Perform security checkup using OpenServer or Appliance

From Notes_Wiki
Revision as of 17:06, 15 January 2017 by Saurabh (talk | contribs)



  1. Ensure that the device is flashed, freshly installed, or reset to factory settings. In case of an OpenServer, Gaia can be reinstalled. For an OpenServer ensure that there are at least two interfaces: one for management and the other for monitor mode. A USB-to-Ethernet adapter gets detected well for adding a management interface, while the on-board interface can be used for monitor mode.
    In case of an appliance, connect a USB stick with R77.30 created with the help of the ISOmorphic tool. An external USB CD drive would also work. Connect to the console with HyperTerminal (9600 8N1, no flow control), connect the USB, and then reboot the appliance. Type 'serial' at the boot prompt for flashing.
  2. In the first-time configuration WebUI wizard (at https://<IP>, default 192.168.1.1 on the management port) during installation, choose 'continue with Gaia R77.30 configuration'.
  3. Create a user for WinSCP/bash login. Go to https://<IP> and log in as admin. Go to User Management -> Users. Create a user with default shell /bin/bash. Assign both adminRole and monitorRole. Leave UID at 0 for root access.
  4. Download latest Security checkup tools from http://supportcontent.checkpoint.com/file_download?id=24867
  5. Extract the downloaded file. Copy 'Security_Checkup_R77.30_Ver1.204/SmartEventSupplement/Security_Checkup_Supp_R77.30_Ver01.tgz' to '/var/install' on the appliance using WinSCP etc. with the user that has the bash shell. Note that rsync won't work; only scp can be used. /var/install may have to be created.
  6. Extract tar and run security checkup installer using:
    cd /var/install
    tar xzf Security_Checkup_Supp_R77.30_Ver01.tgz
    chmod +x security_checkup
    ./security_checkup
    For the "Are you sure you want to install this supplement (y/n)?" prompt, choose 'y' and press Enter.
    This terminal will hang after some time; it can then be closed.
    Use "ps eax | grep sec" on another terminal to verify that the "./security_checkup" program has terminated.
    Typical lines near the end are:
    SVN Foundation: cpWatchDog stopped
    SVN Foundation: Stopping PostgreSQL Database
    SVN Foundation stopped
    Backup configuration files
    dos2unix: converting file /opt/CPsuite-R77/fw1/log/Checkup_Uploader to UNIX format ...
    nohup: appending output to `nohup.out'
  7. Remove the existing SmartConsole (and SmartDashboard) and install the version that came with the Security Checkup zip file.
  8. Go to the User Center at usercenter.checkpoint.com and from "Winning the Security market" -> Production Evaluation choose "All-in-one evaluation".
  9. Create a license for the OpenServer using the following steps (not necessary for an appliance for the first two weeks):
    1. Reboot the machine after the security checkup installation.
    2. Create an account on usercenter.checkpoint.com, if necessary.
    3. Create the license with the correct management IP and give your own email ID. Keep the tab open, as it shows various commands with which the license can be installed via CLI / Gaia web interface in case the email is not received in a short time.
    4. Download the license file from the email.
    5. Start SmartUpdate. Go to File -> Licenses & Contracts -> Add License -> From File. Choose the downloaded file.
    6. In SmartUpdate, select the Licenses & Contracts tab. Right-click on the Security Gateway object you wish to attach the license to and select Attach. A pop-up menu will appear; select the license you wish to attach and click Attach.
    7. Reboot the gateway for the new license to take effect.
    8. Go to the Gaia web interface and install all updates/hotfixes.
  10. Log in to the Gaia portal and go to "Network Management" -> "Network interfaces". Choose the non-management interface and edit it. Click enable. Write the comment 'SPAN'. Leave IPv4 address and subnet mask blank. In the 'Ethernet' tab select monitor mode. In the CLI an interface can be configured for monitor mode using:
    set interface eth0 monitor-mode on
  11. In "Network Management" -> "IPv4 static routes" ensure that a correct route is set through which the Internet can be reached.
  12. Open the gateway in SmartDashboard and follow the further steps.
  13. Open SmartEvent from the SmartConsole drop-down in SmartDashboard.
  14. Go to the top-left (File) menu and choose View -> Security Checkup.
  15. Close and re-open SmartEvent from SmartDashboard.
  16. Double-click the firewall in Dashboard to see its properties.
    1. In "Network Security" enable Firewall, IPS, Anti-Bot (Detect), Anti-Virus, Monitoring, Application Control, URL Filtering, DLP.
    2. In "Management" enable Logging & Status, Monitoring, Management Portal, SmartReporter, SmartEvent Server, SmartEvent Correlation Unit and Compliance. Note that enabling SmartEvent Intro disables SmartEvent Server, which is not desired.
    3. After General Properties, in Topology ensure:
      • Management interface (e.g. eth0) is external with external topology and correct IP
      • Mirror port is internal with 0.0.0.0/0.0.0.0 IP and "Not defined"
      • Disable anti-spoofing on all interfaces
  17. Configure firewall software blades
    • In Policy add any to any with accept without logging
    • Click on "Install Policy" at top to install this policy. Ignore any warnings for anti-spoofing being disabled.
  18. Using PuTTY log in to expert mode. Try
    • ping www.google.co.in
      Edit /etc/resolv.conf to supply correct DNS, if necessary. Permanent configuration can be done via Gaia web interface "Network Management" -> "Hosts and DNS" option by giving correct Primary and Secondary DNS, as applicable.
    • curl_cli cws.checkpoint.com
  19. Other optimizations:
    • Ensure anti-spoofing is disabled for all interfaces
    • In Firewall -> Policy, click on the "Edit Global Properties" option at the top. In SmartDashboard Customisation, click on the Configure button. Then in FireWall-1 -> Stateful Inspection, uncheck "reject_x11_in_any"
    • In "Global Properties" -> Stateful Inspection
      • Set "TCP session timeout" to 60 seconds
      • Set "TCP end timeout" to 5 seconds
      • Turn off Drop out of state TCP and ICMP packets
  20. Install the new policy before proceeding. Ignore any warnings for anti-spoofing being disabled.
  21. Configure "IPS" software blade
    • Edit gateway properties and under IPS ensure that
      • IPS profile is "Recommended_Protection"
      • Perform IPS inspection on all traffic
      • Bypass IPS inspection when the gateway is under heavy load.
    • Go to IPS tab. Go to Download Updates and click Update now.
    • Go to IPS tab. Go to Protections -> By Protocol -> IPS Software Blade -> Network Security -> Denial of Service. Select Aggressive Aging and set the following values:
      • TCP Start Timeout: 5
      • TCP Session Timeout: 55
      • TCP End Timeout: 3
      • Set tracking for the protection to None for both "Default Protection" and "Recommended Protection"
    • In IPS tab select Profiles. Double click "Recommended_Protection" and change IPS mode from prevent to detect.
  22. To prevent some false positives, connect to the firewall via ssh and enter expert mode.
    • Open "vi $FWDIR/modules/fwkern.conf" and paste
      psl_tap_enable=1
      fw_tap_enable=1
      Exit from expert mode. The other option is to use:
      cd $FWDIR/modules
      echo "psl_tap_enable=1" > fwkern.conf
      echo "fw_tap_enable=1" >> fwkern.conf
      cat fwkern.conf
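    An added example (shell), not from this page or from Check Point: a small POSIX sh helper that sets a key in fwkern.conf without overwriting the rest of the file. The "echo ... > fwkern.conf" form above truncates the file, which matters if fwkern.conf already holds other kernel parameters from an earlier tuning; this helper rewrites an existing key in place and appends a missing one, so running it twice leaves a single line per key. The path $FWDIR/modules/fwkern.conf and the two parameter names are the page's; the function names, the temp-file demo and the existing_param line are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the original page or of Check Point's tooling.
# Idempotently set KEY=VALUE in a kernel parameter file such as
# $FWDIR/modules/fwkern.conf, preserving any other entries in the file.

# Usage: set_kparam <file> <key> <value>
set_kparam() {
    file=$1; key=$2; value=$3
    # Create the file if it does not exist yet (fwkern.conf may be absent).
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # Key already present: rewrite that one line via a temp file.
        tmp=$(mktemp)
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$tmp"
        cat "$tmp" > "$file"      # cat into the file keeps its inode/permissions
        rm -f "$tmp"
    else
        # Key absent: append a new line.
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Usage: get_kparam <file> <key>  -> prints the current value (empty if unset)
get_kparam() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Demonstration on a throw-away temp file. The existing_param line is a
# constructed entry that shows pre-existing content survives. On the gateway
# pass "$FWDIR/modules/fwkern.conf" instead of the temp file.
demo() {
    f=$(mktemp)
    printf 'existing_param=7\n' > "$f"
    set_kparam "$f" psl_tap_enable 1
    set_kparam "$f" fw_tap_enable 1
    set_kparam "$f" fw_tap_enable 1    # second run changes nothing
    cat "$f"
    rm -f "$f"
}
demo
```

    As with the page's own method, the gateway reads fwkern.conf at boot, so the change still needs the reboot in the next step before it takes effect.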
  23. Install the new policy and then reboot the security gateway. Ignore any warnings for anti-spoofing being disabled.
  24. After the reboot there might be some delay before the firewall is accessible. Now activate the "Application Control and URL Filtering" blade as follows:
    • Under Policy ensure there is only one rule (delete the child protection policy) with destination Any (not Internet) and track Log (not Extended or Complete).
    • Go to Advanced -> Engine Settings. Enable
      • Categorize HTTPS sites
      • Enforce safe search in search engines
      Leave the other settings as they are.
  25. Install policy
  26. Enable DLP blade as follows:
    • Use this procedure if users at the customer site browse the Internet via a proxy:
      1. In SmartDashboard, go to the Objects Tree and select the Services tab.
      2. Edit the TCP service: HTTP_and_HTTPS_proxy.
      3. Click Advanced.
      4. Select Protocol Type, and choose HTTP.
      5. Enable Match for ‘Any’
      6. Click OK
      7. Install Policy
    • In DLP Blade go to "Additional Settings" -> "Advanced" and clear (uncheck) "Log all sent messages" option.
  27. Install policy
  28. Enable "Threat Prevention" as follows:
    • In the Threat Prevention blade go to Profiles and edit "Recommended_profile". Change all protection activations to "Detect".
    • In the same property box go to "Anti-virus settings".
      • Select "Inspect incoming and outgoing files"
      • Choose to process all file types without deep-inspection
      • Enable archive scanning
    • Then in "Threat Emulation Settings" change the protected scope to "inspect incoming and outgoing files"
  29. Install Policy
  30. Connect the monitor port to the mirror/SPAN port and monitor events in SmartEvent.


Connectivity issue while trying the security checkup using the above steps

While using Check Point Gaia R77.30 with Security Checkup V1.204 it is possible that the firewall stops accepting incoming connections. Both Gaia access on 443 and SmartDashboard access on 18190 stop.

To work around this problem use the following steps:

  1. Get a Linux machine with an SSH server. Enable GatewayPorts in /etc/ssh/sshd_config and restart the SSH server.
  2. From Gaia KVM access log in to expert mode. In expert mode (from the CLI) use:
    ssh -g -R 443:127.0.0.1:443 -R 18190:127.0.0.1:18190 root@<linux-ip>
  3. Then from a Windows machine the administrator can connect using SmartDashboard or SmartConsole to the Linux laptop's IP.
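An added example (shell), not from this page or from Check Point: after bringing up the reverse tunnel, confirm on the Linux machine that sshd actually bound the forwarded ports on a non-loopback address. If GatewayPorts was not enabled (or -g was omitted), "ss -ltn" lists 443 and 18190 on 127.0.0.1 and the Windows machine cannot reach them. The function below reads "ss -ltn" output from stdin and succeeds only when every port given is bound to a wildcard address; the listing embedded here is constructed sample output and the function names are assumptions. On the real machine run: ss -ltn | ports_exposed 443 18190

```sh
#!/bin/sh
# Added example, not part of the original page or of Check Point's tooling.
# Verify that reverse-forwarded ports are listening on all interfaces.

# Usage: ss -ltn | ports_exposed <port> [<port> ...]
# Returns 0 if every port is bound to 0.0.0.0, * or [::]; 1 otherwise.
ports_exposed() {
    listing=$(cat)
    for port in "$@"; do
        # Column 4 of `ss -ltn` is Local Address:Port; split off the port and
        # keep the address part (handles IPv4, "*", and bracketed IPv6).
        printf '%s\n' "$listing" | awk -v p="$port" '
            $1 == "LISTEN" {
                n = split($4, a, ":")
                addr = $4
                sub(":" a[n] "$", "", addr)
                if (a[n] == p && (addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                    found = 1
            }
            END { if (found) exit 0; exit 1 }' || return 1
    done
    return 0
}

# Constructed `ss -ltn` output: 443 is forwarded correctly, while 18190 ended
# up on loopback only, which is what you see when GatewayPorts is off.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:18190    0.0.0.0:*'

check_sample() {
    if printf '%s\n' "$SAMPLE_SS_OUTPUT" | ports_exposed 443 18190; then
        echo "both tunnel ports are reachable from other hosts"
    else
        echo "at least one tunnel port is loopback-only: check GatewayPorts and the -g flag"
    fi
}
check_sample
```

Because the tunnel exposes the gateway's Gaia portal (443) and SmartDashboard management port (18190) to anything that can reach the Linux machine, keep it up only for the duration of the troubleshooting session and restrict the two ports with the laptop's host firewall to the administrator's Windows machine.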

Later it was realized that the issue was due to a hard-disk failure on the OpenServer. Ideally the above workaround should not be needed and access to the firewall should not stop.

Refer to http://www.fw-1.de/aerasec/ng/ports-ng.html for Check Point Gaia port information.

