Check Point R80.10 Test Lab in Cloud (Azure) - NETSEC

Thursday, January 25, 2018

Check Point R80.10 Test Lab in Cloud (Azure)

Check Point and Microsoft have a test drive for the R80.10 lab. The lab is designed very well for understanding Check Point architecture and features. To summarize what I got out of it, I recorded the lab videos on my laptop and put them together.






1. Log Into Azure
 - https://youtu.be/MInifWUg2H8

This lab runs inside the Microsoft Azure public cloud infrastructure. It uses 5 VMs:
1. Internal Client: Win-Victim: Windows Server with the SmartConsole client and Chrome
2. Gateway & Mgmt server: standalone R80.10 Gateway and Management Server on the same VM
3. Web Server: Ubuntu, used for web testing
4. Active Directory: Win-DC
5. Pen test Tool: Kali


2. RDP into Server to Install SmartConsole
 - https://youtu.be/XJ820_Kr8GQ

Screen recording of how to RDP into the Azure server and install SmartConsole R80.10:

1. From the Internal Client host, run the installer for the R80.10 SmartConsole: c:\R8010console.exe
2. For the SmartConsole install, accept all the defaults and perform a full install.




3. Log into SmartDashboard and Install Policy
 - https://youtu.be/QizN9YHlE8g

3.1 From the Start menu, click All Programs - Check Point SmartConsole R80.10 - SmartDashboard, and the system displays the login window.

Use the following information to configure the login window:
User Name: admin
Password: CheckPoint1234!
Management Server: 192.168.101.254

Click the OK button, and the system displays the fingerprint.
Click the Approve button to approve the fingerprint.

3.2 Edit the gateway object and select Platform Portal.
Change the port for the GAIA portal to 4434. The URL is https://192.168.101.254:4434

3.3 Edit the gateway object and select UserCheck.
The URL is https://192.168.101.254/UserCheck

3.4 Click “Install Policy” to install the security policy.




4. Compliance Blade
 - https://youtu.be/r7OERY9o2KE

Enable R80.10 SmartEvent and Compliance Blades on the Mgmt Server
• Edit the “R80-GWMGMT” object in SmartDashboard
• Tick the boxes for both SmartEvent items & Compliance
• Click OK
• Click PUBLISH (note – you do not need to install to the gateway)
• The processes will now start.

1. How to enable
• Go to “Manage and Settings”
• Select “Blades” down the left side
• Click Settings under “Compliance”
• You will see that the management server has started the best practice scan
• Once the scan is complete, you will see the following
• From now on, any changes made to the installation will be verified against this blade
• To view the compliance status go to “Logs and Monitor”
• Click “New Tab” and then “Open Compliance View”
• From here you can view the status of the installed base
• During the course of the training we can revisit this page and see how things change.





5. HTTPS Inspection
 - https://youtu.be/L_mH6X14zRE

The HTTPS lab requires the Application Control & URL Filtering (URLF) blades to be enabled.
• Open SmartDashboard on Win-Victim and log in to 192.168.101.254
• Double-click the Security Gateway object
• Select the Application Control and URL Filtering check box, and install policy

• Access the following URL (from Win-Victim using Chrome): https://www.facebook.com
• Press Ctrl+Shift+I to open the developer console
• Click on Security
• Click “View certificate”.
• Verify that the certificate being presented is valid

• Edit the gateway object and select HTTPS Inspection.
• Click on Step 1: Create, and the CA creation dialog window will appear

Step 1:
– Clients will need to trust the new CA certificate.
– We can export a self-signed CA certificate (containing only the public key) for later use.
Step 2: Click on Export certificate and save the certificate as gateway.cer on the Win-Victim desktop.
Step 3: Enable HTTPS Inspection and click OK.

Click “Manage and Settings” - Blades - under HTTPS Inspection click “Configure in SmartDashboard”
Ensure the policy looks like in the video
• Save the policy and close the HTTPS policy window
• Install the policy

• Close and open Chrome
• The certificate trust error page should now appear in the www.facebook.com tab.

• A red bar under the URL and a Certificate Error message indicate that something is wrong. Click on the certificate information and look at the Certification Path. This will show that the newly created cert is the root CA of the certificate path and that it is not trusted.
• Open Logs and Monitor and search for “https”. Look at the logs and verify that the gateway can detect that the client does not trust the gateway CA certificate.

To make the browser trust the gateway CA, one way is to manually import the certificate:
• Locate the exported .cer file on the Win-Victim desktop.
• Click on the CA certificate and View Certificate.
• Now start the Certificate Import Wizard by clicking Install Certificate

• Restart the browser to make use of the new CA
• Exit the browser, and restart it
• Access www.facebook.com again
• Click on the green lock icon and verify that the certificate is still issued by the management server but is now trusted by the browser. Check the Certification Path again.
• Try accessing other HTTPS-based websites to check that the same thing happens there.
• In subsequent labs you may see that a CA list update is available.
• Install this automatic update to keep your CA list up to date.

HTTPS Best Practices Guide: SecureKnowledge sk108202
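The lab shows the trust failure and its fix only through Chrome's dialogs. The shell script below is an added example, not part of the lab or of Check Point's tooling, that reproduces the same two states with openssl on any Linux or macOS host: a constructed throwaway CA stands in for the gateway's HTTPS Inspection CA (the exported gateway.cer), a leaf certificate signed by that CA stands in for the certificate the gateway re-issues to the client, and openssl verify stands in for the browser. The CA name, the hostname www.example.com, the file layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lab): reproduce with openssl what the HTTPS Inspection lab
# shows in Chrome. A throwaway CA stands in for the gateway's HTTPS Inspection CA and a
# leaf certificate signed by it stands in for the certificate the gateway re-issues to
# the client. CA name, hostname and directory layout are constructed for this example.
set -eu

# Build the throwaway PKI in directory $1: ca.pem / ca.key (the "gateway CA") and
# leaf.pem (the re-issued server certificate, chained to that CA).
make_lab_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Lab Gateway HTTPS Inspection CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA: the command-line equivalent of "Step 1: Create" in the gateway object.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Leaf certificate for the site the client visits, signed by the CA above.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=www.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:www.example.com\nbasicConstraints=CA:FALSE\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Print "trusted" or "untrusted": does the leaf chain to a CA the verifier trusts?
# $2 is a CA file to trust in addition to the system store; pass "" to consult the
# system store alone (what the browser does before the CA is imported).
check_trust() {
    dir=$1; cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$dir/leaf.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$dir/leaf.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

# Print the issuer of the leaf: the lab's "Certification Path" check, on the command line.
leaf_issuer() {
    openssl x509 -in "$1/leaf.pem" -noout -issuer
}

workdir=$(mktemp -d)
make_lab_pki "$workdir"
echo "issuer of the re-issued certificate: $(leaf_issuer "$workdir")"
echo "before importing the CA: $(check_trust "$workdir" "")"
echo "after importing the CA:  $(check_trust "$workdir" "$workdir/ca.pem")"
```

The first check reports untrusted because only the system trust store is consulted; the second reports trusted once ca.pem is supplied, which is what importing gateway.cer on Win-Victim does for Chrome. The same openssl x509 -issuer check can be run against the real exported gateway.cer (add -inform DER if the export is binary) to confirm which CA the re-issued certificates chain to.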




6. Identity Awareness
 - https://youtu.be/9zGaRUymea0

Enable Identity Awareness on the Security Gateway.
• From SmartDashboard, edit the Security Gateway object.
• In the Network Security tab, verify that the Firewall option is selected.
• Select the Identity Awareness blade option
• In the wizard enable AD Query, Browser-Based Authentication and Terminal Servers, then click Next.
• If these fields are not already populated then create a new domain “test.ad”, with credentials “cpadmin” and “Cpwins1!”. Click Connect.

• Ensure the Main URL is set to https://192.168.101.254/connect
• Click Next. “Identity Awareness is Now Active!” appears.
• Click Finish. Click OK. Install the policy.

• Edit the gateway object. Click on the Identity Awareness branch and check the settings for Browser-Based Authentication (aka Captive Portal), Active Directory Query and Terminal Servers
• Notice the other settings. With the exception of Identity Awareness, the other settings are not used in this exercise
• Identity Agents – lightweight agent installed on users’ computers.
• Terminal Servers – Identity Awareness supports usage of Terminal Servers
• RADIUS Accounting – gets identity data from RADIUS accounting requests.
• Remote Access – Identity Awareness supports IPsec VPN users (Endpoint VPN)

• Start the install process by running c:\R8010-TerminalServerAgent.exe
• On a first-time install you will see this:
• Click “Multi User Host Settings”
• Enter the shared secret from the gateway (your key will be different)
• Click Save, then click “Change Settings”
• Under “Connect to Server” enter the IP of the gateway, i.e. 192.168.101.254
• Click OK. Note the certificate prompt: click Review and trust the certificate. The agent is now set up.

Check connectivity by browsing to facebook.com.
• Within Logs and Monitor, use the search query blade:"Identity Awareness".
• Use the Identity Awareness Blade favorite to simplify sorting and searching for record details.

• Captive Portal scenario: this is a simple method to authenticate users with a web interface. When users try to access a protected resource, they enter authentication information in a form that shows in their browser.
• In rules with access roles, you can add a property in the Action field to redirect traffic to the Captive Portal. If this property is added, when the source identity is unknown and the traffic is HTTP, the user is redirected to the Captive Portal. If the source identity is known, the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal.

• Open the firewall policy and right-click the Action field of your Internet Access rule
• Right-click “Accept” and select “More”.
• Click “Enable Identity Captive Portal”
• Click OK.
• In the Source column right-click and delete the Net_192.168.101.0 object.
• Click the plus symbol in the top right of the Source field.
• Create a new Access Role

• Name the Access Role knownusers.
• In the Network tab select specific networks: Net_192.168.101.0
• In the Users and Machines tab select Any
• Click OK.
• Install Policy

• Test Captive Portal to verify the configuration.
• Log in to the gateway via SSH; PuTTY is on the c:\ drive of Win-Victim
• From the CLI, type “pdp monitor all | more” to get the IP address of cpadmin@test.ad

• Now we must stop the TS Agent: launch the app and click “Disconnect from Gateway”
• If the previous command shows a mapping, issue the following command:
  # pdp control revoke_ip 192.168.101.100
• This will revoke cpadmin’s identity mapping on the gateway.
NOTE – you might need to disable Windows IE Enhanced Security Configuration within Server Manager
• In Logging, select from the left navigation “Identity Awareness Blade – All”, and identify and review the Redirect log for the Captive Portal
• From Expert Mode, type the following command and press Enter:
  # pdp monitor all | more
• Notice the Client Type has changed to portal

• Edit the Internet Access rule to disable Captive Portal. We’ll use AD Query for user identity for the rest of the lab.
• Right-click the Action field.
• Select Edit Properties.
• Disable Captive Portal.
• Change the Source field from the Access Role to the Network object, Net_192.168.101.0.
• Install the Policy.
• Within the TS Agent, click “Repair Connection”



7.1 SmartLog and SmartEvent
 - https://youtu.be/tcfdPWmgRCQ
Launch R80.10 SmartConsole
• Select Start - All Programs - Check Point SmartConsole.
• Click Login.
• Go to Logs and Monitor
• Type https in the search bar.
• Press Enter. Click on the back arrow to clear the entry
• In the Query Top Results expand the Top Actions.
• Select HTTPS Inspect. Notice the syntax in the query bar.
• Expand another Query Top Result, such as Top Destinations; select as you like and notice that the query changes
• Press the back arrow to deselect the last query
• Press the forward arrow to go back to the query
• Add the query as a Favorite
• In the menu select Favorites - Add to Favorites

• Accept the default name
• Click on Queries
• Expand My Favorites



SmartLog Lab
 - Create a Query Using Fields
• Click inside the query bar.
• Select Action.
• Select Ask User.
• Press Enter to show the query result.
• Double click a log to see more details.
• Close SmartLog when done.


Enable SmartEvent
• Edit the Management Server object.
• In general properties, Management tab, Enable SmartEvent.
• Enable SmartEvent Server & Correlation Unit
• Install the policy.
• Launch the reporting view by selecting “Logs and Monitor”
• Click “New Tab” or the + symbol at the top of the screen
• Click the default “Access Control” report.
• Now edit this report to your needs by clicking Options then edit
• When finished editing, click “Done”
• Click “Views” down the left side
• In here you will see all the predefined views e.g. “Important Attacks”
• You can double click any of these items to see the realtime data.



7.2 SmartEvent, Report, SmartView and Gateway Portal
 - https://youtu.be/d-ey9YSggNA

This video shows how to access SmartEvent, how to generate a report, and how to access the Check Point R80.10 Gateway Portal.





8.1 Safe Internet Use
 - https://youtu.be/lCn6OSqW5pY

This lab will create a corporate policy:
• Log in as cpadmin to the Win-Victim virtual machine.
• Test Internet connectivity by browsing to the following sites:
  – www.cnn.com

From SmartDashboard, edit the gateway object.
• Verify in the Network Security tab that the following are enabled:
  – Application Control
  – URL Filtering

Database Updates
• The Application and URL Filtering database is automatically updated.
• Select “Security Policies” then “Updates”
• Verify in Messages and Actions that the Management Server is up to date.

Policy Creation
• Your organization has identified URL categories and commonly used applications that you want to prevent company employees from accessing. Most of these are easy decisions that back up common-sense rules, like no gambling or anonymizers.
• Click Security Policies to view the Security Policy.
  – Find rule 6.3; this rule allows all outbound traffic from the LAN

• Add a new rule above 6.3:
• Click the plus symbol displayed in the Services and Applications column of the new rule, and the system displays the search assistant.

• Another way to do this is to create a new Applications/Sites Group.
• In the top right of the Search Assistant window, click the New button.
• Select New Applications/Sites Group, and the system displays the group object:

• Use the following information:
  – Name: Very_Bad_Things
  – Comment: Dangerous Sites and Apps
• Click Add.

• In the search field of the assistant, type: spyware
• In the Available pane, select the Spyware/Malicious Sites category.

• Now, search for and select the following additional sites and applications to block users from accessing:
  – Phishing
  – Botnets
  – Anonymizer
  – P2P File Sharing

• Click OK to add the group to the Applications/Sites field.
• Leave the Action field as Drop.
• In the Action column, right-click the Blocked Message icon, select “More”, then click the edit icon next to the message to view the UserCheck Interaction settings.
• Click the Add Logo button, and select the Check Point icon.

• Click OK, and the system now displays the selected logo.
• Click the Preview in Browser button to view an example of what the user will see when this rule is applied to their web browsing attempts.
• Close the browser and click OK in the UserCheck Interaction window.
• Leave the Track field configured as Log so you can see this traffic in SmartLog Tracker.
• Verify that the newly configured rule appears as the video shows.
• Add a new rule below to limit bandwidth to Media Streaming.
• Use the information below to configure the High Risk rule:
  – Name: Media Streaming
  – Source: Victim
  – Destination: Internet
  – Sites: Media Streams, Media Sharing
  – Action: Allow, Limit… Download_10Mbps
  – Track: Log
• Use the information below to inform users about inappropriate content:
  – Name: File Storage & Sharing
  – Source: Any
  – Destination: Internet
  – Applications/Sites: File Storage and Sharing
  – Action: Allow, Ask, Company Policy
  – Track: Log
• Use the information below to inform users about inappropriate content:
  – Name: Social Networking
  – Source: Any
  – Destination: Internet
  – Applications/Sites: Facebook
  – Action: Allow, Inform, Access Notification
  – Track: Log
• Use the information below:
  – Name: Inappropriate Content
  – Source: Any
  – Destination: Internet
  – Applications/Sites: Category: Potentially Liable and Controversial (add as you like – include Alcohol)
  – Action: Drop, Blocked Message
  – Track: Log
• As with the firewall policy, rule order is important. Suppose we want to allow access to www.budweiser.com and block access to other Alcohol-related sites.
• Add a rule above this rule.
  – In the Add Application/Site window, click New - Application/Site.
  – Enter the name Allow-Budweiser, click Next.
  – Enter the URL www.budweiser.com, click Add and Next. Select Next, Finish and OK

Policy Validation
• It’s time to test the new user experience and see Application & URL Filtering in action.
• Test Internet connectivity by browsing to the following sites:
  – www.cnn.com
  – www.budweiser.com
• Verify that the user may access the Budweiser site, but not other sites in the Alcohol category.




8.2 Safe Internet Use (DLP)
 - https://youtu.be/1TaLuOhKkpI


9. Content Awareness
 - https://youtu.be/9eCGSVxHln4
Enable Content Awareness
• From the dashboard, edit the gateway object
• Enable the “Content Awareness” blade
• Enable the “URL Filtering” blade
• Enable the “Application Control” blade
• Click OK and install the policy
• Modify the “Internal Network” layer and enable “Content Awareness”
• Right-click “Internal Network” under the Action column
• Select Inline Layer - Edit Layer
• Tick “Content Awareness”
• Click OK
• Click Publish

Create Policy:
• Under the policy layer “Internal”, create two new rules to match either of the below images.
• If you have a Dropbox account, use those rules. If not, then use the DMZ-WebServer rules.

Test Content Awareness:
• If you have a Dropbox account, log in to your account and try to upload a Word document from c:\dlp-files
• If you don’t have a Dropbox account, use the unknown300 site:
• Open Internet Explorer
• Go to http://unknown300.com from the VICTIM
• Go to “Download”
• Try to download “Clean.Doc”; this will work
• Go to “Upload”
• Try to upload a document file from c:\DLP-files, e.g. protected file.doc
• You will find that Content Awareness blocks the upload.
Note that the following is logged:
• Application
• Session details
• Web Resource
• HTTPS Inspection status
• File name
• File Type
• File Size


10. Threat Prevention IPS
 - https://youtu.be/i6T2KzCuciU
Enable IPS:
• Edit the Gateway object
• In General Properties enable the IPS blade
• Select IPS in the left tree.
• Ensure the activation mode is set like this
• Click OK
• Go to the Threat Policy and change the Action to the “My_Profile” policy
• Install the Policy

Test IPS:

• For this test we’ll use Metasploit to exploit Firefox 17.0
• Install c:\FirefoxSetup17.0.exe (accept all default options),








11. Threat Prevention AntiVirus and AntiBot
 - https://youtu.be/WUnWHb5Yfno
Enable Antivirus & Anti-Bot:
• Edit the Gateway object.
• Disable Content Awareness
• Enable Anti-Bot and Antivirus.
• Accept the defaults to use the Anti-Bot and Antivirus policy.
• Select the Anti-Bot and Antivirus branch and verify the settings match below
• Install the policy and you are now protected from known threats.
• Notice that the Network Security and Threat Prevention policies are installed separately.
• Select the Threat Prevention policy, select Policy.
• In the Action column right-click the policy name and click View to expand the My_Profile profile.
• Notice that for Anti-Bot, Antivirus and Threat Emulation the default setting is Prevent, except for Low Confidence
• While still in the Threat Prevention tab, select Protections.
• This section of the user interface is informative only and describes the protection mechanisms used to detect threats.

Test Antivirus & Anti-Bot
• If you don’t have a live virus or bot, then how can you test Anti-Bot and Antivirus?
• From the Win-Victim VM visit https://threatwiki.checkpoint.com
• Click the Threat Prevention Resources -- Threat Wiki link at the top of the page.








12. Security Management API Basics
 - https://youtu.be/cNV1ZBnhc18

During this lab, we will create a basic host object and rule via the API.
These changes will be watched via the Dashboard in real time.
Management API
• From the dashboard, click on “Manage & Settings”
• Click “Advanced Settings” under Management API
• Ensure the access settings look like this
• Open an SSH session from the victim to the R80.10 mgmt server
• From here we will run the API commands to create the objects and rules

• Run the following set of commands via a PuTTY session to the management server. The login command saves the session ID to id.txt, and the commands that follow read it with -s:
   mgmt_cli login user admin password Cpwins1! --port 4434 > id.txt
   mgmt_cli add address-range name "BadISP" ip-address-first "1.2.4.0" ip-address-last "1.2.4.255" -s id.txt
   mgmt_cli add access-rule layer Network position 1 name "Block to Known BAD IP's" action Drop destination BadISP -s id.txt
   mgmt_cli add access-rule layer Network position 1 name "Block from Known BAD IP's" action Drop source BadISP -s id.txt
   mgmt_cli publish -s id.txt
   mgmt_cli logout -s id.txt

• You will now see two new rules at the top of the policy that will look like this
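The six mgmt_cli commands above run with no error handling, so a failing step would leave a partly built change sitting in the session. The script below is an added example, not part of the lab or of Check Point's documentation, that wraps the same sequence: the password comes from an environment variable instead of the command line, any failed step runs mgmt_cli discard and logs out instead of publishing, and MGMT_CLI=echo prints the commands without running them. It assumes mgmt_cli is on the PATH (as it is on the management server), the API port 4434 from section 3.2, and the lab's own object names and addresses; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lab): the lab's mgmt_cli sequence wrapped so that any failed
# step discards the uncommitted session instead of leaving half-created objects behind for
# the next "publish". Assumes mgmt_cli is on PATH, the API listens on 4434 (section 3.2),
# and the admin password is supplied in MGMT_PASS rather than typed on the command line.
# Set MGMT_CLI=echo to dry-run and only print the commands.
set -eu

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
API_PORT="${API_PORT:-4434}"
MGMT_USER="${MGMT_USER:-admin}"
SID_FILE="${SID_FILE:-id.txt}"
RANGE_NAME="BadISP"          # object name and addresses are the lab's own values
RANGE_FIRST="1.2.4.0"
RANGE_LAST="1.2.4.255"

# Throw away everything done in this session and log out; called when any step fails.
abort_session() {
    echo "a step failed: discarding unpublished changes" >&2
    "$MGMT_CLI" discard -s "$SID_FILE" >/dev/null 2>&1 || true
    "$MGMT_CLI" logout -s "$SID_FILE" >/dev/null 2>&1 || true
    exit 1
}

# Add one Drop rule at the top of the Network layer; $1 is "source" or "destination".
add_block_rule() {
    direction=$1
    case "$direction" in
        source)      rule_name="Block from Known BAD IP's" ;;
        destination) rule_name="Block to Known BAD IP's" ;;
        *) echo "direction must be source or destination" >&2; return 2 ;;
    esac
    "$MGMT_CLI" add access-rule layer Network position 1 name "$rule_name" \
        action Drop "$direction" "$RANGE_NAME" -s "$SID_FILE"
}

# The lab's whole sequence: login, create the range, two rules, publish, logout.
apply_block_rules() {
    "$MGMT_CLI" login user "$MGMT_USER" password "${MGMT_PASS:?set MGMT_PASS to the admin password}" \
        --port "$API_PORT" > "$SID_FILE"
    "$MGMT_CLI" add address-range name "$RANGE_NAME" \
        ip-address-first "$RANGE_FIRST" ip-address-last "$RANGE_LAST" -s "$SID_FILE" || abort_session
    add_block_rule destination || abort_session
    add_block_rule source || abort_session
    "$MGMT_CLI" publish -s "$SID_FILE" || abort_session
    "$MGMT_CLI" logout -s "$SID_FILE"
}

# Run only when invoked as "sh script.sh run", so sourcing the file does nothing by itself.
if [ "${1:-}" = "run" ]; then
    apply_block_rules
    echo "two Drop rules for $RANGE_NAME are now at the top of the Network layer"
fi
```

Run it on the management server as MGMT_PASS='...' sh block_badisp.sh run, or with MGMT_CLI=echo first to see the exact commands it would issue. The discard in abort_session matters because a session that is logged out without publish or discard keeps its pending changes and locks the affected objects for other administrators.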





