

CHECK POINT SOFTWARE TECHNOLOGIES
Education Services
Application Control
Lab Setup Procedures
www.CheckPoint.com
courseware@checkpoint.com
8333 Ridgepoint Dr., Suite 150, Irving, TX 75063
Configuring the Lab Environment
The Application Control class topology was designed as a “sandbox” environment. With the exception of the
external interfaces of the Gateways, all virtual machines at the student sites have the same set of IP addresses.
Each student’s network will connect to the Internet through bridged interfaces that connect to a router. The
private networks will be hidden behind the gateway’s external interface.
Follow the steps below to configure the four virtual machines per site needed for the students to perform all
Application Control labs. Virtual Machines may be created in either a VMware Workstation or ESX
environment. This configuration was tested using VMware Workstation. Additional steps or a different
configuration may be required when working with ESX.
Configuring Virtual Machine Settings
All virtual machines should be configured with the following options:
Snapshots – Just Power off
VMware Tools – Installed
Time Synchronization – Synchronization between Guest and Host should be active.
DNS Configuration
Configure the ADServer machine to point to the DNS server used by the classroom router.
Domain Information
Each student site must be configured with an Active Directory server managing access to the
atlantiscorp.cp domain. When having the students log into AT_GUI and ADServer, make sure they are
logging into the atlantiscorp.cp domain. This is vital to the success of one of the later labs.
Lab Topology
Configure each student machine with one of the following virtual environments:
Configuring the Virtual Machines
Configure each of the virtual machines listed below on all student machines.
Atlantis GUI Client
Use the information below to configure the Atlantis GUI Client virtual machine:
Name: Atlantis_GUI
OS: Windows 2003 Server SP2/SP3
Hard Drive: 10GB
RAM: 768MB
Check Point Modules Installed: SmartConsole
Use the following information to configure the interface for the Atlantis GUI Client virtual machine:
IP Address: 10.1.1.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: LAN 1
Special instructions for the Atlantis GUI Client virtual machine:
1. Install TimeTools NTP Server. Under Options, enable “Serve NTP to Clients” and set the NTP
stratum and NTP Polling frequency to 1.
2. Add TimeTools NTP Server to the startup group so that it starts when the virtual machine is
powered on.
3. Install SmartConsole R75.
Atlantis Security Management Server
Use the information below to configure the Security Management Server virtual machine:
Name: AT_MGMT
OS: SecurePlatform R71.20
Hard Drive: 15GB
RAM: 1GB
Check Point Products Installed: Security Management, SmartEvent and SmartReporter Suite
Use the following information to configure the interface for the Security Management Server
virtual machine:
IP Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: LAN 1
Special instructions for the first Security Management Server virtual machine:
1. Configure NTP to act as a Client with Atlantis_GUI (10.1.1.201) acting as the NTP Server.
Atlantis Security Gateway
Use the information below to configure the Security Gateway virtual machine:
Name: AT_GWY_1
OS: SecurePlatform R71.20
Hard Drive: 15GB
RAM: 512MB
Check Point Products Installed: Security Gateway
Use the following information to configure the interfaces for the Security Gateway virtual machine:
IP Address: 172.n.n.1
Subnet Mask: 255.0.0.0
Default Gateway: 172.n.n.2
Interface: eth0
LAN: Bridged to Host

IP Address: 10.1.1.1
Subnet Mask: 255.255.255.0
Interface: eth1
LAN: LAN 1
Use the chart below to determine the site’s external IP:
Classroom Site Number   External IP Address   Default Gateway IP Address
Site 1                  172.21.101.1          172.21.101.2
Site 2                  172.22.102.1          172.22.102.2
Site 3                  172.23.103.1          172.23.103.2
Site 4                  172.24.104.1          172.24.104.2
Site 5                  172.25.105.1          172.25.105.2
Site 6                  172.26.106.1          172.26.106.2
Site 7                  172.27.107.1          172.27.107.2
Site 8                  172.28.108.1          172.28.108.2
Special instructions for the Security Gateway virtual machine:
1. Configure NTP to act as a Client with Atlantis_GUI (10.1.1.201) acting as the NTP Server.
Active Directory Server
Use the information below to configure the Active Directory Server virtual machine:
Name: ADServer
OS: Windows 2003 Server SP2/SP3
Hard Drive: 15GB
RAM: 512MB
Use the following information to configure the interface for the Active Directory Server virtual machine:
IP Address: 10.1.1.125
Subnet Mask: 255.255.255.0
Interface: eth0
LAN: LAN 1
Special instructions for the Active Directory Server virtual machine:
1. Configure the following roles in the Manage Your Server applet:
Active Directory Server
2. Create the OUs and add the users for Atlantis Corp’s Active Directory implementation using the scripts
in AD_Setup_Scripts.zip.
3. The Active Directory must be configured with the following two users:
Username: Administrator
Password: P@ssword1

Username: joeroberts
Password: vpn123
Note: In the labs when instructed to log into a virtual machine, verify that the user is logging into the
domain and not just logging in locally. SmartEvent uses this domain information to populate some of
the logs.
Configure the Security Policy
The following objects should be configured prior to beginning the Application Control labs:
AT_GWY (Gateway)
AT_MGMT (Management Server)
atlantis_net (Network)
Configure the following rules:
Name              Source  Destination  VPN          Service    Action  Track  Install On
NBT Rule          Any     Any          Any Traffic  NBT        drop    None   Policy Targets
Stealth Rule      Any     AT_GWY       Any Traffic  Any        drop    Log    Policy Targets
Web Traffic Rule  Any     Any          Any Traffic  http, dns  accept  Log    Policy Targets
Cleanup Rule      Any     Any          Any Traffic  Any        drop    Log
Configure the AT_GWY to perform Hide NAT, hiding the internal network behind the external interface of
the gateway.
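Added example, not part of the original lab guide: a small first-match model of the four rules above, showing that HTTP aimed at AT_GWY hits the Stealth Rule and would be accepted if the Web Traffic Rule were placed above it. The port sets for NBT, http and dns, the helper names and the test address 203.0.113.10 are assumptions; Source is Any in every rule, so it is not modeled, and implied rules and NAT are ignored.

```python
from ipaddress import ip_address

ANY = None  # wildcard, like "Any" in the rule base

# Assumed port definitions for the NBT, http and dns services (not from the page).
NBT = {("udp", 137), ("udp", 138), ("tcp", 139)}
HTTP_DNS = {("tcp", 80), ("udp", 53), ("tcp", 53)}

def gateway_addresses(site):
    """Both AT_GWY interface addresses for classroom site 1-8 (per the chart)."""
    return {ip_address(f"172.{20 + site}.{100 + site}.1"), ip_address("10.1.1.1")}

def rule_base(site):
    """(name, destination, service, action, track) in the order the page lists."""
    return [
        ("NBT Rule", ANY, NBT, "drop", "None"),
        ("Stealth Rule", gateway_addresses(site), ANY, "drop", "Log"),
        ("Web Traffic Rule", ANY, HTTP_DNS, "accept", "Log"),
        ("Cleanup Rule", ANY, ANY, "drop", "Log"),
    ]

def evaluate(rules, dst, proto, port):
    """Return (rule name, action, track) of the first matching rule."""
    dst = ip_address(dst)
    for name, rule_dst, rule_svc, action, track in rules:
        if rule_dst is not ANY and dst not in rule_dst:
            continue
        if rule_svc is not ANY and (proto, port) not in rule_svc:
            continue
        return name, action, track
    return "(no match)", "drop", "None"  # only reachable without a Cleanup Rule

def swap_stealth_and_web(rules):
    """Misordered variant: Web Traffic Rule placed above the Stealth Rule."""
    nbt, stealth, web, cleanup = rules
    return [nbt, web, stealth, cleanup]

if __name__ == "__main__":
    rules = rule_base(3)
    # Constructed connections; 203.0.113.10 is a documentation address.
    samples = [("172.23.103.1", "tcp", 80), ("203.0.113.10", "tcp", 80),
               ("10.1.1.1", "udp", 137), ("203.0.113.10", "tcp", 22)]
    for conn in samples:
        print(conn, "page order:", evaluate(rules, *conn),
              "| misordered:", evaluate(swap_stealth_and_web(rules), *conn))
```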
Configuring Active Directory Server in SmartDashboard
1. From SmartDashboard, open the Security Gateway object and select the Identity Awareness
branch.
2. Uncheck and then check again the Enable Identity Awareness option. The system displays a
wizard.
3. Select the AD Query option.
4. Choose the option Create new domain.
5. Use the following information to configure the Identity Awareness Configuration screen:
Domain Name: atlantiscorp.cp
Username: Administrator
Password: P@ssword1
Domain Controller: 10.1.1.125
Note: The username and password must match the Administrator of the Active Directory server.
6. Click Connect and close the wizard.
7. From Users & Administrators, double-click the new LDAP account unit to verify that it receives a list of
users from the AD.