Browse All Articles > Check Point VM Lab setup using VMware Workstations
1. Disclaimer
This article assumes basic to intermediate networking knowledge and good familiarity with CheckPoint products using VMware "VM". Both the CheckPoint firewall and management server are using GAiA R75.45. For the purpose of this article I will assume that the following is already in place, up and running:
1) A CheckPoint Firewall VM was created under VMware Worstation
2) A CheckPoint management server was also created under VMware Workstation
3) A Windows host "Windows 7" has been created under VMware Workstation
4) The Smart Console (SmartDashBoard) was installed on the Windows 7 VM in step 3, and that it can connect to the management server
Note: All network settings (VM and OS-based network settings) will not matter for now as they will all be changed later in the article
2) A CheckPoint management server was also created under VMware Workstation
3) A Windows host "Windows 7" has been created under VMware Workstation
4) The Smart Console (SmartDashBoard) was installed on the Windows 7 VM in step 3, and that it can connect to the management server
2. Introduction
There are different methods to setup a CheckPoint lab which will consist of a firewall, management server, and an X number of hosts using VMware WorkstationsA) The first method is to setup the firewall with 2 virtual network interfaces: The first "internal" virtual interface (i.e eth0) for our private internal network, for example 10.1.1.0 /24. The second "external" virtual interface (i.e eth1) would use a VM "Bridged" connection to the physical network interface of our local machine, for example, 192.168.1.0 /24. In this scenario, the internal network of 10.1.1.0 /24 will be used for the entire CheckPoint lab, while the 192.168.1.0 /24 network would be used to reach the Internet, all through the interface of our local machine of course. The firewall will consequently be responsible for NATing services and all the routing involved between the 10 and 192 networks
B) The second method involves having only one single virtual interface on the firewall (i.e eth0, with IP 10.1.1.10), which will connect to the VM's virtual router (10.1.1.1). In this method, the entire lab will be on a 10.1.1.0 /24 network, including the virtual router itself of course. NATing will be done through the virtual router to pass traffic towards the Internet and back to the VM lab
This article will explain how to setup the second method. I will leave the first method for another article in the future.
3. Overall description of our small VM lab, using the second method
There will be 1 CheckPoint firewall (10.1.1.10), a CheckPoint management server (10.1.1.2), a single Windows 7 host (10.1.1.3), and a VM virtual router (10.1.1.1). The way this will work is that the management server and Windows 7 host (or hosts if you want to add more) will send all their traffic to the firewall (10.1.1.10). The firewall is effectively acting as their "default gateway".The firewall will then be configured to send its own traffic, the traffic it receives from the management server, as well as other Windows 7 host (or hosts), to the virtual router (10.1.1.1). The virtual router will then NAT all the traffic (in and out) to your physical machine's interface, which will forward everything to the internet. Here is a general representation:
Host(s) + Management server <--> Firewall <--> Virtual router (with NAT) <--> Internal interface of the PC <--> Internet.
The biggest advantage of this methodology is that you will not need a physical router, an Internet modem, or even any cables to have the VM lab running with Internet access. As long as your machine has some sort of Internet, the entire VM lab can use it as well. This works well on the go with a laptop or a dekstop machine with a USB network adapter for example. You will however need a pretty decent machine or laptop to run all the VMs simultaneously.
4. Technical Setup and configuration of the lab
[] VmWare Workstation ]
Let's start by opening Vmware Workstation, choose Edit, Virtual Network Editor.Follow the below steps:
1) Click on "Add Network...", Choose VMnet0
2) Under VMnet Information, select NAT (shared host's IP with VMs)
3) Click on NAT settings, and under Gateway IP, put 10.1.1.1
4) Check the box for "Connect a virtual adapter to this network
5) Under Subnet IP, put 10.1.1.0 and under subnet mask: 255.255.255.0
6) Click Apply then OK
Now, we have a virtual lab under 10.1.1.0/24, a virtual "router" with the IP 10.1.1.1 which in itself has NATing enabled for anything pointing to it (in this case our firewall), and which will also act as our DNS server (for the firewall and each individual Windows (or Linux) machine/host.)
2) Under VMnet Information, select NAT (shared host's IP with VMs)
3) Click on NAT settings, and under Gateway IP, put 10.1.1.1
4) Check the box for "Connect a virtual adapter to this network
5) Under Subnet IP, put 10.1.1.0 and under subnet mask: 255.255.255.0
6) Click Apply then OK
The remaining work is to setup each individual component of our lab for network connectivity. For each component, there will be the general VM adapter settings; followed by the OS network settings. Lastly, we will configure SmartDashboard for the least required initial settings to have the lab working.
