
An Introduction to Checkpoint Firewall

This paper is an introduction to Checkpoint's Firewall version 4.1. In this paper you will learn the basics of
what Checkpoint is and how it works. You will also see a graphical installation of Checkpoint on an NT 4
server as well as creating a generic set of rules that would apply to a small business or home user. Throughout
my years of using Checkpoint, I have never seen "HowTo" instructions on Checkpoint like this other than
what is taught in the Checkpoint classes. At the very end of this document, you will find some useful links to
sites I have found helpful over the years. Please keep in mind that this is not meant to be a comprehensive,
all-inclusive tutorial on Checkpoint, but simply a quick get up to speed small business paper.
A brief overview of Firewalls
There are 3 basic types of Firewall systems used today:
Packet Filtering
Application Gateway Proxy
Stateful Inspection
A Packet Filtering Firewall examines each packet that passes through it up to the network layer. This means
that the upper four layers (Application, Presentation, Session, and Transport) are allowed into an internal
network. The Packet Filtering Firewall looks at each packet and determines what to do with it based on a
rulebase you define. This type of Firewall technique is popular because it is inexpensive, transparent to
applications and quicker than most application layer gateways. However, it provides low security, has a
limited ability to manipulate information, is difficult to configure, and is subject to IP Spoofing. These types of
Firewalls can usually be found on routers.
Application Layer Gateways, better known as Proxies, function on the application level. Proxies are being
challenged today in that outside networks are continually growing and introducing new protocols, services
and applications all the time. As this happens, the Proxy has a difficult time handling these extreme
communications on networks.
Proxy Firewalls remain popular today because they offer a decent level of security, are relatively inexpensive
and provide full application-layer awareness. However, each service requires its own application layer
gateway, meaning scalability is horrible. Running at the application level is critical to performance and they
are vulnerable to operating system and application level bugs and exploits.
Stateful Inspection is the third type of firewall used today. Stateful Inspection gathers, stores, and
manipulates information pertaining to all communication layers and from other applications. In other words,
imagine a giant spreadsheet. Every packet that is allowed through the firewall is entered into that spreadsheet
and kept there for a pre-determined amount of time, creating a "Stateful Inspection Table." The benefits of
this are excellent security, full application-layer awareness, high performance and scalability.
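The spreadsheet analogy can be made concrete. The following Python sketch is an added example, not Check Point code: it contrasts a stateless filter with a state table whose rows expire after an idle timeout. The /24 mask, the 60-second timeout and all addresses are constructed for illustration.

```python
"""Toy model: a stateless packet filter next to a stateful inspection table."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/24")   # assumption: /24 mask for the internal LAN
IDLE_TIMEOUT = 60                          # seconds; constructed value


def stateless_accepts(src, sport, dst, dport):
    """Packet filter: each packet is judged alone, by header fields only.

    Outbound is allowed; inbound is allowed when it looks like a web reply
    (source port 80), because the filter has no memory of what was requested.
    """
    if ip_address(src) in INTERNAL:
        return True
    return sport == 80 and ip_address(dst) in INTERNAL


class StateTable:
    """The 'giant spreadsheet': one row per allowed connection, aged out on idle."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.rows = {}  # (src, sport, dst, dport) -> time last seen

    def _expire(self, now):
        stale = [k for k, seen in self.rows.items() if now - seen > self.timeout]
        for key in stale:
            del self.rows[key]

    def accepts(self, now, src, sport, dst, dport):
        self._expire(now)
        if ip_address(src) in INTERNAL:
            # Outbound packet permitted by policy: record (or refresh) the row.
            self.rows[(src, sport, dst, dport)] = now
            return True
        # Inbound packet: accept only as the reverse of a recorded row.
        forward = (dst, dport, src, sport)
        if forward in self.rows:
            self.rows[forward] = now
            return True
        return False


def demo():
    """Replay constructed packets; return the stateful verdicts in order."""
    table = StateTable()
    client, server = "192.168.0.10", "198.51.100.7"
    return [
        table.accepts(0, client, 40000, server, 80),    # request goes out
        table.accepts(1, server, 80, client, 40000),    # matching reply
        table.accepts(2, server, 80, client, 40001),    # no row for this one
        table.accepts(100, server, 80, client, 40000),  # row idle > 60 s, expired
    ]


if __name__ == "__main__":
    print(demo())
```

The third packet is the interesting one: the stateless filter accepts it because its header looks like a reply, while the state table drops it because no outbound row exists for that port pair.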
What is Checkpoint?
Checkpoint Firewall-1 uses the stateful inspection technology. Checkpoint analyzes all packet
communication layers and extracts the relevant communication and application state information. Firewall-1
has an inspection module that lives in the operating system kernel. This is below the network layer at the
lowest software level. This is the most ideal location because, by analyzing all traffic at this level, the
Inspection Module inspects all traffic before it reaches the OS. This saves the OS's processing time and
resources. Also, a final note, by placing its kernel module between the Network Interface Cards and the
TCP/IP stack itself, Firewall-1 protects the TCP/IP stack.
Preparing an NT 4.0 server
For this paper, I focus on installing the Checkpoint Firewall-1 software on an NT 4 server. I do this because
most small businesses have NT. When using Checkpoint software on an NT server, I recommend you make
two different drives, for example a C: drive and D: drive. The reason for this is to maintain the firewall logs.
One of the most important features of a firewall is the logs it generates. These logs will grow and grow as
traffic is accepted, denied or rejected on your firewall. As these logs grow, they take up more and more space,
and can fill up your entire drive. This would crash your Windows NT box and cause the firewall to fail. The
end result here being no more connectivity through that firewall.
After you have created two drives, I recommend formatting both with the NT File System (NTFS). This
brings the level of security on the box up and allows you to lock it down even tighter. Not only do you have to
consider the rulebase to protect your network, you should consider the physical location of the firewall. Who
will have access to it? Who will know the Administrator's password? NTFS will help you secure the box
from a casual employee or friend coming over and "playing" with your configurations.
I recommend installing your Operating System (OS) on the C: drive. Then install Checkpoint on the D:
drive.
Make the Checkpoint Firewall server a standalone server. It should not be part of a domain.
Installing Checkpoint
When installing Checkpoint, it is important to have a clear understanding of what you need first, before you
begin. I have created a small checklist of items I used to create this paper:
Checkpoint 4.1 media
Checkpoint License from Checkpoint
Legal IP address for external interface
2 or more Network cards
An NT server
An internet connection
Four port hub
I also recommend that you create a network diagram before making any rules. This helps in creating a
rulebase. Below is the network we will configure for:
In this example, we will connect a small home/office to the internet using Checkpoint Firewall-1. The
network will connect to a hub, which connects to an internal Network Interface Card (NIC) on the Firewall
server. The second NIC on the Firewall will be our external NIC and will connect to our Cable modem and
that in turn connects to the internet.
Now insert your media and we are ready to begin. There are 2 pieces that you need to install: The Firewall
and the Management Console. For this installation, we will install both on the same machine. However, if
the firewall is in an inconvenient location, or you will be monitoring it often or making rule changes, it may
make more sense to install the management console closer to you. The management console allows you to
configure, add, remove rules, create objects, examine the logs, and check the status of the Logs.
We will first install the Firewall Module. When we launch the setup program for this, the first screen we see
is the License agreement as shown in Figure 1.
[Network diagram: Internet, Modem, Firewall, Hub, Email and Web server, Workstation]
Figure 1: License Agreement
We click "Yes" to accept the agreement and we are presented with a "Welcome to Checkpoint" screen.
The next screen we see is the "Welcome to Checkpoint" screen. I will not show you this screen here but it is very
important you read and understand these pages. In this screen, Checkpoint advises you to close all programs
that may be running in the background. It is recommended that you close all applications, especially
Antivirus programs, System Utilities, etc.
Clicking the next button brings up the first setup page where we begin to select and tell the software what we
want, and where we want it. In this screen, we are presented with two options as shown in figure 2. This is
where we tell the software where we plan on installing the modules. For example, in this exercise, we are
installing both, the Management Software and the Firewall on the same server, also known as "Stand Alone."
However, if we wanted to install those two pieces on separate servers, then we would select the "Distributed"
option.
Figure 2: Setup Screen
After making the selection, our next screen is where we specify which VPN/Firewall/Server module we wish
to install. In this version, we have 3 options as shown in Figure 3. Here, you have to look at the license you
have from Checkpoint and select the option you are licensed for. If you select an option you do not have a
license for, it will not work. Make your selection and click next.
Figure 3: Module Selection
The next screen asks us if we have older Checkpoint Firewalls we will want to inter-operate with. If you
have a Checkpoint Firewall-1 version 4.0 or 3.x, and you want this firewall and management software to work
with those, then you would select the backwards compatibility option. For this exercise, we will select no
backwards compatibility as we have no previous firewalls to manage.
If we click the next button, we are taken to the "Choose Destination Location" screen. Here is where we select
a directory to install the Firewall module on. This is where we change the option from the C: drive to the D:
drive for our demonstration. Remember the logging can fill up your partition, so choose a partition that does
not contain your OS.
Finally, after selecting the directory in which we want Checkpoint installed, we click next, and the software
begins its installation process. You will see a status bar showing you the installation and when it is finished,
you are presented with a configuration screen.
In this screen, you will input your license that you received from Checkpoint. This screen can be seen in
Figure 4.
Figure 4: License
After installing your license, you will be prompted to tell the Firewall who the Administrators are that will
access it. You must add at least one administrator here. You may also add users and assign limited rights to
them. For example, if you have a helpdesk and you want them to only be able to view logs, but not add or
modify rules, this is where you will identify these users.
After completing this step, the next screen asks you for the IP address found in the system hosts file. Input
that in here and click next. GUI client configuration is the next screen. Here you will assign IP addresses that
will connect to this Firewall Module and manage it or monitor it. Please note, even if you install both the
Firewall Module and the Management Client on the same system, you must include the IP address of this
system here, or you will not be able to connect to the Firewall with the Management tool. After completing
this, click next.
On the next screen, you define "Enforcement Modules." Because this is a sample for you to follow, and I
consider Enforcement Modules advanced, I will not cover this here. However, for further information, please
see www.phoneboy.com. Click next.
This screen is critical to a secure Firewall Module. Here we are asked if we want to control IP forwarding.
You should allow Checkpoint to handle this. What this means is that when a security policy is not installed,
or active, like when you are booting the system or pushing a new policy through, no packets will be allowed
through the network interfaces. Not having this checked makes your system vulnerable to attacks when a
policy is not loaded. Please note that some programs and applications will fail if you have this enabled
and you push a new policy. The next screen is the SMTP settings screen that I will not cover and the key
creation screen, where you are asked to type random numbers and letters to create a unique string. Finally,
when you are complete, you will be prompted to reboot your firewall and it is now complete.
Installing the Management Client
Now that you have installed the Firewall on your server, you must install a management client to manage the
Firewall. The first screen you see after launching the setup executable is the Welcome screen. Click next.
The next screen is where you choose a destination to install the Management GUI. The next screen provides
you with the management modules you can install. In figure 5, we can see the choices we have.
Figure 3: Component installation
Policy Editor is where you will create objects and services. You will then create rules and manage the objects
and services. The Log Viewer is where you will view the Checkpoint Logs. Finally System Status. Here you
can view the status of your firewall, the time and date of the last policy installation and packet counts that
have hit the Firewall. The Real Time Monitor will not be covered here.
We select the three main components and click next. The management module installs and will prompt you
when complete. Now you have successfully installed Checkpoint on a Windows NT server.
Creating Objects
Checkpoint works in 3s like I said earlier. When you create a rule, there are 3 key pieces of information you
need to know: The source IP, the Destination IP and the port or service that needs to be opened for the
application that the rule applies to. We will get more specific on this, but let's start with the object
management. Objects are anything physical, like a workstation or server, or non-physical like a network IP
address range. In order to create a rule specific to them, you need to create them.
Let's launch the GUI to manage our rulebase. It can be launched by the example in Figure 6.
Figure 6: Start menu
We will select the Policy Editor option. The Policy Editor will open up with a deny all policy as shown in
figure 7.
Figure 7: Blank Policy
Here we see a policy with no rules. However, it is important that Checkpoint, by default denies everything,
even if there are no rules. How do I know this? Simple, click on the "View" option at the top and select
"Implied Rules." You will see that there is a rule present that enforces the following: Any Source to Any
Destination using any Service is to be dropped. Therefore, when we create our policy, we will have to create
rules that ALLOW communication through the Firewall, versus denying traffic.
Referring to the network that I outlined above, we will want to make 4 rules in the policy and 4 NAT rules.
First, I need to create objects for the following: The Firewall, The MAIL-WEB Server, and the Internal LAN.
I have included snapshots of the Firewall object (Figure 8) and the Internal LAN object (Figure 9).
Figure 8: Firewall Object
Figure 9: Internal LAN Object
With the internal LAN, I had to NAT it using a technique called HIDE. To do this, you select the object, and
click on the tab that says NAT at the top. Then you choose the option HIDE and input your routable Internet
IP address. Checkpoint will then automatically create NAT rules for you. It's that easy!
The final object is the Mail-Web server. For this project, I have 2 IP addresses from my ISP. The first one I
gave to my Mail-Web server and the second I gave to my Firewall. Then I created an object called
"mail_web" and assigned it an internal IP address. Then I selected the NAT tab and assigned it a
static NAT hidden behind my Public IP from my ISP. This helps ensure that attackers can't directly access
my email_web server. It's NATed for extra security.
Creating a Rulebase
Now that we have created objects, let's assign them in rules. In the Policy Editor, you can add rules by
clicking "Edit" and "Add Rule." In most Checkpoint Firewall Rulebases, there are 2 common rules. Let's add
them first. The first rule is called a Stealth Rule. Its purpose is to hide the Firewall. It does this by not
allowing ANY traffic to it specifically. The other rule that should be in every Checkpoint Firewall
Rulebase is a rule at the end that says: drop all traffic that did not meet any of the other rules. Earlier I
mentioned that Checkpoint has an Implied rule that does this same thing, a deny all policy. But the reason we
add this rule, and the only reason, is that the implied rule does not log. We create this rule, with logging
enabled, so that we can see attacks or traffic that did not meet our rules and was dropped. Another point I
want to make here is that it is recommended that you DROP as opposed to DENY traffic. If you DROP
traffic, then an attacker won't see you and will think that IP is not operational. However, if you DENY traffic,
then the attackers will get a notice back from you saying you are up.
Now that we have created the 2 most basic rules, we will create our next rule that will allow any IP address on
my internal network, 192.168.0.0 network, to use NAT and the external IP address of our Firewall. We do this
by creating a rule as in Figure 10.
Figure 10: Internal LAN Rule
In figure 10, we see that the Internal LAN can go anywhere, using any service.
Finally, the last rule we will create is one for our Web_Mail server. This can go out to the internet but we also
want people to be able to browse our web site and send us email. So we create a rule that allows outside
people to connect to it using pre-defined services.
An entire rule set is shown in Figure 11 and the corresponding NAT table can be seen in Figure 12.
Figure 11: rulebase
Figure 12: NAT Table
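The rule order described in this section (stealth rule first, logged cleanup rule last, first match wins) can be checked mechanically. The Python below is an added example, not part of the original paper or of FireWall-1; the addresses, the /24 mask, the SMTP/HTTP ports and the rule names are assumptions, and NAT is not modeled.

```python
"""First-match rulebase with a stealth rule, a logged cleanup rule, and an audit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
# Constructed addresses (documentation ranges stand in for the two ISP-assigned IPs).
MAIL_WEB = "203.0.113.1/32"
FIREWALL = "203.0.113.2/32"
INTERNAL_LAN = "192.168.0.0/24"   # assumption: /24 mask


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR or ANY
    dst: str          # CIDR or ANY
    ports: tuple      # destination ports, or (ANY,)
    action: str       # "accept" or "drop"
    log: bool


RULEBASE = [
    Rule("stealth", ANY, FIREWALL, (ANY,), "drop", True),
    Rule("internal-lan", INTERNAL_LAN, ANY, (ANY,), "accept", True),
    Rule("mail-web", ANY, MAIL_WEB, (25, 80), "accept", True),  # assumed: SMTP, HTTP
    Rule("cleanup", ANY, ANY, (ANY,), "drop", True),
]


def _covers(field, addr):
    return field == ANY or ip_address(addr) in ip_network(field)


def evaluate(rulebase, src, dst, port):
    """Return (rule name, action, logged) for the first rule that matches."""
    for r in rulebase:
        if (_covers(r.src, src) and _covers(r.dst, dst)
                and (ANY in r.ports or port in r.ports)):
            return r.name, r.action, r.log
    return "implied", "drop", False   # implied rule: drops, but writes no log entry


def audit(rulebase, firewall=FIREWALL):
    """Flag a missing stealth rule (first) or logged cleanup rule (last)."""
    findings = []
    first = rulebase[0] if rulebase else None
    last = rulebase[-1] if rulebase else None
    if not (first and (first.src, first.dst, first.action) == (ANY, firewall, "drop")
            and ANY in first.ports):
        findings.append("no stealth rule at the top")
    if not (last and (last.src, last.dst, last.action) == (ANY, ANY, "drop")
            and ANY in last.ports and last.log):
        findings.append("no logged cleanup rule at the end")
    return findings


if __name__ == "__main__":
    print(evaluate(RULEBASE, "198.51.100.7", "203.0.113.1", 23))
    print(audit(RULEBASE[1:-1]))
```

Removing the cleanup rule does not change what is dropped, only whether it is logged: the same packet then falls through to the implied rule with `logged` set to False.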
1. Insert the Checkpoint CD into the computer's CD Drive.
2. You will see a Welcome to Checkpoint SecurePlatform screen. It will prompt you to
press any key. Press any key to start the installation, otherwise it will abort the
installation.
3. You will now receive a message saying that your hardware was scanned and found
suitable for installing SecurePlatform. Do you wish to proceed with the installation of
Checkpoint SecurePlatform.
Of the four options given, select OK, to continue.
4. You will be given a choice of these two:
Secure Platform
Secure Platform Pro
Select Secure Platform Pro and enter OK to continue.
5. Next it will give you the option to select the keyboard type. Select your keyboard
type (default is US) and enter OK to continue.
6. The next option is the Networking Device. It will give you the interfaces of your
machine and you can select the interface of your choice.
7. The next option is the Network Interface Configuration. Enter the IP address, subnet
mask and the default gateway.
For this tutorial, we will set this IP address as 1.1.1.1 255.255.255.0 and the default
gateway as 1.1.1.2 which will be the IP address of your upstream router or Layer 3
device.
8. The next option is the HTTPS Server Configuration. Leave the default and enter OK.
9. Now you will see the Confirmation screen. It will say that the next stage of the
installation process will format your hard drives. Press OK to Continue.
10. Sit back and relax as the hard disk is formatted and the files are being copied.
Once it is done with the formatting and copying of image files, it will prompt you to
reboot the machine and importantly REMOVE THE INSTALLATION CD. Press Enter to
Reboot.
Note: SecurePlatform disables your Num Lock by overriding System BIOS settings, so
you press Num Lock to enable your Num Lock.
For the FIRST Time Login, the login name is admin and the password is also admin.
11. Start the firewall in Normal Mode.
12. Configuring Initial Login:
Enter the user name and password as admin, admin.
It will prompt you for a new password. Choose a password.
Enter new password: check@123
Enter new password again: check@123
You may choose a different user name:
Enter a user name: fwadmin
Now it will prompt you with the [cpmodule]# prompt.
13. The next step is to launch the configuration wizard. To start the configuration
wizard, type "sysconfig".
You have to enter n for next and Q for quit. Enter n for next.
14. Configuring Host name: Press 1 to enter a host name. Press 1 again to set the host
name.
Enter host name: checkpointfw
You can either enter an IP address or leave it blank to associate an IP address with this
hostname. Leave it blank for now.
Press 2 to show host name. It now displays the name of the firewall as checkpointfw.
Press e to get out of that section.
15. Configuring the Domain name.
Press 2 to enter the config mode for configuring the domain mode. Press 1 to set the
domain name.
Enter domain name: yourdomain.com
Example:
Enter domain name: checkpointfw.com
You can press 2 to show the domain name.
16. Configuring Domain Name Servers.
You can press 1 to add a new domain name server.
Enter IP Address of the domain name server to add: Enter your domain name server IP
Address HERE.
Press e to exit.
Network Connections.
17. Press 4 to enter the Network Connections parameter.
Enter 2 to Configure a new connection.
Your Choice:
1. eth0 2. eth1 3. eth2 4. eth3
Press 2 to configure eth1. (We will configure this interface as the inside interface with
an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0. The default
gateway will be configured as 1.1.1.1.)
Press 1. Change IP settings.
Enter IP address for eth1 (press c to cancel): 192.168.1.1
Enter network Mask for interface eth2 (press c to cancel): 255.255.255.0
Enter broadcast address of the interface eth2 (leave empty for default): Enter
Press Enter to continue....
Similarly configure the eth2 interface, which will be acting as a DMZ in this case with
10.10.10.1 255.255.255.0.
Press e to exit the configuration menu.
18. Configuring the Default Gateway Configuration.
Enter 5 which is the Routing section to enter information on the default gateway
configuration.
1. Set default gateway.
2. Show default gateway.
Press 1 to enter the default gateway configuration.
Enter default gateway IP address: 1.1.1.2
19. Choose a time and date configuration item.
Press n to configure the timezone, date and local time.
This part is self explanatory so you can do it yourself.
The next prompt is the Import Checkpoint Products Configuration. You can press n for next
to skip this part as it is not needed for fresh installs.
20. Next is the license agreement. You have the option of V for evaluation product, U
for purchased product and N for next. If you enter n for next. Press n for next.
Press Y and accept the license agreement.
21. The next section would show you the product Selection and Installation option
menu.
Select Checkpoint Enterprise/Pro.
Press N to continue.
22. Select New Installation from the menu.
Press N to continue.
23. Next menu would show you the products to be installed.
Since this is a standalone installation configuration example, select
VPN Pro and Smart center
Press N for next
24. Next menu gives you the option to select the Smartcenter type you would like to
install.
Select Primary Smartcenter.
Press n for next.
A validation screen will be seen showing the following products:
VPN-1 Pro and Primary Smart center.
Press n for next to continue.
Now the installation of VPN-1 Pro NGX R60 will start.
25. The set of menu is as follows:
Do you want to add license (y/n)
You can enter Y which is the default and enter your license information.
26. The next prompt will ask you to add an administrator. You can add an
administrator.
27. The next prompt will ask you to add a GUI Client. Enter the IP Address of the
machine from where you want to manage this firewall.
28. The final process of installation is creation of the ICA. It will prompt you for the
creation of the ICA and follow the steps. The ICA will be created. Once the random is
configured (you don't have to do anything), the ICA is initialized.
After the ICA is initialized, the fingerprint is displayed. You can save this fingerprint
because this will be later used while connecting to the smartcenter through the GUI.
The two fingerprints should match. This is a security feature.
The next step is reboot. Reboot the firewall.