First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Security Gateway 80 R71.45 Administration Guide).

Contents

Important Information 3
Introduction 8
  Welcome 8
  Security Gateway 80 Overview 8
Installation and Deployment 9
  Prerequisites 9
  Step 1: Defining the Security Gateway 80 Object in SmartDashboard 9
  Defining a Single Gateway Object 9
  Step 2: Preparing to Install the Security Policy 14
  Viewing the Policy Installation Status 16
  Defining a SmartLSM Profile 19
  Deploying with SmartProvisioning 20
  Deploying from a USB Drive 20
  Sample Configuration File 20
  Preparing the Configuration Files 20
  Deploying the Configuration File - Initial Configuration 20
  Deploying the Configuration File - Existing Configuration 21
  Viewing Configuration Logs 22
  Troubleshooting Configuration Files 22
  Using the set property Command 23
Cluster Configuration 24
  Security Gateway 80 Clusters 24
  Creating a Cluster for New Gateways 25
  Configuring the Security Gateway 80 Appliances 25
  Configuring the Cluster Object Using SmartDashboard 26
  Converting an Existing Security Gateway 80 to a Cluster 29
  Configure the New Appliance 29
  Create and Configure a Cluster in SmartDashboard 30
  Reconfigure the Existing Security Gateway 80 30
  Configure the Cluster in SmartDashboard 30
  Viewing Cluster Status in the WebUI 31
Appliance Configuration 32
  Introduction to the WebUI Application 33
  The Overview Page 33
  The Management Server Page 33
  Networking 35
  Internet Settings 35
  Internet Configuration 35
  Internet Connection High Availability 37
  Local Network 37
  Switch Mode Configuration 40
  Bridge Mode Configuration 40
  Routing 41
  DNS 44
  Automatic Topology 45
  Implied Rules for Security Gateway 80 46
  Administration 47
  Backup and Restore 47
  Upgrade 49
  Factory Defaults 50
  Administrators 51
  Administrator Access 52
  Licensing 54
  Security 55
  Integrated Anti-Virus Protection 55
  URL Filtering 55
  Messaging Security 56
  Diagnostics 57
  Tools 57
  Traffic Logs 58
  System Logs 58
CLI Reference 59
  Using Command Line Interface 59
  Supported Linux Commands 60
  add admin access 60
  add host 61
  add interface 61
  add ntp 61
  add snmp 62
  add switch 63
  add user 63
  backup settings 63
  cphaprob 64
  cphastop 66
  cpinfo 66
  cpshell 67
  cpstart 67
  cpstat 67
  cpstop 69
  cpwd_admin 69
  cpwd_admin config 70
  cpwd_admin start stop 71
  delete admin access 72
  delete ICMP server 72
  delete dhcp 72
  delete dns 73
  delete domainname 73
  delete host 74
  delete interface 74
  delete ntp 75
  delete proxy 75
  delete snmp 75
  delete switch 76
  delete user 76
  dynamic objects 77
  exit 77
  fetch certificate 78
  fetch license 78
  fetch policy 78
  fw Commands 79
  reboot 80
  restore default-settings 80
  restore settings 80
  revert to factory defaults 81
  revert to saved image 81
  set admin access 81
  set date 82
  set dhcp server 82
  set dhcp relay 90
  set dns 90
  set dnsproxy 91
  set dns mode 91
  set domainname 91
  set expert password 92
  set ha internet primary 92
  set host 92
  set hostname 93
  set inactivity-timeout 93
  set interface 93
  set static-route 101
  set proxy 105
  set sic_init 106
  set snmp 106
  set time 111
  set time-zone 111
  set user 112
  set user-lock 113
  shell/expert 114
  show admin access 114
  show backup settings 115
  show clock 115
  show commands 115
  show date 116
  show dhcp 116
  show dns 117
  show domainname 118
  show ha internet 118
  show host 118
  show hostname 119
  show icmp servers 119
  show inactivity-timeout 119
  show interface 120
  show interfaces 120
  show license 120
  show logs 121
  show memory usage 121
  show ntp 121
  show proxy 122
  show restore settings log 122
  show revert log 123
  show route 123
  show rule hits 123
  show saved image 124
  show snmp 124
  show software version 125
  show time 126
  show timezone 126
  show timezone-dst 126
  show upgrade log 127
  show user 127
  show user-lock 127
  show vpn tunnel 128
  upgrade from usb tftp server 128
  vpn 129
Advanced Configuration 131
  Upgrade Using a USB Drive 131
  Boot Loader 132
  Upgrade Using Boot Loader 132
  Restore Factory Defaults from the Boot Loader Menu 133
  Front Panel 134
  Back Panel 135
Remote Access VPN 135
Index 137

Chapter 1 Introduction

Make sure to review the version's release notes (http://supportcenter.checkpoint.com) and the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?id=10833) before performing the procedures in this guide.

In This Chapter
Welcome 8
Security Gateway 80 Overview 8

Welcome

Thank you for choosing Check Point's Security Gateway 80. We hope that you will be satisfied with this system and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today. Check Point also delivers worldwide technical services, including educational, professional and support services, through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment. For additional information on the Internet Security Product Suite and other security solutions, refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional technical information about Check Point products, consult the Check Point Support Center (http://supportcenter.checkpoint.com). Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.

Security Gateway 80 Overview

Check Point's Security Gateway 80 delivers integrated unified threat management to protect your organization from today's emerging threats. Based on proven Check Point security technologies such as Stateful Inspection, Application Intelligence, and SMART (Security Management Architecture), Security Gateway 80 provides simplified deployment while delivering uncompromising levels of security. Security Gateway 80 supports the Check Point Software Blade architecture, providing independent, modular and centrally managed security building blocks. Software Blades can be quickly enabled and configured into a solution based on specific security needs.

Chapter 2 Installation and Deployment

You can deploy a configuration to individual Security Gateway 80s using SmartDashboard, managing either a gateway object or a SmartLSM profile. Configure a large number of Security Gateway 80s (massive deployment) using SmartProvisioning or from a configuration file that is stored on a USB drive. To install your Security Gateway 80 appliance, follow the instructions in the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?id=10833).

In This Chapter
Prerequisites 9
Step 1: Defining the Security Gateway 80 Object in SmartDashboard 9
Step 2: Preparing to Install the Security Policy 14
Defining a SmartLSM Profile 19
Deploying with SmartProvisioning 20
Deploying from a USB Drive 20

Prerequisites

To manage the Security Gateway 80 appliance, you must install a Security Management Server and SmartConsole clients that operate with Security Gateway 80. These Security Management Server versions operate with Security Gateway 80:
- For R70: version R70.40 and higher
- For R71: version R71.20 and higher
- R75 and higher versions

Note - Currently the new Security Gateway 80 R71.45 features that require central management (Large Scale Management and Provisioning) are only supported with Security Management Server version R71.45. These features will also be supported with the R75 Security Management Server in the near future. For installation instructions, see the version's release notes (http://supportcenter.checkpoint.com).

Step 1: Defining the Security Gateway 80 Object in SmartDashboard

SmartDashboard allows you to define two kinds of Security Gateway 80 objects: gateways and SmartLSM profiles. Managing these objects in SmartDashboard allows you to provision various network settings, such as DNS, Internet connections and routing. You can use a SmartLSM profile to manage a large number of Security Gateway 80 gateways.

Defining a Single Gateway Object

You can use the SmartDashboard creation wizard to define a Security Gateway 80 before or after configuration of the appliance on site. There are two options to define a gateway object:

- Management First - You define the gateway object in SmartDashboard before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP (e.g. assigned by a DHCP server or an ISP), as the IP is not known at the time the object is configured in SmartDashboard. You can prepare a policy that the appliance will fetch when it is configured.
- Gateway First - You configure and set up the Security Gateway 80 appliance first. It will then try to communicate with the Security Management Server (if this is configured) at 1 hour intervals. If connectivity with the gateway is possible during object creation in SmartDashboard, the wizard can retrieve data from the gateway (such as topology) and then help in configuration.

To define a single gateway object:
1. Log in to SmartDashboard using your Security Management credentials.
2. From the Network Objects tree, right-click Check Point and select Security Gateway. The Check Point Security Gateway Creation window opens.
3. Select Wizard Mode. The wizard opens to General Properties.
4. Type a name for the Security Gateway 80 object and make sure that the gateway platform is set to CPSG 80 series.
5. Select one of the following options for getting the gateway's IP address:
   - Static IP address - enter the IP address of the appliance. Note that if the Security Gateway 80 appliance has not yet been set up and defined, the Resolve from Name option does not work at this point.
   - Dynamic IP address (e.g. assigned by DHCP server)
   Click Next. The Trusted Communication window opens.
6. If you specified a static IP address, the Authentication and Trusted Communication sections show (if you specified a dynamic IP address, go to step 7).
   a) In the Authentication section, select one of the options:
      - Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.
        Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
      - Initiate trusted communication without authentication (less secure) - select this option only if you are sure that there is no risk of imposture (for example, when in a lab setting).

   b) In the Trusted Communication section, select one of the initialization options:
      - Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time - trust is established when the Gateway connects for the first time.
      - Initiate trusted communication now - click Connect. A status window appears. Use this option only if you have already set up the appliance. The Trust state field displays the current trust status.
   Click Next and go to step 8.
7. If you specified a dynamic IP address, the Gateway Identifier and Authentication sections show.
   a) Select one of the identifiers:
      - Gateway name - enter the same name that you will give the appliance during its initial configuration.
      - MAC address - enter the MAC address that is on the sticker on the appliance or on the box.
      - First to connect - this Gateway will be the first appliance to connect.
      Note - For your convenience, if the gateway name matches, the Security Management Server will identify the gateway regardless of its MAC address.
   b) In the Authentication section, select one of the options:
      - Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.
        Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
      - Initiate trusted communication without authentication (less secure) - select this option only if you are sure that there is no risk of imposture (for example, when in a lab setting).

   Click Next.
8. In the Blade Activation window, select the security and software blades that you want to activate and configure.
   To configure blades now:
   a) Make sure that the Activate and configure software blades now option is selected.
   b) Select the check boxes next to the blades you want to activate and configure.
   To configure blades later: select the Activate and configure software blades later option. Do this later by editing the object from the Network Objects tree.
   Click Next.
9. If you selected to activate and configure software blades now, configure the required options:
   - For NAT, the Hide internal networks behind the Gateway's external IP check box is selected by default. Clear it if you do not want to use this feature.
   - For IPSec VPN: Make sure that the VPN community has been predefined. If it is a star community, Security Gateway 80 is added as a satellite gateway. Select a VPN community that the Gateway participates in from the Participate in a site to site community list.
   - For IPS: Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.
   - For URL Filtering, Anti-Spam and Email Security, Anti-Virus and Anti-Malware, there are no other settings to configure.
   Click Next.
10. If you selected IPSec VPN, configure the VPN Encryption Domain settings. To hide the VPN domain, select Hide VPN domain behind this gateway's external IP. The VPN domain contains the network objects behind this gateway. Instead of defining the network topology behind this gateway, it is possible to use this option, which sets the VPN domain to be this gateway's external IP address. This option is only applicable if you chose to hide all internal networks behind this gateway's external IP (see the gateway's NAT settings). All outgoing traffic from networks behind this gateway to other sites that participate in the VPN community will be encrypted (including replies, of course).
   Note - If you choose this option, connections that are initiated from other sites and directed to hosts behind this gateway will not be encrypted. If you require access to hosts behind this gateway, either choose other options (define the VPN topology) or, if possible, make sure all traffic from other sites is directed to this gateway's external IP and define corresponding NAT port-forwarding rules, such as: translate the destination of incoming HTTP connections that are directed to this gateway's external IP to the IP address of a web server behind this gateway.
   To create a new VPN domain group, go to step 11. To select a predefined VPN domain, go to step 12.
11. To create a new VPN domain group:
   a) Make sure that the Create a new VPN domain option is selected.
   b) In the Name field, enter a name for the group.
   c) From the Available objects list, select the applicable object(s) and click. The objects are added to the VPN domain members list.
   d) If necessary, create a new object by pressing New.
12. To select a predefined VPN domain:

   a) Choose the Select an existing VPN domain option.
   b) From the VPN Domain list, select the domain.
   Click Next.
13. In the Installation Wizard Completion window, you can view a summary of the configuration parameters you set and can perform further actions. Select Edit Gateway properties for further configuration if you want to continue configuring the Security Gateway; when you click Finish, the General Properties window of the newly defined object opens. Click Finish.

Step 2: Preparing to Install the Security Policy

This step lets you prepare the policy for automatic installation once the gateway connects.

Note - If Security Gateway 80 has been physically set up and configured, upon successful completion of this step the policy will be pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status (on page 16).

When you use the "Management First" installation path, at the end of the Install Policy process the policy's status for a Security Gateway 80 that has not yet been set up is "waiting for first connection". This means that trusted communication has not yet been established between the Security Management server and the Security Gateway 80. Once the gateway connects, it establishes trust and attempts to install the policy automatically.

1. Click Policy > Install from the SmartDashboard menu.
2. In the Install Policy window, choose the installation targets (the Security Gateway 80 Security Gateways on which the policy should be installed) and the policy components (Network Security, QoS, etc.). By default, all gateways that are managed by the Security Management server are available for selection.
3. In the Installation Mode section, select how the security policy should be installed:
   - On each selected gateway independently
   - On all selected gateways, if it fails do not install on gateways of the same version
   Note - If the gateway is part of a VPN community, the policy should be installed on the other members of the community in order to establish a VPN tunnel between them. In a star community, policy installation is required only on the center gateways of the community.
4. Click OK. The Installation Process window displays the status of the Network Security policy for the selected target.
   Important - If the Security Gateway 80 object is defined but the appliance is not set up and it is in the "Waiting for first connection" status, you will see a message that says "Installation completed successfully". This means that the policy is successfully prepared for installation.
5. Continue tracking the status of the security policy installation with the Policy Installation Status window and the status bar ("Viewing the Policy Installation Status" on page 16).

Note - When you use the "Gateway First" installation path, trust is already established in Step 1: Defining the Security Gateway 80 Object in SmartDashboard. In this case, the policy will be pushed to the gateway from the Security Management Server and you won't see a "Waiting for first connection" message.

Important - Once trust has been established with a gateway, the "Installation completed successfully" message is still shown during policy installation even if the gateway loses connectivity for some reason (Internet connection issues, or a change of IP in the case of a DAIP appliance that is not yet updated in the Security Management Server). As before, this means that the policy has been successfully prepared, even though it has not yet been installed on the gateway and is pending a connection from the gateway.

Viewing the Policy Installation Status

You can view policy installation status in SmartDashboard with the:
- Status bar
- Status popup notification balloon
- Policy Installation Status window

SmartDashboard Status Bar

You can view the installation status of managed gateways via the status bar that appears at the bottom of the SmartDashboard window. The status bar shows how many gateways are in Pending or Failed mode.
- Pending - gateways that are either in the waiting for first connection status or in the pending status (see below for detailed explanations).
- Failed - gateways that have failed to install the policy. If there are no failures, that is shown.
The status bar is updated dynamically each time a gateway attempts to install a policy or attempts to connect to the Security Management server.

SmartDashboard Status Popup Notification Balloons

The results of gateway attempts to install a policy or connect to the Security Management Server also appear in SmartDashboard popup notification balloons that appear upon the occurrence of such events. For example:
- Trusted Communication (SIC) establishment from the gateway (when using the "Management First" installation path).
- Policy installation fetch from the gateway (the Security Gateway 80 can periodically attempt to fetch the policy from its Security Management Server, which is useful for DAIP appliances).
- SIC attempts from an unknown gateway/host. This may indicate incorrect configuration (for example, configuring a gateway first and attempting to connect to a Security Management Server before creating the gateway object in SmartDashboard).
Click Settings in a balloon to configure the display and occurrence settings of the balloons.

SmartDashboard Policy Installation Status Window

To track the status of the last policy installed on each gateway, you can use the Policy Installation Status window. The window has two sections. The top section shows a list of gateways and status information regarding the installed policy. You can use the filter fields to focus on certain policies of interest and hide other data by defining the appropriate criteria per field. Once you have applied the filtering criteria, only entries matching the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar appears below the filter fields.

The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.

These statuses can appear in this window:
- Succeeded - Policy installation succeeded.
- Succeeded (with warnings) - Policy installation succeeded but there are verification warnings.
- Waiting for first connection - Communication settings were set up on the Gateway object; waiting for the first connection with the appliance to establish trust and, if a policy has been prepared, to attempt to install it. If connection settings were set up for a Security Gateway 80 appliance but a policy was not prepared, the Policy Type column shows "No Policy Prepared" and upon first connection only trust will be established.
- Waiting for first connection (with warnings) - Same as above, but there are warnings that indicate attempts to establish trust that failed, or there are verification warnings.
- Pending - The policy remains in the pending status until the Gateway successfully connects to the Security Management server and retrieves the policy. This status appears when the Security Management server has problems connecting to the Gateway, for example if the Gateway is unavailable for receiving communication, as when behind NAT. Note that this status is applicable only if the first or previous install policy operation was successful.
- Pending (with warnings) - Same as above but there are verification warnings.
- Warning - Warning.
- Information - Information.
- Failed (verification) - Policy not installed due to a verification error.
- Failed - Policy installation failed.

You can access the Policy Installation Status window in the following ways:
- From the menu bar - click Policy > Policy Installation Status.
- From the toolbar - click the Policy Installation Status icon.
- From the status bar - click either the Failed or Pending link. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
- From notification balloons - click the See Details link in the balloon.
Note - If there is a yellow status bar in the Policy Installation Status window, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.

Defining a SmartLSM Profile

Use SmartDashboard to define a single SmartLSM profile for Security Gateway 80.

To define a single SmartLSM profile for Security Gateway 80:
1. Log in to SmartDashboard using your Security Management credentials.
2. Open the Security Policy that you want to be enforced on the Security Gateway 80 SmartLSM Security Gateways.
3. From the Network Objects tree, right-click Check Point and select SmartLSM Profile > 80 Series Gateway. The SmartLSM Security Profile window opens.
4. Define the SmartLSM security profile using the navigation tree in this window. To open the online help for each window, click Help.
5. Click OK and then install the policy.
Note - To activate SmartProvisioning functionality, a security policy must be installed on the LSM profile.

Deploying with SmartProvisioning

You can use SmartProvisioning to manage security profiles that are deployed to Security Gateway 80 gateway objects. Configure these appliances using the First Time Wizard or a USB drive configuration file before you manage them with SmartProvisioning.

For more information about massive deployment using SmartProvisioning, see the SmartProvisioning R71.45 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12229).

Deploying from a USB Drive

You can deploy Security Gateway 80 configuration files using a USB drive and quickly configure many appliances without using the First Time Wizard. The configuration file lets you configure more settings and parameters than are available in the First Time Wizard.

You can deploy configuration files in these conditions:
- An appliance with default settings that is not configured at all
- An appliance that already has an existing configuration

Security Gateway 80 starts, automatically mounts the USB drive, and checks the root directory for a configuration file.

Sample Configuration File

This is a sample Security Gateway 80 configuration file for USB deployment.

set hostname Demo1
set interface WAN internet primary ipv4-address 66.66.66.11 mask-length 25
set interface SWITCH ipv4-address 192.168.5.1 subnet-mask 255.255.255.0
delete switch port LAN4
set interface LAN4 ipv4-address 4.4.4.4 mask-length 24
add host name WebServer ipv4-address 192.168.5.4
set time-zone Eastern-Time(US-and-Canada)
set ntp server pool.ntp.org
set ntp active on
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 66.66.66.91
fetch policy mgmt-ipv4-address 66.66.66.91
add user admin2 password-hash $1$vqtaGOkr$Xhb.fj14RzIvNa5BSwmZL0

Preparing the Configuration Files

The Security Gateway 80 Massive Deployment configuration files are composed of CLIsh commands. These are the file names that can be used:
- autoconf.clish
- autoconf.xx-xx-xx-xx-xx-xx.clish (where xx-xx-xx-xx-xx-xx is the MAC address of the appliance)

You can create multiple configuration files for different Security Gateway 80 appliances. Name each file according to the MAC address of each Security Gateway 80 appliance. Security Gateway 80 first searches for a configuration file with the same MAC address. If there is no file that matches the MAC address of the appliance, the autoconf.clish configuration file is loaded.

Deploying the Configuration File - Initial Configuration

This section describes how to deploy a configuration file on a USB drive to Security Gateway 80. The file must be correctly configured and formatted before being deployed. The USB drive can be inserted in the front or the rear USB port. You can deploy the configuration file to Security Gateway 80 when the appliance is off or when it is powered on.

Important - Do not remove the USB drive or insert a second USB drive while the Security Gateway 80 configuration script is running. Otherwise, it is possible that Security Gateway 80 does not configure and run correctly.

To deploy the configuration file from a USB drive for the initial configuration:
1. Insert the USB drive into Security Gateway 80.
   - Security Gateway 80 is OFF - Turn on the appliance. The Power LED comes on and is green.
   - Security Gateway 80 is ON - The appliance automatically detects the USB drive. The USB LED comes on and is solid orange.
2. Security Gateway 80 locates the USB configuration file and begins running the script. The USB LED blinks green while the script is running.
3. The configuration script finishes. The Security Gateway 80 USB LED is solid green and the screen displays: System Started.
4. Remove the USB drive from Security Gateway 80.

Note - The USB LED blinks red when there is a problem running the configuration script. Turn off Security Gateway 80 and confirm that the configuration files are formatted correctly ("Preparing the Configuration Files" on page 20). For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 22).

Deploying the Configuration File - Existing Configuration

This section describes how to deploy a configuration file on a USB drive to Security Gateway 80 to edit or update the existing configuration. Use the set property command to set the appliance to use a configuration file on a USB drive. The USB drive can be inserted in the front or the rear USB port. You can deploy the configuration file to Security Gateway 80 either when the appliance is off or when it is powered on.

Important - Do not remove the USB drive or insert a second USB drive while the Security Gateway 80 configuration script is running. Otherwise, it is possible that Security Gateway 80 does not configure and run correctly.

To deploy the configuration file from a USB drive to a configured appliance:
1. From the CLI, enter the command: set property USB_auto_configuration once
   The appliance is set to use a configuration script from a USB drive.
2. Insert the USB drive in the appliance.
   - The appliance is ON - The appliance automatically detects the USB drive.
   - The appliance is OFF - Turn on the appliance. The Power LED comes on and is green.
   The USB LED comes on and is solid orange.
3. The appliance locates the USB configuration file and begins running the script. The USB LED blinks green while the script is running.
4. The configuration script finishes. The USB LED is solid green and the screen displays: System Started.
5. Remove the USB drive from the appliance.

Note - The USB LED blinks red when there is a problem running the configuration script. Turn off the appliance and confirm that the configuration files are formatted correctly ("Preparing the Configuration Files" on page 20). For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 22).

Viewing Configuration Logs

After Security Gateway 80 is successfully configured from a USB drive, a log is created. The log file is called autoconf.<mac>.<timestamp>.log. The log file is created in the USB root directory and in /tmp on the appliance.

Troubleshooting Configuration Files

This section discusses the scenario where the configuration file fails and the Security Gateway 80 is not fully configured.

Configuration File Error

If there is an error and the configuration file fails, the appliance is not fully configured and is no longer in the initial default condition. The commands in the configuration file that appear before the error are applied to the appliance. You can examine the configuration log to find where the error occurred.

When an appliance is not fully configured, the First Time Wizard is displayed in the Web UI. However, not all of the settings from the failed configuration file are displayed in the First Time Wizard. Check Point recommends that you do not use the First Time Wizard to configure an appliance when the configuration file fails.

Note - Restore the default settings to a partially configured appliance before using the First Time Wizard, to ensure that the appliance is configured correctly.

Suggested Workflow - Configuration File Error

This section contains a suggested workflow that explains what to do if there is an error with the configuration file on a USB drive. Use the set property USB_auto_configuration command ("Using the set property Command" on page 23) when you are running a configuration file script on a configured appliance.

1. The USB drive with the configuration file is inserted into a USB port on Security Gateway 80.
2. The USB LED on the front panel blinks red. There is a problem with the configuration file script.

   Sample console output displaying an error:

   Booting Check Point RD-6281-A User Space...
   INIT: Entering runlevel: 3...
   sd 2:0:0:0: [sda] Assuming drive cache: write through
   sd 2:0:0:0: [sda] Assuming drive cache: write through
   ...
   System Started...
   Start running autoconfiguration CLI script from USB2...
   Error.
   autoconf.00-1c-7f-21-07-94.2011-07-21.1248.log was copied to USB2

3. The log file is created and contains the configuration details. The log file is called autoconf.<mac>.<timestamp>.log. The log file is created in the USB root directory and in /tmp on the appliance.
4. Analyze the log file to find the problem.
5. If you cannot repair the configuration file:
   a) Remove the USB drive.
   b) Run the CLI command: restore default-settings
   c) Connect to the Web UI and use the First Time Wizard to configure the appliance.
6. If you can repair the configuration file:
   a) Remove the USB drive.
   b) Run the CLI command: restore default-settings
   c) Insert the USB drive and run the configuration script again.

Sample Configuration Log with Error

This is a sample configuration log file for a configuration script that fails.

set hostname Demo1
set hostname: Setting hostname to 'Demo1'
OK
set interface WAN internet primary ipv4-address 66.66.66.11
Error: missing argument 'subnet-mask' for a new connection
Autoconfiguration CLI script failed, clish return code = 1

Using the set property Command

The set property CLI command controls how Security Gateway 80 runs configuration scripts from a USB drive. These commands do not change how the First Time Wizard in the Web UI configures the appliance.
- set property USB_auto_configuration off - The appliance does not run configuration scripts from a USB drive.
- set property USB_auto_configuration once - The appliance only runs the next configuration script from a USB drive.
- set property USB_auto_configuration any - The appliance always runs configuration scripts from a USB drive.
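The file selection, apply-until-first-error behaviour and log format described in the USB deployment sections above, as an added Python example that is not Check Point code: the CLIsh subset it parses is a constructed approximation of the guide's sample file, the MAC file-name format is taken from the guide's log sample, and the error wording for unknown commands is assumed.

```python
"""Simulation of Security Gateway 80 USB auto-configuration as the guide describes it:
which file is chosen, commands applied in order until the first error, and the run log.
Added example, not Check Point code; the CLIsh subset is a constructed approximation."""
import ipaddress
import shlex
from datetime import datetime

SAMPLE_LOG_TIME = datetime(2011, 7, 21, 12, 48)  # timestamp from the guide's log name

def select_config_file(usb_root_files, appliance_mac):
    """MAC-specific autoconf.<mac>.clish first, autoconf.clish as fallback (MAC assumed lowercase, dashed)."""
    for name in (f"autoconf.{appliance_mac}.clish", "autoconf.clish"):
        if name in usb_root_files:
            return name
    return None

def log_file_name(appliance_mac, when):
    """autoconf.<mac>.<timestamp>.log, e.g. autoconf.00-1c-7f-21-07-94.2011-07-21.1248.log"""
    return f"autoconf.{appliance_mac}.{when:%Y-%m-%d.%H%M}.log"

def _options(tokens, flags=("internet", "primary")):
    """Turn 'key value key value ...' into a dict; bare flag words (assumed) map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i] in flags:
            opts[tokens[i]], i = True, i + 1
        else:
            opts[tokens[i]], i = tokens[i + 1] if i + 1 < len(tokens) else None, i + 2
    return opts

def _apply_one(t, state):
    """Apply one tokenised command; return an info log line or None, raise ValueError(text after 'Error:')."""
    if t[:2] == ["set", "hostname"] and len(t) == 3:
        state["hostname"] = t[2]
        return f"set hostname: Setting hostname to '{t[2]}'"
    if t[:2] == ["set", "interface"] and len(t) > 3:
        opts = _options(t[3:])
        if "ipv4-address" in opts:
            mask = opts.get("subnet-mask") or opts.get("mask-length")
            if mask is None:  # the failure shown in the guide's sample log
                raise ValueError("missing argument 'subnet-mask' for a new connection")
            net = ipaddress.IPv4Interface(f"{opts['ipv4-address']}/{mask}")
            state["interfaces"][t[2]] = {"ip": str(net.ip), "mask": str(net.netmask)}
    elif t[:3] == ["delete", "switch", "port"] and len(t) == 4:
        state["removed_switch_ports"].append(t[3])
    elif t[:3] == ["add", "host", "name"] and len(t) == 6 and t[4] == "ipv4-address":
        state["hosts"][t[3]] = str(ipaddress.IPv4Address(t[5]))
    elif t[:2] == ["set", "time-zone"] and len(t) == 3:
        state["time_zone"] = t[2]
    elif t[:2] == ["set", "ntp"] and len(t) == 4:
        state["ntp"][t[2]] = t[3]
    elif t[:3] == ["set", "sic_init", "password"] and len(t) == 4:
        state["sic_password_set"] = True  # the one-time SIC password is used, not kept
    elif t[0] == "fetch" and len(t) == 4 and t[1] in ("certificate", "policy") and t[2] == "mgmt-ipv4-address":
        state["mgmt"] = str(ipaddress.IPv4Address(t[3]))
        state["fetched"].append(t[1])
    elif t[:2] == ["add", "user"] and len(t) == 5 and t[3] == "password-hash":
        state["users"][t[2]] = t[4]
    else:
        raise ValueError(f"unknown or malformed command: {' '.join(t)}")  # assumed wording
    return None

def apply_script(script_text):
    """Apply commands in order and stop at the first error, as the guide says; return (state, log, rc)."""
    state = {"hostname": None, "interfaces": {}, "hosts": {}, "users": {}, "ntp": {},
             "removed_switch_ports": [], "fetched": []}
    log = []
    for line in filter(None, map(str.strip, script_text.splitlines())):
        log.append(line)  # the log echoes each command before its result
        try:
            info = _apply_one(shlex.split(line), state)
        except ValueError as exc:
            log += [f"Error: {exc}", "Autoconfiguration CLI script failed, clish return code = 1"]
            return state, log, 1  # commands before the error stay applied in state
        log += ([info] if info else []) + ["OK"]
    return state, log, 0

# The guide's sample configuration file, reproduced here as test input.
SAMPLE_CONFIG = """\
set hostname Demo1
set interface WAN internet primary ipv4-address 66.66.66.11 mask-length 25
set interface SWITCH ipv4-address 192.168.5.1 subnet-mask 255.255.255.0
delete switch port LAN4
set interface LAN4 ipv4-address 4.4.4.4 mask-length 24
add host name WebServer ipv4-address 192.168.5.4
set time-zone Eastern-Time(US-and-Canada)
set ntp server pool.ntp.org
set ntp active on
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 66.66.66.91
fetch policy mgmt-ipv4-address 66.66.66.91
add user admin2 password-hash $1$vqtaGOkr$Xhb.fj14RzIvNa5BSwmZL0
"""
# The script behind the guide's "Sample Configuration Log with Error".
FAILING_CONFIG = "set hostname Demo1\nset interface WAN internet primary ipv4-address 66.66.66.11\n"

if __name__ == "__main__":
    state, log, rc = apply_script(FAILING_CONFIG)
    print("\n".join(log), "\nreturn code:", rc, "- hostname already applied:", state["hostname"])
```

With set property USB_auto_configuration any, every later USB insertion carrying a matching file reconfigures the appliance; once limits this to the next script, which is why the existing-configuration procedure uses it.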

Chapter 3
Cluster Configuration

In This Chapter
Security Gateway 80 Clusters 24
Creating a Cluster for New Gateways 25
Converting an Existing Security Gateway 80 to a Cluster 29
Viewing Cluster Status in the WebUI 31

Security Gateway 80 Clusters

A Security Gateway 80 security gateway cluster is a group of two members, each representing a separate Security Gateway 80 appliance on which High Availability software has been installed. ClusterXL is the Check Point clustering solution. Third-party OPSEC Certified clustering products are not supported.

High Availability

High Availability allows organizations to maintain a connection when there is a failure in a cluster member. Only one machine is active (Active/Standby operation) in this configuration. Load sharing is not supported in this configuration.

Prerequisites

General overview of the process - During cluster configuration, only a "Gateway First" installation path is supported. Therefore, the gateways must be configured first using their actual IPs. Only afterwards should the cluster object be created in SmartDashboard; the subsequent policy installation from the Security Management Server informs the gateways that they are configured as cluster members.

Before you define a Security Gateway 80 cluster:
- Make sure you have defined all of the network interfaces in use for each of the Security Gateway 80 gateways. The interfaces must be defined within the same subnet. To verify definitions, access the WebUI of the appliance.
- The following is only required in order to work with the Cluster Wizard in SmartDashboard: Make sure a cable is connected between the two LAN2/SYNC ports of both appliances. You do not need to assign them IPs, as they will be created automatically later. If you do assign them, make sure the LAN2/SYNC interfaces use the same subnet. You can use a SYNC interface other than LAN2. Refer to sk52500 (http://supportcontent.checkpoint.com/solutions?id=sk52500) for details (you will be able to use the Cluster Wizard in SmartDashboard, but you will need to make further adjustments to the cluster object before policy installation).
- The Cluster Wizard assumes that the WAN interface will be part of the cluster. Make sure the WAN interfaces in each of the gateways are configured with a static IP of a matching subnet.
- When configuring the appliances that will be used in the cluster, make sure to set both of the appliances with the same one-time password used for authenticating and establishing trusted communication. Without this you will not be able to use the Cluster Wizard in SmartDashboard, and you will need to create the cluster object using Classic Mode. Trusted communication without authentication is not supported on Security Gateway 80 cluster members.

Creating a Cluster for New Gateways

Configuring the Security Gateway 80 Appliances

Full instructions on setting up and connecting the Security Gateway 80 appliance appear in the Security Gateway 80 Quick Start Guide. Below is the general workflow:
1. Connect your computer to the Security Gateway 80 appliance on its LAN1 interface.
2. Configure your computer to obtain an IP address automatically.
3. Launch your Web browser and connect to http://my.gateway

Note - When you configure two Security Gateway 80 appliances from your web browser, connect only one to a power source, configure it according to the instructions below, and then disconnect it from the power source. Then do the same for the second appliance and reboot it at the end. If you do not follow these instructions, you will not be able to use the http://my.gateway URL correctly and you will need to connect using the gateway's actual IP address (which is initially 192.168.1.1 on LAN1 before you configure it otherwise with the First Time Wizard). After you configure and connect both appliances to a power source, install a policy and renew the dynamic IP of the computer. You can then use http://my.gateway to access the active member of the cluster.

First Time Wizard Configuration
1. Provide a password and continue to the next step.
2. Set the Internet connection Protocol to Static IP if you want to connect to the Security Management Server through this interface.
3. Configure the IP address, subnet mask, default gateway and DNS server. Click Next.

Note - Configure the same subnet for the WAN interface on the second cluster member if you want the WAN interface to be part of the cluster. This is also the assumption in the Cluster Wizard in SmartDashboard.

In the Local Network configuration step:
4. Disable the switch on the LAN ports by clearing the Enable Switch on LAN ports checkbox.
5. Set the IP address and subnet mask for the LAN1 interface.

Note - Configure the same subnet for the LAN1 interface on the second cluster member if you want LAN1 to be a part of the cluster. In the LAN settings, if you want to set up DHCP, set a different range for each member. The active member will provide the addresses to the clients.

6. Select the option Initiate trusted communication securely by using a one-time password.
7. Set the one-time password. Configure the same password for the second cluster member so it will be able to use the Cluster Wizard in SmartDashboard later.
8. Select the Connect to the Security Management server later option.
9. Click Next to continue and complete the wizard.
10. Configure the cluster SYNC interface on the same subnet as the SYNC interface on the second cluster member (use a crossover Ethernet cable for the SYNC interface connection).

Note - When you use the SmartDashboard cluster wizard, the LAN2 interface serves as the SYNC interface between cluster members. You do not have to configure an IP on LAN2 at any stage of the gateway-side configuration. If you do not configure them, the LAN2 SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. To set a different SYNC interface (not LAN2), refer to sk52500 (http://supportcontent.checkpoint.com/solutions?id=sk52500).

Remember the one-time password. You will need it to configure the cluster in SmartDashboard. It must be the same on both cluster members.

IP addresses need to be configured on both cluster members before you open SmartDashboard and run the Cluster configuration wizard. If you want to configure IPs on interfaces other than WAN and LAN1, do so in each gateway's WebUI application with the Internet/Local Network pages. Make sure that for each interface that needs to be part of the cluster you configure an IP in the same subnet as the second cluster member.

Configuring the Cluster Object Using SmartDashboard

To create a cluster for two new Security Gateway 80 gateways, use the SmartDashboard Security Gateway 80 Cluster wizard.
1. Log in to SmartDashboard using your Security Management credentials.
2. From the Network Objects tree, right-click Check Point and select Security Cluster > 80 Series. The Check Point Security Gateway Cluster Creation dialog box opens.
3. Select Wizard Mode. The wizard opens to General Properties.
4. Type a name for the Security Gateway 80 cluster.
5. Click Next. The wizard opens to Cluster Members.
6. In the First Member and Second Member sections, type a Member name and Member IP address for each of the members.
7. Clear the Define the second cluster member now check box if you want to complete the wizard definitions for the first member only, so that you can check that communication and connectivity are in order.

8. Type and confirm the One-time password that is used for establishing initial trust. Once established, trust is based on security certificates. This password must be identical to the one-time password defined for both members (the same one-time password must be defined for both members in their corresponding appliances' First Time Configuration Wizard or WebUI).
9. Click Next. The wizard opens to Cluster Interface Configuration. See "Cluster Interface Configuration" (on page 28) for details.
10. To enable High Availability on the interface, select the Enable High Availability on <name> interface checkbox, where <name> shows the network interface defined in the Security Gateway 80 appliance.
11. When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The virtual IP will be applied in the next policy installation.
12. Click Next.
13. Repeat steps 10-12 for each defined interface.

Note - The Cluster Wizard in SmartDashboard assumes the common scenario of High Availability on the WAN interface. When you reach the screen of the WAN interface, you will not be able to disable High Availability on the WAN interface (other configurations can be configured later by editing the Cluster object).

Note - If the WAN interface was not defined, edit the Cluster object in SmartDashboard after the wizard and choose a correct main IP for the cluster object (this IP is used, for example, in VPN as one of the Link Selection options).

14. Upon completion, click Finish, or select Edit Cluster in Advanced mode to further configure the cluster.

Cluster Interface Configuration

In this window you define whether a network interface on the Security Gateway 80 participates in the security gateway cluster. This window appears for each of the network interfaces that have been configured in the Security Gateway 80 appliance. The total number of interfaces configured for the gateway appears in the window title. For example, if 3 interfaces have been configured for the gateway, a total of 3 windows will require configuration. The first window will display (1 of 3 interfaces).

The name of the interface you are currently configuring appears in the Interface column. Each network interface (on both members) has a unique IP address. If High Availability is enabled on the interface, then the cluster itself requires an additional unique virtual IP address. This IP address is visible to the network and ensures that failover events are transparent to all hosts in the network. When High Availability is not enabled, the interface is considered a non-monitored private interface (i.e. it is not cluster related).

You can configure High Availability for all network interfaces except for the WAN interface. By default, the WAN interface is always part of the cluster. If you do not want the WAN interface to participate in the cluster, you can edit this setting by double-clicking the Security Gateway 80 security gateway cluster object and selecting Topology node > Edit Topology. If the WAN interface was not defined, edit the Cluster object in SmartDashboard after the wizard and choose a correct main IP for the cluster object (this IP is used, for example, in VPN as one of the Link Selection options).

The graphic breadcrumb depiction at the top of the window shows you the interface you are currently configuring. You do not configure the LAN2 interface, as it is automatically configured by the wizard and is used exclusively for the SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances.

The graphic depiction at the bottom of the page indicates whether the interface is set for High Availability or not. When you configure High Availability, the physical IPs of both members meet at a point indicated by the cluster's virtual IP address.

To configure other, more advanced options for interfaces, click "Edit Cluster in Advanced mode" at the end of the wizard, edit the topology of the cluster and make the necessary adjustments.

Converting an Existing Security Gateway 80 to a Cluster

Do the following procedures to allow an existing Security Gateway 80 to become part of a cluster.

Note - The procedures require some downtime.

Terms used:
- SG80GW - represents the existing Security Gateway 80 gateway object that has already established trust and has an installed policy.
- SG80Cluster - represents the new Security Gateway 80 cluster object that you will create.
- SG80GW_2 - represents the new cluster member object that will join the existing gateway.

Configure the New Appliance

Configure the new appliance SG80GW_2 with the First Time Configuration Wizard:
1. Make sure to set the actual IP addresses that you want to use and not the virtual IP addresses that you will use later (as used by the existing gateway SG80GW).

2. The default switch configuration is not supported in a cluster configuration. If you did not change this setting (clear the Enable switch on LAN ports checkbox), it will be automatically removed during the cluster's first policy installation. However, it is more secure to remove the switch configuration before the initial policy installation.
3. The LAN2 port is used for cluster synchronization. It is recommended to keep it unassigned, so that automatic IP addresses are assigned to the SYNC interfaces. If you want to control all of the IP addresses in the system, you can however configure a static IP address.
4. Do not fetch the policy from the Security Management Server.

Create and Configure a Cluster in SmartDashboard
1. Create a new Security Gateway 80 cluster using the wizard. Define its IP address as the IP used by the existing gateway SG80GW.
2. Define the first member with SG80GW_2's IP address.
   Important - Do not define the second member using the wizard.
3. Establish trusted communication and then define the various IP addresses of the clustered interfaces. Use the existing gateway SG80GW IP address as the virtual IP of the cluster where needed.
4. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.
5. In Advanced Mode, copy to the cluster object all relevant configuration settings from SG80GW.

Reconfigure the Existing Security Gateway 80
1. Go to SG80GW and connect to it using the WebUI.
2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that will be used by the gateway as a member of the cluster.
   Important - Downtime starts.

Configure the Cluster in SmartDashboard
1. Change the main IP and the IPs that appear in the topology table of the SG80GW object.
2. Install policy on SG80Cluster.
   Important - Downtime ends. At this point, the cluster contains only one member, SG80GW_2.
3. Edit the SG80Cluster object. Go to Cluster Members tab > Add > Add existing gateway.
4. If SG80GW does not appear in the list, click Help and make sure SG80GW doesn't match any of the categories that prevent it from being added to a cluster.
   Note - You can use the information on this Help page to determine if there are any configuration settings you might want to copy to the new SG80Cluster object.
5. Edit the topology of the SG80Cluster object. Click Topology > Get Topology under the new SG80GW object. Make corrections if needed.
6. Install policy on SG80Cluster.

Viewing Cluster Status in the WebUI

After you complete policy installation on the Security Gateway 80 gateway and the gateway works as a cluster member, you can view the cluster status in the WebUI application (Appliance > Cluster).

Chapter 4
Appliance Configuration

This chapter contains instructions that help you configure the Security Gateway 80 appliance and understand special Security Gateway 80 issues.

In This Chapter
Introduction to the WebUI Application 33
The Overview Page 33
The Management Server Page 33
Networking 35
Implied Rules for Security Gateway 80 46
Administration 47
Security 55
Diagnostics 57
CLI Reference 59

Introduction to the WebUI Application

Security Gateway 80 uses a web application to configure the appliance. You currently cannot configure the appliance through the command line. After you use the First Time Configuration Wizard (see the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?id=10833)), when you connect to the appliance with a browser (with the appliance's IP or, if using the appliance as a DNS proxy or DHCP server, to "my.gateway"), it redirects the web page to a secure https site and asks for administrator credentials. Logging in correctly opens the Overview page of the WebUI application. The left pane lets you navigate between the different configuration pages.

The Overview Page

The Overview page gives you system and network information. It also gives status information about the software blades installed on the appliance. Two traffic monitors show real-time packet rate and throughput data on the machine. For each activated blade, further information is shown (for example, for the Firewall blade, how many packets are dropped, the number of current connections, etc.). You can also see on this page a summary of the current connectivity state with the Security Management Server. For more information see the Management Server page.

The Management Server Page

This page lets you:
- Test the connection status with the Security Management Server (this is also done periodically by the appliance).
- Reinitialize trusted communication (when you click the Advanced link).
- See the status of the latest attempt to install a policy on the appliance.
- Manually fetch the policy from the Security Management Server.
- View the status of the Internet connection.

Networking

Internet Settings

The WebUI Internet page lets you set and enable the Internet network connection. The Internet table displays all available Internet connections.

To set an Internet network connection:
1. Click the Edit link in the relevant Primary or Secondary row.
2. Configure the parameters in the Internet Configuration page that opens and click Apply.
3. Enable the configured connection: select the checkbox in the Enabled column.

Internet Configuration

The Internet Configuration page lets you configure the properties of the primary or secondary Internet connection and define it as either a WAN or DMZ interface.

Types of connections available:
- Static IP - A fixed (non-dynamic) IP address.
- DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network.
- PPPoE - A network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services, where individual users connect to the DSL modem over Ethernet, and in plain Metro Ethernet networks.
- PPTP - The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
- L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.
- Bridge - Connects multiple network segments at the data link layer (Layer 2). One LAN-WAN bridge is supported.

To configure Internet connections:
1. Select a Network Interface.
2. Select a Connection Type.
3. For bridges, select an interface from the Assign Interface list.
4. Enter the IP address, Subnet Mask and Default Gateway details.
5. Enter DNS Server details (for the PPPoE, PPTP, L2TP and DHCP protocols).
6. For the various dialer connection types, enter the ISP Login User Name, ISP Password and Server Host Name or IP when needed.
7. Click Apply.

Advanced Configuration Options

For all connection types, you have the option to configure additional advanced settings:
- ICMP monitoring configuration enables the appliance to better monitor the connection's health. This is mostly relevant for the Internet Connection High Availability configuration; see below.
- Advanced dialer settings (for applicable connection types), such as the ability to configure whether the connection will be up all the time or only connect on demand.
- Port Settings - MTU, Link speed and MAC address changes.

Note - MTU changes cause a momentary loss of connectivity as the interface resets with the new MTU. On the DMZ interface, the momentary loss of connectivity affects the LAN interfaces as well (hardware limitation).

MAC address changes are mostly relevant when the appliance is designed to replace an existing appliance whose MAC address is used by various devices in its environment.

To configure advanced configuration options:
1. Click the Advanced link.
2. To use ICMP requests to monitor the connection, select the checkbox and click Configure.
   a) Click Add to add a server.
   b) Select or clear the Send ICMP requests to default gateway checkbox.
   c) Set the values for the Interval between requests, Failover after and Resume requests after parameters.
   d) Click OK.

WAN Port Settings
1. Set the MTU size. Note that for a DMZ interface the MTU value is applied to all LAN ports.
2. Select which MAC address clone method to use.
3. Select the Link Speed.
4. Click Apply.

Important Notes

Bridge
- Only one bridge is supported. It always includes the WAN port and one LAN port (or the switch).
- When working in bridge mode, Internet Connection High Availability is not supported. You can configure the DMZ interface as a "standard DMZ" but not as a secondary Internet connection.

Dialers
- ISP details (login and password) are provided by your service provider. In case of an authentication failure, contact your service provider.
- If the PPPoE connection is disconnected by your service provider, this message appears: "PPPoE server unavailable".
- If the connection was disconnected because the Link Control Protocol timed out, this message appears: "PPP Link Control Protocol timed out (no response from server). Contact your service provider."
- If the PPTP connection is disconnected by your service provider, this message appears: "Internet connection was disconnected by your service provider".
- After a disconnection, the appliance tries to connect again every 30 seconds.
- You can set the IP address of your dialer connection statically by selecting Tunnel IP assignment > Use the following IP Address under Advanced (while editing the Internet connection). For PPTP and L2TP you can also set the IP address of your local tunnel network.

These connection monitoring methods are supported:
- For dialers: define the Link Control Protocol (LCP) interval and the maximum number of attempts. The gateway sends an LCP echo request every X seconds; if no reply arrives after Y attempts, the connection status becomes "PPP Link Control Protocol timed out (no response from server). Contact your service provider." If Internet Connection High Availability is enabled, the other connection becomes active.
- For all connection types except bridge: you can set one or more servers to which the appliance periodically sends ICMP echo requests. If no reply arrives after Y attempts, the connection status becomes "Destination server is unreachable (no reply for ICMP requests)". If Internet Connection High Availability is enabled, the other connection becomes active.

Setting MTU
For dialers, the value you enter in the field is Y bytes more than the effective MTU on the dialer interface, where Y is the encapsulation overhead. For example, when the field is set to the default of 1500 bytes, the MTU of the PPP interface is effectively 1492 for PPPoE and 1460 for L2TP. If you want an effective MTU of X, enter X+Y, where Y=8 for PPPoE and Y=40 for L2TP.

Internet Connection High Availability
These are the Internet Connection High Availability options:
- You can configure two different Internet connections, where only one is active and is used for the appliance's default route to the Internet. This is most commonly used for ISP redundancy.
- You can configure two separate connections on separate interfaces (the WAN and DMZ interfaces). In this case the appliance tries to bring up both connections, but at any given time only one is considered the active connection and is used as the default route.
- You can configure two connections on the same interface. The appliance tries to connect with the other connection's details each time the existing connection is considered down.

The first row in the table is the primary connection. When you click the Internet Connection High Availability link, you can configure the option to Revert to Primary connection when possible, which gives the primary connection priority over the secondary connection.

Conditions for a failover: the appliance checks the link status of each interface to detect a disconnected cable. For dynamic IP connection types, the appliance also verifies that it has an IP address. In addition, you can configure ICMP monitoring that tests the connection's health against known servers or the default gateway; this gives you additional control over the Internet Connection High Availability configuration.

Internet Connection High Availability is not supported in bridge mode or when the "connect on demand" dialer advanced option is used.
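The monitoring and failover behaviour described above (periodic ICMP or LCP probes, failover after a number of missed replies, resume after a number of replies, and the Revert to Primary option), modelled as an added example. This is not Check Point code: the connection names, gateway addresses and probe sequence are constructed, and the exact counter semantics (consecutive misses and consecutive replies) are an assumption made for the example.

```python
"""Added example (not Check Point code): models Internet Connection High
Availability monitoring as described above.  Each connection is probed once
per interval (ICMP echo to the configured servers, or LCP echo for dialers);
it is declared down after `failover_after` consecutive misses and up again
after `resume_after` consecutive replies.  The first connection is the
primary.  Connection names, gateway addresses and the probe sequence are
constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Connection:
    name: str
    gateway: str                # next hop installed as the default route when active
    failover_after: int = 3     # "Failover after": consecutive missed probes
    resume_after: int = 3       # "Resume requests after": consecutive replies
    link_up: bool = True        # cable present (assumed to come from the interface)
    has_ip: bool = True         # dynamic connection has obtained an address
    up: bool = True
    misses: int = field(default=0, repr=False)
    hits: int = field(default=0, repr=False)

    def observe(self, reply: bool) -> None:
        """Feed one probe result; update up/down with hysteresis."""
        if not (self.link_up and self.has_ip):
            # No link or no address: fail immediately, whatever the probe history.
            self.up, self.hits, self.misses = False, 0, self.failover_after
            return
        if reply:
            self.hits, self.misses = self.hits + 1, 0
            if not self.up and self.hits >= self.resume_after:
                self.up = True
        else:
            self.misses, self.hits = self.misses + 1, 0
            if self.up and self.misses >= self.failover_after:
                self.up = False


class InternetHA:
    """Two connections; one of them holds the default route at any time."""

    def __init__(self, primary: Connection, secondary: Connection,
                 revert_to_primary: bool = True) -> None:
        self.primary, self.secondary = primary, secondary
        self.revert = revert_to_primary
        self.active: Optional[Connection] = primary

    def tick(self, primary_reply: bool, secondary_reply: bool) -> Optional[str]:
        """One monitoring interval; returns the next hop of the default route
        (None means "no default route since no Internet connection is enabled")."""
        self.primary.observe(primary_reply)
        self.secondary.observe(secondary_reply)
        if self.active is not None and self.active.up:
            # Healthy; optionally hand the default route back to the primary.
            if self.revert and self.active is self.secondary and self.primary.up:
                self.active = self.primary
        else:
            # Active connection is down: fail over to whichever one is healthy.
            self.active = next((c for c in (self.primary, self.secondary) if c.up), None)
        return self.active.gateway if self.active else None


def simulate(revert_to_primary: bool, probes: List[Tuple[bool, bool]]) -> List[Optional[str]]:
    """Run a probe sequence and return the default route chosen at each interval."""
    ha = InternetHA(Connection("WAN", "203.0.113.1"), Connection("DMZ", "198.51.100.1"),
                    revert_to_primary)
    return [ha.tick(p, s) for p, s in probes]


# Constructed probe results, one (primary, secondary) pair per interval: the
# primary misses three probes in a row and then answers again.
PROBES = [(True, True), (False, True), (False, True), (False, True),
          (True, True), (True, True), (True, True), (True, True)]

if __name__ == "__main__":
    for revert in (True, False):
        print("revert_to_primary=%s:" % revert, simulate(revert, PROBES))
```

With Revert to Primary enabled the default route moves back to the WAN gateway at the seventh interval, after three consecutive replies; without it the appliance stays on the DMZ connection until that one fails. If both connections are down the default route disappears, which is the state the Routing page reports as "no default route".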
Local Network
The Local Network WebUI page lets you set and enable the local network connections, LAN switch or WAN-LAN bridge that you configure.

The Network table displays all available network connections that are not external. For the DMZ interface, this page lets you configure it as a DMZ interface (as opposed to an external interface to the Internet, which you configure in the Internet page).

LAN Switch
You can configure a port-based switch between several LAN ports. Only one switch is supported, and the LAN1 port is always part of it. A switch between all LAN ports is the default configuration set during the appliance's First Time Configuration Wizard; it can be removed during the wizard or configured more precisely in the WebUI application. The LAN switch has an IP address through which you can connect to the WebUI application.

Traffic between switch ports is neither inspected nor included in the traffic counters of the different Check Point Software Blades. Hosts on the same switch can therefore reach each other without any policy enforcement; place hosts that need to be separated on different interfaces.

Switch configuration is not available when you configure the appliance as a cluster member according to the policy installed on it from the Security Management Server. If a LAN switch is configured when a policy installation changes the appliance's status to cluster member, the switch is automatically dismantled: its IP address is assigned to LAN1, and the other interfaces that were part of the switch become unassigned.

To set or edit a local network connection:
1. Click the Edit link in the Action column of the related row.
   a) If you want to configure a switch, configure the parameters in the LAN Switch Configuration page that opens and click Apply.

   b) If you do not want to configure a switch, configure the parameters in the Interface Configuration page that appears and click Apply.
2. To enable the configured connection, select the Enabled checkbox.

Note - A LAN switch is created by default. It appears below the Networks list with its corresponding details. To remove the switch, click Unassign all ports in the Action column. This detaches all ports from the switch and removes the switch configuration.

To create a VLAN (according to the IEEE 802.1Q standard) on one of the interfaces:
1. Click New VLAN.
2. Configure the parameters in the Interface Configuration page and click Apply.

To create a switch (not available when the appliance is set as a cluster member):
1. Click Create Switch.
2. Configure the parameters in the LAN Switch Configuration page and click Apply.

To create a WAN-LAN bridge (available only when no Internet connection is set):
1. Click Create Bridge.
2. Configure the parameters in the Internet Configuration page and click Apply.

Switch Mode Configuration
The Security Gateway 80 appliance is initially configured in switch mode. The default switch contains all LAN ports. You can change this default in the First Time Configuration Wizard or in the Local Network page in the WebUI. The LAN Switch Configuration page lets you configure the LAN switch parameters.

To configure LAN switch parameters:
1. In Network Interfaces:
   a) To add an interface, select an interface from the Available Interfaces list and click Add.
   b) To remove an interface, select an interface from the Selected Interfaces list and click Remove (or edit the interface and choose a different IP assignment for it: "unassigned" or "Static IP").
2. Enter the IP address and Subnet Mask details.
3. In DHCP Server, select whether to enable, disable or use DHCP Relay, and click Apply.
   - When DHCP Server is enabled, supply the first and last IP addresses of the range. You can also add a DHCP Exclude list by supplying the range to exclude.
   - When DHCP Relay is enabled, supply the DHCP server IP address.

If you click the Advanced link, you can:
- Change the MTU used by the LAN ports (this change also applies to all LAN ports not in the switch, as well as to the DMZ interface).
- Change the MAC address that the interface uses.

Bridge Mode Configuration
The Security Gateway 80 appliance can operate in switch mode and in bridge mode:
- In switch mode, some or all of the LAN ports are connected to the same network.
- In bridge mode, the appliance connects two different networks at layer 2.

You can configure a bridge in Security Gateway 80 alongside a switch, and the appliance operates as a router between them. The bridge is always between the WAN interface and one of the LAN interfaces. It is possible to bridge between the WAN and the LAN switch itself. Unlike traffic between switch ports, traffic that goes through the bridge is inspected by the Check Point Software Blades and counted by their traffic counters.

You can configure this functionality on the appliance with the First Time Configuration Wizard (only between WAN and LAN1) and also in the WebUI for advanced configuration settings.

When you configure the gateway object in the Topology node in SmartDashboard and select the Manually defined on the Security Management server, based on the below Topology Table option to determine the networks behind the gateway, you cannot calculate the topology with the Get topology option; you must define the topology manually.

In Security Gateway 80, bridge configuration is not supported on cluster members. For bridge and cluster limitations, refer to the Security Gateway 80 Known Limitations SK (http://supportcontent.checkpoint.com/solutions?id=sk52180).

Notes -
1. Only one bridge is supported. It always includes the WAN port and one LAN port (or the switch).
2. When working in bridge mode, Internet Connection High Availability is not supported. You can configure the DMZ interface as a "standard DMZ" but not as a secondary Internet connection.

Routing
The Routing page shows a routing table with the routes on your appliance. You can add new routes from here.

Table Columns
Destination: The destination host or network the route leads to.
Destination Mask: The mask of the destination host or network. The mask must match the destination IP. For example, the mask for the destination IP 10.0.0.1 must be set to 255.255.255.255. To define a route to the entire 10.0.0.0/24 network, use the corresponding network mask 255.255.255.0.
Next Hop: The IP address of the gateway for this route. Not applicable to manually created advanced routing rules through a specific interface. For more details, see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000).
Interface: The physical network interface through which this route is reachable: LAN, WAN, DMZ or LAN Switch. It can either be resolved automatically or chosen manually. When it is chosen manually, the next hop is not mandatory and can be N/A (see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000)).
Metric: Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.
Action: The edit/delete action for routes you configured manually.

The Routing page shows the routing rules that the operating system configures automatically according to the IP addresses defined on the various interfaces and the default route you configure. Through this page it is also possible to add more routing rules. The default route and the routing rules you configure manually are shown in bold, and it is possible to edit or delete the rules you configure manually.

To add a new route:
1. On the Routing Table page, click New Route. The Route Configuration page appears.
2. Configure the parameters in the page that opens.

To edit an existing route:
Click Edit in the specific route's Action column.

To delete a route:
Click Delete in the specific route's Action column.

Route Configuration
The Route Configuration page lets you configure the information for each route.

To add a new route:
1. Supply the:
   - Destination IP Address
   - Destination Subnet Mask
   - Next Hop (default gateway)
   - Metric (0-100)
   - Interface (from the drop-down box)
2. Click Apply.

Important notes for when you add a new route:
- Make sure the destination IP address, which is normally a network address, matches the destination subnet mask.
- Normally, the next hop belongs to one of the directly attached networks, and the appliance can resolve automatically through which interface the traffic is sent. However, you can configure a specific interface through which the traffic is sent. To do this, click the combo box next to the Interface option. Once you configure a specific interface, if you enter 0.0.0.0 as the next hop, the relevant traffic is routed through that interface without using a next hop. For more details, see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000).

Note - Choosing a specific interface through which to send traffic is an advanced option. Make sure the network the appliance is connected to is configured correctly to prevent connectivity issues. This page does not support adding a specific interface with a next hop that is not in the interface's subnet.
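The checks listed above (destination matching its mask, a next hop on a directly attached network unless a specific interface is chosen, 0.0.0.0 as "no next hop", the 0-100 metric range, no default route from this page) and the lookup rule from the Metric column (longest prefix, then lowest metric, with routes through a disabled interface inactive), as an added example. This is not the appliance's code; the interface names and addresses in it are constructed.

```python
"""Added example (not the appliance's code): applies the Route Configuration
rules above to a candidate route, resolves the outgoing interface, and then
looks a destination up the way the routing table does (longest prefix,
lowest metric, routes through a disabled interface treated as inactive).
Interface names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed interface table: interface name -> address/mask.
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "LAN Switch": ipaddress.IPv4Interface("192.168.1.1/24"),
    "DMZ": ipaddress.IPv4Interface("172.16.10.1/24"),
    "WAN": ipaddress.IPv4Interface("203.0.113.10/29"),
}


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None: "0.0.0.0", send out the interface directly
    interface: str
    metric: int


def validate_route(destination: str, mask: str, next_hop: str, metric: int,
                   interface: Optional[str] = None,
                   interfaces: Dict[str, ipaddress.IPv4Interface] = INTERFACES) -> Route:
    """Return a Route, or raise ValueError for an entry the page says is invalid."""
    # The destination must be the network address for the mask:
    # 10.0.0.1 needs 255.255.255.255, 10.0.0.0 goes with 255.255.255.0.
    try:
        net = ipaddress.IPv4Network(f"{destination}/{mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"destination {destination} does not match mask {mask}: {exc}")
    if net.prefixlen == 0:
        raise ValueError("default route cannot be added here; set it on the Internet connection")
    if not 0 <= metric <= 100:
        raise ValueError("metric must be between 0 and 100")
    hop = ipaddress.IPv4Address(next_hop)
    if interface is None:
        # Automatic resolution: the next hop must be on a directly attached network.
        for name, ifc in interfaces.items():
            if hop in ifc.network:
                return Route(net, hop, name, metric)
        raise ValueError(f"next hop {hop} is not on any directly attached network")
    if interface not in interfaces:
        raise ValueError(f"unknown interface {interface}")
    if hop == ipaddress.IPv4Address("0.0.0.0"):
        # Interface route: traffic leaves through the interface with no next hop.
        return Route(net, None, interface, metric)
    if hop not in interfaces[interface].network:
        raise ValueError(f"next hop {hop} is not in the subnet of {interface}")
    return Route(net, hop, interface, metric)


def lookup(table: List[Route], destination: str,
           enabled: Optional[Dict[str, bool]] = None) -> Optional[Route]:
    """Pick the route for `destination`: longest prefix first, then lowest metric.
    Routes whose interface is disabled are inactive and skipped."""
    enabled = enabled or {}
    addr = ipaddress.IPv4Address(destination)
    active = [r for r in table if enabled.get(r.interface, True) and addr in r.network]
    if not active:
        return None
    return min(active, key=lambda r: (-r.network.prefixlen, r.metric))


if __name__ == "__main__":
    table = [
        validate_route("10.0.0.0", "255.0.0.0", "192.168.1.254", 20),
        validate_route("10.0.0.0", "255.255.255.0", "172.16.10.254", 10),
        validate_route("10.0.0.0", "255.255.255.0", "192.168.1.253", 5),
    ]
    print(lookup(table, "10.0.0.7"))
    print(lookup(table, "10.0.0.7", {"LAN Switch": False}))
```

The second lookup in the usage block shows the inactive-route behaviour from the notes: with the LAN Switch disabled, both routes through it drop out and traffic for 10.0.0.7 follows the remaining 10.0.0.0/24 route via the DMZ, even though it has a higher metric.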

Other important notes:
- You cannot add a default route from this page. The default route of the system is inherited from the Internet connection settings. To change the default route, edit the relevant Internet connection and set its "default gateway" (next hop) to the desired IP address. If Internet Connection High Availability is set, the default route changes automatically upon failover (according to the active Internet connection).
- When a network interface is disabled, all routes leading to this interface become "inactive". In such cases, the system routes traffic according to the active routing rules (typically, the default route). The route appears as inactive in the Routing page and automatically becomes active again once the interface is enabled.
- When no default route is active (for example, when there is no active Internet connection), this note appears: "Note: There is no default route since no Internet connection is enabled."

DNS
In the DNS page, you can configure the DNS server configuration and add a new host.

You need to configure DNS for the appliance so that it can resolve names, and for users who configure (or receive through DHCP) the appliance as their DNS server. In the second case, Security Gateway 80 acts as a DNS proxy and resolves incoming DNS requests with its configured DNS servers. Configuring Security Gateway 80 as the DNS server (in fact, a proxy), manually or through the appliance's DHCP service, lets users connect through a browser to the "my.gateway" URL. This is an alternative to manually entering the appliance's IP address, for easier management of the appliance.

With this page you can also manually add hosts that the gateway resolves directly, without consulting its configured DNS servers.

To configure DNS:
1. Choose whether to define up to three DNS servers that apply to all Internet connections, or to use the DNS configuration provided by the active Internet connection (Primary).
   When you select Set DNS server configuration, make sure that you enter correct IP addresses. Typically you use the first option (global DNS settings) if your DNS servers are located in the headquarters office. In this case, all DNS requests from this branch office are directed to these DNS servers.
   The second option gives a more dynamic definition of DNS servers. The gateway uses the DNS settings of the currently active Internet connection (for a static IP, the DNS servers entered manually under Internet Connection > Edit; for DHCP and dialers, the DNS servers given automatically by the ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically on failover.
2. The Security Gateway 80 appliance functions as your DNS proxy by default. It provides DNS resolution to the internal hosts behind it if this option is set. This option is global and applies to all internal ports (including the DMZ if it is not configured as a secondary Internet connection). To let internal hosts resolve names through the DNS proxy, select the Enable DNS Proxy - resolves local DNS requests checkbox.
3. Click Apply.

To add a new host:
1. Click New Host. The Host Configuration page appears.
2. Configure the parameters in the page that opens and click Apply.

To delete a host:
Click Delete in the row of the host.

To edit a host:
1. Click Edit in the row of the host.
2. In the Host Configuration page, make your changes and click Apply.

Automatic Topology
Anti-Spoofing and other security features are based on the topology table you configure when you edit the gateway object in SmartDashboard. You can configure the topology table manually or get the topology from the gateway automatically. Each time the topology changes, it is necessary to get the topology and install the policy again.

Security Gateway 80 introduces a new mode called "Automatic Topology", where the configured topology table is not necessary for features that do not involve other gateways. This option lets those features continue to work, based on the gateway's routing table, when the network configuration changes on the gateway side. When you use "Automatic Topology", it is not necessary to install a policy when changes occur.

When you select the Automatically calculated by the gateway option, which is based on the Security Gateway 80 operating system's routing table, these features work automatically:
- Anti-Spoofing
- Anti-Virus Directional Scan
- IPS (which protects only incoming connections)

After you configure automatic topology for the first time, a policy installation is necessary.

Note - Automatic topology is exposed to errors in the routing table, which can occur for example when an interface is disabled (its routes become inactive, and the topology derived from them changes accordingly).

If it is not necessary to use the automatic topology feature, you can configure the topology manually. Select the Manually defined on the Security Management Server option.

When you use VPN, automatic topology limits the options to define VPN tunnels, as other gateways need to know the topology and IP addresses of the gateway. The only scenario that supports VPN together with automatic topology is when NAT is configured. In this case, the only data that is encrypted is outgoing traffic from behind the gateway to other members of the VPN community. Other gateways recognize only the gateway's primary IP address, as this is configured in SmartDashboard regardless of the topology table. For more information, see Step 1: Defining the Security Gateway 80 Object in SmartDashboard.

Implied Rules for Security Gateway 80
These implied rules apply only to Security Gateway 80 gateways and not to other gateways, except for the outgoing Internet connections rule. That rule existed before for DHCP only, and it still allows outgoing DHCP traffic from Dynamic Address IP modules that are not Security Gateway 80.
- Accept Dynamic Address modules' outgoing Internet connections - lets the appliance connect to the Internet if it needs traffic to set itself up (for example, as necessary for DHCP and PPTP). There is no need to add an explicit rule in the Security Policy in SmartDashboard to allow this access. To override this, go to the SmartDashboard > Firewall Implied Rules section and clear the checkbox.
- Accept incoming traffic to DHCP and DNS services of Gateway - gives the internal interfaces access to the services the appliance provides (DNS and DHCP). There is no need to add an explicit rule in the Security Policy in SmartDashboard to allow this access. To override this, go to the SmartDashboard > Firewall Implied Rules section and clear the checkbox.
- Accept Web and SSH connections for Gateway's administration - lets administrators access the appliance. For more information, see Administrator Access (on page 52).
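How an anti-spoofing table can be derived from the routing table, as the Automatic Topology section above describes, together with the failure mode its note warns about (a disabled interface makes its routes inactive, so the derived topology changes). This is an added example, not Check Point code; the routing table, interface names and packet addresses are constructed, and the decision rule (a source address is legitimate on an internal interface only if a route to it points at that interface, and on the external interface only if it belongs to no internal network) is the author's reading of the page, not the product's published algorithm.

```python
"""Added example (not Check Point code): derives an anti-spoofing table from the
routing table, which is how the Automatic Topology mode described above is
said to decide which networks lie behind each interface, and then checks
incoming packets against it.  It also shows the caveat in the note: when an
interface is disabled its routes become inactive, so the derived topology
changes with them.  Routes, interface names and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

Net = ipaddress.IPv4Network
DEFAULT = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    network: Net
    interface: str


# Constructed routing table: connected networks, one static route behind a
# LAN router, and the default route inherited from the Internet connection.
ROUTES: List[Route] = [
    Route(Net("192.168.1.0/24"), "LAN Switch"),
    Route(Net("10.0.0.0/24"), "LAN Switch"),
    Route(Net("172.16.10.0/24"), "DMZ"),
    Route(Net("203.0.113.8/29"), "WAN"),
    Route(DEFAULT, "WAN"),
]


def derive_topology(routes: List[Route], enabled: Dict[str, bool]) -> Dict[str, Set[Net]]:
    """Map each interface to the networks reachable through it, ignoring
    routes through disabled interfaces (they are inactive)."""
    topo: Dict[str, Set[Net]] = {}
    for r in routes:
        if enabled.get(r.interface, True):
            topo.setdefault(r.interface, set()).add(r.network)
    return topo


def external_interface(topo: Dict[str, Set[Net]]) -> str:
    """The interface holding the default route is the external (Internet) side."""
    for name, nets in topo.items():
        if DEFAULT in nets:
            return name
    raise ValueError("no default route since no Internet connection is enabled")


def is_spoofed(topo: Dict[str, Set[Net]], iface: str, src: str) -> bool:
    """True when a packet with source `src` must not be arriving on `iface`."""
    addr = ipaddress.IPv4Address(src)
    ext = external_interface(topo)
    internal = {n for name, nets in topo.items() if name != ext for n in nets}
    if iface == ext:
        # External side: any packet claiming an internal source address is spoofed.
        return any(addr in n for n in internal)
    # Internal side: the source must belong to a network behind that interface.
    return not any(addr in n for n in topo.get(iface, set()))


if __name__ == "__main__":
    topo = derive_topology(ROUTES, {})
    print("WAN 10.0.0.5 spoofed:", is_spoofed(topo, "WAN", "10.0.0.5"))
    topo = derive_topology(ROUTES, {"LAN Switch": False})
    print("WAN 10.0.0.5 spoofed with LAN Switch disabled:",
          is_spoofed(topo, "WAN", "10.0.0.5"))
```

The second run in the usage block is the caveat: once the LAN Switch is disabled, 10.0.0.0/24 is no longer behind any internal interface, so a packet from 10.0.0.5 arriving on the WAN is no longer classified as spoofed. A manually defined topology would not drift like this, which is the trade-off the section describes.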

Administration
The System Operations page lets you manage the settings and image, as well as reboot the appliance.

Backup and Restore

Backup
The backup file you create in the WebUI contains these elements:
- System settings
- Security policy (if you select this option)
- SIC certificate (see the machine replacement notes below)
- License. Because each license is per MAC address, when you restore to a different machine you need a new license.
The backup file does not include the actual software image.

Note - Restoring a backup file replaces all existing content on the appliance.

You commonly back up your settings so that you can restore them later, if necessary, on the same appliance. Because the backup file contains the SIC certificate, which is the gateway's identity towards the Security Management Server, treat the file as a credential and store it accordingly.

Note - You can use the backup file to restore your settings if you replace your appliance. In this case you do not need to reinitialize trust (SIC) with the Security Management Server, but you do need to reactivate the licenses, as they are tied to MAC addresses. For more information, see the Restore section. You also have the option to copy your settings to other appliances, but in that case you need to reinitialize trust with the Security Management Server as well as reactivate the licenses.

Restore
You can restore your appliance settings from a backup file you created. You can restore a backup file made on a different version only if the restore function supports that version.

To restore an appliance with a backup file from another appliance, do these steps on the new appliance:
1. Open the First Time Wizard (log in to http://my.gateway).
2. Set a one-time password and click Next.
3. Click Cancel.
4. Save the settings and continue.
5. Open the WebUI (http://my.gateway).
6. Go to the System Operations page and click Restore.
7. Select the settings file and click Upload File.
8. Go to the License page in the WebUI.
9. Activate the license on the new appliance. This is mandatory, as the new appliance has a unique MAC address that requires a new license (the backup file contains the license of the other appliance).

Upgrade
There are three methods you can use to upgrade the Security Gateway 80 appliance:
- Upgrade using the WebUI
- Upgrade using a USB drive (on page 131)
- Upgrade using the boot loader (on page 132)

Upgrade Using WebUI
When you upgrade with the WebUI, an upgrade wizard prompts you to upload the new image. Regardless of whether you save the current image before the upgrade, the system performs the upgrade on a separate flash partition, and your currently running partition is not affected. If for some reason you cannot access the appliance after the upgrade, or the appliance does not start up properly, disconnect the power cable and reconnect it. The appliance automatically reverts to the previous image.

To upgrade the appliance from the WebUI:
1. Select Appliance > System Operations and click Upgrade. The Software Upgrade Wizard opens.
2. Click Next.
3. Click Browse and select the new software image file.
4. Click Upload. The software image file is uploaded to the appliance.
5. Click Next. In the upgrade wizard, before the actual upgrade process begins, you also have the option to save a local image with the Image Backup option. You can manually return to it at any time by clicking Revert to Previous Version in the System Operations page in the WebUI.
6. Select Save a local backup if you want to save a local image.
7. Click Next. The wizard shows a progress bar that indicates the upgrade stages. The image backup and the actual upgrade process each take several minutes. Upon successful completion, the appliance reboots. The browser shows a message about the upgrade status while the appliance is down. Once the appliance is back up, the browser redirects to the login page.
8. Press CTRL+F5 to refresh the browser.

Note - After a successful system upgrade, it is recommended to clear your browser's cache to delete the previous version's files.

Note - Each appliance also contains a factory default image (not to be confused with the backup image that you can save during an upgrade). An upgrade through the WebUI does not replace the factory default image saved on the appliance. However, when you upgrade with the other available methods (used mainly in the factory and at distribution hubs), such as upgrade from USB or from a bootp server, the upgrade process creates a new factory default image that is saved on the appliance. For more information about upgrading from USB or from a bootp server, see Advanced Configuration (on page 131).

Factory Defaults
The Security Gateway 80 appliance contains a default factory image. When the appliance is turned on for the first time, it loads with the default image. As part of a troubleshooting process, you can restore the Security Gateway 80 appliance to its factory default settings if necessary. You can restore a Security Gateway 80 appliance to the factory default image with the WebUI, the Boot Loader or a button on the back panel.

Important - When you restore factory defaults, you delete all information on the appliance, and it is necessary to run the First Time Configuration Wizard as explained in the Security Gateway 80 Quick Start Guide. If you upgraded your appliance in the past using the WebUI, you must upgrade it again, because a WebUI upgrade does not update the factory default image.

To restore factory defaults with the WebUI:
1. In the Security Gateway 80 WebUI, click Appliance > System Operations. The System Operations pane opens.
2. In the Appliance section, click Factory Defaults.
3. In the pop-up window that opens, click OK.
4. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress. This takes some minutes. When this completes, the appliance reboots automatically.

To restore factory defaults with the button on the back panel:
1. Press the Factory Defaults button with a pin and hold it for at least 3 seconds.
2. When the Power and Notice LEDs are lit red, release the button. The appliance reboots and starts to restore factory defaults immediately.
3. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress. This takes a few minutes. When this completes, the appliance reboots automatically.

Because this button needs no credentials, anyone with physical access to the back panel can wipe the appliance's configuration; keep the appliance in a physically secured location.

To restore the Security Gateway 80 appliance to its default factory configuration with the Boot Loader menu, see the Advanced Configuration (on page 131) section.

Administrators
The Administrators page in the WebUI lists the Security Gateway 80 administrators, lets you create new administrators and lets you configure account security settings. Administrators have permission to access the WebUI application and also to log in through SSH to the restricted cpshell.

Administrator Accounts
To create a Security Gateway 80 administrator and configure security settings:
1. On the Administrators page, click New. The Administrator Account page appears.
2. Configure the parameters in the page that opens.

To change a password:
1. Click Change Password for the relevant administrator.
2. Configure the parameters in the page that opens.

Account Security Settings
1. Set the Session Timeout value.
2. To enable login restrictions, select the Enable Login Restrictions checkbox and set the parameters:
   - Lock Account After <number> Failed Login Attempts
   - Unlock Account After <number> minutes
3. Click Apply.

Administrator Account Configuration
1. Provide an Administrator Name and a Password for the Security Gateway 80 administrator.
2. Confirm the password.
3. Click Apply.

Change Password
1. Enter the Old Password for the Security Gateway 80 administrator.
2. Enter the New Password.
3. Confirm the password.
4. Click Apply.

Administrator Access
In the Admin Access page, a list of client IP addresses is shown if you configure specific IP addresses. Only the client IPs that you configure are permitted to access the Security Gateway 80 appliance. You can add or remove a Web/SSH client and set the access ports.
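The three controls described above (the Admin Access client list, the lockout after a number of failed logins that clears after a number of minutes, and the session timeout), modelled together as an added example. This is not the appliance's code: the administrator name, password, client addresses and timings are constructed, the session timeout is modelled as an idle timeout, and the salted PBKDF2 password storage is the author's choice for the example, since the page says nothing about how the appliance stores passwords.

```python
"""Added example (not the appliance's code): models the Account Security
Settings and Admin Access controls described above.  A client must be in the
Web/SSH client list, an account locks after `lock_after` failed logins and
unlocks `unlock_after_min` minutes later, and an idle session expires after
`session_timeout_min` minutes.  Names, addresses, timings and the password
storage scheme (salted PBKDF2) are constructed for the example."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password); the salt is stored with the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)   # constant-time comparison


@dataclass
class Admin:
    name: str
    pw_hash: bytes
    failed: int = 0                      # consecutive failed attempts
    locked_at: Optional[float] = None    # time of lockout, None when unlocked


@dataclass
class AdminAuth:
    lock_after: int = 5                  # "Lock Account After ... Failed Login Attempts"
    unlock_after_min: int = 30           # "Unlock Account After ... minutes"
    session_timeout_min: int = 10        # "Session Timeout"
    allowed_clients: List[ipaddress.IPv4Network] = field(default_factory=list)
    admins: Dict[str, Admin] = field(default_factory=dict)
    sessions: Dict[str, float] = field(default_factory=dict)  # token -> last activity

    def client_allowed(self, client_ip: str) -> bool:
        """An empty list means any client; otherwise the IP must be listed."""
        ip = ipaddress.IPv4Address(client_ip)
        return not self.allowed_clients or any(ip in net for net in self.allowed_clients)

    def login(self, name: str, password: str, client_ip: str, now: float) -> Optional[str]:
        """Return a session token, or None.  `now` is seconds (injected for testing)."""
        if not self.client_allowed(client_ip):
            return None
        admin = self.admins.get(name)
        if admin is None:
            return None
        if admin.locked_at is not None:
            if now - admin.locked_at < self.unlock_after_min * 60:
                return None                      # still locked, even with the right password
            admin.locked_at, admin.failed = None, 0
        if not check_password(admin.pw_hash, password):
            admin.failed += 1
            if admin.failed >= self.lock_after:
                admin.locked_at = now
            return None
        admin.failed = 0
        token = os.urandom(16).hex()
        self.sessions[token] = now
        return token

    def session_valid(self, token: str, now: float) -> bool:
        """Idle timeout: a session that has been quiet too long is dropped."""
        last = self.sessions.get(token)
        if last is None or now - last > self.session_timeout_min * 60:
            self.sessions.pop(token, None)
            return False
        self.sessions[token] = now
        return True


if __name__ == "__main__":
    auth = AdminAuth(lock_after=3, unlock_after_min=1, session_timeout_min=1,
                     allowed_clients=[ipaddress.IPv4Network("192.168.1.0/24")])
    auth.admins["admin"] = Admin("admin", hash_password("s3cret"))
    print("from 10.9.9.9:", auth.login("admin", "s3cret", "10.9.9.9", 0.0))
    print("from 192.168.1.5:", auth.login("admin", "s3cret", "192.168.1.5", 0.0) is not None)
```

Two details matter in practice: a locked account rejects even the correct password until the unlock interval has passed, so the lockout cannot be bypassed by guessing the password quickly, and the client list is checked before any credential is examined, so an attacker outside the listed networks never gets to exercise the login path at all.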