This is the second part of the tutorial that aims to deploy Check Point Gaia as a personal firewall under Linux. Let's assume that we have created the underlying network infrastructure with the scripts create_taps.sh and bridge_interfaces.sh in Part 1. This part goes further and explains the Gaia installation on a QEMU virtual machine (VM). We will use the same network topology depicted in Picture 1.1 of Part 1. Let's start with point 2.
Picture 1.1 Network Topology
2. Checkpoint Gaia Installation
First, we need to create an empty qcow2 VM disk image with the qemu-img utility, as Gaia will be installed into this image.
$ /usr/local/bin/qemu-img create -f qcow2 checkpoint.img 100G
As we downloaded the Gaia ISO image in Part 1 of the tutorial, we can start the Check Point Gaia VM with the ISO attached as the QEMU CD-ROM.
$ sudo /usr/local/bin/qemu-system-x86_64 -m 4096M -enable-kvm -smp 2 \
-boot d -cdrom Check_Point_R80.10_T462_Gaia.iso checkpoint.img \
-netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
-device e1000,netdev=net0,mac=00:11:22:33:44:00 \
-netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
-device e1000,netdev=net1,mac=00:11:22:33:44:01 \
-netdev tap,id=net2,ifname=tap2,script=no,downscript=no \
-device e1000,netdev=net2,mac=00:11:22:33:44:02
Below are the configuration options.
Select:
- Install Gaia on this system
- Proceed with the installation
- Keyboard - US
- Partition configuration - OK
- Username/Password: admin/check123point
- Choose management interface: eth0
- Management interface
-- IP address: 192.168.0.1
-- Netmask: 255.255.255.0
-- Default gateway: 192.168.0.254
Once you are asked to reboot the system, close the QEMU window.
3. Running the First Time Checkpoint Configuration Wizard
$ sudo /usr/local/bin/qemu-system-x86_64 -m 4096M -enable-kvm checkpoint.img \
-netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
-device e1000,netdev=net0,mac=00:11:22:33:44:00 \
-netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
-device e1000,netdev=net1,mac=00:11:22:33:44:01 \
-netdev tap,id=net2,ifname=tap2,script=no,downscript=no \
-device e1000,netdev=net2,mac=00:11:22:33:44:02 -smp 2
Note: You must specify the option -smp 2, otherwise the Gaia installation fails; at least two CPUs are required.
Note: Check with the command brctl show that the corresponding tap interfaces are attached to the bridges br0 and br2. If they are not, go back to Part 1.
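The launch commands of sections 2 and 3 and the two notes above can be wrapped so that both prerequisites are verified before QEMU is started. The script below is an added example written for this page; it is not a script from the tutorial, from Part 1, or from Check Point. It assumes QEMU at the path used above and, because Part 1 is not reproduced here, that tap1 is attached to a bridge named br1; the brctl show output embedded in it is a constructed sample with made-up bridge ids.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helpers for starting the
# Gaia VM with the tap interfaces from Part 1 and for checking the two
# prerequisites noted above (at least two vCPUs; taps attached to the bridges).
# Assumptions: QEMU lives at the path the tutorial uses, and tap1 sits on a
# bridge br1 (Part 1 is not on this page, so that placement is assumed).

QEMU=/usr/local/bin/qemu-system-x86_64

# Print the QEMU command line. Arguments: disk image, vCPU count, ISO (empty
# string to boot from the installed disk), then tap names. Tap number N gets
# netdev netN and an e1000 NIC with MAC 00:11:22:33:44:NN, as in the tutorial.
# Returns 1 without printing anything if fewer than two vCPUs are requested,
# because the Gaia installation fails with a single CPU.
build_gaia_cmd() {
    image=$1; smp=$2; iso=$3; shift 3
    if [ "$smp" -lt 2 ]; then
        echo "refusing to start: Gaia needs -smp 2 or more (got $smp)" >&2
        return 1
    fi
    cmd="$QEMU -m 4096M -enable-kvm -smp $smp"
    if [ -n "$iso" ]; then
        cmd="$cmd -boot d -cdrom $iso"
    fi
    cmd="$cmd $image"
    i=0
    for tap in "$@"; do
        mac=$(printf '00:11:22:33:44:%02x' "$i")
        cmd="$cmd -netdev tap,id=net$i,ifname=$tap,script=no,downscript=no"
        cmd="$cmd -device e1000,netdev=net$i,mac=$mac"
        i=$((i + 1))
    done
    echo "$cmd"
}

# Check that each tap is enslaved to the expected bridge. First argument is the
# text of `brctl show` (live: "$(brctl show)"), the rest are tap:bridge pairs.
# Reports every mismatch and returns 1; returns 0 when all taps are in place.
check_tap_bridges() {
    brctl_out=$1; shift
    rc=0
    for pair in "$@"; do
        tap=${pair%%:*}; want=${pair##*:}
        have=$(printf '%s\n' "$brctl_out" | awk -v t="$tap" '
            $1 == "bridge" && $2 == "name" { next }   # column header
            NF >= 3 { br = $1 }                        # line that names a bridge
            NF == 4 && $4 == t { print br; exit }      # first interface of a bridge
            NF == 1 && $1 == t { print br; exit }      # further interfaces
        ')
        if [ "$have" != "$want" ]; then
            echo "$tap: expected on $want, found ${have:-no bridge}" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `brctl show` output for the Part 1 layout (bridge ids
# are made up); in real use pass "$(brctl show)" instead.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              tap0
                                                        tap00
br1             8000.0011223344bb       no              tap1
br2             8000.0011223344cc       no              enp4s0f2
                                                        tap2'

# Typical use (needs root and the taps created in Part 1):
#   check_tap_bridges "$(brctl show)" tap0:br0 tap2:br2 || exit 1
#   sudo sh -c "$(build_gaia_cmd checkpoint.img 2 Check_Point_R80.10_T462_Gaia.iso tap0 tap1 tap2)"
```

Run the bridge check first and only then hand the generated command line to sudo; for the second boot (section 3) pass an empty string instead of the ISO so the VM starts from the installed disk.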
Use a web browser to connect to the Gaia web portal at https://192.168.0.1. If the Gaia portal shows a blank page after login with Firefox 5x or Chrome 66, log in to the Gaia CLI and enter expert mode. You need to configure the expert-mode password first:
gw-123456> set expert-password
Log in to expert mode with the command:
gw-123456> expert
[Expert@gw-123456:0]#
Copy the following command into the expert-mode CLI of the affected machine and then reload the Gaia Portal login page (Reference). Now you should be able to load the First Time Configuration Wizard in your web browser (Picture 3.1).
Picture 3.1 - R80.10 First Time Configuration Wizard
Click Next and select the option Continue with R80.10 configuration. Configure the IP settings for the management interface (Picture 3.2).
Picture 3.2 - IP Address Configuration for Management Interface Eth0
Configure the interface used for the connection to the Internet (Picture 3.3). It is the interface eth2, which is connected to the interface tap2 and bridged to the host interface enp4s0f2 by the bridge br2 (172.17.100.6/16).
Picture 3.3 - Configuring Interface for Internet Connection
The next step includes the configuration of the hostname, domain name and DNS. We will use the Google DNS servers 8.8.8.8 and 8.8.4.4 for name resolution. Continue with the NTP server configuration (Picture 3.4).
Picture 3.4 - NTP Server Configuration
In the next window you select the Installation Type. Choose both options, Security Gateway and/or Security Management. Click Next and you will see the Product window (Picture 3.5).
Picture 3.5 - Product
The next window is Security Management Administrator. Select the option Use Gaia administrator: admin. Picture 3.6 displays the IP settings for the GUI clients that are allowed to log in to the Security Management. Configure the network 192.168.0.0/24.
Picture 3.6 - IP Settings for GUI Clients Configuration
Picture 3.7 summarizes the First Time Configuration Wizard settings.
Picture 3.7 - First Time Configuration Wizard Settings
The installation process begins.
4. GAiA After Install Steps
Once Gaia boots up, log in to the web portal using the URL https://192.168.0.1. Configure the IP address 192.168.1.1 for the interface eth1. It is an IP address from the internal network and it is the default gateway IP for the clients connecting to the Internet. Navigate to Network Management -> Network Interfaces. Select the interface eth1 and click the Edit button (Picture 4.1).
Picture 4.1 - List of Gaia Interfaces
Tick Enable and configure the IP address 192.168.1.1 with the mask 255.255.255.0 (Picture 4.2).
Picture 4.2 - Configuring IP Address for Interface Eth1 of Gaia Appliance
Check the static default route on Gaia. Navigate to Network Management -> IPv4 Static Routes (Picture 4.3).
Picture 4.3 - Static default Route Via 192.168.0.254
Select the default route, click the Edit button and replace the next hop 192.168.0.254 with 172.17.100.1 (Picture 4.4). This is the IP address of the SOHO router, which is the gateway to the Internet for the Gaia appliance; NAT is enabled on it.
Picture 4.4 - Changing Static Default Route to 172.17.100.1
We need to check whether forwarding is enabled between the Gaia interfaces. As we test Gaia in a lab environment, we are going to enable it permanently for all interfaces; however, in a real-world scenario forwarding should not be enabled for the management interface eth0. Connect to the Gaia console via SSH and switch to expert mode with the command expert. Enable IPv4 forwarding with the commands below. The first command takes effect immediately; the second reloads /etc/sysctl.conf, so the setting survives a reboot only if that file contains net.ipv4.ip_forward = 1.
# sysctl -w net.ipv4.ip_forward=1
# sysctl -p /etc/sysctl.conf
Now we can change the next-hop IP address of the default route on the host from 172.17.100.1 to the IP address of the Gaia internal interface eth1 (192.168.1.1). This is done in the CLI of Kubuntu.
$ sudo ip route del default via 172.17.100.1
$ sudo ip route add default via 192.168.1.1
Note: When you have finished the installation of both Gaia and Windows 7 on QEMU VMs, change the value of the variable 'gw_ip' from 172.17.100.1 to 192.168.1.1 in the script bridge_interfaces.sh. The next time you start the network infrastructure with the script, the default gateway is set correctly.
As the last step, we need to create a static route for 192.168.0.0/16 on the SOHO router (172.17.100.1) pointing to the next-hop IP address 172.17.100.50 (Gaia, eth2). You need to do this yourself, depending on the SOHO router you possess.
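The host-side part of this section, the default-route switch on Kubuntu and the gw_ip note, can be scripted so the change is only applied when the host is still in the state the tutorial expects. The script below is an added example for this page, not code from the tutorial or from Part 1. It assumes that bridge_interfaces.sh sets the gateway with a line of the form gw_ip=172.17.100.1 (Part 1 is not reproduced here, so that layout is an assumption), and the ip route output embedded in it is a constructed sample built from the addresses used above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: host-side helpers for the
# route change in this section. Assumption: bridge_interfaces.sh from Part 1
# (not shown on this page) sets the gateway with a line of the form
#   gw_ip=172.17.100.1

# Print the gateway of the default route from `ip route show` output given as
# text; prints nothing when there is no default route.
# Live use: default_gw "$(ip route show)"
default_gw() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }
    '
}

# Replace the default route with `new`, but only if the current gateway is
# `old`; a host whose routing no longer matches the tutorial is left alone.
# `ip route replace` swaps the route in one step, so unlike `del` followed by
# `add` there is no moment without a default route.
swap_default_gw() {
    old=$1; new=$2
    cur=$(default_gw "$(ip route show)")
    if [ "$cur" != "$old" ]; then
        echo "default gateway is ${cur:-unset}, expected $old; nothing changed" >&2
        return 1
    fi
    sudo ip route replace default via "$new"
}

# Rewrite the gw_ip= line of the bridge script (through a temporary copy, which
# works with both GNU and BSD sed). Returns 1 if the line is absent.
set_gw_ip() {
    file=$1; new=$2
    grep -q '^gw_ip=' "$file" || { echo "no gw_ip= line in $file" >&2; return 1; }
    sed "s/^gw_ip=.*/gw_ip=$new/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample of `ip route show` on the Kubuntu host before the change
# (addresses from the tutorial: br0 192.168.0.3/24, br2 172.17.100.6/16).
SAMPLE_ROUTES='default via 172.17.100.1 dev br2 proto static
172.17.0.0/16 dev br2 proto kernel scope link src 172.17.100.6
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.3'

# Typical use, once Gaia forwards traffic and eth1 carries 192.168.1.1:
#   swap_default_gw 172.17.100.1 192.168.1.1
#   set_gw_ip ./bridge_interfaces.sh 192.168.1.1
```

The guard in swap_default_gw matters when the tutorial is replayed: if the route was already moved to 192.168.1.1 (or the host has no default route at all), the function refuses rather than silently pointing the host at the wrong gateway.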
5. Smart Console Installation and Configuration on Windows 7 QEMU VM
Windows installation on a QEMU VM is not discussed in this tutorial. The Check Point SmartConsole R80.10 release accumulates GUI client fixes for R80.10, and we need it to configure firewall rules. Download SmartConsole R80.10 from the Check Point portal. When the download is finished, install the console on the Windows VM.
As the next step, we will configure the static IP address 192.168.0.2/24 from the management address pool on the Windows QEMU VM. Shut down Windows and start it with the command below.
$ sudo /usr/local/bin/qemu-system-x86_64 -m 2048M -enable-kvm win7-base-clean.img \
-device usb-ehci -device usb-kbd -netdev tap,id=net00,ifname=tap00,script=no,downscript=no \
-device e1000,netdev=net00,mac=00:11:22:33:40:00
The command connects the Windows Ethernet interface to the interface tap00. The interfaces tap0 and tap00 are connected to the bridge br0 (192.168.0.3/24). The eth0 management interface of the Gaia appliance is connected to the tap0 interface when the QEMU Gaia VM is started.
Start SmartConsole (Picture 5.1) and log in with the username/password admin/check123point.
Picture 5.1 - Starting Checkpoint SmartConsole
Navigate to Security Policies on the left and create a security policy that passes all traffic through the firewall (Picture 5.2). Then click the Install Policy button, followed by Publish & Install and Install. You can check the progress of the policy installation in the bottom left corner of the SmartConsole screen.
Picture 5.2 - Creating Security Policy to Pass All Traffic via Firewall
Connect to the Gaia web portal at https://192.168.0.1 and notice that the Firewall software blade is no longer grey (Picture 5.3).
Picture 5.3 - Status of the Firewall Software Blade in the Gaia Web Interface
Create other firewall rules according to your needs.
End.