In this section we will configure 2 gateways and 1 Management server, and configure the Management server to control both gateways.
For the initial setup please follow the link below:
https://sanchitgurukul.in/2020/04/10/how-to-install-checkpoint-standalone-firewall/
Configure the first-time setup of the Management server:

1. Log in to the Management server.

2. Run the Check Point first time configuration wizard.

3. Click Next and select the deployment option.

4. Click Next and set up the Management interface.

5. Click Next; the other interfaces will be configured later.

6. Click Next and configure the hostname and DNS server.

7. Click Next and set the date and time, or set up NTP if it is configured in your organization.

8. Click Next; here you have to select the type of Management server:
a. Security Gateway: single Management server (we will use this option)
b. Multi-Domain Server: to manage multiple Management servers or gateways.

9. Click Next. Here you can select a Primary or Secondary Management server; in this case we are going to use a single Management server.

10. Click Next; you can set a new user for Management server access.

11. Click Next; you can also restrict Management server access by limiting the GUI clients.

12. Click Next and finish the setup.


First time setup has been completed.
Management server is ready now.

Note: You can also validate the current version, hotfix number and Deployment agent number as below:

In the next step we will set up connectivity from SmartConsole to the Management server. To complete this we have to download the latest SmartConsole software from the box or from the Check Point site.
I have already installed the “R80.20 take 114” SmartConsole on my PC.
1. Validate whether the Management server is ready. Open an SSH session.

2. Set the expert password.

Note: Sometimes you need to take a database override.
3. Enter expert mode.

4. Enter the command below to check whether the Management server is ready:
$CPMDIR/scripts/check_cpm_status.sh
Wait a few minutes and you will see "CPM server started".

If not, restart the services using cpstop; cpstart.
If the issue still persists, it needs further troubleshooting.
Note: SmartConsole connects to the Management server on TCP port 19009. You can take a packet capture on that port to analyse further.
5. Connect through SmartConsole.


6. You will get the window below.

7. To check further, close this pop-up window and click on the gateway.

Here you can check the Management server's utilization and other information.
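The readiness check in steps 2 to 4 can be scripted so it is repeatable after a cpstop; cpstart. The shell script below is an added example and is not code from the article or from Check Point; it assumes that check_cpm_status.sh prints a line containing "CPM server started" once the server is up (the article only says you will see that text) and that a ready server shows a LISTEN socket on TCP 19009 in netstat output. The helper functions take command output as an argument so the script can be exercised offline against the constructed sample outputs embedded in it; on a real server pass the live output as shown in the comments.

```shell
#!/bin/sh
# Added example, not code from the article: readiness checks for a Check Point
# Management server, meant for expert mode. Each helper takes command output as
# an argument so it can be tested offline against the constructed samples below.
# On a real server call:
#   mgmt_ready "$("$CPMDIR"/scripts/check_cpm_status.sh 2>&1)" "$(netstat -tln)"

# Returns 0 when the check_cpm_status.sh output reports "CPM server started".
# Assumption: that exact phrase appears once the server is up (the article says
# you will see it); anything else is treated as not ready.
cpm_ready() {
    printf '%s\n' "$1" | grep -qi 'CPM server started'
}

# Returns 0 when netstat/ss style output shows a LISTEN socket on TCP 19009,
# the port SmartConsole connects to.
smartconsole_port_listening() {
    printf '%s\n' "$1" | grep -E ':19009[[:space:]]' | grep -q 'LISTEN'
}

# Overall verdict: prints one status line, returns 0 only when both checks pass.
mgmt_ready() {
    if ! cpm_ready "$1"; then
        echo "CPM not started yet: wait and retry (cpstop; cpstart if it never comes up)"
        return 1
    fi
    if ! smartconsole_port_listening "$2"; then
        echo "CPM started but nothing listens on TCP 19009: SmartConsole cannot connect"
        return 2
    fi
    echo "Management server ready for SmartConsole"
    return 0
}

# Constructed sample outputs (not captured from a real system), for offline use.
SAMPLE_CPM_STARTED='Checking CPM status...
CPM server started'
SAMPLE_CPM_STARTING='Checking CPM status...
CPM server is not started yet'
SAMPLE_NETSTAT_OK='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:19009    0.0.0.0:*        LISTEN'
SAMPLE_NETSTAT_NOPORT='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN'

# Demonstration on the samples (output only; scripts should use the return codes).
mgmt_ready "$SAMPLE_CPM_STARTED" "$SAMPLE_NETSTAT_OK"
mgmt_ready "$SAMPLE_CPM_STARTING" "$SAMPLE_NETSTAT_OK" || true
mgmt_ready "$SAMPLE_CPM_STARTED" "$SAMPLE_NETSTAT_NOPORT" || true
```

The two checks are separated on purpose: a started CPM with no listener on 19009 points at the server itself, while a listener that SmartConsole still cannot reach points at the path in between, which is where the packet capture the article mentions (for example tcpdump -ni <mgmt-interface> port 19009 on the Management server) tells you whether the TCP handshake arrives at all.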
Now we will install the gateways and connect them to the Management server.
You can refer to my previous article for the initial setup.
Installing the gateways:
Some steps are skipped here; you can refer to my old article for them:
https://sanchitgurukul.in/2020/04/10/how-to-install-checkpoint-standalone-firewall/
1. Select Installation type: Security Gateway.

2. Deselect Security Management, as this should be a gateway-only firewall. Select the cluster type ClusterXL (this is the recommended type of cluster).

3. Enter a one-time activation key; this will be used to establish trust across all Check Point devices.

4. Finish the setup and follow the same steps for the secondary firewall.
Configure IP and other settings on firewall 1 and 2:
1. Configure the eth1 interface as the untrust interface to connect to the Internet and add its IP address.

2. Configure the eth2 interface as the trust interface to connect to the internal network and add its IP address.

3. Configure the eth4 interface as the heartbeat interface. This interface will act as the cluster and Sync main link. This link is connected only between firewall 1 and 2.

4. Validate the configuration on FW1 and FW2.


Now the interfaces of both firewalls are configured and the firewalls are ready to connect to the Management server.
Note: As of now both firewalls are not in an HA pair, and they will show "no HA module installed".
To configure both gateways (firewalls) in HA and connect them to the Management server, please follow the steps below.
1. Open the Management console and go to the “Gateways and Services” tab.

2. Click on the star sign and open Clusters…

We need to select this option as we are going to configure cluster firewalls.
3. There are two options to configure clusters, i.e. Wizard and Classic. We will use the Wizard, as it is the easier method.

4. Here you have to configure the cluster name and IP address (same as the gateways' Mgmt IP). Select the cluster type as follows:

a. High Availability: In this type the firewalls will be active/standby and a single firewall will handle 100% of the traffic.
b. Load Sharing: In this type both firewalls will act as active firewalls and process traffic in a 30:70 ratio.
We are using High Availability for this article.

5. Now add both gateways.
Click on Add, enter the firewall1 details and follow the same for firewall2.
Here you need to add the activation key (which we entered during gateway configuration) to establish the SIC connection.

Click on Initialize to establish trust between the gateways and the Management server.

Trust established; you can also validate the trust using the Test SIC Status option.

Follow the same for firewall 2.

Now both firewalls are added to the Management server; click Finish to complete the setup.
6. Reboot both gateways. You can reboot a firewall from the CLI or the GUI.
7. Configure the interfaces, cluster and Sync interfaces. Click on the cluster.

8. Go to Network Management.

9. Click on Get Interfaces With Topology.

It will fetch the interface details from both gateway firewalls.

10. Now configure the virtual IP of each interface and the cluster sync.
Eth40 – Heartbeat interface

Eth0 – Management interface


The interfaces and cluster Sync are configured, and the change needs to be applied on the gateways. To apply the changes, install the policy from the Management server to both gateways.
Note: Always install the policy on both gateways at the same time to avoid any misconfiguration.
1. Click on Install Policy and publish the changes. Select the correct gateway and install the policy.



2. Now check the gateway status.

All associated gateways are up and running. The cluster status is also green.
3. Check each gateway's status from the Management server.


Note: As of now we have not allowed any access rule to access the gateways. We need to configure security policies.
4. Go to the Security Policy tab and configure the security policy.
There is only the clean-up rule.

Add a new rule and publish.

Install the policy.

5. Check each gateway's status from the CLI.
Fw1

Fw2

6. Check the logs from the Logs and Monitor tab.
Deny log

Allow log
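The CLI check in step 5 is usually done with cphaprob state on each member, and after every policy install it is worth confirming that the pair still has exactly one Active and one Standby member. The script below is an added example, not code from the article or from Check Point; it assumes the R80.x table layout of that command (one row per member starting with a numeric ID, "(local)" marking the member you are on, and State and Name as the last two columns) and parses constructed sample output embedded in the script so it runs offline. On a gateway pass "$(cphaprob state)" instead. It is written for the High Availability mode used in this article; in Load Sharing both members are Active and the check would need different expectations.

```shell
#!/bin/sh
# Added example, not code from the article: verify an HA pair from the output of
# "cphaprob state" on a ClusterXL member. The parser takes the command text as an
# argument so it runs offline against the constructed samples below; on a gateway:
#   ha_pair_healthy "$(cphaprob state)"
# Assumption: the R80.x table layout, one member per row starting with a numeric
# ID, "(local)" marking this member, and State and Name as the last two columns.

# Print "<name> <STATE>" for every member row, skipping headers and blank lines.
member_states() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ { print $NF, toupper($(NF-1)) }'
}

# Returns 0 when exactly two members are listed, one ACTIVE and one STANDBY.
# Anything else (DOWN, READY, or an "ACTIVE(!)" attention state) fails the check.
ha_pair_healthy() {
    states=$(member_states "$1")
    total=$(printf '%s\n' "$states" | grep -c . || true)
    active=$(printf '%s\n' "$states" | grep -c ' ACTIVE$' || true)
    standby=$(printf '%s\n' "$states" | grep -c ' STANDBY$' || true)
    if [ "$total" -ne 2 ]; then
        echo "expected 2 cluster members, found $total"
        return 1
    fi
    if [ "$active" -ne 1 ] || [ "$standby" -ne 1 ]; then
        echo "unexpected member states:"
        printf '%s\n' "$states"
        return 1
    fi
    echo "HA pair healthy: one ACTIVE, one STANDBY"
    return 0
}

# Constructed sample outputs (not captured from a real cluster).
SAMPLE_STATE_OK='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   100%            ACTIVE         fw1
2          192.168.100.2   0%              STANDBY        fw2'

SAMPLE_STATE_DOWN='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   100%            ACTIVE         fw1
2          192.168.100.2   0%              DOWN           fw2'

# Demonstration on the samples.
ha_pair_healthy "$SAMPLE_STATE_OK"
ha_pair_healthy "$SAMPLE_STATE_DOWN" || true
```

Run it on both members: each gateway reports the whole cluster, so the two outputs should agree; if one member sees the other as DOWN while the Management server still shows the cluster green, the Sync link (eth4 in this setup) is the first thing to inspect.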

Hope this article is helpful. Suggestions are most welcome.