Time
4 hours 44 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Hello and welcome to Check Point Jump Start
00:04
Module two,
00:06
where we will look at deploying the Check Point security management solution.
00:11
More than that, what is the security management server? What does it do?
00:17
We'll talk about secure internal communication,
00:21
which
00:22
is used whenever any Check Point component
00:25
communicates with any other Check Point component across a network.
00:32
This is enabled by an internal certificate authority
00:38
that is automatically created and set up
00:41
on the management server.
00:44
We'll also take a quick look at the Check Point operating system, Gaia,
00:49
and the Web user interface that Gaia provides to an administrator
00:54
to configure the device as well as update and maintain the operating system.
01:03
We'll also look at SmartConsole, which is a Windows GUI application
01:11
that the administrator uses to manage the Check Point configuration.
01:15
We'll demonstrate
01:18
the configuration
01:19
of a management server
01:23
In the Check Point security management architecture,
01:30
it's a three-tiered architecture,
01:34
and the administrator
01:36
interacts with the SmartConsole GUI to create security policy, update security policy and so on.
01:47
The administrator then instructs the SmartConsole application to communicate the changes to the security policy to the management server.
01:57
The management server is sort of the keys to the kingdom. It has the complete and authoritative copy
02:06
of your security policy, of your Check Point configuration.
02:10
And then, when instructed, the security management server
02:15
will send the current
02:17
probably updated security policy
02:21
to each
02:23
installation target, which is each security gateway that this policy needs to be sent to.
02:32
Security gateways, by default, send log data
02:38
to the management server,
02:40
and then in a
02:42
larger deployment, you may want to offload the overhead of processing log data from your management server.
02:51
There are options to allow you to do that.
02:54
In order for the Check Point components in this three-tiered architecture to communicate,
03:02
secure internal communication is used, and this is much like
03:08
TLS or SSL
03:10
that we're familiar with from HTTPS, going to secure websites.
03:16
Like TLS,
03:19
secure internal communication uses certificates
03:23
to authenticate
03:25
the peer, the other end of the network connection,
03:30
to ensure that it's the correct
03:32
peer and not an impostor.
03:36
Also, encryption provides
03:39
for confidentiality
03:42
and there are other protections being applied here, such as integrity checks.
03:49
You must have secure internal communication set up and working correctly
03:53
for
03:54
policy installation to occur, for
03:59
log transfer from the security gateway to the management server to occur,
04:04
so
04:05
It depends on the version of Check Point that you're using. Current versions of Check Point
04:12
have moved to
04:13
TLS and are using modern encryption algorithms such as the Advanced Encryption Standard.
04:19
If you have
04:20
older legacy Check Point deployments, they may still be using Triple DES,
04:27
which, though very dated,
04:30
is generally regarded as
04:34
fairly secure.
04:36
But we should think about upgrading.
04:41
So secure internal communication uses certificates just like HTTPS uses certificates, except that both ends of the conversation
04:50
authenticate their identity using a certificate.
04:56
And so for this to happen,
04:58
certificates must be digitally signed by a trusted certificate authority,
05:04
and in a Check Point deployment,
05:06
the trusted certificate authority is an internal certificate authority that
05:12
was created
05:13
on the management server when the management server was first initialized.
05:18
So the management server will handle
05:21
digitally signing the certificates that it's issuing
05:26
to new Check Point security gateways that you're deploying or other Check Point products
05:32
that you're deploying on your network. It also, by default,
05:38
generates digital signatures for VPNs,
05:42
including site-to-site IPsec VPN connections, so that the VPN peers can authenticate each other,
05:49
but also remote access VPN connections. So an individual
05:54
with a laptop
05:56
who needs to have secure communications to headquarters to get to, say,
06:02
their email server
06:04
knows that
06:06
the security gateway they're communicating with is the trusted peer.
06:12
And
06:14
the internal certificate authority can also authenticate the remote user
06:18
using certificate based
06:21
authentication
06:23
to ensure that they are who they claim to be.
06:28
Now the Check Point product
06:31
is delivered as an appliance. The appliance is running something very similar to Red Hat Enterprise Linux. It's based on Linux and it's called Gaia.
06:46
Gaia is the operating system that Check Point products run on.
06:51
Gaia provides a command line interface that simplifies the administration of your Check Point device.
07:02
But
07:02
even better is the Web user interface. The Web user interface is
07:10
an HTTPS website
07:14
that
07:15
provides
07:17
graphical
07:19
administration capabilities.
