In this tutorial we will look at creating a simple rule base from a fresh install of Check Point R77. We will create a basic rule that allows the internal network access to all services outbound and also enable NAT to hide it behind the external IP address of the firewall. Following this rule we will create another rule that will PAT remote desktop (TCP 3389) from the external interface IP to my Windows 2008 server called server2k8.
The lab is set up as follows:
Creating NAT and PAT Rules with Check Point R77
1. Open up the Check Point SmartDashboard and login to your firewall management station.
2. First up we’ll be creating a network object that will represent the internal network subnet. Right click on the Network Folder and select Network.
3. Type in a Name, the network address and subnet mask. For object colours I like to use red for external, green for internal and orange for DMZ. If you expand the colours and click Manage you can add in red and green.
4. Add in red and green.
5. For my internal LAN I’ve selected green.
6. Now we’ll click on the NAT tab and tick the Add Automatic Address Translation rules, select Hide, and select Hide behind Gateway. This will hide the internal network subnet behind the external interface of the gateway. If you are using a DMZ interface, it will also NAT behind the DMZ interface.
7. Now that we’ve created an object, let’s create a few rules. Click on the Rules menu and select Add Rule.
8. Under the source column where it says Any, right click and select Network Object. As you can see we can also add a User or other objects as the source.
9. Select Internal-LAN as our source.
10. Under the Action column, right click and select Accept.
11. Under the Track column select Log so we can see the traffic passing through.
12. Right click under the Comment column and select Edit. You can type any comment you like to help remember what the rule is for.
13. Now add another rule, which must always be at the bottom. This rule will drop any packet that does not match an earlier rule and also log it. Check Point rules are always processed from top to bottom, and the first matching rule wins.
14. To help organise our Check Point Rule Base a little better we can add in section titles. Right click on the rule where you would like to add a section title above and select Add Section title – Above.
15. As you can see I’ve added two section titles to my Check Point Rule Base, which makes it much easier to organise rules.
16. If we click on the NAT tab we can see that the NAT we added earlier in step 6 has been automatically added to the NAT rule base for Internal-LAN.
17. Let’s add an object for a single server. Right click on Nodes and select Node – Host.
18. Enter the Name, IP address and an optional comment. I’ve selected the green colour for internal objects. Click OK.
19. I’ll create another object that will represent the PAT’d IP address that I’ll be using to remote desktop from the internet to my internal host.
20. Now let’s create a PAT rule. Under the NAT tab click on the Rules menu and add a new rule at the top.
21. Let’s add a destination of External-192-168-1-2 and service Remote_Desktop under the Original Packet column. Under the Translated Packet column let’s add server2k8 for the destination and Remote_Desktop for the service. So any IP that tries to use Remote Desktop to 192.168.1.2 will get translated to our internal host server2k8 (192.168.10.10) on Remote_Desktop 3389.
22. After creating the PAT rule we now need to create the firewall rule. Click on the firewall tab, add a new section title of External-Internal and make the destination External-192-168-1-2, service Remote_Desktop, Action Accept, and Track Log.
23. Click on the box that says Verify Policies. Your Check Point Rule Base will be checked for any errors or misconfiguration before applying.
24. Click OK.
25. Click Save and continue.
26. Click OK.
27. Policy Verification is OK. Click OK.
28. Now it’s time to Install our policy. Click Install Policy.
29. Click OK.
30. The policy was installed successfully. Click Close.
31. Click on the Window menu and select SmartView Tracker.
32. The Check Point SmartView Tracker is where all the logging happens. To demonstrate accessing a webpage from my server2k8 server I simply browsed to www.google.com.au which produced the following logs.
33. You can double click on a log entry and display more information.
34. Now let’s try our remote desktop rule. I will remote desktop from a PC out on the internet to 192.168.1.2.
35. As you can see in the log the packet is allowed and I can connect via remote desktop to the server.
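As an added illustration (not code from the original tutorial or from Check Point), the following Python models the two rule bases built above: security rules are matched top to bottom on the original, pre-NAT packet (which is why the firewall rule in step 22 matches External-192-168-1-2, not server2k8), and only then are the manual static PAT rule and the automatic hide rule applied. The Internal-LAN subnet (192.168.10.0/24) and the sample internet addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values from the tutorial; the /24 for Internal-LAN is an assumption
INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")
GATEWAY_EXT = "192.168.1.2"   # External-192-168-1-2 object
SERVER2K8 = "192.168.10.10"   # server2k8 object
RDP = 3389                    # Remote_Desktop service


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip):
    return ipaddress.ip_address(ip) in INTERNAL_LAN


# Security rule base in the order built above: first match wins, cleanup rule last (step 13)
SECURITY_RULES = [
    ("External-Internal RDP", lambda p: p.dst == GATEWAY_EXT and p.dport == RDP, "accept"),
    ("Internal-LAN outbound", lambda p: in_lan(p.src), "accept"),
    ("Cleanup", lambda p: True, "drop"),
]


def match_security(pkt):
    for name, cond, action in SECURITY_RULES:
        if cond(pkt):
            return name, action
    raise AssertionError("the cleanup rule guarantees a match")


def translate(pkt):
    """NAT rule base: manual static PAT at the top (step 20), automatic hide rule below (step 6)."""
    if pkt.dst == GATEWAY_EXT and pkt.dport == RDP:
        return Packet(pkt.src, SERVER2K8, pkt.dport), "static"
    if in_lan(pkt.src) and not in_lan(pkt.dst):
        # Hide NAT rewrites the source address (and, on the real gateway, the source port)
        return Packet(GATEWAY_EXT, pkt.dst, pkt.dport), "hide"
    return pkt, None


def process(pkt):
    """Match the security policy on the original packet first, then apply NAT to accepted traffic."""
    name, action = match_security(pkt)
    if action != "accept":
        return {"rule": name, "action": action, "nat": None, "packet": pkt}
    translated, nat = translate(pkt)
    return {"rule": name, "action": action, "nat": nat, "packet": translated}
```

Running an internet host's RDP attempt to 192.168.1.2 through `process` shows it accepted by the External-Internal rule and rewritten to 192.168.10.10, while any other inbound service falls through to the cleanup drop.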