Deploy Check Point R80.40 Management Server


Time: 2 hours 22 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
>> [MUSIC]
00:00
Welcome to the Jumpstart CloudGuard deployment lab.
00:00
In the previous exercise,
00:00
we deployed an Azure virtual network with two subnets.
00:00
That was done in
00:00
preparation to set up a CloudGuard gateway.
00:00
In this second exercise,
00:00
we're going to deploy a Check Point management station,
00:00
and the management station could be
00:00
deployed in various locations
00:00
at the customer premise in
00:00
another VPC or another Cloud environment.
00:00
But to show you the scope of CloudGuard,
00:00
we are going to deploy the Management Station also in
00:00
this Azure Cloud within the same VNet,
00:00
we're going to place the Management Station
00:00
in a frontend subnet.
00:00
Let me show you how to deploy it in
00:00
a frontend subnet of your VPC. Let's get started.
00:00
Again, connect to your Azure account.
00:00
There are a few ways to deploy it,
00:00
go to the home menu and select, Create a resource.
00:00
In the marketplace,
00:00
you can search for the product that you want,
00:00
in this case we're going to type CloudGuard,
00:00
then we hit the 'Enter key',
00:00
to search through the marketplace.
00:00
We find two products with that name.
00:00
The search results show
00:00
us the CloudGuard Network Security Firewall
00:00
and Threat Prevention product.
00:00
Let's select this product,
00:00
if this is your first time installing this product,
00:00
I suggest you spend a few moments to review it.
00:00
You can read a little bit about
00:00
>> this product if you like,
00:00
>> regarding some of the benefits,
00:00
deployment plans and also
00:00
some of the support information.
00:00
I covered most of this already in the previous video,
00:00
but it might be a nice refresher.
00:00
Now let's take a look at the plans that you can deploy,
00:00
select the pull down menu.
00:00
Check Point offers five different deployment plans.
00:00
They can be grouped into two categories,
00:00
we have the management station and the gateway.
00:00
In the management station,
00:00
we have two kinds of deployments.
00:00
We have a standard
00:00
single Check Point Security Management,
00:00
and we also have the CloudGuard Multi-Domain Server,
00:00
which are for large enterprises.
00:00
In the gateway category,
00:00
we have the Single Gateway and also
00:00
a cluster high availability solution that
00:00
offers resiliency and redundancy, and third,
00:00
and finally, we offer
00:00
>> the CloudGuard Scale Set solution,
00:00
>> which is for dynamic and scalable platform solutions
00:00
that can scale up and down as your business demands,
00:00
needs increase and decrease.
00:00
In this exercise, we will
00:00
install the Check Point Security Management,
00:00
so make sure you select it and then hit "Create."
00:00
We now need to fill the fields as follows.
00:00
The subscription stays the
00:00
same your resource group has to be a new one,
00:00
one that does not have any resources attached to it.
00:00
Notice the error when I select the first one,
00:00
that's because we already use that
00:00
>> in the first exercise.
00:00
>> It has already been assigned to my VNet and the subnets,
00:00
so let's select the second one in my case
00:00
but in your case,
00:00
if your accounts and
00:00
subscription permissions are different,
00:00
you might need to create a new one.
00:00
We will keep the region the same, East US.
00:00
You can select your region,
00:00
the same region that you selected
00:00
>> in the first exercise.
00:00
>> Now we need to give this a server name,
00:00
I will call mine CPMng,
00:00
which is short for Check Point Management Server.
00:00
Now we need to define a password.
00:00
This is the Gaia SmartConsole login password.
00:00
There are special security requirements
00:00
that your password must meet.
00:00
The password must not include
00:00
reserved words or unsupported characters.
00:00
The password must be
00:00
a minimum of 12 characters or longer.
00:00
The password must contain three of the following,
00:00
either one lowercase character,
00:00
one uppercase character, one number,
00:00
or a special character.
00:00
The more complex, the better, but obviously,
00:00
it should be something
00:00
that you will be able to remember,
00:00
and you will need to retype
00:00
it every time when logging into the Management Station,
00:00
you need to confirm your password.
00:00
This is a nice sanity check,
00:00
all software do this now.
00:00
Select "Next" to change
00:00
the Check Point Security Management Server Settings.
00:00
We're going to make a few modifications
00:00
>> from the default.
00:00
>> Let's select R80.40 version.
00:00
For the license, we will
00:00
select the pay-as-you-go license.