07:23
And in the top left, you can see the view mode drop-down menu with Advanced selected. There are two modes in which to view
07:32
the Web user interface. Advanced currently is selected. Basic just
07:40
hides some of the less frequently used menu items, so the menu on the left hand side
07:47
is shorter and easier to navigate,
07:50
and you can switch between basic and advanced at any time.
07:57
I talked about the three-tier architecture,
08:01
and at the
08:01
top of that is the SmartConsole application. This is a Windows
08:07
GUI
08:09
application that
08:11
the security administrator uses to
08:15
create and manage security policies, but also to monitor what's going on with your Check Point deployment.
08:22
You can be notified of software updates that are available and install those.
08:28
You will also use SmartConsole to add new security gateways and other Check Point
08:35
devices.
08:37
And in a very large deployment if you have the multi domain management server feature,
08:45
SmartConsole seamlessly works with
08:48
multi-domain management.
08:50
That's beyond the scope of this course.
08:54
Inside of SmartConsole,
08:58
on the left hand side, there are
09:01
four major views, or tabs.
09:07
Then, at the very top left corner, there's a main menu that allows you to access additional functionality in SmartConsole.
09:18
Next to that, under three,
09:20
at three, is the Objects menu, which allows you to create, manage,
09:26
delete and find or search for objects that are used in your rules
09:33
to determine if a connection matches the rule
09:37
or not.
09:37
At four is the Install Policy button,
09:43
and
09:43
you would click on that button when it is time to deploy your updated security policy to selected security gateways.
09:54
When you make changes to your security policy in SmartConsole,
09:58
they are not effective until you have successfully installed policy.
10:07
Above number five, the session details menu allows you to see details about the current administrator session logged into SmartConsole,
10:18
including
10:20
changes that have been made or whether or not changes have been made
10:24
Over on the right hand side, at six,
10:28
is a configurable view; in this case objects are being viewed,
10:35
that provides another way of interacting with objects: creating,
10:41
modifying and deleting objects.
10:46
At the bottom, the management activity bar shows the current administrator who's logged in. At the very bottom right, you can see that it's CP Admin, and this administrator currently has no unpublished changes pending. We'll talk about publishing.
11:03
You can also see the IP address or host name of the management server that this administrator is connected to,
11:11
and
11:13
over on the bottom left,
11:16
you can see the status of tasks such as policy installation
11:22
that have been performed, and in this example, two of those tasks were not successful.
11:28
So we can click that message and get more information about
11:33
what wasn't successful and why that
11:37
wasn't successful.
11:37
And finally, on the left hand side at eight,
11:41
we can access
11:43
command line functions from SmartConsole,
11:48
including Check Point's application programming interface, which allows you to script operations
11:56
that
11:56
perhaps might be just too tedious or labor intensive in the GUI.
12:05
So in SmartConsole, on the left hand side, there are four major views,
12:11
and we've selected the first one, Gateways and Servers.
12:13
There's also Security Policies, Logs and Monitor,
12:18
and Manage and Settings.
12:22
In this Gateways and Servers view,
12:26
you get an overview of your Check Point deployment, all of the Check Point products
12:33
that
12:35
this management server is managing,
12:37
and at the bottom you can see A-SMS. That's the management server itself. It knows about itself.
12:46
And then above that there's a gateway cluster, which is not a physical appliance. Instead, it's a cluster object that represents
12:56
your high availability cluster that you've deployed. That high availability cluster is implemented by two individual security gateway appliances,
13:07
a gateway 01 and a gateway 02.
13:09
On the left side, you can see the status column, which gives a quick indication as to the health of each Check Point device.
13:18
So
13:20
the management server has a warning. That's the yellow triangle, whereas
13:24
a gateway 01 has a critical issue. That's the
13:30
circle with an X in it.
13:33
A gateway 02 has a warning. But the cluster itself
13:37
displays the status of the most severe warning of any cluster member. So, given a warning and a critical issue,
13:45
it's going to display that there is a critical issue. And if you select
13:50
one of the Check Point devices listed in this status display
13:56
at the bottom of this SmartConsole window, you will get additional information
14:01
about
14:03
that device. So in this case,
14:05
on a gateway 01
14:09
we can see its
14:11
IP address. Stand out. One don't want up to. The current policy package that has been installed on this security gateway is named based connectivity test, and that was installed on the date shown,
14:26
and under license status, if you click on that, it will bring up a screen that tells you, apparently, what's wrong with four software blades, which we'll discuss,
14:35
on a gateway 01,
14:37
and over to the right a little bit, if you click on device and license information,
14:43
you get more information, which you can drill down into.
