Checkpoint Firewall-1 Installation
- Before installing the Checkpoint Firewall-1 software, make sure that Solaris is running the 32-bit kernel (FW-1 does not support running under the 64-bit kernel) by setting
the OBP bootprom variable "boot-file" to "kernel/unix" (eeprom boot-file=kernel/unix from Solaris, or setenv boot-file kernel/unix at the ok prompt). You will need to reboot for this change to take effect; after the reboot, "isainfo -kv" should report a 32-bit kernel.
- Next, edit the local /etc/hosts file and add the IPs/names of all the other firewalls. Add an entry for the management station too.
- The FW-1 CD-ROM image is located on the jumpstart server. NFS mount it and then run the install program.
# mount pr-as-2:/opt/images/fw1 /mnt
# cd /mnt
# ./InstallU
- After installation, reboot the server.
Installing SP3
- NFS mount the FW-1 CD-ROM image again, install the patch and then reboot.
# mount pr-as-2:/opt/images/fw1 /mnt
# cd /mnt/SP3
# patchadd CPFWSP41003-01
- After the reboot, log in and type "fw ver" to show the FW-1 version. If the SP3 installation has been successful you will see:
This is Check Point VPN-1(TM) & Firewall-1(R) Version 4.1 Build 41814 [VPN + DES]
- Open the FW-1 GUI and install the firewall's policy (or type "fw fetch m-fw-2" on the firewall console to pull the policy from the management station m-fw-2).
Installing Stonebeat FullCluster
Configure the Cisco switches
- Add static MAC address table entries for the cluster multicast MAC to the Cisco switches. Without them the switch floods every frame for that address to all ports in the VLAN; with them the frames go only to the firewall ports.
cisco-switch> enable
cisco-switch# configure terminal
cisco-switch(config)# mac-address-table static mmmm.mmmm.mmmm fastethernet0/x fastethernet0/y fastethernet0/y2 fastethernet0/y3
This command says that any frame arriving on port x with destination address mmmm.mmmm.mmmm will be sent to ports y, y2 and y3. The entry applies only to the in-port given, so repeat it for every port that carries traffic towards the cluster.
eg. The firewall multicast address is 01:00:5e:8c:d0:21 (0100.5e8c.d021 in Cisco notation) and the firewalls are plugged into ports 4 and 5. A web server is plugged into port 1.
cisco-switch(config)# mac-address-table static 0100.5e8c.d021 fastethernet0/1 fastethernet0/4 fastethernet0/5
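The helpers below are an added example, not part of the original notes, and do the address arithmetic behind this step: they check that an address really is an Ethernet multicast address (I/G bit set, i.e. an odd first octet), convert between the colon form sbfcconfig asks for and the dotted form IOS uses, derive the RFC 1112 MAC for an IPv4 multicast group, and print a mac-address-table line in the same form as above. The MAC and port numbers are taken from the example above; the IOS command form is copied from the notes and not checked against any particular switch model. Note that 01:00:5e:8c:d0:21 is a valid Ethernet multicast address but lies outside 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff, the block that IPv4 multicast groups map onto, so it cannot collide with a real IP multicast group on the segment; the derivation helper shows what an IP-derived address would look like instead.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the multicast MAC
# used by a Stonebeat FullCluster set. Validate it, convert between the colon
# form (sbfcconfig) and the dotted form (Cisco IOS), and emit a static
# mac-address-table line in the same form as the notes.

# Convert aa:bb:cc:dd:ee:ff -> aabb.ccdd.eeff (Cisco IOS notation).
mac_to_cisco() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    [ ${#hex} -eq 12 ] || { echo "bad MAC: $1" >&2; return 1; }
    printf '%s.%s.%s\n' "$(printf '%s' "$hex" | cut -c1-4)" \
        "$(printf '%s' "$hex" | cut -c5-8)" "$(printf '%s' "$hex" | cut -c9-12)"
}

# Ethernet multicast = I/G bit set, i.e. the first octet is odd.
# 01:00:5e:8c:d0:21 is multicast; 08:00:20:ab:cd:ef (a Sun unicast MAC) is not.
is_mcast_mac() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 1 )) -eq 1 ]
}

# Derive the RFC 1112 MAC for an IPv4 multicast group: 01:00:5e + low 23 bits.
# ip_to_mcast_mac 224.12.208.33 -> 01:00:5e:0c:d0:21
ip_to_mcast_mac() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] && [ "$1" -ge 224 ] && [ "$1" -le 239 ] 2>/dev/null \
        || { echo "not an IPv4 multicast group" >&2; return 1; }
    printf '01:00:5e:%02x:%02x:%02x\n' $(( $2 & 127 )) "$3" "$4"
}

# Emit the switch command: frames for the cluster MAC arriving on in-port $2
# are sent only to the listed firewall ports instead of being flooded.
# cisco_static_entry 01:00:5e:8c:d0:21 1 4 5
cisco_static_entry() {
    mac=$1; in_port=$2; shift 2
    is_mcast_mac "$mac" || { echo "refusing: $mac is not a multicast MAC" >&2; return 1; }
    line="mac-address-table static $(mac_to_cisco "$mac") fastethernet0/$in_port"
    for p in "$@"; do line="$line fastethernet0/$p"; done
    printf '%s\n' "$line"
}
```

Run cisco_static_entry once per in-port that sends traffic to the cluster (the web server's port 1 in the example above), since the static entry is keyed on the in-port as the notes describe.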
Configure Firewall-1 for Stonebeat
- Enable Firewall-1 state synchronisation by editing /opt/CPfw1-41/conf/sync.conf and entering the IP address of the other firewall in the set. State sync copies the connection table between the two members, so run it over a dedicated, isolated network rather than one of the production segments.
- Add a line "sbif accept" to /etc/fw.boot/ifdev
- Open fwui on the management station and create the gateway cluster objects.
Make sure the rule base permits the Stonebeat heartbeat and control connections between the members over the control interface before the policy is installed.
- On the firewalls, delete the route to the directly connected network that goes through the cluster IP address. These routes come back at boot, so add an rc script, /etc/routes, to delete
them again on startup.
/etc/routes
# Delete route for stonebeat fullcluster
route delete ip-address ip-address
route delete ip-address ip-address
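The addresses in /etc/routes above are placeholders, so as an added example (not the original script) here is one way to write it without hard-coding them: the function reads netstat -rn output, picks out the interface routes (flag U without G) whose gateway is one of the cluster IPs given as arguments, and prints the matching route delete commands for review or for piping to sh. The sample netstat output and the 192.168.x addresses are constructed for the example and are not the site's values.

```shell
#!/bin/sh
# Added example, not the original /etc/routes: remove the interface route that
# Solaris adds for the connected network with the cluster IP as its gateway
# (the route the notes say to delete). Cluster IPs are passed as arguments
# because the real ones are placeholders in the notes.
#
# Solaris 'netstat -rn' prints one route per line:
#   Destination  Gateway  Flags  Ref  Use  Interface
# An interface route has flag U but not G; a route via a gateway has UG.

# Read 'netstat -rn' output on stdin; print one 'route delete' command for each
# interface route whose gateway is one of the cluster IPs given as arguments.
# Nothing is executed here, so the output can be reviewed or piped to sh.
route_deletes_for_vips() {
    while read -r dest gw flags rest; do
        case "$dest" in
            Routing*|Destination|-*|default|'') continue ;;   # headers and default
        esac
        case "$flags" in
            *G*) continue ;;                                  # gateway route, keep it
        esac
        for vip in "$@"; do
            if [ "$gw" = "$vip" ]; then
                printf 'route delete %s %s\n' "$dest" "$gw"
            fi
        done
    done
}

# Constructed sample of what one member might show, with made-up cluster IPs
# 192.168.10.1 (qfe0) and 192.168.20.1 (qfe1) plumbed as logical interfaces.
SAMPLE_NETSTAT='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.10.0         192.168.10.21        U        1    345  qfe0
192.168.10.0         192.168.10.1         U        1      0  qfe0:1
192.168.20.0         192.168.20.21        U        1    210  qfe1
192.168.20.0         192.168.20.1         U        1      0  qfe1:1
default              192.168.10.254       UG       1   1234
127.0.0.1            127.0.0.1            UH       4   5678  lo0'

# Wrapper over the constructed sample, so the result can be checked without netstat.
sample_route_deletes() {
    printf '%s\n' "$SAMPLE_NETSTAT" | route_deletes_for_vips 192.168.10.1 192.168.20.1
}

# On a live firewall the rc script body would be:
#   netstat -rn | route_deletes_for_vips <cluster-ip-a> <cluster-ip-b> | sh
```

Only the two routes via the cluster IPs are printed; the routes via the members' own addresses, the default route and loopback are left alone.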
- Add the following to root's profile
SBFCHOME=/opt/fullcluster
export SBFCHOME
PATH=${PATH}:${SBFCHOME}/bin
export PATH
- Reboot the server
Installing Stonebeat Packages and running the configuration program
- Install the Stonebeat FullCluster packages from the jumpstart server.
# mount pr-as-2:/opt/js /mnt
# cd /mnt/packages/other/StonebeatFullCluster
# pkgadd -d .
- Run sbfcconfig to start the Stonebeat configuration. It lives under $SBFCHOME/bin (/opt/fullcluster/bin), which is on root's PATH once the profile change above has taken effect.
# $SBFCHOME/bin/sbfcconfig
- First install the licence
1. Generate Keys & Certificates
2. Configure This Node
3. Set Passphrase
4. Install License
5. Exit
Select Option: 4
Enter the licence string: [ copy and paste the licence string here ]
- Configure the Node and Cluster IDs (see the Settings Tables at the end of this page for the values used on each server)
1. Generate Keys & Certificates
2. Configure This Node
3. Set Passphrase
4. Install License
5. Exit
Select Option: 2
1. Set Node ID
2. Set Cluster ID
3. Set Capacity
4. Set Load Measurement Interval
5. Configure Interfaces
6. Back
Select Option: 1
Enter a Node ID (1-16): 1
1. Set Node ID
2. Set Cluster ID
3. Set Capacity
4. Set Load Measurement Interval
5. Configure Interfaces
6. Back
Select Option: 2
Enter a Cluster ID (1-65535): 1
- Set Capacity
1. Set Node ID
2. Set Cluster ID
3. Set Capacity
4. Set Load Measurement Interval
5. Configure Interfaces
6. Back
Select Option: 3
1. Autoprobe for Capacity Benchmark Value
2. Manually enter Capacity Benchmark Value
Select Option: 1
Executing capacity benchmark program...
capacity is set to 1002
- Set the Load Measurement Interval to 15 (the default; may need more investigation)
1. Set Node ID
2. Set Cluster ID
3. Set Capacity
4. Set Load Measurement Interval
5. Configure Interfaces
6. Back
Select Option: 4
Enter a Load Measurement Interval (15-150): 15
- Configure the Heartbeat Interfaces (HB)
1. Set Node ID
2. Set Cluster ID
3. Set Capacity
4. Set Load Measurement Interval
5. Configure Interfaces
6. Back
Select Option: 5
1. Define Heartbeat Protocol Interface(s)
2. Define Operational Interface(s)
3. Define Control Interface(s)
4. Back
Select Option: 1
Currently available interfaces:
1. hme0 NOT configured. Assigned to ip-address
2. qfe0 NOT configured. Assigned to ip-address
3. qfe1 NOT configured. Assigned to ip-address
4. qfe2 NOT configured. Assigned to ip-address
Select interface: 4
qfe2: MAC address is [????] and IP address is [????]
Do you want to update or remove this interface (y/N)? n
Enter a multicast MAC address: 01:02:03:04:05:06
Do you want to assign control ip and port (y/N)? y
Enter this host's control IP address: ip-address
Enter a control port number (1025 - 65535): 3002
- Configure the Operational Interfaces (ONIC)
1. Define Heartbeat Protocol Interface(s)
2. Define Operational Interface(s)
3. Define Control Interface(s)
4. Back
Select Option: 2
Currently available interfaces:
1. hme0 NOT configured. Assigned to ip-address
2. qfe0 NOT configured. Assigned to ip-address
3. qfe1 NOT configured. Assigned to ip-address
4. qfe2/sbif0 protocol 01:02:03:04:05:06 (modified)
Select interface: 2
qfe0: MAC address is [????] and IP address is [????]
Do you want to update or remove this interface (y/N)? n
Do you want to use multicast support for this interface (y/N)? y
Enter a multicast IP or MAC address: ip-address
Enter the unicast cluster IP address(es): ip-address
using the following cluster address(es): ip-address
Do you want to add more addresses (y/N)? n
1. Define Heartbeat Protocol Interface(s)
2. Define Operational Interface(s)
3. Define Control Interface(s)
4. Back
Select Option: 2
Currently available interfaces:
1. hme0 NOT configured. Assigned to ip-address
2. qfe0/sbif1 operative (modified)
3. qfe1 NOT configured. Assigned to ip-address
4. qfe2/sbif0 protocol 01:02:03:04:05:06 (modified)
Select interface: 3
qfe1: MAC address is [????] and IP address is [????]
Do you want to update or remove this interface (y/N)? n
Do you want to use multicast support for this interface (y/N)? y
Enter a multicast IP or MAC address: ????
Enter the unicast cluster IP address(es): ????
using the following cluster address(es): ?????
Do you want to add more addresses (y/N)? n
- Save the configuration and exit
1. Define Heartbeat Protocol Interface(s)
2. Define Operational Interface(s)
3. Define Control Interface(s)
4. Back
Select Option: 4
1. Set Node ID
2. Set Cluster ID
3. Set Capacity
4. Set Load Measurement Interval
5. Configure Interfaces
6. Back
Select Option: 6
1. Generate Keys & Certificates
2. Configure This Node
3. Set Passphrase
4. Install License
5. Exit
Select Option: 5
Do you want to write configuration information and exit (y/N)? y
Writing node.conf...
Changes take effect after the next boot
- Reboot the server
Settings Tables
Below are the parameters and settings I used to install Firewall-1 and Stonebeat FullCluster on each of the firewall servers. The two members of a set share a Cluster ID and have distinct Node IDs.

Server   | Node ID | Cluster ID
---------+---------+-----------
pr-fw-4  | 1       | 1
pr-fw-7  | 2       | 1
pr-fw-5  | 1       | 2
pr-fw-8  | 2       | 2
pr-fw-6  | 1       | 3
pr-fw-9  | 2       | 3

Firewall Set/Interface | VIP Address | Multicast MAC address
-----------------------+-------------+----------------------
Net-A qfe0             | ????        | ????
Net-A qfe1             | ????        | ????
Middle qfe0            | ????        | ????
Middle qfe1            | ????        | ????
Net-B qfe0             | ????        | ????
Net-B qfe1             | ????        | ????