00:00
It will give us a 30-day eval license,
00:00
and it is also the cheaper one to test with.
00:00
The virtual machine size will keep the defaults.
00:00
There is no need to change it,
00:00
and also it has been optimized to work with CloudGuard.
00:00
The installation type is Management Station.
00:00
Allowed clients, we will leave it as is for now,
00:00
but it would be best to lock this
00:00
down to your GUI clients,
00:00
network or IP address.
00:00
The rest will keep the defaults,
00:00
and now let's hit Next for network settings.
00:00
We're going to place this
00:00
>> CloudGuard Management Station.
00:00
>> We're going to select
00:00
the VPC that we created in Exercise 1,
00:00
my VNet, and we're going to attach
00:00
it to the frontend subnet that
00:00
>> we created in Exercise 1.
00:00
>> Select next to review and create.
00:00
The Azure software
00:00
will verify that all your changes are fine.
00:00
If we forgot anything,
00:00
we would get an error and be
00:00
prompted to fix any discrepancies.
00:00
We got validation passed,
00:00
this is a green light to continue.
00:00
Let's select create.
00:00
The Azure Software will now deploy
00:00
our new CloudGuard Management Station in
00:00
my account within my subscription in the US region,
00:00
in my VNet virtual network,
00:00
and we'll attach it to the frontend subnet.
00:00
This deployment can take a few minutes,
00:00
I'm going to fast-forward to the completion.
00:00
Notice some of the resources that it is creating.
00:00
Notice that we never added an IP address,
00:00
it's going to use
00:00
the first IP address in the frontend subnet.
00:00
>> [MUSIC] Now, the deployment is completed,
00:00
at least from the Azure interface perspective
00:00
but in the background,
00:00
it is still installing and
00:00
configuring the Gaia and Check Point Software.
00:00
Let's select "Go to resource".
00:00
I am looking for the IP address.
00:00
We need to select the resource of
00:00
CP Management Virtual Machine. Let's click on it.
00:00
In overview page,
00:00
notice there are two IP addresses,
00:00
a private IP address and a public IP address.
00:00
Notice that it added a public IP address.
00:00
The public IP is the routable IP.
00:00
Microsoft Azure gives it to
00:00
you when you deploy the resources in
00:00
their Cloud so your virtual machine's resources
00:00
will be accessible from the Internet.
00:00
Let's select "Copy IP address" and now
00:00
let's open a browser and
00:00
connect to the public IP address,
00:00
https://13.82.196.207 or whatever IP
00:00
address that has been provided to you.
00:00
Hit "Enter". We get
00:00
the standard certificate cannot be verified,
00:00
which is normal because it's a self-signed certificate.
00:00
Select, "Proceed to continue".
00:00
Great. We get the Gaia browser login page.
00:00
We need to provide the username and password.
00:00
This is the password that we created before.
00:00
In the deployment step,
00:00
select the "Log on" icon.
00:00
Notice we've got message
00:00
that the system is still being configured,
00:00
please try again later.
00:00
We have to wait a few more minutes,
00:00
even though we have deployed
00:00
the management on Azure Cloud,
00:00
the operating system is still being hardened
00:00
and the Check Point Software is being configured.
00:00
This is the longest time to wait,
00:00
but we can take a look at
00:00
the Azure Console to see what is going on.
00:00
Scroll to the Serial Console,
00:00
which is a new feature in Azure.
00:00
It takes a few moments to connect.
00:00
You can see that it's still booting.
00:00
Let's time-lapse forward.
00:00
Still not ready.
00:00
Eight minutes later. There we go,
00:00
We have the Gaia portal access.
00:00
The Management Station is now fully loaded.
00:00
From here, we can download
00:00
SmartConsole, select "Download Now".
00:00
Let's quickly take a look at
00:00
a few things while we are here.
00:00
Let's go to the Network Interface tab.
00:00
Notice that even though we never entered
00:00
an IP address during the deployment,
00:00
two IP addresses have been configured.
00:00
There is a private IP address, 10.0.0.4 on Eth0.
00:00
This is the first IP address in the front end subnet,
00:00
that we gave it a range of 10.0.0.0/24.
00:00
Remember our VPC was a slash 16.
00:00
The slash 24 was a subnet range for the front end.
00:00
It selected the first available IP in a slash 24 range.
00:00
Dot zero is reserved for the network,
00:00
which is the same in traditional networks.
