Professional Documents
Culture Documents
Checkpoint
Checkpoint
Using fwstop/ fwstart will only restart VPN-1/FireWall-1, and using cpstop/ cpstart will restart
all Check Point components, including the SVN foundation.
Smartview tracker also will be useful to see if traffic is allowed on certain ports via certain
policies.
What is Anti-spoofing?
Anti-Spoofing feature ensures that the IP addresses of the packets entering the FireWall are valid.
It verifies that packets originate from and are destined to the correct interfaces on the gateway. It
confirms which packets actually come from the specified internal network interface. It also
verifies that once a packet is routed, it goes through the proper interface.
A packet coming from an external interface, even if it has a spoofed internal IP address, is
blocked because the firewall anti-spoofing feature detects that the packet arrived from the wrong
interface.
Configuration on R75, see below, Source: Firewall R75 Administration Guide. (Free
available)
Configuring Anti-Spoofing: It is important to configure anti-spoofing protection on every
interface of every Security Gateway, including internal interfaces.
Detect - to allow packets that have possibly been spoofed. This option is used for
monitoring purposes and should be used in conjunction with one of the tracking options.
It serves as a tool for learning the topology of a network without actually rejecting
packets.
If there is only one network behind the interface, select Network defined by the
interface IP and Net Mask.
If there is more than one network behind the interface, define a group network object that
consists of all the networks behind the interface by selecting Specific and the group.
Detect - to allow packets that have possibly been spoofed. This option is used for
monitoring purposes and should be used in conjunction with one of the tracking options.
It serves as a tool for learning the topology of a network without actually rejecting
packets.
I was thinking how to explain this in better way and found following link in my bookmarks.
Source: Essential Check Point FireWall-1 NG: An Installation, Configuration, and
Troubleshooting Guide by Dameon D. Welch-Abernathy
on the wrong interface, this is a potentially serious problem a misconfigured host or router,
or an intruder! To catch these sorts of issues, we establish anti-spoofing on the firewall, that is,
preventing the use of IP addresses on interfaces where the hosts should not appear.
When you define anti-spoofing, you assert that only packets with source IPs defined for an
interface are allowed to originate traffic on the interface. For example, if a valid address is
192.168.182.0/24 and the interface is le0, the following are true.
This is different from FireWall-1 4.1, which also validated that a packet being routed to a specific
interface was also valid. This caused all sorts of problems with address translation.
In FireWall-1 4.1 and earlier, this was defined in the Valid Address setting in the Interface
portion of the gateway object. In the NG version, the setting is now called Topology, and we
define it in the Topology frame of the gateway object. Unlike the Valid Address setting in
FireWall-1 4.1, the Topology setting is also used to define external interfaces, which is
important for licensing.
the configuration screen. All other networks are not considered valid. In FireWall-1 4.1 and
earlier, this option was titled the more confusing This Net.
Specific: This option refers to a defined group of network objects (networks, hosts) that make up
the valid addresses for this interface. This is typically used where there are multiple networks
reachable from this interface.
Perform Anti-Spoofing based on interface topology: If this option is checked, anti-spoofing
will be performed on this interface, assuming that Not Defined is not selected. If unchecked,
anti-spoofing will not be performed on this interface. Spoof tracking can be set to None (no
logging), Log, or Alert.
If you enable anti-spoofing, it is highly recommended that you enable logging of this property.
All anti-spoofing drops will log as Rule 0. If you want to log IP Options drops, go to the Log and
Alert frame of the Global Properties screen and enable IP Options Drop logging.
Question 1 Which of the applications in Check Point technology can be used to configure
security objects?
Answer:
SmartDashboard
Question 2 Which of the applications in Check Point technology can be used to view who and
what the administrator do to the security policy?
Answer:
SmartView Tracker
Question 3 What are the two types of Check Point NG licenses?
Answer:
Central and Local licenses
Central licenses are the new licensing model for NG and are bound to the SmartCenter server.
Local licenses are the legacy licensing model and are bound to the enforcement module.
Question 4 What is the main different between cpstop/cpstart and fwstop/fwstart?
Answer:
Using cpstop and then cpstart will restart all Check Point components, including the SVN
foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1.
Question 5 What are the functions of CPD, FWM, and FWD processes?
