Configuring a Single Security Gateway in Monitor Mode

Important:

Note - This procedure applies to both Check Point Appliances and Open Servers.

Procedure:

  1. Step

    Instructions

    1

    Install the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Operating System:

    2

    Follow Configuring Gaia for the First Time.

    3

    During the First Time Configuration Wizard, you must configure these settings:

    • In the Management Connection window, select the interface, through which you connect to Gaia operating system.

    • In the Internet Connection window, do not configure IP addresses.

    • In the Installation Type window, select Security Gateway and/or Security Management.

    • In the Products window:

      1. In the Products section, select Security Gateway only.

      2. In the Clustering section, clear Unit is a part of a cluster, type.

    • In the Dynamically Assigned IP window, select No.

    • In the Secure Internal Communication window, enter the applicable Activation Key (between 4 and 127 characters long).

  2. You can configure the Monitor Mode on an interface either in Gaia PortalClosed Web interface for the Check Point Gaia operating system., or Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

    Step

    Instructions

    1

    With a web browser, connect to Gaia Portal at:

    https://<IP address of Gaia Management Interface>

    2

    In the left navigation tree, click Network Management > Network Interfaces.

    3

    Select the applicable physical interface from the list and click Edit.

    4

    Select the Enable option to set the interface status to UP.

    5

    In the Comment field, enter the applicable comment text (up to 100 characters).

    6

    On the IPv4 tab, select Use the following IPv4 address, but do not enter an IPv4 address.

    7

    On the IPv6 tab, select Use the following IPv6 address, but do not enter an IPv6 address.

    Important - This setting is available only after you enable the IPv6 Support in Gaia and reboot.

    8

    On the Ethernet tab:

    • Select Auto Negotiation, or select a link speed and duplex setting from the list.

    • In the Hardware Address field, enter the Hardware MAC address (if not automatically received from the NIC).

      Caution - Do not manually change the MAC address unless you are sure that it is incorrect or has changed. An incorrect MAC address can lead to a communication failure.

    • In the MTU field, enter the applicable Maximum Transmission Unit (MTU) value (minimal value is 68, maximal value is 16000, and default value is 1500).

    • Select Monitor Mode.

    9

    Click OK.

    Step

    Instructions

    1

    Connect to the command line on the Security Gateway.

    2

    Log in to Gaia Clish.

    3

    Examine the configuration and state of the applicable physical interface:

    show interface <Name of Physical Interface>

    4

    If the applicable physical interface has an IP address assigned to it, remove that IP address.

    • To remove an IPv4 address:

      delete interface <Name of Physical Interface> ipv4-address

    • To remove an IPv6 address:

      delete interface <Name of Physical Interface> ipv6-address

    5

    Enable the Monitor Mode on the physical interface:

    set interface <Name of Physical Interface> monitor-mode on

    6

    Configure other applicable settings on the interface in the Monitor Mode:

    set interface <Name of Physical Interface> ...

    7

    Examine the configuration and state of the Monitor Mode interface:

    show interface <Name of Physical Interface>

    8

    Save the configuration:

    save config

  3. You can configure the Security Gateway object in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. either in Wizard Mode, or in Classic Mode.

    Step

    Instructions

    1

    Connect with SmartConsole to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that should manage this Security Gateway.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Create a new Security Gateway object in one of these ways:

    • From the top toolbar, click the New () > Gateway.

    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.

    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.

    4

    In the Check Point Security Gateway Creation window, click Wizard Mode.

    5

    On the General Properties page:

    1. In the Gateway name field, enter the applicable name for this Security Gateway object.

    2. In the Gateway platform field, select the correct hardware type.

    3. In the Gateway IP address section, select Static IP address and configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard.

      Make sure the Security Management Server or Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. can connect to these IP addresses.

    4. Click Next.

    6

    On the Trusted Communication page:

    1. Select the applicable option:

      • If you selected Initiate trusted communication now, enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard.

      • If you selected Skip and initiate trusted communication later, make sure to follow Step 7.

    2. Click Next.

    7

    On the End page:

    1. Examine the Configuration Summary.

    2. Select Edit Gateway properties for further configuration.

    3. Click Finish.

    Check Point Gateway properties window opens on the General Properties page.

    8

    If during the Wizard Mode, you selected Skip and initiate trusted communication later:

    1. The Secure Internal Communication field shows Uninitialized.

    2. Click Communication.

    3. In the Platform field:

    4. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard.

