Sunday, February 21, 2016


Today I'll be setting up Check Point R77.30 on UNetLab, the idea being that it will then be much easier to create labs.

Whilst the mixture of UNetLab and Qemu works great for the most part, this one is slightly more tricky, because we need to partly install the GAIA operating system in VirtualBox BEFORE moving it to UNetLab.

We start off by setting up a new VM in VirtualBox with 20 GB disk space, 2048 MB memory and one CPU. I have set it to boot from the ISO disk.

It starts to boot:



We set the management interface:


Then set the IP address information:


Installation continues:


And finishes:


Once it starts to reboot, shut down the VM, and then we can export it to OVA:


Once it has exported, copy the resulting OVA file to the UNetLab machine, preferably to a folder called "cpsg-R77-30" under /opt/unetlab/addons/qemu/, and follow the steps below:
Stuarts-MacBook-Pro:~ stuart$ ssh root@192.168.0.16
root@192.168.0.16's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.16.7-ckt8-unetlab x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Thu Feb 18 10:20:11 2016 from 192.168.0.35
root@unl01:~# cd /opt/unetlab/addons/qemu/cpsg-R77-30/
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# ls
CheckPoint-77-30.ova
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# tar -xf CheckPoint-77-30.ova 
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# ls
CheckPoint-77-30.ova  CheckPoint-77-30.ovf  CheckPoint-disk1.vmdk
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 CheckPoint-disk1.vmdk hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# ls
CheckPoint-77-30.ova  CheckPoint-77-30.ovf  CheckPoint-disk1.vmdk  hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# rm -f CheckPoint-*
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# ls
hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30#
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@unl01:/opt/unetlab/addons/qemu/cpsg-R77-30#
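
The same import, as an added example script of my own (not from the original post or from UNetLab), with the checks I would want before deleting the source VMDK: it reads the disk file name from the OVF descriptor instead of assuming it, refuses folder names that could escape the addons tree, and runs qemu-img check on the converted image first. The paths (/opt/unetlab/addons/qemu, /opt/qemu/bin/qemu-img, unl_wrapper) are those used in the session above; the environment-variable defaults and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from UNetLab): the OVA import
# steps as one checked function. Paths match the session in the post; the
# environment-variable defaults and function names are assumptions.
set -eu

UNL_QEMU_DIR="${UNL_QEMU_DIR:-/opt/unetlab/addons/qemu}"
QEMU_IMG="${QEMU_IMG:-/opt/qemu/bin/qemu-img}"
UNL_WRAPPER="${UNL_WRAPPER:-/opt/unetlab/wrappers/unl_wrapper}"

# An OVA is a tar archive; its .ovf descriptor names each disk image as
# <File ovf:href="..."/>. Print the first such name rather than guessing it.
ova_disk_name() {
    sed -n 's/.*<File[^>]*ovf:href="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Only allow plain folder names: no path separators, no "." or "..", so the
# image cannot be written outside the UNetLab addons tree.
valid_folder_name() {
    case "$1" in
        ""|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Unpack the OVA, convert the VMDK to hda.qcow2, verify, clean up, fix perms.
import_ova() {
    ova="$1"
    folder="$2"
    valid_folder_name "$folder" || { echo "refusing folder name '$folder'" >&2; return 1; }
    dest="$UNL_QEMU_DIR/$folder"
    mkdir -p "$dest"
    tar -xf "$ova" -C "$dest"

    ovf=""
    for f in "$dest"/*.ovf; do ovf="$f"; break; done
    [ -f "$ovf" ] || { echo "no .ovf descriptor inside $ova" >&2; return 1; }

    disk=$(ova_disk_name "$ovf")
    [ -n "$disk" ] && [ -f "$dest/$disk" ] || { echo "disk '$disk' from OVF not found" >&2; return 1; }

    "$QEMU_IMG" convert -f vmdk -O qcow2 "$dest/$disk" "$dest/hda.qcow2"
    # Fail before deleting the source if the converted image is not consistent.
    "$QEMU_IMG" check "$dest/hda.qcow2"
    rm -f "$dest/$disk" "$ovf"
    "$UNL_WRAPPER" -a fixpermissions
    echo "imported $ova to $dest/hda.qcow2"
}

# Usage: sh import_ova.sh /root/CheckPoint-77-30.ova cpsg-R77-30
if [ $# -eq 2 ]; then
    import_ova "$1" "$2"
fi
```

Run it as root on the UNL box with the OVA path and the target folder name; the hda.qcow2 name is what the post uses, so the node template picks it up as the IDE disk.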

Our topology looks like this:


Before we do anything, we should change the IP address (to 10.1.1.111 to follow the CBT Nuggets CCSA videos), which we should be able to do via telnet:


gw-010000> set interface eth0 ipv4-address 10.1.1.111 mask-length 24
gw-010000> 
gw-010000> set interface eth1 state on
gw-010000> 
Now we can press ahead and start configuring the HQ-FW, as we can reach it from the Win box:


We connect using Internet Explorer, and start the configuration wizard:


A quick reboot later and we can log back in:


We grab the SmartConsole download.


Remember to install the MSVCR100 files (the Microsoft Visual C++ 2010 runtime) before installing the SmartConsole software, otherwise it won't work. The problem is that the Windows VM is not connected to the Internet, and does not already have it installed, so we have to download the 32-bit version and copy it to the /tmp folder of the UNL box. We can then create an ISO file:
root@unl01:/opt/unetlab/addons/qemu/linux-lamp# mkisofs -o /opt/unetlab/addons/qemu/win-7-Pro/cdrom.iso /tmp/
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 116
Path table size(bytes): 10
Max brk space used 0
4564 extents written (8 MB)
root@unl01:/opt/unetlab/addons/qemu/linux-lamp#
We then need to stop all the nodes and start them again so that the Windows box picks up the cdrom.iso file. We then just access the CD-ROM drive, install the exe file, and then install the SmartConsole software.
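Added example, mine rather than the post's or UNetLab's: building cdrom.iso from a dedicated staging directory instead of from all of /tmp (mkisofs packages everything in that directory, not just the installer), after checking the installer's SHA-256 against a digest obtained from the vendor's download page. The win-7-Pro path and the unl_wrapper call are the ones used above; the staging directory, the function names and the digest you pass in are assumptions (no digest value is given on this page).

```shell
#!/bin/sh
# Added example (not from the original post): build cdrom.iso for the Windows
# node from a dedicated staging directory, after checking the installer's
# SHA-256. The win-7-Pro path is the one used in the post; STAGE_DIR, the
# function names and the expected digest are assumptions/placeholders.
set -eu

WIN_NODE_DIR="${WIN_NODE_DIR:-/opt/unetlab/addons/qemu/win-7-Pro}"
STAGE_DIR="${STAGE_DIR:-/tmp/cdrom-stage}"
UNL_WRAPPER="${UNL_WRAPPER:-/opt/unetlab/wrappers/unl_wrapper}"

# Print the SHA-256 of a file with whichever tool the box has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest matches the expected hex string
# (case-insensitive, so a digest pasted in upper case still compares).
verify_sha256() {
    actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Stage only the installer, build the ISO, and fix UNetLab file ownership.
build_cdrom_iso() {
    installer="$1"
    expected="$2"
    verify_sha256 "$installer" "$expected" || {
        echo "digest mismatch for $installer, not building ISO" >&2
        return 1
    }
    rm -rf "$STAGE_DIR"
    mkdir -p "$STAGE_DIR"
    cp "$installer" "$STAGE_DIR/"
    # -J adds Joliet names so Windows sees long file names; -r adds Rock Ridge.
    mkisofs -o "$WIN_NODE_DIR/cdrom.iso" -J -r "$STAGE_DIR"
    "$UNL_WRAPPER" -a fixpermissions
}

# Usage: sh build_cdrom_iso.sh /root/<downloaded-installer>.exe <expected-sha256>
if [ $# -eq 2 ]; then
    build_cdrom_iso "$1" "$2"
fi
```

If the digest does not match, nothing is written to the node folder, so a corrupted or tampered download never reaches the Windows VM.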

Setting up the SMS server is pretty similar to all the above steps, but we should find that we cannot access the HQ-FW (by ICMP, or via SmartConsole) because it is a Security Gateway (SG), so we need to manage it through the SMS; for that we'll need the SIC activation key we set up during the SG installation. We can add it by right-clicking on "Check Point" and selecting "Security Gateway/Management":


Looks good:


Tomorrow we'll set up the Branch-FW, and start to look at how to actually make a network.

23 comments:

  1. Dear
    Thanks a lot for the detailed guide for Check Point installation. I wanted to know, are you following the Keith Barker videos for CP? And how good are those?

  2. Secondly, I don't have Linux-Lamp installed under /opt/unetlab/addons/qemu/
    Please help

    Replies
    1. UNetLab does not come with any pre-installed, you'll need to create your own.

  3. Installed it correctly... everything is working... getting console... but unable to get GUI... some IP addressing issue.
    Is your UNL VM's network adapter in NAT or Bridge mode?
    How to connect UNL and Checkpoint so that I can access GUI mode from my local machine...

    Replies
    1. You will need to use a pnet interface, I am running a Windows host within UNetLab

  4. Dear Stuart,
    I am not good at Linux... can you please describe the steps I need to use to create my own linux-lamp?

    Replies
    1. That would be a long post - have a look at Suse Studio, you can create your own servers, and download them as a qcow2 file, ready for putting into UNetLab. Have a look at this post on my other site: http://www.802101.com/2016/03/www-server-for-ccie-security.html

    2. Hello Khixer.

      Did you manage to get CP working?

      Were you able to install the linux-lamp server? Would you mind sharing your method if you did?

      Thanks

  5. Can you please clarify how to install the SMS server... as I followed your guide and unchecked the Security Management from the first-time wizard... now I am not seeing any options from where I can configure SMS....

    Replies
    1. Look on the General Properties of the gateway

  6. Hi Stuart Fordham,

    This is a great post!

    But I am facing some issues for CP and ASAv.
    When I start a node it starts for 5 seconds and then stops immediately.

    Can you please help me with this?

    Replies
    1. Have you looked at the logs?

    2. This is for ASAv -

      I was unable to find the issue from the logs, but I followed the exact same steps as below -

      root@unl01:/opt/unetlab/addons/qemu/asav-941-200#
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# ls
      virtioa.qcow2
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# cd /opt/unetlab/addons/qemu/asav-941-200/
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# modprobe nbd
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# /opt/qemu/bin/qemu-nbd -c /dev/nbd0 virtioa.qcow2
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# mount /dev/nbd0p2 /mnt/hgfs/
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# touch /mnt/hgfs/use_ttyS0
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# umount /mnt/hgfs/
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# /opt/qemu/bin/qemu-nbd -d /dev/nbd0
      /dev/nbd0 disconnected
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200#
      root@unl01:/opt/unetlab/addons/qemu/asav-941-200#

      It starts and then stops immediately and doesn't show any error; can you please advise?

    3. I can't work out what you are trying to do there! What documentation are you following for running the ASAv?

    4. I am following Unetlab -

      http://www.unetlab.com/2015/06/adding-cisco-asav-images/

      and

      http://www.unetlab.com/2014/11/juniper-firefly-perimeter-vsrx/

    5. Weird, I have never had an issue. Try posting in the UnetLab forums, maybe you can get some help there

  7. Unfortunately I am not seeing anything like "checkpoint" or general properties on my Security Gateway :( ... also I'm not able to connect to it via SmartConsole, so as you said I need to add an SMS ... can you please point out where I should look to add the SMS server?

    Replies
    1. Can you post screenshots of your setup/configuration? You can post them in the CCSA forum: http://forum.802101.com/

  8. Hi

    I connected CP (eth1 - 1962.168.10.100/24) to an IOL router (eth0/0 - 192.168.10.1/24) using UNL but they are not able to ping each other; I tried fw unloadlocal on CP. Strange is, when I try this for router to router it works, but when I try this for router to Check Point it doesn't ping at all.

    CheckPoint config ---------

    gw-bf6a55> show interface eth1
    state on
    mac-addr 50:00:00:03:00:00
    type ethernet
    link-state link up
    mtu 1500
    auto-negotiation Not configured
    speed 1000M
    ipv6-autoconfig Not configured
    duplex full
    monitor-mode Not configured
    link-speed 1000M/full
    comments
    ipv4-address 192.168.10.100/24
    ipv6-address Not Configured
    ipv6-local-link-address Not Configured



    Router config ----

    !
    interface Ethernet0/0
    ip address 192.168.10.1 255.255.255.0

    Do you think there is some issue with my UNL?


    Can you please connect me on Skype - rbshreshtha


    Thanks

    Replies
    1. Could be that the default firewall rules on the CP don't allow ping, or that you have added the devices, turned them on, then connected the interfaces. Try shutting everything down and exit the lab, then go back in and turn them all on. If this doesn't work, then it's probably the firewall rules.

      Alternatively try CP->Switch->IOL. Check ARP tables to make sure everything is up...

  9. Hello,

    What exactly is the LAMP server's purpose in this scenario?

    Have you (or anyone else) thoroughly implemented CP in UNL (gateway, management server, and client)?

    Replies
    1. LAMP: Linux, Apache, MySQL, PHP
      CP worked fine for me in UNL
