Check Point Firewall Technology Training (checkpoint防火墙技术培训.ppt)

2010 Check Point Software Technologies Ltd. | Confidential For Check Point users and approved third parties

Check Point Training: UTM-1

Questions
- Why do we need a firewall?
- What does a firewall actually do?

Workshop overview
- Goal
  - Deepen the understanding of Check Point through guided discussion and hands-on practice
  - Become familiar with the commonly used Check Point features
- Format
  - Presentation
  - Labs
- Outcome
  - Be able to initialise a UTM-1 (Check Point) appliance independently
  - Be able to carry out basic Check Point configuration as required
- Follow-up
  - Keep getting familiar with the configuration
  - Explore new features

Check Point technical architecture
- Management client
- Management server (SmartCenter): hardware solution: Smart-1; software solution: SmartCenter + PC server
- Firewall gateways: Power-1, UTM-1, IP series
- UTM-1: security gateway and management server on one appliance

Architecture examples
- Example 1: a single UTM-1 272 running both the security gateway and the management server, administered from a management client
- Example 2: a UTM-1 272 and a UTM-1 132; one appliance runs security gateway and management server, the other's management server is not used; both administered from a management client

Architecture examples 2
- UTM-1 272 and UTM-1 132 running only the security gateway (the management server on each is not used), managed centrally by a Smart-1 (SmartCenter) from a management client

Appliance initialisation lab
- Install the system
- Initialise
- Basic settings

Initial configuration (standalone mode)
- Configure the IP addresses of the appliance's interfaces
- Configure the default route
- Configure DNS and hostname
- Configure time and time zone
- Configure web and SSH clients
- Configure the initial modules (Security Gateway + Security Management)
- Configure the management GUI client
- Configure the Security Management administrator

Initial configuration (standalone mode), first login
- On first login you are prompted to change the admin password
- Set the interface addresses; note that two or more interfaces must be configured
- Add static routes
- Set DNS
- Set the hostname and bind it to an IP address
- Set time and time zone

Initial configuration (standalone mode), products
- Initialise Security Gateway and Management Server
- Select Primary Security Management
- Set the GUI client
- Create the GUI user cpadmin
- Finish the initialisation

Lab 1: initialise the appliance
- Create a virtual machine: the two virtual NICs must be set to bridged mode; the wireless NIC must be disabled and the wired NIC connected to the network so that the virtual NICs work; the disk must be 20 GB or more
- Initialise in standalone mode: select Security Gateway and Security Management; for convenience in the lab, set the GUI client to any

Basic settings
- Set the main address
- Set topology and anti-spoofing
- Set the management policy and the clear policy
- Install the policy

Basic settings (main address)
- Set the firewall's main address to the address of the external interface

Basic settings (topology and anti-spoofing)

Basic settings (management policy and clear policy)

Basic policy and NAT
- SmartDashboard structure
- Adding objects
- Firewall Policy tab
- NAT tab and how NAT is implemented
- Install-on object for the firewall
- Logging
- Other

SmartDashboard structure
- Object tree
- Function tabs
- Object list
- Menus and shortcuts

SmartDashboard structure (object tree)

Adding objects

Firewall Policy tab
1. Data arrives at the firewall and is matched starting from the first rule
2. The firewall matches on source, destination, service and VPN
3. If the rule matches, the action in the Action column is carried out
4. If the rule does not match, the next rule is tried
5. If no rule matches, the final rule "any any drop" applies

NAT and how it is implemented
- Automatic NAT rules versus manual NAT rules
- Hide NAT versus Static NAT
- Structure of the NAT tab table

NAT and how it is implemented (automatic NAT)

NAT and how it is implemented (manual NAT)

Hide NAT (automatic mode)
- Double-click the object that needs NAT
- Open the NAT tab
- Tick "Add automatic Address Translation"
- Set Translation to Hide
- Choose whether to hide behind the gateway address or behind a specific IP
- Select the firewall the rule is installed on

Static NAT (automatic mode)
- Double-click the object that needs NAT
- Open the NAT tab
- Tick "Add automatic Address Translation"
- Set Translation to Static
- Enter the external IP address the object is mapped to
- Select the firewall the rule is installed on

NAT table structure
1. Data arrives at the firewall and is matched starting from the first rule
2. The firewall matches on source, destination and service of the original packet
3. If the rule matches, the data is translated according to source, destination and service in the translated packet columns
4. If the rule does not match, the next NAT rule is tried
- Manual NAT rules
- Automatic NAT rules

Install-on object for the firewall and policy installation
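The first-match evaluation described above for the Firewall Policy tab and the NAT tab, as an added example that is not part of the training deck or Check Point's own code: a simplified model in which the rule bases, the packets and the published address 192.168.1.10 are constructed, using the internal network 192.168.2.0/24 and external IP 192.168.1.1 of the lab topology.

```python
# Added example (not Check Point code): a simplified model of the first-match
# evaluation the deck describes for the Firewall Policy tab and the NAT tab.
from ipaddress import ip_address, ip_network
ANY = "any"

def column_matches(value, rule_value):
    """A column matches on 'any', an equal value, or a network object
    (CIDR string) that contains the packet's address."""
    if rule_value == ANY or rule_value == value:
        return True
    if "/" in str(rule_value):
        return ip_address(value) in ip_network(rule_value)
    return False

def evaluate_policy(rules, pkt):
    """Firewall Policy: match top-down on source/destination/service; the first
    match decides. No match -> implicit cleanup rule 'any any drop' (number None)."""
    for number, rule in enumerate(rules, start=1):
        if all(column_matches(pkt[c], rule[c]) for c in ("source", "destination", "service")):
            return number, rule["action"]
    return None, "drop"

def apply_nat(nat_rules, pkt):
    """NAT tab: match the original packet on source/destination/service, then
    rewrite the translated-packet columns ('original' keeps the field as is)."""
    for rule in nat_rules:
        orig = rule["original"]
        if all(column_matches(pkt[c], orig[c]) for c in ("source", "destination", "service")):
            out = dict(pkt)
            for field, new_value in rule["translated"].items():
                if new_value != "original":
                    out[field] = new_value
            return out
    return dict(pkt)                      # no NAT rule matched: packet unchanged

# Constructed sample rule bases based on the lab topology in the deck
# (internal 192.168.2.0/24, external IP 192.168.1.1; 192.168.1.10 is invented).
POLICY = [
    {"source": "192.168.2.0/24", "destination": ANY, "service": "http", "action": "accept"},
    {"source": ANY, "destination": "192.168.2.2", "service": "http", "action": "accept"},
]
NAT = [
    # Hide NAT: the internal network is hidden behind the gateway's external address.
    {"original": {"source": "192.168.2.0/24", "destination": ANY, "service": ANY},
     "translated": {"source": "192.168.1.1", "destination": "original", "service": "original"}},
    # Static NAT: the web server 192.168.2.2 is published on 192.168.1.10.
    {"original": {"source": ANY, "destination": "192.168.1.10", "service": ANY},
     "translated": {"source": "original", "destination": "192.168.2.2", "service": "original"}},
]
```

The model evaluates the two tables independently; it does not reproduce where in the gateway's packet path each table is consulted.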
Logging and viewing logs
- Logging is based on the settings in the policy rules
- Several logging modes are available
- Use the SmartView Tracker tool to view the logs

SmartView Tracker
- Query tree
- Log contents
- Log type tabs

SmartView Tracker, log types and icons
- Regular log, active connections log, administrator audit log
- Log: normal traffic log; Control: system control operations log; Alert: alert log
- Green pass icon: Accept entries; red block icon: drop and reject entries; yellow lock icon: VPN encrypt/decrypt entries

Log fields
- Fields that are most often of interest: Type, action, service, source, destination, XlateSrc, XlateDst, information, rule, source user name

Log filtering
- Every field can be filtered
- Filters on several fields can be combined
- Click the clear-filter icon to remove all filters

Log management
- Switch Active File: saves the current log to another file
- Purge Active File: clears the current log completely
- Add log fields

Labs 2 and 3
- Topology: internal IP 192.168.2.1; web server 192.168.2.2; external IP 192.168.1.1/24; gateway IP 192.168.1.254/24; internet
- Log in and perform the basic configuration
- Internet access and NAT
- Check the logs to confirm success

Bridge
- Topology: client 192.168.1.4/24; web server 192.168.1.2/24; UTM-1 in between
- Add a bridge interface
- Add the ports to be bridged to this bridge
- Set the bridge's IP address
- Open SmartDashboard and disable anti-spoofing

Bridge (steps)
- Create a new bridge
- Add the NICs to be bridged to the bridge
- Go back to the firewall object in SmartDashboard and use Get interface with topology
- Install the policy

Lab 4: bridge
- Configure the bridge ports
- Configure the topology of the Check Point object
- Configure the policy
- Install the policy
- Check the result

URL-filtering blade discussion
- Question 1: why is URL filtering needed?
- Question 2: what does Check Point URL filtering give the user?
- Question 3: how is it implemented?

URL-filtering blade
- Edit the firewall object
- Tick URL-filtering under General Properties
- On the Anti-Virus & URL filtering page, configure the settings for each category
- Set up logging
- Set up the black list and white list
- Set the excluded objects and the notification page
- Install the policy

IPS blade, the same three questions
- Question 1: why is an IPS needed?
- Question 2: what does the Check Point IPS give the user?
- Question 3: how is it implemented?

IPS blade
- Click the firewall object and tick IPS
- Select recommended_protection as the IPS profile
- Set the actions of that profile

IPS blade, configuration example: controlling QQ

IPS blade, IPS logs
- Follow up
- Information

Labs 5 and 6: IPS blade and URL-filtering
- Set up a strict firewall policy
- Enable the IPS blade and the URL-filtering blade
- Access the relevant URLs and use QQ, and observe the result
- Check the logs and confirm the result

Site to Site VPN (with a third-party peer)
- Define the gateway and its topology
- Set up the VPN community
- Set up the VPN policy

Site to Site VPN (gateway and topology)
- Pay attention to the VPN domain setting: more than 80% of VPN faults are caused by a wrong VPN domain

Site to Site VPN (VPN community)
- Add the gateways that take part in the VPN to the community
- Set the VPN parameters, for example the shared secret

Site to Site VPN (policy)
- Use the VPN community set up earlier

Lab 7: site to site VPN
- Create the VPN objects
- Set the VPN domain
- Set up the VPN community and its parameters
- Set up the VPN policy
- Check the logs

Remote Access VPN
- Define the gateway and its topology
- Set up the VPN community
- Set up the VPN policy
- Office mode
- Visitor mode
- SSL Network Extender
- Authentication methods

Remote Access VPN (VPN community)
- Add the gateway that provides remote VPN access to the community
- Add the user group that uses remote VPN access to the community

Remote Access VPN (creating users)

Remote Access VPN (VPN policy)
- Source: the user group
- VPN: remote-access
- Set the required services
- Action: accept

Remote Access VPN (office mode)
- Open the firewall object
- Click IPSEC VPN
- Click Office Mode
- Set the group that uses office mode
- Set the address range that office mode assigns

Remote Access VPN (visitor mode)
- Open the firewall object
- Click IPSEC VPN
- Click Remote Access
- Tick Support Visitor Mode

Remote Access VPN (SSL Network Extender)
- Open the firewall object
- Click IPSEC VPN
- Click VPN Clients
- Tick SSL Network Extender

Lab 8: Remote Access VPN
- Set the VPN domain
- Set up the VPN community and its parameters
- Set up the VPN policy
- Check the logs

Remote Access VPN (authentication methods)
- Username and password authentication
- Certificate authentication with the internal certificate authority
- Authentication integrated with a Windows domain (LDAP)
- Authentication integrated with RADIUS

Remote Access VPN (password and certificate authentication)
- Username authentication: click Authentication and select Check Point password
- Certificate authentication: click Certificates, then either
  1. click Generate and save to save the certificate from this dialog, or
  2. click Initiate to generate a registration key; the certificate is then generated automatically from the client

Remote Access VPN (AD authentication)
- Create the LDAP account
- Create an LDAP group and bind the LDAP account created above to this group
- Create the policy

Remote Access VPN (RADIUS authentication)
- Create the RADIUS server
- Create the users and select RADIUS under each user's Authentication settings
- Create the user group policy

Lab 9: VPN with AD authentication and RADIUS authentication
- Configure Remote Access VPN
- Configure AD authentication and RADIUS authentication
- Test AD authentication and RADIUS authentication
- Check the logs

Central management and high-availability pair
- Central management
  - Create the objects
  - Establish SIC
  - Set the parameters
- Create the cluster
  - Create the cluster object
  - Set the cluster VPN parameters
  - VPN settings under central management

Central management topology (sample 1)
- UTM-1 276: only Security Gateway initialised
- UTM-1 136: Security Gateway + Security Management initialised
- Management client

Central management topology (sample 2)
- UTM-1 272 and UTM-1 132: only Security Gateway initialised
- Smart-1 5: only Security Management initialised
- Management client

Central management (creating objects)

Central management (creating the policy)
- In the policy, set the Install On field to utm276

Cluster configuration
- Both appliances are managed by the Smart-1
- Create the cluster object
- Enable the cluster feature
- Set the topology of the cluster object
- Set the cluster mode
- Set the policy

Cluster configuration (cont.)
- Each member's interface information can be retrieved with Get topology
- The virtual addresses are configured through the cluster's topology
- Set the properties of the cluster interfaces

Cluster configuration (other properties and policy)

Lab 10: central management and two-node cluster
- Create the cluster object
- Add the members to the cluster object
- Set the cluster topology
- Set the cluster HA parameters
- Set the policy

Thank you