14:48
Up at number two is a
14:50
search field where you can find a specific, say, security gateway
14:56
by name or by IP address,
15:01
which provides a quick way of locating, in a very complicated Check Point deployment with many, many hosts, the specific host that you want to interact with.
15:15
In the security policies tab,
15:18
you have one or more tabs, and in this case, only one tab is really displayed. This
15:24
tab is labeled Standard.
15:26
That's the name of a policy package, which we'll talk about.
15:33
And that's the default policy package that's created when you deploy your management server.
15:37
This Standard policy package contains both access control policy and threat prevention policy. We've highlighted
15:48
one of the access control policies, and you can see that that policy consists of one rule,
15:54
and it's named the Cleanup rule. We'll talk about the cleanup rule a little bit.
16:00
The cleanup rule is a best practice rule that
16:03
Check Point automatically adds to
16:07
new policy packages.
16:10
The cleanup rule
16:11
always matches: all of the matching columns, such as source and destination and services,
16:18
are set to any or the equivalent of any.
16:22
So
16:23
when we evaluate your rules,
16:26
if we get to the cleanup rule, it will always match.
16:32
The way that Check Point evaluates rules is it starts at the first rule. Rule number one, does it match? If so, I'll do what that rule says. Then I'll stop evaluating the rules in this layer, and we'll talk about that. If it doesn't match, we'll go to rule number two. Does it match? And we'll keep doing that until we find a rule that matches.
16:52
The function of the cleanup rule is to be the very last rule in your policy.
16:59
So
17:00
before the cleanup rule is encountered, we had to evaluate
17:03
and not match all of your other rules.
17:07
The cleanup rule should always match, so it's the last stop,
17:15
and its action should be to drop traffic.
17:19
So this
17:21
provides a default deny security policy.
17:26
If we don't have a rule that matches, that
17:30
explicitly allows a connection,
17:33
then we will drop through all of our rules till we get to the cleanup rule. That rule will always match, and so it will deny, drop, the connection.
17:44
And you can't see it, but over on the right past the action column is a track column.
17:49
Best practice is that the track column should be set to log connections that have matched the cleanup rule,
17:59
because if you get to the cleanup rule, that implies that
18:03
you did not match any of the rules above,
18:07
which really means that the traffic that
18:10
matched the cleanup rule was unanticipated.
18:12
Anticipated traffic
18:15
we write rules for. So this would be traffic that we weren't expecting.
18:19
And it's useful to know: are we getting traffic that we weren't expecting?
18:25
And in order to know that, you have to log the rule.
18:30
We'll talk about logging in another module.
18:36
Also, at number three, you can see a couple of buttons to add rules. We can add a rule at the top of our
18:45
rule set. We can add a rule at the bottom, or if we've selected a rule, we can add a rule above it or below it.
18:52
And then at four, you can see additional tools. Some of these may open up a related GUI application
19:00
to control whatever functionality you've selected.
19:06
Then on the left hand side, if we select the Logs and Monitor tab, or the Logs and Monitor view, again we get tabs.
19:14
In this case, there are three tabs displayed and the one that's selected is General Overview,
19:19
and this General Overview tab is actually
19:23
showing you information from
19:27
a feature, a product named SmartEvent. SmartEvent
19:32
analyzes
19:33
incoming security logs from your gateways, but also from other things, such as Microsoft servers or network infrastructure,
19:44
and does event analysis to determine: okay, the logs I'm seeing,
19:49
is there something significant here? Something a human should be aware of?
19:56
SmartEvent makes it really easy to prioritize your attention.
20:02
For instance,
20:03
events are categorized by severity, critical, high all the way down to very low severity,
20:11
and so you would typically react first to the critical severity event.
20:17
Also, SmartEvent will tell you
20:21
what specific types of attacks or malware
20:26
got through your policy
20:26
because you matched a rule that said allow, or you don't have some functionality enabled that would have stopped it. This is something we recognized, but it got through.
20:40
The Logs tab, which isn't selected here, shows you firewall logs, and we'll talk about that
20:45
in a future module
20:48
And then on the left hand side, the Manage and Settings view
20:53
has
20:56
the list of Check Point administrators, and you can see that there are five displayed here
21:03
with the first one, admin, selected. The admin administrator is actually special. It's
21:10
automatically created
21:11
when your management server is initialized.
