Tuesday, July 14, 2015

How to configure a Check Point (Gaia) firewall as a proxy server?

Mainstream support for Microsoft Forefront TMG ended in 2015, so many are looking for a replacement, and Check Point is one candidate. This article walks step by step through deploying Check Point as a proxy server with the basic settings needed to start further testing.
It also covers a few pitfalls hit during this deployment:
The cluster IP does not answer ping or telnet on port 8080: disable anti-spoofing on the internal cluster interface (step 12). Anti-spoofing drops packets whose source address does not belong to the interface's defined topology, so this removes a real protection; re-enable it once the topology is defined correctly.
Find the MAC address of the cluster IP (the router needs it for the static ARP entry in step 16).
"URL filtering" rules do not match: change Destination from Internet to Any (step 14).

1. Download "Check_Point_Install_and_Upgrade_R77.Gaia.iso" (http://supportcontent.checkpoint.com/file_download?id=41337)

2. Plan your topology, e.g. 2 gateways, 2 management servers, 2 ISPs

3. Choose IP addresses, e.g.
2 Check Point gateways
nic1 (DMZ1) 1.1.1.2, 1.1.1.3 and cluster 1.1.1.4
nic2 (DMZ2) 2.1.1.2, 2.1.1.3 and cluster 2.1.1.4
nic3 (Internal) 10.0.0.2, 10.0.0.3 and cluster 10.0.0.4
nic4 (Management and Sync) 10.0.1.2, 10.0.1.3
2 Check Point management servers
nic1 (Management) 10.0.1.4, 10.0.1.5

4. Install Gaia on the 2 gateways:
use a system partition of at least 15 GB
assign the IP for nic4 (Management and Sync): 10.0.1.2, 10.0.1.3, management default gateway 10.0.1.1

5. Install Gaia on the 2 management servers:
use a system partition of at least 15 GB
assign the IP for nic1 (Management): 10.0.1.4, 10.0.1.5, management default gateway 10.0.1.1

6. Log in to the 2 Check Point gateways at https://10.0.1.2 and https://10.0.1.3
enter hostname, domain, DNS servers
choose "Security Gateway" and "ClusterXL"
generate and note the "Activation Key"; this one-time password is used later (step 11) to establish trusted communication (SIC) between each gateway and the management server
assign all IPs to the NICs

change the static routes:
add a route for Internal: 10.0.0.0 mask 255.255.0.0 gateway 10.0.0.1
change the default route (External): 0.0.0.0 mask 0.0.0.0 gateway 1.1.1.1
If you lose the connection to the web UI when the default gateway moves from the management network to the ISP, do it from the console (clish). The trailing "on" adds the route, "off" deletes it:
show configuration static-route
show route
set static-route default nexthop gateway address 1.1.1.1 on
set static-route 10.0.0.0/16 nexthop gateway address 10.0.0.1 on
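The web UI drops exactly when the gateway's return path to the admin PC changes with the new default route. The following added example (not from the original post) reproduces the gateway's longest-prefix-match decision for the routing table of step 6, so you can check from which addresses the UI will still be reachable before typing the commands. Interface addresses are those of gateway 1 from step 3; the /24 prefix lengths are an assumption, since the post never states the netmasks.

```python
"""Longest-prefix-match check for the Gaia static routes of step 6.

Added example, not code from the original post. Connected networks are
assumed to be /24 (the post gives no netmasks); the static routes are the
ones the 'set static-route ... on' commands create.
"""
import ipaddress

# Directly connected networks of gateway 1 (step 3). /24 is assumed.
CONNECTED = {
    "nic1 (DMZ1)": ipaddress.ip_network("1.1.1.0/24"),
    "nic2 (DMZ2)": ipaddress.ip_network("2.1.1.0/24"),
    "nic3 (Internal)": ipaddress.ip_network("10.0.0.0/24"),
    "nic4 (Mgmt/Sync)": ipaddress.ip_network("10.0.1.0/24"),
}

# Before step 6 the only route is the first-time-wizard default via 10.0.1.1.
ROUTES_BEFORE = {ipaddress.ip_network("0.0.0.0/0"): "10.0.1.1"}

# After the two 'set static-route ... on' commands of step 6.
ROUTES_AFTER = {
    ipaddress.ip_network("0.0.0.0/0"): "1.1.1.1",
    ipaddress.ip_network("10.0.0.0/16"): "10.0.0.1",
}


def next_hop(dst, static_routes, connected=CONNECTED):
    """Return how the gateway forwards to dst: ("connected", iface) or
    ("via", gateway_ip). The longest prefix wins, so the connected /24s
    beat the 10.0.0.0/16 static route for 10.0.0.x and 10.0.1.x."""
    dst = ipaddress.ip_address(dst)
    best = None  # (prefixlen, decision)
    for iface, net in connected.items():
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ("connected", iface))
    for net, gw in static_routes.items():
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ("via", gw))
    return best[1] if best else ("unreachable", None)


def path_change(admin_pc, before=ROUTES_BEFORE, after=ROUTES_AFTER):
    """Return (decision_before, decision_after) for return traffic to admin_pc."""
    return next_hop(admin_pc, before), next_hop(admin_pc, after)


def gui_still_reachable(admin_pc, before=ROUTES_BEFORE, after=ROUTES_AFTER):
    """Conservative check: the session survives if the return path to the
    admin PC is unchanged by the route change. A changed next hop may still
    work, but only if the new gateway also knows the way back."""
    old, new = path_change(admin_pc, before, after)
    return old == new


if __name__ == "__main__":
    # Constructed sample admin addresses, one per situation.
    for pc in ("10.0.1.100", "10.0.5.7", "192.168.1.10"):
        old, new = path_change(pc)
        print("%-14s before=%s after=%s survives=%s"
              % (pc, old, new, gui_still_reachable(pc)))
```

An admin PC on the management /24 keeps working because that network is directly connected; a PC on another 10.0.x.x network now goes via 10.0.0.1 instead of 10.0.1.1, which only works if 10.0.0.1 routes back to it; anything else is sent to the ISP and the session is lost, which is when the clish commands above are needed.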

7. Log in to the 2 Check Point management servers at https://10.0.1.4 and https://10.0.1.5
enter hostname, domain, DNS servers
choose "Primary Management" on the first and "Secondary Management" on the second

8. Install updates:
log in to the Gaia web UI of each machine, open the software updates policy page and set "Download Hotfix" to "Automatic"
install the downloaded updates

9. Download and install "SmartConsole" on the management PC

10. Open SmartConsole and connect to the primary management server

11. Create the cluster object: Network Objects - Check Point - Security Cluster - Check Point Appliance/Open Server
ClusterXL, Load Sharing
add the members and enter the Activation Key from step 6
choose the network type for each interface, e.g.
nic1, nic2, nic3 - cluster interfaces (enter the cluster IP for each)
nic4 - cluster synchronization

12. Change the Cluster Properties
open "Topology", click Edit
check the IPs, set the type External/Internal, and rename the interfaces (one name per ISP, needed later for ISP Redundancy).
Next find the MAC address for the internal cluster IP and disable anti-spoofing: click the internal cluster IP, click Edit

click Advanced
copy the MAC address (it goes into the router configuration in step 16)
go to the "Topology" tab, unmark "Perform Anti-Spoofing based on interface topology" (this is what made the cluster IP reachable on port 8080 in this setup; it also turns off the check that drops packets whose source address does not match the interface's topology, so re-enable it once the topology is correct)
Close Interface Properties, go to "HTTP/HTTPS Proxy": mark "Use this gateway as an HTTP/HTTPS Proxy"
Click "Advanced": mark "X-Forward-For header (original client source IP address)" (the gateway then adds the client's address to proxied requests in an X-Forwarded-For header)
Go to "Identity Awareness": mark "Detect users located behind http proxy using X Forward-For header"
Go to "General Properties" and mark/unmark the Blades you need
Open "ISP Redundancy" and mark "Support ISP Redundancy" (it only works when the Check Point gateway is the default gateway)
Next click Add in "ISP Links", enter a name (such as the interface name) and choose the interface
Close "Cluster Properties"

13. Create a "Test" Firewall policy

14. Create the Application & URL Filtering policy. You must set Destination to Any; rules with Destination = Internet did not match the proxied traffic.

15. "Save Settings" and "Install Policy"


16. Open the router configuration and add a static ARP entry and a static MAC-table entry for the internal cluster virtual IP, using the MAC address copied in step 12 (ClusterXL Load Sharing in multicast mode answers ARP for the cluster IP with a multicast MAC, which routers typically will not learn on their own). E.g. on Cisco IOS, substituting your own MAC for 0100.0100.0100:
arp 10.0.0.4 0100.0100.0100 ARPA
mac-address-table static 0100.0100.0100 vlan 2 interface Port-channel1 Port-channel2 Port-channel3
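SmartDashboard shows the cluster MAC as colon-separated hex, while IOS wants three dotted groups of four hex digits, and it is worth confirming the copied address really is a multicast MAC before adding static entries. The following added example (not from the original post) does that conversion and emits the two IOS lines of step 16; the sample MAC, VLAN number and port-channel names are made-up inputs.

```python
"""Turn the cluster MAC copied in step 12 into the Cisco IOS lines of step 16.

Added example, not code from the original post. Sample MAC addresses,
the VLAN id and the port-channel names below are constructed inputs.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits.

    Accepts 'aa:bb:cc:dd:ee:ff' (SmartDashboard), 'aa-bb-cc-dd-ee-ff'
    (Windows) and 'aabb.ccdd.eeff' (IOS); anything else is rejected."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def to_cisco(mac):
    """IOS notation: three dotted groups of four hex digits."""
    d = normalize_mac(mac)
    return "%s.%s.%s" % (d[0:4], d[4:8], d[8:12])


def is_multicast(mac):
    """True when the group bit (LSB of the first octet) is set.

    A unicast cluster MAC is learned by the router through normal ARP; a
    multicast one (ClusterXL Load Sharing multicast mode) is what needs
    the static ARP and MAC-table entries of step 16."""
    return int(normalize_mac(mac)[0:2], 16) & 0x01 == 1


def cisco_static_entries(cluster_ip, mac, vlan, ports):
    """Emit the two IOS lines from step 16 for this cluster IP and MAC."""
    cmac = to_cisco(mac)
    return [
        "arp %s %s ARPA" % (cluster_ip, cmac),
        "mac-address-table static %s vlan %d interface %s"
        % (cmac, vlan, " ".join(ports)),
    ]


if __name__ == "__main__":
    # Constructed sample: the placeholder MAC of step 16 in SmartDashboard format.
    copied = "01:00:01:00:01:00"
    print("multicast MAC:", is_multicast(copied))
    for line in cisco_static_entries("10.0.0.4", copied, 2,
                                     ["Port-channel1", "Port-channel2",
                                      "Port-channel3"]):
        print(line)
```

If is_multicast() returns False for the address you copied, the cluster is not in Load Sharing multicast mode and the router should learn the MAC via ARP without static entries; check the ClusterXL mode before adding them.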

17. Add a DNS A record for the proxy name pointing at the internal cluster IP, e.g.
cp.blogspot.com A 10.0.0.4

18. Configure the browser to use the new proxy (cluster IP 10.0.0.4, port 8080) and try browsing to the Internet
