
setting up a nokia ip300 series firewall - help!!! 2


walruz
Dec 2, 2003
Hi, I have a Nokia IP350/380 firewall.

I need some help getting it set up; I have little or no docs/software as I got it second hand.

I got a copy of the Check Point management clients
(\fw41_sp3_w32_gui)

I basically need to get the initial setup of, say, the first eth1 to a LAN IP, I think.

I have connected a COM session to it and have done the
(mv /config/active /config/active1.old) to reset it

and then did the /etc/overpw to reset the admin password.

So I now should have eth1 set to 10.10.1.254/8
vlan: 2

My LAN is 10.10.1.0; an ISA box is the main router at the moment, 10.10.1.1.

I set the FW hostname to hades,

but when I try to ping 10.10.1.254 from 10.10.1.1 I get no reply and yet see activity on the eth1 LED of the FW.

I get "request timed out".

Any ideas, anyone?
 
Hi,

Checkpoint, by default, will not allow you to ping it. You will need to allow it with a rule or under the properties tab.

If you do allow ping to the firewall, I recommend that you limit it to your PC only. The reason FW-1 does not allow traffic to it by default is so that it is not easily discovered by would-be hackers.

Lou
 
Try on the box using
fw unloadlocal
or fw unload (I think, if it's an older version).

Then try an HTTP connection to the box (the easiest method of configuring a Nokia is using Voyager, which is an HTTP(S) interface; once you are in, change it to use HTTPS).
Voyager is reasonably self-explanatory, but if not then a book (Nokia Network Security from Syngress, ISBN 1-931836-70-1) is very good at setting up a secure Nokia box.

Once you are at that point, then start looking at trying to set up Check Point.
 
Q1: does that book show everything from start to finish on how to set up a Nokia IP box with Check Point?

The scenario I want to set up is:

eth1 - 10.10.1.250 ----> Dual Speed Ethernet Hub ---> LAN (10.10.1.0/8)
eth2 - 192.168.0.250 (static) ----> ADSL Router (D-Link) (192.168.0.1/24, DHCP is running)

eth3 - 20.20.1.250/8 -----> WIFI WAP (22mbps) 20.20.1.200

eth4 - 30.30.1.25/8 -----> DMZ HUB

At the moment I have eth1 configured as 10.10.1.250 and can use a browser to use Voyager.

My existing LAN/internet connections are: an ISA box 10.10.1.1 (DNS, DHCP) with a second card (192.168.0.3) connected to a port on the ADSL router.

The ADSL router has 192.168.0.3 set as DMZ host; that way the ISA box NAT etc. will work properly.

So in summary both the ISA firewall (10.10.1.1) and CP firewall (10.10.1.250) are connected to the 4-port ADSL router.

I plan to rebuild the ISA firewall server as a Win2003 AD server (DNS, DHCP, etc.).

Q2: so what should I set as the default route on the CP FW for eth1? At the moment it is 10.10.1.1.

Q3: now that the CP FW has 10.10.1.250, should I be able to connect to it with the policy editor, or is there something that needs to be done first?

Q4: is it possible to get my DHCP server, which will be 10.10.1.1, to give out IP addresses to WAP clients on eth3 20.20.1.250?

Should I set the WAP to DHCP and let it relay the DHCP server details to WAP clients?

I currently have the WAP connected to my LAN hub so it gets a DHCP IP address which I reserved for its MAC address, and it then will let new WAP clients see the DHCP server info so that they can get IP addresses for 10.10.1.0 starting at 10.10.1.30.

Thanks again to all who have posted replies; any help will be greatly appreciated.

I think I've covered everything.

Oh, would it make any difference if I changed my eth nets to:

e.g.
port 1 - eth1 - LAN - 10.10.1.0/8

port 2 - eth2 - ROUTER TO/FROM FIREWALL - 20.20.1.0/8

port 3 - eth3 - WIFI WAP & CLIENTS - 30.30.1.0/8

port 4 - eth4 - DMZ HUB - 40.40.1.0/8


 
1st rule with Check Point is get your routing working first.

Q1 - It is a book about the Nokia IP line and is good for setting up SSH, HTTPS interfaces, logging, upgrading and so on. It includes how to install CP FW-1 but doesn't give any information on rules and object creation (you can get that here :) ).

Q2 - Your default route, I would assume, is your connection to the internet, so for the Nokia the default route is 192.168.0.1.

Q3 - You will need to run cpconfig on the Nokia and set up GUI Clients (these are machines that can connect to the CP policy editor); you can also set up an administrator account from here.

Q4 - That will be a rules issue and you will have to create a rule that allows DHCP from the WIFI net to the ADSL router (WIFI security becomes an issue here). For the rule you need, we can get to that after you have the CP GUI fixed.

Q5 - I would use reserved addresses on ALL interfaces and not go down the 10.... 20.... 30... 40... route; this will cause you problems in the long run.
You have
eth1 - 10.10.1.250 ----> Dual Speed Ethernet Hub ---> LAN (10.10.1.0/8)
Why are you using an 8-bit mask with a network of 10.10.1.0?
You can use a 16-bit or 24-bit mask (255.255.0.0 or 255.255.255.0); this would then allow you to use
10.20.0.0/16
10.30.0.0/16
10.40.0.0/16
for the other networks.
 
Q2/A2: OK, so I should make eth1 the 192.168.0.250 and set its default route to 192.168.0.1?

Q3/A3: I take it cpconfig is run in a serial console connection,
or is there a Voyager page to config GUI client connections?

Q4/A4: I think I explained the WIFI scenario wrong.

What I was trying to say is, should I put my WIFI access point on, say, the 3rd port eth3 with a network address range of 20.20.1.0 to 254 and set up on my DHCP server 10.10.1.1
the 20.20.1.20 - 50 range and serve it to WIFI clients connecting to the WIFI WAP? Is that even possible?

Maybe I'd be better off leaving it on the 10.10.1.0 net as it is working at the moment (WEP is currently off/unconfigured).

Q5/A5: Hmm, for no particular reason I know of, that was the initial LAN setup.

So you're saying I should make the LAN 10.10.1.0/16 and then use 10.20.0.0/16 for eth2 etc.?

One thing to note is that the main LAN clients will only have a max of maybe 20 servers/PCs/laptops.

And sometimes the laptops, for example, will be undocked and they will use WIFI cards to access the network; currently only 1-2 PCs use WIFI cards.


 
Q2 - It isn't that important which interface has the default route. The default route is over all ports (the Nokia is just acting as a router); this is the route that, if no other static routes say otherwise, the destination will be sent down (usually the internet connection).

Q3 - cpconfig is a command line tool, so it is run from an OS prompt on the Nokia.

Q4 - The 1st thing I would do is get the WIFI off your internal LAN, and yes, put it into the 3rd interface. Your WIFI stuff will send a DHCP request that should be broadcast through the firewall as long as you have a rule allowing it.

Q5 - You can use a 24-bit mask 255.255.255.0 instead if you want, but don't use 20.20.x.x and 30.30.x.x as these are real IP addresses; always use 10.x.x.x, 192.168.x.x or 172.16.0.0 - 172.31.0.0.
These are private addresses and will never appear on the internet.
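As an added example (not part of the thread), a small Python check of the addressing advice in the reply above: it runs the standard ipaddress module over constructed interface plans built from the addresses quoted in this thread, flags interfaces outside RFC 1918 space, and shows why keeping a /8 mask on the 10.x LAN collides with a 10.20.0.0/16 on a second port.

```python
import ipaddress

# Constructed interface plans built from the addresses quoted in this thread:
# the original layout with /8 masks and 20.x/30.x ranges, a mixed layout that
# keeps /8 on the LAN but adds the suggested 10.20.0.0/16, and the corrected
# layout from the reply above (RFC 1918 space only, one /24 per interface).
ORIGINAL_PLAN = {
    "eth1": "10.10.1.250/8",
    "eth2": "192.168.0.250/24",
    "eth3": "20.20.1.250/8",
    "eth4": "30.30.1.25/8",
}
MIXED_PLAN = {"eth1": "10.10.1.250/8", "eth2": "10.20.0.250/16"}
CORRECTED_PLAN = {
    "eth1": "10.10.0.254/24",
    "eth2": "10.20.0.254/24",
    "eth3": "10.30.0.250/24",
    "eth4": "10.40.0.254/24",
}


def check_plan(plan):
    """Return the problems found in an {interface: "addr/prefix"} plan.

    Two checks from the advice in the thread: every interface network must
    be private (RFC 1918) space, and no two interface networks may overlap,
    since the Nokia routes between its ports and cannot tell which port a
    destination is behind when two of them claim the same range.
    """
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in plan.items()}
    problems = []
    for name, iface in ifaces.items():
        if not iface.network.is_private:
            problems.append(f"{name}: {iface.network} is public address space")
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a, net_b = ifaces[a].network, ifaces[b].network
            if net_a.overlaps(net_b):
                problems.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return problems


if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("mixed", MIXED_PLAN),
                        ("corrected", CORRECTED_PLAN)):
        print(f"{label}: {check_plan(plan) or 'no problems'}")
```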
 
Thanks, I'll try all this later this evening when I get a chance.

Q4: WIFI

Assuming I use 10.30.0.250 for eth3, should I set a static IP on the WAP (10.30.0.251) and then config the WIFI clients with static 10.30.0.10-20 IPs and mask 255.255.255.0, gateway 10.30.0.250 (WAP)?

OK, so then assuming all the above is OK and works,

I then create a rule allowing 10.30.0.0/24 to access, say, individual servers (fileserver, etc.) on 10.10.0.0/24 (LAN)
with specified protocols (mail server - IMAP/LDAP etc.).




 
Sounds good -
set the default route on the WAP (250) to the firewall IP (251),
clients' default gateway WAP (250).
As for rules, yes.

I won't go into WIFI security now, but I would recommend some form of authentication for all wireless users.
Ideally you would have the WIFI network as an external network and have them use SecuRemote or client to authenticate through the firewall. (This is a little complex to go into now.)
 
OK, so now the setup is as:

ADSL router (10.10.0.1/24) ----> Nokia IP CP/FW (10.10.0.254/24 eth1)

Router has 10.10.0.254 set as DMZ host (I had that previously for the ISA box to NAT).

eth2 10.20.0.254 firewall

PC prometheus/10.20.0.30 (static)

Now I think I need to start the CP and config it.

When I go into the browser Voyager I see this under installed apps:

Security Apps: Status OFF
Check Point VPN-1/FW-1 NG Feature Pack 3 (/opt/CPfw1-50-03)

Applications: Status OFF for all

CP VPN-1/FW-1 4.1 for backward compatibility (/opt/CPFireWall-1BC.41-00)

/CP Policy Server NG FP3

/CP FloodGate-1 NG FP3

/CP SmartView Monitor NG FP3

/CP SVN Foundation NG FP3

/CP User Authority Server NG FP3

I tried to get the digital ebook version of that book you mentioned, but the stupid website (amazon.com) won't let EU customers purchase the e-book; their loss!



 
OK, you will need to start the CP modules:
click on the security apps and enable cpfw1
and the SVN foundation,
then reboot.

or

on a command line
cpconfig and choose automatic start of products.

 
OK, I'll try that later this evening. BTW, I did try the console connection where it boots into Bootmgr, logged in and typed cpconfig, but just got an invalid command.

Seemed like something or a service wasn't running, maybe?
 
I've started the FW and SVN through Voyager,

then went into console - HyperTerminal
and ran cpconfig.

Now the thing is, I have registered the Nokia box on their site, but how do I get or retrieve a licence for the Check Point?

Should it not be on it already?

The bag I got with it (docs/CDs) didn't have anything that looked like a licence cert.

---------------

If it turns out I have to pay a ridiculous fee
then I'd rather replace the Nokia OS with Linux 9 and its firewall, or better yet Windows 2000/2003 Server running ISA Server, as I have both of them!

Should I be able to get a licence from the Check Point site by registering, or what?

Will they charge me even though I do have a valid copy?



 
Could be tough.

On the box type
cplic print
This will give you the current license on the box and its IP address.
In order to register your product on
usercenter.checkpoint.com
you will need the signature key (not sure where you will get this); it may be worth opening another question on the board.
 
Create an account on
usercenter.checkpoint.com
and try
add product
using Certificate key & MAC address.
The certificate key you will get from
cplic print
on the command line;
the MAC address you will get from Voyager
Configuration - ARP
and you should get the interface MAC addresses.

I wouldn't hold out too much hope, but it's worth a try.
 
OK, I'll try that when I get a chance.

What about the Linux/Windows idea, is that possible?
 
You are asking the wrong person.
I am a CP FW-1 person. I have used ISA and find it's OK, but I have never done so in a live environment. Never used the Linux firewall.
I would say CP is the better option by far, but if you have to pay for a full licence then it may not fit into your budget.
 
Have you registered the SW? I had problems until it was registered, unless you are using a trial copy.

JBead
 