21:15
And then you would launch SmartConsole and authenticate as the admin administrator,
21:23
and four additional administrators have been created: Walter, Saul, Jesse and Skyler.
21:32
Additional administrators
21:33
can be assigned to different administrator permission profiles. And in this case, everyone has been assigned the Super User profile, which has read-write access to everything.
21:48
But the principle of least privilege says you should give only the access, only the permissions,
21:56
necessary
21:56
for an individual administrator to do their job duties and nothing more.
22:02
So, for instance, Skyler may be a help desk technician
22:06
who doesn't need to be able to modify your security policy. They just need to be able to look at logs, and that's it.
22:14
So you can create an administrator permission profile
22:17
for, say, help desk technicians that limits their access to read-only views of your logs. Nothing more.
22:26
In addition to the SmartConsole GUI application, which is your main interface
22:34
into the Check Point
22:37
product,
22:38
there are also other related
22:42
Windows applications that are installed
22:45
with SmartConsole
22:47
that handle more specialized things, such as the SmartEvent client, which allows you to configure the SmartEvent product,
22:56
for instance,
22:57
configure event policy: what should cause an event to be logged and what should we not bother with.
23:06
SmartView Monitor, which allows you to see
23:08
what
23:10
is going on on a security gateway in real time with detail. For instance, what sort of traffic
23:17
is my security gateway processing?
23:19
Is it
23:19
HTTPS? Is it Windows file sharing?
23:25
It also allows you to see
23:26
which users are remotely VPN'd into the security gateway. Where are they coming from?
23:33
What client are they using?
23:37
SmartDashboard is sort of the legacy predecessor to SmartConsole,
23:42
and as such,
23:44
it is still invoked by SmartConsole to handle some functionality
23:48
that is either considered legacy or that SmartConsole doesn't implement, such as configuring HTTPS inspection policy.
23:57
When should
24:00
Check Point
24:00
intercept and decrypt HTTPS traffic and when should it not?
24:08
Now, when you log in to SmartConsole,
24:12
you are authenticating
24:15
as a Check Point administrator.
24:18
There is one
24:21
built-in default administrator account with, by default, the user name admin,
24:27
and in production, you're not going to have all of your firewall administrators logging into the same account.
24:36
The principle of least privilege and other security concerns
24:40
mean that as a best practice, you should have individual accounts for each Check Point administrator.
24:47
And those accounts are assigned permission profiles,
24:49
which limit their privileges to just what they need to do their job.
24:56
For instance,
24:57
a given Check Point administrator may not require
25:02
the privilege of changing other Check Point administrators' passwords,
25:07
so a permission profile could be applied that doesn't
25:11
permit that.
25:12
When you log in to SmartConsole as an administrator, a session is created, and that session tracks
25:19
what you have done thus far.
25:23
If for some reason you are disconnected from the management server,
25:29
SmartConsole will tell you, and it will exit.
25:33
But if you reconnect
25:36
and log in as the same Check Point administrator, you can resume that session. And so all changes
25:42
that you have made thus far will still be there.
25:47
On the other hand, if you, say, leave yourself logged in
25:51
with your Check Point administrator account on your
25:53
work desktop
25:56
and then
25:57
it's evening, you're at home, and something arises that you have to sign in for.
26:03
So you start up your work laptop
26:07
and connect via SmartDashboard over the VPN
26:11
to the management server as the same Check Point administrator, it will tell you there's already an administrator with an existing session who's currently connected,
26:21
and you can take over that session, disconnecting the administrator who's logged in from your
26:26
desktop.
26:27
Or you can
26:30
log in read-only, or abort the connection.
26:33
So
26:36
each Check Point administrator can only be
26:38
logged in once, only have one session.
26:41
On the other hand,
26:44
if you have multiple Check Point administrators defined,
26:48
those administrators can all have their own session,
26:53
and they can all be making changes simultaneously
26:59
On the top
27:00
screenshot here, the DMZ rule
27:03
has a pencil icon.
27:07
What that indicates is
27:10
the administrator
27:11
who is
27:12
logged into that display, Dan in this example,
27:17
has made some change to the DMZ rule.
27:21
And so the pencil icon means that you have an unpublished change here.
27:26
Other administrators who are looking at the same part of SmartConsole,
27:33
they will see a padlock icon
27:36
at the DMZ rule. The DMZ rule cannot be edited by them
27:41
because it's locked for edits by the first administrator who made a change in this case, Dan.
