Checkpoint防火墙安全配置手册V11.docx

1、Checkpoint防火墙安全配置手册V11CheckPoint防火墙安全配置手册Version 1.1XX公司二零一五年一月1综述本配置手册介绍了Checkpoint防火墙的几种典型的配置场景，以加强防火墙对网络的安全防护作用。同时也提供了Checkpoint防火墙自身的安全加固建议，防止针对防火墙的直接攻击。通用和共性的有关防火墙管理、技术、配置方面的内容，请参照中国移动防火墙安全规范。2Checkpoint的几种典型配置2.1 checkpoint 初始化配置过程：在安装完Checkpoint软件之后，需要在命令行使用cpconfig命令来完成Checkpoint的配置。如下图所示，SS

2、H连接到防火墙，在命令行中输入以下命令：IP350admin# cpconfigWelcome to Check Point Configuration Program=Please read the following license agreement.Hit ENTER to continue.（显示Checkpoint License版权信息，敲回车继续，敲q可直接跳过该License提示信息）Do you accept all the terms of this license agreement (y/n) ? y（输入y同意该版权声明）Which Module would you

3、 like to install ?-(1) VPN-1 & FireWall-1 Enterprise Primary Management and Enforcement Module(2) VPN-1 & FireWall-1 Enforcement Module(3) VPN-1 & FireWall-1 Enterprise Primary ManagementCheckpoint Firewall-1/VPN-1支持多种安装模式，Firewall-1/VPN-1主要包括三个模块：GUI：用户看到的图形化界面，用于配置安全策略，上面并不存储任何防火墙安全策略和对象，安装于一台PC机上

4、；Management：存储为防火墙定义的各种安全策略和对象；Enforcement Module：起过滤数据包作用的过滤模块，它只与Managerment通信，其上的安全策略由管理模块下载；以上三个选项中如果Management与Enforcement Module安装于同一台设备上，则选择（1），如果Management与Enforcement Module分别安装于不同的设备上，则选择（2）或（3）。在此处我们选择（1）Enter your selection (1-3/a-abort) 1: 1IP forwarding disabledHardening OS Security: I

5、P forwarding will be disabled during boot.Generating default filterDefault Filter installedHardening OS Security: Default Filter will be applied during boot.This program will guide you through several steps where youwill define your Check Point products configuration.At any later time, you can recon

6、figure these parameters byrunning cpconfigConfiguring Licenses.=Host Expiration FeaturesNote: The recommended way of managing licenses is using SecureUpdate.This window can be used to manage local licenses only on this machine.Do you want to add licenses (y/n) y ? n（询问用户是否需要安装Checkpoint License，可以在此

7、时输入，也可在安装完毕时用命令行方式输入，因为使用命令行方式输入较为方便，建议用户在安装完毕后使用copy - paste的方式输入License。在此处我们选择n）Configuring Administrators.=No Check Point Administrators are currentlydefined for this Management Station.Administrator name: fwadmin(配置Checkpoint Firewall-1/VPN-1的管理员用户名，注意系统自身与Checkpoint的管理员不相同)Password:Verify Pass

8、word:（设置管理员的密码，Checkpoint管理员密码没有长度的限制）Permissions for all Management Clients (Read/Write All, Read Only All, Customized) W（设置该管理员的用户权限，有三种权限，写权限W，读权限R，自定义权限C，在此处选择W，给予管理员最大的权限）Administrator fwadmin was added successfully and hasRead/Write permission to all management clientsAdd another one (y/n) n ?

9、（提示是否还加入其它用户）Configuring GUI clients.=GUI clients are trusted hosts from whichAdministrators are allowed to log on to this Management Stationusing Windows/X-Motif GUI.Do you want to Create a new list, Add or Delete one?: C（Checkpoint GUI软件需要安装在一台PC机上，但该GUI的IP地址需要定义，在此处我们选择C，创建一个GUI IP地址表）Please ente

10、r the list hosts that will be GUI clients.Enter hostname or IP address, one per line, terminating with CTRL-D or your EOF character.10.0.0.15Is this correct (y/n) y ?（输入完地址后需要按CTRL-D结束定义GUI）Configuring Groups.=Check Point access and execution permissions-Usually, a Check Point module is given group

11、permissionfor access and execution.You may now name such a group or instruct the installationprocedure to give no group permissions to the Check Point module.In the latter case, only the Super-User willbe able to access and execute the Check Point module.Please specify group name for no group permis

12、sions:No group permissions will be granted. Is this ok (y/n) y ?Setting Group Permissions. Done.（为Checkpoint生成一个管理组，在此处不需要生成专门管理组，直接敲回车，不生成组）Configuring Random Pool.=You are now asked to perform a short random keystroke session.The random data collected in this session will be used invarious cryptog

13、raphic operations.Please enter random text containing at least six differentcharacters. You will see the * symbol after keystrokes thatare too fast or too similar to preceding keystrokes. Thesekeystrokes will be ignored.Please keep typing until you hear the beep and the bar is full. .Thank you.（随意敲入

14、字符，以便Checkpoint用它作为随机的加密参数。随意敲任意，直到出现Thank you）Configuring Certificate Authority.=The system uses an internal Certificate Authorityto provide Secured Internal Communication (SIC) Certificatesfor the components in your System.Note that your components wont be able to communicatewith each other until the Certificate Authority is initializedand they have their SIC Certificate.Press Enter to initialize the Certificate Authority.(输入回车开始生成证书) Internal Certificate Authority created succe