checkpoint防火墙技术培训

©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdpartiesCheckPointTrainingUTM-1©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|问题为什么需要一个防火墙防火墙到底起什么作用33©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|Workshop概述目的通过组织讨论与实践进一步深化理解checkpoint熟悉checkpoint各种常用的功能方式演讲实验结果能独立完成utm-1(checkpoint)的初始化工作能完成基本checkpoint的需求配置后续继续熟悉配置探索新功能44©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|CheckPoint技术架构管理客户端管理服务器(SmartCenter）•硬件解决方案：SMART-1•软件解决方案：SmartCenter+PCServerPower-1UTM-1IP系列防火墙网关UTM-1安全网关管理服务器55©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|架构例子UTM-1272管理客户端UTM-1安全网关管理服务器UTM-1272UTM-1132管理客户端UTM-1安全网关管理服务器(nouse)UTM-1安全网关管理服务器例子2例子166©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|架构例子2UTM-1272UTM-1132管理客户端UTM-1安全网关管理服务器(nouse)UTM-1安全网关管理服务器（nouse）Smart-1(smartcenter)77©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|设备初始化实验安装系统初始化基本设定99©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|初始化配置（standalone模式）配置设备网卡IP地址配置默认路由配置DNS和hostname配置时间和时区配置webandSSHclient配置初始化模块(SecurityGateway+SecurityManagement)配置managementGUIclient配置SecurityManagementAdministrator1010©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|初始化配置（standalone模式）第一次登陆，提示修改admin的密码设定网卡地址，注意需要设置2个以上的网卡添加静态路由设定DNS设定主机名称与绑定IP地址设定时间与时区1111©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|初始化配置（standalone模式）初始化SecurityGateway和ManagementServer选择PrimarySecurityManagement设定GUIclient建立GUI的用户cpadmin完成初始化1212©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|实验1初始化设备建立虚拟机►两个虚拟网卡需要设置成桥接模式►无线网卡需要关闭，有线网卡需要接上网上使网卡能用►硬盘需要20G以上。初始化成standalone模式►选择SecurityGateway和SecurityManagement►为了试验方便Guiclient设置成any1313©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本设定设定主地址设置topology和antispoofing设定管理策略与clear策略安装策略1414©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本设定(设定主地址)设定防火墙的主地址为外网口地址1515©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本设定(设置topology和antispoofing)1616©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本设定(设置topology和antispoofing)1717©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本设定(设置管理策略和clear策略)1818©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本设定(设置管理策略和clear策略)1919©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|基本策略与NATSmartdashboard结构对象的添加FirewallPolicy选项卡NAT选项卡与实现方式防火墙安装对象日志记录其他2020©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|Smartdashboard结构对象树功能选项卡对象列表菜单与快捷方式2121©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|Smartdashboard结构(对象树)2222©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|对象的添加2323©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|FirewallPolicy选项卡1.数据到达firewall,从第一条策略开始匹配2.Firewall根据source，destination，service,vpn进行匹配3.如果匹配成功，数据会根据Action中的内容执行动作4.如果匹配不成功，数据会找下一条策略进行匹配5.如果所有策略都不匹配成功，系统会找到最后一条anyanydrop2424©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|NAT与其实现方式NAT的自动策略实现与手工策略实现HideNAT与StaticNATNAT功能选项卡表结构2525©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|NAT与其实现方式(自动实现的NAT)2626©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|NAT与其实现方式(自动实现的NAT)2727©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|NAT与其实现方式(手工实现的NAT)2828©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|HideNAT(自动实现模式)双击需要做NAT的对象点选NAT选项卡打勾“AddautomaticAddressTranslation”Translation选择Hide选择Hide成gateway的地址还是Hide成某个具体IP选择需要安装的firewall2929©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|StaticNAT(自动实现模式)双击需要做NAT的对象点选NAT选项卡打勾“AddautomaticAddressTranslation”Translation选择Static填入映射到外网的IP地址选择需要安装的firewall3030©2010CheckPointSoftwareTechnologiesLtd.|[Confidential]ForCheckPointusersandapprovedthirdparties|NAT表结构1.数据到达firewall从第一条策略开始匹配2.Firewall根据originalpacket中source，destination，service进行匹配3.如果匹配成功，数据会根据translatedpacket表中的source，destination，service的内容进行NAT4.如果匹配不成功，数据会找下一条NAT策略进行匹配手工NAT策略自动NAT策略3131©2010CheckPointSoftwareTechnolog