Setup a Check Point Lab using VirtualBox and GNS3 on Windows

In this lab we implement a basic security architecture. Our network is segmented into four zones:

  1. management
  2. intranet
  3. internet
  4. dmz

Two security gateways (SG) are managed by a single security management server (SM).

A management PC is configured with Check Point utilities such as SmartDashboard, SmartUpdate and SmartView Tracker, plus PuTTY for SSH access to the gateways and the manager.

Three routers, which emulate the intranet, internet and dmz networks, are directly connected to both gateways.

The following topology summarizes this implementation:

First, gateways and manager are emulated using Oracle VirtualBox.

We used this .iso image to build our VMs: Check_Point_R77.20_T124_Install.Gaia.iso

Next, on a Windows 10 64-bit host we create four VirtualBox Host-Only Ethernet Adapters, one per security zone:

These adapters are represented by the switches Mgmt, Intranet, Internet and Dmz in our topology. We configure each of them with the corresponding .254 IP address of its zone.

In VirtualBox we map each host-only adapter to the corresponding firewall physical interface: MGMT adapter to eth0, INTRANET to eth1, INTERNET to eth2 and DMZ to eth3.

Security gateways and manager need to be configured with IP addresses in the management network, either from the console at initial install or using this command:

At this stage we can check that all firewalls are reachable by ping from the corresponding consoles.

On the management PC we install the Check Point management suite: Check_Point_SmartConsole_and_SmartDomain_Manager_R77.20_T124_Windows.exe

We gain access to SM using SmartDashboard and add our security gateways. In this procedure SIC (Secure Internal Communication) is used to establish trust between the gateways and the security manager.

At the gateway level, SIC is initialized from expert mode with the cpconfig command.

At the security manager level SIC initialization is done using SmartDashboard:

SIC is handled by the cpd process and is based on PKI and SSL/TLS.

The gateways listen on TCP port 18211. Traffic from the gateways to SM on TCP port 18209 must also be permitted.

Another requirement for SIC to succeed is time synchronization between SM and the gateways to within a few minutes.

Also included in the SIC procedure:

  1. The SM Internal Certificate Authority (ICA) generates both the SM and the firewall certificates (SMS-cert and FW-cert).
  2. The initial secure communication tunnel, established with the one-time SIC activation key, is used to deliver this material to the gateways.

We use SmartUpdate to check attached licences:

If needed, evaluation licences can easily be retrieved from Check Point UserCenter; they are valid for a month.

Moving to the GNS3 world…

In GNS3, we add 3 routers: R1, R2 and R3, corresponding to the different security zones, which are represented by cloud objects. Each cloud object maps to the corresponding loopback (host-only adapter) created earlier.

When adding links from routers to cloud objects we may encounter this error:

A workaround is to run this command in cmd: sc config npf start= auto (it sets the WinPcap NPF driver service to start automatically), and then restart the PC.

Back to our gateways

From SmartDashboard (connected to our SM) we are ready to get the gateway topology information,

and push our first policy (with tracked rules) that allows our management traffic and test traffic (pings) from the dmz router (R1) to the intranet router (R3), using their interfaces directly attached to those zones.

To achieve this we configure our routers with default routes to firewalls.

We can confirm in SmartView Tracker that our traffic is getting through the firewalls:

atlink'admin
