Author: DK
Date: 01-11-2015
Identification of all Networks/Subnet Masks/VLANS/Interfaces of existing firewalls
Rack & Stack new pair appliances in Cabinet, Powered up
Identification of all Networks/Subnet Masks/VLANS/Interfaces
Interfaces Wired to appropriate VLANS and Console access
Install Checkpoint R77 Gaia Modules on Firewall Gateway
Web User Interface access connect to https://192.168.1.1:4434
========================================================================
6 IP Addresses/Subnet Mask (2 Inside, 2 Outside, 1 Inside VIP, 1 Outside VIP)
Host Name: siteuse-fwa
Host Name: siteuse-fwa
Domain Name:
DNS Primary:
DNS Secondary:
NTP Primary:
NTP Secondary:
Activation Key (SIC):
Default Route:
Static Routes:
DHCP Scope
1. 10.114.64.0/19
2. default internal is 10.115.249.113
FWA Cabinet
-----------
External Switch Port:
Internal Switch Port:
Reardon Term Server:
FWB Cabinet:
-----------
External Switch Port:
Internal Switch Port:
Reardon Term Server:
Outside Interface
- IP Address/Subnet Mask/Broadcast
- Speed/Duplex
- Cluster VIP
Inside Interface
- IP Address/Subnet Mask/Broadcast
- Speed/Duplex
- Cluster VIP
Sync Interface
- IP Address/Subnet Mask/Broadcast
- Speed/Duplex
--------------------------------------------------------------------------------------
Disable Management Interface
Set Internal Interface for Management
Disable all unused Interfaces
Add Static Routes
Add Default Routes
Disable Dynamic Routing
License File
Set Management Interface
Disable all unused Interfaces
cat /etc/sysconfig/external.if
Set and verify Admin Password
Set and Verify Enable Password
----------------------------------------------------------------------------------------
Example
----------------------------------------------------------------------------------------
Reardon https://10.115.37.52
port 33 - myvpn-fwa
port 34 - myvpn-fwb
4 total fiber cables
me15p01svr01 – FF24 (cabinet) - Label VPN FWL1
me16p02svr02 – FF25 (cabinet) - Label VPN FWL2
three meter cable in FE24 – Labeled VPN FWL 1
three meter cable in FE25 – Labeled VPN FWL 2
--------------------------------------------------------------------------------------------------
BB##p01extswt te1/10
BB##p02extswt te1/10
bbe##p02cor01 port 3/10
bbe##p02cor02 port 3/10
--------------------------------------------------------------------------------------------------
              myvpn-clust         myvpn-fwa           myvpn-fwb          (SIC ok from management, routes added)
Internet                          ETH3-01             ETH3-01
              216.18.19.77(80)    216.18.19.78        216.18.19.79
              255.255.255.128     255.255.255.128     255.255.255.128
Core                              ETH3-04             ETH3-04
              10.105.229.116      10.105.229.117      10.105.229.118     (Manage Interface) 10gb-SR (Port 3/10 on 7K)
              255.255.255.240     255.255.255.240     255.255.255.240
Sync                              SYNC                SYNC
                                  192.168.15.1        192.168.15.2
                                  255.255.255.248     255.255.255.248
External IP
1. 216.118.199.180 = VIP
2. 216.118.199.178 = FW 1
3. 216.118.199.179 = FW 2
4. 216.118.199.12 = Default Gateway
Internal FW IPs 10.15.249.112/28 (VLAN 14)
1. 10.15.249.116 = VIP
2. 10.15.249.117 = FW 1
3. 10.15.249.118 = FW 2
4. 10.15.249.113 = Core HSRP
DHCP Scope
1. 10.114.64.0/19
2. default internal is 100.15.249.113
1. Set computer IP to 100.15.249.133 / 255.255.255.248 (29 bits)
2. WebUI Access https://100.15.249.117, https://100.15.249.118
3. Next hop route to core 100.15.249.113
4. Default route to Internet: 216.18.19.20
------------------------------------------------------
Work to do (all completed)
------------------------------------------------------
set ntp active on
set ntp server primary 16.18.76.16 version 1
set ntp server secondary 10.25.10.16 version 1
set dns suffix mydomain.com
set dns primary 216.18.76.16
set dns secondary 10.5.10.16
set domainname mydomain.com
set ospf area backbone off
set interface Mgmt ipv4-address 192.168.1.1 mask-length 24 off
set interface Mgmt state off
set management interface eth3-04 state on
set static-route default nexthop gateway address 192.168.1.254 off
set static-route default nexthop gateway address 216.118.190.2 on
set static-route 10.10.7.0/24 nexthop gateway address 10.5.49.113 on
set static-route 10.10.2.0/24 nexthop gateway address 10.5.49.113 on
set static-route 216.18.76.0/21 nexthop gateway address 10.5.49.113 on
-------------------------------------------------------------------------------
How To
System Hardware Info
show sysenv all
show asset all
cpstat os -f raidInfo
Reboot: Shut down the system and then immediately restart it.
Halt: Shut down the system.
BACKUP System
-------------
To create and save a backup locally:
add backup local
To create and save a backup on a remote server using FTP:
add backup ftp ip VALUE username VALUE password plain
To create and save a backup on a remote server using TFTP:
add backup tftp ip VALUE
To save a backup on a remote server using SCP:
add backup scp ip VALUE username VALUE password plain
RESTORE
-------
Restoring a Configuration
Use these commands to restore the system's configuration from a backup file.
To restore a backup from a locally held file:
set backup restore local <TAB>
To restore a backup from a remote server using FTP:
set backup restore ftp ip VALUE file VALUE username VALUE password plain
To restore a backup from a remote server using TFTP:
set backup restore tftp ip VALUE file VALUE
To restore a backup from a remote server using SCP:
set backup restore scp ip VALUE file VALUE username VALUE password plain
Monitoring Backup Status
-------------------------
To monitor the creation of a backup:
show backup status
To show the status of the last backup performed:
show backups
Configure Interfaces
---------------------
set interface eth2 ipv4-address 40.40.40.1 subnet-mask 255.255.255.0
set interface eth2 mtu 1500
set interface eth2 state on
set interface eth2 link-speed 1000M/full
Add Static Route
-----------------
set static-route 192.0.2.100 nexthop gateway address 192.0.2.155 on
set static-route 192.0.2.100 nexthop gateway address 192.0.2.18 off
set static-route 192.0.2.0/24 off
NTP
------
show ntp active
show ntp current
show ntp servers
To add a new NTP server:
set ntp active [On|Off]
set ntp server primary VALUE version VALUE
set ntp server secondary VALUE version VALUE
To delete an NTP server:
delete ntp server <IP>
-------------------------------------------------------------------------------
CHECKLIST
-------------------------------------------------------------------------------
a. Boot on Correct Image
1. Admin password
2. enable password
3. Interface definitions
4. Hostname
5. DNS Name
6. NTP IPs
7. Do Nike Pobulon's Custom Config (set interface to broadcast)
[Expert@myvpn-fwa:0]# cphaconf set_ccp broadcast
8. Routes
9. Interface, Subnet Mask, Broadcast Address,
10. License
11. Disable Mngt Interface
12. Enable Core interface for Management
13. Disable dynamic routing (Mike Pobulim email)
14. Establish SIC
15. Install Database
---------------------------------------------------
Day of Cutover
----------------------------------------------------
1. cphaconf set_ccp broadcast
2. create database Revision on MGT station to use to backout
3. Apply licenses to both gateway
5. Re-Establish SIC in GUI Cluster object for both firewalls
6. Fetch Interfaces from Cluster Object Topology (set anti-spoofing on Lan2)
7. Confirm All Interfaces/Sync are populated with correct IP address and Subnet Masks
8. Set Platform Hardware/Version/OS (General Properties of Gateway Cluster) on Management Server;
   enable Firewall/ClusterXL
9. Push Policy to cluster
10. Install Database for log server
11. create user scp with bash
12. Static-Routes
13. Reardon access out of band management
-------------------------------------------------------------
Checkpoint Configuration Files:
--------------------------------------------------------------
1. local.arp ($FWDIR/config) - local arps, /opt/CPsuite-R77/fw1/conf/local.arp
2. fwkern.conf ($FWDIR/modules) - Magic Mac Number
3. sdconf.rec (/var/ace)
4. netconf.C (/etc/sysconfig) - Network interfaces/Routes
5. external.if (/etc/sysconfig)
6. ifcfg-eth1 (/etc/sysconfig/network-scripts/)
-----------------------------------------------------------------
Validate Firewall Functionality
-----------------------------------------------------------------
1. Firewall management access via SSH/HTTPS
2. Interfaces are up and in Correct VLANs ifconfig -a
3. Interfaces do not have errors netstat -i
4. ClusterXL functioning cphaprob stat
5. Check # of connections on firewall fw tab -t connections -s
6. License cplic print
7. Validate Routes netstat -nr | wc -l
8. validate arps - fw ctl arp
9. Validate Sync is ESTABLISHED netstat -an | grep 2010
10. Validate Logs are Flowing to Logger and observe it for any errors
11. Test Cluster-XL HA Sync Failover by Rebooting the Primary Firewall and validate if traffic goes to Secondary without interrupting the Ping Test to
12. Reboot Secondary and make sure it came back into the cluster.
Firewall overall health checks
13. validate firewall is not dropping any packets fw ctl zdebug + drop
14. uptime
15. fw ver
ver
df -h
cphaprob -a if
cphaprob list
cphaprob stat
fw ctl pstat
fw tab -t connections -s
cat /etc/sysconfig/ntp
netstat -i
ethtool -i eth0 (run this for every active interface - it shows which NIC driver version is running)
vmstat 1 10
free
ps auxwww
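Added example (not from the original notes, and not a Check Point tool): the validation list above expressed as shell functions that parse the output of netstat -i, cphaprob stat, fw tab -t connections -s and netstat -an and return pass/fail, so the day-of-cutover checks can be scripted instead of eyeballed. Each function takes the command output as an argument, which lets it run offline on the constructed samples embedded below; on the gateway you would pass live output, e.g. check_interface_errors "$(netstat -i)". All sample output, interface names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted versions of the post-cutover health checks.
# Every function reads the command output from its first argument so the
# same code runs on a captured sample here and on live output on the box.
# All sample output below is constructed, not taken from a real gateway.

# --- constructed sample output ------------------------------------------
SAMPLE_NETSTAT_I='Kernel Interface table
Iface     MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth3-01  1500   0 1234567      0      0      0  987654      0      0      0 BMRU
eth3-04  1500   0 2345678      0     12      0 1876543      0      0      0 BMRU
Sync     1500   0  345678      0      0      0  345600      0      0      0 BMRU
lo      16436   0    1000      0      0      0    1000      0      0      0 LRU'

SAMPLE_NETSTAT_AN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2010            0.0.0.0:*               LISTEN
tcp        0      0 192.168.15.1:2010       192.168.15.2:38213      ESTABLISHED
tcp        0      0 10.105.229.117:22       10.15.249.133:51002     ESTABLISHED'

SAMPLE_CPHAPROB_STAT='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.15.1    100%            Active
2          192.168.15.2    0%              Standby'

SAMPLE_FW_TAB='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  1423  4021    3895'

# 3. "Interfaces do not have errors": netstat -i columns are
#    Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg,
#    so flag any row with non-zero RX-ERR/RX-DRP ($5,$6) or TX-ERR/TX-DRP ($9,$10).
check_interface_errors() {
    printf '%s\n' "$1" | awk '
        NR > 2 && ($5 + $6 + $9 + $10) > 0 { print "errors on " $1 ": " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# 4. "ClusterXL functioning": member rows of cphaprob stat start with the
#    member number; expect exactly one Active member and all others Standby.
check_cluster_state() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            if ($NF == "Active") active++
            else if ($NF != "Standby") { print "member " $1 " is " $NF; bad++ }
        }
        END { exit ((active == 1 && !bad) ? 0 : 1) }'
}

# 5. "Check # of connections": fw tab -t connections -s prints
#    HOST NAME ID #VALS #PEAK #SLINKS; return the current entry count (#VALS).
connection_count() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'
}

# 9. "Validate Sync is ESTABLISHED": at least one ESTABLISHED session on
#    port 2010 (the port the notes above grep for). Prints the count.
check_sync_established() {
    printf '%s\n' "$1" | awk '
        ($4 ~ /:2010$/ || $5 ~ /:2010$/) && $NF == "ESTABLISHED" { n++ }
        END { print n + 0; exit (n ? 0 : 1) }'
}

# Run one check, print PASS/FAIL, and count failures in the global "failed".
report() {
    name=$1; shift
    if "$@" >/dev/null; then echo "PASS $name"; else echo "FAIL $name"; failed=$((failed + 1)); fi
}

# Run every check on the samples; returns the number of failed checks.
health_report() {
    failed=0
    report "interface errors (netstat -i)"   check_interface_errors "$SAMPLE_NETSTAT_I"
    report "ClusterXL state (cphaprob stat)" check_cluster_state "$SAMPLE_CPHAPROB_STAT"
    report "sync ESTABLISHED (netstat -an)"  check_sync_established "$SAMPLE_NETSTAT_AN"
    echo "connections in table: $(connection_count "$SAMPLE_FW_TAB")"
    return $failed
}

# Stand-alone run: the sample netstat -i shows 12 RX drops on eth3-04, so
# exactly one check fails.
health_report || echo "$? check(s) failed"
```

On the gateway the sample variables are replaced by command output, e.g. report "interface errors" check_interface_errors "$(netstat -i)"; the awk column positions assume the Linux netstat layout shown in the sample.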
------------------------------------------------------------------------
Troubleshooting
------------------------------------------------------------------------
ClusterXL, to start sync - fw ctl setsync start
OSPF issue -
[Expert@myvpn-fwa:0]# drouter stop
[Expert@myvpn-fwa:0]# drouter start
[Expert@myinet-fwb]# more /etc/sysconfig/ntp
INTERVAL=120
SERVER1=216.118.176.160
SERVER2=216.118.190.230
USE_NTP=true
[Expert@myvpn-fwa:0]#
to check ntp running we're using "tcpdump -i eth4 port 123"...
[Expert@myvpn-fwa:0]# ntpstat
ntp is running
[Expert@myvpn-fwa:0]# drouter stop;drouter start
[Expert@myvpn-fwa:0]# history
1 netstat -rn|grep 192.100.
2 netstat -rn|wc -l
3 cphaprob stat
4 routerd stop;routerd start
5 routed stop;sleep 1;routed start
6 router stop
7 ps -fax | grep route
8 cphaprob list
9 route
10 router
11 find / -name router
12 find / -name routed
13 netstat -nr | wc -l
14 cphaprob state
15 router stop
16 routerd stop
17 route
18 router
19 cphaprob stat
20 cphaprob stop
21 cphaprob stat
22 droute stop
23 drouter stop
24 drouter start
29 netstat -nr | wc -l - Check for OSPF routes
30 cphaprob state
46 netstat -nr | wc -l
47 fw stat
48 fw tab -t connections -s
49 cphaprob list
50 netstat -rn
51 history
[Expert@myvpn-fwa:0]# #
-----------------------------------------------------------------------
Typical Commands
set domainname mydomain.com
set dns suffix bcbsma.com
set dns primary 216.18.176.160
set dns secondary 10.251.210.160
set ntp active on
set ntp server primary 216.18.176.160 version 3
set ntp server secondary 10.25.210.16 version 3
set static-route default nexthop gateway address 192.168.1.254 on
set static-route default nexthop gateway address 192.168.1.254 off
set static-route default nexthop gateway address 172.130.25.133 on
set management interface eth2-01
set interface Mgmt state off
set interface Mgmt state on
set interface Mgmt auto-negotiation on
set interface Mgmt ipv4-address 192.168.1.1 mask-length 24
set interface Sync link-speed 1000M/full
set interface Sync state on
set interface Sync ipv4-address 192.168.25.17 mask-length 28
set interface eth1-03 comments "Server-Backend"
set interface eth1-03 state on
set interface eth1-03 auto-negotiation on
set interface eth1-03 mtu 1500
set interface eth1-03 ipv4-address 216.18.85.130 mask-length 25
set interface eth3-02 state off
set interface eth3-03 state off
set interface eth3-04 state off
Config OSPF
1. Open the Network Management > Network Interfaces page of the WebUI
2. Configure the Ethernet interface and assign an IP address to it
3. Open the Advanced Routing > OSPF page of the WebUI
4. Define the other Global Settings, including the Router ID
5. Optional
show interface Mgmt
If there is a blank group for interfaces, click OK and go back into Edit Topology; it will disappear.
-------------------------------------------------------------------------------------------------
Add User SCP
-------------------------------------------------------------------------------------------------
R77.20 Gaia - How to Add a new user via CLISH
add user scp uid 0 homedir /home/scp
set user scp password
add rba user scp roles adminRole
bos0105fwm01> add user dk01 uid 0 homedir /home/dk01
WARNING Must set password and a role before user can login.
- Use 'set user USER password' to set password.
- Use 'add rba user USER roles ROLE' to set a role.
myfwm01> set user dk01 password
New password:
Verify new password:
myfwm01>
myfwm01> add rba user dk01 roles adminRole
myfwm01>
--------------------------------------------------------------------------------------------------
Print Static-Routes
netstat -nr | grep -v D
netstat -rn |grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort >routes.txt
netstat -rn |grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort | wc -l
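Added example (not from the original notes, and not a Check Point tool): a pre/post cutover comparison of the routing table. Counting lines with netstat -nr | wc -l, as above, misses the case where one route disappears while another appears; this script normalises two netstat -rn dumps to "destination gateway genmask iface", sorts them and diffs them with comm, so the missing route is named. The two route tables embedded below are constructed samples (one route in the "after" table replaced), and the file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: route-table baseline and diff for a firewall cutover.
# Both sample tables are constructed; they mimic `netstat -rn` output.
export LC_ALL=C

ROUTES_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         216.18.19.20    0.0.0.0         UG        0 0          0 eth3-01
10.10.2.0       10.15.249.113   255.255.255.0   UG        0 0          0 eth3-04
10.10.7.0       10.15.249.113   255.255.255.0   UG        0 0          0 eth3-04
10.15.249.112   0.0.0.0         255.255.255.240 U         0 0          0 eth3-04
192.168.15.0    0.0.0.0         255.255.255.248 U         0 0          0 Sync
216.18.19.0     0.0.0.0         255.255.255.128 U         0 0          0 eth3-01'

# Same number of routes, but 10.10.7.0/24 is gone and 172.16.0.0/16 is new.
ROUTES_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         216.18.19.20    0.0.0.0         UG        0 0          0 eth3-01
10.10.2.0       10.15.249.113   255.255.255.0   UG        0 0          0 eth3-04
172.16.0.0      10.15.249.113   255.255.0.0     UG        0 0          0 eth3-04
10.15.249.112   0.0.0.0         255.255.255.240 U         0 0          0 eth3-04
192.168.15.0    0.0.0.0         255.255.255.248 U         0 0          0 Sync
216.18.19.0     0.0.0.0         255.255.255.128 U         0 0          0 eth3-01'

# Reduce each netstat -rn row to "destination gateway genmask iface" and sort,
# dropping the two header lines and the volatile MSS/Window/irtt columns.
normalize_routes() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 8 { print $1, $2, $3, $NF }' | sort
}

# Route count, the figure the notes get from `netstat -nr | wc -l` (less headers).
route_count() {
    normalize_routes "$1" | wc -l | tr -d ' '
}

# Print routes missing after the cutover as "- ..." and new ones as "+ ...".
# Exit status is 0 only when both tables contain exactly the same routes.
route_diff() {
    before=$(mktemp) && after=$(mktemp) || return 2
    normalize_routes "$1" > "$before"
    normalize_routes "$2" > "$after"
    comm -23 "$before" "$after" | sed 's/^/- /'
    comm -13 "$before" "$after" | sed 's/^/+ /'
    changed=$(comm -3 "$before" "$after" | wc -l | tr -d ' ')
    rm -f "$before" "$after"
    [ "$changed" -eq 0 ]
}

# Stand-alone demonstration on the samples. On the gateway, save the baseline
# before the cutover (assumed path): netstat -rn > /var/tmp/routes-before.txt
# and afterwards run: route_diff "$(cat /var/tmp/routes-before.txt)" "$(netstat -rn)"
echo "routes before: $(route_count "$ROUTES_BEFORE"), after: $(route_count "$ROUTES_AFTER")"
route_diff "$ROUTES_BEFORE" "$ROUTES_AFTER" || echo "route table differs from baseline"
```

Because both tables hold six routes, the wc -l check alone would report no change; the diff output names the route that was lost and the one that was added.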