
Getting Started with Check Point – SmartCenter Server

by on Jan.17, 2011, under Networks, Security

The SmartCenter server is a key part of the Check Point infrastructure and without one you can’t do very much at all with your firewalls, so it should be one of the first things you set up. It can either be installed on the same hardware as one of your firewalls, or as a dedicated management machine. In this case I’m going to set it up on a dedicated Windows 2003 server.

The install is fairly straightforward, just mount/insert the disc and run the setup. I’ll run through a sample of an R65 SmartCenter install as some of the screens need a little explanation.

Skip past the first two screens until you hit this page:

If you are installing the full firewall product, what you choose here will depend on your licensing. As we are just installing the SmartCenter it doesn’t matter for us. On the next page you can import a config if you have one, or choose a fresh install. After that you come to this page:

This is where you choose the products you want to install. Here I’ve chosen the SmartCenter itself, plus the SmartConsole management tools. If you wanted to install the firewall software, you would choose the top box. On the next page you can choose if this will be a primary, secondary, or log server. You can install two SmartCenter servers in an HA cluster using the primary/secondary options. At this point the installer will run and complete. There are a few more steps before we can use it though.

Firstly it will ask you to install any licenses that you might have. The products come with a 15-day evaluation license if you are just playing around. If you have license files you can either upload the files directly or type in the keys manually.

The next step is to create an admin user, which is followed by defining the IP addresses or ranges from which the management clients are allowed to connect to the server. The default allows connections from anywhere, so restrict it to your admin workstations rather than accepting it. Although I've chosen to install the management tools locally on the server, you can also install them separately on another machine, in a similar way to a Microsoft MMC or the Cisco ASDM. Finally you'll be shown the server's certificate fingerprint. Record it: SmartConsole displays the fingerprint the first time a client connects, so you can confirm you are talking to the genuine management server and not an impostor.
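The allowed-clients step is worth auditing rather than clicking through. The script below is an added example, not code from the original post or from Check Point: it parses a small allow list, flags entries that admit far more than a handful of admin hosts (the installer's default of "Any" in particular), and tests whether a given workstation would be admitted. The entry syntax it accepts (single IP, CIDR, dash-separated range, or the literal "Any") is an assumption modelled on Check Point's gui-clients file, and the sample list is constructed for the example.

```python
"""Audit a SmartCenter GUI-client allow list (added example).

Entry syntax (single IP, CIDR, 'a.b.c.d-e.f.g.h' range, or 'Any') is an
assumption modelled on Check Point's gui-clients file; the sample list is
constructed here and not taken from any real server.
"""
import ipaddress
from typing import List, Tuple, Union

Matcher = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network,
                Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]

# Constructed sample: the installer default ("Any") left in place, plus
# the two admin entries an engineer might have added on top of it.
SAMPLE_GUI_CLIENTS = """\
# SmartConsole clients allowed to manage this SmartCenter
Any
10.10.5.0/24
10.10.9.10-10.10.9.20
"""


def parse_gui_clients(text: str) -> List[Tuple[str, Matcher]]:
    """Return (raw_entry, matcher) pairs, ignoring blanks and # comments."""
    entries: List[Tuple[str, Matcher]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "any":
            entries.append((line, "Any"))
        elif "-" in line:
            lo_s, hi_s = (p.strip() for p in line.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {line}")
            entries.append((line, (lo, hi)))
        else:
            # strict=False accepts host bits set, e.g. 10.10.5.1/24
            entries.append((line, ipaddress.ip_network(line, strict=False)))
    return entries


def overly_broad(entries: List[Tuple[str, Matcher]], max_hosts: int = 256) -> List[str]:
    """Entries that admit more than max_hosts addresses, or 'Any'."""
    flagged = []
    for raw, m in entries:
        if isinstance(m, str):                       # 'Any'
            flagged.append(raw)
        elif isinstance(m, tuple):                   # dash range
            if int(m[1]) - int(m[0]) + 1 > max_hosts:
                flagged.append(raw)
        elif m.num_addresses > max_hosts:            # CIDR / single host
            flagged.append(raw)
    return flagged


def is_allowed(client: str, entries: List[Tuple[str, Matcher]]) -> bool:
    """Would a SmartConsole connection from `client` be admitted?"""
    ip = ipaddress.ip_address(client)
    for _, m in entries:
        if isinstance(m, str):
            return True
        if isinstance(m, tuple):
            if m[0].version == ip.version and m[0] <= ip <= m[1]:
                return True
        elif ip in m:
            return True
    return False


def tighten(entries: List[Tuple[str, Matcher]], max_hosts: int = 256) -> List[str]:
    """The raw entries with every overly broad one dropped."""
    broad = set(overly_broad(entries, max_hosts))
    return [raw for raw, _ in entries if raw not in broad]


if __name__ == "__main__":
    ents = parse_gui_clients(SAMPLE_GUI_CLIENTS)
    print("broad entries:", overly_broad(ents))          # ['Any']
    print("kept:", tighten(ents))
    kept = parse_gui_clients("\n".join(tighten(ents)))
    print("192.0.2.7 allowed after tightening:", is_allowed("192.0.2.7", kept))
```

With the default left in, any host on the network can reach the management service and the allow list provides nothing; after dropping "Any" only the two admin entries remain, which is the state you want before the server goes live.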

At this point your SmartCenter server is up and running; it's a fairly painless install. You can have a play with the management tools (they have a nice demo mode with predefined topologies), but until we link up our first firewall the server alone is pretty useless.


Getting Started With Check Point – Product Overview

by on Jan.06, 2011, under Networks, Security

As we all know, the only constant in IT is change, and as a result I've been using Check Point firewalls a lot lately, a departure from my usual ASA and ISA firewalls. I'm going to do a series of posts documenting what I find, as I haven't seen a good resource which wasn't either out of date or simply didn't cover the basics.

With any new product there is always a little confusion, but with Check Point this seems to have been taken to a whole other level and I've had a great deal of difficulty working out what it is that they sell, what it actually does and how it all fits together. Check Point appear to have gone through a great deal of re-branding, and with a lot of older versions still supported everything now has more than one name depending on which version of the software you are talking about. I'll try to simplify it here as I understand things. The main thing to remember with Check Point is that, to a much greater extent than with other products, you are looking at two very different and separate things with regards to the hardware and the software.

Hardware

The hardware you choose for your firewalls will determine how fast and big it can go, as you might expect. It also determines which software features you can use on that particular bit of tin (which I’ll talk about shortly). Check Point give you a large number of options for your hardware depending on your needs.

  • IP appliances – the appliance formerly known as Nokia. These are the mid to high end firewalls and range from 1 Gbps to 30 Gbps of throughput (with the right model and expansion cards). For your money you get a piece of tin with various ports and space for extra modules. This is very much a pure networking appliance with support for all the basics such as VPN, plus support for advanced features like IPS, routing protocols, clustering, QoS and VoIP.
  • Power-1 appliances – these are more datacenter oriented, run from 9 Gbps up to 30 Gbps throughput, and are again a piece of tin. They support a few more edge defence features than the IP appliances, such as URL filtering, antivirus, antispam and antimalware. Apart from this they look very similar performance-wise to the high-end IP appliances.
  • UTM-1 appliances – I see these as the low end version of the Power-1, tin again. Performance is from 1.5 Gbps to 4.5 Gbps, but you get all the features of the Power-1 plus a few extra ones like built-in management and monitoring.
  • "Open server" – also known as SPLAT (SecurePlatform). This is kind of like Bring Your Own Box: you install the Check Point software onto a standard bit of server hardware. The license determines things like how many cores your server can have and what features you are allowed, but after that the performance is down to your hardware. SPLAT itself is a hardened, Check Point-modified version of Linux into which the various Check Point software modules are installed.

There are a few other variations including a virtualised version, but these are the main ones. For my testing I’ll be using a SPLAT system running in VMware.

Software

Check Point has gone through a lot of different versions of their software. The good news is that every device runs a version of the same software, and is managed through the same tools. Configuring rules on a SPLAT is exactly the same as configuring rules on one of the appliances. The bad news is that due to the number of iterations and the different licensing for them, you can be left scratching your head.

The first bit of confusion is that way back in 1994, when Check Point made their first firewall, they decided to name it FireWall-1, and quickly followed with a VPN product called VPN-1. If you fast forward to today you'll still find references to FireWall-1, VPN-1, and a whole raft of other things called xxx-1. The 1 has nothing to do with the version of the software as you might imagine; it's simply the name of the product. It makes more sense if you think of these as identifiers of feature sets.

The way you differentiate between older and newer software is via the version number of the software. Wikipedia has the full details, but the numbering is roughly:

Version        Release date
1.0            Apr 1994
2.0            Sep 1995
3.0            Oct 1996
4.0            1998
4.1            2000
NG             Jun 2001
NG AI R54      Jun 2003
NG AI R55      Nov 2003
NG AI R57      Apr 2005
NGX R60        Aug 2005
NGX R61        Mar 2006
NGX R62        Nov 2006
NGX R65        Mar 2007
R70            Feb 2009
R71            Apr 2010
R75            Dec 2010

Anything prior to NGX R65 is end of life, NGX R65 itself is nearing end of life, and R75 has just been released. Lots of people are currently in the process of upgrading from NGX R65, and if you have existing licenses Check Point are currently running an upgrade promotion.

If you are looking at NGX products and earlier, you combine a feature set and a version number to label your software. For example, VPN-1 UTM NGX R65 has the defined set of features carried by the VPN-1 UTM label, and is the NGX R65 software version of those features.

With R70 and later Check Point have adopted a software blade architecture. You still have a software version, but the features which you run inside of that are a lot more mix and match and are deployed as software blades that can be licensed and enabled individually (provided your hardware supports them).

In Conclusion

With all the different product names and the mix of people on different versions currently, Check Point is very confusing to the newcomer. Over the next few posts I'm going to go through some basic installation and configuration, starting with an NGX R65 set up. Depending on how things go I may throw in some more advanced stuff like failover clustering and an upgrade to R71.
