Check Point GAiA is the next-generation secure operating system for all Check Point appliances, open servers and virtualized gateways. In this tutorial we will create a network infrastructure that supports using a Gaia QEMU VM as a personal firewall on Ubuntu Linux. We will also go through the entire installation of Gaia on a QEMU VM. The firewall appliance can be used for a period of up to 15 days covered by the free trial Gaia license (no registration needed).
Hardware: Asus K55VM laptop:
- Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
- RAM - 2 x Kingston DDR3 8192MB
- HDD - ST1000LM024 HN-M101MBB 1000GB
Hardware requirements:
- Gaia QEMU VM: RAM - 4096MB, HDD - 15GB
- Windows 7 QEMU VM: RAM 2048MB, HDD - 15 GB
Software:
Host - Kubuntu Linux 18.04.1 LTS with QEMU emulator version 3.0.0 and the KVM module installed
Guest 1 - Check Point GAiA R80.10, OS build 462, OS kernel version 2.6.18-92cpx86_64
Guest 2 - Windows 7 Home Premium x86 with SmartConsole R80.10 Build 991140073 installed
Credentials - username/password:
- Gaia web portal: admin/check123point
- Gaia expert mode: check123point
- Windows 7: no password set
First, log in to the Check Point customer portal with your credentials. If you do not possess a valid account, register one for free. Now you can download the Check Point GAiA R80.10 ISO image: click the link and hit the Download button.
1. Configure Linux Ubuntu for Connection to Gaia OS
The network infrastructure is depicted in Picture 1.1.
Picture 1.1 - Network Infrastructure Using Gaia as Personal Firewall on Linux
The management network 192.168.0.0/24 is used for Gaia management. It consists of the interface eth0 of the Gaia appliance (192.168.0.1/24), the bridge br0 (192.168.0.3/24) and the QEMU VM2 appliance (192.168.0.2/24). The bridge br0 connects the interfaces tap0 and tap00. The QEMU VM2 machine is attached to the interface tap00; it runs Windows 7 x86 with Check Point SmartConsole R80.10 installed.
The internal network 192.168.1.0/24 is where the internal clients reside. There are no virtual machines connected to this network. The host PC running Kubuntu 18.04 is the only client connected to the internal network, via the interface tap1. The interface tap1 is directly connected to the Gaia interface eth1 when Gaia VM1 is started; no bridge is used. The tap1 interface is configured with the IP address 192.168.1.2/24. The Gaia Ethernet 1 interface is configured with the IP address 192.168.0.1/24. In order to send traffic from the internal network 192.168.1.0/24 to the Internet, we need to configure the default route via the IP address 192.168.0.1 (Gaia, eth1). We will configure it later in the part Post installation steps.
The external network 172.17.0.0/16 is used for the connection to the Internet. The network includes the interface eth2 on Gaia (172.17.100.50/16), the interface tap2 and the bridge br2. In order to connect Gaia to the Internet, the default gateway must be set to 172.17.100.1 in the Gaia configuration. We will configure it later in the tutorial. The interface eth2 is connected to the interface tap2 by QEMU when the Gaia VM is started. The bridge br2 connects tap2 and the Ethernet interface enp4s0f2 together. The interface enp4s0f2 is the NIC of the Asus K55VM laptop and it is connected to the LAN interface of the SOHO router (172.17.100.1/16). In fact, the SOHO router acts as the gateway to the public Internet and NAT is done there. In order to send traffic coming back from the SOHO router to the internal network 192.168.1.0/24 attached to the Gaia interface eth1, a static route must be created on the SOHO router. The route points the network 192.168.0.0/16 via the IP address 172.17.100.50 (Gaia interface eth2). We will create the route later in the tutorial.
I have created three scripts, create_taps.sh, bridge_interface.sh and delete_config.sh, that help me automate creating Linux bridges and tap interfaces and attaching the corresponding interfaces to the bridges. Use them on your own, but you will need to modify them to match your configuration; in particular, set variables such as eth_int, br_ip and gw_ip according to your network topology.
First, we will create the tap interfaces tap00, tap0 and tap1 with the script create_taps.sh.
$ ./create_taps.sh
Second, we will create the bridge br0 with the attached interfaces tap00 and tap0, using the script ./bridge_interface.sh with the positional argument 0.
$ ./bridge_interface.sh 0
Finally, we will create the bridge br2 with the attached interfaces enp4s0f2 and tap2, using the script ./bridge_interface.sh with the argument 2.
$ ./bridge_interface.sh 2
Now check whether the interfaces have been created properly with the command below. The file interfaces.txt lists the interfaces that should have been created by the scripts.
$ ifconfig | grep -v 'lo'
Check whether bridges have been created and the corresponding interfaces (Picture 1.2) are attached to them.
$ brctl show
Picture 1.2 - Bridges with Attached Interfaces
Note: I suggest checking the bridging again after starting each QEMU VM. I noticed that sometimes Linux attached the interface to the wrong bridge when a QEMU VM was started. If this is your case, you have to manually remove the interface from the bridge and rerun the script ./bridge_interface.sh with the particular argument.
Note: Use the script delete_configuration.sh to revert the configuration to its initial state, more precisely to delete the bridges and tap interfaces.
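As an added example (not the author's create_taps.sh, bridge_interface.sh or delete_config.sh), the script below builds the same topology with iproute2 commands instead of brctl and ifconfig. The host address on br2 (BR2_IP) and the tap owner (TAP_USER) are assumptions the tutorial does not state; DRY_RUN=1 prints each command instead of executing it, so the plan can be reviewed before the laptop NIC is moved into the bridge.

```shell
#!/usr/bin/env bash
# Added example (not the tutorial's own scripts): builds the tutorial's topology with iproute2.
# DRY_RUN=1 prints each command instead of executing it; otherwise run as root.
set -eu

ETH_INT="${ETH_INT:-enp4s0f2}"        # laptop NIC bridged into br2 (from the tutorial)
BR0_IP="${BR0_IP:-192.168.0.3/24}"    # management bridge address (from the tutorial)
TAP1_IP="${TAP1_IP:-192.168.1.2/24}"  # host address on the internal network (from the tutorial)
BR2_IP="${BR2_IP:-172.17.100.3/16}"   # ASSUMED host address on br2; the tutorial does not give one
TAP_USER="${TAP_USER:-${USER:-root}}" # tap owner, so QEMU can open the taps without root

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Members of bridge N as described in the tutorial: br0 = tap00 + tap0, br2 = NIC + tap2.
bridge_members() {
  case "$1" in
    0) echo "tap00 tap0" ;;
    2) echo "$ETH_INT tap2" ;;
    *) echo "unknown bridge index: $1" >&2; return 1 ;;
  esac
}

create_taps() {   # create_taps.sh equivalent; tap2 is included here because br2 needs it
  for t in tap00 tap0 tap1 tap2; do
    run ip tuntap add dev "$t" mode tap user "$TAP_USER"
    run ip link set "$t" up
  done
  run ip addr add "$TAP1_IP" dev tap1   # tap1 faces Gaia eth1 directly, no bridge
}

bridge_interface() {   # bridge_interface.sh equivalent; argument is 0 or 2
  local n="$1" members m
  members=$(bridge_members "$n")
  run ip link add "br$n" type bridge
  for m in $members; do run ip link set "$m" master "br$n"; done
  if [ "$n" = 2 ]; then
    run ip addr flush dev "$ETH_INT"    # the NIC's address moves onto the bridge
    run ip addr add "$BR2_IP" dev br2
  else
    run ip addr add "$BR0_IP" dev br0
  fi
  run ip link set "br$n" up
}

delete_config() {   # delete_config.sh equivalent: remove bridges, then taps
  for b in br0 br2; do run ip link del "$b"; done
  for t in tap00 tap0 tap1 tap2; do run ip tuntap del dev "$t" mode tap; done
}
case "${1:-}" in taps) create_taps ;; bridge) bridge_interface "$2" ;; delete) delete_config ;; esac
```

Run it as `./topology.sh taps`, then `./topology.sh bridge 0` and `./topology.sh bridge 2`; afterwards `ip -br link` and `bridge link` show the same membership that `brctl show` does in Picture 1.2.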
Check Point Gaia installation and configuration is discussed in the second part of the tutorial.