Title: NOKIA IPSO 4.1 & CheckPoint NGX R61
Author: chrisqian    Posted: 2006-8-24 09:25
Installation and setup
Please choose the host name for this system. This name will be used in messages and usually corresponds with one of the network hostnames for the system. Note that only letters, numbers, dashes, and dots (.) are permitted in a hostname.
Hostname? IP380
Hostname set to “IP380”, OK? [y]
2. Next, set the admin password when prompted.
Please enter password for user admin:
Please re-enter password for confirmation:
3. Choose how to configure the system.
You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a remote browser
2) VT100-based Lynx browser
Please enter a choice [ 1-2, q ]: 1
Note: choosing option 1 still lets you use option 2 as well.
4. Select an interface and configure an IP address for it.
Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-5]: 1
Enter the IP address to be used for eth1: 192.168.0.220
Enter the masklength: 24
Do you wish to set the default route [ y ] ?
Enter the default router to use with eth1:192.168.0.1
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ?
* If the connected device supports 100 Mbps, choose y.
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ?
* If the connected device supports full duplex, choose y.
You have entered the following parameters for the eth1 interface:
IP address: 10.0.1.1
masklength: 8
Default route: 10.0.0.19
Speed: 10M
Duplex: half
Is this information correct [ y ] ?
* Confirm that all settings are correct.
5. Choose whether to enable VLAN support.
Do you want to configure Vlan for this interface[ n ] ?
* If you do not need inter-VLAN routing or a per-VLAN security policy, choose n.
6. One interface is now configured; the rest of the configuration can be done through Web Voyager using this interface's IP address.
You may now configure your interfaces with the Web-based Voyager by typing in the IP address “192.168.0.220” at a remote browser.
7. Configure SNMP
Do you want to change SNMP Community string[ n ] ?
* No configuration is needed here; choose n.
8. Network services are reinitialized and a new login prompt appears.
IPSO (IP380) (ttyd0)
login:
We can now log in to the Web-based Voyager to continue the configuration.
III. Using Web Voyager
Open IE and enter the IP address configured above, http://192.168.0.220, in the address bar.
Enter the default gateway IP, then click Apply -> Save. To delete it, select Off and click Apply -> Save.
b) Adding static routes
Fill in the Quick-add static routes list using the format shown in the example.
Example:
192.168.1.0/24 10.1.1.1
To delete a route, select Off in the route list and click Apply -> Save.
8. Set the relevant packages to On (NGX R60 interface shown)
Steps: under System Configuration, select Packages → Manage Packages.
a) Set Check Point VPN-1 Pro/Express NGX R61 (Mon Mar 6 10:56:42 IST 2006 Build 602000207) to On
b) Click Apply -> Save.
c) Set Check Point CPinfo (Thu Dec 22 14:03:00 IST 2005 Build 911000031) to On
d) Click Apply -> Save.
e) Log in again so that the corresponding environment variables take effect.
The basic IPSO setup is now complete and other packages can be installed. The following describes installing the Check Point package.
IV. Installing Check Point for Nokia
a) The complete NGX R61 installation
IP380[admin]# cpconfig
Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...
* Press Enter, then press the space bar repeatedly until you see:
Do you accept all the terms of this license agreement (y/n) ? y
Please select one of the following options :
Check Point Enterprise/Pro – for headquarters and branch offices.
Check Point Express – for medium-sized businesses.
-----------------------------------------------------------------------------
(1) Check Point Enterprise/Pro.
(2) Check Point Express.
(1) Stand Alone – install VPN-1 Pro Gateway and SmartCenter Enterprise.
(2) Distributed – install VPN-1 Pro Gateway, SmartCenter and/or Log Server.
Enter your selection (1-2/a-abort) [1]:
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you
will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by
running cpconfig
Configuring Licenses...
=======================
Host Expiration Signature Features
Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.
Do you want to add licenses (y/n) [y] ? n
Configuring Administrators...
=============================
No Check Point products Administrators are currently
defined for this SmartCenter Server.
Do you want to add an administrator(y/n) [y] ? y
Administrator name:admin
Password:
Verify Password:
Administrator admin was added successfully and has Read/Write Permission for all products with Permission to Manage Administrators
Configuring GUI Clients...
=================================
GUI clients are trusted hosts from which
Administrators are allowed to log on to this SmartCenter Server
using Windows/X-Motif GUI.
No GUI clients defined
Do you want to add a GUI client (y/n) [y] ?y
You can add GUI Clients using any of the following formats:
1. IP address.
2. Machine name.
3. “Any” – Any IP without restriction
4. IP/Netmask – A range of addresses, for example 192.168.10.0/255.255.255.0
5. A range of addresses – for example 192.168.10.8-192.168.10.16
6. Wild cards(IP only)- for example 192.168.10.*
Please enter the list hosts that will be GUI clients.
Enter GUI Client one per line, terminating with CTRL-D or your EOF character.
Any (Ctrl-D)
Warning:Every gui client can connect to this SmartCenter Server.
Is this correct (y/n) [y] ?y
Configuring Group Permissions...
==========================
Please specify group name[<RET> for super-user group]:
No group permissions will be granted. Is this ok(y/n)[y]?y
Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in
various cryptographic operations.
Please enter random text containing at least six different
characters. You will see the '*' symbol after keystrokes that
are too fast or too similar to preceding keystrokes. These
keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[....................] *
Thank you.
Configuring Certificate Authority...
====================================
The Internal CA will now be initialized
With the following name: IP380
Initializing the Internal CA…(may take several minutes)
Internal Certificate Authority created successfully
Certificate was created successfully
Certificate Authority initialization ended successfully
Trying to contact Certificate Authority.It might take a while…
IP380 was successfully set to the Internal CA
Done
Configuring Certificate’s Fingerprint...
====================================
The following text is the fingerprint of this SmartCenter Server:
ALGA WING MAIL BEAK FEET BURL ACHE ROW DESK VINE BOIL MESH
Do you want to save it to a file?(y/n)[n]?n
generating INSPECT code for GUI Clients
initial_management:
Compiled OK.
Hardening OS Security:Initial policy will be applied
Until the first policy is installed
In order to complete the installation
you must reboot the machine.
Do you want to reboot?(y/n)[y]?y
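The GUI Clients step above accepts six entry formats, and answering "Any" draws the warning that every host can reach the SmartCenter Server. As an added example (not from the original post or from Check Point's own tooling), the Python below parses each of the six formats cpconfig lists, counts how many addresses an entry admits, and reports entries that are over-broad. The BROAD_THRESHOLD value is an assumed policy setting for this example, and the sample entries in the test are constructed.

```python
import ipaddress
import re

# Address-count threshold above which an entry is reported as over-broad
# (assumed policy value for this example, not a Check Point setting).
BROAD_THRESHOLD = 256


def parse_gui_client(entry):
    """Parse one GUI client entry in the six formats cpconfig accepts.

    Returns (kind, address_count). address_count is None for a machine
    name (resolved at run time) and float('inf') for "Any".
    """
    entry = entry.strip()
    # Format 3: "Any" - no restriction at all
    if entry.lower() == "any":
        return ("any", float("inf"))
    # Format 5: dotted range a.b.c.d-e.f.g.h
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)", entry)
    if m:
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if hi < lo:
            raise ValueError("range end precedes start: %s" % entry)
        return ("range", int(hi) - int(lo) + 1)
    # Format 4: IP/netmask with a dotted mask
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+", entry):
        net = ipaddress.IPv4Network(entry, strict=False)
        return ("netmask", net.num_addresses)
    # Format 6: wildcard octets, e.g. 192.168.10.*
    if "*" in entry:
        octets = entry.split(".")
        if len(octets) != 4 or any(o != "*" and not o.isdigit() for o in octets):
            raise ValueError("bad wildcard entry: %s" % entry)
        # Each wildcard octet multiplies the matched address count by 256
        return ("wildcard", 256 ** octets.count("*"))
    # Format 1: a single IP address
    try:
        ipaddress.IPv4Address(entry)
        return ("ip", 1)
    except ValueError:
        pass
    # Format 2: a machine name (letters, digits, dashes and dots only)
    if re.fullmatch(r"[A-Za-z0-9.-]+", entry):
        return ("hostname", None)
    raise ValueError("unrecognised GUI client entry: %s" % entry)


def audit_gui_clients(entries, threshold=BROAD_THRESHOLD):
    """Return a list of (entry, kind, count, finding) tuples, one per entry."""
    report = []
    for e in entries:
        kind, count = parse_gui_client(e)
        if kind == "any":
            finding = "every host may connect; restrict to admin workstations"
        elif count is not None and count > threshold:
            finding = "over-broad (%d addresses)" % count
        elif kind == "hostname":
            finding = "resolved at run time; depends on DNS integrity"
        else:
            finding = "ok"
        report.append((e, kind, count, finding))
    return report


if __name__ == "__main__":
    # Constructed sample list mirroring the formats cpconfig describes
    for row in audit_gui_clients(["Any", "192.168.10.5", "10.*.*.*",
                                  "192.168.10.8-192.168.10.16"]):
        print("%-28s %-9s %s" % (row[0], row[1], row[3]))
```

The check is worth running against the list you intend to enter: a single "Any" or a wildcard such as 10.*.*.* turns the GUI-client list from an access-control boundary into a no-op, and the list can be tightened later with cpconfig without reinstalling.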
############### IPSO Full Installation #################
You will need to supply the following information:
Client IP address/netmask, FTP server IP address and filename,
system serial number, and other license information.
This process will DESTROY any extant files and data on your disk.
##############################################
Continue? (y/n) [n] y
Motherboard serial number is 12345678.
The chassis serial number can be found on a
sticker on the back of the unit with the letters
S/N in front of the serial number.
Please enter the serial number: 12345678
Please answer the following licensing questions.
Will this node be using IGRP ? [y] n
Will this node be using BGP ? [y] n
1. Install from anonymous FTP server.
2. Install from FTP server with user and password.
Choose an installation method (1-2): 2
Enter IP address of this client (0.0.0.0/24): 192.168.0.220/24
Enter IP address of FTP server(0.0.0.0): 192.168.0.11
Enter IP address of the default gateway (0.0.0.0): 192.168.0.11
Choose an interface from the following list:
1) eth1
2) eth2
3) eth3
4) eth4
Enter a number [1-4]: 1
Choose interface speed from the following list:
1) 10Mbit/sec
2) 100Mbit/sec
Enter a number [1-2]:2
Half or full duplex?[h/f] [h] f
Enter user name on FTP Server: admin
Enter password for “admin”:
Enter path to ipso image on FTP server [~]:/
Enter ipso image filename on FTP server [ipso.tgz]:
1. Retrieve all valid packages, with no further prompting.
2. Retrieve packages one-by-one, prompting for each.
3. Retrieve no packages.
Enter choice [1-3] [1]: 2
Client IP address = 192.168.0.220/24
Server IP address = 192.168.0.11
Default gateway IP address = 192.168.0.11
Network Interface = eth1, speed = 100M, full-duplex
Server download path = [//]
Package install type = prompting
Mirror set creation = no
Are these values correct? [y]y
Checking what packages are available on 192.168.0.11
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
#
The following packages are available:
IPSO_wrapper_R61.tgz
Building filesystems...done.
Making initial links…done.
Downloading compressed tarfile(s) from 192.168.0.11
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
100% 29156KB 00:00 ETA
Do you wish to Download IPSO_wrapper_R61.tgz(y/n) ?:y
Hash mark printing on(1048576 bytes/hash mark).
Interactive mode off.
100% 72898KB 00:00 ETA
Checking validity of image...done.
Checking validity of pkgs...done.
Installing image...done.
Image version tag: IPSO-4.1-BUILD013-03.27.2006-223017-1515.
Checking if bootmgr upgrade is needed...
Do you want to upgrade bootmgr anyway? [n]y
Need to upgrade bootmgr.Proceeding…
Upgrading bootmgr....
new bootmgr size is 1474560
old bootmgr size is 1474560
Saving old bootmgr.
Installing new bootmgr.
Verifying installation of bootmgr.
Packages being stored in /mnt/opt/tmp .
You will be given a chance to install and activate each package
at your first reboot.
Installation completed.
Reset system or hit <Enter> to reboot.
Starting reboot.
Loading Package List
Package Description:Check Point Suite wrapper package NGX R61
Would you like to :
1. Install this as a new package
2. Upgrade from an old package
3. Skip this package
4. Exit new package installation
Choose (1-4): 1
Installing IPSO_wrapper_R61.tgz
Running IPSO_wrapper_R61/INSTALL PRE /opt/IPSO_wrapper_R61 /opt/tmp/IPSO_wrapper_R61.tgz IPSO_wrapper_R61/MANIFEST newpkg
Running IPSO_wrapper_R61/INSTALL POST /opt/IPSO_wrapper_R61 /opt/tmp/IPSO_wrapper_R61.tgz IPSO_wrapper_R61/MANIFEST newpkg
It is required to configure Check Point products before activating them, you can do so by re-login to the machine and running "cpconfig" from the command line.
Done installing IPSO_wrapper_R61
End of new package installation
Cleaning up…done
A reboot may be necessary to activate packages.
Cleaning up…
Syncing disks…done
Rebooting…
2. Upgrading IPSO with the newimage command
a) Enable the FTP service on IPSO using Web Voyager
Under Security and Access, select Network Access and Services.
b) Prepare the new ipso.tgz file and upload it to the Nokia device
C:\>ftp 192.168.0.220
Connected to 192.168.0.220.
220 IP380 FTP server (Version 6.00) ready.
User (192.168.0.220:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> pwd
257 "/var/emhome/admin" is current directory.
ftp> bin
200 Type set to I.
ftp> lcd e:\
Local directory now E:\.
ftp> lcd technical\NOKIA\ipso3.51
Local directory now E:\technical\NOKIA\ipso3.51.
ftp> hash on
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> put ipso.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for 'ipso.tgz'.
#################################################
###########################################
226 Transfer complete.
ftp: 29088761 bytes sent in 40.04Seconds 726.53Kbytes/sec.
ftp> bye
221 Goodbye.
C:\>
Connect to the console port with a console cable and log in with the admin password.
IP380[admin]# ls
.cshrc .history .login .profile ipso.tgz
Verify the MD5 value. This is very important: if an OS image whose MD5 value does not match is installed, the whole system will crash!!
IP380[admin]# md5 ipso.tgz
MD5 (ipso.tgz) = 0266af5dd66a85b71088e47f9d5d7571
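As an added example (not from the original post or from Nokia's tooling), the Python below performs the same check in a form that can be scripted before any newimage run: it streams the image through MD5 and compares the result to the expected value in constant time. EXPECTED_MD5 is the value the post shows for its ipso.tgz; the data written by demo() is constructed sample input.

```python
import hashlib
import hmac
import os
import tempfile

# Expected checksum for the image; this is the value shown above for ipso.tgz.
EXPECTED_MD5 = "0266af5dd66a85b71088e47f9d5d7571"


def md5_of_file(path, chunk_size=1024 * 1024):
    """Return the hex MD5 of a file, streaming so a large image fits in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_of_bytes(data):
    """Hex MD5 of an in-memory byte string (used for the constructed sample)."""
    return hashlib.md5(data).hexdigest()


def verify_image(path, expected_md5):
    """True only if the file exists and its MD5 matches the expected value.

    hmac.compare_digest avoids short-circuiting on the first differing
    character; the comparison is case-insensitive on the hex digits.
    """
    if not os.path.isfile(path):
        return False
    actual = md5_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_md5.strip().lower())


def demo():
    """Write a constructed sample file and check a good and a bad digest.

    Returns (good_result, bad_result); expected (True, False).
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")          # constructed sample payload
        good = verify_image(path, md5_of_bytes(b"abc"))
        bad = verify_image(path, "0" * 32)
    finally:
        os.unlink(path)
    return (good, bad)


if __name__ == "__main__":
    # On the appliance: refuse to proceed unless the downloaded image matches
    if verify_image("ipso.tgz", EXPECTED_MD5):
        print("ipso.tgz matches expected MD5; safe to run newimage")
    else:
        print("ipso.tgz MISSING OR CORRUPT; do not install")
```

One caveat on what this protects against: an MD5 match rules out a truncated or corrupted FTP transfer (the binary-mode upload above is exactly where such damage happens), but MD5 is not a signature, so it only confirms the file is the one the published checksum describes, not that the checksum itself came from the vendor.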
Version tag stored in image: IPSO-4.1-BUILD013-03.27.2006-223017
Setting up new image...done.
Checking if bootmgr upgrade is needed...
Upgrading bootmgr....
Saving old bootmgr.
Installing new bootmgr.
Verifying installation of bootmgr.
To install/upgrade your packages run /etc/newpkg after REBOOT
Please reboot immediately
Load new package from:
1. Install from CD-ROM.
2. Install from anonymous FTP server.
3. Install from FTP server with user and password.
4. Install from local filesystem.
5. Exit new package installation.
Choose an installation method (1-5):
Follow the interactive prompts.
The Check Point package path is /opt/packages/.
VI. Restoring factory state
a) Connect to the Nokia device via the console
b) Enter rm /config/active or mv /config/active /config/active.old
c) Reboot
VII. Recovering a forgotten password
If the admin password is forgotten or unknown, it can be reset as follows:
a) Reboot and press 1 at the prompt to enter bootmgr mode
b) Run boot -s
Enter pathname of shell or RETURN for sh:
# /etc/overpw
Please enter password for user admin:
Please re-enter password for confirmation:
Continue?[n]y
Admin password changed.You may enter ^D to continue booting.
THIS IS A TEMPORARY PASSWORD CHANGE.
PLEASE USE VOYAGER TO CREATE A PERMANENT PASSWORD FOR THE USER ADMIN.
#
VIII. Manual filesystem repair
a) Reboot and press 1 at the prompt to enter bootmgr mode
b) Run
boot -s
Change to the /sbin directory and run: fsck -y
IX. FAQ
1. What is the FireWall Flows feature on the Nokia IP Series Appliance?
The FireWall Flows feature is designed to increase performance of FireWall-1 on the Nokia Platforms. VPN-1/FireWall-1 Flows (known as Flows) increases the throughput of VPN-1/FireWall-1 software running on the Check Point VPN-1 Appliance. VPN-1/FireWall-1 is integrated at the level directly in the path of the packets. Flows uses cached connection state information to make faster decisions when possible. It is important to note that there is no functional difference between operation with or without Flows in action. The Flows feature allows for the connections table and route lookup associated with packets other than the initial packets to be implemented at a lower level in the OSI model. As a result, the Flows option is as secure as the normal path option. The same connection table lookups take place, simply at a lower level. NATing and anti-spoofing are replicated at this lower level as well.
FireWall Flows (known as Flows) increases the throughput of the CheckPoint FireWall-1 software running on your Nokia network application platform. Only the Nokia platform implements Flows on FireWall-1, starting with IPSO 3.3 and later.
SOLUTION
This feature reduces the overhead associated with FireWall-1 by moving a copy of the connection table to the device driver hardware interrupt level, eliminating calls to FireWall-1 for existing connections. Only the first packet of a new TCP or UDP session is sent to the FireWall-1 inspection module for processing. The result is greatly improved throughput performance, particularly for small packets in long-lived flows.
The Flows feature allows for the connections table and route lookup associated with packets other than the initial packet to be implemented at a lower level in the OSI model.
As a result, the Flows option is as secure as the "normal" path option. The same connection table lookups take place, simply at a lower level. NATing and anti-spoofing are replicated at this lower level as well.
Note: FireWall Flows does not currently support the following types of traffic:
Encrypted
User Authentication
Internet Control Message Protocol (ICMP)
Multicast
None of these traffic types are "flowed", so they do not gain the throughput enhancement provided by Flows.
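To make the two paths described in this FAQ concrete, the following is an added example (not from the original post or from Nokia's or Check Point's code) that models them in Python: the first packet of an eligible TCP or UDP connection goes through the full policy (the "inspection module"); once accepted, the connection is cached in a copy of the connection table, and later packets of that connection are answered from the cache. Encrypted, user-authenticated, ICMP and multicast traffic is never cached, matching the note above. The policy function, packet fields and sample packets are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Minimal packet model; 'encrypted' and 'user_auth' stand in for the traffic
# classes the FAQ says are not flowed (constructed for this example).
Packet = namedtuple("Packet", "proto src sport dst dport encrypted user_auth")


def flow_key(p):
    """Connection identity: the 5-tuple that the connection table is keyed on."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def is_multicast(addr):
    return ipaddress.IPv4Address(addr).is_multicast


class FlowDispatcher:
    """Models the normal inspection path versus the cached Flows path."""

    def __init__(self, policy):
        self.policy = policy   # callable(Packet) -> bool: the inspection module
        self.flows = {}        # copy of the connection table: key -> accepted
        self.inspected = 0     # packets sent to the inspection module
        self.flowed = 0        # packets handled from the cached flow

    def eligible(self, p):
        """Only plain TCP/UDP unicast traffic may be flowed."""
        return (p.proto in ("tcp", "udp")
                and not p.encrypted and not p.user_auth
                and not is_multicast(p.src) and not is_multicast(p.dst))

    def handle(self, p):
        """Return (path, verdict) for one packet."""
        key = flow_key(p)
        if self.eligible(p) and key in self.flows:
            # Same connection-table lookup, just without calling the policy
            self.flowed += 1
            return ("flow", self.flows[key])
        self.inspected += 1
        verdict = self.policy(p)
        if self.eligible(p) and verdict:
            # Cache only accepted connections; drops never become flows
            self.flows[key] = True
        return ("inspect", verdict)


def sample_policy(p):
    """Constructed rule base: allow TCP/80 from 10.0.0.0/8, deny everything else."""
    return (p.proto == "tcp" and p.dport == 80
            and ipaddress.IPv4Address(p.src) in ipaddress.IPv4Network("10.0.0.0/8"))


def sample_run():
    """Run constructed traffic through the dispatcher; returns (inspected, flowed)."""
    d = FlowDispatcher(sample_policy)
    web = Packet("tcp", "10.1.1.5", 40000, "192.168.1.10", 80, False, False)
    ping = Packet("icmp", "10.1.1.5", 0, "192.168.1.10", 0, False, False)
    mcast = Packet("udp", "10.1.1.5", 5000, "239.1.1.1", 5000, False, False)
    traffic = [web] * 5 + [ping] * 3 + [mcast] * 2
    for p in traffic:
        d.handle(p)
    return (d.inspected, d.flowed)


if __name__ == "__main__":
    inspected, flowed = sample_run()
    print("inspected=%d flowed=%d" % (inspected, flowed))
```

In the constructed run, only the first of the five web packets reaches the policy and the other four are served from the cached flow, while every ICMP and multicast packet is inspected; this is the behaviour the FAQ describes, and it is also why the Flows path is no weaker than the normal path: a packet is only cached after the full inspection has accepted its connection.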