Perform security checkup using OpenServer or Appliance
From Notes_Wiki
<yambe:breadcrumb>Checkpoint_Gaia_OS|Checkpoint Gaia OS</yambe:breadcrumb>
Perform security checkup using openserver or appliance
- Ensure that the device is flashed/freshly installed/reset to factory settings. For an OpenServer, Gaia can be reinstalled. For an OpenServer ensure that there are at least two interfaces: one for management and the other for monitor mode.
- For an appliance, connect a USB stick with R77.30 written to it using the ISOmorphic tool. An external USB CD drive would also work. Connect to the console via HyperTerminal (9600 8N1, no flow control), connect the USB, then reboot the appliance. Type 'serial' at the boot prompt for flashing.
- In the first-time configuration WebUI wizard (at the https://<IP> given during installation, default 192.168.1.1 on the management port), choose 'Quick Standalone setup' instead of the default 'Continue with Gaia R77.30 configuration'. On R77.30 on an OpenServer the 'Quick standalone setup' option is not present.
- Create a user for WinSCP/bash login. Go to https://<IP> and login as admin. Go to User Management -> Users. Create a user with the default shell set to /bin/bash. Assign both adminRole and monitorRole. Leave UID as 0 for root access.
- Download latest Security checkup tools from http://supportcontent.checkpoint.com/file_download?id=24867
- Extract the downloaded file. Copy 'Security_Checkup_R77.30_Ver1.204/SmartEventSupplement/Security_Checkup_Supp_R77.30_Ver01.tgz' to '/var/install' on the appliance using WinSCP etc. with the user that has a bash shell. Note that rsync won't work; only scp can be used. /var/install may have to be created first.
- Extract the tar and run the security checkup installer using:
- tar xzf Security_Checkup_Supp_R77.30_Ver01.tgz
- chmod +x security_checkup
- ./security_checkup
- This terminal will hang after some time, after which it can be closed.
- Use "ps eax | grep sec" in another terminal to verify that the "./security_checkup" program has terminated.
- Typical lines near the end of the output are:
- SVN Foundation: cpWatchDog stopped
- SVN Foundation: Stopping PostgreSQL Database
- SVN Foundation stopped
- Backup configuration files
- dos2unix: converting file /opt/CPsuite-R77/fw1/log/Checkup_Uploader to UNIX format ...
- nohup: appending output to `nohup.out'
- Remove the existing SmartConsole (and SmartDashboard) and install the version that came with the SecurityCheckup zip file.
- Go to the User Center at usercenter.checkpoint.com and from "Winning the Security market" -> Production Evaluation choose "All-in-one evaluation".
- TODO Some steps related to license
- Login to the Gaia portal and go to "Network Management" -> "Network Interfaces". Choose the non-management interface and edit it. Click enable. Write the comment 'SPAN'. Leave the IPv4 address and subnet mask blank. In the 'Ethernet' tab select monitor mode. In the CLI an interface can be configured for monitor mode using:
- set interface eth0 monitor-mode on
- In "Network Management" -> "IPv4 Static Routes" ensure that a correct route is set so that the gateway can reach the Internet.
- Open the gateway in SmartDashboard and follow the further steps.
- Open SmartEvent from SmartConsole Drop Down from Smart Dashboard.
- Go to top-left menu (File menu) and choose View -> Security Checkup
- Close and Re-open SmartEvent from Smart Dashboard.
- Double click firewall in Dashboard to see its properties
- In "Network Security" enable Firewall, IPS, Anti-Bot, Anti-Virus (Detect), Monitoring, Application Control, URL Filtering and DLP.
- In "Management" enable Logging & Status, Monitoring, Management Portal, SmartReporter, SmartEvent Server, SmartEvent Correlation Unit and Compliance. Note that enabling SmartEvent Intro disables SmartEvent Server, which is not desired.
- After General properties in Topology ensure:
- The management interface (e.g. eth0) is external with external topology and the correct IP
- The mirror port is internal with 0.0.0.0/0.0.0.0 IP and "Network defined by IP/mask"
- Anti-spoofing is disabled on all interfaces
- Configure firewall software blades
- In Policy add an any-to-any rule with action accept and without logging.
- Click on "Install Policy" at the top to install this policy. Ignore any warnings about anti-spoofing being disabled.
- Using PuTTY, login and enter expert mode. Try:
- ping www.google.co.in.
- Edit /etc/resolv.conf to supply the correct DNS servers, if necessary. Permanent configuration can be done via the Gaia web interface "Network Management" -> "Hosts and DNS" option by giving the correct Primary and Secondary DNS, as applicable.
- curl_cli cws.checkpoint.com
- ping www.google.co.in.
- Other optimizations:
- Ensure anti-spoofing is disabled for all interfaces
- In Firewall -> Policy, click on the "Edit Global Properties" option at the top. In SmartDashboard Customization, click on the Configure button. Then in FireWall-1 -> Stateful Inspection, uncheck "reject_x11_in_any".
- In "Global Properties" -> Stateful Inspection
- Set "TCP session timeout" to 60 seconds
- Set "TCP end timeout" to 5 seconds
- Turn off "Drop out of state TCP packets" and "Drop out of state ICMP packets"
- Install the new policy before proceeding. Ignore any warnings about anti-spoofing being disabled.
- Configure "IPS" software blade
- Edit gateway properties and under IPS ensure that
- IPS profile is "Default protection"
- Perform IPS inspection on all traffic
- Bypass IPS inspection when the gateway is under heavy load.
- Go to the IPS tab. Go to Protections -> By Protocol -> IPS Software Blade -> Network Security -> Denial of Service. Select Aggressive Aging and set the following values:
- TCP Start Timeout: 5
- TCP Session Timeout: 55
- TCP End Timeout: 3
- Set tracking for the protection to None for both "Default Protection" and "Recommended Protection"
- In the IPS tab select Policies. Double click "Recommended_Policy" and change the IPS mode from prevent to detect.
- To prevent some false positives, connect to the firewall via ssh and enter expert mode.
- Open "vi $FWDIR/modules/fwkern.conf" and paste:
- psl_tap_enable=1
- fw_tap_enable=1
- Exit from expert mode
- Install the new policy and then reboot the security gateway. Ignore any warnings about anti-spoofing being disabled.
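The fwkern.conf edit above is easy to get wrong by hand (a duplicated or mistyped key silently does nothing until the reboot). The following shell helper, an added example that is not part of the wiki page, sets each key exactly once and can be re-run safely; it assumes $FWDIR is set as it is in Gaia expert mode, or that the file path is passed explicitly.

```shell
#!/bin/sh
# Added example (not from the wiki): idempotently set KEY=VALUE lines in a
# fwkern.conf-style file so repeated runs never append duplicate entries.
# Assumes $FWDIR is exported (true in Gaia expert mode) or a path is given.

# set_kernel_param FILE KEY VALUE
# Rewrites an existing "KEY=..." line in place, or appends "KEY=VALUE".
set_kernel_param() {
    file="$1"; key="$2"; value="$3"
    touch "$file" || return 1
    if grep -q "^${key}=" "$file"; then
        # Key already present: rewrite its line, keeping file order
        # (portable: no reliance on sed -i).
        tmp="${file}.tmp.$$"
        awk -v k="$key" -v v="$value" 'BEGIN{FS=OFS="="}
            $1==k {$0=k"="v} {print}' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kernel_param FILE KEY -> prints the current value of KEY (empty if absent)
get_kernel_param() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# count_key FILE KEY -> number of lines defining KEY; 1 means no duplicates
count_key() {
    grep -c "^$2=" "$1" || true
}

# enable_tap_params [FILE]
# Applies the two tap parameters the checkup procedure needs; the kernel only
# reads this file at boot, so the gateway still has to be rebooted afterwards.
enable_tap_params() {
    conf="${1:-$FWDIR/modules/fwkern.conf}"
    set_kernel_param "$conf" psl_tap_enable 1 &&
    set_kernel_param "$conf" fw_tap_enable 1
}
```

Run `enable_tap_params` in expert mode and confirm with `get_kernel_param "$FWDIR/modules/fwkern.conf" psl_tap_enable` before rebooting.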
- After the reboot there might be some delay before the firewall is accessible. Now activate the "Application Control and URL Filtering" blade as follows:
- Under Policy ensure there is only one rule (delete the child protection policy) with destination Any (not Internet) and track Log (not Extended or Complete).
- Go to Advanced -> Engine settings. Enable
- Categorize HTTPS sites
- Enforce safe search in search engines
- Leave the other settings as they are.
- Install policy
- Enable DLP blade as follows:
- Use this procedure if users at the customer site browse the Internet via a proxy:
- In SmartDashboard, go to the Objects Tree and select the Services tab.
- Edit the TCP service: HTTP_and_HTTPS_proxy.
- Click Advanced.
- Select Protocol Type, and choose HTTP.
- Enable Match for Any
- Click OK
- Install Policy
- In the DLP blade go to "Advanced Settings" -> "Advanced" and check the "Log all sent messages" option.
- Install policy
- Enable "Threat Prevention" as follows:
- In the Threat Prevention blade go to Profiles and edit "Recommended_Profile". Change all protection activations to "Detect".
- In the same property box go to "Anti-virus settings".
- Select "Inspect incoming and outgoing files"
- Choose to process all file types without deep inspection
- Enable archive scanning
- Then in "Threat Emulation Settings" change the protected scope to "Inspect incoming and outgoing files"
- Install Policy
- Connect the monitor port to the mirror/SPAN port and monitor events in SmartEvent.