27:48
Now, when Dan publishes his changes,
27:52
other administrators will see those changes. So for instance, in this example, Dan changed the action of the DMZ rule
28:02
from drop to accept, and Dan could see that because, well, it was done in his session.
28:07
But since Dan hasn't yet published that change,
28:11
other administrators such as Mike
28:14
will see the original
28:15
status of the rule. In this case, it has an action of drop,
28:19
and they will see a padlock icon, which means somebody else is working on this rule, but they haven't published it.
28:26
That's a significant feature that R80 added: the ability to have multiple read-write
28:33
concurrent
28:34
administrators logged in simultaneously.
28:41
I'll demonstrate how to install
28:45
a management server and
28:48
download and install SmartConsole
28:52
and then log in to the management server via SmartConsole.
28:57
So in this scenario,
29:00
I have a brand new management server appliance
29:04
that
29:06
has not yet been configured except
29:08
it has an IP address.
29:11
And it has
29:12
operating system administrator credentials
29:18
using the default built in
29:19
operating system administrator
29:22
admin.
29:26
I'm now going to open up the Web user interface
29:30
and note that I get
29:32
an HTTPS warning here
29:36
that the certificate authority is invalid.
29:38
And that's not surprising considering that I'm talking to an HTTPS Web server
29:45
on a Linux host
29:48
that just initialized itself. So it created its own certificate authority, unrelated to
29:55
the internal certificate authority that the Check Point management server software creates.
30:00
This is just a Web server
30:03
certificate authority,
30:06
and the Web server certificate authority signed the digital certificate for this HTTPS Web server,
30:14
but I don't know that certificate authority. So I get this HTTPS warning,
30:21
and I'm going to do what
30:22
pretty much every user does and just
30:25
click through the warning.
30:26
But I would say a best practice in production is you do not want to routinely be doing sensitive administration
30:34
operations
30:37
over untrusted HTTPS connections. It's unlikely that you're talking to
30:45
a man in the middle or other malicious actor who is attempting, for instance, to steal your user name and password.
30:53
But
30:55
why not be sure? So you might want to look into either
31:00
adding the appliance's
31:03
Web server certificate authority as a trusted certificate authority, which is
31:07
easy enough to do, or having your Web server certificates on your appliances digitally signed
31:15
by a trusted certificate authority such as, perhaps, maybe your Active Directory
31:21
certificate authority,
31:22
something that your Web browsers
31:26
will trust.
31:26
All of that is beyond the scope of this Jump Start training,
31:30
but as mentioned, it is something you might consider.
31:34
So when I first installed this management server appliance,
31:40
as I said, I used the built in administrator account, the default administrator account that it presents,
31:47
and I set a password.
31:48
And
31:51
actually there is very little password complexity checking done. It does want you to choose a reasonably secure password,
31:59
and here I'm using an eight character password with both
32:04
letters and numbers and even some punctuation.
32:07
But still eight characters is kind of short.
32:10
You may want to choose a more secure password,
32:15
so this management server appliance
32:20
has been installed. It has an operating system,
32:23
but it has not yet had the first time wizard
32:29
run.
32:30
And so
32:31
when I log in to the Web user interface, it's going to require that
32:37
I go through this first time configuration wizard.
32:43
Now,
32:44
I'm installing the R80.30 version of the Check Point product,
32:49
and I'm going to click through some of these options.
32:53
So now it wants me to configure the management connection, the management interface that I'll be using to manage this
33:01
management server, and I'm just going to take all of the defaults. These defaults come from when I first installed the operating system on this appliance.
33:13
I gave it
33:14
an IP address, a subnet mask, and told it which network interface to use.
33:21
Now here with the host name,
33:23
choose wisely. You don't want to have to ever change this host name. It's certainly possible, but it's something of a pain to do so,
33:31
and so I'm just going to use an example host name, A-SMS.
33:37
You'll see that
33:37
throughout the Check Point training material. If you attend our
33:45
CCSA, Check Point Certified Security Administrator, course, which I strongly recommend,
33:51
you'll see A-SMS used there.
33:54
Domain name is optional; that's used for DNS.
34:00
What we do need is DNS servers.
34:04
So I'm going to type in a couple,
34:07
just one, I think.
34:14
And if you have a Web proxy that must be used to get out to the Internet, you can configure that here.
