Education Services
Check Point
Security Master
Lab Setup Guide
EDUCATION SERVICES
Follow the steps below to configure the virtual machines needed for the students to perform all Security
Administration labs. ATCs may use whatever virtualization software they choose, but Check Point assumes
most Virtual Machines will be created in either a VMware Workstation or an ESX environment. Our tests
were all performed on VMware Workstation 12.
Additional Files
Check_Point_R80.10_T421_Fresh_Install_and_Upgrade_from_R7X.tgz – Install on all Virtual
Machines where a Check Point Security Management Server or Security Gateway system is required. The
build number may change but you will need to build the Check Point VMs with the latest “fresh install”
build of R80.10.
LDAP Information
Configure the virtual machines on the Alpha Internal network to be in the alpha.cp domain. All users
should log into the domain and not the local virtual machine.
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Once the setup is complete, all windows Host and Server machines should be able to reach the internet and
all machines should be able to ping each other and the Router.
3
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-GUI
Use the information below to configure the GUI Client virtual machine:
Use the following information to configure the interface for the virtual machine:
IP Address: 10.1.1.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Management (LAN 1)
WinSCP
Putty
WireShark
2. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
A-SMS
Use the information below to configure the Alpha Management Server virtual machine:
Use the following information to configure the interface for this virtual machine:
IP Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Alpha Management (LAN 1)
Username: admin
Password: Chkp!234
2. The server should be fully licensed with licenses obtained from the BCK. This server should contain three
Central licenses. Use SmartUpdate launched from SmartConsole on A-GUI to assign licenses to the two
pre-configured Security Gateways in this environment.
5
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-SMS-02
Use the information below to configure the Alpha Management Server virtual machine:
Use the following information to configure the interface for this virtual machine:
IP Address: 10.1.1.102
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Alpha Management (LAN 1)
Special instructions for the secondary Alpha Management Server virtual machine:
Username: admin
Password: Chkp!234
2. The server should be fully licensed with licenses obtained from the BCK.
3. This server should be fully configured and ready for the student to use for the lab, but should be powered
off until the lab in which it is required, in order to save resources.
6
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-GW-01
Use the information below to configure the first Security Gateway virtual machine:
Use the following information to configure the interfaces for this virtual machine:
IP Address: 192.168.10.2
Subnet Mask: 255.255.255.0
Interface: eth2
Network: Alpha Synchronization (LAN 10)
Special instructions for the Alpha Security Gateway cluster member virtual machine:
1. Configure the server with four cores, each assigned a single processor. Multi-threading will impact
performance in the virtual environment and should be avoided.
2. Create a snapshot with the virtual machine configured with only two cores for the purposes of one of the
labs.
7
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-GW-02
Use the information below to configure the second Security Gateway virtual machine:
Use the following information to configure the interfaces for this virtual machine:
IP Address: 192.168.10.3
Subnet Mask: 255.255.255.0
Interface: eth2
Network: Alpha Synchronization (LAN 10)
Special instructions for the Alpha Security Gateway cluster member virtual machine:
3. Configure the server with four cores, each assigned a single processor. Multi-threading will impact
performance in the virtual environment and should be avoided.
4. Create a snapshot with the virtual machine configured with only two cores for the purposes of one of the
labs.
8
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-Host
Use the information below to configure a protected host virtual machine:
Name: A-Host
OS: Windows Client
Hard Drive: 20GB
RAM: 2GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.11.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)
1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
Note: The Mail server is not currently used in the CCSM class but will be used in other courses and may
be used at a later date.
9
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-LDAP
Use the information below to configure the Alpha LDAP server virtual machine:
Name: A-LDAP
OS: Windows Sever
Hard Drive: 40GB
RAM: 2GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.11.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)
2. The following are the required users. Each should be configured with Chkp!234 as their password.
User1
User2
User3
User4
Guest
5. Install and configure the NTP server for the Alpha site.
10
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-DMZ
Use the information below to configure the FTP, SMTP, and Web Server virtual machine:
Name: A-DMZ
OS: Windows Server
Hard Drive: 40GB
RAM: 2GB
Use the following information to configure the interface for the FTP and Web Server virtual machine:
IP Address: 192.168.12.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.12.1
Interface: eth0
Network: Alpha DMZ (LAN 12)
Note: The Mail server is not currently used in the CCSM class but will be used in other courses and may
be used at a later date.
11
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
A-SMS
A-SMS-02
A-GW-01
A-GW-02
Name: scpAdmin
Password: Chkp!234
Shell: scponly
Roles: adminRole
Define the interfaces for each module, based on the CCSM Classroom Topology.
12
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Define the following static routes on both Security Gateways in the Alpha site:
13
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Alpha-Nets (Group)
14
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Do Not Log
Management
Stealth
DNS
DMZ
Outgoing
LDAP
Cleanup
15
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Configure Hide NAT for all internal Alpha networks. Then, configure the Static NAT objects:
16
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Next, complete the Alpha Security Policy by configuring the following Global Policy settings:
17
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Router
The router may be either a specific virtual machine or you may use the virtualization software’s router
function. In our testing, we use VMware’s Network Editor to configure a NAT address on the
203.0.113.0/24 network that NATs “guest” VM traffic out through the “host” machine’s physical address.
All external interfaces of gateways in the topology should all point to 203.0.113.254 (router) as their default
gateway. Network routes for all internal networks should be placed on both the Alpha and Bravo gateways.
This will allow traffic between the two sites but also traffic to exit the environment and reach the Internet.
Attacker
Use the information below to configure the Attacker virtual machine:
Name: Attacker
OS: IPS Demo Toolkit
Hard Drive: 20GB
RAM: 1GB
Use the following information to configure the interface for this virtual machine:
IP Address: 203.0.113.37
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Interface: eth3
Network: External (vmnet8 - NAT)
This information is just for your reference. The actual interface configuration is completed as part of the lab
which uses the Attacker machine.
18
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
B-GW
Use the information below to configure the Bravo Security Gateway virtual machine:
Name: B-GW Install and configure the following Check Point modules
OS: Gaia R80.10
Hard Drive: 80GB Security Gateway
RAM: 10GB Security Management Server
Use the following information to configure the interfaces for the Bravo Security Gateway virtual machine:
Note: The eth2 interface for B-GW is not used in this class but should be configured so that the eth1
connects to the internal network and the eth3 interface connects to the external network. The other interface
(eth2) should not be powered on.
19
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Use the following information to configure the interface for the GUI Client virtual machine:
IP Address: 10.2.2.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.2.2.1
Interface: eth0
Network: Bravo Management (LAN 2)
2. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
20
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Bravo Host
Use the information below to configure the B-Host virtual machine:
Name: B-Host
OS: Windows Client
Hard Drive: 20GB
RAM: 2GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.21.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.21.1
Interface: eth0
Network: Bravo Internal (LAN 21)
1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
21
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Name: scpAdmin
Password: Chkp!234
Shell: scponly
Roles: adminRole
Define the interfaces for B-GW, based on the CCSM Classroom Topology.
22
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
23
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Bravo-Nets (Group)
24
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E
Noise
Management
Stealth
DNS
Outgoing
Incoming
Cleanup
25