Answer:
CPD CPD is a high in the hierarchichal chain and helps to execute many services, such as
Secure
Internal Communcation (SIC), Licensing and status report.
FWM The FWM process is responsible for the execution of the database activities of the
SmartCenter server. It is; therefore, responsible for Policy installation, Management High
Availability (HA) Synchronization, saving the Policy, Database Read/Write action, Log
Display, etc.
FWD The FWD process is responsible for logging. It is executed in relation to logging,
Security
Servers and communication with OPSEC applications.
Question 6 How to Install Checkpoint Firewall NGX on SecurePlatform?
Answer:
1. Insert the Checkpoint CD into the computers CD Drive.
2. You will see a Welcome to Checkpoint SecurePlatform screen. It will prompt you to press any
key. Press any key to start the installation,otherwise it will abort the installation.
3.You will now receive a message saying that your hardware was scanned and found suitable for
installing secureplatform. Do you wish to proceed with the installation of Checkpoint
SecurePlatform.
Of the four options given, select OK, to continue.
4.You will be given a choice of these two:
SecurePlatform
SecurePlatform Pro
Select Secureplatform Pro and enter ok to continue.
5.Next it will give you the option to select the keyboard type. Select your Keyboard type (default
is US) and enter OK to continue.
6.The next option is the Networking Device. It will give you the interfaces of your machine and
you can select the interface of your choice.
7.The next option is the Network Interface Configuration. Enter the IP address, subnet mask and
the default gateway.
For this tutorial, we will set this IP address as 1.1.1.1 255.255.255.0 and the default gateway as
1.1.1.2 which will be the IP address of your upstream router or Layer 3 device.
8.The next option is the HTTPS Server Configuration. Leave the default and enter OK.
9.Now you will see the Confirmation screen. It will say that the next stage of the installation
process will format your hard drives. Press OK to Continue.
10.Sit back and relax as the hard disk is formated and the files are being copied.
Once it is done with the formatting and copying of image files, it will prompt you reboot the
machine and importantly REMOVE THE INSTALLATION CD. Press Enter to Reboot.
Note: Secureplatform disables your Num Lock by over riding System BIOS settings, so you
press Num LOck to enable your Num Lock.
For the FIRST Time Login, the login name is admin and the password is also admin.
11.Start the firewall in Normal Mode.
12.Configuring Initial Login:
Enter the user name and password as admin, admin.
It will prompt you for a new password. Chose a password.
Enter new password: check$123
Enter new password again: check$123
You may choose a different user name:
Enter a user name:fwadmin
Now it will prompt you with the [cpmodule]# prompt.
13. The next step is to launch the configuration wizard. To start the configuration wizard, type
sysconfig.
You have to enter n for next and q for Quit. Enter n for next.
14.Configuring Host name: Press 1 to enter a host name. Press 1 again to set the host name.
Enter host name: checkpointfw
You can either enter an ip address of leave it blank to associate an IP address with this hostname.
Leave it blank for now.
Press 2 to show host name. It now displays the name of the firewall as checkpointfw.
Press e to get out of that section.
15.Configuring the Domain name.
Press 2 to enter the config mode for configuring the domain mode. Press 1 to set the domain
name.
Enter domain name:yourdomain.com
Example:
CHECKPOINT
Q.1
Q.2
Q.3
Q.4
Q.5
Q.6
Ans.
In case of SNAT
Antispoofing
Session lookup
Policy lookup
Routing
Netting
In case of DNAT
Antispoofing
Session lookup
Policy lookup
Netting
Routing
Q.7
Q.8
Q.9
Q.10
Q.11
Q.12
Q.13
Q.14
Q.15
Q.16
Q.17
Q.18
CHECKPOINT CLUSTER
Q.1
Q.2
Q.3
Q.4
Q.5
Q.6
CHECKPOINT VPN
Q.1 Difference between IPSec and SSL VPN?
Q.2 Difference between Domain Base and Route Base VPN?
Q.3 What are the protocols of IPSec? And what are the Port numbers of various
IPSec Protocols.?
Q.4 What is NAT traversal? Where it used?
Q.5 How use NAT in VPN Tunnel?
Q.6 What is Norm in IPSec?
Q.7 What the Phases of IPSec VPN? And many messages being exchanged in MAIN
and QUICK Mode? What are these messages?
Q.8 What is Encryption Domain?