34:22
Best practice would be to use the Network Time Protocol, NTP,
34:30
and set the time zone correctly. This is a trap. If you're in the United States, for instance, the time zone looks like it's right, but it's actually the time zone for central Canada.
34:43
I'm going to go ahead and for this demonstration, set the time manually, and we'll call this time good
34:51
and
34:52
I'm going to go ahead and choose the time zone appropriate for me. It doesn't really matter that much
35:00
where you are. Just choose the time zone for where you are. That way the times are all correct.
35:10
Now, here on a management server, I have to tell it: are you going to be just a regular management server
35:19
or a multi domain server?
35:22
Multi domain servers
35:24
allow a large
35:27
organization or a
35:30
hosting company, or what have you,
35:32
to have
35:35
essentially virtual management servers for their customers,
35:39
one for Company A, one for Company B, one for Company C,
35:43
that are all running on the same physical appliance.
35:46
Then Company A can have their administrators
35:50
log in to their
35:52
virtual management server
35:55
and manage their appliances, and so can Company B and Company C.
36:00
If you don't know what I'm talking about, you're not using multi-domain. If you are using multi-domain,
36:07
I'm not going to go into the details of multi-domain.
36:10
But most of what I demonstrate is still applicable
36:16
And starting with R80,
36:19
you have to
36:20
have the correct operating system for the type of appliance this is going to be. If you purchase a Check Point appliance, don't worry about it. It's already done.
36:31
I'm not actually using a Check Point appliance. I'm using a virtual machine, a so-called open server.
36:39
And so I had to download the R80.30 management installation image, which is distinct from the R80.30 security gateway image.
36:51
Because of that, security gateway is not an option here.
36:54
Also, since this is not a security gateway, clustering is not relevant.
36:59
But
37:00
I have to define this management server as one of three choices: primary, secondary, or log server/SmartEvent.
37:10
Unless you already have a management server, you'll always want to use the default, primary.
37:16
Secondary is when you want to do so-called management high availability, where you have
37:22
two management servers. Only one is read-write; only one is active at a time.
37:29
But
37:30
if one of your management servers suffers, say, a hard drive failure,
37:35
you don't lose everything,
37:37
because it automatically replicates changes that you make to the primary or active management server
37:44
to a secondary management server.
37:46
Well, I don't have any management servers deployed at this point, so I'm going to stay with the default
37:52
primary,
37:53
Then there's a check box here, automatically download blade contracts and other important data. We're just going to leave that.
38:01
Then for the Check Point level configuration. Let me just
38:07
backtrack a little bit.
38:09
Check Point has two levels of configuration, which is a bit
38:14
surprising.
38:15
Once you wrap your mind around it, you can work with it. There's operating system level configuration, such as the IP address of a network interface, routes that you've defined,
38:28
and there are operating system level users.
38:31
So when I signed into this Web user interface, I signed in as the operating system level user admin
38:40
with the password for that operating system level admin.
38:44
But this screen is asking me, we need to create that
38:47
default Check Point administrator,
38:52
the built-in one that is sometimes referred to as the administrator,
38:57
and
38:58
by default here, I can just use the operating system administrator user name
39:05
and password, which is convenient. Now I don't have two different admin accounts, perhaps two different passwords. If I ever want to change the
39:14
password for the admin account, I don't have to worry about doing it in two places.
39:17
When I sign in to the management server using
39:22
SmartConsole,
39:23
I will use my Check Point administrator credentials, but
39:29
it lets them be the same as the operating system administrator credentials,
39:32
which is convenient. But if I don't want to do that, then I can use a different user name with a unique
39:38
password.
39:45
Also, we can restrict which IP addresses can log in to the management server using the GUI clients such as SmartConsole,
39:55
and best practice would be to restrict
39:59
the list of IP addresses to at least a subnet.
40:02
You can also just give a specific range of IP addresses, say 192.168.1.12 through 17.
40:14
For the ease of this demonstration,
40:15
I'm going to ignore best practice and say any IP address.
40:19
Now, your management servers should be behind a security gateway, and your security gateway should not be allowing, say, the Internet to connect
40:28
to your management server's IP address.
40:30
This is another layer of security, and we like having multiple layers of security in case one layer is breached.
40:37
So
40:38
this product, this device that I'm going to be installing, is going to be installed as a management server, a primary management server.
40:49
There's another check box here: improve product experience by sending data to Check Point.
40:54
So
40:55
if you want more information, you can click on the provided link.
40:59
But this allows Check Point to track, for instance, issues that are happening.
