Wednesday, 19 February 2020

Checkpoint Application control and URL filtering configuration


Topology
Before I proceed: the diagram above is my existing cluster setup.
Click the links below to set up the lab for the cluster first, then the AD server configuration and integration, and then add the default route to the gateway IP so the HOST machine and the AD server can communicate.
NOTE: A cluster setup is not necessary for this lab; a single gateway or a standalone setup works as well.
We have completed the cluster setup. Now we are going to add an AD user to our rule base to block or allow URLs, i.e. a user-based (identity-based) policy.
Before proceeding, see the details below.
IP Address Details
Gateway 1 (Active) IP : Internal (eth0) --> 192.168.1.2/24 | External (eth2) --> 172.16.100.121/24

Gateway 2 (Standby) IP : Internal (eth0) --> 192.168.1.3/24 | External (eth2) --> 172.16.100.122/24

Cluster VIP (Virtual IP) : Internal --> 192.168.1.5/24 | External --> 172.16.100.125/24

Sync IP : Active Gateway (eth1) ---> 1.1.1.2/24 || Standby Gateway (eth1) ---> 1.1.1.3/24 (NO VIP required)

For DMZ Network (AD Server) :

Gateway 1 (Active) IP : Internal (eth3) --> 192.168.50.2/24 | External (eth2) ---> 172.16.100.121/24

Gateway 2 (Standby) IP : Internal (eth3) --> 192.168.50.3/24 | External (eth2) ---> 172.16.100.122/24

Cluster VIP (Virtual IP) : Internal --> 192.168.50.5/24 | External --> 172.16.100.125/24

Management Server IP : 192.168.1.10/24

AD Server IP : Internal IP ---> 192.168.50.254/24
Route Configuration
Internal LAN (192.168.1.0/24) ----> Default Gateway (VIP : 192.168.1.5/24)

DMZ Network (192.168.50.0/24) -----> Default Gateway (VIP : 192.168.50.5/24)

Gateway IP (172.16.100.121/24 & 172.16.100.122/24) ---> Default Gateway (VIP : 172.16.100.1/24)

Host Machine (where VMware is installed) ---> 192.168.1.1/24
VMNet Details
VMnet0 : Auto-Bridging : External : 172.16.100.0/24

VMnet1 : Host-Only : Internal : 192.168.1.0/24

VMnet2 : Host-Only : Sync : 1.1.1.0/24

VMnet3 : Host-Only : DMZ Network : 192.168.50.0/24
DNS Server : AD Server (IP : 192.168.50.254/24)
Let's start.
STEP 01: Check the HOST machine IP address.
I assign the HOST machine the IP address 192.168.1.100/24.
STEP 02: Check the connectivity between the HOST machine (192.168.1.100/24) and the AD server (192.168.50.254/24).
CMD>ping 192.168.50.254 (it communicates).
STEP 03: Check the DNS address of the HOST machine (192.168.1.100/24).
command: CMD>ipconfig /all
It shows the DNS addresses 8.8.8.8 and 4.2.2.2, but we have already configured both the DNS server and the AD server on the Windows Server with IP 192.168.50.254/24.
STEP 04: Change the DNS address to the internal DNS server address that we already configured on the Windows Server.
Ping the DNS server 192.168.50.254; it succeeds.
STEP 05: Run nslookup and also ping checkpointfirewall.com (the domain name of the AD server) for verification.
CMD>ping checkpointfirewall.com
CMD>nslookup checkpointfirewall.com
Some additional steps.
STEP 06: Add the domain name "checkpointfirewall.com" on the HOST machine (Windows 7, IP 192.168.1.100). In other words, I am joining the HOST machine (Windows 7) to that domain.
Location : System Properties ---> Change Settings ---> Change ---> Domain (checkpointfirewall.com)
STEP 07: Click "OK" to get the login popup.
Log in with a username and password that you already created on the AD server.
STEP 08: I log in with the username Chinmaya, which I already created on the AD server.
If you want to create a user on the AD server, check the link below for details.
STEP 09: Domain added successfully.
STEP 10: Restart the Windows HOST machine (IP 192.168.1.100).
STEP 11: The login screen shows username: Administrator, but I am going to log in with username: Chinmaya.
STEP 12: Click "Other User".
STEP 13: Log in with username: Chinmaya.
STEP 14: Enable the "Application Control" and "URL Filtering" blades on the cluster.
Location : SmartConsole ---> Cluster Object ---> General Properties
STEP 15: Click "Yes".
STEP 16: Create a policy layer for "Application Control and URL Filtering".
Location : SmartConsole ---> Security Policies ---> Access Control ---> Policy ---> Edit Policy
STEP 17: Click the "+" icon and then "New Layer" to add the new layer (Application Control and URL Filtering).
STEP 18: Give the object name: Application Control and URL Filtering
Blades: Application & URL Filtering.
STEP 19: Click the "Advanced" tab and select the Implicit Cleanup Action as "Accept".
STEP 20: The "Application Control and URL Filtering" layer is now shown as added in Access Control.
STEP 21: I have not created any rule yet; I only gave the rule name "Test_URL_Rule". Before creating the "Application Control and URL Filtering" rule, I will first create a network access rule.
STEP 22: The current rule base has two rules, "Accept" and "Drop".
Create a network access rule so the LAN network can access the internet.
STEP 23: Create a network object. I create it as:
Object Name : Internal_LAN : 192.168.1.0/24
NAT: Hide
STEP 24: When you need network address translation, go to the NAT section of the network object:
Mark "Add automatic address translation rules"
Translation method: "Hide"
Select: Hide behind the gateway
See the rule.
STEP 25: Go to "Application Control and URL Filtering" and create an access control rule to build a user-based rule.
Click the "+" icon.
STEP 26: Click the "*" icon and select "Access Role...".
STEP 27: Go to the "Users" section and click the "+" icon.
Select the AD domain name; once you select the domain, you can see the users.
STEP 28: See the domain "checkpointfirewall.com" and the users as well.
STEP 29: I select the user "Chinmaya Naik".
STEP 30: Username "Chinmaya Naik" added successfully.
See the "Distinguished Name".
STEP 31: Give a name to the "New Access Role".
I name it "Chinmaya" and click "OK".
STEP 32: After adding Source: Chinmaya,
add Destination "Internet": click the "+" icon in the destination column and select "Internet".
STEP 33: In "Services & Applications" add "Social Networking".
STEP 34: Set the action to Drop with a Blocked Message.
STEP 35: Set Track to "Log".
NOTE: Also select Detailed Log for the log type.
STEP 36: Name : Test_URL_Rule | Source : Chinmaya | Destination : Internet | VPN : Any | Services & Applications : Social Networking (category) | Action : Drop/Blocked Message | Track : Log/Accounting.
STEP 37: It looks like this.
See it again with the diagram.
STEP 38: Change the engine settings of "Application Control and URL Filtering".
Mark "Categorize HTTPS websites" and click "OK".
Location : Manage & Settings ---> Blades ---> Application Control and URL Filtering ---> Advanced Settings ---> General
NOTE: Make sure that when we enable this option, HTTPS Inspection is disabled; "HTTPS Inspection" and "Categorize HTTPS websites" cannot both be enabled on R80.20/R80.10/R77.30...
STEP 39: Install the database.
STEP 40: Install the Access Control policy.
STEP 41: After the policy is installed, the Windows HOST machine (192.168.1.100) is able to ping google.com.
STEP 42: The website facebook.com is successfully blocked.
facebook.com comes under the "Social Networking" category, which I already added to the policy.
STEP 43: See the facebook block logs.
STEP 44: Add a custom site to block or allow a URL.
Click the "+" icon in the "Services & Applications" section ---> Custom Applications/Sites ---> Application/Site.
STEP 45: Name the new Application/Site (I name it Custome_Site01) and add URLs by clicking "+", in a format such as:
*thehackernews* | https://thehackernews.com | www.thehackernews.com
Click "OK".
STEP 46: Install the database and install the policy.
STEP 47: Access the URL for testing:
"thehackernews.com"
STEP 48: The site gets blocked and the block page is shown, stating that it was blocked by the "Custome_Site01" category.
STEP 49: See the block logs in the tracker.
Select the blade "URL Filtering" in the log filter.
STEP 50: See the matched rules:
"Accept" in the Access Control policy and "Block" in the "Application Control and URL Filtering" policy.
STEP 51: See the logs.
STEP 52: See the rule with its logs.
STEP 53: See the details of the Drop logs.
STEP 54: See the username "Chinmaya Naik" on the Drop logs.
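The matched-rules log in STEP 50 (Accept in the Network layer, Block in the "Application Control and URL Filtering" layer) follows from how ordered layers are evaluated: a connection must be accepted by every layer in turn, and the implicit cleanup action chosen in STEP 19 decides what happens when no rule in a layer matches. The following is an added example, not code from the original post and not Check Point's own implementation, that models this lab's two layers so the behaviour can be checked offline. The category table, the user-to-role mapping and the connection tuples are constructed sample data; the real categorisation comes from the URL Filtering database on the gateway.

```python
"""Model of ordered-layer evaluation for the lab's rule base (added example).

Assumptions (constructed for this example): CATEGORY_DB stands in for the
URL Filtering database, identities are taken as already learned from the AD
integration, and rule columns are reduced to source / destination / category.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Connection:
    src_ip: str
    user: Optional[str]      # AD identity learned for the source, None if unknown
    host: str                # destination host name (DNS or HTTPS categorisation)
    is_internet: bool = True


Match = Callable[[Connection], bool]

# Constructed stand-in for the URL Filtering category database.
CATEGORY_DB: Dict[str, str] = {
    "facebook.com": "Social Networking",
    "www.facebook.com": "Social Networking",
    "google.com": "Search Engines",
}
# Custom Application/Site from STEP 45; patterns as entered in the lab.
CUSTOM_SITES: Dict[str, List[str]] = {
    "Custome_Site01": ["*thehackernews*", "https://thehackernews.com", "www.thehackernews.com"],
}


def categories_of(host: str) -> Set[str]:
    """Return every category (built-in or custom) a host name falls under."""
    cats = {CATEGORY_DB[host]} if host in CATEGORY_DB else set()
    for name, patterns in CUSTOM_SITES.items():
        for pattern in patterns:
            pattern = pattern.split("://", 1)[-1]        # drop a scheme prefix if present
            if fnmatchcase(host, pattern):
                cats.add(name)
    return cats


def network(cidr: str) -> Match:
    net = ip_network(cidr)
    return lambda c: ip_address(c.src_ip) in net


def access_role(users: Set[str]) -> Match:
    """Access Role as in STEP 26-31: matches when the learned identity is listed."""
    return lambda c: c.user in users


def category(*names: str) -> Match:
    return lambda c: bool(categories_of(c.host) & set(names))


@dataclass
class Rule:
    name: str
    source: Match
    destination: Match
    services: Match
    action: str                      # "Accept" or "Drop"


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str            # action when no rule matches (STEP 19)


def evaluate_layer(layer: Layer, conn: Connection) -> Tuple[str, str]:
    for r in layer.rules:
        if r.source(conn) and r.destination(conn) and r.services(conn):
            return r.name, r.action
    return f"{layer.name} implicit cleanup", layer.implicit_cleanup


def evaluate(layers: List[Layer], conn: Connection):
    """Ordered layers: a Drop in any layer is final; Accept passes to the next layer."""
    trail = []
    for layer in layers:
        rule, action = evaluate_layer(layer, conn)
        trail.append((layer.name, rule, action))
        if action == "Drop":
            return "Drop", trail
    return "Accept", trail


ANY: Match = lambda c: True
INTERNET: Match = lambda c: c.is_internet

# Layer 1: the network access rule from STEP 22-24 plus the usual cleanup rule.
NETWORK_LAYER = Layer("Network", [
    Rule("Internal_LAN to Internet", network("192.168.1.0/24"), INTERNET, ANY, "Accept"),
    Rule("Cleanup", ANY, ANY, ANY, "Drop"),
], implicit_cleanup="Drop")

# Layer 2: Test_URL_Rule from STEP 36, extended with the custom site from STEP 45.
APP_URL_LAYER = Layer("Application Control and URL Filtering", [
    Rule("Test_URL_Rule", access_role({"Chinmaya Naik"}), INTERNET,
         category("Social Networking", "Custome_Site01"), "Drop"),
], implicit_cleanup="Accept")

POLICY = [NETWORK_LAYER, APP_URL_LAYER]


def decide(src_ip: str, user: Optional[str], host: str):
    return evaluate(POLICY, Connection(src_ip, user, host))


if __name__ == "__main__":
    for args in [("192.168.1.100", "Chinmaya Naik", "facebook.com"),
                 ("192.168.1.100", "Chinmaya Naik", "google.com"),
                 ("192.168.1.100", "Chinmaya Naik", "thehackernews.com"),
                 ("192.168.1.100", "Administrator", "facebook.com")]:
        print(args, "->", decide(*args))
```

Running it reproduces the lab: facebook.com and thehackernews.com for Chinmaya Naik are accepted by the Network layer and dropped by Test_URL_Rule, google.com passes both layers via the implicit Accept cleanup, and a user who is not in the access role is not blocked, which is the consequence of choosing "Accept" as the implicit cleanup action in STEP 19.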