[] Windows 7 host, with IP 10.1.1.3 ]
VM settings:Right click on the Vmware Workstation tab for the Windows 7 host, choose Settings. Under the Hardware tab, choose network adapter, and under Network Connection, select: "Custom: Specific Virtual Network". From the drop-down menu, select VMnet0 (NAT), and finish by clicking OK.
OS settings:
Under the Control Panel, open Network and Sharing Center --> Change adapter Settings --> Right click on your Local Area Connection interface icon --> Choose Properties --> under the Networking tab, double click on Internet Protocol Version 4 (TCP/IPv4) and enter the following settings:
IP: 10.1.1.3
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.10
Preferred DNS server: 10.1.1.1
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.10
Preferred DNS server: 10.1.1.1
[] The management server, with IP 10.1.1.2 ]
VM settings:Right click on the Vmware Workstation tab for the Management server, choose Settings. Under the Hardware tab, choose network adapter, and under Network Connection, select: "Custom: Specific Virtual Network". From the drop-down menu, select VMnet0 (NAT), and finish by clicking OK.
OS settings:
Through the Windows VM host (10.1.1.3), open a browser and login to the management server (10.1.1.2).
Under Network Management:
Network Interfaces:
- Double Click on "eth0", check "Enable"
- Set eth0 to 10.1.1.2 and the subnet mask to 255.255.255.0 (which is /24)
- Under the Ethernet tab, select "Auto Negotiation", and Click OK.
Hosts and DNS:
Set the primary DNS to 10.1.1.1 and click Apply
Ipv4 Static Routes:
Set the default route to Normal and the gateway to 10.1.1.10
- Double Click on "eth0", check "Enable"
- Set eth0 to 10.1.1.2 and the subnet mask to 255.255.255.0 (which is /24)
- Under the Ethernet tab, select "Auto Negotiation", and Click OK.
Hosts and DNS:
Set the primary DNS to 10.1.1.1 and click Apply
Ipv4 Static Routes:
Set the default route to Normal and the gateway to 10.1.1.10
[] The firewall, with IP 10.1.1.10 ]
VM settings:Right click on the Vmware Workstation tab for the Firewall, choose Settings. Under the Hardware tab, choose network adapter, and under Network Connection, select: "Custom: Specific Virtual Network". From the drop-down menu, select VMnet0 (NAT), and finish by clicking OK.
OS settings:
Through the Windows VM host (10.1.1.3), open a browser and login to the firewall (10.1.1.10).
Under Network Management:
Network Interfaces:
- Double Click on "eth0", check "Enable"
- Set eth0 to 10.1.1.10 and the subnet mask to 255.255.255.0 (which is /24)
- Under the Ethernet tab, select "Auto Negotiation", and Click OK.
Hosts and DNS:
Set the primary DNS to 10.1.1.1 and click Apply
Ipv4 Static Routes:
Set the default route to Normal and the gateway to 10.1.1.1 (yes, 10.1.1.1, because that's our virtual VM "router", it will act as a gateway to the firewall itself. In other words, the firewall, by default, will send all its traffic to 10.1.1.1, which is essentially our way out to the internet, and also our NATing setup.)
- Double Click on "eth0", check "Enable"
- Set eth0 to 10.1.1.10 and the subnet mask to 255.255.255.0 (which is /24)
- Under the Ethernet tab, select "Auto Negotiation", and Click OK.
Hosts and DNS:
Set the primary DNS to 10.1.1.1 and click Apply
Ipv4 Static Routes:
Set the default route to Normal and the gateway to 10.1.1.1 (yes, 10.1.1.1, because that's our virtual VM "router", it will act as a gateway to the firewall itself. In other words, the firewall, by default, will send all its traffic to 10.1.1.1, which is essentially our way out to the internet, and also our NATing setup.)
[] Smart DashBoard ]
I will presume that both the firewall and management servers were created under CheckPoint's Network Objects, that the SIC communication was established between them, and the IPs reflect the instructions above.For both the Firewall and security management objects, simply do the following: Under "Topology", click on "Get" and then "Interfaces with topology".
The last thing to do is to add some rules on the firewall through SmartDashboard, but for the purpose of this lab and to make things work initially, we should add a temporary "Any-Any-Any-Accept-LOG" rule to test that everything works fine, and once that is done, you can add your specific firewall ruleset, objects, and network(s) as needed. We have logging enabled so we can track and find out any problems and resolve them through SmartView Tracker.
5. Conclusion
Now the entire lab is setup from a VMware workstation point of view, as well as from a CheckPoint connectivity between the firewall, management server and a single host.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)