Secure Internal Communications (SIC) 26-Jun-2001

Page 1

NG-FCS Version

Abstract

Check Point Software has enhanced the Internal Communications method for the components within a Next Generation (NG) Check Point System. This method is based on Digital Certificates, and will be further described below. This is a new and improved method for all of the internal communications, so if you are familiar with "fw putkeys", you will not have to go back there…

Document Title: Secure Internal Communications
Creation Date: 08-Feb-2001
Modified Date: 26-Jun-2001
Document Revision: 2 (meaning this is the 3rd revision)
Product Class: FireWall-1 / VPN-1
Product and Version: NG
Author: Joe DiPietro

DISCLAIMER

The Origin of this information may be internal or external to Check Point Software Technologies. Check Point Software Technologies makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Check Point Software Technologies makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Page 2

Given the Diagram below, we will establish a Trust Relationship with the Management Station and the FireWall-1 Module. The Management Server is located at 10.1.2.3, and the FireWall-1 Module will be defined as 10.1.2.1.

Table of Contents

SIC Overview (page 3)
FireWall-1 Object Definition on Management Station (page 4)
Initialize Trust Relationship (page 5)
Interface Definition (page 6)
Policy Install (page 8)
Troubleshooting (page 9)
    Netstat (page 9)
    cpstop/cpstart (page 10)
    cpd -d (page 10)

Page 3: SIC Overview

Secure Internal Communications (SIC) is the new method for how Check Point components will communicate with each other in Check Point Next Generation (NG). It is based on SSL with Digital Certificates. When you install the management station, you will create a Certificate Authority (CA). This Certificate Authority will issue certificates for all components that need to communicate to each other. For example, a distributed FireWall-1 Module will need a certificate from the management station prior to downloading a policy to this module (or even licensing this module remotely via the new license method). Here is a quick snapshot of a Primary Management Station installation, where the CA will be created.

Once the Primary Management Station is up and active, then it can initialize the remote FireWall-1 Module if it has the same One Time Password (OTP). The following screen shows a snapshot of the FireWall-1 Module installation, where you must enter a One Time Password (OTP) for the Initialization Process with the Management Station. You can also run "cpconfig" after the installation and initialize the OTP at that point.

Page 4: FireWall-1 Object Definition on Management Station

FireWall-1 Module Installation

Defining the Network Object on the Management Station

When defining the Network Object for SIC communications on the Management Station, the password entered must match the OTP defined on the module, in order for the Certificate to be distributed to the FireWall-1 Module and communications to be established. The screen below shows the object definition for a FireWall-1 Module. This has changed significantly from prior versions.

In this example, the Module is a "Gateway" with Check Point version "NG" installed. Also, note that you must now select what components are installed on this machine. In our case, we have VPN-1 & FireWall-1 installed. Please notice that until the DN: portion is filled in, we are not communicating with this module. We must now select "Communication" in order to initialize the SIC process. Remember, the Management Station must be able to communicate to the Remote Module before you can "remotely" apply the Check Point license from the Management Station.

By selecting "communication" above, the screen on the left appears. This is where we need to enter the OTP that was defined on the FireWall-1 Module during installation as shown below.

Page 5: Initialize Trust Relationship

Next select "Initialize". Notice that we now have a "Trust" relationship established between the Management Station and the FireWall-1 Module. SIC is now up and running. Unlike putkeys, it is possible to check that SIC is working: using "Test SIC status" you will see that GW1 is communicating. NB: Name resolution must be functioning correctly.

The Management Station is now communicating with the FireWall-1 Module, and the Certificate has been issued and received. Notice the DN: field at the bottom of this object. It is now filled in with the appropriate information.

Page 6: Interface Definition

Next, continue defining the other components of the Gateway Object so that the Management Station will be able to push a policy to the FireWall-1 Module. You must define the FireWall-1 “interfaces” at a minimum. Select the “Topology” tab, and then Select “Get Interfaces”. The screen to the left will show up with filled in Interface Information. Next, Edit the interface information.

Next select the "Topology" tab of the Interface Properties. This is where we will define what connects to this particular Interface. In our example, this interface will connect to the Internet. Also note that Anti-Spoofing information can be based off of the Topology Information defined here. Define the Internal Interface information as shown.

Page 7

Now the final interface definition is shown on the right. This is where we can also define the VPN Domain information. So far, we have the following Network Diagram as created by the Visual Policy Editor: the Management Station (mgmt-p, 10.1.2.3), the FireWall-1 Gateway (GW1, 10.1.2.1), and the three networks defined by the topology information (10.1.2.1/255.255.255.0), (192.168.10.0/255.255.255.0), and (199.203.71.0/255.255.255.0), the last of which connects to the Internet Cloud.

If we select “Show” under the “VPN Domain” in the screen above, this will show us what the “Encryption” domain will be calculated to be. It is shown in the screen below with the highlighted objects in Red.

Page 8: Policy Install

For our purposes, we will make it just the 192.168.10.0 network. So the final VPN Topology information will be as follows. Please note that we have made this topology "exportable" for SecuRemote. This will allow us to download this topology information to the SecuRemote machine. Now we can push the policy: select "OK" from the screen on the right, and the screen below will appear:

Notice that the Policy was successfully installed.

Page 9

Troubleshooting

If you get the following error message, a number of things could be wrong:

1. Connectivity issues from the Management Station to the FireWall-1 Module
2. CPShared is not installed on the FireWall-1 Module
3. The FireWall-1 Module is not listening on the proper ports for the SIC communications

This is the next screen that appears on the Management Station. This means the digital certificate has been initialized on the CA, but has not been delivered to the FireWall-1 Module. Let's troubleshoot at the FireWall-1 Module.

Netstat

First check the Network Port that SIC is trying to listen on with the "netstat" command. It should be listening on port 18211 as shown to the right. Note: On Unix, "netstat -a | grep 211" is the equivalent command.

If you see the screen above, reset your OTP by using the CPCONFIG utility as shown to the right by selecting Start → Programs → Check Point Management Clients → Check Point Configuration NG on the FireWall-1 Module. Remember to use the same password on the Management Station as you define within this screen. After you initialize the OTP again, then try and Initialize the object at the management station.

Page 10

If you don't see the host listening on this port, then perform the following steps as shown below.

cpstop/cpstart

There is a common infrastructure component called "CPShared" with Check Point NG. This component is located under C:\Program Files\CheckPoint\CPShared\5.0. There is a subdirectory called "bin", which has all of the commands for this shared component. To stop and start the shared component infrastructure, use the commands "CPSTOP" and "CPSTART" respectively.

cpd -d

An excellent troubleshooting program for this communications is the "CPD" application. To troubleshoot the SIC communications between the Management Station and the FireWall-1 Module, perform the following steps on the FireWall-1 Module. First stop all of the FireWall-1 Processes on the module with the "cpstop" command.

Now, put the Module into Debug Mode by running the CPD application with the "-d" flag.

Now try and "initialize" the FireWall-1 object on the Management Station by selecting the "Initialize" button as shown to the right.

C:\Program Files\CheckPoint\CPShared\5.0\bin>cpstop
The following services are dependent on the Check Point SVN Foundation service.
Stopping the Check Point SVN Foundation service will also stop these services.

Check Point FireWall-1

The Check Point FireWall-1 service is stopping.
The Check Point FireWall-1 service was stopped successfully.

The Check Point SVN Foundation service is stopping..
The Check Point SVN Foundation service was stopped successfully.

C:\Program Files\CheckPoint\CPShared\5.0\bin>

C:\Program Files\CheckPoint\CPShared\5.0\bin>cpd -d
[8 Feb 16:38:50] SIC initialization started
[8 Feb 16:38:50] Initialized sic infrastructure
[8 Feb 16:38:50] There is no valid SIC certificate on this machine. Cannot use sslca authentication yet
[8 Feb 16:38:50] Initialized SIC authentication methods
[8 Feb 16:38:50] Waiting for certificate from management ...    <-- This is a good sign!!
[8 Feb 16:38:50] Cpd started

Page 11

If the OTP's are in sync, then you should see the "Trust Established" on the management station, as shown to the right. On the FireWall-1 Module, you will see the following:

C:\Program Files\CheckPoint\CPShared\5.0\bin>cpd -d
[8 Feb 16:38:50] SIC initialization started
[8 Feb 16:38:50] Initialized sic infrastructure
[8 Feb 16:38:50] There is no valid SIC certificate on this machine. Cannot use sslca authentication yet
[8 Feb 16:38:50] Initialized SIC authentication methods
[8 Feb 16:38:50] Waiting for certificate from management ...
[8 Feb 16:38:50] Cpd started
[8 Feb 16:45:46] Got SIC certificate from management
[8 Feb 16:45:46] Wrote SIC certificate to file C:\Program Files\CheckPoint\CPShared\5.0\conf\sic_cert.p12
[8 Feb 16:45:46] Writing SIC data to registry
[8 Feb 16:45:46] The sic name of this machine is: CN=GW1,O=mgmt-p.checkpoint.com.6zqg9w
[8 Feb 16:45:46] The Internal CA DN is: O=mgmt-p.checkpoint.com.6zqg9w
[8 Feb 16:45:46] The management ip address is: 10.1.2.3
[8 Feb 16:45:46] Read the machine's sic name: CN=GW1,O=mgmt-p.checkpoint.com.6zqg9w
[8 Feb 16:45:46] Reloading sslca authentication methods and sic name: CN=GW1,O=mgmt-p.checkpoint.com.6zqg9w
[8 Feb 16:45:46] SIC certificate read successfully
[8 Feb 16:45:46] Initialized SIC authentication methods
[8 Feb 16:45:46] Broadcasting message of SIC certificate arrival to other processes on this machine
[8 Feb 16:45:46] SIC initialization completed
^C

If the FireWall-1 Module already has a certificate, as shown below:

C:\Program Files\CheckPoint\CPShared\5.0\bin>cpd -d
[8 Feb 16:35:12] SIC initialization started
[8 Feb 16:35:12] Read the machine's sic name: CN=mgmt-p,O=mgm-p.checkpoint.com.6zqg9w
[8 Feb 16:35:12] Initialized sic infrastructure
[8 Feb 16:35:12] SIC certificate read successfully    <-- It already has a certificate
[8 Feb 16:35:12] Initialized SIC authentication methods
[8 Feb 16:35:13] Cpd started
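Added here as an example, not part of the original document or of Check Point's tools: a small Python parser that reduces a "cpd -d" transcript like the ones above to a final SIC state and compares the O= part of the module's SIC name with the management station's internal CA name, which is how the "already has a certificate but cannot communicate" case on the next page can be told apart from a healthy module. The sample logs are constructed from the lines shown above; the second CA name ("old-mgmt.example.com.abc123") is hypothetical.

```python
import re
from typing import Optional

# Constructed samples, abridged from the cpd -d output shown in this document.
CPD_LOG_OK = """\
[8 Feb 16:38:50] Waiting for certificate from management ...
[8 Feb 16:45:46] Got SIC certificate from management
[8 Feb 16:45:46] The sic name of this machine is: CN=GW1,O=mgmt-p.checkpoint.com.6zqg9w
[8 Feb 16:45:46] The Internal CA DN is: O=mgmt-p.checkpoint.com.6zqg9w
[8 Feb 16:45:46] SIC initialization completed
"""
# Module already holds a certificate under a hypothetical CA name that is not the
# current management station's: trust cannot be established until the OTP is reset.
CPD_LOG_STALE = """\
[8 Feb 16:35:12] Read the machine's sic name: CN=GW1,O=old-mgmt.example.com.abc123
[8 Feb 16:35:12] SIC certificate read successfully
[8 Feb 16:35:13] Cpd started
"""
# Later markers override earlier ones: waiting -> cert_received -> completed.
MARKERS = [("Waiting for certificate from management", "waiting"),
           ("Got SIC certificate from management", "cert_received"),
           ("SIC certificate read successfully", "has_cert"),
           ("SIC initialization completed", "completed")]
SIC_NAME = re.compile(r"sic name(?: of this machine is)?:\s*(CN=\S+)")
CA_DN = re.compile(r"Internal CA DN is:\s*(O=\S+)")

def parse_cpd_log(text: str) -> dict:
    """Reduce a cpd -d transcript to its final SIC state plus the DNs it printed."""
    st = {"state": "unknown", "sic_name": None, "ca_dn": None}
    for line in text.splitlines():
        for marker, state in MARKERS:
            if marker in line:
                st["state"] = state
        for key, rx in (("sic_name", SIC_NAME), ("ca_dn", CA_DN)):
            m = rx.search(line)
            if m:
                st[key] = m.group(1)
    return st

def issuing_ca(dn: str) -> Optional[str]:
    # The O= component of a SIC DN names the internal CA that issued the certificate.
    m = re.search(r"(?:^|,)O=([^,]+)", dn)
    return m.group(1) if m else None

def diagnose(st: dict, expected_ca: str) -> str:
    """Map the parsed state to the next troubleshooting step from this document."""
    if st["state"] == "completed":
        return "ok: trust established"
    if st["state"] == "waiting":
        return "waiting: initialize the object on the management station with the same OTP"
    if st["state"] == "has_cert":
        ca = issuing_ca(st["sic_name"] or "")
        return "ok: certificate from expected CA" if ca == expected_ca else "stale certificate; reset the OTP"
    return "unknown: check that cpd is running and listening on port 18211"
```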

Page 12

Re-initialize the OTP, so that the Management Station can issue the correct certificate to this FireWall-1 Module. In this particular case, SIC has already been initialized on this module, but it is unable to communicate with the Management Station. You have to reset the OTP in order to get another certificate from the Management Station as shown below. Select "Reset" as shown on the right. The following screen will appear to remind you that the OTP's must be the same on the Management Station object and the FireWall-1 Module.

Select "Yes", and then enter the OTP on the FireWall-1 Module.

Next restart the "CPShared" processes by issuing the "cpstop" and then "cpstart" commands.

Next, try to "initialize" the Object at the Management Station, and you should see the following screen to the right.

