Check Point: Basic Security Gateway Setup

1. Introduction to Check Point Security Gateway

Check Point Security Gateway is a firewall appliance that protects the network from attackers. It is one part of the Check Point security architecture, which usually consists of:

  • Security Gateway → the firewall that filters traffic
  • Security Management Server → where configuration and policy are created
  • SmartConsole → the GUI used to manage the firewall

The core concept of Check Point is policy-based security: all traffic is controlled by rules created by the administrator.

2. Basic Architecture

In a simple production deployment, the architecture consists of:

  • Internal Network (LAN)
  • External Network (Internet/WAN)
  • Security Gateway (Firewall)

Traffic from the LAN to the Internet must pass through the firewall, so it can be inspected and controlled.

3. Initial Setup (First Time Configuration)

After installing Check Point, the initial setup is usually done through the First Time Wizard:

a. Network Configuration

  • Set IP addresses on the interfaces (LAN & WAN)
  • Set the default gateway
  • Verify connectivity between the networks

b. Hostname & DNS Configuration

  • Set the firewall hostname

  • Set the primary DNS server (and a secondary one if available) so the gateway can resolve domain names

c. Blade Activation (License Required)

Check Point uses the Software Blade concept: modular features such as:

  • Firewall
  • NAT
  • IPS
  • VPN

At minimum, activate:

  • Firewall
  • Security Management

4. Object Concept in Check Point

All configuration is object-based. Examples:

  • Host Object → represents a single IP address
  • Network Object → represents a subnet
  • Group Object → a collection of objects

The goal is a policy that is tidy and easy to manage: when an address changes, you update the object once instead of editing every rule that uses it.

5. Policy Rule (Access Control)

The policy is the core of the Check Point firewall.

Rule structure:

  1. Source → where the traffic comes from
  2. Destination → where the traffic is going
  3. Service → port/protocol (HTTP, HTTPS, etc.)
  4. Action → Accept / Drop / Reject
  5. Track → whether a match is logged (Log or None)

A simple example rule:

  • LAN → Internet → HTTP/HTTPS → Accept

Rule order is critical: Check Point evaluates the rulebase top-down and applies the first rule that matches, so a broad rule placed above a more specific one shadows it. Traffic that matches no rule is dropped by the implicit cleanup rule, which does not log; an explicit Any → Any → Drop cleanup rule with logging at the bottom of the rulebase makes those drops visible.
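To make the top-down, first-match behaviour concrete, here is a small Python model of rulebase evaluation and rule shadowing. It is an added example for this page, not Check Point code; the rule names, the 10.0.0.0/24 LAN and the destination addresses are constructed for illustration.

```python
"""Toy model of Check Point's top-down, first-match rulebase evaluation.

Added example for this page, not Check Point code. Rule fields mirror the
Source / Destination / Service / Action / Track columns; networks are CIDR
strings or ANY, services are "proto/port" strings or ANY.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: object        # CIDR string or ANY
    destination: object   # CIDR string or ANY
    services: object      # tuple of "proto/port" strings, or ANY
    action: str           # "Accept", "Drop" or "Reject"
    log: bool = True      # Track column: log matches or not


def _matches(pattern, address):
    return pattern == ANY or ip_address(address) in ip_network(pattern)


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def _covers_services(outer, inner):
    if outer == ANY:
        return True
    return inner != ANY and set(inner) <= set(outer)


def evaluate(rulebase, src, dst, service):
    """Return (rule name, action) for the first matching rule.

    Traffic that matches no rule hits the implicit cleanup rule, which drops
    without logging; that is why an explicit, logged cleanup rule is recommended.
    """
    for rule in rulebase:
        if (_matches(rule.source, src) and _matches(rule.destination, dst)
                and (rule.services == ANY or service in rule.services)):
            return rule.name, rule.action
    return "Implicit Cleanup", "Drop"


def shadowed_rules(rulebase):
    """Names of rules that can never match because an earlier rule already
    covers their whole source, destination and service scope."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (_covers(earlier.source, rule.source)
                    and _covers(earlier.destination, rule.destination)
                    and _covers_services(earlier.services, rule.services)):
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed sample rulebases (hypothetical addresses).
WEB = ("tcp/80", "tcp/443")
GOOD_RULEBASE = [
    Rule("LAN to Internet Web", "10.0.0.0/24", ANY, WEB, "Accept"),
    Rule("Cleanup", ANY, ANY, ANY, "Drop"),            # explicit, logged
]
BAD_RULEBASE = [
    Rule("Any Any Accept", ANY, ANY, ANY, "Accept", log=False),  # shadows everything below
    Rule("LAN to Internet Web", "10.0.0.0/24", ANY, WEB, "Accept"),
    Rule("Cleanup", ANY, ANY, ANY, "Drop"),
]

if __name__ == "__main__":
    print(evaluate(GOOD_RULEBASE, "10.0.0.5", "142.250.1.1", "tcp/443"))
    print(evaluate(GOOD_RULEBASE, "10.0.0.5", "142.250.1.1", "tcp/22"))
    print("shadowed in BAD_RULEBASE:", shadowed_rules(BAD_RULEBASE))
```

In GOOD_RULEBASE an SSH attempt from the LAN falls through to the explicit Cleanup rule, where it is both dropped and logged; with only the first rule present it would hit the implicit cleanup and vanish silently. In BAD_RULEBASE the Any → Any → Accept rule at the top shadows both later rules, which is exactly why best practice 2 below says to avoid it.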

6. NAT (Network Address Translation)

Used to translate private IP addresses to public addresses (and the replies back again).

NAT types:

  • Hide NAT → many private IPs hidden behind one public IP (many-to-one)
  • Static NAT → one-to-one mapping between a private and a public IP

Examples:

  • LAN clients accessing the Internet → Hide NAT
  • Internal server accessed from outside → Static NAT
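The difference between the two NAT types, as an added Python model that is not part of the original page or of Check Point: the addresses (10.0.0.0/24 inside, 203.0.113.0/24 as the public side) are hypothetical. It shows that Hide NAT only creates translation state for connections opened from the inside, while Static NAT translates in both directions, which is why a server that must be reached from outside needs it.

```python
"""Toy model of Hide NAT versus Static NAT.

Added example for this page, not Check Point code; addresses are hypothetical
(203.0.113.0/24 is documentation address space).
"""
from itertools import count


class HideNAT:
    """Many private addresses share one public address. A translation entry
    exists only for connections opened from the inside, so an unsolicited
    inbound connection has nothing to translate to and is dropped."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self._table = {}  # (public_ip, public_port) -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        public_port = next(self._next_port)
        self._table[(self.public_ip, public_port)] = (src_ip, src_port)
        return self.public_ip, public_port

    def inbound(self, dst_ip, dst_port):
        return self._table.get((dst_ip, dst_port))  # None: no entry, drop


class StaticNAT:
    """One-to-one mapping: every port on the public address maps to the same
    port on the private address, in both directions."""

    def __init__(self, private_ip, public_ip):
        self.private_ip = private_ip
        self.public_ip = public_ip

    def outbound(self, src_ip, src_port):
        if src_ip == self.private_ip:
            return self.public_ip, src_port
        return None

    def inbound(self, dst_ip, dst_port):
        if dst_ip == self.public_ip:
            return self.private_ip, dst_port
        return None


def demo():
    """Return the translations a practitioner would check for each NAT type."""
    lan = HideNAT("203.0.113.10")            # LAN clients hidden behind one IP
    web = StaticNAT("10.0.0.80", "203.0.113.80")  # internal web server, 1:1

    client_a = lan.outbound("10.0.0.5", 51000)  # two clients using the same
    client_b = lan.outbound("10.0.0.6", 51000)  # source port get distinct public ports
    reply_a = lan.inbound(*client_a)            # reply is mapped back to 10.0.0.5
    unsolicited = lan.inbound("203.0.113.10", 443)  # nobody opened this: None

    return {
        "client_a": client_a,
        "client_b": client_b,
        "reply_a": reply_a,
        "unsolicited_to_hide_ip": unsolicited,
        "inbound_to_static_ip": web.inbound("203.0.113.80", 443),
        "server_outbound": web.outbound("10.0.0.80", 443),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keep in mind that a NAT rule only translates addresses; the access policy still has to accept the connection, so Static NAT for a server must be paired with a rule that allows the published service and nothing more.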

7. Install Policy

After creating the rules:

  1. Click Install Policy
  2. Select the target gateway(s)
  3. The policy is pushed to the firewall

Until the policy is installed, the rules are not active on the gateway. In R80 and later SmartConsole, changes must also be published to the management database; Install Policy prompts to publish any unpublished changes first.

8. Monitoring & Logging

Check Point provides detailed logging:

 Logs & Monitor view in SmartConsole

 It shows:

  • Traffic that was allowed / dropped
  • Source & destination
  • Service used

This is essential for troubleshooting and security analysis. Note that only rules whose Track column is set to Log produce entries, so a connection missing from the logs may have been dropped by an unlogged rule rather than never having reached the firewall.
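A small Python example of the kind of analysis done on the Logs & Monitor data: counting accepts and drops, attributing drops to the rule that caused them, and flagging a source whose dropped connections hit many different ports. This is an added example, not page or Check Point code; the records are constructed in a generic key=value form and do not reproduce the exact field names of any Check Point export format, so adapt parse_line() to the fields your log export actually emits.

```python
"""Summarise firewall log records the way you would when reviewing Logs & Monitor.

Added example for this page, not Check Point code. SAMPLE_LOGS is constructed
in a generic key=value form; real field names depend on the export format.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOGS = """\
time=2024-05-01T10:00:01 action=Accept src=10.0.0.5 dst=142.250.1.1 proto=tcp service=443 rule_name="LAN to Internet Web"
time=2024-05-01T10:00:02 action=Accept src=10.0.0.5 dst=142.250.1.1 proto=tcp service=80 rule_name="LAN to Internet Web"
time=2024-05-01T10:00:03 action=Drop src=10.0.0.5 dst=142.250.1.1 proto=tcp service=22 rule_name="Cleanup"
time=2024-05-01T10:00:04 action=Drop src=10.0.0.9 dst=203.0.113.7 proto=tcp service=21 rule_name="Cleanup"
time=2024-05-01T10:00:04 action=Drop src=10.0.0.9 dst=203.0.113.7 proto=tcp service=23 rule_name="Cleanup"
time=2024-05-01T10:00:05 action=Drop src=10.0.0.9 dst=203.0.113.7 proto=tcp service=3389 rule_name="Cleanup"
time=2024-05-01T10:00:05 action=Drop src=10.0.0.9 dst=203.0.113.8 proto=tcp service=445 rule_name="Cleanup"
time=2024-05-01T10:00:06 action=Accept src=10.0.0.6 dst=1.1.1.1 proto=tcp service=443 rule_name="LAN to Internet Web"
"""

# key=value, where the value is either "quoted, may contain spaces" or a bare token
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value record into a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in _FIELD.findall(line)}


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def count_by_action(records):
    return dict(Counter(r["action"] for r in records))


def drops_by_rule(records):
    """Which rule is doing the dropping; a busy Cleanup rule means traffic
    nobody wrote a rule for, which is worth a look either way."""
    return dict(Counter(r["rule_name"] for r in records if r["action"] == "Drop"))


def scanning_sources(records, min_ports=3):
    """Sources whose dropped connections touched at least `min_ports` distinct
    destination ports: a cheap indicator of a host probing through the firewall."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "Drop":
            ports[r["src"]].add(int(r["service"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    print(count_by_action(records))
    print(drops_by_rule(records))
    print(scanning_sources(records))
```

On the constructed data, 10.0.0.5 generates one drop (an SSH attempt outside the allowed web services), while 10.0.0.9 is dropped on four different ports across two destinations and is flagged; that host deserves a closer look regardless of what the policy allowed.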

9. Best Practice Dasar

Some recommended practices:

  1. Apply the principle of least privilege (allow only what is needed)
  2. Avoid "Any → Any → Accept" rules
  3. Always enable logging on important rules
  4. Use objects, not raw IP addresses, in rules
  5. Back up the configuration regularly

10. Kesimpulan

Check Point Security Gateway is a powerful enterprise firewall solution built on an object- and policy-based approach. By understanding basic concepts such as:

  • Network & Interface
  • Object
  • Policy Rule
  • NAT
  • Logging


Topology


1. Pre-Setup

User: admin

Password: admin123

This system is for authorized use only.

login: admin

Password:

In order to configure your system, please access the Web UI and finish the First Time Wizard.

gw-000100> set hostname CP-LAB

CP-LAB> set interface eth0 ipv4-address 172.23.0.95 mask-length 20

CP-LAB> set static-route default nexthop gateway address 172.23.0.1 on

CP-LAB> set dns primary 8.8.8.8

CP-LAB> ping google.com

PING google.com (74.125.24.101) 56(84) bytes of data.

64 bytes from sf-in-f101.1e100.net (74.125.24.101): icmp_seq=1 ttl=104 time=16.6 ms

64 bytes from sf-in-f101.1e100.net (74.125.24.101): icmp_seq=2 ttl=104 time=16.8 ms

--- google.com ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1000ms

rtt min/avg/max/mdev = 16.666/16.767/16.869/0.164 ms

CP-LAB>

Note: in Gaia clish, settings take effect immediately but are not kept across a reboot until you run save config.

2. Setup Wizard

  • Open https://172.23.0.95 in a browser and click Next.

  • Choose Continue with R81.10 configuration and click Next.

  • Leave the defaults and click Next.

  • Configure a new segment on interface eth1, the interface connected to the PC-1 network.

  • Leave the defaults and click Next.

  • Set the NTP server and your local time zone.

  • Choose Security Gateway and/or Security Management.

  • Tick both Security Gateway and Security Management (a standalone deployment, with both roles on one appliance).

  • Leave the defaults.

  • Leave the defaults.

  • Click Finish.

  • When asked to continue with the installation, click Yes.
                    # after the wizard finishes, the appliance reboots.
  • Log in to Check Point again.
  • Gaia Portal (WebUI) of the Check Point Security Gateway.

3. Access Security Management in SmartConsole.

  • User/Pass: admin/admin123
                  # it may take 15 minutes or more for all Check Point services to come up.
  • Security Management dashboard in SmartConsole.

4. Create a policy to allow the PC-1 network to reach the Internet.
  • Verify connectivity from PC-1 before creating the policy.

  • Create a new network object for the PC-1 segment.

  • Enable Automatic NAT on the object (Hide behind the gateway).
  • Create the rule as shown below, then click Install Policy to push the policy to the gateway.

  • Click Install.

  • Verify that PC-1 can reach the Internet after the policy is installed.

  • Check the logs in Logs & Monitor; the allowed connections should appear with the rule name.



Thank you all.