Summary of the content on page 1
Check Point NG FP3 step-by-step Install guide on NOKIA IPSO
By Brandon E. Robrahn
INTRO
This document is to be used as a reference on how to install a NOKIA IP350 with Check Point NG FP3. In this
document I have provided a step-by-step reference guide on loading a NOKIA IP350 with IPSO version
3.7.1Build010, and Check Point version NG FP3. Voyager and command line were both used in this guide; this is
just one way that a NOKIA device can be configured as a Check Point Firewall. Not al
Summary of the content on page 2
Enter the masklength: 24
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: 10.0.0.254
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ? y
You have entered the following parameters for the eth1 interface:
IP address: 10.0.0.1
Summary of the content on page 3
By typing cd /var/tmp and then typing ls -ls, you change to the directory /var/tmp and list what is in that directory. This allows you to see what IPSO version you are currently running on your NOKIA device. Since the IPSO version that is shown is not the current version or the version that we want to use, we are going to change it to the correct version by installing a new IPSO image from an FTP server using Voyager. Voyager is web based; you are able to configure almost everything
Summary of the content on page 4
Under the section System Configuration, click on Install New IPSO Image (Upgrade). The screen that you are on should look like the one shown above. This is where you will need to type in the IP address of your FTP server. Since you will have a crossover cable connected to your PC, with the other end connected to the port on the NOKIA that reads ETH-1, you will use the IP address of your PC. NOTE: make sure that you have an FTP Server loaded on
Summary of the content on page 5
If you click on the link highlighted in blue, you should see the status of your install. When the install is finished, the screen will look like the one shown below. The install is now complete and you need to reboot your NOKIA device. Before you reboot, click on Manage IPSO images (including REBOOT and Next Boot Image Selection), located at the bottom of the page.
Summary of the content on page 6
Select the radio button that reads Last Image Downloaded. This is the IPSO version that you just loaded. At the bottom of the page, click on Test Boot. NOTE: Test Boot is used in case something goes wrong while you are rebooting; this way you can revert to the old version with no harm done. This is a precautionary measure. After selecting Test Boot you will see the page shown above. Wait about 5 minutes and then hit the Refresh button at the top of the page.
Summary of the content on page 7
You will now have to log back in so that you can commit to the test boot. Click on Apply and then click on Logout. You can now switch back to your SSH connection. You will probably need to log back in with a user name and password because the box has been rebooted. Shown below are the steps to install Check Point NG FP3 on this NOKIA device. Follow the steps by typing in the commands shown in red listed below. During this process you will be asked if you w
Summary of the content on page 8
IPSO (fw-test) (ttyd0)
login: admin
Password: xxxxxxxxxxx
Last login: Thu May 6 19:28:42 on ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
May 6 20:03:18 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7.1-BUILD010 #1253: 04.05.2004 185427
Terminal type? [vt100]
fw-test[admin]#
fw-test[admin]#
fw-test[admi
Summary of the content on page 9
May 6 21:31:26 fw-test [LOG_CRIT] PKG_INSTALL: INSTALL STARTED at Thu May 6 21:31:26 GMT 2004
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:29 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPshrd-50/cpshared_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:31:53 fw-test [LOG_CRIT] PKG_INSTALL: Trying to install CPfw1-50/fw1_ipso.tgz
May 6 21:32:42 fw-test [LOG_CRIT]
Summary of the content on page 10
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: /etc/newpkg -S -m LOCAL -i -n CPuag-50/uag_ipso.tgz
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:08 fw-test [LOG_CRIT] PKG_INSTALL: *******************************************************
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-50/POST_INSTALL
May 6 21:33:16 fw-test [LOG_CRIT] PKG_INSTALL: Running /tmp/pkg/CP_FP3_IPSO/CPdtps-
Summary of the content on page 11
Do you want to download ipso_3_7_1_Build007.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build007.tgz ...
Do you want to download ipso_3_7_1_Build010.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package ipso_3_7_1_Build010.tgz ...
Do you want to download RSNS_NokiaRelease_7_0_2003_62.tgz ? ['yes (default)' or 'no' or 'exit']: n
Skipping package RSNS_NokiaRelease_7_0_2003_62.tgz ...
End of new package installation
cleaning up ..done
Use Vo
Summary of the content on page 12
The 2 applications (packages) turned on by default are the only ones that need to be turned on. Nothing needs to be done; you're just checking to make sure they're turned on. If you click on UP it will take you back to the Configuration screen. NOTE: If you are going to be using VPNs you will also need to click on the first radio button underneath Applications. Click on SNMP and make sure that it is turned off. If you click on UP it will take you back to the Configurat
Summary of the content on page 13
Under Security and Access Configuration, click on SSH (Secure Shell) and make sure that SSH is enabled. If you click on UP it will take you back to the Configuration screen. NOTE: It is important that this is turned on so that you can manage your NOKIA box via SSH. Under Security and Access Configuration, click on SSL Certificate Tool; this is where you configure your SSL certificate. After clicking on SSL Certificate Tool, you should see the screen shown below. E
Summary of the content on page 14
After all of the information has been added, click on Apply. This will bring up a screen that has a certificate and a private key in it; you need to copy the entire text that is listed. After highlighting the entire certificate, right-click and select “copy”. After you have copied the certificate, scroll to the bottom of the screen and click on the Voyager SSL certificate page that is shown below.
Summary of the content on page 15
When the Voyager SSL Certificate page comes up, paste the copied certificate into the box that is labeled “New server certificate”. Now click on the BACK button of the IE page that you are on; I have noticed that if you click on UP rather than BACK your certificate will disappear. It is a lot easier to just click on BACK; this way you don’t get lost as to what you are doing. Now you should be back to the page where you can copy the “Private Key”; this is the one below the Server
Summary of the content on page 16
If you click on UP it will take you to the screen shown below. This is where you will choose the required encryption for using SSL. Choose the radio button that reads 128-bit key or stronger. After selecting the radio button, click on Apply and Save. You should still see the same screen shown above; if you click on UP you will get the error message “The page cannot be displayed”. You are getting this error message because you need to change the URL to use HTTPS rather than
Summary of the content on page 17
You now need to create the “Default filter”; this is used to deny any access to the NOKIA device except for SSH or other connections. This all depends on how you create the default filter; I will be creating the default filter that only allows SSH connections to the NOKIA device. Shown below are the steps that need to be taken to apply the default filter. NOTE: The default filter is really a default policy on the NOKIA device. A policy will be applied to the device when it is pushed via
Summary of the content on page 18
---------- 1 owner group 21039771 Apr 28 14:10 SHF_HFA_325.ipso.tgz #
226 Closing data connection
ftp> get SHF_HFA_325.ipso.tgz
local: SHF_HFA_325.ipso.tgz remote: SHF_HFA_325.ipso.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 20546 KB 00:00 ETA
226 File transfer successful.
21039771 bytes received in 5.79 seconds (3.47 MB/s)
ftp> bye
221 Service closing control connection
fw-test[admi
Summary of the content on page 19
This End-user License Agreement (the "Agreement") is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter "You" or "Your") and Check Point Software Technologies Ltd. (hereinafter "Check Point"). TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY
Summary of the content on page 20
keystrokes will be ignored. Please keep typing until you hear the beep and the bar is full.
[....................]
Thank you.
Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components
Trust State: Uninitialized
Enter Activation Key: xxxxxxxxxx
Again Activation Key: xxxxxxxxxx
The Secure Internal Communication was successfully initialized
ini