2025-02-24 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Check Point SMB Operation Manual
Catalogue
Preparation
Initialization
  Configure IP
  Initialization
Check Point 1100 Web configuration
  Initialize to standalone
  Configure IP and routing
  Enable functions
  Configure policy
  View the log
Check Point 1100 SC configuration
  Initialize to distributed
  Connect to Smart Center
  Enable function modules
  Configure the distributed policy
  Introduction to application control
  Introduction to IPS
S to S × × × and remote × × ×
  Create a * for S to S
  Configuration case
  Solution to the 600 and R75.40 × × configuration problem
  Establish remote × × ×
Preparation
First, let us look at the appearance of the device, which is about the size of a small switch. It has a front panel and a back panel.
The front panel mainly carries the power indicator, the status indicator and the network connection status lights.
The back panel mainly carries the power jack, the external-network and internal-network jacks, the reboot port, the reboot button and the restore-factory-settings button.
Initialization
Configure IP
After power is applied and the device starts for the first time, connect a network cable from the PC to any of the LAN1-LAN8 ports and set the PC's IP configuration to DHCP.
With DHCP configured, open the network adapter information on the PC and check whether an IP address has been obtained; if it has, the device has started.
Initialization
Next, we initialize the device through the web interface. The address for the first login is https://192.168.1.1:4434; the page that opens automatically jumps to the initialization wizard.
Click Next. On this page, set the administrator account and password and select the country you are in.
Click Next to set the time. There are two ways: manual and automatic. Manual sets the time to a specified value; automatic obtains the time from an NTP server.
Click Next to set the device name and domain name. If there is no domain name, it does not need to be entered.
Click Next to set the usage mode of the device. The 1100 supports being managed by Smart Center.
The Smart Center versions that can currently manage the 1100 are R77 and R75.47; other versions are not fully supported for the time being.
(Choose distributed management; we use R75.47 to test management of the 1100.)
Click Next to set the connection mode of the external network. You can choose to configure it later.
Click Next to set the management IP of the internal network and whether to enable DHCP, including the DHCP network segment settings.
Click Next to choose whether to set the Wi-Fi name and key; choose to set it later.
Click Next to choose the ways in which the device can be accessed. You can choose internal network, external network, wireless and × ×. In addition to the access method, you can also restrict access to specific IPs.
Click Next to activate the device. There are two ways: online activation and offline activation. You can also click Next without activating, in which case there is a 30-day trial period.
If you click Next directly, it will remind you that the device is not activated; just click OK.
After clicking OK, we need to configure SIC. Since we chose distributed mode earlier, we need to set a SIC key for connecting to Smart Center so that Smart Center can manage the device.
Click Next to connect to Smart Center; we can choose to join management later. Check the option below and click Next.
After clicking Next, the basic information of the device is displayed. Confirm it and click Finish to complete the initialization.
Check Point 1100 Web configuration
Initialize to standalone
Standalone mode is suitable for offices or enterprises that deploy a single device. Companies with a low budget can choose standalone mode to keep within budget. Choosing standalone does not prevent changing it later: you can initialize to standalone mode and, when you later need to add another CP device, change the mode to distributed, as long as you purchase or install a Smart Center for management.
Note: Check Point 2200 series and above cannot be changed again once standalone is selected at initialization.
Note: for HA, it is strongly recommended to use distributed mode instead of standalone.
Configure IP and routing
Configure the IP and DHCP servers for the device.
First, click the network group you need to modify. By default, each network group behaves like one switch. Several network groups can exist in the device at the same time, up to eight, one for each of the eight CP interfaces. After the CP is initialized with defaults, the eight LAN interfaces are placed in one network group. To create a new network group, first separate the interfaces you need from the default network group. Besides being part of a network group, an interface can also be made into a separate interface with its own IP. All interfaces in a network group use the network group's IP as their gateway, while a separate interface uses its own assigned IP as the gateway.
Example 1, a network group:
First, double-click the network port you need to separate and select Unassigned under Assigned to. After separating the required interfaces, click New Switch.
Check the box in front of each interface you need to join to the network group.
Set the IP address of the network group.
Choose whether to enable the DHCP server. If enabled, set the address range assigned by DHCP and the reserved addresses.
Click Apply to finish when the configuration is complete.
Example 2, a separate network:
Double-click the interface you want to make a separate network and select Separate Network under Assigned to.
Set the IP address of the network port.
Choose whether to enable the DHCP server on the network port, and configure the DHCP network segment and the reserved IPs.
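The two examples above, as an added illustration that is not part of the manual: a small model of the 1100 LAN layout (network groups acting as switches, separate networks with their own IP, DHCP ranges with reserved addresses) with the consistency checks worth making before clicking Apply. Network names and all addresses other than the factory 192.168.1.1 are constructed.

```python
# Added example, not from the manual: a model of the LAN layout described above
# and the checks worth making before clicking Apply. Network names and
# addresses other than the factory 192.168.1.1 are constructed.
import ipaddress

LAN_PORTS = [f"LAN{i}" for i in range(1, 9)]  # the eight LAN interfaces of the 1100

class Dhcp:
    """DHCP server settings of one network: assigned range plus reserved addresses."""
    def __init__(self, first, last, reserved=()):
        self.first = ipaddress.ip_address(first)
        self.last = ipaddress.ip_address(last)
        self.reserved = [ipaddress.ip_address(r) for r in reserved]

class Network:
    """A network group (switch) of several ports, or a separate network of one port.
    cidr is the gateway address the member ports point at, e.g. 192.168.1.1/24."""
    def __init__(self, name, ports, cidr, dhcp=None):
        self.name, self.ports, self.dhcp = name, list(ports), dhcp
        self.iface = ipaddress.ip_interface(cidr)

def validate(networks):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems, owner = [], {}
    for idx, n in enumerate(networks):
        subnet = n.iface.network
        for p in n.ports:
            if p not in LAN_PORTS:
                problems.append(f"{n.name}: unknown interface {p}")
            elif p in owner:  # a port can be assigned to only one network
                problems.append(f"{p}: assigned to both {owner[p]} and {n.name}")
            owner[p] = n.name
        for other in networks[idx + 1:]:  # each pair is checked once
            if other.iface.network.overlaps(subnet):
                problems.append(f"{n.name} and {other.name}: overlapping subnets")
        d = n.dhcp
        if d is None:
            continue
        if d.first > d.last:
            problems.append(f"{n.name}: DHCP range start is after its end")
        for a in (d.first, d.last):
            if a not in subnet:
                problems.append(f"{n.name}: DHCP address {a} outside {subnet}")
        if d.first <= n.iface.ip <= d.last:
            problems.append(f"{n.name}: DHCP range includes gateway {n.iface.ip}")
        for r in d.reserved:
            if not d.first <= r <= d.last:
                problems.append(f"{n.name}: reserved {r} not inside DHCP range")
    return problems

def default_layout():
    """Factory state: LAN1-LAN8 in one network group behind 192.168.1.1."""
    return [Network("LAN", LAN_PORTS, "192.168.1.1/24",
                    Dhcp("192.168.1.100", "192.168.1.200"))]

def split_layout():
    """Example 2 above: LAN8 separated from the default group as its own network."""
    return [Network("LAN", LAN_PORTS[:7], "192.168.1.1/24",
                    Dhcp("192.168.1.100", "192.168.1.200")),
            Network("GUEST", ["LAN8"], "192.168.2.1/24",
                    Dhcp("192.168.2.10", "192.168.2.250", reserved=["192.168.2.50"]))]
```

Running validate() on a layout where LAN8 was never unassigned from the default group reports the double assignment, which is the mistake the separation step in Example 1 exists to avoid.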
Routing configuration
To configure a static route, select Device and find the Routing tab on that page.
Click New to add a route.
In the page that opens, set the destination address, source address, service and next hop, then click Apply to complete the addition.
Enable functions
To enable function modules in standalone mode, log in to the Security Dashboard under the device's Home interface and select the functions you need to enable. The license is imported when the device is purchased; after import, modules that were not purchased cannot be enabled.
Configure policy
Configure the policy for the CP. First, confirm that the required function modules are enabled. You can see how to enable them in the previous section, or select Blade Control under Access Policy to enable the modules. That page also integrates enabling and disabling the application control and URL control modules.
In Firewall Policy, you can choose Standard mode (intercept all incoming data from the public network) or Strict mode (intercept all outbound and inbound data), or select OFF to disable it.
After the module is enabled, you can configure the Policy. Select the Policy interface and click New to add a policy.
View the log
To view the log through the firewall in standalone mode, click Logs & Monitoring to view the logs.
Click Security Logs to view the firewall access log.
Click System Logs to view the system log.
Under Status you can see the device's connection information, including:
Active PCs connected to the device
× × tunnel state
Active connections
3D report
Reports can be generated for the device under Security Report.
Click Reports Dashboard to view hourly, daily, weekly and monthly reports.
Click Hourly Report / Daily Report / Weekly Report / Monthly Report and click the Generate Report button to generate an hourly / daily / weekly / monthly report of the device's operation.
Check Point 1100 SC configuration
Initialize to distributed
Click Next to set the usage mode of the device. The 1100 supports being managed by Smart Center.
The Smart Center versions that can currently manage the 1100 are R77 and R75.47; other versions are not fully supported for the time being.
(Choose distributed management; we use R75.47 to test management of the 1100.)
After clicking OK, we need to configure SIC. Since we chose distributed mode earlier, we need to set a SIC key or use automatic authentication to connect to Smart Center so that Smart Center can manage the device. (Here we choose the second option, automatic authentication.)
Connect to Smart Center
When the Check Point 1100 is set to stand-alone mode, logging in to the 1100 shows that many options are missing from the interface, and the firewall functions cannot be enabled from the web interface; they must be enabled through Smart Center.
Check the connection status between the 1100 and Smart Center in the Security Dashboard to see whether it is managed, or check whether the connection to Smart Center is normal.
In the picture we can see that the device is currently disconnected from Smart Center. Now we begin to connect them. First open Smart Center and add a firewall in the Firewall interface.
Select Security Gateway/Management … to add devices, and select wizard mode.
Click Wizard Mode to add the device in wizard mode. Enter the device name, Gateway-1100, set the software version of the device to 1100 Appliances, and enter the IP address of the device: 192.168.1.12.
Click Next to configure the connection between the device and Smart Center. Select the connection method; there is no need to connect through SIC. Click Connect to connect. After connecting, the status changes to the one shown.
Click Next to enable the device functions. Only the Firewall function is enabled by default; you can enable the other functions according to the function modules you purchased.
After enabling the required features, click Next to configure whether all IPs in the internal network are automatically NATed.
Finally, confirm the configuration information once the configuration is complete.
Enable function modules
There are two ways to enable functions on devices managed by Smart Center.
The first is to enable the required functions when adding the device.
The second is to open the newly added device in Smart Center; functions can be enabled and disabled there. Checked means enabled; unchecked means disabled.
Configure the distributed policy
Marked above is the button for adding a firewall rule. On the left is the area that defines the various objects, including firewall objects, host objects, network objects and group objects. The Security option on the right shows the rule base, that is, the rules currently defined. Below are all the defined objects and their corresponding properties.
The first time we add a rule, we click the button in the figure and a default rule appears in the rule base.
Then we refer to the defined objects to build the rules. See the following figure: to add an object, right-click in the corresponding column and select the object in the dialog box that pops up.
After adding the policy, it is not applied to the device until the policy is issued. Click the button shown below to issue the policy to the device.
(For application control, URL control, IPS, integration with an AD domain and × ×, please refer to the SmartCenter configuration manual.)
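The rule base described above, together with the Standard / Strict / OFF modes from the Firewall Policy section, as an added example that is not part of the manual: a first-match evaluator over objects and rules, with the policy mode acting as the default verdict when no rule matches. The objects, rules and addresses are constructed for illustration.

```python
# Added example, not from the manual: a first-match model of the rule base
# (objects in the object pane, rules with source/destination/service/action),
# with the Firewall Policy modes Standard, Strict and OFF as the default verdict
# when no rule matches. Objects, rules and addresses are constructed.
import ipaddress

INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]  # the private side of the gateway

# Object definitions, as in the object pane: firewall, network, host and group objects
OBJECTS = {
    "Gateway-1100": ["192.168.1.12/32"],                    # firewall object
    "Office-LAN":   ["192.168.1.0/24"],                     # network object
    "Web-Server":   ["192.168.1.50/32"],                    # host object
    "Servers":      ["192.168.1.50/32", "192.168.1.51/32"],  # group object
}

# Constructed rule base; rules are checked top to bottom and the first match wins
RULES = [
    {"source": "Any", "destination": "Web-Server", "service": {80, 443}, "action": "Accept"},
    {"source": "Servers", "destination": "Any", "service": {443}, "action": "Accept"},
    {"source": "Any", "destination": "Gateway-1100", "service": "Any", "action": "Drop"},
]

def is_internal(addr):
    return any(addr in n for n in INTERNAL)

def member(obj_name, addr):
    """True if addr belongs to the named object; 'Any' matches every address."""
    if obj_name == "Any":
        return True
    return any(addr in ipaddress.ip_network(c) for c in OBJECTS[obj_name])

def mode_default(mode, src, dst):
    """Verdict from the Firewall Policy mode when no explicit rule matched."""
    inbound = not is_internal(src) and is_internal(dst)    # public -> private
    outbound = is_internal(src) and not is_internal(dst)   # private -> public
    if mode == "Standard":
        return "Drop" if inbound else "Accept"
    if mode == "Strict":
        return "Drop" if inbound or outbound else "Accept"
    if mode == "OFF":
        return "Accept"
    raise ValueError(f"unknown mode {mode}")

def evaluate(rules, mode, src, dst, port):
    """Return (verdict, rule_number); rule_number is None when the mode decided."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(rules, start=1):
        service_ok = rule["service"] == "Any" or port in rule["service"]
        if member(rule["source"], src) and member(rule["destination"], dst) and service_ok:
            return rule["action"], number
    return mode_default(mode, src, dst), None
```

Because rules are matched in order, the returned rule number tells you which line of the rule base decided a connection, which is what to check when a policy does not behave as expected after it is issued.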
Introduction to application control
Check Point's application control can restrict a whole category of websites or applications, which lets users block a category without knowing the name of every website or application. For example, shopping sites such as Taobao, Tmall, JD.com and Yi Xun would otherwise have to be blocked one by one, whereas Check Point restricts all shopping sites through its signatures. Both application control and URL control are modified in the Firewall section; the 1100 puts the firewall and these policies in one place, which makes them convenient to modify.
Introduction to IPS
IPS means * * defense in Chinese and can be used to defend against * from the public network. Select Threat Prevention in the web interface to turn on IPS monitoring. With the default settings enabled, 80% of * * can be blocked without further configuration.
S to S × × × and remote × × ×
S to S * * is a point-to-point × ×. The customer has two Check Point firewalls. There are two ways to encrypt between them: one through a key and the other in the form of a certificate.
Create a * for S to S.
First, enable the Site to Site × × module: turn it on under Blade Control in Site To Site under the × × × interface.
After enabling it, add a site under × × Site.
In the interface, configure the name and IP of the peer device, the key or certificate, and the peer network segment that should access the local network segment.
After the setting is completed, add the local device as a peer on the device at the other segment in the same way: enter the name, IP, key or certificate and the network segment participating in the × ×. When done, you can view the status of the × × establishment under × × Tunnels.
Configuration case
In this configuration, you need to upgrade the default version of the device to R75.20.40 or above; otherwise the certificate cannot be imported.
Environment:
The Check Point R75.40 at the opposite end has a fixed IP, 10.10.10.1, and its intranet segment is 192.168.1.0.
The local side is an SMB 620 device running R75.20.50, dialing up over ADSL. Its private network segment is 192.168.168.0.
Configuration steps:
First, you need to generate a certificate through Smart Center; it is used for authentication by both parties. Right-click the Check Point window under SC and select UTM-1 Edge Gateway.
Enter the name of the device in the pop-up window. Click Edit Registration Key to generate a key automatically (since the 620 does not support being managed, we click automatically generate key here), then click OK. Check External Managed Gateway at the bottom and select Topology.
On this page, select manually defined in the * × × Domain and select its own private network segment in the check box. Click IPSec * *.
Generate a certificate in this interface. First click Add under Repository of Certificates Available to the Gateway and enter the name of the device in the pop-up interface.
Click Generate to generate the certificate, and record the generated data in a text file, separated by commas (,).
Click OK when you have finished recording. When the certificate generation is complete, click Matching Criteria.
Select Internal_ca at the top, check the DN option, and fill in the previously recorded data after it.
Click OK to save and OK again to close this window, then open it again, go to the interface and click Export P12. Set a password for the certificate.
Enter it twice and click OK, then select the export path to generate the certificate p12 file.
After generating the certificate, we need to configure the device itself. Select the R75.40 device, select Topology, select manually defined in × × × Domain on this page, and select its own private network segment in the check box. Click IPSec * *.
Next, configure the × × site that links the two ends: click the small lock icon on the page, double-click the Site to Site × × × in the site list, and configure it in the interface that opens.
Select Participating Gateways on this page, click Add in the pop-up window to add the gateways that need to participate in the × × ×, and click Advanced Settings when finished.
Select Advanced × × Properties and check Disable NAT inside the × × community on that page. Click OK to complete the configuration.
After configuring the site, we need to add a policy to allow the traffic through.
Remember to issue the policy after adding it.
After that configuration is completed, we enable the Site to Site × × module on the local device: turn it on under Blade Control in Site To Site under the × × × interface.
After enabling it, add a site under × × Site.
In the interface, configure the name and IP of the peer device, the key or certificate, and the peer network segment that should access the local network segment.
After the setting is completed, add the local device as a peer on the device at the other segment: enter the name, IP, key or certificate and the network segment participating in the × ×. When done, you can view the status of the × × establishment under × × Tunnels.
Solution to the 600 and R75.40 × × configuration problem
First step: verify the other peer's certificate name (CRL Distribution address).
To verify the local certificate's CRL Distribution address, go to "× ×" -> "Certificates" -> "Internal Certificate". Under "Internal × × × Certificate" there is the CRL Distribution URL. This is the local URL address and should be provided to the remote × × peer.
Second step: add a network object that represents the CRL Distribution URL of the remote × × peer.
This step gives the local gateway the ability to resolve the remote peer's trusted certificate locally.
On each gateway, create a "Network Object" that contains the external IP address of the remote × × × peer, and use the CRL Distribution URL name as the "Network Object's" name.
For example, in a scenario where the remote gateway's CRL Distribution is "http://Samba:182654.ICA1.crl" and its external IP address is 173.13.64.63, on the local gateway you have to add a "Network object" that includes the remote × × × peer's CRL info:
Type: Single IP
IP address: 173.13.64.63
Object name: Samba
Mark the option "Allow DNS server to resolve this Object name". Click "Apply".
Third step: uncheck the following checkboxes:
"Retrieve CRL From HTTP Server(s)"
"Cache CRL on the Security Gateway"
Go to × ×: under "Certificates", go to "Trusted Certificates". Double-click the certificate to open its Edit window.
Uncheck the following:
- "Retrieve CRL From HTTP Server(s)"
- "Cache CRL on the Security Gateway"
Click "Apply".
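The second step above, as an added example that is not part of the manual: derive the "Network Object" fields from the remote peer's CRL Distribution URL and check that the URL's host resolves locally to the peer's external IP. The URL and IP are the ones quoted above; the resolver table is a constructed stand-in for what the gateway's DNS returns once the object is defined.

```python
# Added example, not from the manual: build the Network Object that the second
# step asks for from the remote peer's CRL Distribution URL, and check that the
# URL's host resolves locally to the peer's external IP. URL and IP are the values
# quoted on the page; the resolver table is a constructed stand-in for the gateway's DNS.
import ipaddress

def crl_host(url):
    """Host part of a CRL Distribution URL, with its letter case kept as written
    (urllib's hostname attribute lower-cases it, and the object name must match)."""
    if "://" not in url:
        raise ValueError(f"not an absolute URL: {url}")
    rest = url.split("://", 1)[1]
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if not host:
        raise ValueError(f"no host in CRL URL: {url}")
    return host

def network_object_for_peer(crl_url, external_ip):
    """The object fields listed in the second step, keyed as the GUI labels them."""
    return {
        "Type": "Single IP",
        "IP address": str(ipaddress.ip_address(external_ip)),  # rejects malformed IPs
        "Object name": crl_host(crl_url),
        "Allow DNS server to resolve this Object name": True,
    }

def resolve(resolver, name):
    """Case-insensitive lookup, as DNS names are; resolver maps name -> IP string."""
    table = {k.lower(): v for k, v in resolver.items()}
    return table.get(name.lower())

def crl_resolves_to_peer(crl_url, external_ip, resolver):
    """True when the CRL host resolves to the peer's external IP. A mismatch means
    the CRL fetch would go to the wrong address and validation of the peer's
    certificate would fail, which is the symptom the steps above work around."""
    answer = resolve(resolver, crl_host(crl_url))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) == ipaddress.ip_address(external_ip)

# Values quoted on the page
REMOTE_CRL_URL = "http://Samba:182654.ICA1.crl"
REMOTE_EXTERNAL_IP = "173.13.64.63"
# Constructed: what the gateway's resolver returns once the object is defined
RESOLVER_AFTER_OBJECT = {"Samba": "173.13.64.63"}
```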
Establish remote × × ×
First, enable the Remote × × module: find Blade Control under Remote × × in the interface. You can choose the access methods at the bottom of the switch. The Check Point client is enabled by default, and SSL × × and the Windows × × tool can also be enabled; if you need these, just check them.
After the function and login methods are enabled, the next step is to configure remote × × users. Open the Remote Access Users page and click Add to add remote access users.
On the add page, set the user name and password and check Remote Access only.
After setting up the user, click Advanced to set the IP address and DNS server that the user receives after logging in.
© 2024 shulou.com SLNews company. All rights reserved.