CheckPoint GAIA Installation on Unetlab

-download the CheckPoint R77.30 ISO
-prepare a VMware Workstation VM as Other Linux 64-bit with a 30GB disk, 2GB RAM and 4 NICs
-open Chrome and go to https://10.0.10.61

-shutdown the VM and go back to VMware Workstation
-select the CheckPoint VM
-click File/Export to OVF and export it as cpsg-r7730.ova
-on the Unetlab host, create the image directory and copy the OVA into it (run the commands below inside that directory):
# mkdir -p /opt/unetlab/addons/qemu/cpsg-r7730
scp cpsg-r7730.ova into /opt/unetlab/addons/qemu/cpsg-r7730
# tar xf cpsg-r7730.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 cpsg-r7730-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
-create the CheckPoint lab in Unetlab and start cp1
-open SmartDashboard and login as admin
-right click cp1 under Network Objects/CheckPoint and choose Edit
-create Network Objects/Networks/LAN
-create Firewall policy
-create Application & URL Filtering policy

Time zone reset on every reboot

MikroTik RouterBoards have no battery-backed clock, so the time zone is not kept across a reboot.

SOLUTION
Create a scheduler entry that runs at startup and a script that waits for the interfaces to come up, sets the time zone and enables the NTP client:
/system scheduler
add name=startup on-event=ntp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
/system script
add name=ntp owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":delay 15\r\
\n/system clock set time-zone-name=Asia/Jakarta\r\
\n/system ntp client set enabled=yes primary-ntp=203.89.31.13\r\
\n"

Mikrotik Hotspot

HW INFO:
-Mikrotik SXTG-2HNd
WAN IP: 10.0.10.229/24
WIFI IP: 192.168.88.1/24
> ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.0.10.229/24     10.0.10.0       ether1
 1   192.168.88.1/24    192.168.88.0    wlan1
/ip route
add distance=1 gateway=10.0.10.1
/system ntp client
set enabled=yes primary-ntp=203.160.128.59
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

click IP/Hotspot/Servers
click Hotspot Setup

click IP/Hotspot/Servers/hotspot1

click IP/Hotspot/Server Profiles/hsprof1/

click + on IP/Hotspot/User Profiles

create a hotspot user
click + on IP/Hotspot/Users

To enable HTTPS with a self-signed certificate
First disable the plaintext management services and enable www-ssl:
> ip service print
Flags: X - disabled, I - invalid
 #   NAME        PORT ADDRESS                                          CERTIFICATE
 0 XI telnet        23
 1   ftp           21
 2   www           80
 3   ssh           22
 4 XI www-ssl      443                                                  none
 5   api         8728
 6   winbox      8291
 7   api-ssl     8729                                                  none
> ip service disable 0
> ip service disable 1
> ip service enable 4
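As an added check (written for these notes, not part of the original or of RouterOS), the following Python script parses the /ip service print listing shown above, reports the services that are still enabled in the clear or enabled without a certificate bound, and prints the RouterOS commands that fix them. The listing is embedded as a constructed sample copied from the output above; www is deliberately left alone because the hotspot login page needs it, and CERT_NAME is a placeholder for the certificate imported later (hotspot.crt_0 in these notes).

```python
import re

# Constructed sample: the "/ip service print" listing from the notes, before hardening
SAMPLE_SERVICE_PRINT = """\
Flags: X - disabled, I - invalid
 #   NAME        PORT ADDRESS                                          CERTIFICATE
 0 XI telnet        23
 1   ftp           21
 2   www           80
 3   ssh           22
 4 XI www-ssl      443                                                  none
 5   api         8728
 6   winbox      8291
 7   api-ssl     8729                                                  none
"""

# Management services that carry credentials in the clear (www stays: the hotspot login needs it)
PLAINTEXT_ADMIN_SERVICES = {"telnet", "ftp", "api"}
TLS_SERVICES = {"www-ssl", "api-ssl"}

# "<n> <flags> <name> <port> [address] [certificate]"; flags are upper-case, names lower-case
ROW = re.compile(r"^\s*(\d+)\s+([XI]*)\s*([a-z][\w-]*)\s+(\d+)(.*)$")


def parse_service_print(text):
    """Parse RouterOS '/ip service print' output into a list of service dicts."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # the 'Flags:' legend and the column header do not match
            continue
        flags, name, port, rest = m.group(2), m.group(3), int(m.group(4)), m.group(5).split()
        # For TLS services the last trailing token is the CERTIFICATE column ('none' when unbound)
        cert = rest[-1] if name in TLS_SERVICES and rest else None
        services.append({"name": name, "port": port,
                         "disabled": "X" in flags, "certificate": cert})
    return services


def audit_services(services):
    """Return (service, message) findings for services a hotspot router should not expose."""
    findings = []
    for s in services:
        if s["disabled"]:
            continue
        if s["name"] in PLAINTEXT_ADMIN_SERVICES:
            findings.append((s["name"], f"tcp/{s['port']} is enabled and unencrypted"))
        elif s["name"] in TLS_SERVICES and s["certificate"] in (None, "none"):
            findings.append((s["name"], "enabled but no certificate is bound"))
    return findings


def remediation_commands(findings):
    """Translate findings into the RouterOS commands that fix them."""
    cmds = []
    for name, _ in findings:
        if name in PLAINTEXT_ADMIN_SERVICES:
            cmds.append(f"/ip service disable {name}")
        else:  # CERT_NAME is a placeholder for the imported certificate name
            cmds.append(f"/ip service set {name} certificate=CERT_NAME")
    return cmds


if __name__ == "__main__":
    found = audit_services(parse_service_print(SAMPLE_SERVICE_PRINT))
    for name, msg in found:
        print(f"{name}: {msg}")
    print("\n".join(remediation_commands(found)))
```

On the sample listing the script flags ftp and api as plaintext services still enabled and api-ssl as enabled with no certificate; www-ssl is not reported because it is still disabled at that point, which is exactly the gap the certificate import below closes. Paste the real listing from your router in place of the sample to run it against a live device.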

create a self-signed certificate (on a host with OpenSSL)
# openssl genrsa -des3 -out hotspot.key 1024
Enter pass phrase for hotspot.key: password
Verifying - Enter pass phrase for hotspot.key: password
# openssl req -new -key hotspot.key -out hotspot.csr
Enter pass phrase for hotspot.key: password
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:JKT
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NGTrain
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:hs.ngtrain.com
Email Address []:support@ngtrain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
# openssl x509 -req -days 10000 -in hotspot.csr -signkey hotspot.key -out hotspot.crt
Signature ok
subject=/C=ID/ST=JKT/L=Jakarta/O=NGTrain/OU=IT/CN=hs.ngtrain.com/emailAddress=support@ngtrain.com
Getting Private key
Enter pass phrase for hotspot.key: password
A 1024-bit RSA key is below current minimums; for a new key use at least 2048 bits (the commands are otherwise the same).

-scp hotspot.crt and hotspot.key into the hotspot/ directory on the MikroTik, then import both (the key import asks for the pass phrase set above)
> /certificate import file-name=hotspot/hotspot.crt
passphrase: ********
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
> /certificate import file-name=hotspot/hotspot.key
passphrase: ********
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

-bind the imported certificate to the www-ssl service
/ip service set www-ssl certificate=hotspot.crt_0

-if you don't have your own DNS server, add a static DNS entry for hs.ngtrain.com on the MikroTik so clients resolve the login page name to the hotspot address
> ip dns static add name=hs.ngtrain.com address=192.168.88.1
verify with
> ip dns cache print

-modify IP/Hotspot/Server Profiles/hsprof1/ to use the certificate and the hs.ngtrain.com login name

ESXi 6.0 Unetlab to Cisco Catalyst trunk

I had a problem with Unetlab inside ESXi connected over 2 trunk ports.
Once one of the trunk cables was disconnected, the issue went away.
The problems were:
-a node (a Mikrotik in the example below) can't ping the gateway, but the Unetlab VM can
-after ESXi restarted, I can't ping ESXi anymore
The solution is to bundle the two trunk ports into a static EtherChannel on the Cisco side and match it with the vSwitch NIC teaming on the ESXi side:
Cisco:
# sh run
port-channel load-balance src-dst-ip
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 flowcontrol receive desired
interface FastEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
!
interface FastEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
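As an added consistency check (written for these notes, not part of the original or of any vendor tool), the following Python script parses the Cisco running-config above and verifies the points the fix relies on: the global src-dst-ip load-balance line (the switch-side setting VMware requires when a standard vSwitch teams with Route based on IP hash), every member in static mode on (a standard vSwitch cannot negotiate LACP), identical configuration on both member ports, and a Port-channel interface that carries the same switchport settings as its members. SAMPLE_RUNNING_CONFIG is the config from the page; MISMATCHED_CONFIG is a constructed variant in which one member has drifted.

```python
import re
from collections import defaultdict

# The running-config from the notes above (Cisco side of the ESXi trunk)
SAMPLE_RUNNING_CONFIG = """\
port-channel load-balance src-dst-ip
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 flowcontrol receive desired
interface FastEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
!
interface FastEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
"""

# Constructed variant: the second member has drifted and lost 'switchport nonegotiate'
MISMATCHED_CONFIG = SAMPLE_RUNNING_CONFIG.replace(
    "interface FastEthernet2/0/2\n switchport trunk encapsulation dot1q\n"
    " switchport mode trunk\n switchport nonegotiate\n",
    "interface FastEthernet2/0/2\n switchport trunk encapsulation dot1q\n"
    " switchport mode trunk\n")

CHANNEL_RE = re.compile(r"^channel-group (\d+) mode (\S+)$")


def parse_interfaces(config):
    """Map each 'interface X' block to its stripped sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:  # '!' or a global command closes the current block
            current = None
    return blocks


def audit_port_channels(config):
    """Return problem strings; an empty list means the EtherChannel is consistent."""
    blocks = parse_interfaces(config)
    problems = []
    global_lines = [l.strip() for l in config.splitlines()
                    if not l.startswith((" ", "interface "))]
    if "port-channel load-balance src-dst-ip" not in global_lines:
        problems.append("global: 'port-channel load-balance src-dst-ip' missing")

    groups = defaultdict(dict)  # group id -> {member name: (mode, other config lines)}
    for name, lines in blocks.items():
        for line in lines:
            m = CHANNEL_RE.match(line)
            if m:
                groups[m.group(1)][name] = (m.group(2), set(lines) - {line})

    for group, members in sorted(groups.items()):
        pc_lines = blocks.get(f"Port-channel{group}")
        if pc_lines is None:
            problems.append(f"channel-group {group}: no 'interface Port-channel{group}' block")
        for name, (mode, _) in sorted(members.items()):
            if mode != "on":  # a standard vSwitch cannot run LACP, so members must be static
                problems.append(f"{name}: channel-group mode '{mode}' is not static 'on'")
        # Compare every other member against the first one (by name) and report each difference
        (ref_name, (_, ref_lines)), *others = sorted(members.items())
        for name, (_, lines) in others:
            for line in sorted(ref_lines ^ lines):
                problems.append(f"{name} vs {ref_name}: '{line}' differs")
        if pc_lines is not None:
            for line in sorted(l for l in ref_lines if l.startswith("switchport")):
                if line not in pc_lines:
                    problems.append(f"Port-channel{group}: missing '{line}' carried by members")
    return problems


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_RUNNING_CONFIG), ("drifted", MISMATCHED_CONFIG)):
        print(label, audit_port_channels(cfg) or ["consistent"])
```

The page config passes cleanly; the drifted variant reports that FastEthernet2/0/2 lacks switchport nonegotiate compared with FastEthernet2/0/1. Paste the output of show running-config in place of the sample to check a real switch, which is the first thing to do when only one of the two links behaves.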
ESXi: vSwitch NIC teaming configuration (screenshots not preserved)

Port Mirroring

In Wireshark, capture on Interface: Ethernet with the display filter ip.addr == 10.0.10.115 (your WWW server IP address).

Cisco
to start
(config)# monitor session 1 source interface Fa2/0/1
(config)# monitor session 1 destination interface Fa2/0/2
(config)# monitor session 2 source vlan 10

to verify
# show monitor session 1

to stop
(config)# no monitor session 1

HP
to start
(config)# mirror-port 2
(config)# int 1 monitor
(config)# vlan 10 monitor

to verify
(config)# show monitor
 Network Monitoring Port
  Mirror Port: 2
  Monitoring sources
  ------------------
  1

to stop
(config)# no mirror-port
(config)# no int 1 monitor
(config)# no vlan 10 monitor

Juniper
# show
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members default;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id default;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.0.10.241/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.10.1;
    }
}
ethernet-switching-options {
    analyzer monitor1 {
        input {
            ingress {
                interface ge-0/0/0.0;
            }
        }
        output {
            interface {
                ge-0/0/1.0;
            }
        }
    }
    storm-control {
        interface all;
    }
}

to verify
# run show analyzer
Analyzer name                    : monitor1
  Output interface               : ge-0/0/1.0
  Mirror ratio                   : 1
  Loss priority                  : Low
  Ingress monitored interfaces   : ge-0/0/0.0

to stop
# delete ethernet-switching-options analyzer monitor1
# commit

Mikrotik
to start
/interface ethernet switch set mirror-source=ether1 mirror-target=ether4
NOTE: this must be done on a physical RouterBoard; it can't be done in Unetlab