NOKIA IPSO 4.1 & Check Point NGX R61
Installation and Setup
I. Scope of this document
II. First-time setup after delivery
III. Using Web Voyager
IV. Installing Check Point for Nokia
V. Reinstalling IPSO and all security packages
VI. Restoring factory state
VII. Recovering a forgotten admin password
VIII. Manual filesystem repair
IX. FAQ
X. Appendix A: Common commands
XI. Appendix B: Technical support form
I. Scope of this document
This document applies to the following platforms:
Hardware: Nokia IP110, IP120, IP130, IP260, IP265, IP330, IP350, IP355, IP380, IP385, IP390, IP440, IP530, IP560, IP650, IP710, IP740, IP740E, IP1220, IP1260, IP2250, IP2255
Operating system: IPSO 4.1
Check Point: NGX R61
II. First-time setup after delivery
If the Nokia appliance is being set up for the first time after delivery, connect the supplied serial console cable between the appliance's console port and a serial port on a PC.
Open HyperTerminal (COM port settings: see the figure; the Nokia console default is 9600 baud, 8 data bits, no parity, 1 stop bit), power on the appliance and watch the self-test messages.
1. When the following prompt appears, enter the hostname you have chosen:
Please choose the host name for this system. This name will be used in messages and usually corresponds with one of the network hostnames for the system. Note that only letters, numbers, dashes, and dots (.) are permitted in a hostname.
Hostname? IP380
Hostname set to “IP380”, OK? [y]
2. Next, set the admin password as prompted. This is the only account on a new system, so choose a strong password.
Please enter password for user admin:
Please re-enter password for confirmation:
3. Choose how the system will be configured.
You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a remote browser
2) VT100-based Lynx browser
Please enter a choice [ 1-2, q ]: 1
Note: choosing option 1 does not prevent you from using option 2 (the Lynx text browser) later as well.
4. Select an interface and configure an IP address on it.
Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-5]: 1
Enter the IP address to be used for eth1: 192.168.0.220
Enter the masklength: 24
Do you wish to set the default route [ y ] ?
Enter the default router to use with eth1:192.168.0.1
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ?
* If the connected device supports 100 Mbit/s, answer y.
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ?
* If the connected device supports full duplex, answer y.
You have entered the following parameters for the eth1 interface:
IP address: 192.168.0.220
masklength: 24
Default route: 192.168.0.1
Speed: 10M
Duplex: half
Is this information correct [ y ] ?
* Confirm that every value matches what you entered above before answering y.
5. Choose whether to configure VLANs on the interface
Do you want to configure Vlan for this interface[ n ] ?
* If you do not need inter-VLAN routing or per-VLAN security policy, answer n.
6. One interface is now configured; the remaining configuration can be done through Web Voyager at this interface's IP address.
You may now configure your interfaces with the Web-based Voyager by typing in the IP address “192.168.0.220” at a remote browser.
7. Configure SNMP
Do you want to change SNMP Community string[ n ] ?
* Not needed at this point; answer n. If SNMP is enabled later, do not leave the community string at its default value.
8. Network services are reinitialized and a new login prompt appears:
IPSO (IP380) (ttyd0)
login:
You can now continue the configuration in Web Voyager.
III. Using Web Voyager
Open a web browser and enter the address configured above, http://192.168.0.220.
A dialog asks for a username and password. Plain HTTP sends the admin password in clear text, so use it only from a trusted management network and switch Voyager to HTTPS once the system is reachable.
1. Log in as admin. After the password is accepted you are in Voyager; click Configuration to enter the configuration pages.
2. Configure the firewall interfaces
Enable each interface and set its link speed and duplex mode.
3. Configure Interfaces
To set a new IP address, enter it in New IP address and the prefix length in New mask length, then click Apply -> Save.
To delete an IP address, tick Delete next to it in the list, then click Apply -> Save.
4. Set the system time
Under System Configuration select Time,
and set the time zone and local time. Do this before running cpconfig: the validity period of the Internal CA's certificates and the firewall log timestamps both depend on a correct clock.
5. Configure the hosts list
Under System Configuration select Host Address.
To add an entry, type the hostname in Add new hostname and click Apply, then enter the matching IP address in the list
and click Apply -> Save. To remove a hostname from the list, set its entry to off.
6. Verify the local hostname
Under System Configuration select Hostname.
If the hostname is wrong, fix it before installing other packages (cpconfig names the Check Point Internal CA after the host when it initializes it). After changing it, click Apply -> Save.
7. Set static routes
Under System Configuration select Routing -> Static Routes.
a) Default route
Set Default to on -> click Apply -> Gateway type: address -> click Apply,
enter the default gateway IP address -> click Apply -> Save. To remove it, select off and click Apply -> Save.
b) Adding static routes
Fill in the Quick-add static routes list using the format of the example.
Example:
192.168.1.0/24 10.1.1.1
To delete a route, select off in the route list and click Apply -> Save.
8. Turn on the required packages (the Package Management page referred to here is the NGX R60 one)
Steps: under System Configuration select Packages -> Manage Packages
a) Set Check Point VPN-1 Pro/Express NGX R61 (Mon Mar 6 10:56:42 IST 2006 Build 602000207) to on
b) Click Apply -> Save.
c) Set Check Point CPinfo (Thu Dec 22 14:03:00 IST 2005 Build 911000031) to on
d) Click Apply -> Save.
e) Log in again so that the corresponding environment variables take effect.
The basic IPSO setup is now complete and other packages can be installed. The next section covers installing the Check Point package.
IV. Installing Check Point for Nokia
a) Full NGX R61 installation walkthrough
IP380[admin]# cpconfig
Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...
* Press Enter, then keep pressing Space to page through the license text until you see:
Do you accept all the terms of this license agreement (y/n) ? y
Please select one of the following options :
Check Point Enterprise/Pro – for headquarters and branch offices.
Check Point Express – for medium-sized businesses.
-----------------------------------------------------------------------------
(1) Check Point Enterprise/Pro.
(2) Check Point Express.
Enter your selection (1-2/a-abort) [1]: 1
Select installation type:
------------------------------
(1) Stand Alone – install VPN-1 Pro Gateway and SmartCenter Enterprise.
(2) Distributed – install VPN-1 Pro Gateway, SmartCenter and/or Log Server.
Enter your selection (1-2/a-abort) [1]:
* Press Enter to accept the default, Stand Alone (gateway and SmartCenter on the same appliance), which is what the rest of this walkthrough assumes.
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you
will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by
running cpconfig
Configuring Licenses...
=======================
Host Expiration Signature Features
Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.
Do you want to add licenses (y/n) [y] ? n
* Answer n here; the license is added with cplic put after the reboot (see the end of this section).
Configuring Administrators...
=============================
No Check Point products Administrators are currently
defined for this SmartCenter Server.
Do you want to add an administrator(y/n) [y] ? y
Administrator name:admin
Password:
Verify Password:
Administrator admin was added successfully and has Read/Write Permission for all products with Permission to Manage Administrators
Configuring GUI Clients...
=================================
GUI clients are trusted hosts from which
Administrators are allowed to log on to this SmartCenter Server
using Windows/X-Motif GUI.
No GUI clients defined
Do you want to add a GUI client (y/n) [y] ?y
You can add GUI Clients using any of the following formats:
1. IP address.
2. Machine name.
3. “Any” – Any IP without restriction
4. IP/Netmask – A range of addresses, for example 192.168.10.0/255.255.255.0
5. A range of addresses – for example 192.168.10.8-192.168.10.16
6. Wild cards(IP only)- for example 192.168.10.*
Please enter the list hosts that will be GUI clients.
Enter GUI Client one per line, terminating with CTRL-D or your EOF character.
Any (Ctrl-D)
Warning:Every gui client can connect to this SmartCenter Server.
Is this correct (y/n) [y] ?y
* "Any" is the least restrictive choice: every host that can reach the SmartCenter may attempt to log in with the GUI. Prefer entering the management station's IP address or subnet (formats 1, 4 or 5 above); the list can be changed later by rerunning cpconfig.
Configuring Group Permissions...
==========================
Please specify group name[<RET> for super-user group]:
No group permissions will be granted. Is this ok(y/n)[y]?y
Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in
various cryptographic operations.
Please enter random text containing at least six different
characters. You will see the '*' symbol after keystrokes that
are too fast or too similar to preceding keystrokes. These
keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[....................] *
Thank you.
Configuring Certificate Authority...
====================================
The Internal CA will now be initialized
With the following name: IP380
Initializing the Internal CA…(may take several minutes)
Internal Certificate Authority created successfully
Certificate was created successfully
Certificate Authority initialization ended successfully
Trying to contact Certificate Authority. It might take a while...
IP380 was successfully set to the Internal CA
Done
Configuring Certificate’s Fingerprint...
====================================
The following text is the fingerprint of this SmartCenter Server:
ALGA WING MAIL BEAK FEET BURL ACHE ROW DESK VINE BOIL MESH
Do you want to save it to a file?(y/n)[n]?n
* Record this fingerprint. The GUI client shows the server's fingerprint on first connection, and comparing it against this value is how an intercepted management connection is detected.
generating INSPECT code for GUI Clients
initial_management:
Compiled OK.
Hardening OS Security:Initial policy will be applied
Until the first policy is installed
In order to complete the installation
you must reboot the machine.
Do you want to reboot?(y/n)[y]?y
************* Installation completed successfully *************
IP380[admin]# cplic put 192.168.0.220 13Sep2006 ay64zdQT9-4cXL6we63-Jze3FiPQk-wrxHCbk3d CPMP-EVAL-1-NGX CK-51DDD02B7CB5
Host Expiration Features
192.168.0.220 13Sep2006 CPMP-EVAL-1-NGX CK-51DDD02B7CB5
IP380 [admin]# reboot
After the reboot, the Check Point NGX R61 installation is complete. Note that the license shown above is a time-limited evaluation license (it expires on 13Sep2006) and must be replaced with the production license for this appliance.
V. Reinstalling IPSO and all security packages
1. Use bootmgr to reinitialize the filesystem (full installation). Reboot, press 1 at the prompt to enter bootmgr, and run install. As the warning states, this destroys every file on the disk, so copy /config/active off the appliance first if the configuration may be needed again.
BOOTMGR[1]> install
############### IPSO Full Installation #################
You will need to supply the following information:
Client IP address/netmask, FTP server IP address and filename,
system serial number, and other license information.
This process will DESTROY any extant files and data on your disk.
##############################################
Continue? (y/n) [n] y
Motherboard serial number is 12345678.
The chassis serial number can be found on a
sticker on the back of the unit with the letters
S/N in front of the serial number.
Please enter the serial number: 12345678
Please answer the following licensing questions.
Will this node be using IGRP ? [y] n
Will this node be using BGP ? [y] n
1. Install from anonymous FTP server.
2. Install from FTP server with user and password.
Choose an installation method (1-2): 2
Enter IP address of this client (0.0.0.0/24): 192.168.0.220/24
Enter IP address of FTP server(0.0.0.0): 192.168.0.11
Enter IP address of the default gateway (0.0.0.0): 192.168.0.11
Choose an interface from the following list:
1) eth1
2) eth2
3) eth3
4) eth4
Enter a number [1-4]: 1
Choose interface speed from the following list:
1) 10Mbit/sec
2) 100Mbit/sec
Enter a number [1-2]:2
Half or full duplex?[h/f] [h] f
Enter user name on FTP Server: admin
Enter password for “admin”:
Enter path to ipso image on FTP server [~]:/
Enter ipso image filename on FTP server [ipso.tgz]:
1. Retrieve all valid packages, with no further prompting.
2. Retrieve packages one-by-one, prompting for each.
3. Retrieve no packages.
Enter choice [1-3] [1]: 2
Client IP address = 192.168.0.220/24
Server IP address = 192.168.0.11
Default gateway IP address = 192.168.0.11
Network Interface = eth1, speed = 100M, full-duplex
Server download path = [//]
Package install type = prompting
Mirror set creation = no
Are these values correct? [y]y
Checking what packages are available on 192.168.0.11
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
#
The following packages are available:
IPSO_wrapper_R61.tgz
Building filesystems...done.
Making initial links…done.
Downloading compressed tarfile(s) from 192.168.0.11
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
100% 29156KB 00:00 ETA
Do you wish to Download IPSO_wrapper_R61.tgz(y/n) ?:y
Hash mark printing on(1048576 bytes/hash mark).
Interactive mode off.
100% 72898KB 00:00 ETA
Checking validity of image...done.
Checking validity of pkgs...done.
Installing image...done.
Image version tag: IPSO-4.1-BUILD013-03.27.2006-223017-1515.
Checking if bootmgr upgrade is needed...
Do you want to upgrade bootmgr anyway? [n]y
Need to upgrade bootmgr.Proceeding…
Upgrading bootmgr....
new bootmgr size is 1474560
old bootmgr size is 1474560
Saving old bootmgr.
Installing new bootmgr.
Verifying installation of bootmgr.
Packages being stored in /mnt/opt/tmp .
You will be given a chance to install and activate each package
at your first reboot.
Installation completed.
Reset system or hit <Enter> to reboot.
Starting reboot.
Loading Package List
Package Description:Check Point Suite wrapper package NGX R61
Would you like to :
1. Install this as a new package
2. Upgrade from an old package
3. Skip this package
4. Exit new package installation
Choose (1-4): 1
Installing IPSO_wrapper_R61.tgz
Running IPSO_wrapper_R61/INSTALL PRE /opt/IPSO_wrapper_R61 /opt/tmp
/IPSO_wrapper_R61.tgz IPSO_wrapper_R61/MANIFEST newpkg
Running IPSO_wrapper_R61/INSTALL POST /opt/IPSO_wrapper_R61 /opt/tmp
/IPSO_wrapper_R61.tgz IPSO_wrapper_R61/MANIFEST newpkg
It is required to configure Check Point products before activating them,you can do so by re-login to the machine and running “cpconfig” from the command line.
Done installing IPSO_wrapper_R61
End of new package installation
Cleaning up…done
A reboot may be necessary to activate packages.
Cleaning up…
Syncing disks…done
Rebooting…
2. Upgrading IPSO with the newimage command
a) Use Web Voyager to enable the FTP service on IPSO
Under Security and Access select Network Access and Services. FTP carries the admin password and the image in clear text, so enable it only for the upload, from a trusted management network, and turn it off again afterwards.
b) Have the new ipso.tgz ready and upload it to the Nokia appliance:
C:\>ftp 192.168.0.220
Connected to 192.168.0.220.
220 IP380 FTP server (Version 6.00) ready.
User (192.168.0.220:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> pwd
257 "/var/emhome/admin" is current directory.
ftp> bin
200 Type set to I.
ftp> lcd e:\
Local directory now E:\.
ftp> lcd technical\NOKIA\ipso3.51
Local directory now E:\technical\NOKIA\ipso3.51.
ftp> hash on
Hash mark printing On  ftp: (2048 bytes/hash mark).
ftp> put ipso.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for 'ipso.tgz'.
#################################################
###########################################
226 Transfer complete.
ftp: 29088761 bytes sent in 40.04Seconds 726.53Kbytes/sec.
ftp> bye
221 Goodbye.
C:\>
Connect to the console port with the serial cable and log in with the admin password.
IP380[admin]# ls
.cshrc .history .login .profile ipso.tgz
Verify the MD5 checksum against the value Nokia publishes for the release. This is essential: an operating-system image whose MD5 does not match must never be installed, since a corrupt or tampered image will bring down the entire system. Note in the newimage output below that no signature file is found, so this manual comparison is the only integrity check the image receives.
IP380[admin]# md5 ipso.tgz
MD5 (ipso.tgz) = 0266af5dd66a85b71088e47f9d5d7571
IP380[admin]#
Install the new operating system image:
IP380[admin]# newimage -l -R ipso.tgz
usage: basename string [suffix]
Validating image...(no signature file found, continuing)...done.
Version tag stored in image: IPSO-4.1-BUILD013-03.27.2006-223017
Setting up new image...done.
Checking if bootmgr upgrade is needed...
Upgrading bootmgr....
Saving old bootmgr.
Installing new bootmgr.
Verifying installation of bootmgr.
To install/upgrade your packages run /etc/newpkg after REBOOT
Please reboot immediately
IP380[admin]#
A new IPSO image can also be installed directly from a remote FTP server; see newimage help for details.
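As an added example (it is not from the Nokia or Check Point documentation and not the appliance's own tooling), the following POSIX shell wrapper makes the checksum step above mechanical: it computes the image's MD5 with whichever tool the host has (md5 on IPSO, md5sum on a Linux staging box), compares it with the value taken from the vendor's checksum listing, and only then calls newimage. The expected hash is supplied by the caller; the function and file names are the example's own, and the hash values in its comments are placeholders rather than real release checksums.

```shell
#!/bin/sh
# verify_ipso_image.sh (added example, not from the Nokia/Check Point guide)
# Refuse to hand an image to newimage unless its MD5 matches the vendor value.
# Assumes either md5 (IPSO/BSD) or md5sum (Linux) is on the PATH.

# Print the lowercase MD5 hex digest of a file, whichever tool is available.
# Exit status 2 if the file is unreadable or no hashing tool exists.
file_md5() {
    [ -r "$1" ] || { echo "file_md5: cannot read $1" >&2; return 2; }
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print tolower($1)}'
    elif command -v md5 >/dev/null 2>&1; then
        # BSD md5 prints "MD5 (file) = <hash>"; keep only the hash.
        md5 "$1" | sed 's/.*= //' | tr 'A-F' 'a-f'
    else
        echo "file_md5: no md5 or md5sum tool found" >&2
        return 2
    fi
}

# Pull the expected hash for one file out of a BSD-style checksum listing
# ("MD5 (ipso.tgz) = 0266af5d..."), the same format the md5 command prints.
# $1 = listing file, $2 = image file name as it appears in the listing.
expected_from_listing() {
    sed -n "s/^MD5 ($2) = \([0-9a-fA-F]*\)\$/\1/p" "$1" | head -n 1
}

# Compare a file against an expected MD5 (case-insensitive).
# Exit status: 0 match, 1 mismatch, 2 the hash could not be computed.
verify_image() {
    image="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_md5 "$image") || return 2
    [ -n "$actual" ] || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image MD5 $actual matches the expected value"
        return 0
    fi
    echo "MISMATCH: $image MD5 $actual, expected $expected; refusing to install" >&2
    return 1
}

# Only call newimage after the check passes. newimage's own validation does
# nothing for authenticity when no signature file is present, so a failed
# check must stop the install rather than just warn.
install_image() {
    verify_image "$1" "$2" || return $?
    newimage -l -R "$1"
}

# Usage on the appliance, with the MD5 copied from the vendor listing:
#   . ./verify_ipso_image.sh && install_image ipso.tgz 0266af5dd66a85b71088e47f9d5d7571
```

Because newimage reports "no signature file found, continuing" and proceeds anyway, the wrapper treats the vendor MD5 as mandatory input: it exits with status 1 on a mismatch and 2 if the hash could not be computed, and the install step is skipped in both cases. The same check applies to package files before they are fed to newpkg.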
3. Installing new packages or patches with the newpkg command
IP380[admin]# newpkg
Load new package from:
1. Install from CD-ROM.
2. Install from anonymous FTP server.
3. Install from FTP server with user and password.
4. Install from local filesystem.
5. Exit new package installation.
Choose an installation method (1-5):
Follow the interactive prompts.
Check Point package media are placed under /opt/packages/.
VI. Restoring factory state
a) Connect to the Nokia appliance via the console.
b) Run mv /config/active /config/active.old (keeps the old configuration so it can be restored later) or rm /config/active (discards it).
c) Reboot. The appliance comes up without a configuration and runs the first-time setup dialog from section II.
VII. Recovering a forgotten admin password
If the admin password is forgotten or unknown, it can be reset as follows:
a) Reboot and press 1 at the prompt to enter bootmgr.
b) Run boot -s. At the prompt "Enter pathname of shell or RETURN for sh:" press Return, then run /etc/overpw:
#/etc/overpw
Please enter password for user admin:
Please re-enter password for confirmation:
Continue?[n]y
Admin password changed.You may enter ^D to continue booting.
THIS IS A TEMPORARY PASSWORD CHANGE.
PLEASE USE VOYAGER TO CREATE A PERMANENT PASSWORD FOR THE USER ADMIN.
#
* Anyone with console access can reset the password this way, so physical access to the appliance and its console port must be controlled. The change is temporary until a permanent password is set in Voyager.
VIII. Manual filesystem repair
a) Reboot and press 1 at the prompt to enter bootmgr.
b) Run
boot -s
then change to the /sbin directory and run: fsck -y
IX. FAQ
1. What is the FireWall Flows feature on the Nokia IP Series Appliance?
The FireWall Flows feature is designed to increase the performance of FireWall-1 on Nokia platforms. VPN-1/FireWall-1 Flows (known as Flows) increases the throughput of VPN-1/FireWall-1 software running on the Nokia appliance; only the Nokia platform implements Flows, starting with IPSO 3.3 and later. VPN-1/FireWall-1 is integrated directly in the path of the packets, and Flows uses cached connection state information to make faster decisions where possible.
Flows reduces the overhead associated with FireWall-1 by moving a copy of the connection table to the device driver hardware interrupt level, eliminating calls into FireWall-1 for existing connections. Only the first packet of a new TCP or UDP session is sent to the FireWall-1 inspection module for processing; the connection table and route lookups for all subsequent packets of the connection are performed at a lower level in the OSI model. The result is greatly improved throughput, particularly for small packets in long-lived flows.
There is no functional difference between operation with or without Flows. The Flows path is as secure as the "normal" path: the same connection table lookups take place, simply at a lower level, and NAT and anti-spoofing are replicated at that lower level as well.
Note: FireWall Flows does not currently support the following traffic types:
Encrypted
User Authentication
Internet Control Message Protocol (ICMP)
Multicast
None of these traffic types are "flowed", so they do not receive the throughput enhancement provided by Flows.
X. Appendix A: Common commands
newimage: install a new IPSO image
newpkg: install a new Nokia application package (valid suffixes: tgz, tar.gz, tar, tar.z)
tcpdump -i <interface>: capture packets on the given interface
cpconfig: configure Check Point
cpstop: stop the Check Point FireWall-1/VPN-1 services
cpstart: start the Check Point FireWall-1/VPN-1 services
cprestart: restart the Check Point FireWall-1/VPN-1 services
fw unloadlocal: unload the security policy from the enforcement module (the gateway then enforces no policy until one is installed again)
cplic put: add a license
cplic print: list the installed licenses
fwm sic_reset: reset SIC on the SmartCenter (removes the Internal CA; every gateway must then re-establish trust)
uname -a: show the IPSO version
fw ver: show the Check Point version on the enforcement module
fwm ver: show the SmartCenter version
lynx: text-mode Voyager for configuring the appliance from the console when no network connection is available
ifconfig -a: show the interfaces and their IP addresses