41:06
I'm just going to go ahead and leave that checked and click Finish.
41:09
I get prompted to make sure I want to continue with the first time wizard configuration. I do,
41:17
and it will run. I'll go ahead and pause while this configuration runs its course.
41:25
So the first time wizard has successfully completed
41:30
and
41:30
the management server is
41:34
ready for use.
41:36
This were a security gateway. It would have to restart the operating system,
41:39
but a management server doesn't need to do that.
41:45
So now, with the first time wizard completed,
41:49
we'll get the regular Web user interface.
41:53
And
41:54
again you can see the
41:58
view mode dropdown here.
42:00
If we change it to Basic, it really just hides...
42:06
Oh,
42:07
the point.
42:07
It is not completely finished loading, so I'm just going to let it completely finish loading.
42:17
All right. It was just sort of slow to load the basic view because it's a virtual machine.
42:23
But you can see that the left hand menu has
42:28
shrunk, not as many things listed.
42:30
So what is listed are the most usual things that an administrator would need to access.
42:37
Switch it back to the
42:40
full advanced view,
42:43
and
42:45
let it reload the Web page.
42:47
And then we'll talk a little bit about some of the functionality that the Web user interface provides,
42:54
so you can manage the network hardware on the appliance
43:00
and on a management server, there's not usually a whole lot to manage. A management server typically has a management interface,
43:07
and
43:08
that's already set up
43:10
so that you can access the Web user interface in the first place.
43:16
One thing I'm going to do, just for my ease of use, is here under System Management, Session.
43:24
The Web user interface will automatically time out after 10 minutes of no activity, and I'm just going to ramp that up to some unreasonable value.
43:35
And if I log in to the command line interface of the Gaia operating system,
43:39
that too has a timeout defaulting to 10 minutes. I'm going to set that to something completely unreasonable as well. In production, in the real world, you would not do this. You would choose a more sensible inactivity timeout.
43:53
Maybe 10 or 15 minutes isn't long enough, so we'll set it to 30 minutes or an hour. But
44:00
multiple days is probably not reasonable.
44:04
You need to apply your changes
44:07
for them to be effective. And so what Apply just did was send my changes as essentially
44:15
CLI commands
44:15
to this Gaia host, the management server,
44:20
and it applied my changes through the CLI and
44:23
saved the changes, so they're permanent.
44:28
My changes are now in production and they're permanent. They'll survive a reboot,
44:37
and I can also configure users. In this example,
44:42
on a brand new server, there are two administrators by default,
44:47
okay,
44:49
the admin account and the monitor account. The monitor account is actually
44:52
disabled,
44:55
but
44:57
the admin account
45:01
has
45:02
assigned to it
45:05
a role.
45:07
So the
45:08
roles, this is role-based access control,
45:12
determine what privileges
45:15
an account has.
45:16
I have
45:17
only the privileges assigned to the admin role, which, as it turns out, is all privileges. But again, principle of least privilege.
45:27
If
45:28
I have an application or an employee who needs to be able to log into either the CLI or the Web user interface of a Check Point host,
45:37
they don't need all privileges. I can create a role
45:44
that,
45:45
specifically with
45:45
granularity,
45:47
defines what that
45:51
administrator can do.
45:52
I define the role, then I create the administrator account for that employee,
45:58
and I assign the administrator role to that account.
46:01
Now, some things here are grayed out because this is the built-in admin account, which
46:07
you're not allowed to mess with.
46:09
One thing that I can mess with is the shell.
46:14
By default, the administrator account is given what
46:17
Check Point calls clish, the command line interpreter shell.
46:22
And this is a restricted shell that,
46:24
among other things, doesn't really do file paths. It allows you to do the administration via the CLI,
46:32
but for a lot of things. I want regular command line access
46:38
so you can change the shell of the administrator account to be the standard Linux shell, bash, the Bourne Again shell.
46:47
You can also create an additional account, a new account, assign it the admin role and give that account
46:57
bash as its shell.
46:59
A third option is in clish. There's an expert mode command: if you type expert in clish,
47:07
it will prompt for a password and then, once successful, will just give you a bash shell. And if you exit out of the bash shell, you're back in clish. That's another option.
47:22
Ah, this nologin here at the bottom is one way to disable an account.
