Setup examples for a Checkpoint firewall.

Configuring Firewall-1

This information assumes that you have performed the following:

- Have the necessary network interfaces working correctly in the Operating System
- Installed and licensed version 4.1 of the Firewall-1 software
- Installed version 4.1 of the GUI and can connect to the Firewall-1 Server

Open the Policy Editor to start configuration of the Firewall-1 server.

Add Local and Remote Networks

1. Select Manage -> Network Object from the menu bar
2. Click New -> Network
3. Enter the following settings:

- Name: Instagate-Network
- IP Address: Network address of the Instagate network (e.g. 192.168.1.0; this should match the Local Network box in the Instagate EX IPSec Settings)
- Location: External
- Type: Gateway
- Modules Installed: unchecked
- Management Station: unchecked

Repeat steps 1 through 3 to create a CheckPoint-Network icon using the following settings:

- Name: CheckPoint-Network
- IP Address: Network address of the CheckPoint network (e.g. 10.10.1.0; this should match the Remote Network box in the Instagate EX IPSec Settings)
- Location: Internal
- Type: Gateway
- Modules Installed: Check VPN-1 and Firewall-1 (see CheckPoint documentation for more details)
- Management Station: unchecked
Add CheckPoint Firewall Object

If you have already created a CheckPoint object, make certain that the following properties are selected.

1. Select Manage -> Network Object from the menu bar
2. Click New -> Workstation
3. Enter the following settings in the General tab:

- Name: CheckPoint-FW
- IP Address: Internet (external) IP Address of the CheckPoint Firewall
- Location: Internal
- Type: Gateway
- VPN-1&Firewall-1: Checked
- Version: 4.1
- Management Station: Unchecked

4. Choose the Interfaces tab and create an interface for each IP Address (Internal and Internet IP Addresses)
5. Enter the following settings in the VPN tab:

- Domain: Other, select the icon for the CheckPoint-Network you created earlier
- IKE: Checked

6. Select the Edit button to change the properties for IKE. Make sure the following options are selected:

- 3DES: Checked
- MD5: Checked
- Pre-Shared Secret: Checked

7. Click OK to save the IKE Properties
8. Click OK to save the CheckPoint-FW Object

Add Instagate EX Firewall Object

1. Select Manage -> Network Object from the menu bar
2. Click New -> Workstation
3. Enter the following settings in the General tab:

- Name: Instagate-FW
- IP Address: Internet (external) IP Address of the Instagate EX
- Location: External
- Type: Gateway
- VPN-1&Firewall-1: Unchecked
- Management Station: Unchecked

4. Choose the Interfaces tab and create an interface for each IP Address (Internal and Internet IP Addresses)
5. Enter the following settings in the VPN tab:

- Domain: Other, select the icon for the Instagate-Network you created earlier
- IKE: Checked

6. Select the Edit button to change the properties for IKE. Make sure the following options are selected:

- 3DES: Checked
- MD5: Checked
- Pre-Shared Secret: Checked

7. Select the Edit Secrets button
8. Choose the CheckPoint-FW and choose Edit
9. Type in the Shared Secret that was entered (or created) on the Instagate EX
10. Click Set, then click OK to save the Shared Secret settings
11. Click OK to save the IKE Properties
12. Click OK to save the Instagate-FW Object

Create Firewall Rules

One additional rule in an existing policy is needed to create a tunnel for encrypted traffic between the Instagate EX and Firewall-1.

If this is a first-time setup, we recommend adding the following rules, as recommended in the CheckPoint documentation.

- Allow traffic from your management station to the Firewall-1 as the first rule, so that you never accidentally lose access to the firewall for configuration.
- Allow traffic from the Firewall-1 to any destination.
- Create a default rule that is always the last rule, dropping packets so that you can log them for troubleshooting.

Encrypted Traffic

Create the following rule to encrypt traffic between the Instagate EX and Firewall-1. This rule should be below any client VPN rules and above any rules that will deny traffic between the two firewall servers.

1. Select Edit -> Add Rule -> Top. (Move the rule to its appropriate location as needed.)
2. Right-click the SOURCE section of the rule you just created and choose Add.
3. Select the CheckPoint-Network icon you created earlier. Click OK.
4. Right-click the SOURCE section of the rule again and choose Add.
5. Select the Instagate-Network icon you created earlier. Click OK.
6. Right-click the DESTINATION section of the rule you created and choose Add.
7. Choose the CheckPoint-Network icon you created earlier. Click OK.
8. Repeat steps 6 and 7 to add the Instagate-Network as a DESTINATION.
9. Leave the SERVICE section set to ANY.
10. Right-click ACTION and choose ENCRYPT.
11. Double-click the Encrypt icon. Select the IKE radio button.
12. Click the Properties button and set the following:

- Transform: ESP
- Encryption Algorithm: 3DES
- Data Integrity: MD5
- Allowed Peer Gateway: the Instagate-FW icon created earlier
- Use Perfect Forward Secrecy: Checked

13. Click OK to close the Properties dialog box.
14. Click OK to close the Encryption selection window.
15. Right-click TRACK and select LONG.
16. Right-click INSTALL ON and select Targets.
17. Choose the CheckPoint-FW icon you created earlier. Click OK.
18. Right-click the Gateways icon under INSTALL ON and choose Delete.
19. Choose File -> Save to save the firewall policy you have just created.
20. Choose Policy -> Install. Verify that you are installing the Security Policy on the CheckPoint Firewall. Click OK.
21. Verify that the policy is installed correctly.
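Most failures in a setup like this come from the two ends not mirroring each other (local/remote networks swapped, a proposal or PFS setting that differs, a mistyped shared secret) or from the encrypt rule sitting below a rule that drops traffic between the two networks. The script below is an added example, not part of this guide or of either vendor's software: it models the values the walkthrough has you enter on both gateways and in the rulebase, and flags those mismatches before you install the policy. The object names, the two example networks and the placeholder secret are constructed sample values.

```python
"""Pre-flight check for the two-gateway IKE/IPsec setup described above.

Added example, not part of the original guide or of either vendor's software:
it models the values the walkthrough has you enter on both ends and in the
rulebase and reports what would keep the tunnel or policy from working. All
sample values (networks, object names, the placeholder secret) are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class IkeProposal:
    encryption: str  # e.g. "3DES", the value the guide selects
    integrity: str   # e.g. "MD5"
    auth: str        # e.g. "pre-shared secret"
    pfs: bool        # "Use Perfect Forward Secrecy" on or off

@dataclass(frozen=True)
class VpnPeer:
    name: str                # firewall object name, e.g. "CheckPoint-FW"
    local_net: IPv4Network   # network behind this gateway
    remote_net: IPv4Network  # network behind the other gateway
    peer_gateway: str        # "Allowed Peer Gateway" as set on this end
    proposal: IkeProposal
    shared_secret: str

def check_peers(a: VpnPeer, b: VpnPeer) -> list:
    """Return mismatches between the two ends; empty means they mirror each other."""
    problems = []
    # Each side's local network must be the other side's remote network.
    if a.local_net != b.remote_net:
        problems.append(f"{a.name} local {a.local_net} != {b.name} remote {b.remote_net}")
    if a.remote_net != b.local_net:
        problems.append(f"{a.name} remote {a.remote_net} != {b.name} local {b.local_net}")
    # Cipher, integrity, authentication method and PFS must agree on both ends.
    if a.proposal != b.proposal:
        problems.append(f"proposal mismatch: {a.proposal} vs {b.proposal}")
    # The secret typed into Firewall-1 must equal the one on the Instagate EX.
    if a.shared_secret != b.shared_secret:
        problems.append("pre-shared secrets differ")
    # Each end must name the other as its allowed peer gateway.
    if a.peer_gateway != b.name or b.peer_gateway != a.name:
        problems.append("allowed peer gateway does not point at the other end")
    return problems

@dataclass(frozen=True)
class Rule:
    src: frozenset       # object names in SOURCE, or {"any"}
    dst: frozenset       # object names in DESTINATION, or {"any"}
    service: str
    action: str          # "accept", "drop" or "encrypt"
    track: str = "none"  # "none" or "long"

def _touches(column: frozenset, nets: frozenset) -> bool:
    # A column covers site-to-site traffic if it is ANY or names a site network.
    return "any" in column or bool(column & nets)

def check_rulebase(rules: list, mgmt: str, fw: str, site_nets: frozenset) -> list:
    """Check the ordering the guide recommends: management access first, a logged
    drop-all last, and the encrypt rule above any drop covering the site networks."""
    problems = []
    first, last = rules[0], rules[-1]
    if not (mgmt in first.src and fw in first.dst and first.action == "accept"):
        problems.append("rule 1 should accept management station -> firewall")
    if not (last.src == {"any"} and last.dst == {"any"}
            and last.action == "drop" and last.track != "none"):
        problems.append("last rule should be a logged drop of any -> any")
    encrypt_at = next((i for i, r in enumerate(rules) if r.action == "encrypt"
                       and site_nets <= r.src and site_nets <= r.dst), None)
    if encrypt_at is None:
        problems.append("no encrypt rule with both site networks as source and destination")
        return problems
    # A drop rule above the encrypt rule that matches site-to-site traffic shadows it.
    for r in rules[:encrypt_at]:
        if r.action == "drop" and _touches(r.src, site_nets) and _touches(r.dst, site_nets):
            problems.append("a drop rule above the encrypt rule shadows the tunnel traffic")
            break
    return problems

# Constructed sample values mirroring the guide's example addresses.
PROPOSAL = IkeProposal("3DES", "MD5", "pre-shared secret", pfs=True)
CHECKPOINT_FW = VpnPeer("CheckPoint-FW", ip_network("10.10.1.0/24"), ip_network("192.168.1.0/24"),
                        "Instagate-FW", PROPOSAL, "placeholder-secret")
INSTAGATE_FW = VpnPeer("Instagate-FW", ip_network("192.168.1.0/24"), ip_network("10.10.1.0/24"),
                       "CheckPoint-FW", PROPOSAL, "placeholder-secret")
# Same object with the wrong remote network and a mistyped secret, for comparison.
MISMATCHED_INSTAGATE = VpnPeer("Instagate-FW", ip_network("192.168.1.0/24"), ip_network("10.10.2.0/24"),
                               "CheckPoint-FW", PROPOSAL, "typo-secret")
SITE_NETS = frozenset({"CheckPoint-Network", "Instagate-Network"})
ANY = frozenset({"any"})
GOOD_RULES = [
    Rule(frozenset({"Mgmt-Station"}), frozenset({"CheckPoint-FW"}), "any", "accept", "long"),
    Rule(frozenset({"CheckPoint-FW"}), ANY, "any", "accept"),
    Rule(SITE_NETS, SITE_NETS, "any", "encrypt", "long"),
    Rule(ANY, ANY, "any", "drop", "long"),
]
# The same rulebase with a site-to-site drop rule mistakenly placed above the encrypt rule.
SHADOWED_RULES = GOOD_RULES[:2] + [Rule(SITE_NETS, SITE_NETS, "any", "drop", "long")] + GOOD_RULES[2:]
```

Running `check_peers(CHECKPOINT_FW, INSTAGATE_FW)` and `check_rulebase(GOOD_RULES, "Mgmt-Station", "CheckPoint-FW", SITE_NETS)` returns an empty list for the configuration the guide describes; the same calls against `MISMATCHED_INSTAGATE` or `SHADOWED_RULES` return the specific mismatch, which is what you would otherwise have to infer from a failed key exchange in the Log Viewer.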

To view the logs, select Window -> Log Viewer.
Once an encrypted session is started, you will see a key exchange appear in the logs. To force an immediate connection attempt, return to the Instagate EX, select Servers -> IPSec VPNs, click Modify for the rule associated with the CheckPoint VPN, and click Apply. Open a connection or ping a host on the remote network to verify that a VPN session has been established successfully.