CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello all! I have just taken over as the admin for a small company and they have an IP350. I have basic knowledge of Linux and of how firewalls work. I was able to get RPC over HTTP/S to work by editing/adding services, but I can't find simple things. It looks like the VPN user accounts DON'T use AD; LDAP is not set up in Check Point. But I can't find how to change passwords. I can edit VPN users' accounts, but I don't see where to change passwords. Also, I thought I could access the GUI client in SmartDashboard. I don't think I'm anywhere near ready for the CLI... I want to add my workstation to the list of workstations that can access the router through SmartDashboard. My biggest issue is getting RDP to go from the inside out, and a Cisco VPN client to work from the inside out. LAN to ANY?? I have an existing firewall that I am trying to edit. I don't want to cause any issues with existing services running through the firewall. Please point me in the right direction! Any good books with "how-to's" for Nokias running Check Point?? Thanks! Mat 951 905 2160
| |||
Read the Check Point documentation; it will save you a lot of headaches since you are quite new at it. To your questions:

1) Users can be authenticated in many different ways: passwords, SecurID, RADIUS, LDAP, certificates, etc. To use user auth with AD an extra license is needed. First determine what kind of authentication your users use. Edit a user via SmartDashboard and check the type of auth. Under the Authentication tab check what's chosen. Most likely "Undefined", since you don't mention any special type of auth. To change the password for that user, go to the Encryption tab and choose Edit on IKE. Change the pre-shared secret / password.

2) To give your workstation access to use SmartDashboard, log on to the gateway (the Nokia) via SSH and type cpconfig. In the menu you can choose Administrators, add new or change them, and also set which IPs / subnets you can reach them from.

3) To add rules and objects you use SmartDashboard. You will have to set up some kind of NAT for your local network/workstation (hide NAT) and allow RDP in the security policy.
| |||
Thanks! That was a big help already! What do you think about how or why all traffic out is being blocked? Meaning I can't RDP, VNC or use a Cisco VPN client from my node to the outside world. I have not been able to find where destination ports would be blocked. I am used to seeing rule sets/access lists like "port 80, public IP 64.XXX.XXX.XXX NAT'd to 172.16.1.XXX" for incoming traffic and "Any Any" outgoing. I must be overlooking something. Thanks again!!
| |||
You don't do rules like access lists, with different access lists on different interfaces. Instead, you have one set of rules that applies to all interfaces, regardless of direction. If you want specific outbound rules, configure them something like this:

<my internal IP> -> <destination> -> <services> ACCEPT

Outgoing ANY ANY rules are generally considered very poor form, and I would advise against configuring your rulebase that way. Restricting outbound traffic will help you identify, amongst other things, worm-infected systems.
| |||
abusharif probably nailed it with his/her NAT comment. Somewhere you should have a NAT setting. For instance, if you have a network object for your LAN, check its NAT tab and see if you have it checked and set to "hide" behind the gateway. This is similar to Cisco's PAT functionality. You can run a Cisco VPN client from behind FW-1 without needing a static IP address or static NAT. Or look at the NAT tab of the security policy and see if anything there looks like it would be handling this for you. Also note that the pre-defined service named "RDP" is NOT Remote Desktop Protocol. It's a Check Point protocol with which remote access clients can probe the gateway to figure out which interfaces they can reach. I create a new TCP protocol named Terminal_Services for TCP 3389 for Microsoft RDP. Note that when you make changes, you must push the policy for them to take effect. At this stage of your learning, you absolutely want to make sure you create database revisions when pushing a policy. Ray
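The three replies above describe the same model from different angles: one ordered rulebase that applies to every interface (first match wins, the rest is dropped), hide NAT on the LAN object so inside hosts can reach the outside, and an explicit outbound rule for Microsoft RDP on TCP 3389 rather than the predefined "RDP" service or an ANY ANY rule. The following is an added example written for this page, not code from the thread, its posters or Check Point. It is a small first-match evaluator that reproduces that behaviour on constructed packets. The object names (LAN_Net, Admin_WS, Terminal_Services), the addresses and the external gateway IP are all assumptions; the only Check Point fact it encodes is that the predefined "RDP" service is UDP 259, not TCP 3389.

```python
# Added example, not code from the CPUG thread or from Check Point. It models the
# matching behaviour the replies describe: a single ordered rulebase applied to
# every interface, first match wins, and anything that reaches the end is dropped
# by the cleanup rule. It also shows why a rule built on the predefined "RDP"
# service never matches Microsoft Remote Desktop. All object names, addresses and
# the Terminal_Services service are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

# Service objects as (protocol, destination port). "RDP" mirrors Check Point's
# predefined RDP service, UDP 259 (its own probing protocol), not TCP 3389.
SERVICES = {
    "RDP": ("udp", 259),
    "Terminal_Services": ("tcp", 3389),  # user-defined service for Microsoft RDP (assumed name)
    "http": ("tcp", 80),
    "https": ("tcp", 443),
}

# Network objects with constructed addresses.
NETWORKS = {
    "LAN_Net": ip_network("172.16.1.0/24"),
    "Admin_WS": ip_network("172.16.1.50/32"),
}
GATEWAY_EXTERNAL_IP = "198.51.100.1"  # LAN_Net is hidden behind this address (assumed)


@dataclass
class Rule:
    src: str
    dst: str
    services: list
    action: str


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(obj, addr):
    return obj == ANY or ip_address(addr) in NETWORKS[obj]


def _service_matches(services, pkt):
    return ANY in services or any(SERVICES[s] == (pkt.proto, pkt.dport) for s in services)


def match(rulebase, pkt):
    """Walk the rulebase top down; return (rule_number, action).
    Rule number 0 means nothing matched and the implicit cleanup rule dropped it."""
    for num, rule in enumerate(rulebase, start=1):
        if (_addr_matches(rule.src, pkt.src)
                and _addr_matches(rule.dst, pkt.dst)
                and _service_matches(rule.services, pkt)):
            return num, rule.action
    return 0, "drop"


def hide_nat(pkt):
    """Hide NAT on the LAN_Net object: traffic leaving the LAN appears as the gateway."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in NETWORKS["LAN_Net"] and dst not in NETWORKS["LAN_Net"]:
        return GATEWAY_EXTERNAL_IP
    return pkt.src


def inspect(rulebase, pkt):
    """Security policy is matched first, then NAT; only accepted packets get translated."""
    num, action = match(rulebase, pkt)
    nat_src = hide_nat(pkt) if action == "accept" else None
    return {"rule": num, "action": action, "nat_src": nat_src}


# How the rule might first be written, using the predefined "RDP" service.
WRONG_RULEBASE = [
    Rule("Admin_WS", ANY, ["RDP"], "accept"),
    Rule("LAN_Net", ANY, ["http", "https"], "accept"),
]

# Corrected: an explicit outbound rule for Microsoft RDP on TCP 3389,
# limited to the admin workstation rather than an outgoing ANY ANY rule.
FIXED_RULEBASE = [
    Rule("Admin_WS", ANY, ["Terminal_Services"], "accept"),
    Rule("LAN_Net", ANY, ["http", "https"], "accept"),
]

# The "poor form" alternative: everything from the LAN is let out.
OPEN_RULEBASE = [Rule("LAN_Net", ANY, [ANY], "accept")]


def run_examples():
    """Remote Desktop from inside hosts to an outside host (constructed packets)."""
    rdp = Packet("172.16.1.50", "203.0.113.10", "tcp", 3389)
    other_host_rdp = Packet("172.16.1.60", "203.0.113.10", "tcp", 3389)
    return {
        "wrong_rdp": inspect(WRONG_RULEBASE, rdp),
        "fixed_rdp": inspect(FIXED_RULEBASE, rdp),
        "fixed_other_host": inspect(FIXED_RULEBASE, other_host_rdp),
        "open_any": inspect(OPEN_RULEBASE, other_host_rdp),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

With the predefined "RDP" service in the rule, the TCP 3389 connection falls through both rules and is dropped by the cleanup rule, which is exactly the "all traffic out is blocked" symptom from the question; with the Terminal_Services rule it is accepted and leaves hidden behind the gateway address, while a second LAN host that is not in the rule's source is still dropped. The open rulebase accepts that same host, which is why the earlier reply calls outgoing ANY ANY poor form. In a real policy the cleanup drop should be an explicit last rule with logging turned on, so that a dropped outbound connection shows up in the log instead of simply vanishing.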
| |||
Okay, I have made the changes and clicked Save... I just now noticed that on the File menu I see "Installed Policies". Am I not pushing my changes correctly? The installed policies don't match in my view. Thanks! I will be buying a book today!
| |||
Ahhh, now you're into one of the CP "features." The only easy way to back up your current policy is to do so before you change it. The SmartCenter actually turns the policy into compiled code and pushes that to the enforcement module. There is no real way to see what is actually installed on an enforcement module, because it would have to be decompiled first. When you go to push a policy, check the box about creating a database revision. That's a bit of a misnomer, because it really backs up everything needed to do a restore. What the database revision "backup" does is make a copy of your current policy, the one you're seconds from pushing. As long as you get into the habit of doing this, you'll have several copies of earlier policies. "Saving" saves it on the SmartCenter but does not install it. Ray