
RE: [FW1] Nokia Installation



I've recently installed FW-1 4.1 SP3 on IPSO 3.3.  Basically, what I've done is:

1. Initial configuration of Nokia box thru serial cable connection to the console port.  After that, further connections were either via serial console login or via direct ethernet crossover cable, at least until I got HTTPS for Voyager and SSH working.

2.  Basic security cleanup:  Install SSH for IPSO 3.3 (get the latest package file linked from Nokia Knowledgebase article 1348; if you're not running IPSO 3.3 don't bother, since there are security holes in the earlier versions of SSH for IPSO 3.2.1 and below), disable Telnet, set a password on the 'monitor' account, enable HTTPS/SSL access to Voyager using a self-signed certificate created using Voyager's Certificate Tool.

I usually install the packages by downloading them from the Nokia support website (support.nokia.com) to a PC which has an FTP server, then logging into the admin shell on the Nokia, ftping the package from the PC to the /var/admin directory, and running "newpkg -m local -n /var/admin/PACKAGEFILENAME".  It's also possible to install packages thru Voyager, as well.

3.  Access Voyager via HTTPS.  Configure ethernet interfaces in Voyager: internal, external, and DMZ.

4.  Add default and static routes in Voyager.

5. Add entry with the name of the firewall to the Voyager hosts table.  Put the name in as "foo", not "foo.MyCompany.com" (if the firewall is named "foo")

6. Set DNS pointers, Mail Relay pointers, System Failure Notification email address, Timezone & Time, in Voyager.

7. Install the FW-1 4.1 SP3 package (fw4.1-SP-3-ipso3.3-strong.tgz); reboot.  Go into Voyager, Configuration: Security and Access Configuration: Check Point FireWall-1 and set Start Firewall-1 at Boot? Yes; Start Floodgate-1 at Boot? No; Run ifwd? No (per Nokia KB article 1280)

8. Go to license.checkpoint.com, 'Permanent and Evaluation Licenses/Checkpoint Licensing Center', and enter your Certificate Key and other details, and get a license string.

9. Log into the admin shell and run "cpconfig".  Choose Stand Alone (I don't have a FW-1 Management Module on another machine).  Add the license (enter the "Features" string exactly as given by license.checkpoint.com, including the "CK-NNNNNNNNNNNN" at the end), add an administrator user and a backup administrator user (in case I lose the regular administrator user's password), add GUI client IP addresses, enter external interface name (use the logical name in the form "eth-sNpNc0", not the physical name), take SMTP defaults, do not add group permission, enter random keystrokes, start FW-1? Yes.

10.  Download and install the 4.1 SP3 mgmt GUI from support.nokia.com.  Launch Policy Editor and start configuring policies.

I have encountered one problem so far:  Sometimes when I install the security policy from Policy Editor, the count of licensed (internal) hosts seen by FW-1 doubles.  I've seen some things that suggest that this will be fixed when IPSO 3.4 comes out.  In the meanwhile, the workaround is this: "fwstop; rm $FWDIR/database/fwd.h; rm $FWDIR/database/fwd.hosts; fwstart".  "fw tab -t host_table -s" will show the current licensed host count.

-Anthony Garcia
[email protected]
-----Original Message-----
From: Paul Messer [mailto:[email protected]]
Sent: Monday, June 25, 2001 7:32 AM
To: [email protected]
Subject: [FW1] Nokia Installation


Dear All,


HELP !....


We've just bought a Nokia box to replace an existing Unix FW1 and now that I've got all the routes / objects and groups sorted out I need to configure it all on the Nokia box.


I've got an ethernet connection to the box and I can access it via my web browser.


This is where my "expertise" ceases... how do I get to configure the rulebase, set up licenses n stuff?


A pointer to a "how to install fw-1 on a nokia platform" type document would come in very handy....


Thanks in advance for any help you can give me.

Paul Messer
Systems Development Manager
Taylor & Francis Publishing Services


Tel: 01256 813000



 