    5. Click Initialize.

      Make sure the Certificate state field shows Established.

    6. Click OK.

    9

    On the Network Security tab, make sure to enable only the Firewall Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..

    10

    On the Network Management page:

    1. Click Get Interfaces > Get Interfaces With Topology.

    2. Confirm the interfaces information.

    11

    Select the interface in the Monitor Mode and click Edit.

    Configure these settings:

    1. Click the General page.

    2. In the General section, enter a random IPv4 address.

      Important - This random IPv4 address must not conflict with existing IPv4 addresses on your network.

    3. In the Topology section:

      Click Modify.

      In the Leads To section, select Not defined (Internal).

      In the Security Zone section, select According to topology: Internal Zone.

      Click OK to close the Topology Settings window.

    4. Click OK to close the Interface window.

    12

    Click OK.

    13

    Publish the SmartConsole session.

    14

    This Security Gateway object is now ready to receive the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

    Step

    Instructions

    1

    Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Create a new Security Gateway object in one of these ways:

    • From the top toolbar, click the New () > Gateway.

    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.

    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.

    4

    In the Check Point Security Gateway Creation window, click Classic Mode.

    Check Point Gateway properties window opens on the General Properties page.

    5

    In the Name field, enter the applicable name for this Security Gateway object.

    6

    In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard.

    Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

    7

    Establish the Secure Internal Communication (SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) between the Management Server and this Security Gateway:

    1. Near the Secure Internal Communication field, click Communication.

    2. In the Platform field:

      • Select Open server / Appliance for all Check Point models 3000 and higher.

      • Select Open server / Appliance for an Open Server.

    3. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard.

    4. Click Initialize.

    5. Click OK.

     

    If the Certificate state field does not show Established, perform these steps:

    1. Connect to the command line on the Security Gateway.

    2. Make sure there is a physical connectivity between the Security Gateway and the Management Server (for example, pings can pass).

    3. Run:

      cpconfig

    4. Enter the number of this option:

      Secure Internal Communication

    5. Follow the instructions on the screen to change the Activation Key.

    6. In SmartConsole, click Reset.

    7. Enter the same Activation Key you entered in the cpconfig menu.

    8. In SmartConsole, click Initialize.

    8

    In the Platform section, select the correct options:

    1. In the Hardware field:

      • If you install the Security Gateway on a Check Point Appliance, select the correct appliances series.

      • If you install the Security Gateway on an Open Server, select Open server.

    2. In the Version field, select R81.

    3. In the OS field, select Gaia.

    9

    On the Network Security tab, make sure to enable only the Firewall Software Blade.

    Important - Do not select anything on the Management tab.

    10

    On the Network Management page:

    1. Click Get Interfaces > Get Interfaces With Topology.

    2. Confirm the interfaces information.

    11

    Select the interface in the Monitor Mode and click Edit.

    Configure these settings:

    1. Click the General page.

    2. In the General section, enter a random IPv4 address.

      Important - This random IPv4 address must not conflict with existing IPv4 addresses on your network.

    3. In the Topology section:

      Click Modify.

      In the Leads To section, select Not defined (Internal).

      In the Security Zone section, select According to topology: Internal Zone.

      Click OK to close the Topology Settings window.

    4. Click OK to close the Interface window.

    12

    Click OK.

    13

    Publish the SmartConsole session.

    14

    This Security Gateway object is now ready to receive the Security Policy.

  4. Step

    Instructions

    1

    Connect to the command line on the Security Gateway.

    2

    Log in to the Expert mode.

    3

    Modify the $FWDIR/boot/modules/fwkern.conf file:

    1. Back up the current $FWDIR/boot/modules/fwkern.conf file:

      cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

      If this file does not exist, create it:

      touch $FWDIR/boot/modules/fwkern.conf

    2. Edit the current $FWDIR/boot/modules/fwkern.conf file:

      vi $FWDIR/boot/modules/fwkern.conf

      Important - This configuration file does not support spaces or comments.

    3. Add this line to enable the Passive Streaming Layer (PSL) Tap Mode:

      psl_tap_enable=1

    4. Add this line to enable the Firewall Tap Mode:

      fw_tap_enable=1

    5. Save the changes in the file and exit the Vi editor.

    4

    Modify the $PPKDIR/conf/simkern.conf file:

    1. Back up the current $PPKDIR/conf/simkern.conf file:

      cp -v $PPKDIR/conf/simkern.conf{,_BKP}

      If this file does not exist, create it:

      touch $PPKDIR/conf/simkern.conf

    2. Edit the current $PPKDIR/conf/simkern.conf file:

      vi $PPKDIR/conf/simkern.conf

      Important - This configuration file does not support spaces or comments.

