
Table of Contents

Check Point R75 Installation
Check Point R75 Pocket Guide
Check Point R75 Creating Rules, Nat and Pat
Check Point R75 Application Control
Check Point R75 Identity Awareness
Check Point R75 Cluster Setup

Check Point R75 Installation

Check Point R75 SecurePlatform Installation Part 1
Check Point R75 SecurePlatform Installation Part 2
Check Point R75 SecurePlatform Installation Part 3

This 3-part tutorial guide will show you how to install Check Point R75 SecurePlatform.
I’m using this image file for the install – Check_Point_R75.Splat.iso – which can be
downloaded from the Check Point website and is fully operational for 15 days for you to
evaluate. The good thing about Check Point installations is that they are very similar
between versions, so you can also follow this guide for earlier versions. Let’s begin!

1. Insert the DVD or boot the ISO image and boot the server. You will be presented with
the Check Point SecurePlatform installation.
2. In between the previous step and this step your hardware will have been scanned
and either found suitable or unsuitable for Check Point SecurePlatform. You can also
add drivers by clicking on Add Driver. Click Ok.
3. Select your keyboard type and click Ok.
4. In this lab I have two network cards connected to my Check Point gateway. eth0 is for
outside or untrusted networks and eth1 is for internal or trusted networks. I want to
configure the internal network card at this stage. Select your internal network card and
click Ok.
5. Enter the IP address and subnet mask. Only enter the default gateway information
if you are configuring the external interface; as I’m configuring the internal interface I will
leave the Default Gateway blank. Click Ok.
6. I want to turn on the HTTPS secure web server and have it run on port 443. This is
the default setting. Click Ok.
7. Your hard drives will now be formatted and the SecurePlatform operating system
installed. Click Ok.
8. The install is now complete. As you can see you can login to the secure web server
by browsing to https://192.168.10.50 which we will use later. Click Ok and the server will
be rebooted.
9. When the server has rebooted you are presented with the login prompt at the
console. The default username and password is admin and admin. Once you type this
in you are prompted to change the password. Enter in a new password.
10. You have the option to change the admin username as well. In this tutorial I will be
changing it to cpadmin.
11. The username has now been changed and you are prompted to run sysconfig to
further configure the gateway and install Check Point products. Please continue
onto Part 2 of this Installation series.
If you have any technical questions about this tutorial or any other tutorials on this site,
please open a new thread in the forums and the community will be able to help you out.

We will now continue on with Part 2 of the Check Point R75 Installation tutorial where
we will configure the rest of the gateway settings and install the Check Point products.

1. We have now completed the previous Part 1 of the tutorial and have just changed the
admin username from admin to cpadmin and were prompted to run sysconfig for system
and product configuration. Type sysconfig and press enter.
2. The wizard begins. Type n and press enter to proceed to the next screen.
3. First up we are presented with some network configuration options.
4. Press 1 for Host Name configuration and set a host name for the Check Point
gateway. When you are finished type e and press enter to go back to the previous
screen.
5. Press 2 and set a domain name for the Check Point gateway. When you are finished
type e and press enter to go back to the previous screen.
6. Press 3 to setup DNS server for name resolution. When you are finished type e and
press enter to go back to the previous screen.
7. Press 4 to enter into the Network configuration options. Since we have only
configured the internal interface with an ip address, we’ll need to configure our external
interface. Type 2 and press enter to configure a connection, select eth0 and configure
your external ip address, subnet mask and default gateway. When you are finished type
e and press enter to go back to the previous screen.
8. Pressing 5 and entering into the routing configuration menu allows you to either set a
new default gateway or show the current default gateway. When you are finished type e
and press enter to go back to the previous screen.
9. Type n and press enter to proceed to the next screen. In this screen we can set our
time zone, date, local time and display the current time settings. Set this as per your
location. When you are finished type n and press enter to proceed to the next screen.
10. As this is a brand new installation we do not have any configuration files to import, so
we can just press n for next.
11. We have finished with the SecurePlatform side and now we can start installing the
Check Point products we will be using. It is important to note that you don’t need to
install all the products in this step, you can come back at a later stage, type sysconfig
and install the software that you wish to use. Press n for next.
12. Press y to access the License Agreement.
13. Select New Installation and press n for next.
14. In this tutorial we will just be installing Security Gateway, Security Management,
SmartEvent and SmartReporter Suite, Management Portal and Mobile Access. Press n
for next.
15. As this is the first Gateway we will select Primary Security Management. Press n for
next.
16. We will just be installing SmartReporter and SmartEvent Server. Press n for next.
17. You are now shown a brief summary of the products you have chosen to install.
If you are happy press n for next, otherwise feel free to go back and make changes.
18. The installation begins.
19. Once the installation is finished there are just a few more settings that are needed
before the gateway is ready. If you have a license I would wait to use SmartUpdate later
on to install them. I will not be adding any licenses now. Press n.
20. Yes we will want to add an administrator to this Security management server. Press
y.
21. Type the new administrator’s username and password.
22. Yes we will want to define GUI clients to be able to manage this gateway. Press y.
23. I would like to add my internal subnet as a GUI client. I type in
192.168.10.0/255.255.255.0, press enter, then press ctrl-D. Lastly confirm this is correct
by pressing y.
24. The Fingerprint of the Security Management Server is displayed. This can be used
to verify that you are connecting to the correct server. You have an option to save this to
a file. I won’t be saving this so I’ll type n.
25. The installation is now complete. You must reboot to put the settings into effect.
Press Enter.
26. Type reboot and Y to confirm. Once your firewall has booted up, you can continue
onto Part 3, which will show you how to install the management tools and connect to the
firewall.

We are now at the final part in this installation series. In this tutorial we will be
connecting to the SecurePlatform HTTPS web server, downloading the Management
tools, installing the management tools and connecting to the gateway.

1. Log into your management station or desktop and browse to the management
interface of the Check Point firewall. In this tutorial we will browse to
https://192.168.10.50. Click Yes to accept the certificate.
2. Login with your SecurePlatform user credentials. In this case I’ll login with the
account cpadmin.
3. On the left hand side browse to Product Configuration – Download SmartConsole
and click Download. Either save it to a location or click run.
4. Click Run.

5. The installation wizard begins. Click Next.


6. Click Yes to accept the License Agreement.
7. Click Next to accept the default destination folder.

8. I’m going to install all products. Click Next.


9. I’d like to add SmartConsole shortcuts to the desktop, so I’ll select that option and
click Finish.
10. Start up the Check Point SmartDashboard program. Enter in your username,
password and the management IP address of the Check Point gateway.
11. You will be presented with the Fingerprint. Click Approve.

12. You have now successfully connected to the firewall and are ready to further configure
your firewall rules, NAT, IPS, Application Control, Anti-spam, etc.
Here are a few Check Point CLI commands that I’ve put together for reference as a
Pocket Guide. I will continuously add to this list.

General Commands
sysconfig (System Config – i.e. Host Name, DNS, Time, Networking)
cpconfig (Check Point config – i.e. Licenses, SNMP, SIC, cluster membership,
SecureXL, Automatic Start of Check Point Products)
cpstop (Stop all Check Point Services)
cpstart (Start all Check Point Services)
vi /var/log/opt/CPsuite-R75/fw1/vpnd.elg (Performed in Expert mode to view the vpn log
file)
fwm unload firewall_name (Unloads the last applied firewall policy for example fwm
unload cpmodule)
fw unloadlocal (unloads firewall policy in Gaia)
fw ctl zdebug drop (show dropped packets from the firewalls cli)
cpprod_util CPPROD_GetKeyValues products 0 (Lists installed products)
idle timeout (sets the cli idle timeout)

SSL Network Extender (SSL VPN)


webui disable (Disables the webui)
webui enable (Enables the webui)
webui enable port_number (Changes the webui port for SSL VPN. For example webui
enable 4434)

ClusterXL
cphaprob state (Monitors the Cluster Status)
cphaprob -a if (Checks the status of the cluster member interfaces)
cphaprob list (To see a list of critical devices on a cluster member and all other
machines in the cluster)
cphastart (Activates ClusterXL on the member. Does not initiate a full synchronization)
cphastop (Stops the member from passing traffic, state synchronization also stops)
cpstart (initiates a full synchronization)
fw ctl pstat (Basic Synchronization Statistics at the end)
cphaprob syncstat (In depth Synchronization Statistics. Use cphaprob -reset syncstat to
reset the stats)
cphaconf set_ccp multicast (Sets Cluster Control Protocol to Multicast)
cphaconf set_ccp broadcast (Sets Cluster Control Protocol to Broadcast)

Smart Event
evstop (stops the smart event service)
evstart (starts the smart event service)
evconfig (enters into the config menu, enables or disables components of Smart Event)

Check Point R75 Creating Rules NAT and PAT
In this tutorial we will look at creating a simple rulebase from a fresh install of Check
Point R75. We will create a basic rule that will allow the internal network access to all
services outbound and also enable NAT to hide behind the external IP address of the
firewall. Following this rule we will create another rule that will PAT remote desktop
3389 from the external interface ip to my Windows 2008 server called server2k8. The
lab is setup as follows:
Creating NAT and PAT Rules with Check Point R75

1. Open up the Check Point SmartDashboard and login to your firewall management
station.
2. First up we’ll be creating a network object that will represent the internal network
subnet. Right click on the Network Folder and select Network.
3. Type in a Name, the network address and subnet mask. For the colours of objects I
like to use red for external, green for internal and orange for DMZ. If you expand the
colours and click Manage you can add in red and green.
4. Add in red and green.
5. For my internal LAN I’ve selected green.
6. Now we’ll click on the NAT tab and tick Add Automatic Address Translation rules,
select Hide, and select Hide behind Gateway. This will hide the internal network subnet
behind the external interface of the gateway. If you are using a DMZ interface, it will also
NAT behind the DMZ interface.
7. Now that we’ve created an object let’s create a few rules. Click on the Rules menu
and select Add Rule.
8. Under the source column where it says Any, right click and select Network Object. As
you can see we can also add a User or other objects as the source.
9. Select Internal-Lan as our source.
10. Under the Action column, right click and select accept.
11. Under the Track column select Log so we can see the traffic passing through.
12. Right click in under the comment column and select edit. You can type any
comment you like to help remember what the rule is for.
13. Now add in another rule which must always be at the bottom. This rule will drop
any packet that does not match an earlier rule and also log it. Check Point rules are always
processed from top to bottom.
14. To help organise our Check Point Rule Base a little better we can add in section
titles. Right click on the rule where you would like to add a section title above and select
Add Section title – Above.
15. As you can see I’ve added two section titles to my Check Point Rule Base, which
makes it much easier to organize rules.
16. If we click on the NAT tab we can see that the NAT we added earlier in step 6 has
been automatically added to the NAT rule base for Internal-Lan.
17. Let’s add a resource for a single server. Right click on Nodes and select Node –
Host.
18. Enter in the Name, IP address and an optional comment. I’ve selected the green colour for
internal objects. Click Ok.
19. I’ll create another object that will represent the PAT’d IP address that I’ll be using to
remote desktop from the internet to my internal host.
20. Now let’s create a PAT rule. Under the NAT tab click on the Rules menu and add a
new rule at the top.
21. Let’s add a destination of External-192-168-1-2 and service Remote_Desktop under the
Original Packet column. Under the Translated Packet column let’s add server2k8 for
destination and Remote_Desktop for service. So any IP that tries to use Remote
Desktop to 192.168.1.2 will get translated to our internal host server2k8 192.168.10.10
for Remote_Desktop 3389.
22. After creating the PAT rule we now need to create the firewall rule. Click on the
firewall tab, add a new section title of External-Internal and make the destination
External-192-168-1-2, service Remote_Desktop, Action Accept, and Track Log.
23. Click on the box that says Verify Policies. Your Check Point Rule Base will be
checked for any errors or misconfiguration before applying.
24. Click Ok.
25. Click Save and continue.
26. Click Ok.
27. Policy Verification is Ok. Click Ok.
28. Now it’s time to Install our policy. Click Install Policy.
29. Click Ok.
30. The policy was installed successfully. Click Close.
31. Click on the Window menu and select SmartView Tracker.
32. The Check Point SmartView Tracker is where all the logging happens. To
demonstrate accessing a webpage from my server2k8 server I simply browsed to
www.google.com.au which produced the following logs.
33. You can double click on a log entry and display more information.
34. Now let’s try our remote desktop rule. I will remote desktop from a pc out on the
internet to 192.168.1.2.
35. As you can see in the log the packet is allowed and I can connect via remote
desktop to the server.
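As an added example (not from the tutorial), the following Python models the rule base built above as a first-match evaluator: the security policy is matched against the original packet top to bottom with the cleanup rule last, and an accepted packet is then run through the NAT rule base (the manual PAT rule from step 21 before the automatic hide rule from step 6). Object names and addresses are the lab's; the public addresses used as test traffic are constructed, and hide NAT is simplified to a source address rewrite.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Network objects as created in the tutorial (lab addresses)
OBJECTS = {
    "Internal-Lan": ip_network("192.168.10.0/24"),
    "External-192-168-1-2": ip_network("192.168.1.2/32"),
    "server2k8": ip_network("192.168.10.10/32"),
}
SERVICES = {"Remote_Desktop": 3389, ANY: None}


def _obj_match(name, addr):
    return name == ANY or ip_address(addr) in OBJECTS[name]


def _svc_match(name, port):
    return SERVICES[name] is None or SERVICES[name] == port


# Security rule base in order: (source, destination, service, action, track).
# The RDP rule sits above the cleanup rule, which must always be last.
RULEBASE = [
    ("Internal-Lan", ANY, ANY, "accept", "Log"),
    (ANY, "External-192-168-1-2", "Remote_Desktop", "accept", "Log"),
    (ANY, ANY, ANY, "drop", "Log"),
]

# Manual NAT rule from step 21: original (src, dst, svc) -> translated (dst, svc)
NAT_RULES = [
    (ANY, "External-192-168-1-2", "Remote_Desktop", "server2k8", "Remote_Desktop"),
]
# Automatic hide NAT from step 6: Internal-Lan hidden behind the external IP
HIDE_BEHIND = ("Internal-Lan", "192.168.1.2")


def match_rule(pkt):
    """Return (rule number, action, track) of the first rule the packet matches."""
    for n, (src, dst, svc, action, track) in enumerate(RULEBASE, 1):
        if _obj_match(src, pkt.src) and _obj_match(dst, pkt.dst) and _svc_match(svc, pkt.dport):
            return n, action, track
    raise RuntimeError("no cleanup rule at the bottom of the rule base")


def translate(pkt):
    """Apply the first matching NAT rule: manual PAT first, then automatic hide."""
    for src, dst, svc, t_dst, t_svc in NAT_RULES:
        if _obj_match(src, pkt.src) and _obj_match(dst, pkt.dst) and _svc_match(svc, pkt.dport):
            return Packet(pkt.src, str(OBJECTS[t_dst].network_address), SERVICES[t_svc])
    net, hide_ip = HIDE_BEHIND
    if _obj_match(net, pkt.src):
        return Packet(hide_ip, pkt.dst, pkt.dport)
    return pkt


def process(pkt):
    """Policy decision on the original packet, then NAT only if it was accepted."""
    n, action, _track = match_rule(pkt)
    if action != "accept":
        return n, action, None
    return n, action, translate(pkt)
```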
This tutorial will provide you with the necessary steps to setup Check Point
Application Control Software Blade.

Setting up Check Point R75 Application Control

1. Log in to Check Point SmartDashboard and edit your Gateway Object. In General
Properties select Application Control as you can see in the image below.
2. Once we have activated the Check Point Application Control software blade, click on
the Application & URL Filtering tab above. Expand Advanced and select updates. Click
Update Management to update the Application Control database.
3. Click on Policy on the far left. I have added rule one to allow my Windows Active
Directory Server, named server-ad1, access to everything. For rule 2 I’ve created a rule for
all computers on the internal_lan 192.168.10.x/24 to be blocked if they try to access
Facebook. The third rule I’ve created then allows the internal_lan access to
everything else.
4. If we now click on our Firewall tab, you can see I have one rule that allows full access
for my winxp-test and server-ad1 machines. My winxp-test machine has an ip address
of 192.168.10.22 and my server-ad1 server has an ip address of 192.168.10.80.
5. Going back to the Check Point Application and URL Filtering tab, we can also be a
little more specific in our blocking rule. In rule two we are only blocking Facebook
games, such as FarmVille, Mafia Wars, Zynga Poker, etc.
6. When I log into my Windows XP machine and browse to Facebook, I’m able to log in,
though as soon as I try to access a Facebook game such as Mafia Wars, Application
Control blocks me immediately.
7. Check Point Application Control can also be tied in with Identity Awareness, which
provides URL and Application blocking based on users and groups. See my tutorial
here for Identity Awareness with Application Control.

This tutorial will provide you with the necessary steps to install and configure
Check Point Identity Awareness Software Blade along with Microsoft Active
Directory.

Setting up Check Point R75 Identity Awareness

1. We will be configuring Check Point Identity Awareness with Application Control. You
must have enabled Application Control to complete this tutorial successfully. Log
into Check Point SmartDashboard and edit your gateway object.

2. Select the Identity Awareness Software Blade and the Identity Awareness
Configuration wizard will begin. Select AD Query and click Next.
3. Select your Domain Name and enter in a username and password that has Domain
Admin access to your Active Directory.
4. Click Connect. You will see a Successfully Connected as displayed below. Click
Next.
5. A notification window is displayed that shows your Check Point Identity Awareness
Software Blade is Now Active. Click Finish.
6. Edit your gateway again and, under Software Blades, select the Management tab.
7. Below Logging & Status select Identity Awareness. This will add identity information
to logs. Click Next.
8. The information will be pre-populated from step 4 above.
9. Click Connect. The connection is successful. Click Next.
10. Logs for Check Point Identity Awareness is Now Active. Click Finish.
11. Click on the Application and URL Filtering Tab. In rule 2 in the image below I’m
currently blocking facebook from anyone coming from a source IP address of
Internal_Lan (192.168.10.x/24). I will now change this to use Identity Awareness. Right
click on the source box at rule number 2 and select Add User/Access Rule. I’m going to
be blocking an Active Directory user called user1. I’ll type in User1 in the Name field
and then select the Users Tab. Click the green + sign which will bring up your Active
Directory. I will select user1 and click Ok.
12. You can now see that for rule 2 my source is user1. When user1 tries to browse to
facebook he will be blocked.
13. Install the new policy to apply the Identity Awareness settings and rules.
14. If we open up SmartEvent Intro, we can see some really interesting statistics on
URLs and applications tied in with Check Point Identity Awareness.
15. Click on the Charts Tab, and you will be presented with a nice pie graph of the
amount of time spent on each site.
Check Point R75 Cluster Setup

In this tutorial we will explore setting up a Check Point R75 Cluster consisting of 1
management server and 2 gateways.
Setting up a Check Point R75 Cluster

1. First up, connect to your management server with SmartDashboard. My management
station is called cpmgmt. Right click on the Check Point object on the right hand side
and select Security Cluster – UTM-1/Power-1/Open Server Cluster/IP series…
2. Let’s select the Wizard Mode below.
3. Give your cluster a name. I will call mine CPCLUSTER and I will assign the cluster
the ip address 10.10.10.1. You will see later where this is set. Select Check Point
ClusterXL and select High Availability. Click Next.
4. We now add in the gateways that we would like to participate in our cluster. Click Add
and select New Cluster Member. I’m selecting this option because I don’t have any
gateways belonging to the management server yet. If you already have your gateways
being managed by your management server you can select Add Existing Gateway.
5. Type in the IP address of your Check Point Gateway. The IP address of my first
gateway, called cpgw1, is 10.10.10.2. Type in the activation key that you set up during
installation of your gateway and click Initialize. You should see Trust Established in the
Trust State field. Click Ok.
6. Do the same for gateway 2. My second gateway is called cpgw2 and has an ip
address of 10.10.10.3. Click Ok.
7. The 2 gateways are now added. Click Next.
8. In this section we will configure the topology of the cluster. I have left out the external
interface on purpose so I can show you how to add it manually later. Click Next.
9. The first network I’ll set up is the Cluster Synchronization. Select Primary under
Cluster Synchronization. Click Next.
10. The next interface I’ll set up is my internal network. Here I’ll set the cluster IP to
10.10.10.1 with a net mask of 255.255.255.0. Click Next.
11. The cluster is now setup. Click Finish.
12. As you can see on the right hand side, I have my cluster named CPCLUSTER with
the 2 gateway members cpgw1 and cpgw2.
13. If you right click on the properties of the CPCLUSTER, you can see the ClusterXL
settings that are available.
14. While still in the CPCLUSTER properties click on Topology.
15. Click Edit Topology. As you can see in this screen shot, I have already set up the
internal network with the cluster IP 10.10.10.1 and I’ve also set up the Sync network.
16. Now I will add another NIC to my gateways which I’ll use for the external interface.
After adding the NIC I will click on Get – All Members’ Interfaces with topology…
17. The third network is added in. However under the CPCLUSTER column I will need
to add the cluster IP address for the external network. Here I will add 192.168.1.101
with a subnet mask of 255.255.255.0. I’ve also changed the name of the interface to
Outside. I’ve also changed the name for the internal interface to inside. If you right click
on the 192.168.1.101 address and select edit, you can set the topology to External.
Click Ok.
18. Once your cluster is setup you must install the policy.
