LiquidLAN

Checkpoint, Nokia and a DHCP Server

Scope

Since IPSO 3.5, the Nokia platform has been able to accept DHCP-allocated addresses. This Technote explains how to configure them and then how to use them with Checkpoint Firewall-1.

This document has been produced following a review of IPSO 3.6 FCS and Checkpoint Firewall-1 NG FP3.


Solution - Nokia

By default the Nokia IP range will only accept a DHCP allocation with a lease time of at least a year. This minimum can be reduced using the following steps:

  • remount / read/write: mount -uw /
  • edit /etc/dhcpv4c-scripts: vi /etc/dhcpv4c-scripts
  • change the line that begins MIN_LEASE so that it either reads MIN_LEASE=-1, to disable the minimum-lease check, or states the shortest lease you are willing to accept (NOTE: this value is in seconds)
  • remount / read-only: mount -o ro /

Once this file has been edited to reflect the lease times offered by your DHCP server, the following command forces the Nokia appliance to request an IP address for a specific interface:

dhcpv4c <interface>

To ensure that a DHCP address is requested on each boot, edit /var/etc/rc.local and add the following

Note: in this case eth-s1p1c0 is the interface expecting to receive a DHCP-allocated address, liquidlink is the name of the firewall, and it is assumed that the allocated IP address remains unchanged.

  • dhcpv4c eth-s1p1c0
  • /bin/dbset active:hostname liquidlink
  • /bin/dbset :save
  • /bin/hostname liquidlink
  • echo liquidlink > /var/etc/nodename

Since the DHCP script also changes the Hostname, the additional lines are required to reset the hostname to its original value.
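An /var/etc/rc.local fragment, added here as an example (not LiquidLAN's or Nokia's code), that issues the same commands but waits until the interface actually holds an address before putting the hostname back, and sets the hostname from a single variable so the database entry and the running hostname cannot disagree. The interface name, hostname, wait time, BSD-style ifconfig layout and the sample ifconfig output are assumptions for this example:

```shell
# rc.local fragment: request the lease, wait for an address, restore the hostname.
# Names, timeout and the ifconfig layout are assumptions, not values from the Technote.

DHCP_IFACE="eth-s1p1c0"     # interface that takes the DHCP lease (assumed)
FW_HOSTNAME="liquidlink"    # hostname the dhcpv4c script overwrites (assumed)
WAIT_SECS=30                # seconds to wait for a lease before giving up

# iface_inet_addr IFACE (ifconfig output on stdin): prints the first IPv4
# address in IFACE's block, or nothing. Assumes BSD-style layout: "IFACE:"
# starts a block at column one, continuation lines are indented.
iface_inet_addr() {
    awk -v want="$1" '
        /^[^ \t]/ { inblock = (index($0, want ":") == 1) }
        inblock && $1 == "inet" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
                    sub(/\/.*/, "", $i); print $i; exit
                }
        }'
}

# restore_hostname NAME: the Technote's commands, driven from one variable so
# the configuration database and the running hostname cannot drift apart.
restore_hostname() {
    /bin/dbset active:hostname "$1" &&
    /bin/dbset :save &&
    /bin/hostname "$1" &&
    echo "$1" > /var/etc/nodename
}

# Constructed ifconfig output, used only to exercise the parser offline.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
eth-s1p1c0: flags=8843<UP,BROADCAST,RUNNING> mtu 1500
    inet6 fe80::1%eth-s1p1c0 prefixlen 64
    inet 192.0.2.17/24 broadcast 192.0.2.255
eth-s2p1c0: flags=8802<BROADCAST,SIMPLEX> mtu 1500'
boot_sequence() {
    dhcpv4c "$DHCP_IFACE"
    n=0
    while [ -z "$(ifconfig "$DHCP_IFACE" | iface_inet_addr "$DHCP_IFACE")" ]; do
        n=$((n + 1))
        [ "$n" -ge "$WAIT_SECS" ] && { logger -t rc.local "no lease on $DHCP_IFACE"; break; }
        sleep 1
    done
    restore_hostname "$FW_HOSTNAME"   # the dhcpv4c script has already changed it
}

case "$0" in */rc.local) boot_sequence ;; esac   # only run the appliance commands as rc.local
```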


Solution - Checkpoint

There are a few more restrictions on the CheckPoint side of things:

  • This solution doesn't appear to work if the Enterprise Management and Enforcement Modules have been installed on the same system.
  • The Dynamic address has to be on the external interface.
  • The functionality of the Enforcement Module is reduced when it is a dynamically addressed object. For example, the object cannot perform authentication and cannot terminate a VPN tunnel.

Configuring the Firewall object is simple enough: create a Check Point > Gateway in the same way as for any other Enforcement Module, except that instead of configuring the primary IP address you check the Dynamic Address button and proceed to the Communication screen. The Communication screen will now give you the option to enter the IP address that the Enforcement Module is currently using; by completing this option along with the Activation Key, the Enterprise Management Module is able to create a SIC link.

Once the SIC link has been established, all that remains to complete the creation of the object is to define the Topology, remembering to define the dynamic interface.

Rules are created in the same way as with a statically addressed module, except that there is no way to identify the Enforcement Module in the rulebase; therefore there isn't a way to create a stealth rule. Reading the "help" seems to indicate that Dynamic Objects can be used to identify the Enforcement Module, but every time I have tried to use them, I've had a complete loss of connectivity to the Module.

