This section contains three parts:
The DIGITAL IP Switch Processor includes version 3.0 of the Check Point FireWall-1 product integrated into the IP Switch software platform.
FireWall-1 consists of two primary modules:
The IP Switch Processor includes the FireWall-1 Module, but does not include the Management Console. Elsewhere in your network you will need to set up a Management Console, if you do not already have one. A single Management Console can control one or more FireWall-1 Modules.
The FireWall-1 Module implements the security policy, logs events, and communicates via the network with the Management Console using the FireWall-1 daemons running on the IP Switch Processor.
A FireWall-1 security policy is defined using the GUI on the Management Console. Inspection Code is then generated and installed on the FireWall-1 Modules that will enforce the security policy. The System Administrator defines and maintains the security policy on the Management Console, while the gateways where the FireWall-1 Module is installed enforce the security policy.
Most of the tasks involved in configuring the operation of your FireWall-1 relate to the definition and maintenance of your security policy, and are performed on the Management Console. These tasks are covered in great detail in several printed documents produced by Check Point.
FireWall-1 configuration tasks you perform on the IP Switch Processor include:
Before you configure FireWall-1, you need to have a license for each FireWall-1 Module you purchased. Go to http://license.checkpoint.com and use the Key from the CD-ROM case to get your valid licenses.
The following instructions describe how to configure the Check Point FireWall-1 with a DIGITAL IP Switch Processor configured as a gateway. Note that:
1. Enter a new key on the Management Console.
Refer to the Check Point documentation to get platform-specific instructions for entering commands on your Management Console.
The format of the command is:
fw putkey <gateway ip address>
Caution: For <gateway ip address>, use an IP address that belongs to an internal interface, meaning an interface that is behind the firewall.
You will be prompted for a one-time authentication key.
2. Enter a one-time authentication key on the Management Console.
Choose any word of five or more characters. Write down the word to remember it; you'll need to enter it on the IP Switch Processor in a later step.
3. Restart the FireWall-1 Module on the Management Console.
Enter the following commands in order:
fwstop
fwstart
Continue the installation with the IP Switch Processor tasks.
4. On the IP Switch Processor, make sure there is a static host entry for the IP address used in step 1 and the hostname of the IP Switch Processor.
You can do this in clearVISN IP Switch Manager on the Static Host Entries page. For instructions on creating a static host entry, see Adding a Static Host Entry.
5. Telnet to the IP Switch Processor, or use the console, to log in as admin on the IP Switch Processor.
6. Edit the .cshrc file and include /etc/fw/bin in the PATH statement.
7. Save the .cshrc file.
8. Enter the following command:
source .cshrc
9. Use the fwconfig command to enter your license, or use the command:
fw putlic <ip address> <license number> <features>
You must use the same IP address as in step 1. The Check Point license is tracked by this IP address.
10. Repeat step 9 for each Check Point FireWall-1 license.
11. Use the fwconfig command to add your Management Console IP address.
You will be prompted for a one-time authentication key, which must be the one you used in step 1.
When you exit fwconfig, you are given the option of restarting FireWall-1. You may choose y to verify that authentication worked and that the Management Console and DIGITAL IP Switch Processor are communicating correctly.
Complete the installation by performing the DIGITAL clearVISN IP Switch Manager tasks.
12. Using your web browser, type either of the following URLs in the Location edit box in your browser:
http://<gatewayname>
or
http://<gateway ip address>
13. Press the Enter button on your keyboard.
The clearVISN IP Switch Manager home page for the IP Switch Processor displays.
14. Click on the home page.
15. Click the Check Point Firewall-1 link.
16. On the FireWall-1 Control page, click the Start button, even if the firewall is already running.
If FireWall-1 is already running, error messages display, but in any case this tells FireWall-1 to start up automatically whenever a reboot occurs.
17. Click the Top button.
This takes you to the Config Tool configuration page.
18. Click at the bottom of the Config Tool configuration page to save the configuration.
Caution: You should perform a SAVE on the Config Tool main page after starting FireWall-1; failing to do this will result in this node operating with no FireWall-1 following the next reboot.
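
The values entered in steps 1 through 11 have to agree with each other: the same gateway IP address for fw putkey, the static host entry and every license, a key of five or more characters, and /etc/fw/bin in the PATH. The following shell pre-flight check is an added example, not part of the original documentation or of Check Point's tooling; it assumes the static host entries are available as a hosts-format file, and all function names and sample values are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check of the values used in steps 1-11.
# Assumption: static host entries are exported to a hosts-format file
# ("<ip> <name> ..." per line); the file and all sample values are constructed.

# Step 2: the one-time authentication key needs five or more characters.
check_key() { [ "${#1}" -ge 5 ]; }

# Step 4: HOSTS_FILE must map the gateway IP to the gateway hostname.
host_entry_ok() {  # host_entry_ok HOSTS_FILE IP HOSTNAME
    awk -v ip="$2" -v name="$3" '
        { sub(/#.*/, "") }   # drop comments
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }' "$1"
}

# Steps 6-8: PATH (colon-separated) must contain /etc/fw/bin.
path_has_fw_bin() {
    case ":$1:" in *:/etc/fw/bin:*) return 0 ;; *) return 1 ;; esac
}

# Steps 1 and 9: every license must be bound to the IP given to "fw putkey".
license_ips_ok() {  # license_ips_ok PUTKEY_IP LICENSE_IP...
    [ "$#" -ge 2 ] || return 1          # at least one license is required
    putkey_ip=$1; shift
    for lic_ip in "$@"; do [ "$lic_ip" = "$putkey_ip" ] || return 1; done
}

# Runs every check, prints each failure, returns the number of failures.
# The key itself is never printed.
preflight() {  # preflight KEY GW_IP GW_NAME HOSTS_FILE PATH_VALUE LICENSE_IP...
    key=$1 gw_ip=$2 gw_name=$3 hosts_file=$4 path_value=$5; shift 5
    fails=0
    check_key "$key" || { echo "key: fewer than 5 characters"; fails=$((fails + 1)); }
    host_entry_ok "$hosts_file" "$gw_ip" "$gw_name" ||
        { echo "hosts: no entry $gw_ip -> $gw_name"; fails=$((fails + 1)); }
    path_has_fw_bin "$path_value" || { echo "PATH: /etc/fw/bin missing"; fails=$((fails + 1)); }
    license_ips_ok "$gw_ip" "$@" ||
        { echo "license: IP differs from fw putkey IP $gw_ip"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample run (192.0.2.1 is a documentation address).
sample=$(mktemp)
printf '192.0.2.1 ipswitch-gw  # internal interface\n' > "$sample"
preflight "example-key" 192.0.2.1 ipswitch-gw "$sample" "/bin:/etc/fw/bin" 192.0.2.1 &&
    echo "pre-flight passed"
rm -f "$sample"
```
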