Nokia IP350 User Manual

Check Point NG FP3 step-by-step Install guide on NOKIA IPSO
By Brandon E. Robrahn
INTRO
This document is to be used as a reference on how to install a NOKIA IP350 with Check Point NG FP3. In this document I have provided a step-by-step reference guide on loading a NOKIA IP350 with IPSO version 3.7.1Build010 and Check Point version NG FP3. Voyager and the command line were both used in this guide; this is just one way that a NOKIA device can be configured as a Check Point firewall. Not all of the patches and hot fixes for these versions are shown in this document. Only one patch was applied to this device, simply to show how to apply it to the NOKIA. The two vulnerabilities that have to be addressed when using this version of Check Point and IPSO are:
1. Hot fix Accumulator 325
2. OpenSSL vulnerability

After using this document as a reference guide (not a configuration guide), you should be able to put the device in line and connect it to a management server without any issues. This document starts with entering the hostname of the firewall and ends with applying the default filter and running CPCONFIG. Good luck with your install, and thanks for using this guide as a reference on how to configure a Check Point firewall.
After the startup script runs you will be prompted to enter a hostname. If you hit Enter, it will clear the text so that you can type the hostname that you choose. Listed below is an actual screen capture, taken from SecureCRT, of how an install is performed. I used red text in the areas where you need to type in commands to configure this firewall.
Please choose the host name for this system. This name will be used in messages and usually corresponds with one of the network hostnames for the system. Note that only letters, numbers, dashes, and dots (.) are permitted in a hostname.
Hostname? fw-test
Hostname set to "fw-test", OK? [ y ] ? y
Please enter password for user admin: password
Please re-enter password for confirmation: password
You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a remote browser
2) VT100-based Lynx browser
Please enter a choice [ 1-2, q ]: 1
Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-5]: 1
Enter the IP address to be used for eth1: 10.0.0.1
Enter the masklength: 24
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: 10.0.0.254
This interface is configured as 10 mbs by default. Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default. Do you wish to configure this interface as full duplex [ n ] ? y
You have entered the following parameters for the eth1 interface:
IP address: 10.0.0.1
masklength: 24
Default route: 10.0.0.254
Speed: 100M
Duplex: full
Is this information correct [ y ] ? y
Do you want to configure Vlan for this interface[ n ] ? n
You may now configure your interfaces with the Web-based Voyager by typing in the IP address "131.87.68.50" at a remote browser.
Generating config files for fw-test: ipsrd hosts password group resolver snmp inetd ttys tz ntp ssmtp skey arp ndp aggrclass acl ddr ef syslog autosupport httpd lynx modem cron archive ipsec fmd AAA cluster xmode ssh iptune done.
ifmnetlog:eth4 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth1 .. enabling 100baseTX/UTP port in full duplex mode
done.
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth4 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
Apr 28 16:08:20 fw-test [LOG_INFO] kernel: netlog:eth1 .. enabling 100baseTX/UTP port in full duplex mode
Wed Apr 28 16:08:23 GMT 2004
IPSO (fw-test) (ttyd0)
login: admin
Password: password
Last login: Wed Apr 28 15:58:11 on ttyd0
Apr 28 16:09:09 fw-test [LOG_INFO] login: DIALUP ttyd0, admin
Apr 28 16:09:09 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Apr 28 16:09:09 fw-test [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Apr 28 16:09:09 fw-test [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.7-BUILD027 #1215: 09.23.2003 052500
Terminal type? [vt100]
fw-test[admin]# cd /var/tmp
fw-test[admin]# ls -ls
total 1
1 -rw-r--r-- 1 root wheel 111 Apr 28 15:54 dhcpv4c_eth1c0.conf
0 -rw-r--r-- 1 root wheel 0 Apr 28 16:08 ipsopmddebug.txt
0 -rw-r--r-- 1 root wheel 0 Apr 28 15:57 ipsopmddebug.txt1
0 lrwxrwxrwt 1 root wheel 40 Apr 28 16:08 present -> IPSO-3.7-BUILD027-09.23.2003-052500-1215
fw-test[admin]#
By typing cd /var/tmp and then typing ls -ls you change to the /var/tmp directory and list what is in it. The "present" link in that listing shows which IPSO version you are currently running on your NOKIA device. Since the IPSO version that is shown is not the current version or the version that we want to use, we are going to change it to the correct version by installing a new IPSO image from an FTP server using Voyager. Voyager is web based; you are able to configure almost everything via Voyager. To access the Voyager web page, type in http://10.0.0.1 and then enter the user name and password. Any interface that is configured on this NOKIA can be used to get access to Voyager.
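The version check described above can be scripted against a saved console capture. This is an added example, not part of the original guide: it runs on the admin workstation, the function names are hypothetical, and the image name pattern is assumed from the single file name this guide uses.

```shell
#!/bin/sh
# Added example: run on the admin workstation, not on the firewall.
# Constructed sample input: the "ls -ls /var/tmp" listing shown in this guide.
sample_listing() {
cat <<'EOF'
total 1
1 -rw-r--r--  1 root  wheel  111 Apr 28 15:54 dhcpv4c_eth1c0.conf
0 -rw-r--r--  1 root  wheel    0 Apr 28 16:08 ipsopmddebug.txt
0 -rw-r--r--  1 root  wheel    0 Apr 28 15:57 ipsopmddebug.txt1
0 lrwxrwxrwt  1 root  wheel   40 Apr 28 16:08 present -> IPSO-3.7-BUILD027-09.23.2003-052500-1215
EOF
}

# Read a listing on stdin; print "<release> <build>" taken from the target of
# the "present" link. Exit status is 1 when no such link is in the listing.
running_ipso() {
    awk 'NF >= 3 && $(NF-2) == "present" && $(NF-1) == "->" {
        n = split($NF, p, "-")            # IPSO-<release>-BUILD<nnn>-...
        if (n >= 3 && p[1] == "IPSO") {
            sub(/^BUILD/, "", p[3]); print p[2], p[3]; found = 1
        }
    } END { exit !found }'
}

# Print "<release> <build>" from an image file name of the form used in this
# guide (ipso_3_7_1_Build007.tgz); print nothing for any other name.
# Assumption: other image names follow the same pattern.
image_ipso() {
    printf '%s\n' "$1" |
        sed -n 's/^ipso_\([0-9_]*\)_[Bb]uild\([0-9]*\)\.tgz$/\1 \2/p' | tr '_' '.'
}

# stdin = listing, $1 = image file name.
# Returns 0 if the image differs from what is running, 1 if it is the same,
# 2 if either side could not be parsed.
needs_upgrade() {
    cur=$(running_ipso) || { echo "no 'present' link in listing" >&2; return 2; }
    new=$(image_ipso "$1")
    [ -n "$new" ] || { echo "unrecognised image name: $1" >&2; return 2; }
    echo "running: $cur   target: $new"
    [ "$cur" != "$new" ]
}

sample_listing | needs_upgrade ipso_3_7_1_Build007.tgz
```

Running the same check on a listing captured after the Test Boot confirms that the "present" link now points at the image you installed.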
NOTE: Leave the SSH connection running.
The first screen you will see will look like the one shown above. Click on the Config button to get started.
Under the section System Configuration click on Install New IPSO Image (Upgrade).
The screen that you are on should look like the one shown above. This is where you will need to type in the IP Address of your FTP Server. Since you will have a cross over cable hooked to your PC and the other end hooked to the port on the NOKIA that reads ETH-1, you will use the IP Address of your PC.
NOTE: Make sure that you have an FTP server loaded on your PC. EXAMPLE: 3COM Server.
Make sure that your FTP server is configured for anonymous access so that you don't have to type in a user name and password. Type "ftp://10.0.0.2/ipso_3_7_1_Build007.tgz". I am using IPSO 3.7.1 build 007 as an example; use whatever IPSO version is current or that you want to use.
Now click on Apply.
Click on the Apply button one more time and the install should start running. This load will take a few minutes, so don’t click on anything else just let it run. You can also look on your FTP server to see the status of your FTP session.
If you click on the link highlighted in Blue you should see the status of your install. When the install is finished the screen will look like the one shown below.
The install is now complete and you need to reboot your NOKIA device. Before you reboot click on Manage IPSO images (including REBOOT and Next Boot Image Selection) located at the bottom of the page.
Select the radio button that reads Last Image Downloaded. This is the IPSO version that you just loaded. At the bottom of the page, click on Test Boot.
NOTE: Test Boot is used in case something goes wrong while you're rebooting; you can then revert to the old version with no harm done. This is a precautionary measure.
After selecting Test Boot you will see the page shown above. Wait about 5 minutes and then hit the Refresh button at the top of the page.