Wednesday, 19 February 2020

Install Check Point Security Gateway R80.20 on VMware Workstation


VMware Workstation Version : 12 PRO
IP Address Details
Gateway 1 (Active) IP : Internal (eth0) –> 192.168.1.2/24
Management Server IP : 192.168.1.10/24
VMNet Details
VMnet1 : Host-Only : Internal  : 192.168.1.0/24
As per the above diagram, we are going to set up the Security Gateway with the R80.20 ISO.
STEP 01: Download the R80.20 ISO file by referring to sk122485.
STEP 02: Click the “Clean Install” option, because we are not upgrading Gaia OS from a lower version to a higher version (for example, from R80.10 to R80.20).
STEP 03: File Name: Check_Point_R80.20_T101_Security_Management.iso
STEP 04: Verify the MD5 value.
I am using the MD5Checker tool to verify it; you can also use other tools to verify the MD5 value.
STEP 05: Open MD5Checker and add the R80.20 ISO image by clicking the “Add” icon.
STEP 06: The MD5 value shows “same”.
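The check in STEP 04 to STEP 06 can also be scripted. The following is an added example, not part of the original post: it streams the ISO through a hash function and compares the result with the published value, which you pass on the command line because the post does not list it. The function names are hypothetical; the same code accepts `sha256` when a SHA-256 value is available, which is the stronger check since MD5 is only reliable against accidental corruption.

```python
import hashlib
import hmac
import sys


def file_digest(path, algorithm="md5", chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(hex_value):
    """Published values may be upper-case or contain spaces; compare canonically."""
    return "".join(hex_value.split()).lower()


def verify_iso(path, expected_hex, algorithm="md5"):
    """Return (ok, actual_hex); reject an expected value that is not a full digest."""
    expected = normalize(expected_hex)
    hex_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != hex_len or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"expected value is not a {algorithm} hex digest")
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected), actual


if __name__ == "__main__":
    # Example: python verify_iso.py Check_Point_R80.20_T101_Security_Management.iso <published-md5>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_iso.py <iso-file> <published-md5>")
    ok, actual = verify_iso(sys.argv[1], sys.argv[2])
    print(f"{actual}  {'same' if ok else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

A mismatch means the download is incomplete or altered; download the file again before creating the VM.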
STEP 07: Check the network configuration to assign a network address to the VMnet (virtual network). To verify the network configuration, go to VMWARE —> FILE —> Virtual Network Editor.
As per the below diagram, I am using the network 192.168.1.0, so one VMnet is required to set up the MGMT server. I changed the network from 10.10.10.0 to 192.168.1.0/24, where I configure the Management Server IP as 192.168.1.10 and the Default Gateway as 192.168.1.2.
STEP 08: Click on “Change Setting”.
STEP 09: As in the below image, I changed to the 192.168.1.0 network, so I entered the network address 192.168.1.0 and the Subnet Mask 255.255.255.0.
NOTE: Uncheck “Use local DHCP service to distribute IP address to VMs” because we assign static IP addresses.
STEP 10: Verify the IP address of the HOST machine (the machine where we install/run VMware). By default, if I configure the VMnet as 192.168.1.0, the host machine gets the first host address, 192.168.1.1. We can use any IP address from that network segment, but in our LAB we are not going to change it; take it as it is.
NOTE: In my personal experience, most of the time people use the first host address, such as 192.168.1.1 (example IP address), as the Gateway address or Management address. In that scenario we are not able to run the Gaia First Time Configuration Wizard, because the HOST machine takes the first host address by default.
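The address conflict described in this NOTE can be caught before any VM is built. The following is an added example, not part of the original post: it checks a static address plan against the VMnet subnet and the address held by the host's virtual adapter. The function name `check_lab_plan` and the role labels are hypothetical; the addresses are the ones used in this lab.

```python
import ipaddress


def check_lab_plan(vmnet_cidr, assignments, host_adapter=None):
    """Return a list of problems with a static address plan on a host-only VMnet.

    assignments: {"role": "ip"}. host_adapter: address held by the host's
    virtual adapter; defaults to the first host address, as in STEP 10.
    """
    net = ipaddress.ip_network(vmnet_cidr, strict=True)
    first_host = next(iter(net.hosts()))
    host_ip = ipaddress.ip_address(host_adapter) if host_adapter else first_host
    problems = []
    seen = {host_ip: "host machine (VMware adapter)"}
    for role, value in assignments.items():
        ip = ipaddress.ip_address(value)
        if ip not in net:
            problems.append(f"{role} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{role} {ip} is the network or broadcast address")
        elif ip in seen:
            problems.append(f"{role} {ip} collides with {seen[ip]}")
        seen.setdefault(ip, role)
    return problems


# Plan from this post: VMnet1 192.168.1.0/24, gateway eth0 .2, management .10
LAB = {"Security Gateway eth0": "192.168.1.2", "Management Server": "192.168.1.10"}

if __name__ == "__main__":
    for line in check_lab_plan("192.168.1.0/24", LAB) or ["plan OK"]:
        print(line)
    # The mistake described in the NOTE: reusing the host's 192.168.1.1
    bad = {**LAB, "Security Gateway eth0": "192.168.1.1"}
    for line in check_lab_plan("192.168.1.0/24", bad):
        print(line)
```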
STEP 11: To create a new virtual machine, click “Create a New Virtual Machine”.
STEP 12: To select the ISO image file, click “Browse”.
STEP 13: Select the R80.20 ISO image file.
STEP 14: Select the Guest Operating System: Other, because it is not on the list, and select the Version: Other 64-bit, because I am using a 64-bit OS.
STEP 15: Select the location where the VM configuration file is stored; I selected my “D drive”.
NOTE: You do not have to select the “C Drive”; you can use other drives as well, as long as there is enough free space.
STEP 16: We are going to use Maximum disk size (GB): 100 and select “Store virtual disk as a single file”.
NOTE: From my personal experience, I always recommend using more than 60 GB as the disk size.
STEP 17: Select “Customize Hardware” to configure some parameters.
STEP 18: Select the memory (RAM): 4 GB. As per the below image, the minimum memory required for the Management Server is 6 GB, but because this is my LAB setup I use 4 GB.
STEP 19: Select the total processor cores as “2”.
NOTE: For a live setup, check with your local Check Point SE for sizing.
STEP 20: Select the Network Adapter: VMnet1, because we are using VMnet: 192.168.1.0.
STEP 21: Click “Finish”.
STEP 22: Power on the virtual machine.
STEP 23: Select “Install Gaia on this System”.
STEP 24: Click “OK”.
STEP 25: Click “US”, because I am not using any other keyboard language.
STEP 26: I modified the default configuration as follows:
System-swap (GB): 7%
System-root (GB): 22%
Logs (GB): 20%
Backup and upgrade (GB): 50%
NOTE: It depends on the disk size.
STEP 27: Choose a password for admin. The default username is admin.
NOTE: Make sure that Num Lock is on.
STEP 28: Assign the IP address as well as the Default Gateway.
STEP 29: Click “OK”.
STEP 30: Reboot the Security Gateway.
STEP 31: Log in with Login: admin and Password: “****” and run the First Time Configuration Wizard.
Also check the interface configuration, that is, verify that the IP address we assigned to the Security Gateway is configured properly.
STEP 32: Open a browser such as Chrome, Mozilla, Internet Explorer, Opera or another supported browser and browse to https://192.168.1.2 (my Gateway IP address).
NOTE: Use “https://”, not “http://”.
STEP 33: Log in with Username: admin and Password: ***** and click “Login”.
STEP 34: Click “Next”.
STEP 35: Select “Continue with R80.20 configuration” and click “Next”.
STEP 36: The IP address shown below is the one I already configured (check STEP 32), but you can still change the IP address and the Default Gateway here if you want. eth0 is the internal interface of the Security Gateway because we have only one VMnet (VMnet1: 192.168.1.0), but for a Gateway setup you must add one more interface for external.
NOTE: Default gateway can be configured later.
The gateway must have one more interface. In our case we have only one interface for demonstration, but two interfaces are required to be able to install the policy.
STEP 37: Give a Host Name of your choice (in my case I named it “SG”), assign the Primary and Secondary DNS, then click “Next”.
NOTE: Apart from “Host Name”, all the rest of the configuration can be given later as well.
STEP 38: Select “Set time manually” and choose the Time Zone; after selecting it, verify the other parameters such as Date and Time.
STEP 39: Select “Security Gateway and/or Security Management”.
NOTE: From R80.20 onward there are separate ISOs for the Security Gateway and the Management Server; the Security Gateway ISO can be used for a StandAlone setup as well as a dedicated Security Gateway setup.
STEP 40: As we can see in the below image, the Security Gateway checkbox is already enabled because this is a dedicated ISO for the Security Gateway. There is also an option to enable “Security Management”; once you enable it, the machine acts as a StandAlone setup. In my case we only set up the Security Gateway, so there is no need to enable the “Security Management” checkbox.
We also see the “Clustering” section because this is a Gateway ISO. In my case I am not going to configure ClusterXL, so I leave it as it is and do not mark the checkbox “Unit is a part of a cluster type”.
Select “Automatically download Blade Contracts and other important data (highly recommended)” and click “Next”.
STEP 41: In my case, the Gateway does not have a dynamically assigned IP address, so select “NO” and click “Next”.
STEP 42: Give a strong Secure Internal Communication (SIC) key for establishing SIC between the Management Server and the Gateway and click “Next”.
NOTE: Note down the SIC key; it is required when you establish SIC.
STEP 43: Click “Yes”.
Now processing starts.
NOTE: The system reboots automatically.
STEP 44: As we see in the below image, from the host machine (the machine where VMware is installed and running) we are unable to ping the gateway address (IP: 192.168.1.2), because the default policy is already applied to the Security Gateway. So we need to uninstall the policy for ping to work; the gateway then enforces no policy until one is loaded again.
Command : clish>fw unloadlocal
STEP 45: Set the expert password for advanced access.
STEP 46: Run the command cpview (it works in both the default CLISH mode and Expert mode) to check the System Information.
STEP 47: Power on the “Management Server” VM, then open SmartConsole, create a Gateway Object and establish SIC.
STEP 48: After powering on the Management Server, log in via CLI and try to ping it from the host machine where VMware is installed. First ping the Management Server IP; if that is successful, we can open SmartConsole, but before that also verify that all services are established (check CPM and FWM).
Command : [Expert]#cpwd_admin list
STEP 49: Add the Security Gateway by using SmartConsole.
STEP 50: As per the below image, we can see two options: Wizard Mode and Classic Mode. We can use either option, but I always prefer Wizard Mode because it is simpler for me. So click “Wizard Mode”.
STEP 51: Give a name to the Security Gateway Object; I named it “SG”. It is an open server, so select “Open Server”; if you add a dedicated Check Point appliance, select that appliance model from the list.
STEP 52: Assign the Gateway IP address; in my case the IP address is 192.168.1.2.
STEP 53: Now enter the SIC key that we set during the Security Gateway First Time Configuration Wizard (refer to STEP 42). After entering the one-time password (SIC key), click “Next”.
STEP 54: Click “Close”.
STEP 55: Mark “Edit Gateway properties for further configuration” and click “Finish”.
STEP 56: After establishing SIC, verify the General Properties.
STEP 57: On the Security Gateway —> “Network Management”, click “Get Interfaces” and then “Get interface with Topology” so that anti-spoofing is configured automatically.
STEP 58: Click “Accept”.
In the below image, only one interface has been added, so we see one interface IP address, that of eth0.
STEP 59: Install the Database.
STEP 60: Publish and Install.
