Security Administration Lab Setup Guide: Education Services
Security Administration Lab Setup Guide: Education Services
Security Administration Lab Setup Guide: Education Services
Education Services
Security Administration
Lab Setup Guide
EDUCATION SERVICES
March 3, 2017
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
Follow the steps below to configure the virtual machines needed for the students to perform all Security
Administration labs. ATCs may use whatever virtualization software they choose, but Check Point assumes
most Virtual Machines will be created in either a VMware Workstation or an ESX environment. Our tests
were all performed on VMware Workstation 12.
LDAP Information
Configure the virtual machines on the Alpha Internal network to be in the alpha.cp domain. All users
should log into the domain and not the local virtual machine.
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
Lab Topology
Configure each student machine with the following virtual environment:
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
All network settings described below are suggestions. You may use LAN segments or vmnets at your
discretion. The only requirement is that eth3 interfaces be configured for Internet access.
A-GUI
Use the information below to configure the Alpha GUI Client virtual machine:
Use the following information to configure the interface for this virtual machine:
IP Address: 10.1.1.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
Network: Management (LAN 1)
1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
A-SMS
Use the information below to configure the Alpha Security Management Server virtual machine:
Use the following information to configure the interface this virtual machine:
IP Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
Network: Management (LAN 1)
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
A-GW-01
Use the information below to configure the first Security Gateway virtual machine:
Use the following information to configure the interfaces for the first Security Gateway virtual machine:
A-GW-02
Use the information below to configure the second Security Gateway virtual machine:
Use the following information to configure the interfaces for the second Security Gateway virtual machine:
A-Host
Use the information below to configure a protected host virtual machine:
Name: A-Host
OS: Windows Client
Hard Drive: 40GB
RAM: 2GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.11.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)
1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
Note: The Mail server is not currently used in the CCSA class but will be used in other courses and may
be used in the CCSA at a later date.
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
A-LDAP
Use the information below to configure the Alpha LDAP server virtual machine:
Name: A-LDAP
OS: Windows Sever
Hard Drive: 40GB
RAM: 2GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.11.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)
4. The following are the required users. Each should be configured with Chkp!234 as their password.
User1
User2
User3
User4
Guest
7. Install and configure the NTP server for the Alpha site.
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
A-DMZ
Use the information below to configure the FTP, SMTP, and Web Server virtual machine:
Name: A-DMZ
OS: Windows Server
Hard Drive: 40GB
RAM: 2GB
Use the following information to configure the interface for the FTP, SMTP, and Web Server virtual
machine:
IP Address: 192.168.12.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.12.1
Interface: eth0
Network: DMZ (LAN 12)
Note: The Mail server is not currently used in the CCSA class but will be used in other courses and may
be used in the CCSA at a later date.
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
A-Guest
Use the information below to configure the guest tablet virtual machine:
Name: A-Guest
OS: Windows 10 in Mobile Mode/Android Tablet
Hard Drive: 20GB
RAM: 1GB
Use the following information to configure the interface for the guest tablet virtual machine:
IP Address: 192.168.13.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.13.1
Interface: eth0
Network: WiFi (LAN 13)
Bravo Host
Use the information below to configure the B-Host virtual machine:
Name: B-Host
OS: Windows Client
Hard Drive: 20GB
RAM: 1GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.21.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.21.1
Interface: eth0
Network: Bravo Internal (LAN 21)
1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.
Use the following information to configure the interfaces for the Bravo Security Gateway virtual machine:
Note: The eth0 and eth2 interfaces for B-GW are not used at the beginning of this class but should be
configured so that the eth1 connects to the internal network and the eth3 interfaces connects to the external
network. The other two interfaces should not be connected or powered on until they are needed.
Router
The router may be either a specific virtual machine or you may use the virtualization softwares router
function. In our testing, we use VMwares Network Editor to configure a NAT address on the
203.0.113.0/24 network that NATs guest VM traffic out through the host machines physical address.
All external interfaces of gateways in the topology should all point to 203.0.113.254 as their default gateway.
Network routes for all internal networks should be placed on both the Alpha and Bravo gateways. This will
allow traffic between the two sites but also traffic to exit the environment and reach the Internet.
S E C U R I T Y A D M I N I S T R A T I O N - L A B S E T U P P R O C E D U R E S
The following objects are required to be pre-configured in the Alpha Security Policy:
A-GUI
A-SMS
A-GW-Cluster
A-LDAP
A-INT-NET
A-MGMT-NET
A-DMZ-NET
The cluster virtual IPs for the gateway should be the .1 addresses, whereas the individual gateway interfaces
are configured as .2 or .3. For example, the management interface for Alpha should have a VIP of 10.1.1.1
and the individual member interfaces should be configured as 10.1.1.2 on A-GW-01 and 10.1.1.3 on
A-GW-02.
Use the 203.0.113.1 IP address for the main IP of the Cluster Object. When defining the cluster members,
they should be defined with their 10.1.1.0 addresses (the same two addresses listed in the paragraph above).
Add network routes on the gateways to all internal networks for both sites Alpha and Bravo.