




Nokia Installation Document

(I) Importing the installation packages onto the Nokia appliance

First, set up the FTP server and place the IPSO and Check Point packages in the appropriate directory. Then, during boot, press "1" to enter Bootmgr mode.

    1 Bootmgr
    2 IPSO
    Default: 1
    Starting bootmgr
    Loading boot manager.11
    Boot manager loaded.
    Entering autoboot mode.
    Type any character to enter command mode.
    BOOTMGR2 install

Enter the command "install" to start the installation.

    #IPSO Full Installation #
    You will need to supply the following information: Client IP address/netmask, FTP server IP address and filename, system serial number, and other license information.
    This process will DESTROY any existing files and data on your disk.
    #
    Continue? (y/n) n y
    Motherboard serial number is 7H060700056.
    The chassis serial number can be found on a sticker on the back of the unit with the letters S/N in front of the serial number.
    Please enter the serial number: 7H060700056

Copy the serial number shown above!

    Please answer the following licensing questions.
    Will this node be using IGRP ? y n
    Will this node be using BGP ? y n
    1. Install from anonymous FTP server.
    2. Install from FTP server with user and password.
    Choose an installation method (1-2): 2
    Enter IP address of this client (/24): 10/28
    Enter IP address of FTP server (): 13
    Enter IP address of the default gateway (): 13
    Choose an interface from the following list:
    1) eth1
    2) eth2
    3) eth3
    4) eth4
    Enter a number 1-4: 1
    Choose interface speed from the following list:
    1) 10 Mbit/sec
    2) 100 Mbit/sec
    Enter a number 1-2: 2
    Half or full duplex? h/f h f
    Enter user name on FTP Server : admin
    Enter password for admin: *
    Enter path to ipso image on FTP server : /
    Enter ipso image filename on FTP server ipso.tgz:
    1. Retrieve all valid packages, with no further prompting.
    2. Retrieve packages one-by-one, prompting for each.
    3. Retrieve no packages.
    Enter choice 1-3 1: 2
    Client IP address = 10/28
    Server IP address = 13
    Default gateway IP address = 13
    Network Interface = eth1, speed = 100M, full-duplex
    Server download path = /
    Package install type = prompting
    Mirror set creation = no
    Are these values correct? y y
    Checking what packages are available on 13.
    Hash mark printing on (1048576 bytes/hash mark).
    Interactive mode off.
    #
    The following packages are available:
    IPSO_wrapper_R60.tgz
    Building filesystems.done.
    Making initial links.done.
    Downloading compressed tarfile(s) from 13.
    Hash mark printing on (1048576 bytes/hash mark).
    Interactive mode off.
    100% 37044 KB 00:00 ETA
    Do you wish to Download IPSO_wrapper_R60.tgz (y/n) ? : y
    Checking validity of image.done.
    No packages found in /, continuing.
    Installing image.done.
    Image version tag: IPSO-4.1-BUILD013-03.27.2006-223017-1515.
    Checking if bootmgr upgrade is needed.
    No need to upgrade bootmgr.
    Do you want to upgrade bootmgr anyway? n y
    Upgrading bootmgr.
    new bootmgr size is 1474560
    old bootmgr size is 1474560
    Saving old bootmgr.
    Installing new bootmgr.
    Verifying installation of bootmgr.
    Installation completed.
    Reset system or hit to reboot.
    Starting reboot.

I. Configuring the Nokia appliance and unpacking Check Point

1. When the following message appears, enter the host name you have chosen, as prompted.

    Please choose the host name for this system. This name will be used in messages and usually corresponds with one of the network hostnames for the system. Note that only letters, numbers, dashes, and dots (.) are permitted in a hostname.
    Hostname? FW-ASH-01
    Hostname set to "FW-ASH-01", OK? y y

2. Next, set the password for the administrator account admin, as prompted.

    Please enter password for user admin:
    Please re-enter password for confirmation:

3. Choose how to configure the system.

    You can configure your system in two ways:
    1) configure an interface and use our Web-based Voyager via a remote browser
    2) VT100-based Lynx browser
    Please enter a choice 1-2, q : 1

Note: choose option 1 to configure the system through the web interface.

4. Select an interface and configure an IP address for it.

    Select an interface from the following for configuration:
    1) eth1
    2) eth2
    3) eth3
    4) eth4
    5) quit this menu
    Enter choice 1-5: 1
    Enter the IP address to be used for eth1: 10
    Enter the masklength: 28
    Do you wish to set the default route y ?n

Note: the default route is configured later, together with the other static routes.

    This interface is configured as 10 mbs by default.
    Do you wish to configure this interface for 100 mbs n ?y

Note: if the connected device supports 100M, choose y.

    This interface is configured as half duplex by default.
    Do you wish to configure this interface as full duplex n ?y

Note: if the connected device supports full duplex, choose y.

    You have entered the following parameters for the eth1 interface:
    IP address: 10
    masklength: 28
    Speed: 100M
    Duplex: full
    Is this information correct y ?y

* Confirm that all of the settings are correct.

5. Choose whether to enable VLAN support.

    Do you want to configure Vlan for this interface n ?n

Note: if no inter-VLAN routing or security policy is needed, choose n.

6. One interface is now configured, and the rest of the configuration can be done in web Voyager through this interface's IP address.

    You may now configure your interfaces with the Web-based Voyager by typing in the IP address "10" at a remote browser.
    Generating config files for NokiaIP530: ipsrd hosts password group resolver snmp inetd ttys tz ntp ssmtp skey arp ndp aggrclass acl ddr ef syslog autosupport httpd lynx modem cron archive ipsec fmd AAA cluster xmode ssh iptune done.
    ifmnetlog:eth4 . enabling 10baseT/UTP port in half duplex mode
    netlog:eth2 . enabling 10baseT/UTP port in half duplex mode
    netlog:eth3 . enabling 10baseT/UTP port in half duplex mode
    done.
    Nov 27 08:33:46 LOG_INFO kernel: netlog:eth4 . enabling 10baseT/UTP port in half duplex mode
    Nov 27 08:33:46 LOG_INFO kernel: netlog:eth2 . enabling 10baseT/UTP port in half duplex mode
    Nov 27 08:33:46 LOG_INFO kernel: netlog:eth3 . enabling 10baseT/UTP port in half duplex mode
    Mon Nov 27 08:33:47 GMT 2006
    Loading Package List
    Package Description: Check Point Suite wrapper package NGX R60
    Would you like to :
    1. Install this as a new package
    2. Upgrade from an old package
    3. Skip this package
    4. Exit new package installation
    Choose (1-4): 1
    Installing IPSO_wrapper_R60.tgz
    Running IPSO_wrapper_R60/INSTALL PRE /opt/IPSO_wrapper_R60 /opt/tmp/IPSO_wrapper_R60.tgz IPSO_wrapper_R60/MANIFEST newpkg
    Running IPSO_wrapper_R60/INSTALL POST /opt/IPSO_wrapper_R60 /opt/tmp/IPSO_wrapper_R60.tgz IPSO_wrapper_R60/MANIFEST newpkg
    * It is required to configure Check Point products before activating them, you can do so by re-login to the machine and running cpconfig from the command line. *
    Done installing IPSO_wrapper_R60
    End of new package installation
    cleaning up .done
    A reboot may be necessary to activate packages.
    Dec 12 02:45:49 FW-ASH-01 LOG_CRIT reboot: rebooted by root
    Dec 12 02:45:49 FW-ASH-01 LOG_ERR syslogd: exiting on signal 1
    cleaning up. syncing disks. done
    Rebooting.

7. Network services are reinitialized and a new login prompt appears.

    IPSO (FW-ASH-01) (ttyd0)
    login:

(I) We can now use web-based Voyager to configure the Nokia appliance. Open IE and enter the IP address just configured in the address bar: http:/ 10
A window then pops up asking for a user name and password.

1) Enter the password. Once authentication succeeds you are in Voyager. Click Configuration to open the configuration page.
2) Configure the firewall interfaces: Configuration - Interface Configuration - Interfaces. Activate the interfaces and set the link speed and duplex. The "Physical" and "Logical" sections must each be configured.
3) Configure the system time: Configuration - System Configuration - Time
4) Configure static routes.
   a) Default route: next to Default select on - click Apply - Gateway type: address - click Apply - enter the default gateway IP - click Apply, then Save.
   b) Adding static routes: in the Quick-add static routes list, enter each route in the format "network/mask length next-hop address". Example: /24 /24 /24
      Note: you can write the routes in Notepad first and then paste them in one go to add routes in bulk!
5) VRRP configuration: Configuration - High Availability - VRRP
6) Change Accept Connections to VRRP IPs to Enabled and Monitor Firewall State to Disabled.
   On FW-ASH-01 set VRRP Priority: 100, Priority Delta: 5, and enter the VIP in the Backup Address field.
   On FW-ASH-02 set VRRP Priority: 95, Priority Delta: 5, and enter the VIP in the Backup Address field.

The basic IPSO setup is now complete, and installation of the Check Point package can begin.

(II) Installing Check Point

    IPSO (FW-ASH-01) (ttyd0)
    login: admin
    Password: *
    Last login: Mon Nov 27 16:49:17 from 24
    Nov 27 17:11:16 NokiaIP530 LOG_INFO login: DIALUP ttyd0, admin
    Nov 27 17:11:16 NokiaIP530 LOG_NOTICE login: ROOT LOGIN (admin) ON ttyd0
    Nov 27 17:11:16 NokiaIP530 LOG_NOTICE login: ROOT LOGIN (admin) ON ttyd0
    Nov 27 17:11:16 NokiaIP530 LOG_INFO login: login on ttyd0 as admin
    IPSO 3.7.1-BUILD025 #1299: 06.04.2006 081958
    Terminal type? vt100 C
    NokiaIP530admin# cpconfig

Enter the command "cpconfig" to start the Check Point installation.

    Welcome to Check Point Configuration Program
    =
    Please read the following license agreement. Hit ENTER to continue. C
    Select installation type:
    -
    (1) Stand Alone - install VPN-1 Pro Gateway and SmartCenter Enterprise.
    (2) Distributed - install VPN-1 Pro Gateway, SmartCenter and/or Log Server.
    Enter your selection (1-5/a-abort) 1: 2
    Select installation type:
    -
    (1) VPN-1 Pro Gateway.
    (2) Enterprise SmartCenter.
    (3) Enterprise SmartCenter and VPN-1 Pro Gateway.
    (4) Enterprise Log Server.
    (5) VPN-1 Pro Gateway and Enterprise Log Server.
    Enter your selection (1-5/a-abort) 1: 1
    Is this a Dynamically Assigned IP Address gateway installation ? (y/n) n ? n
    Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) n ? y
    IP forwarding disabled
    Hardening OS Security: IP forwarding will be disabled during boot.
    Generating default filter
    Default Filter installed
    Hardening OS Security: Default Filter will be applied during boot.
    This program will guide you through several steps where you
    will define your Check Point products configuration.
    At any later time, you can reconfigure these parameters by
    running cpconfig
    Configuring Licenses.
    =
    Host Expiration Signature Features
    Note: The recommended way of managing licenses is using SmartUpdate.
    cpconfig can be used to manage local licenses only on this machine.
    Do you want to add licenses (y/n) y ? n
    Configuring Random Pool.
    =
    You are now asked to perform a short random keystroke session.
    The random data collected in this session will be used in
    various cryptographic operations.
    Please enter random text containing at least six different
    characters. You will see the * symbol after keystrokes that
    are too fast or too similar to preceding keystrokes. These
    keystrokes will be ignored.
    Please keep typing until you hear the beep and the bar is full. .

Type random characters.

    Thank you.
    Configuring Secure Internal Communication.
    =
    The Secure Internal Communication is used for authentication between
    Check Point components
    Trust State: Uninitialized
    Enter Activation Key: *
    Again Activation Key: *

Enter and confirm the Activation Key.

    The Secure Internal Communication was successfully initialized
    initial_module:
    Compiled OK.
    Hardening OS Security: Initial policy will be applied
    until the first policy is installed
    In order to complete the installation
    you must reboot the machine.
    Do you want to reboot? (y/n) y ? y
    cleaning up. syncing disks. done
    Nov 27 17:17:47 NokiaIP530 LOG_CRIT kernel: Nov 27 17:17:47 NokiaIP530 LOG_ERR syslogd: /var/log/messages: Input/output error
    Nov 27 17:17:47 NokiaIP530 LOG_ERR syslogd: /var/run/utmp: No such file or directory
    Rebooting.

(III) Installing SmartCenter

Insert the Check Point for Windows CD into the drive.
Select Next.
When the license agreement appears, choose to accept it and click Next.
Select Check Point Enterprise/Pro and click Next.
Select New Installation and click Next.
Tick SmartCenter and SmartConsole and click Next.
Select Primary SmartCenter and click Next.
Click Next to complete the installation, then restart.

(IV) Configuring SmartCenter

After the system restarts, the cpconfig setup wizard appears.
1. Add the license: select Fetch From File and click Next.
2. Add an administrator account: select Add and click Next.
3. Define the GUI clients that are allowed to connect: you can define a single IP, an IP range, or Any, then Add, and click Next.
4. Initialize the CA certificate and click Next to finish the wizard.

(V) Creating and configuring the Network Object

1. Open SmartDashboard, select New Check Point - VPN-1 Pro/Express Cluster, select Simple mode (wizard), and click OK.
2. Enter the name and IP of the cluster, select Nokia VRRP as the cluster solution, and click Next.
3. Click Add and select New Cluster Member. Enter the gateway name, IP and SIC, click Initialize to establish trust between SmartCenter and the gateway, and click OK.
4. Finish adding the 2 gateways and click Next to complete creation of the Check Point VPN-1 Pro/Express Cluster.
5. Check and modify the Check Point Cluster Topology: open the Gateway Cluster properties and select Topology.
6. Click Edit Topology and select Get all members topology. If the VIP address and Network Objective are not displayed, add them manually. Click OK to finish.
7. Enable Monitor firewall: open Voyager on both gateways and select Monitor firewall: Enabled.

(VI) Creating and configuring Policy and Service

1. On first login to SmartCenter there are no objects or policies, so they must be added. Click Add Rule at the Bottom.
2. Create a Nodes host with IP 8, used for broadcast between the cluster members, and define the services as igmp, vrrp.

(VII) Adding licenses on SmartCenter and the Gateway

1. To add the license to SmartCenter, log in to SmartCenter with SmartDashboard and open SmartUpdate from the Window tab of the SmartDashboard interface.
2. In SmartUpdate, click the Gateway, choose License in the toolbar, move to Add, and select From File.
3. Right-click the Gateway, select Attach Licenses, and click Attach to finish adding the license.

(VIII) Viewing and clearing logs with SmartView Tracker

1. Log in to SmartCenter with SmartDashboard and open SmartView Tracker from the Window tab of the SmartDashboard interface.
2. In SmartView Tracker, the left pane lists All Records, Firewall, VPN and other entries, each a category of log; under VPN, for example, you see the VPN-related logs. On the right, the 3 buttons marked in the figure below help with viewing logs, and the Time, Service, Source, Destination and similar buttons help analyze the logs for a particular source, destination or service.

(IX) Viewing traffic and services with SmartView Monitor

1. By default SmartView Monitor is not enabled on the firewall. Open the firewall properties and, under Check Point Products, tick SmartView Monitor and QoS.
2. Click Topology and select Edit Topology. On each of the 2 gateways, tick the ports whose traffic is to be monitored, as shown in the figure below, click OK, and install the policy.
3. Log in to SmartCenter with SmartDashboard and open SmartView Monitor from the Window tab of the SmartDashboard interface.
4. Select Top Service, set the ports you want to monitor, and click OK.
5. Use the buttons in the annotated box to view traffic as line charts, pie charts, and so on.

(X) Installing the hotfix package on SmartCenter and the Gateway

1. To install the hotfix package on SmartCenter, first stop the Check Point services from the command line with "cpstop".
2. Stop the system SNMP service (if SNMP is not enabled on the system, you will not see it).
3. Extract the VPN-1_R60_HFA_04_wrapper.windows.tgz file and run Setup. Type "y" and press Enter, choose "Yes", OK, choose "Yes", continue, OK, and the installation is complete!
2. After installation, run "cpstart" to start the Check Point services.
3. Run the "fwm ver" command to check the patch installation status.
4. Re-enable the system SNMP service.
5. In addition, if you need to remove the HFA_04 patch, it can be removed through the Control Panel!
6. Installing the hotfix package on the Gateway: via Con
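
An added example, not part of the original document, that checks the VRRP values from step 6) of the Voyager configuration (FW-ASH-01 at Priority 100, FW-ASH-02 at Priority 95, Priority Delta 5 on both) against the backup-takeover rule in RFC 3768. It assumes monitored-circuit behaviour, where each failed monitored interface lowers the advertised priority by the delta, and that preemption is enabled; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int  # configured VRRP Priority
    delta: int     # configured Priority Delta

    def effective(self, failed_ifaces: int) -> int:
        # Assumption: monitored-circuit behaviour, where each failed
        # monitored interface lowers the advertised priority by `delta`.
        return self.priority - self.delta * failed_ifaces


def backup_takes_over(master_adv: int, backup_prio: int) -> bool:
    # RFC 3768, Backup state: an advertisement with priority greater than
    # or equal to the local priority resets Master_Down_Timer, so a healthy
    # backup preempts only when its priority is strictly higher.
    return backup_prio > master_adv


def failover_table(master: Member, backup: Member, max_failed: int = 2):
    """Rows of (failed interfaces on master, master priority, takeover?)."""
    rows = []
    for failed in range(max_failed + 1):
        adv = master.effective(failed)
        rows.append((failed, adv, backup_takes_over(adv, backup.effective(0))))
    return rows


def min_delta_for_single_failure(master: Member, backup: Member) -> int:
    # Smallest delta that pushes the master strictly below the backup
    # after one monitored interface fails.
    return master.priority - backup.priority + 1


# Values from step 6) of the Voyager configuration.
fw1 = Member("FW-ASH-01", priority=100, delta=5)
fw2 = Member("FW-ASH-02", priority=95, delta=5)

if __name__ == "__main__":
    for failed, adv, takeover in failover_table(fw1, fw2):
        print(f"{fw1.name} failed_ifaces={failed} priority={adv} "
              f"{fw2.name} takes over: {takeover}")
    print("minimum delta:", min_delta_for_single_failure(fw1, fw2))
```

Under this rule a single interface failure on FW-ASH-01 leaves both members advertising 95, so FW-ASH-02 stays backup until a second interface fails. A failover test on the appliances (pull one monitored link and watch the VRRP state in Voyager) confirms whether the deployed values behave as intended.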