00:00
Dot one is reserved for the gateway.
00:00
The gateway is implied in Microsoft Azure.
00:00
You don't need to create it.
00:00
It automatically implicitly gets created for you.
00:00
Dot two and dot three are also
00:00
reserved for the Azure fabric.
00:00
Dot four is the first available IP,
00:00
10.0.0.4 is the Check Point management station IP.
00:00
Notice that it also created an alias
00:00
on Eth0:1 with the public IP address.
00:00
This is the IP that we're using in the browser.
00:00
Now, let's take a look at the static routes.
00:00
Notice the default route.
00:00
In Microsoft Azure, you
00:00
don't explicitly create the default gateway.
00:00
It is implicitly created for
00:00
you when you define a subnet.
00:00
In this case, the front end subnet.
00:00
10.0.0.1, this is the first IP
00:00
in our slash 24 front end subnet range,
00:00
even though we never created
00:00
an explicit gateway with this IP address.
00:00
All routing will be sent to this gateway IP,
00:00
which sits within the Azure fabric and
00:00
all routing will be done by and
00:00
>> through the Azure fabric.
00:00
>> The other two routes were created
00:00
by the Azure and they will
00:00
be used by the Azure software
00:00
and are not relevant to us now.
00:00
[MUSIC] Now,
00:00
let's open a PuTTY session to the management station.
00:00
I need to run some commands and
00:00
>> also show you the status.
00:00
>> Again, we need to log in with
00:00
our admin username and password.
00:00
We're in. Two things.
00:00
First, we are going to enable
00:00
CloudGuard with the command CloudGuard on.
00:00
You need to run this command to make sure it is
00:00
a CloudGuard Management Station or
00:00
else it is just a standard management station.
00:00
I will show you that in a moment.
00:00
CloudGuard IaaS is successfully enabled.
00:00
CloudGuard IaaS is the code name
00:00
for CloudGuard network security
00:00
and threat prevention product.
00:00
The second command that I'm going to
00:00
run is just to show you what the first command did,
00:00
CPWD underscore admin space list
00:00
shows us the Check Point processes that are running.
00:00
The command CloudGuard on
00:00
has started the CloudGuard process,
00:00
which is the controller process.
00:00
This VM is a management station,
00:00
but it's also a controller which will
00:00
make adaptive security easy,
00:00
as explained before in the explanation video.
00:00
SmartConsole has finished downloading.
00:00
You can now start the installation of SmartConsole.
00:00
For time constraints, I will skip
00:00
the installation details in this video.
00:00
I assume you have done it before,
00:00
If not just accept all the default settings.
00:00
Once SmartConsole is installed,
00:00
let's launch it and now we need to log in.
00:00
Again, we provide a username and
00:00
password and also the IP address
00:00
of the management station.
00:00
Select "Proceed" to accept the fingerprint,
00:00
connecting, initializing, launching.
00:00
Almost there. We have lift off.
00:00
Now, you can browse through
00:00
the console to get a feel for it.
00:00
If this is the first time viewing R80.40,
00:00
I will let you explore it on your own.
00:00
Before ending this video,
00:00
let's just recap what we did in this lab.
00:00
In Exercise 2, we deployed
00:00
a CloudGuard Management Station.
00:00
We deployed the Management Station in
00:00
our Azure Virtual Network called myVNET.
00:00
We attached the Management Station directly to
00:00
the front end subnet, 10.0.0.0/24.
00:00
The Azure software assigned
00:00
an IP address of 10.0.0.4/24,
00:00
which is the first IP address
00:00
in a front end subnet range.
00:00
The Azure software also assigned us
00:00
>> a public IP address,
00:00
>> which will be routable from the Internet.
00:00
In my case, it assigned it an IP of 13.82.196.207.
00:00
The Azure software also deployed
00:00
an implied gateway of 10.0.0.1.
00:00
This is a default gateway for myVNET virtual network.
00:00
After installing the Management Station,
00:00
we turn on the controller process
00:00
with the command CloudGuard on.
00:00
We also downloaded and installed
00:00
the SmartConsole client on my office PC.
00:00
After the Management Station was fully installed,
00:00
we then connected through a SmartConsole
00:00
from the office to the Azure Cloud.
00:00
This now concludes the end of Exercise 2.
00:00
In the next exercise,
00:00
we're going to deploy the CloudGuard Gateway.
00:00
I'll see you there. [MUSIC]