CentOS 3 and Check Point NGX

From The sin within

This HowTo assumes the following:

  • Target system uses 2 identical S-ATA Disks
  • Software RAID-1 from the CentOS installation menu
  • Internet connection is available
  • Firewall module name is: fw-1, and domain name is: domain.com
  • Internal interface IP address is: 10.10.10.254

NOTE: This article also applies to Check Point NGX R60A, R61, R62 and R65 (the operating system is the same). It also works on CentOS 3.9 (the latest update to CentOS 3, released by the development group to stay in sync with update 9 for RHEL 3).

Installation and cleanup of CentOS 3

  • Choose Custom install from the CentOS 3 installation menu and, when you get to the package selection, choose Minimum Install
  • After the installation completes and the system reboots, log in as root and issue the following (one command, continued over several lines):
 ~# yum remove finger lha rdist rsh freetype XFree86-Mesa-libGL redhat-lsb fontconfig XFree86-libs minicom ppp wvdial rp-pppoe stunnel tftp \
      isdn4k-utils iptables-ipv6 kernel-pcmcia-cs portmap ypbind nfs-utils yp-tools redhat-config-securitylevel-tui ncompress unix2dos wireless-tools \
      jwhois mgetty authd ftp talk iscsi-initiator-utils iptables ipsec-tools setserial usbutils hotplug rmt dump dosfstools mkbootdisk jfsutils \
      htmlview cups cups-libs pax fbset pspell aspell aspell-config traceroute XFree86-libs-data libpng up2date rhnlib autofs nss_ldap \
      redhat-config-mouse mt-st pam_smb krbafs-utils cyrus-sasl-gssapi quota xinetd bc parted cyrus-sasl-plain redhat-menus dos2unix krbafs \
      pam_krb5 libjpeg libtiff diskdumputils netconfig nscd libwvstreams time netdump nc ed raidtools irda-utils nss_db nano jpackage-utils dhclient

This removes unneeded libraries and binaries from the system.

Hardening, securing and monitoring the base system

Local MTA

  • Now, install postfix instead of sendmail on the system:
 ~# yum install postfix
 ~# yum remove procmail sendmail sendmail-doc
  • Configure postfix for usage on the firewall module; edit /etc/postfix/main.cf to contain the following:
 myhostname = fw-1.domain.com
 mydomain = domain.com
 myorigin = fw-1.domain.com
 inet_interfaces = localhost
 mydestination = $myhostname
 unknown_local_recipient_reject_code = 550
 smtpd_banner = fw-1.domain.com ESMTP
  • Restart postfix
 /etc/init.d/postfix restart

SSH and remote management

  • Add a user to the system, called cpadmin or whatever name you choose (this tutorial assumes it is called cpadmin)
  • To harden and secure ssh, edit /etc/ssh/sshd_config so that it looks like the sample below (only the internal interface is listened on, root cannot log in directly, and only cpadmin is allowed):
 Port 22
 Protocol 2
 # the internal firewall IP, from which management is also done
 ListenAddress 10.10.10.254
 KeyRegenerationInterval 1800
 ServerKeyBits 1024
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes
 X11Forwarding no
 KeepAlive yes
 UsePrivilegeSeparation yes
 Compression yes
 AllowUsers cpadmin
 Ciphers aes256-cbc,aes192-cbc,aes128-cbc
 MACs hmac-sha1,hmac-md5
  • Restart sshd daemon
 /etc/init.d/sshd restart

Now only cpadmin is allowed to log in remotely, and must use su to gain root privileges on the machine.
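As an added check that is not part of the original HowTo, the following POSIX sh function audits an sshd_config against the directives above before sshd is restarted; it assumes the internal address 10.10.10.254 and the cpadmin account used throughout this article.

```shell
#!/bin/sh
# Added example (not from the original HowTo): audit an sshd_config against the
# settings the section above expects. Prints one line per deviation and returns 1
# if any is found, 0 when the file matches.
# Usage: sshd_audit /etc/ssh/sshd_config && /etc/init.d/sshd restart

sshd_audit() {
    cfg="$1"
    rc=0
    # keyword|expected value; like sshd, the first occurrence of a keyword wins
    # (AllowUsers: only the first listed user is compared)
    for pair in \
        "Protocol|2" \
        "ListenAddress|10.10.10.254" \
        "PermitRootLogin|no" \
        "StrictModes|yes" \
        "X11Forwarding|no" \
        "UsePrivilegeSeparation|yes" \
        "AllowUsers|cpadmin"
    do
        key=${pair%%|*}
        want=${pair#*|}
        # drop comments, match the keyword case-insensitively, take its first value
        got=$(sed 's/#.*//' "$cfg" |
              awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Run against the given file when invoked as a script with a path argument.
if [ $# -eq 1 ]; then
    sshd_audit "$1"
fi
```

Run `sshd -t` as well to catch syntax errors: a wrong AllowUsers or ListenAddress value locks you out of remote management once sshd is restarted.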

Stopping and disabling unwanted services on the system

  • gpm (the only service left running that we do not need). To stop it and disable it, do the following:
 /etc/init.d/gpm stop
 chkconfig --level 123456 gpm off

Software RAID-1 monitoring

Monitoring the status of the RAID-1 system can give advance warning to the system administrator that the RAID matrix has suffered a failure.

  • To be able to receive mail notification regarding the RAID status, edit /etc/mdadm.conf to look like the sample below:
 DEVICE /dev/sd[ab]1
 MAILADDR admin-team@domain.com
 PROGRAM /usr/sbin/handle-mdadm-events
 # append the ARRAY lines for the installed arrays, as printed by: mdadm --detail --scan
  • Restart the RAID monitoring daemon:
 /etc/init.d/mdmonitor restart
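The HowTo points PROGRAM at /usr/sbin/handle-mdadm-events but does not show that script; the following is an added example of such a handler, not the page's own, written for the postfix and mail address configured above. mdadm --monitor runs it as `PROGRAM <event> <md device> [<component device>]`; the script path, MAILTO and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example (not from the original HowTo) of the handler named on the PROGRAM
# line of /etc/mdadm.conf. mdadm --monitor runs it as:
#   /usr/sbin/handle-mdadm-events <event> <md device> [<component device>]
# MAILADDR already mails the raw event; this script adds a severity, a syslog entry
# and a /proc/mdstat snapshot, sent through the local postfix configured earlier.
# MAILTO (assumed) defaults to the team address used in mdadm.conf above.

MAILTO=${MAILTO:-admin-team@domain.com}

# Map an mdadm event name to a severity; the names are the ones mdadm emits.
md_event_level() {
    case "$1" in
        Fail|FailSpare|DegradedArray|DeviceDisappeared|SparesMissing) echo CRITICAL ;;
        *) echo INFO ;;
    esac
}

# One-line summary for event $1 on array $2, with the optional component $3.
md_event_message() {
    printf '%s: mdadm event %s on array %s' "$(md_event_level "$1")" "$1" "$2"
    if [ -n "${3:-}" ]; then
        printf ' (component %s)' "$3"
    fi
    printf '\n'
}

# Log to syslog at a matching priority and mail the admin team with /proc/mdstat.
md_event_notify() {
    msg=$(md_event_message "$@")
    prio=daemon.info
    if [ "$(md_event_level "$1")" = CRITICAL ]; then
        prio=daemon.crit
    fi
    logger -t mdadm-events -p "$prio" "$msg"
    {
        printf 'To: %s\nSubject: [%s] %s\n\n' "$MAILTO" "$(hostname)" "$msg"
        cat /proc/mdstat 2>/dev/null
    } | /usr/sbin/sendmail -t
}

# mdadm always passes at least the event name and the array device.
if [ $# -ge 2 ]; then
    md_event_notify "$@"
fi
```

Install it with mode 0755 and verify the chain end to end with `mdadm --monitor --scan --test --oneshot`, which sends a TestMessage event for each array.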

Basic system configuration

Setting the hostname

Check Point SmartCenter installation requires a valid hostname for the Internal Certificate Authority (ICA), and also a correct entry for the hostname and its associated IP address in /etc/hosts. To do this you need to edit two files:

  • /etc/hosts and make it look like the sample below:
 127.0.0.1           localhost.localdomain localhost
 10.10.10.254        fw-1.domain.com fw-1
  • /etc/sysconfig/network and make it look like the sample below:
 NETWORKING=yes
 HOSTNAME=fw-1.domain.com

Updating the system

To update CentOS to the latest available packages, use the following command:

 ~# yum update

Note: At the time of this writing, the update consisted of a kernel image, perl and a few small utilities (about 30 MB in total).

Configuring the network subsystem

Setting the hostname

  • Edit /etc/sysconfig/network like the example below:
 NETWORKING=yes
 HOSTNAME=fw-1.domain.com

Normal network interfaces

If, for example, eth0 is the internal interface, configure it as follows:

  • Edit /etc/sysconfig/network-scripts/ifcfg-eth0 like the example below:
 DEVICE=eth0
 ONBOOT=yes
 TYPE=Ethernet
 IPADDR=10.10.10.254
 NETMASK=255.255.255.0
 NETWORK=10.10.10.0

VLAN tagged network interfaces

  • Append this line to the /etc/sysconfig/network file:
 VLAN=yes
  • To add two VLAN tags (2 and 3) to the eth1 physical interface:

Edit: /etc/sysconfig/network-scripts/ifcfg-eth1.2

 DEVICE=eth1.2
 ONBOOT=yes
 TYPE=Ethernet
 IPADDR=10.10.11.254
 NETMASK=255.255.255.0
 NETWORK=10.10.11.0

Edit: /etc/sysconfig/network-scripts/ifcfg-eth1.3

 DEVICE=eth1.3
 ONBOOT=yes
 TYPE=Ethernet
 IPADDR=10.10.12.254
 NETMASK=255.255.255.0
 NETWORK=10.10.12.0

Note: the number of VLAN-tagged sub-interfaces is limited to 4096 per physical interface.

Switch port trunk configuration

Now the eth1 physical interface is in trunk mode, so to connect it to a switch you will need to set up a trunk on the switch as well.

  • For Cisco Catalyst switches the port config should look like the example below (the encapsulation is set before the mode, as switches that also support ISL reject "mode trunk" while the encapsulation is still auto):
 conf t
  int fa 0/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
   switchport trunk allowed vlan 2,3
  exit
 exit
 wr mem
  • For HP ProCurve switches the port config should look like the example below (port 1 is the tagged trunk port; ports 2 and 3 are untagged access ports in VLAN 2 and 3):
 conf t
  vlan 2
   name vlan2
   tagged 1
   untagged 2
  exit
  vlan 3
   name vlan3
   tagged 1
   untagged 3
  exit
 exit
 wr mem

Check Point NGX installation

To install Check Point, use the following instructions.

Insert NGX CD 1 in the CD-ROM/DVD-ROM drive and issue the command:

 mount /dev/cdrom /mnt/cdrom
 cd /mnt/cdrom
 ./UnixInstallScript

Follow the on screen instructions and after the setup ends, issue the following commands:

 cd ~
 umount /mnt/cdrom

To complete the installation:

 reboot

Updating the system

From time to time the CentOS developers release new patches for the system; to download and install them, run yum update and answer y at the prompt for the packages the system wants to update. Note: when the kernel is updated, it is recommended to reboot the system so that Check Point runs on the new kernel (which may contain improvements, bug fixes, etc.).

Updating Check Point

You can update your Check Point installation either by using SmartUpdate to install the HFAs, or by copying the HFA .tgz package to the machine with scp and installing it manually. Note that when you do it manually, the HFA installer stops the Check Point components, and to bring them back it is advisable to reboot the machine. If you are logged in through a console you can issue cpstart and everything will be fine, but when you are remote your session will time out as soon as the Check Point components start and load the policy, which may cause Check Point to malfunction because some of its components may not start before your console times out.