47:30
Another thing I wanted to point out here under upgrades
47:35
is CPUSE. CPUSE is a fairly recent
47:40
addition. The Check Point Upgrade Service Engine
47:45
allows a Check Point host like this management server to reach out to Check Point servers
47:53
and discover if there are any patches or hot fixes or new operating system versions
48:00
that are available that are appropriate for this host. And if so, they'll be listed here.
48:07
You can configure the behavior to not automatically go out and check, and instead check when I tell you to.
48:15
It will not install
48:17
updates until you tell it to. With one exception
48:22
By default, updates
48:24
to the CPUSE
48:27
module itself are automatically installed as they're encountered,
48:32
and you can disable that if you want to. But best practice is to allow that to happen, and CPUSE will always be the latest version.
48:45
So the default is we're not going to download, we're not going to install anything. You can tell CPUSE it's OK to download, but do not install,
48:53
and that's sometimes useful. That way you don't have to wait for the download to complete.
49:00
Next, I want to install SmartConsole. I could download SmartConsole from Check Point's website.
49:06
It's also available here in the Web User interface.
49:09
Oh,
49:10
I'll just do that.
49:14
I'm going to go ahead and pause while the download is running, because that will take a bit. This is a big executable
49:22
and will continue as soon as it's done.
49:29
At this point, the SmartConsole executable file has been downloaded
49:35
from the management server to my Windows desktop.
49:38
Not a small file, 450 meg or so,
49:44
and I started the installer.
49:47
And as part of the start up process of the installer,
49:53
it's detected that there are several prerequisites that I do not currently have installed.
50:00
That's pretty common,
50:01
so I'm going to go ahead and allow the installer to run
50:06
and then we'll resume.
50:09
So SmartConsole has successfully installed all the prerequisites and then the application suite itself,
50:17
and I told it
50:19
to continue launching.
50:21
So now it's presenting me with a login screen. And so I have to provide the user name of the Check Point administrator, and I'm using the built-in admin,
50:34
the password for that administrator account,
50:37
and the first time you also have to provide the IP address or host name of your management server.
50:44
Now, when I click Login,
50:46
SmartConsole initiates a SIC connection
50:51
to the management server.
50:52
SmartConsole doesn't have a certificate at this point, so it will use the password to authenticate.
51:00
I'll pause while I'm waiting for my virtual machine to
51:05
Finish connecting.
51:07
SmartConsole has successfully connected to the management server.
51:13
The management server provides
51:16
a certificate for its side of SIC,
51:20
but at this point it's signed by the internal certificate authority that exists on the management server, which my SmartConsole application
51:30
doesn't know about.
51:30
So I'm prompted to verify the fingerprint, which is a set of short words that are derived from the digital values of the certificate authority,
51:45
and what one would do
51:46
would be you would
51:50
log in to the CLI of the management server
51:53
and
51:55
bring up the fingerprint of the certificate authority and compare: is what I'm seeing on the management server the same string of words that I'm seeing here?
52:06
That's the old school way of verifying the certificate fingerprint.
52:12
With R80, you can sign into the management server's Web user interface
52:17
and the certificate authority
52:21
fingerprint is available there on the left-hand side menu,
52:25
management server only.
52:30
So at this point SmartConsole has successfully launched for the first time,
52:36
and it brings up a What's New window,
52:38
which you can dismiss.
52:42
But you can also get back
52:45
by clicking down here on What's New.
52:50
And
52:51
that concludes the demonstration for setting up a management server.
52:54
Thank you.
52:59
So in this module we talked about management
53:02
and Check Point's security management architecture, which again has three tiers. The
53:07
GUI,
53:08
the SmartConsole application, which communicates with
53:13
a security management server
53:15
and that security management server in turn installs security policy
53:21
on your security gateways, your firewalls, when instructed,
53:24
and all of this is accomplished over secure internal communication,
53:30
which provides
53:32
well, secure communications between any two Check Point devices across the network.
53:39
Secure internal communication relies on the internal certificate authority
53:45
that is created on your management server.
53:49
We also looked at Gaia, the Check Point operating system, briefly, and the Web user interface
53:55
that Gaia provides to make it easier to administer your Gaia operating system,
54:04
and SmartConsole, the
54:06
Windows GUI application that allows you to administer your Check Point configuration.
54:13
Thank you very much for attending this module of Jump Start training.

Check Point Jump Start

In this course brought to you by industry leader Check Point, they will cover cybersecurity threats and elements of Check Point's Security Management architecture. This course will prepare you for their exam, #156-411, at Pearson Vue.

Instructed By

CheckPoint
Instructor