    3. Add this line to enable the Firewall Tap Mode:

      fw_tap_enable=1

    4. Save the changes in the file and exit the Vi editor.

    5

    Reboot the Security Gateway.

    6

    Make sure the Security Gateway loaded the new configuration:

    1. Examine the status of the PSL Tap Mode:

      fw ctl get int psl_tap_enable

      Output must show:

      psl_tap_enable = 1

    2. Examine the status of the Firewall Tap Mode:

      fw ctl get int fw_tap_enable

      Output must show:

      fw_tap_enable = 1

    Notes:

    • This configuration helps the Security Gateway process packets that arrive in the wrong or abnormal order (for example, TCP [SYN-ACK] arrives before TCP [SYN]).

    • This configuration helps the Security Gateway work better for the first 10-30 minutes when it processes connections, in which the TCP [SYN] packets did not arrive.

    • This configuration is also required when you use a TAP device or Mirror / Span ports with separated TX/RX queues.

    • This configuration will make the Mirror Port on Security Gateway work better for the first 10-30 minutes when processing connections, in which the TCP-SYN packet did not arrive.

    • It is not possible to set the value of the kernel parameters "psl_tap_enable" and "fw_tap_enable" on-the-fly with the "fw ctl set int <parameter>" command (Known Limitation 02386641).

  5. Step

    Instructions

    1

    Connect with SmartConsole to the Security Management Server or Target Domain Management Server that manages this Security Gateway.

    2

    In the top left corner, click Menu > Global properties.

    3

    From the left tree, click the Stateful Inspection pane and configure:

    1. In the Default Session Timeouts section:

      1. Change the value of the TCP session timeout from the default 3600 to 60 seconds.

      2. Change the value of the TCP end timeout from the default 20 to 5 seconds.

    2. In the Out of state packets section, you must clear all the boxes.

      Otherwise, the Security Gateway drops the traffic as out of state (because the traffic does not pass through the Security Gateway, it does not record the state information for the traffic).

    4

    From the left tree, click the Advanced page > click the Configure button, and configure:

    1. Click FireWall-1 > Stateful Inspection.

    2. Clear reject_x11_in_any.

    3. Click OK to close the Advanced Configuration window.

    5

    Click OK to close the Global Properties window.

    6

    Publish the SmartConsole session.

  6. Step

    Instructions

    1

    Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.

    2

    From the left navigation panel, click Security Policies.

    3

    Create a new policy and configure the applicable layers:

    1. At the top, click the + tab (or press the CTRL T keys).

    2. On the Manage Policies tab, click Manage policies and layers.

    3. In the Manage policies and layers window, create a new policy and configure the applicable layers.

    4. Click Close.

    5. On the Manage Policies tab, click the new policy you created.

    4

    Create the Access Control ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that accepts all traffic:

    No

    Name

    Source

    Destination

    VPN

    Services & Applications

    Action

    Track

    Install On

    1

    Accept All

    *Any

    *Any

    Any

    *Any

    Accept

    Log

    Object of
    Security Gateway
    in Monitor Mode

    5

    Best Practice

    We recommend these Aggressive Aging settings for the most common TCP connections:

    1. In the SmartConsole, click Objects menu > Object Explorer.

    2. Open Services and select TCP.

    3. Search for the most common TCP connections in this network.

    4. Double-click the applicable TCP service.

    5. From the left tree, click Advanced.

    6. At the top, select Override default settings.

      On Domain Management Server, select Override global domain settings.

    7. Select Match for 'Any'.

    8. In the Aggressive aging section:

      Select Enable aggressive aging.

      Select Specific and enter 60.

    9. Click OK.

    10. Close the Object Explorer.

    6

    Publish the SmartConsole session.

    7

    Install the Access Control Policy on the Security Gateway object.

  7. Step

    Instructions

    1

    Connect to the command line on the Security Gateway.

    2

    Log in to the Expert mode.

    3

    Install the default policy on the VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. object:

    Make sure the parameter fw_span_port_mode is part of the installed policy:

    grep -A 3 -r fw_span_port_mode $FWDIR/state/local/*

    The returned output must show:

    :val (true)

  8. On the Security Gateway, connect the interface in the Monitor Mode to the mirror or SPAN port on the switch.

For more information, see the: