TO REGISTER
Email: mtc_register@mtechpro.com
Tel: (65) 6822 8708
Fax: (65) 6822 8709
CPX-002 Check Point Security Administration
NGX II (CCSE NGX)

Duration: 3 days (9:00 am to 5:00 pm)

Course Description
Check Point Security Administration NGX II offers advanced training on VPN-1/FireWall-1, and
delivers in-depth information on VPN and encryption technologies. This course is designed for
Security Administrators and resellers who require in-depth knowledge of VPN-1/FireWall-1 that
goes beyond basic installation, setup, and methodologies. Designed for more experienced security
professionals, CCSE NGX certification is one of the most highly recognized and respected vendor-
specific security certifications available. CCSE NGX is an advanced Core security certification
built on CCSA NGX, confirming in-depth skills and expertise in managing and supporting Check
Point products. Proficiencies include configuring and managing VPN-1/FireWall-1 as an Internet
security solution and virtual private network (VPN), using encryption technologies to implement
site-to-site and remote access VPNs, and configuring content security by enabling Java blocking
and anti-virus checking.
You will learn to:
♦ Use NGX tools to install NGX on Windows Server 2003 and SecurePlatform
♦ Use NGX tools to upgrade to NGX, from VPN-1/FireWall-1 NG or VPN-1 NG with
Application Intelligence
♦ Use advanced NGX features to minimize the information-security management
burden, when working with objects and rules
♦ Determine whether Database Revision Control or Policy Package Management is the
appropriate solution, given a variety of scenarios
♦ Identify the features and limitations of Management High Availability
♦ Use fw monitor to capture and view packets
♦ Use fw ctl pstat to verify the health of the NGX Security Gateway and SmartCenter
Server
♦ Review VPN-1 debugging and troubleshooting commands, including cpinfo
♦ Given a variety of Check Point QoS configurations, determine how bandwidth will be
allocated
♦ Identify situations where Low Latency Queueing and Differentiated Services are an
appropriate part of a QoS solution
♦ Configure NGX to allow VoIP traffic to pass through a corporate Security Gateway
♦ Identify different modes in ClusterXL configuration, and configure ClusterXL VPN
♦ Configure a Policy Server and SecureClient Rule Base
♦ Configure route-based VPN and dynamic VPN routing

Lab Exercises:
♦ Installing VPN-1/FireWall-1
♦ Setting up SecuRemote and SecureClient for remote-access VPNs
♦ Configuring logical servers for load balancing
♦ Using content security to enable Java blocking, URL filtering and anti-virus checking
♦ Configuring two-gateway IKE encryption

Target Audience

♦ Systems administrators, security managers, or network engineers implementing VPN-
1/FireWall-1 for VPN deployments.
♦ Individuals seeking the Check Point Security Expert (CCSE) NGX certification.

Course Objectives
♦ Use NGX tools to install NGX on Windows Server 2003 and SecurePlatform
♦ Use NGX tools to upgrade to NGX, from VPN-1/FireWall-1 NG or VPN-1 NG with
Application Intelligence
♦ Use advanced NGX features to minimize the information-security management
burden, when working with objects and rules
♦ Use the commands fw monitor, fw ctl pstat and cpinfo to debug and troubleshoot NGX
issues
♦ Given a variety of Check Point QoS configurations, determine how to allocate
bandwidth
♦ Configure NGX to allow VoIP traffic to pass through a corporate Security Gateway
♦ Identify different modes in ClusterXL configuration, and configure ClusterXL VPN
♦ Configure a Policy Server and SecureClient Rule Base, a route-based VPN, and
dynamic VPN routing
Course Outline

Chapter 1: Check Point Security Administration NGX II
♦ Course Objectives
♦ Course Layout
Prerequisites
Check Point Certified Security Expert (CCSE)
♦ Recommended Setup for Labs

Chapter 2: Installing VPN-1 NGX and Upgrading
♦ Objectives
♦ Key Terms
♦ Preinstallation Configuration
♦ Distributed Installation
♦ Upgrading To NGX
Upgrade Guidelines
Upgrade Order
Upgrade Export / Import
Upgrading via SmartUpdate
♦ NGX Backward Compatibility
Supported Versions
♦ Licensing NGX
Obtaining Licenses
Deploying Licenses
♦ Upgrading Licenses to NGX
♦ Licensing and Troubleshooting
Viewing Licenses in User Center
Viewing Licenses in SmartView Monitor
♦ Lab 1: NGX Distributed Installation
♦ Lab 2: Installing VPN-1 Pro Gateway on SecurePlatform Pro
♦ Lab 3: Upgrading NG with AI R55 to NGX
♦ SmartCenter Server Pre-Upgrade Overview
Pre-Upgrade Verification-Tool Syntax
♦ SmartCenter Server Upgrade
SmartCenter High Availability Upgrade
SecurePlatform Upgrade
Advanced Upgrade
Upgrading on Windows
♦ Security Gateway Upgrade
Clustered Deployment Upgrade
SmartUpdate Upgrade
SecurePlatform R54, R55, and Later Upgrade
SecurePlatform NG FP2, FP3, or FP3 Edition 2 Upgrade
Upgrading Gateway on Windows
♦ Lab 4: Upgrading NG with AI Security Gateway via SmartUpdate
♦ Review
Review Questions
Review Answers

Chapter 3: Advanced NGX Management Concepts
♦ Objectives
♦ Key Terms
♦ Advanced Rule Base Functions
Object Cloning
♦ Lab 5: Creating Objects Using Object Cloning
♦ Rule Base Management
♦ Database-Revision Control and Policy Package Management
Database Revision Control
Policy Package Management
♦ Lab 6: Using Database Revision Control
♦ Management High Availability
Primary vs. Secondary
Active vs. Standby
Restrictions
Synchronization
♦ Lab 7: Deploying Management HA
♦ Review
Review Questions
Review Answers

Chapter 4: Administrative Utilities
♦ Objectives
♦ Key Terms
♦ Protocol Analyzers Overview
♦ NGX fw monitor
♦ Lab 8: Capturing Information with fw monitor
♦ NGX Debug Commands
♦ fw ctl pstat
♦ fw ctl debug
♦ Using the fw tab command
♦ Debug Mode with fwd
♦ Debugging cpd Process
OPSEC Related Issues
General cpd Issues
Redirecting Output
♦ The cpinfo File
♦ VPN Debugging Tools
♦ SecureClient Debugging Tools
♦ Debugging Logging
♦ Lab 9: Using fw ctl pstat
♦ Lab 10: Using cpinfo
♦ Review
Review Questions
Review Answers

Chapter 5: Check Point QoS
♦ Objectives
♦ Key Terms
♦ Check Point QoS Overview
Check Point QoS Architecture
Check Point QoS Deployment Considerations
♦ Check Point QoS Policy
Check Point QoS Rule Base
QoS Action Properties
Bandwidth Allocation and Rules
♦ Differentiated Services
DiffServ Markings for IPSec Packets
Interaction Between DiffServ Rules and Other Rules
♦ Low Latency Queuing
Low Latency Classes
Low Latency Class Priorities
When to Use Low Latency Queueing
♦ Advanced Features
Authenticated QoS
Citrix MetaFrame Support
Load Sharing
♦ Monitoring QoS Policy
SmartView Tracker
SmartView Monitor
Eventia Reporter
♦ Optimizing Check Point QoS
♦ Lab 11: Configuring Check Point QoS Policy
♦ Review
Review Questions
Review Answers

Chapter 6: Enabling Voice Over IP Traffic
♦ Objectives
♦ Key Terms
♦ Voice Over IP Basics
Supported Protocols
♦ Configuring NGX for H.323-based VoIP Traffic
♦ Enabling VoIP Traffic in an H.323 Environment
Gatekeeper Object Configuration
Configuring Gatekeeper Routing Mode
Gateway Object Creation (Optional)
Configuring Gateway Routing Mode
Configuring Global Properties
Configuring the Rule Base for H.323 Traffic
♦ Enabling VoIP Traffic in a SIP Environment
Defining the VoIP SIP Domain
Configuring Global Properties
Configuring the Rule Base for SIP Traffic
SIP Services
♦ Lab 12: Configuring Security Policy for VoIP Communications
♦ Review
Review Questions
Review Answers

Chapter 7: ClusterXL
♦ Objectives
♦ Key Terms
♦ High Availability
♦ Load Sharing
♦ State Synchronization
♦ CPHA Commands
cphastart
cphastop
cphaprob
fw hastat
♦ Debugging ClusterXL Issues
♦ ClusterXL Configuration Issues
♦ Lab 13: Deploying New Mode High Availability
♦ Lab 14: Manual Failover (Optional)
♦ Lab 15: Configuring Load Sharing Unicast (Pivot) Mode
♦ Lab 16: Configuring Load Sharing Multicast Mode (Optional)
♦ Review
Review Questions
Review Answers

Chapter 8: Advanced VPN
♦ Objectives
♦ Key Terms
♦ SecureClient
Network Configuration
Licensing
♦ SecureClient Policy
Installing Desktop Policies
♦ Lab 17: Configuring the Policy Server
♦ VPN Routing
VPN Routing with DAIP
Remote-Access Clients and VPN Routing
Security and Connectivity
Remote Client to Remote Client
DAIP Environment
Hub / Satellite Environment
SecuRemote / SecureClient Environment
♦ Lab 18: Configuring VPN Routing
♦ Route-Based VPN
Example
♦ VPN Tunnel Interface
Numbered / Unnumbered VTIs
Configuring VTIs
♦ Directional VPN Rule Match
♦ Dynamic VPN Routing
Configuring Dynamic VPN Routing Using OSPF
♦ Wire Mode in Route-Based VPN
How Wire Mode Works
Wire Mode in Route-Based VPN
♦ Lab 19: Route-Based VPN Using Static Routes
♦ Lab 20: Dynamic VPN Routing Using OSPF
♦ Review
Review Answers