Summary of the content on page 1
Check Point NG FP3 step-by-step Install guide on NOKIA IPSO
By Brandon E. Robrahn
INTRO
This document is to be used as a reference on how to install a NOKIA IP350 with Check Point NG FP3. In this
document I have provided a step-by-step reference guide on loading a NOKIA IP350 with IPSO version
3.7.1Build010, and Check Point version NG FP3. Voyager and command line were both used in this guide; this is
just one way that a NOKIA device can be configured as a Check Point Firewall. Not al
Summary of the content on page 2
Enter the masklength: 24
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: 10.0.0.254
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ? y
You have entered the following parameters for the eth1 interface:
IP address: 10.0.0.1
Summary of the content on page 3
By typing cd /var/tmp and then typing ls -ls you are changing to the directory /var/tmp and listing what is in that directory. This allows you to see what IPSO version you are currently running on your NOKIA device. Since the IPSO version that is shown is not the current version or the version that we want to use, we are going to change it to the correct version by installing a new IPSO image from an FTP server using Voyager. Voyager is web based; you are able to configure almost everything
Summary of the content on page 4
Under the section System Configuration click on Install New IPSO Image (Upgrade). The screen that you are on should look like the one shown above. This is where you will need to type in the IP address of your FTP server. Since you will have a crossover cable hooked to your PC and the other end hooked to the port on the NOKIA that reads ETH-1, you will use the IP address of your PC. NOTE: make sure that you have an FTP Server loaded on
Summary of the content on page 5
If you click on the link highlighted in blue you should see the status of your install. When the install is finished the screen will look like the one shown below. The install is now complete and you need to reboot your NOKIA device. Before you reboot, click on Manage IPSO images (including REBOOT and Next Boot Image Selection) located at the bottom of the page.
Summary of the content on page 6
Select the radio button that reads Last Image Downloaded. This is the IPSO version that you just loaded. At the bottom of the page, click on Test Boot. NOTE: Test Boot is used in case something happens when you are rebooting; this way you can revert back to the old version and no harm is done. This is a precautionary measure. After selecting Test Boot you will see the page shown above. Wait about 5 minutes and then hit the Refresh button at the top of the page.
Summary of the content on page 7
You will now have to log back in so that you can commit to the test boot. Click on Apply and then click on Logout. You can now switch back to your SSH connection. You will probably need to log back in with a user name and password because the box has been rebooted. Shown below are the steps to install Check Point NG FP3 on this NOKIA device. Follow the steps by typing in the commands shown in red listed below. During this process you will be asked if you w
Summary of the content on page 8
IPSO (fw-test) (ttyd0)
login: admin
Password: xxxxxxxxxxx
Last login: Thu May 6 19:28:42 on ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7.1-BUILD010 #1253: 04.05.2004 185427
Terminal type? [vt100]
fw-test[admin]#
fw-test[admin]#
fw-test[admi
Summary of the content on page 9
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:32:42 fw-test [LOG_CRIT]
Summary of the content on page 10
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPuag-50/uag_ipso.tgz
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/POST_INSTALL
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-
Summary of the content on page 11
Do you want to download ipso_3_7_1_Build007.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build007.tgz ...
Do you want to download ipso_3_7_1_Build010.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build010.tgz ...
Do you want to download RSNS_NokiaRelease_7_0_2003_62.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package RSNS_NokiaRelease_7_0_2003_62.tgz ...
End of new package installation cleaning up ..done
Use Vo
Summary of the content on page 12
The 2 applications (packages) turned on by default are the only ones that need to be turned on. Nothing needs to be done; you are just checking to make sure they are turned on. If you click on UP it will take you back to the Configuration screen. NOTE: If you are going to be using VPNs you will also need to click on the first radio button underneath Applications. Click on SNMP and make sure that it is turned off. If you click on UP it will take you back to the Configurat
Summary of the content on page 13
Under Security and Access Configuration click on SSH (Secure Shell) and make sure that SSH is enabled. If you click on UP it will take you back to the Configuration screen. NOTE: It is important that this is turned on so that you can manage your NOKIA box via SSH. Under Security and Access Configuration click on SSL Certificate Tool; this is where you configure your SSL certificate. After clicking on SSL Certificate Tool, you should see the screen shown below. E
Summary of the content on page 14
After all of the information has been added click on Apply. This will bring up a screen that has a certificate and a private key in it; you need to copy the entire text that is listed. After highlighting the entire certificate right click and select “copy”. After you have copied the certificate scroll to the bottom of the screen and click on the Voyager SSL certificate page that is shown below.
Summary of the content on page 15
When the Voyager SSL Certificate page comes up, paste the copied certificate into the box that is labeled “New server certificate”. Now click on the BACK button of the IE page that you are on. I have noticed that if you click on UP rather than BACK your certificate will disappear. It is a lot easier to just click on BACK; this way you don’t get lost as to what you are doing. Now you should be back to the page where you can copy the “Private Key”; this is the one below the Server
Summary of the content on page 16
If you click on UP it will take you to the screen shown below. This is where you will choose the required encryption for using SSL. Choose the radio button that reads 128-bit key or stronger. After selecting the radio button click on Apply and Save. You should still see the same screen shown above; if you click on UP you will get the error message “The page cannot be displayed”. You are getting this error message because you need to change the URL to use HTTPS rather than
Summary of the content on page 17
You now need to create the “Default filter”; this is used to deny any access to the NOKIA device except for SSH or other connections. This all depends on how you create the default filter; I will be creating the default filter that only allows SSH connections to the NOKIA device. Shown below are the steps that need to be taken to apply the default filter. NOTE: The default filter is really a default policy on the NOKIA device. A policy will be applied to the device when it is pushed via
Summary of the content on page 18
---------- 1 owner group 21039771 Apr 28 14:10 SHF_HFA_325.ipso.tgz #
226 Closing data connection
ftp> get SHF_HFA_325.ipso.tgz
local: SHF_HFA_325.ipso.tgz remote: SHF_HFA_325.ipso.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 20546 KB 00:00 ETA
226 File transfer successful.
21039771 bytes received in 5.79 seconds (3.47 MB/s)
ftp> bye
221 Service closing control connection
fw-test[admi
Summary of the content on page 19
This End-user License Agreement (the "Agreement") is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter "You" or "Your") and Check Point Software Technologies Ltd. (hereinafter "Check Point"). TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY
Summary of the content on page 20
keystrokes will be ignored. Please keep typing until you hear the beep and the bar is full.
[....................]
Thank you.
Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components
Trust State: Uninitialized
Enter Activation Key: xxxxxxxxxx
Again Activation Key: xxxxxxxxxx
The Secure Internal Communication was successfully initialized
ini