Important:
Workflow:
Note - This procedure applies to both Check Point Appliances and Open Servers.
Step 1 of 8: Install the Security Gateway
| Step | Description |
|---|---|
| 1 | Install the Gaia Operating System: |
| 2 | |
| 3 | During the First Time Configuration Wizard, you must configure these settings: |
Step 2 of 8: Configure the Monitor Mode interface in Gaia Portal
| Step | Description |
|---|---|
| 1 | In your web browser, connect to the Gaia Portal on the Security Gateway. |
| 2 | In the left navigation tree, click Network Management > Network Interfaces. |
| 3 | Select the applicable physical interface from the list and click Edit. |
| 4 | Select the Enable option to set the interface status to UP. |
| 5 | In the Comment field, enter the applicable comment text (up to 100 characters). |
| 6 | On the IPv4 tab, select Use the following IPv4 address, but do not enter an IPv4 address. |
| 7 | On the IPv6 tab, select Use the following IPv6 address, but do not enter an IPv6 address. Important - This setting is available only after you enable the IPv6 Support in Gaia and reboot. |
| 8 | On the Ethernet tab: |
| 9 | Click OK. |
Step 2 of 8: Configure the Monitor Mode interface in Gaia Clish
| Step | Description |
|---|---|
| 1 | Connect to the command line on the Security Gateway. |
| 2 | Log in to Gaia Clish. |
| 3 | Examine the configuration and state of the applicable physical interface: |
| 4 | If the applicable physical interface has an IP address assigned to it, remove it: |
| 5 | Enable the Monitor Mode on the physical interface: |
| 6 | Configure other applicable settings on the Monitor Mode interface: `set interface <Name of Physical Interface> auto-negotiation {on \| off} comments "Text" link-speed {10M/half \| 10M/full \| 100M/half \| 100M/full \| 1000M/full} mtu <68-16000 \| 1280-16000> rx-ringsize <0-4096> tx-ringsize <0-4096>` |
| 7 | Examine the configuration and state of the Monitor Mode interface: |
| 8 | Save the configuration: |
Step 3 of 8: Configure the Security Gateway in SmartConsole - Wizard Mode
| Step | Description |
|---|---|
| 1 | Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway. |
| 2 | From the left navigation panel, click Gateways & Servers. |
| 3 | Create a new Security Gateway object in one of these ways: |
| 4 | In the Check Point Security Gateway Creation window, click Wizard Mode. |
| 5 | On the General Properties page: |
| 6 | On the Trusted Communication page: |
| 7 | On the End page: Check Point Gateway properties window opens on the General Properties page. |
| 8 | If, during the Wizard Mode, you selected Skip and initiate trusted communication later: |
| 9 | On the Network Security tab, make sure to enable only the Firewall Software Blade. Important - Do not select anything on the Management tab. |
| 10A | On the Network Management page: |
| 10B | Select the Monitor Mode interface and click Edit. Configure these settings: |
| 11 | Click OK. |
| 12 | Publish the SmartConsole session. |
| 13 | This Security Gateway object is now ready to receive the Security Policy. |
Step 3 of 8: Configure the Security Gateway in SmartConsole - Classic Mode
| Step | Description |
|---|---|
| 1 | Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway. |
| 2 | From the left navigation panel, click Gateways & Servers. |
| 3 | Create a new Security Gateway object in one of these ways: |
| 4 | In the Check Point Security Gateway Creation window, click Classic Mode. Check Point Gateway properties window opens on the General Properties page. |
| 5 | In the Name field, enter the desired name for this Security Gateway object. |
| 6 | In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses. |
| 7 | Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway: If the Certificate state field does not show |
| 8 | In the Platform section, select the correct options: |
| 9 | On the Network Security tab, make sure to enable only the Firewall Software Blade. Important - Do not select anything on the Management tab. |
| 10A | On the Network Management page: |
| 10B | Select the Monitor Mode interface and click Edit. Configure these settings: |
| 11 | Click OK. |
| 12 | Publish the SmartConsole session. |
Step 4 of 8: Configure the Security Gateway to process packets that arrive in the wrong order
| Step | Description |
|---|---|
| 1 | Connect to the command line on the Security Gateway. |
| 2 | Log in to the Expert mode. |
| 3 | Modify the |
| 3A | Back up the current Important - If this file does not exist, create it: |
| 3B | Edit the current Important - This configuration file does not support spaces or comments. |
| 3C | Add this line to enable the Passive Streaming Layer (PSL) Tap Mode: |
| 3D | Add this line to enable the Firewall Tap Mode: |
| 3E | Save the changes in the file and exit the Vi editor. |
| 4 | Modify the |
| 4A | Back up the current Important - If this file does not exist, create it: |
| 4B | Edit the current Important - This configuration file does not support spaces or comments. |
| 4C | Add this line to enable the Firewall Tap Mode: |
| 4D | Save the changes in the file and exit the Vi editor. |
| 5 | Reboot the Security Gateway. |
| 6 | Make sure the Security Gateway loaded the new configuration: |
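The configuration files edited in Step 4 support neither spaces nor comments, and a mistake in them only shows up after the reboot in Step 5. As an added example that is not from this page or from Check Point, the POSIX shell checker below validates such a file before rebooting; the file path, the one-parameter-per-line `parameter=value` format and the values `psl_tap_enable=1` and `fw_tap_enable=1` are assumptions, since the page shows only the parameter names.

```shell
#!/bin/sh
# Added example, not from the Check Point page: check a kernel-parameter
# configuration file of the kind edited in Step 4 before rebooting.
# Assumptions (the page does not show the file path or the exact lines):
# one "parameter=value" entry per line, and the two required entries are
# psl_tap_enable=1 and fw_tap_enable=1. Per the page, the file supports
# neither spaces nor comments, so both are reported as errors.

tab=$(printf '\t')
cr=$(printf '\r')

# check_kernel_conf FILE
# Prints one diagnostic per problem. Returns 0 if the file is clean and
# both tap-mode parameters are set, 1 on any problem, 2 if FILE is missing.
check_kernel_conf() {
    file=$1
    rc=0
    n=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '')       echo "line $n: empty line"; rc=1 ;;
            '#'*)     echo "line $n: comments are not supported"; rc=1 ;;
            *' '*|*"$tab"*|*"$cr"*)
                      echo "line $n: whitespace is not supported"; rc=1 ;;
            [!=]*=?*) ;;   # well-formed parameter=value entry
            *)        echo "line $n: not in parameter=value form"; rc=1 ;;
        esac
    done < "$file"
    for p in psl_tap_enable fw_tap_enable; do
        grep -qx "$p=1" "$file" || { echo "$p=1 is not set"; rc=1; }
    done
    return $rc
}

# Constructed sample files for a stand-alone run (not real gateway files).
tmp=$(mktemp -d)
printf 'psl_tap_enable=1\nfw_tap_enable=1\n' > "$tmp/good.conf"
printf '# tap mode\npsl_tap_enable = 1\nfw_tap_enable=1\n' > "$tmp/bad.conf"

check_kernel_conf "$tmp/good.conf" && echo "good.conf: OK"
check_kernel_conf "$tmp/bad.conf" || echo "bad.conf: fix before rebooting"
```

Run it against each file you edited in Step 4 before the reboot in Step 5; a non-zero exit means the file needs correcting.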
Notes:
psl_tap_enable and fw_tap_enable on-the-fly with the `fw ctl set int <parameter>` command (Issue ID 02386641).
Step 5 of 8: Configure the required Global Properties for the Security Gateway in SmartConsole
| Step | Description |
|---|---|
| 1 | Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway. |
| 2 | In the top left corner, click Menu > Global properties. |
| 3A | Click the Stateful Inspection pane. |
| 3B | In the Default Session Timeouts section: |
| 3C | In the Out of state packets section, you must clear all the boxes. Otherwise, the Security Gateway drops the traffic as out of state: because the traffic does not pass through the Security Gateway, the gateway does not record state information for it. |
| 4A | Click the Advanced page > Configure button. |
| 4B | Click FireWall-1 > Stateful Inspection. |
| 4C | Clear reject_x11_in_any. |
| 4D | Click OK to close the Advanced Configuration window. |
| 5 | Click OK to close the Global Properties window. |
| 6 | Publish the SmartConsole session. |
Step 6 of 8: Configure the required Access Control policy for the Security Gateway in SmartConsole
| Step | Description |
|---|---|
| 1 | Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway. |
| 2 | From the left navigation panel, click Security Policies. |
| 3 | Create a new policy and configure the applicable layers: |
| 4 | Create the Access Control rule that accepts all traffic: |
| 5 | We recommend these Aggressive Aging settings for the most common TCP connections: |
| 6 | Publish the SmartConsole session. |
| 7 | Install the Access Control Policy on the Security Gateway object. |
Step 7 of 8: Make sure the Security Gateway enabled the Monitor Mode for Software Blades
| Step | Description |
|---|---|
| 1 | Connect to the command line on the Security Gateway. |
| 2 | Log in to the Expert mode. |
| 3 | Make sure the parameter fw_span_port_mode is part of the installed policy: The returned output must show :val (true). |
Step 8 of 8: Connect the Security Gateway to the switch
Connect the Monitor Mode interface of the Security Gateway to the mirror or SPAN port on the switch.
For more information, see the: