The Best Damn Firewall Book Period

Since the Nokia appliance is already hardened, there is very little you need to do to prepare it for firewall installation. You must configure and test networking and DNS and set up the Host Address Assignment through the Voyager GUI, and you might need to upgrade your IPSO and boot manager.

Ensure that you have the following ready before you begin configuring Check Point FireWall-1:

• Get your Check Point licenses.

• Configure routing and test network interface cards (NICs).

• Ensure IP forwarding is enabled (ipsofwd on admin).

• Configure Host Address Assignment.

• Ensure you have at least 128MB of memory and 40MB of free disk space on /opt.

• Read the Release Notes.

• Verify that your IPSO is compatible with VPN-1/FireWall-1 (see Table 18.1).

  Table 18.1: FireWall-1/IPSO Compatibility

  IPSO Version	VPN-1/FireWall-1 Compatibility
  IPSO 3.2.x	4.0 any service pack and 4.1 up to SP2
  IPSO 3.3 FCS3	4.1 SP2 and SP3
  IPSO 3.3 FCS6, FCS8 (not to be used with IP530)	4.1 SP3
  IPSO 3.3E FCS4 (not to be used with IP530)	4.1 SP3
  IPSO 3.3.1 FCS7 (IP530 only)	4.1 SP3
  IPSO 3.4	4.1 SP4
  IPSO 3.4.1 FCS5a	4.1 SP5
  IPSO 3.4.1 FCS10-FCS12	4.1 SP5a and SP6
  IPSO 3.4.2	NG FP1
  IPSO 3.5 FCS3	4.1 SP5a
  IPSO 3.5 FCS6-FCS8	4.1 SP5a, SP6 and NG FP2
  IPSO 3.5 FCS10	4.1 SP5a, SP6, NG FP2 and FP3
  IPSO 3.6	NG FP2 and FP3

For the most recent FireWall-1/IPSO compatibility matrix, look up Nokia Resolution 11253.

Obtaining Licenses

Check Point licenses have changed (again) with the Next Generation release. This means that you cannot use an old 4.1 license when installing NG. If you have 4.1 licenses, don't worry—you can get your 4.1 cert keys upgraded to NG for no additional charge. In order to obtain licenses, you can either go through your Check Point value-added reseller (VAR) or use the Check Point User Center to license your products at http://usercenter.checkpoint.com.

You have two options when it comes to licensing your firewall modules. You can either have them tied to their individual IP addresses (external interface recommended), as with previous versions, or you can tie them all to the management station's IP address. These licenses are called local or central, respectively. In NG, the SecureUpdate management tool can be used to maintain all licenses on the management console.

The management module itself must have a local license based on its own IP address. The nice thing about using central licenses for the enforcement modules is that you can change their IP addresses without needing to replace the license, and you can easily move a license from one module to another.

It is always best to obtain your licenses before you install the firewall software. The program will ask you for your license details during the configuration procedure. If you cannot obtain your permanent license prior to the install, you should ask for an evaluation license. Check Point's eval licenses have full functionality for almost all VPN-1/FireWall-1 features. They are usually valid for one month, and the product is not crippled in any way while running on eval.

Configuring Your Host Name

If you followed the instructions for initial configuration of your Nokia Security Platform, you should already have your host name configured for FireWall-1. If, however, you have jumped to this chapter, you need to know that your VPN-1/FireWall-1 configuration requires that you have your host name mapped to your external IP address in the Host Address Assignment configuration screen, which you can access from the Voyager main Configuration screen under the System Configuration section. If this function is not configured ahead of time, your license installation will fail.

To add a new host name, enter either the fully qualified domain name (FQDN) or the simple hostname in the field Add new hostname. We are using the name gatekeeper, which was the name assigned to this Nokia during initial system configuration. Next, click Apply, and then type in the IP address associated with gatekeeper. This should be the IP address that you will use if licensing the FireWall-1 product on your Nokia as well, and it is typically the external IP address of the firewall. Click Apply again and then click Save to complete the host address assignment. See Figure 18.1 for the completed configuration.

Figure 18.1: Host Address Assignment

Understanding FireWall-1 Options

The following Check Point Next Generation packages are available:

• VPN-1 & FireWall-1 Includes FireWall-1 Management module and enforcement point software along with the VPN-1 encryption component.

• FloodGate-1 Provides an integrated QoS solution for VPN-1/FireWall-1.

• UserAuthority A user authentication tool that integrates with FireWall-1, FloodGate-1, and other e-business applications.

• VPN-1 SecureClient Policy Server Allows an enforcement module to install granular desktop policies on mobile users' SecureClient personal firewalls.

• Reporting Module An integrated reporting tool that can generate reports, graphs, and pie charts to display information obtained from the VPN-1/FireWall-1 logs.

• Real Time Monitor Allows an organization to monitor its VPN connections, Internet connections, and so on.

• 4.1 Backward Compatibility Allows you to support version 4.1 firewalls from an NG management server.

The VPN-1/FireWall-1 component options are:

• Enforcement Module Select this to install an enforcement module only; the management server will be installed on a separate host.

• Enterprise Management Select this to install a management server only, which will be acting in either a primary or backup capacity.

• Enterprise Management and Enforcement Module Used to install both a VPN-1/FireWall-1 enforcement module and management module (stand-alone install).

• Enterprise Log Server Select this to install a management module that will be used as a log server only.

• Enforcement Module and Enterprise Log Server Use this option to install both a VPN-1/FireWall-1 enforcement module as well as a management module that will be used only as a log server.

After the Check Point cpconfig utility sets up the type of installation you have chosen, it will run through a number of configuration screens. The screens that you can prepare for in advance are:

• Licenses You should read the section on licenses if you need help getting licenses. You will fill in the following fields:

  • Host/IP Address The IP address associated with this license or eval.

  • Expiration Date The date that the license expires, which may be never.

  • SKU/Features The features this license enables (for example, management or 3DES).

  • String/Signature Key The license string provided by Check Point to validate the license. This key will be unique for each license and IP address.

  Note

  If you are installing just an enforcement module, you will have no administrators or GUI clients to configure.

• Administrators You will need to configure at least one administrator during install.

  • Administrator Name Choose a login name for your admin. This field is case sensitive.

  • Password Choose a good alphanumeric password. It must be at least four characters long.

  • Confirm Password Repeat the same password entered in the previous step.

• Management Clients These are the IP addresses of the GUI clients that your administrators will use when connecting to this management module. You might need to configure static IP addresses for your administrators. You can add as many management clients as you'd like or you may enter none, it's up to you. See the following discussion for your Management Client options.

• SIC Password If you are installing an enforcement module only, you will be prompted for a password to initialize SIC. This password must also be entered in the configuration for the firewall object in the Policy Editor.