2. NGFW for small businesses. Unpacking and setup

We continue the series of articles on working with the new CheckPoint SMB model range. In the first part we described the characteristics and capabilities of the new models and the ways of managing and administering them. Today we will go through the deployment scenario for the top model of the series, the CheckPoint 1590 NGFW. Here is a summary of this part:

  1. Unpacking the equipment (description of components, physical and network connection).
  2. Initial device initialization.
  3. Primary setup.
  4. Performance evaluation.

Unpacking Equipment

Getting acquainted with the equipment begins with taking it out of the box and assembling the components; click on the spoiler, where the process is briefly shown.

Delivery of NGFW 1590
Briefly about accessories:

  • NGFW 1590;
  • Power adapter;
  • 2 Wi-Fi antennas (2.4Hz and 5Hz);
  • 2 LTE antennas;
  • Booklets with documentation (a short guide on the initial connection, license agreement, etc.)

As for network ports and interfaces, all the modern features for traffic forwarding are present; a separate port for the DMZ zone and USB 3.0 for connecting to a PC are provided.

The 1590 received an updated design, modern wireless options and memory expansion: 2 slots for Micro/Nano SIM cards for LTE mode (we plan to cover this option in detail in one of the next articles of the series, devoted to wireless connections) and an SD card slot.

Details about the capabilities of the 1590 NGFW and the other new models can be found in part 1 of this series of articles about CheckPoint SMB solutions. We now proceed to the initial initialization of the device.

Initialization

Regular readers should already be aware that the 1500 SMB series runs the new Gaia Embedded OS 80.20, which includes an updated interface and improved features.

In order to start initializing the device, you must:

  1. Provide power to the gateway.
  2. Connect the network cable from your PC to LAN1 on the gateway.
  3. Optionally, you can give the device Internet access right away by connecting the uplink to the WAN port.
  4. Go to the Gaia Embedded Portal: https://192.168.1.1:4434/

If the steps above were followed, then after opening the Gaia portal page you will need to confirm opening a page with an untrusted certificate, after which the portal setup wizard starts:
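The portal certificate is self-signed, so the browser warning is expected; what matters is that the certificate you accept on first connection is the same one the gateway presents later. The following Python script is an added example (not part of the article and not CheckPoint code) that records the SHA-256 fingerprint of the portal certificate on first use and compares it on later connections. The portal address and port are taken from the steps above; the embedded PEM body is a constructed stand-in so the script runs offline.

```python
# Added example, not part of the article or of Check Point's software:
# record the Gaia Embedded portal's self-signed certificate fingerprint the
# first time you connect, then compare it on later connections instead of
# clicking through the browser warning blindly each time.
import hashlib
import ssl

PORTAL_HOST = "192.168.1.1"   # address from the setup steps above
PORTAL_PORT = 4434


def fingerprint(pem_cert: str) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated as browsers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(pem_cert: str, expected_pin: str) -> bool:
    """True when the certificate's fingerprint equals the recorded pin."""
    return fingerprint(pem_cert) == expected_pin.upper()


def fetch_portal_cert(host: str = PORTAL_HOST, port: int = PORTAL_PORT) -> str:
    """Fetch the portal certificate as PEM without chain validation (it is self-signed)."""
    return ssl.get_server_certificate((host, port))


def check_portal(expected_pin: str, host: str = PORTAL_HOST, port: int = PORTAL_PORT) -> bool:
    """Live check: does the portal still present the certificate we pinned?"""
    return pin_matches(fetch_portal_cert(host, port), expected_pin)


# Constructed stand-in for offline demonstration: not a real certificate.
# PEM_cert_to_DER_cert only strips the markers and base64-decodes the body,
# so the hashing path can be exercised without a network connection.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "AAECAwQFBgcICQoLDA0ODw==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # First connection (trust on first use): print the pin so it can be recorded.
    # On a real gateway replace SAMPLE_PEM with fetch_portal_cert().
    print("Portal certificate SHA-256:", fingerprint(SAMPLE_PEM))
```

On the first connection, run `fingerprint(fetch_portal_cert())` from a PC on LAN1 and store the value; afterwards `check_portal(stored_pin)` returning False means the gateway's certificate changed (a firmware reset, a replaced certificate, or something sitting between you and the portal) and is worth investigating before entering the administrator password.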

You will be greeted by a page showing the model of your device; proceed to the next section:

We are prompted to create an administrator account; it is possible to enforce stricter password requirements for the administrator, and we specify the country in which the gateway will be used.

The next window concerns the date and time settings; they can be set manually or taken from the company's NTP server.

The next step involves setting a name for the device and specifying the company domain, so that the gateway services work correctly on the Internet.

The next step is the choice of NGFW management type; two options should be noted here:

  1. Local management. This is an affordable option to manage the gateway locally through the Gaia Portal web page.
  2. Central management. This type of management includes synchronization with a dedicated CheckPoint Management Server, with Smart-1 Cloud or with SMP (the management service for SMB).

Within this article we focus on Local Management; choose the method you need. To familiarize yourself with the process of synchronizing with a dedicated Management Server, see the CheckPoint Getting Started tutorial by TS Solution.

Next, a window defines the operating mode of the interfaces on the gateway:

  • Switch mode: the subnet on one interface is reachable from the subnet on another interface, i.e. the LAN ports behave as one switch.
  • Disable Switch mode turns the switch off; each port routes traffic as a separate network segment.

Here you are also offered to set the pool of DHCP addresses that will be handed out to clients connecting to the gateway's local interfaces.

The next step configures the gateway's wireless mode; we plan to analyze this aspect in more detail in a separate article of the series, so we skipped these settings for now. Here you can also create a new wireless access point, set a password for connecting to it, and define the wireless channel mode (2.4 Hz or 5 Hz).

The next step configures access to the gateway for company administrators. By default, access is allowed if the connection comes from:

  1. Company internal subnet
  2. Trusted Wireless Network
  3. VPN tunnel

The option to connect to the gateway from the Internet is disabled by default; enabling it carries significant risk and must be justified, otherwise we recommend leaving it as in our example. It is also possible to specify which IP addresses are allowed to connect to the gateway.

The next window concerns license activation; on the first initialization of the device you get a 30-day trial period. There are two activation methods:

  1. If there is an Internet connection, the license is activated automatically.
  2. For offline activation you need to download the license from the UserCenter and register your device on a special portal; in both of these cases you then import the manually downloaded license.

Finally, the last window of the setup wizard offers to select which blades to enable; note that the QoS blade can only be enabled after the initial initialization. You end up with a completion window summarizing your settings.

Initial setup

First of all, we recommend checking the status of the licenses, since further configuration depends on it. Go to the “HOME” → “License” tab:

If the licenses are activated, we recommend updating to the latest firmware right away; to do this, go to the “DEVICE” → “System Operations” tab:

System updates are located in the Firmware Upgrade item. In our case, the current and latest firmware version is installed.

Next, I propose to talk briefly about the capabilities and settings of the system blades. Logically they can be divided into Access policies (Firewall, Application Control, URL Filtering) and Threat Prevention (IPS, Antivirus, Anti-Bot, Threat Emulation).

Let's go to the Access Policy → Blade Control tab:

By default, STANDARD mode is used: it allows outgoing traffic to the Internet and traffic within the local network, but blocks incoming traffic from the Internet.

As for the APPLICATIONS & URL FILTERING blades, by default they block sites with a high risk level and file-sharing applications (Torrent, File Storage, etc.). Additionally, you can block site categories manually.

Note the option for user traffic “Limit bandwidth consuming applications”, with the ability to limit the speed of outgoing / incoming traffic for groups of applications.

Next, open the Policy subsection; by default, the rules are generated automatically from the settings described above.

The NAT subsection runs in Global Hide NAT Automatic mode by default, i.e. all internal hosts access the Internet through the public IP address. It is also possible to set NAT rules manually to publish your web applications or services.
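To make these defaults concrete, here is an added Python model (example code, not CheckPoint's and not from the article) of how the STANDARD rulebase, Global Hide NAT and the administrator-access rule from the wizard step above combine for a given flow. The zone addressing, the public WAN address and the way the optional admin IP allow-list is applied are assumptions of the example; the portal port 4434 and the three trusted admin sources come from the text.

```python
# Added example, not Check Point's code or the article's: a small model of
# the STANDARD access policy, Global Hide NAT and the administrator-access
# rule described above, to show how the defaults combine for a given flow.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed lab addressing (assumption for the example): the LAN pool,
# the trusted wireless network, the VPN client pool, and the gateway's
# public WAN address taken from the RFC 5737 documentation range.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "WIRELESS": ip_network("192.168.2.0/24"),
    "VPN": ip_network("10.10.0.0/16"),
}
GATEWAY_LAN_IP = "192.168.1.1"
GATEWAY_WAN_IP = "203.0.113.10"
ADMIN_PORT = 4434                          # Gaia Embedded portal port
ADMIN_ZONES = {"LAN", "WIRELESS", "VPN"}   # default trusted admin sources


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AdminAccess:
    from_internet: bool = False            # disabled by default, as in the wizard
    allowed_ips: frozenset = frozenset()   # optional allow-list (assumed to restrict
                                           # every source when non-empty)


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside the known pools is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


def decide(pkt: Packet, admin: AdminAccess = AdminAccess()):
    """Return (action, reason) for a packet under the default policy."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)

    # Management plane first: connections to the gateway's own portal port.
    if pkt.dst in (GATEWAY_LAN_IP, GATEWAY_WAN_IP) and pkt.dport == ADMIN_PORT:
        if admin.allowed_ips and pkt.src not in admin.allowed_ips:
            return "drop", "admin source not in the allow-list"
        if src_zone in ADMIN_ZONES:
            return "accept", f"admin access from trusted zone {src_zone}"
        if admin.from_internet:
            return "accept", "admin access from the Internet explicitly enabled"
        return "drop", "admin access from the Internet disabled by default"

    # STANDARD mode: inbound from the Internet blocked, everything else allowed.
    if src_zone == "INTERNET":
        return "drop", "incoming traffic from the Internet blocked"
    if dst_zone == "INTERNET":
        return "accept", "outgoing traffic to the Internet allowed"
    return "accept", "traffic within the local network allowed"


def hide_nat(pkt: Packet) -> Packet:
    """Global Hide NAT: outbound flows leave with the gateway's public address."""
    outbound = zone_of(pkt.src) != "INTERNET" and zone_of(pkt.dst) == "INTERNET"
    if outbound and pkt.dst not in (GATEWAY_LAN_IP, GATEWAY_WAN_IP):
        return replace(pkt, src=GATEWAY_WAN_IP)
    return pkt


def forward(pkt: Packet, admin: AdminAccess = AdminAccess()):
    """Apply the rulebase; on accept, also return the packet as it leaves the gateway."""
    action, reason = decide(pkt, admin)
    return action, reason, (hide_nat(pkt) if action == "accept" else None)


if __name__ == "__main__":
    flows = [
        Packet("192.168.1.50", "198.51.100.80", 443),   # LAN host browsing
        Packet("198.51.100.7", "192.168.1.50", 445),    # unsolicited inbound SMB
        Packet("198.51.100.7", GATEWAY_WAN_IP, 4434),   # admin attempt from the Internet
        Packet("10.10.3.4", GATEWAY_LAN_IP, 4434),      # admin over VPN
    ]
    for f in flows:
        print(f, "->", forward(f))
```

The management-plane check is evaluated before the traffic rules on purpose: that is what keeps the portal unreachable from the WAN even though STANDARD mode is otherwise permissive for internal hosts, and it is the rule you weaken when you switch on Internet admin access in the wizard.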

The next section, User Authentication on the network, offers two options: Active Directory Queries (integration with your AD) and Browser-Based Authentication (the user enters domain credentials in a captive portal).

SSL inspection deserves a separate mention, since the share of HTTPS in total Internet traffic keeps growing. Let's look at what CheckPoint offers here for SMB solutions; go to the SSL Inspection → Policy section:

In the settings it is possible to inspect HTTPS traffic; for this you need to obtain the gateway's certificate and install it in the trusted certificate authorities store on the end-user machines.

We consider the BYPASS mode for preset categories a convenient option; it saves a lot of time when turning on inspection.

After configuring the rules at the Firewall / Application level, you should proceed to tuning the security policies (Threat Prevention); for this we go to the corresponding section:

The page shows the enabled blades and the status of signature and database updates. We are also prompted to select a profile for protecting the network perimeter; the corresponding settings are displayed.

A separate section, “IPS Protections”, allows you to configure the action for a specific security signature.

Not long ago we wrote on our blog about the global Windows Server vulnerability SigRed. Let's check for it in Gaia Embedded 80.20 by entering the query “CVE-2020-1350”:

An entry was found for this signature, to which one of the actions can be applied (the default for the Critical severity level is Prevent). So with an SMB solution you are not deprived of updates and support; this is a complete NGFW solution from CheckPoint for branch offices of up to 200 people.

Health assessment

Concluding the article, I would like to note the tools available for troubleshooting after the initial initialization and configuration of the SMB solution. Go to the “HOME” → “Tools” section. Possible options:

  • monitoring system resources;
  • routing table;
  • checking the availability of CheckPoint cloud services;
  • CPinfo generation;

Built-in network commands are also available: Ping, Traceroute, Traffic Capture.

Thus, today we reviewed the initial connection and configuration of the NGFW 1590; you will perform similar steps for the whole CheckPoint 1500 SMB series. The available options showed high flexibility of settings and support for modern methods of protecting traffic on the network perimeter.

To date, CheckPoint solutions for protecting small offices and branches (up to 200 people) have a wide range of tools and use the latest technologies (cloud management, SIM card support, memory expansion with SD cards, etc.). Stay up to date and read articles from TS Solution; we plan to release further parts about the CheckPoint NGFW SMB family. See you soon!

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
