
• What is Stateful packet inspection or dynamic packet filtering?

Stateful Inspection, invented and patented by Check Point, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. It analyzes packets down to the application layer. By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement a much tighter security posture. Unlike static packet filtering, which examines a packet based only on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A stateful firewall may, for example, examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall. As an added security measure against port scanning, stateful inspection firewalls close off ports until a connection to the specific port is requested.

• What is deep inspection?

• What is 3-way handshaking?

3-way handshake is a process used to establish a TCP connection. Basically, machine A sends a packet with a SYN flag set to Machine B. B acknowledges A's SYN with a SYN/ACK. Machine A then acknowledges B's SYN/ACK with an ACK.

Host A sends a TCP SYNchronize packet to Host B
Host B receives A's SYN
Host B sends a SYNchronize-ACKnowledgement
Host A receives B's SYN-ACK
Host A sends ACKnowledge
Host B receives ACK. TCP socket connection is ESTABLISHED.

• What is Smart view monitor?

SmartView Monitor centrally monitors Check Point and OPSEC devices, presenting a complete visual picture of changes to gateways, tunnels, remote users and security activities. This enables administrators to immediately identify changes in network traffic flow patterns that may signify malicious activity.

Benefits:
• Maintains high network availability
• Improves efficiency of bandwidth use
• Tracks SLA compliance
• Increases security ROI
• Responds quickly to network and security changes

• How can we see the gateway status in Check Point?

Using SmartView Monitor.

• What is tcpdump?

• Can we check which IP an internal IP is NATted to without checking the firewall rule base?

Yes. Go to Show Query Properties in SmartView Tracker, then tick xlatesrc or xlatedst.

• What is Hide NAT?

Hide NAT: With a NAT gateway, it is possible to share a single public address with multiple computers on your intranet that have private addresses. The Internet is unaware of the division you have created between the Internet and your intranet, and sees your multiple computer connection as simply a single connection. Hide NAT allows only connections that originate on the internal network. This lets an internal host initiate a connection to both inside and outside the intranet, but a host outside the network cannot initiate a connection to an internal host. The Hide Address is the address behind which the internal network, address range or node is hidden. You can choose to hide the internal address(es) behind a virtual IP address, which is a public (routable) IP address that does not belong to any real machine, or behind the IP address of the VPN-1 Pro interface through which the packet is routed out (what used to be known as "Hiding behind IP address 0.0.0.0").

• What is Static NAT?

Static NAT translates each private address to a corresponding public address. Static NAT on a node translates the private address of the node to a public address. Static NAT on a network or address range translates each IP address in the network or range to a corresponding public IP address, starting from the defined Static IP address.

• What is anti-spoofing? How can we configure this in Check Point?

From Gateway Properties > Topology, anti-spoofing can be enabled.

• What is Smart console?

• What is Address spoofing?

The term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

• What is Automatic NAT?

Automatic NAT Rules: Allow bi-directional NAT applies to automatic NAT rules in the Address Translation Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection. When NAT is defined for a network object, an automatic NAT rule is generated which performs the required translation. If there are two such objects and one is the source of a connection and the other the destination, then without Bidirectional NAT, only one of these objects will be translated, because only one of the automatically generated NAT rules will be applied, and so a connection between the two objects will only be allowed in one direction. With Bidirectional NAT, both automatic NAT rules are applied, and both objects will be translated, so connections between the two objects will be allowed in both directions. The operation of Bidirectional NAT can be tracked using the SmartView Tracker, using the fields NAT Rule Number and NAT Additional Rule Number. The "additional rule" is the rule that matches the automatic translation performed on the second object in Bidirectional NAT.

• What is dynamic NAT?

• What is SIC? How does SIC communication work between SmartCenter and the SPLAT module?

SIC is Secure Internal Communication, the process by which communicating components and the SmartCenter Server authenticate themselves. Once successfully authenticated, these components can communicate freely and securely.
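As an added example (not from the original page), the following Python model shows the Hide NAT and Static NAT behaviour described above: Hide NAT multiplexes many inside hosts behind one Hide Address and has no state for outside-initiated traffic, while Static NAT maps a private range one-to-one onto consecutive public addresses. All addresses and ports are constructed sample values.

```python
from ipaddress import IPv4Address

# Added example, not Check Point code: a toy NAT table illustrating Hide NAT
# versus Static NAT. Addresses below are constructed sample values.

class HideNat:
    """Many private hosts share one routable Hide Address (port-multiplexed)."""
    def __init__(self, hide_addr, first_port=10000):
        self.hide_addr = hide_addr
        self.next_port = first_port
        self.out = {}   # (private_ip, private_port) -> port on the Hide Address
        self.back = {}  # port on the Hide Address -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port):
        """Inside host opens a connection: allocate a port on the Hide Address."""
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.hide_addr, self.out[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Reply arrives: map back only if an inside host created the entry.
        Anything else has no state and is dropped (returns None)."""
        if dst_ip != self.hide_addr:
            return None
        return self.back.get(dst_port)

class StaticNat:
    """One-to-one translation of a private range onto consecutive public IPs,
    starting from the defined public (Static) address."""
    def __init__(self, private_first, private_last, public_first):
        lo, hi = int(IPv4Address(private_first)), int(IPv4Address(private_last))
        pub = int(IPv4Address(public_first))
        self.fwd = {str(IPv4Address(lo + i)): str(IPv4Address(pub + i))
                    for i in range(hi - lo + 1)}
        self.rev = {v: k for k, v in self.fwd.items()}

    def to_public(self, private_ip):
        return self.fwd.get(private_ip)

    def to_private(self, public_ip):
        """Unlike Hide NAT, an outside host can reach a statically mapped node."""
        return self.rev.get(public_ip)
```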

Understanding the Attributes: The Activation Key and the Trust State

Activation Key is required on both the SmartCenter Server and the module in order to ensure a secure download. This key is used to authenticate the communicating components.

Trust State reflects the state of the communication between the module and the SmartCenter Server. There are three Trust states:

Un-initialized is where a certificate was not issued to the module, therefore the module cannot open a secure communication channel.

Initialized but Trust not established is a transient stage in which the ICA has issued a certificate but the module has not yet received it. Possible causes for this are: the Activation Key entered on the module side does not match the key entered on the SmartCenter Server; the module is not up or not connected to the network.

Trust established is where the module has received the certificate and is communicating with the SmartCenter Server.

Initializing SIC
1 Enter the Activation Key. This key must be identical on both sides.
2 Click Initialize to begin the SIC process.
3 View the Trust State in order to track the progress of the SIC initialization.

Stopping SIC: Click Reset.

Checking the SIC Status: Click Test SIC status.

Testing and Revoking SIC

Initialize begins the SIC process. During the initialization process, a certificate is created by the Internal Certificate Authority (ICA) and downloaded securely to the module. SIC must be initialized for every module separately.

Test SIC Status reflects the state of the module after it has received the certificate issued by the ICA. If the SIC status is Unknown then there is no connection between the Module and the SmartCenter Server. If the SIC status is Not Communicating, an error message will appear. It may contain specific instructions on how to remedy the situation.

Reset revokes the SIC certificate issued to the module, and ceases all communication between the modules.

Establishing SIC with a Dynamic IP Address Enforcement Module

The following two options become available as a result of selecting Dynamic Address in the Gateway's General Properties window. This machine currently uses this IP address enables the establishment of SIC using the IP address that is currently used by the DAIP gateway. Enter this IP address in the space provided. I will enter the IP address and establish trust later enables the postponement of SIC establishment.

• How can we take a backup of SmartCenter & the firewall module on SPLAT?
• What is the backup restoration command in SPLAT? How does this process work?
• How many files are responsible for SmartView Tracker logs and which are they?
• What is intruder blocking and how can we do this?
• Which command is used to configure SPLAT via CLI?
• What version of Nokia firewall do you have?
• What is IPSO?
• What is VRRP? How can we configure this in Nokia?
• How can we configure redundancy in Check Point and how many ways are there?
• How can we take a backup of the Nokia firewall module?
• What is VPN? What are the various modes?
• What are interoperable devices?
• Difference between main mode & aggressive mode?

Main Mode

An IKE session begins with the initiator sending a proposal or proposals to the responder. The proposals define what encryption and authentication protocols are acceptable, how long keys should remain active, and whether perfect forward secrecy should be enforced. Multiple proposals can be sent in one offering. The first exchange between nodes establishes the basic security policy; the initiator proposes the encryption and authentication algorithms it is willing to use. The responder chooses the appropriate proposal (we'll assume a proposal is chosen) and sends it to the initiator. The next exchange passes Diffie-Hellman public keys and other data. All further negotiation is encrypted within the IKE SA. The third exchange authenticates the ISAKMP session. Once the IKE SA is established, IPSec negotiation (Quick Mode) begins.

Aggressive Mode

Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator. The responder sends the proposal, key material and ID, and authenticates the session in the next packet. The initiator replies by authenticating the session. Negotiation is quicker, and the initiator and responder ID pass in the clear.

Step 2: IKE Phase One

The basic purpose of IKE phase one is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase one performs the following functions:
• Authenticates and protects the identities of the IPSec peers
• Negotiates a matching IKE SA policy between peers to protect the IKE exchange
• Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
• Sets up a secure tunnel to negotiate IKE phase two parameters

IKE phase one occurs in two modes:
• Main mode
• Aggressive mode

Main Mode

Main mode has three two-way exchanges between the initiator and receiver.
• First exchange—The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
• Second exchange—This exchange uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity.
• Third exchange—This exchange verifies the other side's identity. The identity value is the IPSec peer's IP address in encrypted form.

The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bidirectional.

Aggressive Mode

In the aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values: the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet, which can be used to verify the initiator's identity through a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using the aggressive mode is that both sides have exchanged information before there is a secure channel. Therefore, it is possible to sniff the wire and discover who formed the new SA. However, aggressive mode is faster than main mode. Step 2 is shown in Figure 1-17.

Figure 1-17 IKE Phase One

Step 3: IKE Phase Two

The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:
• Negotiates IPSec SA parameters protected by an existing IKE SA
• Establishes IPSec security associations
• Periodically renegotiates IPSec SAs to ensure security
• Optionally performs an additional Diffie-Hellman exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase one. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs.
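As an added illustration (not part of the original page) of the phase-one modes and the optional phase-two Diffie-Hellman exchange described above, this Python model shows that aggressive mode puts identities on the wire before any protected channel exists, and that keying material from a quick mode that ran a fresh Diffie-Hellman exchange cannot be rederived from the phase-one secret plus the recorded exchange alone. The group parameters and the HMAC stand-in for the IKE PRF are assumptions for readability, not the real IKE groups or key-derivation functions.

```python
import hmac, hashlib, secrets

# Toy Diffie-Hellman group (constructed for readability; NOT a secure group).
# Real IKE uses the MODP groups defined for IKE and its own PRF.
P = 2**127 - 1
G = 3
NBYTES = (P.bit_length() + 7) // 8

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(NBYTES, "big")

def kdf(key, data):
    # Stand-in for the IKE PRF; only the structure of the derivation matters here.
    return hmac.new(key, data, hashlib.sha256).digest()

def phase_one(init_id, resp_id, mode):
    """IKE phase one: DH exchange, then identities. Returns (skeyid_d, ids_on_wire)."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    shared = dh_shared(xi, gr)           # responder computes the same value from (xr, gi)
    skeyid_d = kdf(shared, b"SKEYID_d")  # root of all later keying material
    if mode == "aggressive":
        ids_seen = (init_id, resp_id)    # IDs sent before a protected channel exists
    else:
        ids_seen = None                  # main mode: IDs sent in the encrypted 3rd exchange
    return skeyid_d, ids_seen

def quick_mode(skeyid_d, pfs):
    """IKE phase two: fresh nonces, optional new DH. Returns (keymat, recorded_view)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if not pfs:
        return kdf(skeyid_d, b"KEYMAT" + ni + nr), (ni, nr)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    fresh = dh_shared(xi, gr)            # new shared secret for this quick mode only
    return kdf(skeyid_d, b"KEYMAT" + fresh + ni + nr), (ni, nr, gi, gr)

def recovered_without_private_keys(skeyid_d, recorded_view):
    """What someone holding skeyid_d and the recorded exchange can rederive:
    the whole KEYMAT without PFS, but not the 'fresh' DH secret with PFS."""
    ni, nr = recorded_view[0], recorded_view[1]
    return kdf(skeyid_d, b"KEYMAT" + ni + nr)
```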

Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase one.

Perfect Forward Secrecy

If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing keying material that has greater entropy (key material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use a

• What is IKE?
• What is IPSEC?
• How can we provide read-only & r/w access to Check Point?
• What is office mode in case of remote access VPN?
• How can we configure a site-to-site VPN in Check Point R60?
• How can we configure remote access VPN in Check Point?

TCP FLAGS: Control Bits
==============
The control bits are six flag bits, used in identifying and handling the TCP segment. The following are the control bits used:
• URG—The Urgent Pointer (URG) flag indicates to the receiver to accept data as it is deemed urgent.
• ACK—The Acknowledgment (ACK) flag identifies the successful reception of the segment and the next data byte, as specified in the Acknowledgment Number field, to be expected by the sender from the receiver.
• PSH—The Push (PSH) flag, when set, tells the receiver to immediately forward or push the data to the application.
• RST—The Reset (RST) flag is used to abort an existing connection and reset it so that the buffers holding the data can be cleared.
• SYN—The Synchronization (SYN) flag is used to signal that the sequence numbers between the receiver and the client need to be synchronized. The SYN bit is used during the initial connection setup between the client and the server.
• FIN—The Finished (FIN) flag is used to tell the receiver that the sender is finished sending the data and the receiver can close its half of the connection.
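The following Python example is added here (it is not from the original page) to tie together three passages above: the TCP control bits just listed, the 3-way handshake, and the state table that stateful inspection keeps. It decodes the six flag bits from a raw 20-byte TCP header and runs segments through a toy state table that admits only connections the inside opened, so an unsolicited inbound SYN finds no state and is dropped. The header builder, the inside network 10.0.0.0/24 and all addresses are constructed for the example.

```python
import struct
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Added example, not Check Point code: decode TCP control bits and run segments
# through a toy state table like the one stateful inspection keeps.
FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
SYN, ACK, FIN, RST = FLAGS["SYN"], FLAGS["ACK"], FLAGS["FIN"], FLAGS["RST"]
Segment = namedtuple("Segment", "src_port dst_port seq ack flags")

def build_tcp(sport, dport, seq, ack, flags):
    """Construct a 20-byte TCP header (data offset 5 words, zero checksum) for tests."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def parse_tcp_header(raw):
    """Decode the fixed TCP header; the control bits are the low 6 bits of word 6."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Segment(sport, dport, seq, ack, off_flags & 0x3F)

def flag_names(flags):
    return "|".join(n for n, bit in FLAGS.items() if flags & bit) or "NONE"

class StatefulFilter:
    """Allow TCP only when it belongs to a connection the inside opened."""
    def __init__(self, inside_net):
        self.inside = ip_network(inside_net)
        self.table = {}  # (in_ip, in_port, out_ip, out_port) -> connection state
    def inspect(self, src_ip, dst_ip, seg):
        outbound = ip_address(src_ip) in self.inside
        key = ((src_ip, seg.src_port, dst_ip, seg.dst_port) if outbound
               else (dst_ip, seg.dst_port, src_ip, seg.src_port))
        state = self.table.get(key)
        if state is None:                       # no entry: the port looks closed
            if outbound and seg.flags == SYN:   # handshake step 1 from inside
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"                       # unsolicited inbound SYN or probe
        if state == "SYN_SENT" and not outbound and seg.flags == SYN | ACK:
            self.table[key] = "SYN_RECEIVED"    # step 2: peer's SYN/ACK
            return "ALLOW"
        if state == "SYN_RECEIVED" and outbound and seg.flags & ACK:
            self.table[key] = "ESTABLISHED"     # step 3: our ACK completes it
            return "ALLOW"
        if state == "ESTABLISHED":
            if seg.flags & (FIN | RST):         # teardown: forget the entry
                del self.table[key]
            return "ALLOW"
        return "DROP"                           # out of sequence for this state
```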