Security Administration
Lab Manual
R80

Check Point Software Technologies Ltd.

© 2016 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 6797, Israel. Tel: 972.3755 455
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070. Tel: 650.628.2000, Fax: 650.684.4253
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063. Tel: 972444-612, Fax: 972.506.7913

E-mail comments or questions about our courseware to: courseware@us.checkpoint.com
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com

Document #: DOC-Manual-CCSA-R80
Revision: R80
Content: Joey Witt, Vanessa Johnson, Whitney Bentley
Graphics: Chunming Jia

Contributors (Beta Testing, Content Contribution, or Technical Review):
- Michael Aji - Wickhill - England
- Chis Alblas - QA - England
- Mao Angelasto - Tay Maly
- i Fashha - Soluciones Seguras - Panama
- Michael Curin - Red Education - Australia
- shin Fetnani - K-Secure - India
- Patick Felener - Arrow ECS - Austin
- Omar Gonzaler - Soluciones Seguras - Panama
- Matk Halsall - Check Point Software Technologies - USA
- Eli Har-Even - Check Point Software Technologies - Israel
- Anthony Jubaire - Arrow ECS - France
- Yasushi Keno - Arrow ECS - Germany
- Fotizio Lamanna - Check Point Software Technologies - USA
- Jani Linder - ST - Slovenia
- Valet Loukine - Dimension Data - Switzerland
- Dries Mertens - Westcon - Belgium
- Pots Misiowiee - CLIC - Poland
- Richard Path - Arrow ECS - England
- Sigadkuma Patel - Check Point Software Technologies - USA
- Yaakov Simon - Check Point Software Technologies - Israel
- Dan Vllovasery - Arrow ECS - England
- ik Wagemans - Proximus ICT Academy - Belgium
- Kim Winild - Check Point Software Technologies - USA

Special Thanks: Ashley McDowell - Arrow ECS - UK (London Beta Host); Mao Fle - Fray (Milan Beta Host)
Certification Exam Development: Ken Fisley
Check Point Technical Publications Team: Rochelle Fisher, DalyYam, Eli Har Even, Paul Grigg, Richard Levine, Rivksh Ander, Shira Rosen, Yaakov Simon

facebook.com/CheckPointEducation

Table of Contents

Lab 1.1: Working with Gaia Portal
- Reviewing and Configuring Basic Settings in the Gaia Portal
- Defining Roles and Creating Check Point Users
- Working in Expert Mode
- Applying Useful Commands
- Adding and Deleting Administrators via the CLI
- Testing User Role Assignments

Lab 1.2: Installing and Touring SmartConsole
- Installing SmartConsole
- Touring SmartConsole

Lab 2.1: Modifying an Existing Security Policy
- Reviewing and Modifying Objects in the Check Point Security Management Architecture
- Editing and Creating Rules for the Alpha Rule Base
- Reviewing Existing Security Policy Settings
- Organizing the Rule Base
- Creating a New Host Object
- Defining a New Rule
- Publishing and Managing Revisions

Lab 2.2: Configuring Hide and Static Network Address Translation
- Configuring Hide Network Access Translation
- Configuring Static Network Access Translation
- Testing Network Address Translation

Lab 2.3: Managing Administrator Access
- Creating Administrators and Assigning Profiles
- Configuring IPS
- Testing Profile Assignments
- Managing Concurrent Administrator Sessions
- Disconnecting an Administrator Session
- Defining WiFi Access

Lab 2.4: Installing and Managing a Remote Security Gateway
- Installing Gaia on a Remote Security Gateway
- Update the Alpha Security Policy
- Using the Gaia Portal to Configure the Branch Office Security Gateway
- Configuring the Alpha Security Policy to Manage the Remote Security Gateway
- Creating a New Security Policy

Lab 2.5: Managing Backups
- Scheduling a Security Management System Backup
- Managing Scheduled Security Gateway Backups
- Performing Backup via CLI

Lab 3.1: Defining Access Control Policy Layers
- Assigning Layers to an Existing Security Policy
- Specifying an Installation Target Gateway

Lab 3.2: Implementing Application Control and URL Filtering
- Configuring the Application Control & URL Filtering Rule Base
- Creating a Rule to Block an Application
- Reviewing Dropped Traffic

Lab 3.3: Defining and Sharing Security Policy Layers
- Adding a New Access Control Layer
- Configuring the Application Control & URL Filtering Policy Layer
- Confirming the Policy Layer Sharing

Lab 4.1: Activating the Compliance Software Blade
- Activating the Compliance Software Blade

Lab 4.2: Working with Licenses and Contracts
- Verifying the Status of Existing Licenses in SmartConsole
- Importing Licenses
- Attaching Licenses
- Verifying the Status of Existing Licenses in the Gaia Portal

Lab 5.1: Working with Check Point Logs
- Viewing Logs and Log Search Results

Lab 5.2: Maintaining Check Point Logs
- Scheduling Log Maintenance

Lab 6.1: Configuring a Site-to-Site VPN Between Alpha and Bravo
- Defining the VPN Domain
- Creating the VPN Community
- Creating the VPN Rule and Modif...
- Testing the VPN

Lab 7.1: Providing User Access
- Configuring the Security Policy for Identity Awareness
- Defining the User Access Role
- Testing Identity Awareness Connection
- Control Tablet Access Through Captive Portal (Optional)

Lab 8.1: Working with ClusterXL
- Reviewing High Availability Settings
- Testing High Availability

Lab 9.1: Verifying Network Compliance
- Identifying Inactive Objects
- Reviewing a Compliance Scan Report

Lab 9.2: Working with CPView
- Reviewing Statistics in CPView
- Changing the Refresh Rate of CPView
- Viewing Historical Data in CPView
- Saving Statistics to a File

Lab 1.1: Working with Gaia Portal

This lab is an introduction to Check Point Gaia. Here, you will view and manipulate basic settings of the Gaia operating system through the Gaia Portal, the WebUI. You will also create users and define settings that will appear in later labs.

Tasks:
- Review and configure basic settings in the Gaia Portal.
- Define a new role and create new Check Point users.
- Work in Expert mode.
- Apply useful commands.
- Add and delete administrators via the CLI.
- Test user role assignments.

Performance Objectives:
- Identify important operating system level settings configured through the WebUI.
- Create and confirm administrator users for the domain.
- Configure network messages.
- Confirm existing configuration settings.
Reviewing and Configuring Basic Settings in the Gaia Portal

Follow these steps to connect to the Gaia Portal on the Alpha Security Management Server.

1. From A-GUI, launch a web browser such as Firefox or Internet Explorer.
2. In the address field, type the following:

    https://10.1.1.101

   NOTE: You must use HTTPS to access the Gaia Portal or the connection will fail.

3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
4. Ignore this warning and continue to the site. The system displays the Gaia Portal login screen:

   Figure 1 — Gaia Portal R80

5. Log into A-SMS with the following credentials:

    Username: admin
    Password: Chkp!234

6. Click Login, and the system displays the Gaia Portal Overview page:

   Figure 2 — Overview

7. Review the Overview page and identify the information presented about A-SMS.
8. In the Navigation pane, select System Management > Time:

   Figure 3 — System Management - Time

9. Review the information displayed for the following:
   - Time and Date
   - Time Zone
10. Make any corrections necessary for this information to display correctly for your environment.
11. In the toolbar search field, type the following:

    dns

   Figure 4 — DNS Search Results Displayed

12. In the search results drop-down list, select Hosts and DNS. The system displays the Hosts and DNS page:

   Figure 5 — Network Management - Hosts and DNS

13. Use the information below to configure the DNS settings for A-SMS:

    Host Name: A-SMS
    Domain Name: alpha.cp
    DNS Suffix: alpha.cp
    Primary DNS Server: 192.168.11.101

14. Click Apply.
15. In the Navigation pane, select System Management > Messages:

   Figure 6 — System Management - Messages

16. In the Banner Message field, replace the default text with the following:

    A-SMS Unauthorized access of this server is prohibited and punishable by law.

17. Click Apply to save the message:

   Figure 7 — System Management - Messages Configured

Defining Roles and Creating Check Point Users

All Check Point users and administrators are role-based, with each role defining what privileges are assigned. In this section, you will define operating system level users. In a later lab, you will define application level users.

1. In the Navigation pane, select User Management > Roles:

   Figure 8 — User Management - Roles

2. In the Roles page, click Add. The system displays the Add Role window:

   Figure 9 — Add Role

3. In the Role Name field, enter the following:

    rtrRole

4. In the Search field, enter the following:

    route
   Figure 10 — Add Role - Search Initiated

   NOTE: The search results displayed by the system are a list of commands and features available for assignment to the role, based on the search criteria.

5. To view the assignment options, click the down arrow on the Route item:

   Figure 11 — Add Role - Search Results - Assignment Options

   NOTE: If no privilege is specifically selected for the command or feature, it is not assigned to the role.

6. Assign the following privileges to the rtrRole role:

    Route: Read Only
    Route Map: Read Only
    Static Multicast Routes: Read / Write

   Figure 12 — Add Role - Pri

7. Click OK, and the system adds rtrRole to the list of configured roles:

   Figure 13 — User Management - Roles Configured

8. In the Navigation pane, select User Management > Users:

   Figure 14 — User Management - Users

9. In the Users page, click Add and the system displays the following:

   Figure 15 — Add User

10. Use the information below to configure a new user:

    Login Name: sepadmin
    Password: Chkp!234
    Real Name: Sepadmin
    Home Directory: /home/sepadmin
    Shell: /bin/bash
    Assigned Roles: adminRole
    Access Mechanisms: Web, Command Line

   Figure 16 — Add User Configured

   NOTE: The system automatically assigns the Real Name and Home Directory settings. Here, just accept the defaults assigned.

11. Click OK, and the system displays the new user in the Users list:

   Figure 17 — User Management - Users - User Added

12. In the Users page, click Add and the system displays the Add User window.
13. Use the information below to configure a new user:

    Login Name: rtradmin
    Password: Chkp!234
    Real Name: Router Admin
    Home Directory: /home/rtradmin
    Shell: /etc/cli.sh
    Assigned Roles: rtrRole
    Access Mechanisms: Web, Command Line

   Figure 18 — Add User Configured

14. Click OK to add the new user to the Users list:

   Figure 19 — User Management - Users - New User Added

15. In the toolbar, identify the name of the user currently logged into the system.
16. Click the Logout icon to the right of the username, and the system logs the user out of the Gaia Portal:

   Figure 20 — Gaia Portal Logout

Working in Expert Mode

Gaia has two modes. In order to run some CLI commands, you must be in Expert mode.

1. Log into Gaia on the first gateway in the Alpha cluster, A-GW-01:
    Username: admin
    Password: Chkp!234

2. Then, from the CLI, type the following and press Enter:

    set expert-password

3. When prompted to enter a new password for Expert mode, type and confirm the following:

    Chkp!234

   Figure 21 — set expert-password

4. At the prompt, type the following and press Enter:

    save config

5. From the CLI, run the following command:

    tcpdump -ni eth1

6. Press Enter, and the system displays an error.
7. At the prompt, type the following:

    expert

8. Press Enter, and the system prompts you for the newly configured Expert mode password.
9. Type the following and press Enter:

    Chkp!234

10. Once in Expert mode, you are in BASH. Notice that the prompt now displays Expert@A-GW-01:0, indicating the current mode.

   NOTE: Expert mode is root BASH, so proceed with caution.

11. Type exit and press Enter, so that you are at the Clish prompt.

   NOTE: To exit to the login prompt, you would type exit again.

12. Enter Expert mode.
13. From Expert mode, run the following command and press Enter:

    tcpdump -ni eth1

   NOTE: This runs a packet sniff on eth1.

14. Press Ctrl + C to stop:

   Figure 22 — tcpdump Stopped

   NOTE: More commands worth noting are shutdown and reboot.

15. Type exit and press Enter so that you are in Clish again.

Applying Useful Commands

There are many commands commonly used in troubleshooting on the gateway. Commands to try are those beginning with fw.

1. Type the following command at the prompt, and press Enter. This displays the name of the Security Policy installed on the gateway:

    fw stat

   Figure 23 — fw stat

2. Type the following command at the prompt, and press Enter. This unloads the current Security Policy:

    fw unloadlocal

   Figure 24 — fw unloadlocal

   NOTE: This command unloads all policies from the gateway, preventing network access, disabling IP forwarding, and turning off NAT.
   Consider only using this command when you need to regain access to the gateway and all other measures have failed.

3. Type the following command at the prompt, and press Enter:

    fw stat

   Figure 25 — fw stat

4. Type the following command and press Enter at the prompt, to display the gateway version:

    fw ver

   Figure 26 — fw ver

   NOTE: For more information about each command from the prompt, type the command name followed by --help. For example, fw --help.

5. Type the following command and press Enter, to display the system interfaces:

    show interfaces

   Figure 27 — show interfaces

   NOTE: This command displays information on the available options for the show interfaces command. If you are not sure which flags are available for a command, simply type the basic command and then press the Tab key.

6. Type the following command and press Enter, to display information on eth0:

    show interface eth0

   Figure 28 — show interface eth0

7. Type the following command and press Enter, to display route information:

    show route

   Figure 29 — show route

8. Type the following command and press Enter, to display the routing table:

    netstat -rn

   Figure 30 — netstat -rn

9. Type the following command and press Enter:

    netstat -an

   Figure 31 — netstat -an

   NOTE: The netstat -an command displays running services and down ports.

10. Type the following command and press Enter, to display interface information:

    fw getifs

   Figure 32 — fw getifs

Adding and Deleting Administrators via the CLI

Clish supports multiple administrators on the regular shell. This is important for audit purposes. In the following steps, you will create user Sam with password Chkp!234.

1. From the Clish prompt, type the following command and press Enter:

    add user sam uid 200 homedir /home/sam

   Figure 33 — add user

2. Type the following command and press Enter, to set the user's password:

    set user sam newpass Chkp!234

   Figure 34 — set user sam newpass

   NOTE: When adding users in Clish, you must assign a permissions profile in addition to the password. Because we do not have any permission profiles defined, we are not going to do this step. This is, however, important.

3. Type the following command and press Enter, to set the user's role:

    add rba user sam roles adminRole

   Figure 35 — add rba

4. To show all users, type the following and press Enter:

    show users

   Figure 36 — show users

5. To delete the user Sam, type the following command and press Enter:

    delete user sam

   Figure 37 — delete user

6. To show all users, type the following and press Enter:

    show users

   Figure 38 — show users

7. Verify that user Sam is no longer in the list of configured users.

Testing User Role Assignments

Log into A-SMS as different users to confirm that user privileges are properly assigned.

1. From the desktop of A-GUI, launch PuTTY.
2. Connect to the following IP address:

    10.1.1.101

   Figure 39 — PuTTY

3. Use the information below to log into A-SMS as the admin user:

    Login as: admin
    Password: Chkp!234

   Figure 40 — PuTTY Session - admin

4. Type the following and press Enter:

    show configuration

   Figure 41 — show configuration

5. Exit the PuTTY session.
6. Next, use the information below to log in as a different user:

    Login: rtradmin
    Password: Chkp!234

   Figure 42 — PuTTY Session - router-guy

7. Type the following and press Enter:

    show configuration

   Figure 43 — Invalid Command

8. Note that this user does not have sufficient privileges to execute this command.
9. Next, type the following and press Enter:

    show route summary

   Figure 44 — show route summary

10. End the PuTTY session.

END OF LAB 1.1

Lab 1.2: Installing and Touring SmartConsole

From the Gaia Portal, you will download and install the SmartConsole application. Once installation is complete, tour the new GUI client application to see how to configure and manage your security environment.

Tasks:
- From Gaia Portal, download and install SmartConsole.
- Tour SmartConsole.

Performance Objectives:
- Perform an installation of the SmartConsole application.
- Connect and tour SmartConsole.

Installing SmartConsole

Download the SmartConsole installer from the Gaia Portal of the Security Management Server.

1. From A-GUI, launch a web browser.
2. In the address field, type the following:

    https://10.1.1.101

3. Press Enter. Your browser may warn you that the site's Security Certificate is from an untrusted source.
4. Ignore this warning and continue to the site. The system displays the Gaia Portal Login window:

   Figure 45 — Gaia Portal R80

5. Enter the following information into the Gaia Portal Login window:

    Username: admin
    Password: Chkp!234

6. Click Login, and the system displays the Gaia Portal Overview page:

   Figure 46 — Gaia Portal Overview Page

   NOTE: You can also find the SmartConsole download in the Maintenance section of the Gaia Portal.

7. In the Overview page displayed at login, identify the Manage Software Blades using the SmartConsole banner.
8. Click the Download Now button.
9. Save the SmartConsole.exe in the Downloads folder of A-GUI:

   Figure 47 — Downloads

10. Double-click the SmartConsole.exe file.
    The system displays the following:

   Figure 48 — Welcome to SmartConsole

11. In the Welcome screen, select the following option:

    I have read and agree to the Check Point End User License Agreement

   NOTE: In this lab environment, you should accept the default installation path.

12. Click the Install button, to continue the installation of SmartConsole:

   Figure 49 — Installation

   Figure 50 — Finish

14. Clear the following option:

    Launch SmartConsole

15. Click Finish.

Touring SmartConsole

Launch SmartConsole for the first time and tour the new features for the R80 version.

1. From the desktop of A-GUI, click Start > All Programs > Check Point > SmartConsole R80. The system displays the Login window:

   Figure 51 — SmartConsole Login

2. Use the information below to log into SmartConsole:

    Login as: epadmin
    Password: Chkp!234
    IP Address: 10.1.1.101

3. Click the Login button, and the system displays the Fingerprint message:

   Figure 52 — Fingerprint

4. Next, log into the A-SMS:

   Figure 53 — A-SMS Clish

5. At the prompt, type the following and press Enter:

    cpconfig

   Figure 54 — cpconfig

6. Type 7, and press Enter:

   Figure 55 — Configuration Certificate's Fingerprint

7. Compare the fingerprint displayed on A-SMS to the one displayed on A-GUI.
8. On A-GUI, click Proceed to continue to SmartConsole.
9. Review the Welcome page displayed when logging into R80 for the first time:

   Figure 56 — Welcome to SmartConsole - R80

10. On the Welcome to SmartConsole page, review the features highlighted for this software version.
11. Click the right arrow and the system displays the following:

   Figure 57 — Welcome to R80 - Navigation Frame

12. Identify where in the Navigation frame the following items are located:
   - Application menu
   - Application main navigation
   - Session details and actions
   - Objects management
13. Click the right arrow and the system displays the following:

   Figure 58 — Gateways & Servers

14. Identify where in the Gateways & Servers tab the following items are located:
   - Server status
   - Module version
   - Active software blades
   - CPU usage
   - Object summary
15. Click the right arrow and the system displays the following:

   Figure 59 — Security Policies

16. Identify where in the Security Policies tab the following items are located:
   - Access Control policy
   - Threat Prevention policy
   - Shared Policies
   - Install Policy Button
17. Click the right arrow and the system displays the following:

   Figure 60 — Logs & Monitor

18. Identify where in the Logs & Monitor tab the following items are located:
   - Gateway statistics
   - Infected hosts summary
19. Click the right arrow and the system displays the following:

   Figure 61 — Logs & Monitor

20. Identify where in the Logs & Monitor tab the following items are located:
   - Log views and reports
   - Event analysis
   - Link to launch SmartEvent GUI client
   - Link to launch SmartView Monitor GUI client
21. Click the right arrow and the system displays the following:

   Figure 62 — Manage & Settings

22. Identify where in the Manage & Settings tab the following items are located:
   - Administrators
   - Permission profiles
   - Global software blade settings
   - Automatic Security Policy revision control
23. Close the Welcome to R80 window. You are now logged into SmartConsole:

   Figure 63 — Gateways & Servers

END OF LAB 1.2

Lab 2.1: Modifying an Existing Security Policy

First, you will review the objects that make up the Check Point Security Management Architecture. Then, you will modify the existing Security Policy by defining a DMZ server, editing rules, and verifying Global Properties settings.

Tasks:
- Review the configuration of basic Check Point Security Management Architecture objects: A-GUI, A-SMS, A-Cluster, and A-INT-Net.
- Edit and create rules for the Alpha Rule Base.
- Review existing Security Policy settings.
- Organize the Rule Base.
- Create a new Host object for the DMZ server.
- Define a new rule in the Rule Base that allows access to the DMZ.
- Publish changes and examine revisions.

Performance Objectives:
- Create and configure network, host, and gateway objects.
- Evaluate and manipulate rules in a unified Access Control Security Policy.

Reviewing and Modifying Objects in the Check Point Security Management Architecture

Review the three-tiered architecture of your Check Point deployment.

1. In SmartConsole, select the Security Policies tab. The system displays the Access Control policy:

   Figure 64 — Security Policies - Access Control Policy

2. In the Objects pane, select Network Objects > Hosts.
3. Highlight the A-GUI object, and the system displays the object summary:

   Figure 65 — A-GUI Object Summary

4. Double-click A-GUI, and the system displays the General Properties window of the Host object:

   Figure 66 — Host - General

5. Click OK.
6. In the Objects pane, navigate to and highlight the A-SMS object to view the information displayed in the object summary:

   Figure 67 — A-SMS Object Summary

7. Double-click the A-SMS object, and the system displays the General Properties window of the Check Point Host object:

   Figure 68

8. In the Navigation pane, select Logs. The system displays a list of the Security Gateways or Security Gateway clusters that send logs to this Security Management Server:

   Figure 69 — Check Point Host - Logs

9. Double-click the A-GW-Cluster object, and the system displays the object's General Properties window:

   Figure 70 — Gateway Cluster - General Properties

10. In the Navigation pane, select Network Management:

   Figure 71 — Gateway Cluster - Network Management

11. In the list of interfaces, double-click eth0:

   Figure 72 — Network - General

12. In the Topology section of the General page, click Modify. The system displays the Topology Settings:

   Figure 73 — Topology Settings

13. Verify that the Leads To section for eth0 (Management Network) is configured as follows:

    This Network (Internal)

14. In the Anti-Spoofing section of the page, select the following option:

    Perform Anti-Spoofing based on interface topology

   Figure 74 — Topology Settings

15. Verify that the Anti-Spoofing action settings are set to Prevent.
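The check that steps 12 to 15 switch on, sketched as an added example that is not part of the lab manual and is not Check Point's implementation: a simplified model of topology-based anti-spoofing that also lists interfaces still left in a non-Prevent state. Only eth0 and its 10.1.1.0/24 network come from the lab; eth1, eth2, their subnets and the verdict strings are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    leads_to: str               # "internal" = This Network (Internal), "external" = Internet
    network: str                # subnet attached to the interface
    anti_spoofing: bool = True  # "Perform Anti-Spoofing based on interface topology"
    action: str = "prevent"     # "prevent" drops the packet, "detect" only logs it


# Constructed topology. eth0 is the lab's 10.1.1.0/24 management network;
# eth1 and eth2 and their settings are hypothetical values for illustration.
TOPOLOGY = (
    Interface("eth0", "internal", "10.1.1.0/24"),
    Interface("eth1", "internal", "192.168.11.0/24", action="detect"),
    Interface("eth2", "external", "203.0.113.0/24"),
)


def source_is_legitimate(iface, src, topology):
    """Return True if a packet with source address src may arrive on iface."""
    addr = ip_address(src)
    if iface.leads_to == "internal":
        # This Network: only addresses of the attached subnet are expected.
        return addr in ip_network(iface.network)
    # External: any source is acceptable except one that belongs behind
    # an internal interface of the same gateway.
    return not any(
        addr in ip_network(other.network)
        for other in topology
        if other.leads_to == "internal"
    )


def check_packet(iface_name, src, topology=TOPOLOGY):
    """Return the verdict for a packet arriving on iface_name from src."""
    iface = next((i for i in topology if i.name == iface_name), None)
    if iface is None:
        raise ValueError(f"unknown interface: {iface_name}")
    if source_is_legitimate(iface, src, topology):
        return "accept"
    if not iface.anti_spoofing:
        return "accept-unchecked"   # spoofed source passes without any record
    return "drop" if iface.action == "prevent" else "accept-and-log"


def interfaces_needing_attention(topology=TOPOLOGY):
    """Interfaces where anti-spoofing is off or not set to Prevent."""
    return [i.name for i in topology
            if not i.anti_spoofing or i.action != "prevent"]


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source address).
    for name, src in [("eth0", "10.1.1.201"), ("eth0", "203.0.113.50"),
                      ("eth2", "10.1.1.101"), ("eth1", "10.1.1.101")]:
        print(f"{name:5} {src:15} {check_packet(name, src)}")
    print("review:", interfaces_needing_attention())
```
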
16. Click OK, and the system updates the Topology settings for eth0:
Figure 75 — Network - General
17. Click OK.
18. Next, update the Topology settings for all other interfaces in the gateway cluster, defining each to prevent spoofing.
19. In the Navigation pane, select Logs.
20. Verify that the cluster is configured to send gateway logs and alerts to the Security Management Server (A-SMS):
Figure 76 — Gateway Cluster - Logs
21. Click OK.

Editing and Creating Rules for the Alpha Rule Base

Clean up the existing Rule Base and define new rules and objects to allow for traffic to the DMZ.
1. In the Objects pane, click the New button.
2. Select More > Network Object > Group:
Figure 77 — New Object Menu
3. From the Group Menu, select Network Group.
Figure 78 — New Network Group
4. Use the following information to configure the New Network Group window:
Name: Alpha-Nets
Comment: All Alpha Networks
Figure 79 — New Network Group
5. In the search field, enter the following:
net
Figure 80 — New Network Group
6.
Click the + icon next to the following items to add them to the group:
• A-DMZ-NET
• A-INT-NET
• A-MGMT-NET
Figure 81 — New Network Group
7. Close the Search window, and the system adds the selected networks to the new group:
Figure 82 — New Network Group
8. Click OK.
9. In the Rule Base, select the Source field of the LDAP rule:
Figure 83 — LDAP Rule
10. Delete all objects in the Source field by right-clicking each object and selecting Remove.
11. Click the + icon to access the Object selector:
Figure 84 — LDAP Rule
12. From the Objects selector, select the following and close the window:
Alpha-Nets
Figure 85 — LDAP Rule
13. Next, delete all the objects in the Source field of the DNS rule.
14. Click the Alpha-Nets object and drag it to the Source field of the DNS rule.
15.
Figure 86 — DNS Rule

Reviewing Existing Security Policy Settings

Verify the correct configuration of basic settings in Global Properties.
1. From the Application menu, select Global Properties.
Figure 87 — Application Menu
2.
In the Firewall page, select the following options:
• Accept ICMP requests: First
• Log Implied Rules
Figure 88 — Global Properties
3. Click OK.

Organizing the Rule Base

Add Section Titles to the Rule Base to better organize your Security Policy.
1. Review the existing Rule Base.
2. Right-click the No. column of the first rule in the Rule Base:
Figure 89 — Do Not Log Rule
3. In the menu, select New Section Title > Above. The system adds a default section title to the top of the Rule Base:
Figure 90 — Section Title
4. In the section title, type the following and press Enter:
Management Rules
5. Add a new section title below the Stealth rule and call it Site Traffic Rules.
6. Add a section title above the Cleanup rule and call it Check Point Best Practice.
7. Verify that the Rule Base appears as follows:
Figure 91 — Rule Base
8. Review the existing Rule Base and consider the following questions:
• What is the purpose of the Noise rule?
• Why is the Management rule above the Stealth rule?
• Why is the Stealth rule necessary?
• Which rule or rules govern access to the Web server on the DMZ?
• What does the Cleanup rule do and why does Check Point recommend it as a best practice?
9. Click the Publish button, fill in the session name and details.
10. Click the Publish button.

Creating a New Host Object

Create an object to represent the server that handles FTP, Mail, and Web traffic in the Alpha DMZ.
1. Locate the Objects pane on the far right side of SmartConsole.
2. In the Objects pane, click the New button:
Figure 92 — Objects - New
3. Select Host, and the system displays the New Host window.
4. Use the information below to configure an object to represent the DMZ server:
Name: A-DMZ
Comment: Alpha DMZ Server
IP Address: 192.168.12.101
Tag: DMZ
Figure 93 — Host - General
5. In the Navigation pane, select Servers.
6. On the Servers Configuration page, select the following options:
• Web Server
• Mail Server
Figure 94 — Host - Servers
7. Click OK to add the new Host to the objects list.

Defining a New Rule

Define a new rule in the Site Traffic section of the Rule Base that allows specific types of traffic to the newly configured DMZ server.
1. Select the Outgoing rule (#5).
2. Right-click the number column and the system displays the following menu:
Figure 95 — Security Policies - Access Control
3. Select New Rule and click Above. The system adds a new rule above the Outgoing rule:
Figure 96 — New Rule
4. Double-click the Name column of the new rule.
5. Enter the following and press Enter:
Figure 97 — DMZ Rule
6.
In the Objects pane, select Network Objects > Host > A-DMZ.
7. Drag the A-DMZ object to the Destination column of the DMZ rule.
Figure 98 — DMZ Rule - Destination Defined
8. Click the + icon in the Services & Applications column of the DMZ rule. The system displays the Services & Applications selector:
Figure 99 — Services & Applications Selector
9. In the search field, enter the following:
http
10. Press Enter, and the system displays search results related to HTTP:
Figure 100 — Services - Search Results
11. In the search results pane, click the + icon next to http.
12. Clear the search field.
13. Enter the following into the search field:
smtp
14. In the search results pane, click the + icon next to smtp.
15. Exit the Services & Applications selector, and the system adds the selected services to the Services & Applications column:
Figure 101 — Rule - Service Added
16. Right-click the Action column of the DMZ rule, and the system displays the following menu:
Figure 102 — Action Menu
17. Select the following option:
Accept
Figure 103 — Action Defined
18. Right-click the Track column, and the system displays the following menu:
Figure 104 — Track Menu
19. Select the Log option:
Figure 105 — Track Defined
20. Verify that the newly configured rule appears as follows:
Figure 106 — DMZ Rule

Publishing and Managing Revisions

Name the session to help identify the changes you've made.
Then, publish the changes and look at the list of Security Policy revisions.
1. In the Session Details bar, click Session:
Figure 107 — Session Details
2. Use the information below to configure the Session Details window:
Session Name: DMZ Configuration
Description: Created a DMZ object and added a new DMZ access rule.
3. Close the Session Details window, and the system displays the newly configured Session Name.
4. Identify the number of changes made to the Security Policy.
NOTE
The objects and rules being edited are locked by this session. That means that changes made will not be visible by other administrators until after publication.
5. Click the Publish button, and the system displays the following:
Figure 108 — SmartConsole
6. Configure the window as follows:
Session name: DMZ Configuration
Description: Created a rule to allow DMZ access.
7. Click Publish, and the system publishes the changes and releases the modified objects and rules for all privileged administrators.
NOTE
Publishing writes changes to the database but does not install the Security Policy. The Publish button also makes changes made by one administrator in a session visible to all administrator sessions.
8. Next, click the Install Policy button. The system displays the Install P…
Figure 109 — Install Policy
9. Click Install, and the Security Policy is installed on the Security Gateways:
Figure 110 — Policy Installation
10. In the Navigation bar, select Manage & Settings.
11.
In the Manage & Settings page, select Revisions:
Figure 111 — Manage & Settings - Revisions
12. To view the details, double-click the first item in the Revisions list. The Revision Details window appears:
Figure 112 — Revision Details
13. Click OK.

END OF LAB 2.1

Configuring Hide and Static Network Address Translation

This exercise focuses on understanding the behavior of Network Address Translation in network traffic. You will configure both Static and Hide NAT for your environment.

Tasks:
• Configure Hide NAT on the Management and Internal networks.
• Configure Static NAT on the DMZ server and the Security Management Server.
• Test the Static and Hide NAT.

Performance Objectives:
• Configure Network Address Translation for server and network objects.

Configuring Hide Network Access Translation

Configure Hide NAT on the Management and Internal Alpha networks.
1. In the Rule Base, add https to the Services & Applications column of the Outgoing rule:
Figure 113 — Outgoing Rule
2. Publish the change and install the Security Policy.
3. From A-GUI, launch a web browser and attempt to visit a site on the Internet. This attempt should fail:
Figure 114 — Browser Message
4. In the Objects pane, select Network Objects > Networks.
5.
Select A-INT-NET:
Figure 115 — Objects Pane - A-INT-NET
6. Right-click the A-INT-NET object and select Edit:
Figure 116 — Network - General
7. In the Navigation pane, select NAT:
Figure 117 — Network - NAT
8. On the NAT page, select the following option:
Add automatic address translation rules
9. Select Hide as the translation method.
10. Select the following option:
Hide behind the gateway
11. In the Install on gateway drop-down menu, select the A-GW-Cluster object:
Figure 118 — Network - NAT
12. Click OK.
13. In the Navigation bar, select Security Policies. Then, select Access Control > NAT:
Figure 119 — Security Policies - Access Control - NAT
14. Identify the system-created NAT rules derived from the A-INT-NET object's NAT settings.
15. Next, edit the A-MGMT-NET object.
16. On the NAT page, select the following option:
Add automatic address translation rules
17. Select Hide as the translation method.
18. Select the following option:
Hide behind the gateway
19. Install on the A-GW-Cluster object:
Figure 120 — Network - Hide Configured
20. Click OK.
21. Double-click the A-GW-Cluster object.
22. In the Navigation pane, select NAT:
Figure 121 — Gateway Cluster Properties - NAT
23. Verify that the following option is cleared:
Hide internal networks behind the Gateway's external IP
NOTE
By selecting this option, the system will Hide all traffic behind the Security Gateway. Do not select this option if you do not want to Hide all internal networks. In this lab environment, we manually configured Hide NAT on specific internal networks.

Configuring Static Network Access Translation

Configure Static NAT on the DMZ server, LDAP server, and the Security Management Server.
1. In the Objects pane in SmartConsole, navigate to and select A-SMS:
Figure 122 — Security Policies - Objects Pane
2. Double-click the A-SMS object:
Figure 123 — Check Point Host - General Properties
3. In the Navigation pane, select NAT.
4. Use the information below to configure the NAT page of the Check Point Host object:
Add Automatic Address Translation rules: Selected
Translation method: Static
IPv4 Address: 203.0.113.151
Install on Gateway: A-GW-Cluster
Apply for Security Gateway control connections: Deselected
Figure 124 — Check Point Host - NAT
5. Click OK.
6.
Double-click the A-LDAP host object:
Figure 125 — Host - General
7. Use the information below to configure the NAT page:
Add automatic address translation rules: Selected
Translation Method: Static
IP Address: 203.0.113.161
Install On: A-GW-Cluster
Figure 126 — Host - NAT
8. Click OK.
9. Edit the A-DMZ object:
Figure 127 — Host - General
10. Use the information below to configure the NAT page:
Add Automatic Address Translation rules: Selected
Translation Method: Static
IP Address: 203.0.113.171
Install On: A-GW-Cluster
Figure 128 — Host - NAT
11. Click OK.
12. Under the Access Control Security Policy, select NAT:
Figure 129 — Security Policies - Access Control - NAT
13. Review the system-generated NAT rules for both Static and Hide NAT.
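What the Static and Hide rules reviewed in step 13 do to a connection, modelled in Python as an added example (not part of the lab manual and not Check Point code). The translated addresses 203.0.113.151, .161 and .171, the A-DMZ address 192.168.12.101 and the A-SMS address 10.1.1.101 are the lab's values; the gateway's external address, the A-LDAP real address, the two network ranges and all client and Internet addresses are assumptions.

```python
"""Toy model of automatic Static and Hide NAT (added example, not Check Point code)."""
import ipaddress
from itertools import count


class NatGateway:
    def __init__(self, external_ip, static_hosts, hide_networks):
        self.external_ip = external_ip
        # Static NAT is one-to-one and works in both directions.
        self.static_out = dict(static_hosts)
        self.static_in = {pub: real for real, pub in static_hosts.items()}
        self.hide_networks = [ipaddress.ip_network(n) for n in hide_networks]
        # Hide NAT is many-to-one: every outbound connection gets its own
        # source port on the gateway address. The 10000 start is arbitrary.
        self._next_port = count(10000)
        self._hide_out = {}  # (real_ip, real_port, dst_ip, dst_port) -> port
        self._hide_in = {}   # (port, remote_ip, remote_port) -> (real_ip, real_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate the source of a connection leaving the internal networks."""
        # Host-level static rules are matched before network-level hide rules,
        # so A-SMS keeps its own public address although A-MGMT-NET is hidden.
        if src_ip in self.static_out:
            return ("static", self.static_out[src_ip], src_port)
        if any(ipaddress.ip_address(src_ip) in net for net in self.hide_networks):
            key = (src_ip, src_port, dst_ip, dst_port)
            if key not in self._hide_out:
                port = next(self._next_port)
                self._hide_out[key] = port
                self._hide_in[(port, dst_ip, dst_port)] = (src_ip, src_port)
            return ("hide", self.external_ip, self._hide_out[key])
        return ("none", src_ip, src_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate the destination of a packet arriving from outside.

        Returns None when the packet is addressed to the hide address but
        matches no connection that an internal host opened first.
        """
        if dst_ip in self.static_in:
            return ("static", self.static_in[dst_ip], dst_port)
        if dst_ip == self.external_ip:
            real = self._hide_in.get((dst_port, src_ip, src_port))
            return ("hide",) + real if real else None
        return ("none", dst_ip, dst_port)


def lab_gateway():
    """Gateway loaded with the Lab 2.2 settings (assumed values are marked)."""
    return NatGateway(
        external_ip="203.0.113.1",                 # ASSUMED gateway address
        static_hosts={
            "10.1.1.101": "203.0.113.151",         # A-SMS
            "192.168.11.101": "203.0.113.161",     # A-LDAP (real address ASSUMED)
            "192.168.12.101": "203.0.113.171",     # A-DMZ
        },
        hide_networks=["192.168.11.0/24",          # A-INT-NET  (range ASSUMED)
                       "10.1.1.0/24"],             # A-MGMT-NET (range ASSUMED)
    )


if __name__ == "__main__":
    gw = lab_gateway()
    web = ("198.51.100.7", 443)                    # constructed Internet server
    # A client in A-MGMT-NET (constructed address) browsing out: hidden.
    print(gw.outbound("10.1.1.201", 51000, *web))
    # The reply to that connection is translated back to the client.
    print(gw.inbound(*web, "203.0.113.1", 10000))
    # An unrelated outside host aiming at the same port: no state, no access.
    print(gw.inbound("198.51.100.99", 443, "203.0.113.1", 10000))
    # Outside client reaching the DMZ server through its static address.
    print(gw.inbound("198.51.100.7", 40000, "203.0.113.171", 80))
```

Translation only decides addressing. Whether the inbound connection to 203.0.113.171 is accepted is still decided by the Rule Base, where the DMZ rule from Lab 2.1 accepts http and smtp to A-DMZ.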
14. Publish the changes and install the Security Policy on A-GW-Cluster:
Figure 130 — Install Policy

Testing Network Address Translation

Generate HTTP and HTTPS traffic from two internal Alpha networks to confirm the correct configuration of NAT.
1. Confirm that web traffic can now be generated from the following two Virtual Machines:
• A-GUI
• A-Host
2. In SmartConsole, select the Logs & Monitor tab:
Figure 131 — Logs & Monitor
3. Double-click a log to view the log details:
Figure 132 — Log Details

END OF LAB 2.2

Managing Administrator Access

Create multiple administrator accounts with different permissions in SmartConsole and test administrator access based on their assigned permission profile. You will also perform various Security Policy manipulations to see how the concurrent administration feature works.

Tasks:
• Create new administrators with varying permission profiles.
• Configure IPS.
• Test administrator access based on assigned profiles.
• View concurrent administrator activities.
• Disconnect an administrator session.
• Define WiFi access.

Performance Objectives:
• Create multiple administrators and apply different roles and permissions for concurrent administration.
• Evaluate and manipulate rules in a unified Access Control Security Policy.

Creating Administrators and Assigning Profiles

Define a new administrator for yourself.
While logged into SmartConsole as admin, create your own administrator with Super User privileges. Next, define an administrator that functions as an auditor. Then create a new customized profile that is assigned to an administrator that only has privileges to manage IPS functions.
1. In the Navigation bar of SmartConsole, select Manage & Settings > Permissions & Administrators:
Figure 133 — Manage & Settings - Permissions & Administrators
2. On the Administrators page, click the New icon. The system displays the following window:
Figure 134 — New Administrator
3. Enter your name and a comment.
4. For the Authentication Method, select the following:
• Check Point Password
5. Click the Set New Password button, and the system displays the following:
Figure 135 — Set Password
6. Clear the following option:
• User must change password on next login
7. Enter and confirm Chkp!234 as the password.
8. Select Super User for the permission profile:
Figure 136 — New Administrator - General
9. Verify the user permissions are set to never expire.
10. Click OK, and the system adds the administrator to the database:
Figure 137 — Manage & Settings - Permissions & Administrators
11.
Next, use the information below to configure an auditor with Read Only All permissions:
Name: auditor
Comment: Audit Only User
Authentication Method: Check Point Password
Set New Password: Chkp!234
Permission Profile: Read Only All
Expiration: Never
Figure 138 — New Administrator
12. Click OK to add the auditor to the list of administrators:
Figure 139 — Manage & Settings - Permissions & Administrators
13. Next, use the information below to configure an administrator who only has permissions to modify IPS settings:
Name: ips admin
Comment: IPS Only Administrator
Authentication Method: Check Point Password
Set New Password: Chkp!234
Expiration: Never
Figure 140 — New Administrator - General
14. Click the Permission Profile drop-down menu:
Figure 141 — New Administrator - Permission Profile Drop-Down Menu
15. Click New, and the system displays the New Profile window:
Figure 142 — New Profile - Overview
16.
Use the information below to configure a new profile:
Object Name: IPS Only
Object Comment: Admins with only IPS Access
Permissions: Customized
Figure 143 — New Profile - Overview
17. In the Navigation pane, select Gateways.
18. Clear all options in the Gateways tab:
Figure 144 — New Profile - Gateways
19. In the Navigation pane, select Access Control.
20. Clear all options:
Figure 145 — New Profile - Access Control
21. In the Navigation pane, select Others.
22. Configure the following Permissions:
• Common Objects: Read
• Check Point Users Database: Read
Figure 146 — New Profile - Others
23. In the Navigation pane, select Monitoring and Logging.
24. Configure the following Monitoring and Logging options:
Monitoring: Read
Management Logs: Read
Track Logs: Read
Packet Capture and forensics
Show Packet Capture by default
Figure 147 — New Profile - Monitoring and Logging
25. In the Navigation pane, select Events and Reports.
26. Select the following option:
• SmartEvent Application Control and URL Filtering reports only
Figure 148 — New Profile - Event and Reports
27. In the Navigation pane, select Management.
28. Clear all options:
Figure 149 — New Profile - Management
29. In the Navigation pane, select Threat Prevention.
30. Verify that all Permissions options are selected and set to Write and all Actions options are selected:
Figure 150 — New Profile - Threat Prevention
31. Click OK.
32. In the Permission Profile drop-down menu, select IPS Only.
Figure 151 — New Administrator Configured
33. In the Navigation pane, select Additional Info.
34. Use the following information to configure the Additional Info tab:
Phone Number: 1-972-555-0101
Email: userl@alpha.cp
Contact Details: Bob in Dallas
Tag: IPS
Figure 152 — New Administrator - Additional Info
35. Click OK to add the new administrator to the database:
Figure 153 — Manage & Settings - Permissions & Administrators
36. In the Sessions bar, click Publish.
37. Configure the following session details:
Session Name: New Admins
Description: Added personal superuser, auditor, and the IPS Administrator.
Figure 154 — Manage & Settings - Permissions & Administrators
38. Click Publish.
Figure 155 — Publish Session Window

Configuring IPS

Enable the IPS software blade to illustrate administrator privileges.
1. In the Navigation bar, select Security Policies. The system displays the Access Control policy:
Figure 156 — Security Policies - Access Control
2. Double-click the A-GW-Cluster object:
Figure 157 — Gateway Cluster - General Properties
3. In the Network Security section, select IPS.
The following window appears:
Figure 158 — IPS First Time Activation Window
4. Click OK:
Figure 159 — Gateway Cluster - General Properties
5. Publish the change:
Figure 160 — SmartConsole - Publish Window
6. Install the Security Policy. The IPS software blade is now enabled on the Security Gateway.
Figure 161 — Install

Testing Profile Assignments

Log into SmartConsole as different administrators to verify permission settings.
1. Use the information below to log into SmartConsole:
Username: auditor
Password: Chkp!234
Server: 10.1.1.101
Figure 162 — SmartConsole - Login
2. Click the Login button.
3. Navigate to the Access Control Security Policy.
4. Attempt to add a new rule to the Rule Base:
Figure 163 — Security Policies - Access Control
NOTE
Most action buttons and menu items are unavailable to this user based on the assigned role of Read Only.
5. Navigate to and double-click the A-GW-Cluster object:
Figure 164 — Gateway Cluster - General Properties

NOTE: This user is not allowed to save any changes made to objects in the database or create new objects.

6. Click Cancel.
7. In the Navigation bar, select Logs & Monitor:

Figure 165 — Logs & Monitor

8. Double-click one of the displayed logs to view the log details:

Figure 166 — Log Details

9. Close the Log Details window.
10. Close SmartConsole.
11. Use the information below to log into SmartConsole:
    Password: Chkp!234
    Server: 10.1.1.101

Figure 167 — SmartConsole Login

12. Click the Login button. The Gateway & Servers page is displayed:

Figure 168 — SmartConsole

13. Navigate to and double-click the A-GW-Cluster object:

Figure 169 — Gateway Cluster - General Properties

14. Attempt to edit the A-GW-Cluster object. Notice that all editable objects are grayed out and unavailable for selection.
15. Click Cancel.
16. In the Navigation bar, click Security Policies > Access Control. Notice that this user does not have permissions to edit the Access Control Security Policy:

Figure 170 — Security Policies - Access Control

17.
In the Threat Prevention section, click Policy > IPS.
18. In the Threat Tools section of the Navigation pane, select IPS Protections:

Figure 171 — IPS Protections

19. Log out of SmartConsole.

Managing Concurrent Administrator Sessions

View system behavior during concurrent administrator access of the shared database.

1. Use the information below to log into SmartConsole:
    Username: [Personal Username]
    Password: Chkp!234
    Server: 10.1.1.101

Figure 172 — SmartConsole Login

2. Click Login, and the system displays the Gateways & Servers page:

Figure 173 — Gateways & Servers

3. While logged in as your personal administrator, launch another instance of SmartConsole.
4. Log into the system using the following credentials so that you have two concurrent administrator sessions open:
    Username: cpadmin
    Password: Chkp!234
5. Return to your personal administrator session.
6. As the personal administrator, navigate to the Access Control policy:

Figure 174 — Security Policies - Access Control

NOTE: To verify which administrator session is displayed, reference the administrator username located in the bottom right corner of the screen.

7. In the cpadmin user session, navigate to the Access Control policy:

Figure 175 — Security Policies - Access Control

8. Next, select the Stealth rule.
9.
Double-click the Name field of the Stealth rule:

Figure 176 — Security Policies - Access Control Policy

10. In the personal administrator session, notice the lock icon next to the Stealth rule. The rule is currently locked for editing by another administrator:

Figure 177 — Security Policies - Access Control

11. As the cpadmin user, double-click the A-GW-Cluster object.
12. The system displays the Gateway Cluster Properties window:

Figure 178 — Gateway Cluster - General Properties

13. Edit the A-GW-Cluster object by changing the object color to pink:

Figure 179 — Gateway Cluster - General Properties

14. Click OK.
15. As the personal administrator, notice the lock icon next to the A-GW-Cluster object:

Figure 180 — Access Control Policy

16. Consider the following questions:
    • Does the system indicate that the rule is locked by another administrator?
    • What objects and rules are locked and by which administrator?
    • Where on the SmartConsole does it display the administrator user for that session?
17. Open the A-GW-Cluster object. Notice that all editable fields are grayed out and that the object color is still red.

Figure 181 — Gateway Cluster - General Properties

NOTE: The personal administrator cannot edit the object nor see the color change because the object is locked by another administrator and the changes have not been published.

18. Click Cancel.
Disconnecting an Administrator Session

As an administrator with the permission to manage other administrators, disconnect an administrator session.

1. As the personal administrator, navigate to the Manage & Settings tab. Select Sessions > View Sessions. Confirm that there are two concurrent administrator sessions active at this time.

Figure 182 — Manage & Settings - Sessions - View Sessions

2. Right-click on the cpadmin user session. Select Discard & Disconnect.

Figure 183 — Manage & Sessions - Sessions - View Sessions

3. The following window will display. Click Yes:

Figure 184 — SmartConsole

4. Notice that the cpadmin user session has been disconnected.

Figure 185 — Manage & Settings - Sessions - View Sessions

5. Return to the cpadmin user session. Notice that the session has been disconnected by the personal administrator.

Figure 186 — Security Policies - Access Control

6. From the personal administrator session, confirm that the A-GW-Cluster object is still Red.

Defining WiFi Access

Create a network for WiFi users and then define a generic WiFi user account.

1. In the Objects pane, click New > Network:

Figure 187 — New Network

2. Use the following information to configure the New Network window:
    Object Name: A-WIFI-NET
    Object Comment: Alpha WiFi Network
    Network Address: 192.168.18.0
    Net Mask: 255.255.255.0

Figure 188 — New Network

3. Click OK.
4. In the objects list, click New > More > User > User:

Figure 189 — New User

5. From the Choose template drop-down menu, select Default.
6. Click OK, to assign the default template.
7. Use the information below to configure the General Properties of the new user:
    Name: Guest
    Comment: WiFi Guest Account

Figure 190 — New User - General

8. In the Navigation pane, select Authentication.
9. Use the information below to configure the Authentication page of the new user:
    Authentication Method: Check Point Password
    Set new password: Chkp!234

Figure 191 — New User - Authentication Configured

10. In the Navigation pane, select Location.
11. In the Allowed Locations section, add A-WIFI-NET to the Sources field:

Figure 192 — New User - Location

12. Click OK.
13. Publish the changes to the Security Policy.

Figure 193 — Publish

14. Exit SmartConsole.
15. Log into SmartConsole as the cpadmin user and navigate to the Access Control policy:

Figure 194 — Security Policies - Access Control

16. From the Objects Pane, open the Network Objects category. Verify that the new WiFi object is included in the Networks list.

Figure 195 — Network Objects

17. Log out of SmartConsole.
END OF LAB 2.3

Installing and Managing a Remote Security Gateway

You are implementing the Check Point Security Gateway at a branch office. To do this, you decide to install only the Security Gateway at the remote site and manage it from the existing Management Server at the corporate headquarters.

Tasks:
    • Install Gaia on the Branch gateway.
    • Update the Security Policy.
    • Configure the Security Gateway with the First Time Configuration Wizard.
    • Configure the Branch gateway via the Gaia Portal.
    • Configure the Security Policy to manage the Security Gateway.
    • Create a new Security Policy.

Performance Objectives:
    • Install the remote Security Gateway in a distributed environment using the network detailed in the course topology.
    • Verify SIC establishment between the Security Management Server and the remote Security Gateway.
    • Create a basic Rule Base with site specific rules.

Installing Gaia on a Remote Security Gateway

In this section you will install and configure the Bravo Security Gateway, which will be managed by the Alpha Security Management Server.

1. In VMware, create a new Virtual Machine (VM) using the iso image or DVD provided by your instructor.
2. Verify that the VM is defined as follows:
    • Name: B-GW
    • OS: Other
    • Version: Other
    • Disk Space: 60GB
    • Memory: 1GB
    • Two interfaces (eth0 and eth1)
        eth0
            • Connect at power on
            • LAN Segment: LAN 1
        eth1
            • Connect at power on
            • LAN Segment: LAN 4

NOTE: Your classroom configuration may be different. Check with your instructor before continuing to the next step.

Before powering on your VM, verify that it is configured as defined above.
Power on the B-GW virtual machine, and the Welcome to Check Point Gaia R77.30 screen appears:

Figure 196 — Welcome to Check Point Gaia R77.30

Within 60 seconds, highlight the following option:
    • Install Gaia on this system
Press the Enter key, to launch the installation.
6. When the system is prepared for you to begin the operating system installation, it displays the Welcome screen:

Figure 197 — Welcome

7. Tab to OK, and press Enter. The system displays the Keyboard Selection screen:

Figure 198 — Keyboard Selection

8. Select the keyboard type to suit your region.
9.

Figure 199 — Partitions Configuration

10. Modify the Log partition size to 30 GB:

Figure 200 — Partitions Configuration

11. Tab to OK, and press Enter. The system displays the Account Configuration screen.

NOTE: Again, at this step, you are configuring the password for the admin user, the default OS level administrator.

12. Enter and confirm Chkp!234 as the admin account password.

NOTE: Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.

13. Tab to OK, and press Enter. The system displays the Management Port screen.
14. Use the arrow keys to highlight eth3:

Figure 201 — Management Port

NOTE: In this classroom environment, all external interfaces are eth3. This Security Gateway is remotely managed by the A-SMS, so the management interface must be the external interface.

15. Tab to OK, and press Enter. The system displays the Management Interface screen.
16. Use the following information to configure the Management Interface screen:
    IP address: 203.0.113.100
    Netmask: 255.255.255.0
    Default gateway: 203.0.113.254

Figure 202 — Management Interface

17. Tab to OK, and press Enter. The system displays the Confirmation screen:

Figure 203 — Confirmation

18. In the Confirmation screen, tab to OK, and press Enter.
19. After the drive is formatted and the installation is complete, the system displays the following screen:

Figure 204 — Installation Complete

20. Press Enter, to reboot your system.
21. After reboot, the system displays the following prompt:

Figure 205 — Login Prompt

Update the Alpha Security Policy

Update the Alpha Security Policy to allow for the Security Management Server to use Check Point control connections to manage the remote Security Gateway.

1. In the Alpha Rule Base, add a new rule above the Stealth rule.
2. Use the information below to configure the new rule:
    Name: Remote Control
    Source: A-SMS
    Action: Accept
    Track: Log
Figure 206 — Remote Control Rule

3. Click the + icon in the Services & Applications field of the Remote Control rule:

Figure 207 — Services & Applications Selector

4. In the Services & Applications selector, click the New icon.
5. Select Group, and the system displays the following:

Figure 208 — New Service Group

6. Use the information below to configure the new object:
    Name: CHKP Services
    Comment: Check Point Control Connections
7. Click the + icon, and the system displays the Services & Applications selector:

Figure 209 — Services & Applications Selector

8. In the search field, enter the following:
    cp
9. Click the + icon next to all services that start with cp:

Figure 210 — Services & Applications Selector

10. Clear the search field.
11. Next, search for all services beginning with the following:
    fw
12. Click the + icon next to all services that start with fw:

Figure 211 — Services & Applications Selector

13. Close the Services selector.
14. Verify that the newly created group object appears as follows:

Figure 212 — New Service Group

15. Change the color of the icon to red:

Figure 213 — New Service Group

16. Click OK, and the system adds the new group to the Services & Applications field of the Remote Control rule:

Figure 214 — Remote Control Rule

17. Publish the changes and install the Security Policy:

Figure 215 — Install Policy

18. From the A-GUI Virtual Machine, launch an Internet browser, such as Firefox or Internet Explorer.
19. In the address field, type the following:
    https://203.0.113.100

NOTE: ... VMware ... properly before you are able to connect.
Both the GUI client machine and the Security Gateway and Security Management Server (B-GW) reside on LAN 4, if you are following the recommended classroom topology. Consult your instructor if you are using a different configuration.

20. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
21. Ignore this warning and continue to the Login screen:

Figure 216 — Login Page

Configuring the Branch Office Security Gateway with the First Time Configuration Wizard

Follow these steps to configure the branch office Security Gateway and activate its default trial license.

NOTE: Your instructor will provide alternate directions if you use other licenses.

1. Log into B-GW with the following credentials:
    Username: admin
    Password: Chkp!234
2. Press Enter, and the system displays the following window:

Figure 217 — Gaia First Time Configuration Wizard

3. Click Next, and the system displays the Deployment Options page:

Figure 218 — Deployment Options

4. Verify that the following option is selected:
    • Continue with Gaia R77.30 configuration
5. Click Next, and the system displays the Management Connection page:

Figure 219 — Management Connection

6. Use the information below to verify that the Security Gateway's network connection is configured properly:
    Interface: eth3
    Configure IPv4: Manually
    Configure IPv4: 203.0.113.100
    Subnet Mask: 255.255.255.0
    Default Gateway: 203.0.113.254
    Configure IPv6: Off
7. Click Next, and the system displays the Connection to UserCenter page:

Figure 220 — Connection to UserCenter

8.
Click Next, and the system displays the Device Information page.
9. Use the following information to configure the Device Information page:
    Host Name: B-GW
    Domain Name: Leave Blank
10. Click Next, and the system displays the Date and Time Settings page:

Figure 221 — Date and Time Settings

11. Verify that the time and date are correct for your area.
12. Click Next, and the system displays the Installation Type page:

Figure 222 — In

13. Select Security Gateway or Security Management, and click Next. The system displays the Products page:

Figure 223 — Products

14. Use the information below to configure the Products page:
    Security Gateway: Selected
    Security Management: Deselected
    Unit is a part of cluster type: Deselected
    Automatically download Blade Contracts and other important data (highly recommended): Selected
15. Click Next, and the system displays the Dynamically Assigned IP page:

Figure 224 — Dynamically Assigned IP

16. Verify that No is selected.
17. Click Next, and the system displays the Secure Internal Communications (SIC) page:

Figure 225 — Secure Internal Communications (SIC)

18. Enter and confirm sic123 as the Activation Key.
19. Click Next, and the system displays the Summary page:

Figure 226 — Summary

20. Click Finish, and the system asks you if you want to start the configuration.
21. Click Yes.
22. Once the configuration process is complete, the system prompts you with a restart message.
23. Click OK, and the system displays the Login screen after reboot:

Figure 227 — Login Screen

1. Log into B-GW with the following credentials:
    Username: admin
    Password: Chkp!234
2.
Click the Log In button, and the system displays the following window:

Figure 228 — Help Check Point Improve Software Updates

3. Click No, and the WebUI displays the configuration settings of the newly configured Security Gateway.

Using the Gaia Portal to Configure the Branch Office Security Gateway

Define the interfaces and login message for the branch office gateway.

1. Review Gaia Portal's Overview page:

Figure 229 — Overview

2. In the Navigation pane, identify the Network Management section.
3. Click Network Interfaces, and the system displays the Network Interfaces page:

NOTE: Notice how only eth3 is configured. This is your management interface. In this lab, this also represents your external network.

4. Select eth1, and click Edit. The system displays the Edit window:

Figure 231 — Edit eth1

5. Use the information below to configure eth1:
    Enable: Checked
    Comment: Internal
    IPv4 Address: 192.168.21.
    Subnet Mask: 255.255.255.0
6. Click OK, and the system saves the new eth1 configuration.

Figure 232 — Network Interfaces

7. Double-click eth3, and the system displays a warning.
8. Click OK, and the system displays the Edit window.
9. Use the information below to configure eth3:
    Enable: Checked
    Comment: External
    IPv4 Address: 203.0.113.100
    Subnet Mask: 255.255.255.0
10. Verify that the newly configured eth3 appears as follows:

Figure 233 — Edit eth3

11. Click OK, to return to the Network Interfaces page.
12. Verify that your interfaces appear as follows:

Figure 234 — Network Interfaces

13. In the Management Interface section of the page, notice that the current Management Interface is set to eth3.
14. In the Navigation pane, under Network Management, click IPv4 Static Routes:

Figure 235 — Network Management - IPv4 Static Routes

15. Verify that the default gateway is 203.0.113.254.
16. In the Navigation pane, under System Management, click Messages:

Figure 236 — System Management - Messages

17. In the Banner Message field add the following text:
    B-GW Unauthorized access of this server is prohibited and punishable by law.

Figure 237 — System Management - Messages

18. Click the Apply button.
19. From the toolbar, click Sign Out.

Configuring the Alpha Security Policy to Manage the Remote Security Gateway

Define the remote Security Gateway object and incorporate it into the Alpha Security Policy.

1. From the Home page of the Objects pane, click New > More > Network Object > Gateways & Servers:

Figure 238 — Gateways & Servers

2. In the menu, select Gateway. The system displays the following window:

Figure 239 — Check Point Security Gateway Creation

3. Select the following option:
    • Don't show this again
4. Select Classic Mode, and the system displays the following:

Figure 240 — Check Point Gateway - General Properties

5.
Use the information below to configure the new Security Gateway object:
    Name: B-GW
    IPv4 Address: 203.0.113.100
    Comment: Bravo Security Gateway
    Network Security: Firewall IPSec VPN

Figure 241 — Check Point Gateway - General Properties

6. Click the Color drop-down menu.
7. Select Manage, and the system displays the Color Manager window:

Figure 242 — Color Manager

8. Click the Add button.
9. From the Color drop-down, select the dark red option (Firebrick), and the system displays the following:

Figure 243 — Add Color

10. Click OK, and the system adds the new color to the color list.
11. Click OK, to close the Color Manager.
12. Now, select Firebrick from the Color drop-down menu:

Figure 244 — Check Point Gateway - General Properties

13. Click the Communication button, and the system displays the following window:

Figure 245 — Trusted Communication

14. Enter and confirm sic123 as the One-time password.
15. Click Initialize, and the system verifies the one-time password. Secure Internal Communication is now established:

Figure 246 — Trusted Communication

16.
Click OK, and the system displays the interface information retrieved from the newly configured gateway:
17. Click Close, and the imported topology information is associated with the gateway object. On the General Properties window, note that the version has changed to R77.30.

Figure 248 — Check Point Gateway - General Properties

18. Select Network Management in the Navigation pane.
19. Verify that the interfaces appear as follows:

Figure 249 — Check Point Gateway - Network Management

20. Click OK, and verify that the new B-GW object appears in the Gateways and Servers section of the Objects pane:

Figure 250 — Security Policies - Access Control

21. In the Objects pane, select the A-GW-Cluster object and drag it to the Install On column in the first rule in the Rule Base:

Figure 251 — Security Policies - Access Control

22. Drag and drop the A-GW-Cluster object to every rule's Install On field in the Rule Base:

Figure 252 — Rule Base

23. In the Bravo_Standard policy package, add the B-GW to the Install On column for each rule.
24.
Double-click the A-SMS object:

Figure 253 — Check Point Host - General Properties

25. In the Navigation pane, select NAT.
26. On the NAT page, select the following option:
    • Apply for Security Gateway control connections

Figure 254 — Check Point Host - NAT Configured

27. Click OK.
28. In SmartConsole, click the Application menu:

Figure 255 — Security Policies - Access Control

29. Select the Manage Policies option, and the system displays the following window:

Figure 256 — Manage Policies

30. Select Standard and click Edit. The system displays the Policy window:

Figure 257 — Policy

31. Configure the policy as follows:
    Name: Alpha_Standard
    Comment: Alpha Security Policy
32. Click OK.
33. Click Close.
34. Under Security Policies, verify that the name of the policy package is Alpha_Standard.

Figure 258 — Security Policies - Access Control

Creating a New Security Policy

Create a new Security Policy that includes the additional Access policy layers of Data Awareness and Application Control and URL Filtering.

1. Click the + icon to add a new tab. The system displays the Manage Policies tab:

Figure 259 — Security Policies - Manage Policies

2. In the Recent Policies section, click the Manage Policies link.
The system displays the following window:

Figure 260 — Manage Policies

3. Click the New button and the system displays the New Policy window:

Figure 261 — New Policy

4. Verify that only the Access Control option is selected.

NOTE: The Firewall layer is activated by default. It is the foundation on which all the other layers are based, so it cannot be removed from the Access policy.

5. Use the information below to configure the new policy:
    Name: Bravo_Standard
    Comment: Bravo Security Policy
    Tag: Bravo
6. Verify that the Access Control policy appears as follows:

Figure 262 — New Policy

7. Click OK, and the system adds the new policy package to the database:

Figure 263 — Manage Policies

8. Click Close.
9. In the Objects panel, select New > More > Network Object > Host.
10. Use the information below to configure the new object:
    Name: A-GUI
    Comment: Alpha SmartConsole
    IP Address: 203.0.113.1
    Tag: Management
    Color: Brown

Figure 264 — Host - General

11. Click OK.
12. Add a new rule to the top of the Rule Base.
13. Use the information below to configure the Noise rule:
    Name: Noise
    Source: Any
    Destination: Any
    Services & Applications: bootp NBT
    Action: Drop
    Track: None
14. Add a new rule below the Noise rule.
15. Use the information below to configure the Management rule:
Name: Source: Destination: Services & Applications: Action: Track: 238 Management A-GUI A-SMS : BGW : https version_2 Accept : Log Add a new rule below the Management rule. Use the information below to configure the Stealth rule: Stealth Any B-GW Any Drop Log Add a new rule below the Stealth rule, Use the information below to configure the Outbound rule; Outbound Any Any https http ftp Accept Log Lab 2-4: installing and Managing a Remote Security Gateway 20. Use the information below to configure the Cleanup rule: Name: Cleanup Souree: Any Destinal Services & Applications: Any Action: Drop Track: Log 2S vanagenent am Ac oben or @ mee @ hewot Bio + a mm Bass Bane 3 Nsom oo eto oi oo Oe or + pa erow 1 Nloateea fe aw si iy Gm @ sure Bie» rete Figure 265 —Bravo_Standard Rule Base or [ew 239 (Check Point Socurity Adminisration 21, In the Source column of the Outbound rule, click the + icon: ‘ern Fresco Sapna rasan Figure 266 — Security Policies - Access Control 240 Lab 2.4: Installing and Memaging a Remote Security Gateway 22. Click the New icon and select Network: g, - Pawo Ente Oe Comment Nama (© Netincates 6 @ saateg Fiqure 267 —New Network mu 241 Check Point Security Administration 23. Use the information below to configure the new object: Name: T-NET Comment: Bravo Internal Network Network Address: 192.168.21.0 Net Mask: 255.255.255.0 Broadcast Address: Included Tag: Bravo . BAINT-NET Broan Network wt Neewoikadanss (DHE: Hama (555. Brostean tere © tacts O Nevins ING Figure 268 —Network- General 24, In the Navigation pane, select NAT. 242 Lab 2.4: Installing and Managing a Remote Security Gateway 25. Use the information below to configure the NAT page: Add automatic address translation rules: Selected Translation Method: Hide Install on gateway: B-GW Sa Carnet Genet | Values for address translation FATE) Z Addawonsticsddesstnstsion les Traaionmethod [Hi @ Hie behind he gt © Hide behing aes Pade = Inaatengienss (6-60 Figure 269 — Network - NAT 26. 
Click OK, and the system adds the B-INT-NET object to the Source column of the Outbound rule:

Figure 270 — Outbound Rule

27. Add a new rule above the Outbound rule.
28. Use the information below to configure the DNS rule:
    Name: DNS
    Source: B-INT-NET
    Destination: Any
    Services & Applications: dns
    Action: Accept
    Track: None

Figure 271 — DNS Rule

29. In SmartConsole, select the Alpha_Standard tab.
30. Use the information below to update the Remote Control rule:
    Name: Remote Control
    Source: A-SMS, B-GW
    Destination: B-GW, A-SMS
    Services & Applications: CHKP Services
    Action: Accept
    Track: Log

Figure 272 — Remote Control Rule

31. Publish the changes made to the two Security Policies:

Figure 273 — SmartConsole

32. Select the Bravo_Standard tab.
33. In the policy page, click the Install Policy button. The system displays the Install Policy window:

Figure 274 — Install Policy

34. Notice that both the Bravo Security Gateway and the Alpha Security Gateway cluster are listed as policy targets.
35. Click Cancel.
36. Click the Application menu:

Figure 275 — Security Policies - Access Control

37.
Select Manage Policies, and the system displays the Manage Policies window:

Figure 276 — Manage Policies

38. Select the Bravo_Standard policy and click Edit:

Figure 277 — Policy - General

39. In the Navigation pane, select Installation Targets.
40. Select the following option:
    Specific Gateways
41. Click the + icon and search for the B-GW object. Click the + icon next to the B-GW object to add it to the list of installation targets:

Figure 278 — Policy - Installation Targets

42. Click OK.
43. Click Close.
44. Publish the changes.
45. Click the Install Policy button, and the system displays the Install Policy window. From the Policy drop-down menu, select Bravo_Standard:

Figure 279 — Install Policy

46. Verify that only the B-GW (203.0.113.100) is listed as a policy target.
47. Click the Install button.
48. From the B-Host virtual machine, launch a web browser.
49. Use HTTP to connect to A-DMZ (203.0.113.171).
50. In SmartConsole, select Logs & Monitor from the Navigation bar:

Figure 280 — Logs & Monitor - Logs

51. View the log showing the accepted HTTP traffic from B-Host to A-DMZ:

Figure 281 — Log Details

52. Close the log file.
53.
Select Security Policies from the Navigation bar.
54. Select the Alpha_Standard tab.
55. From the policy page, click the Install Policy button.
56. Click Install, and the system displays the following window:

    You selected to install a policy on A-Cluster that is different from the currently installed policy, which will be overwritten.
    Selected policy: AppCtrl_DataAware
    Installed policy: Standard
    Are you sure you want to continue?

Figure 282 — SmartConsole

57. Click Yes to continue the Security Policy installation on B-GW.

END OF LAB 2.4

Lab 2.5: Managing Backups

Use the Gaia Portal to perform and schedule backups for the Security Gateway.

Tasks:
    • Schedule a Security Management Server backup to take place every midnight.
    • Back up the Security Gateway cluster members from SmartConsole.
    • Perform a backup via CLI.

Performance Objectives:
    • Prepare and schedule backups for the gateway.

Scheduling a Security Management System Backup

Schedule the Security Management System to be backed up at midnight and for it to send the backup to the A-GUI machine upon completion.

In SmartConsole, double-click the A-GUI host object in the Objects pane.
Change the IP address to 10.1.1.201.
Publish the changes and install policy on A-GW-Cluster.
From A-GUI, launch a web browser such as Firefox or Internet Explorer.
In the address field, type the following:
    https://10.1.1.101

NOTE: You must use HTTPS to access the Gaia Portal or the connection will fail.

Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
Ignore this warning and continue to the site. The system displays the Gaia Portal login screen:

Figure 283 — Gaia Portal R80

Log into the Gaia Portal:
    Username: admin
    Password: Chkp!234
The system displays the Gaia Portal Overview page.

10. In the Navigation pane of Gaia Portal, navigate to Maintenance > System Backup:

Figure 284 — Maintenance - System Backup

11. In the System Backup page, locate the Scheduled Backup section.
12. Click the Add Scheduled Backup button.
13. Use the information below to schedule a backup of the Security Management Server:
    Backup Name: MGMT_Daily
    Backup Type: FTP Server
    IP Address: 10.1.1.201
    Username: anonymous
    Password: Chkp!234
    Upload Path: /share/
    Backup Schedule: Daily 23:59

Figure 285 — New Scheduled Backup

NOTE: This will fail if an FTP server is not configured on A-GUI.

14. Click Add, and the system displays the MGMT_Daily backup in the Scheduled Backups list:

Figure 286 — Maintenance > System Backup

15. Log out of Gaia Portal.

Managing Scheduled Security Gateway Backups

Use SmartConsole to back up the Alpha Security Gateway cluster members.

1. In the Navigation bar, select Gateways & Servers:

Figure 287 — Gateways & Servers

2. Select the A-GW-Cluster object.
3. Click the Actions drop-down menu:

Figure 288 — Actions Menu

4. Select System Backup.
5. In the System Backup window, select the following option:
    • The following backup server
6. Use the information below to configure the backup server settings:
    Server: A-GUI
    Protocol: FTP
    Username: administrator
    Password: Chkp!234
    Path: /share/

Figure 289 — System Backup

7. Click OK.
8. On Day 2 of this course, verify that the following machines have backups on A-GUI:
    • A-SMS
    • A-GW-01
    • A-GW-02

NOTE: The A-SMS backup was scheduled in an earlier lab to begin at 23:59.
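Step 8 above asks you to confirm that A-SMS, A-GW-01 and A-GW-02 each have a backup on A-GUI. The following Python script is an added example, not part of the lab manual: it checks a directory holding the uploaded backups for a recent, fully readable .tgz archive per host. The file-name pattern (names that start with backup_ and contain the host name), the 24-hour freshness window and the function names are assumptions.

```python
import sys
import tarfile
import time
import zlib
from pathlib import Path

# Hosts that step 8 expects to find on the backup share.
EXPECTED_HOSTS = ("A-SMS", "A-GW-01", "A-GW-02")
# Assumption: backups run daily, so anything older than 24 hours is stale.
MAX_AGE_SECONDS = 24 * 3600


def archive_is_readable(path):
    """Return True if the gzip-compressed tar can be walked end to end.

    Iterating over every member forces the gzip stream to be decompressed
    up to the last header, so a truncated or interrupted FTP upload is
    detected instead of being counted as a good backup.
    """
    try:
        with tarfile.open(path, mode="r:gz") as tar:
            members = sum(1 for _ in tar)
        # An archive with no members is treated as unusable.
        return members > 0
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False


def check_backups(share_dir, hosts=EXPECTED_HOSTS, now=None,
                  max_age=MAX_AGE_SECONDS):
    """Map each host to 'ok', 'missing', 'stale' or 'corrupt'."""
    now = time.time() if now is None else now
    share = Path(share_dir)
    report = {}
    for host in hosts:
        # Assumption: archive names start with "backup_" and embed the host name.
        candidates = [p for p in share.glob("backup_*.tgz")
                      if host.lower() in p.name.lower()]
        if not candidates:
            report[host] = "missing"
            continue
        # Only the newest archive per host is judged.
        newest = max(candidates, key=lambda p: p.stat().st_mtime)
        if now - newest.stat().st_mtime > max_age:
            report[host] = "stale"
        elif not archive_is_readable(newest):
            report[host] = "corrupt"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    # Usage: python check_backups.py <path to the backup share>
    results = check_backups(sys.argv[1] if len(sys.argv) > 1 else ".")
    for host, status in results.items():
        print(f"{host:10} {status}")
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

The non-zero exit status makes the script usable from a scheduled task that raises an alert when any host is missing, stale or corrupt.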
Performing Backup via CLI

Use the CLI to create a backup of the B-GW, save it locally, and restore it.

1. Log into the B-GW.

Figure 290 — B-GW

2. At the prompt, type the following command and press Enter:
    add backup local

Figure 291 — add backup local

3. Type the following command and press Enter:
    show backup status

Figure 292 — show backup status

4. Enter Expert mode:

Figure 293 — expert

5. Type the following command and press Enter:
    set expert-password
6. Type and confirm the following password:
    chkp1234

Figure 294 — set expert-password

7. Enter Expert mode.
8. Navigate to the following location:
    cd /var/log/CPbackup/backups

Figure 295 — cd /var/log/CPbackup/backups

9. Type the following and press Enter:
    ls -lh

Figure 296 — ls -lh

10. Note the backup file name. Exit Expert mode.
11. Type the following command and press Enter:
    set backup restore local backup_[backup file name]

Figure 297 — set backup restore local

12. Exit Clish.

END OF LAB 2.5

Lab 3.1: Defining Access Control Policy Layers

In SmartConsole, assign layers to the Access Control policy in the Alpha_Standard policy package. Then, specify A-GW-Cluster as the installation target for the policy package.

Tasks:
    • Assign layers to an existing Security Policy.
    • Specify an installation target gateway.

Performance Objectives:
    • Assign the Application Control layer to an existing Security Policy.

Assigning Layers to an Existing Security Policy

Add the Application Control & URL Filtering layer to the Standard Security Policy.

1. In the Navigation bar, select Security Policies.
2. In the Navigation pane, right-click Access Control > Policy:

Figure 298 — Security Policies - Access Control

3.
Select Edit Policy, and the system displays the Policy window:

Figure 299 — Policy

4. Clear the Threat Prevention option, if it is selected:

Figure 300 — Policy

5. In the Access Control section, click the + icon.
6. Verify that no additional layers are displayed:

Figure 301 — Access Control Layers

7. Click the New Layer button, and the system displays the Layer Editor window:

Figure 302 — Layer Editor

8. Use the information below to configure the Layer Editor window:
    Name: AppCtrl
    Comment: Application Control Layer
    Blades: Applications & URL Filtering
    Tag: Alpha

Figure 303 — Layer Editor

9. Click OK, and the system adds the new layer to the Access Control policy:

Figure 304 — Policy - Layer Added

NOTE: In this example we clear the Firewall option for this layer, even though it is selected by default. This is because it already exists in the first blade. By separating the Application Control & URL Filtering layer, it can be reordered when additional blades are added. In either case, the Network layer is always applied first during inspection.

10. Open the Network layer by double-clicking it.
11. Add the tag Alpha:
Figure 305 — Layer Editor

12. Click OK.

Specifying an Installation Target Gateway

Edit the Alpha Security Policy package and define a specific target for installation.

1. Select Installation Targets from the Navigation pane:

Figure 306 — Policy

2. Select the Specific gateways radio button option and then click the + icon.
3. Click the + icon next to A-GW-Cluster to add it to the list. Exit the Gateways selector.

Figure 307 — Policy

4. Click OK:

Figure 308 — Security Policies - Access Control

END OF LAB 3.1

Lab 3.2: Implementing Application Control and URL Filtering

After enabling the Application Control and URL Filtering software blades, create a rule to block specific applications. Then, review the logs to see what traffic was dropped by this rule.

Tasks:
    • Configure the Application Control & URL Filtering Rule Base.
    • Create a rule to block specific applications.
    • Review dropped traffic.

Performance Objectives:
    • Understand how to enable the Application Control and URL Filtering software blades to block access to various applications.

Configuring the Application Control & URL Filtering Rule Base

Configure a rule that will block Skype and display a UserCheck message.

1.
From A-Host, navigate to https://www.skype.com/en/:

Figure 309 — Skype

2. In SmartConsole, select Gateways & Servers from the Navigation bar.
3. Right-click A-GW-Cluster and select Edit.
4. Ensure the following software blades are enabled:
    • IPSec VPN
    • Application Control
    • URL Filtering
    • IPS

Figure 310 — Gateway Cluster - General Properties

5. Click OK.
6. In the Navigation bar, click Security Policies > Access Control > Policy > AppCtrl:

Figure 311 — Security Policies - Access Control - AppCtrl

7. Right-click on the Application Control policy layer and select Edit Policy:

Figure 312 — Security Policies - Access Control - AppCtrl

8. The Policy window appears:

Figure 313 — Policy

9. Click on the menu for the Application Control policy layer and select Edit Layer:

Figure 314 — Layer Editor

10. Click Advanced in the Navigation pane:

Figure 315 — Layer Editor

11. Select Accept as the Implicit Cleanup rule:
Figure 316 — Layer Editor

12. Click OK.
13. Click OK:

Figure 317 — Alpha_Standard Policy Package

Creating a Rule to Block an Application

Create the Block Bad Stuff rule to block the following applications:
    • Anonymizer
    • Botnets
    • P2P File Sharing
    • Facebook-chat
    • Skype
    • WhatsApp Messenger-file transfer

1. Change the Cleanup rule according to the following table:
    Name: Log Everything
    Source: Any
    Destination: Any
    VPN: Any
    Action: Accept
    Track: Log
    Install On: A-GW-Cluster
2. Add a rule above the Log Everything rule:

Figure 318 — New Rule

3. Configure the new rule as follows:
    Name: Block Bad Stuff
    Source: Any
    Destination: Internet
    VPN: Any
    Services & Applications: Any
    Action: Drop
    Track: None
    Install On: Policy Targets

Figure 319 — Block Bad Stuff Rule

4. Click the + icon in the Services & Applications column of the Block Bad Stuff rule:
Figure 320 — Services and Applications

5. Search for and add these additional Services & Applications:
    • Spyware / Malicious Sites
    • Anonymizer
    • Botnets
    • P2P File Sharing
    • Facebook-chat
    • Skype
    • WhatsApp Messenger-file transfer

Figure 321 — Services and Applications

6. Exit the Services & Applications selector:

Figure 322 — Block Bad Stuff Rule

7. Right-click in the Action field and select Drop and then select Blocked Message - Access Control:

Figure 323 — Block Bad Stuff Rule

8. Hover over Blocked Message - Access Control:

Figure 324 — Block Bad Stuff Rule

9. Click the Edit icon:

Figure 325 — Drop

10.
Click the Add Logo drop-down menu and select the Check Point image:

Figure 326 — Drop

11. Click OK.
12. Re-configure the Block Bad Stuff rule as follows:
    Track: Log
    Install On: A-GW-Cluster

Figure 327 — Block Bad Stuff Rule

13. Add a new rule below the Block Bad Stuff rule and configure it as follows:
    Name: Streaming
    Destination: Internet
    VPN: Any
    Services & Applications: Streaming Media Protocols
    Action: Drop; Blocked Message - Access Control
    Track: Log
    Install On: A-GW-Cluster

Figure 328 — Streaming Rule

14. Publish the changes:

Figure 329 — SmartConsole

15. Install Policy:

Figure 330 — Install Policy

16. Navigate to https://skype.com/:

Figure 331 — Skype

Reviewing Dropped Traffic

Review logs to verify which traffic was dropped by the Block Bad Stuff rule.
1. Select Logs & Monitor from the Navigation bar:

Figure 332 — Logs & Monitor - Logs

2. Open the log that logged traffic from A-Host (192.168.11.201) to 40.121.80.200 and was blocked by the Block Bad Stuff rule:

Figure 333 — Log Details

END OF LAB 3.2

Lab 3.3: Defining and Sharing Security Policy Layers

Define an Application Control and URL Filtering layer for the Bravo Security Policy. Once the Rule Base for the new layer is configured, share the layer, so that it can be used in the Alpha Security Policy.

Tasks:
    • Add an Access Control layer to the Bravo Security Policy.
    • Configure the Application Control and URL Filtering Rule Base.
    • Share the new Bravo layer in the Alpha Security Policy.

Performance Objectives:
    • Demonstrate how to share a layer between Security Policies.

Adding a New Access Control Layer

Add an Application Control & URL Filtering layer to the Bravo Security Policy.

1. Navigate to the Bravo_Standard policy package:

Figure 334 — Security Policies - Access Control

2. Under Access Control, right-click Policy and select Edit Policy:

Figure 335 — Policy

3. In the Access Control section, click the + icon.
The system displays the following:

Figure 336 — Manage Layers

4. Click the New Layer button.
5. Configure the new layer as follows:
    Name: URL_Filter
    Comment: URL Filtering
    Blades: Applications & URL Filtering
    Multiple policies can use this layer: Selected
    Tag: Alpha/Bravo

Figure 337 — Layer Editor - General

6. In the Navigation pane, click Advanced.
7. In the Implicit Cleanup Rule section, select the following option:
    • Accept

Figure 338 — Layer Editor - Advanced

8. Click OK, and the system adds the new layer to the Bravo_Standard policy package:

Figure 339 — Policy - General Configured

9. Click OK, and the system adds the new layer to the Bravo_Standard policy package.

Configuring the Application Control & URL Filtering Policy Layer

Now that you have created a new policy layer for Bravo, define a rule that will prevent web browsing categories your company feels should be prohibited at work.

1. In the Navigation pane, select the URL_Filter policy layer.
2. Change the Cleanup rule according to the following table:
    Name: Log Everything
    Source: Any
    Destination: Any
    VPN: Any
    Services & Applications: Any
    Action: Accept
    Track: Log
    Install On: Policy Targets
3. Add a new rule above the Log Everything rule.
4. Use the information below to configure the Corporate Standards rule:
    Name: Corporate Standards
    Source: Any
    Destination: Internet
    VPN: Any
    Services & Applications: Violence, Gambling, Sex
    Action: Drop; Blocked Message - Access Control
    Track: Log
    Install On: Policy Targets

Figure 340 — Corporate Standards Rule

5. In the Services & Applications field of the Corporate Standards rule, click the + icon.
6. In the Services & Applications selector, click the New icon:

Figure 341 — Security Policies - Access Control - AppCtrl

7. From the menu, select Custom Application/Site > Application/Site. The system displays the following:

Figure 342 — Application/Site - General

8. Use the information below to configure the General page:
    Name: Wrestling
    Comment: Commerce Wrestling
    Primary Category: Custom_Application
    URL List: http://www.wwe.com

Figure 344 — Corporate Standards Configured

10. Publish the database changes.
11. Click the Install Policy button:

Figure 345 — Install Policy

12. Click the Install button and verify that you do want to install a policy on B-GW that is different from the currently installed policy.

Confirming the Policy Layer Sharing

Confirm that the policy layer created in the Bravo_Standard policy package is available to be added to the Alpha_Standard policy package.

1. Navigate to the Alpha_Standard policy package.
2.
View the AppCtrl layer in the Access Control policy:

Figure 346 — Security Policies - Access Control - AppCtrl

3. Right-click Policy and select Edit Policy:

Figure 347 — Policy

4. In the Access Control section, click the + icon. The system displays the Edit Layers window:

Figure 348 — Edit Layers

5. Verify that the shared URL_Filter layer created in the Bravo_Standard policy package is available to add to the Alpha_Standard policy package.

END OF LAB 3.3

Lab 4.1: Activating the Compliance Software Blade

Enable the Compliance software blade on the A-SMS object.

Tasks:
    • Activate the Compliance software blade.

Performance Objectives:
    • Enable the Compliance software blade.

Activating the Compliance Software Blade

Enable the Compliance software blade.

1. Click Gateways & Servers in the Navigation bar.
2. Double-click the A-SMS object and enable the Compliance software blade:

Figure 349 — Check Point Host - General Properties

3. Click OK.
4. Publish the changes and install policy.

END OF LAB 4.1

Lab 4.2: Working with Licenses and Contracts

Use SmartConsole and Gaia Portal to verify license status.

Tasks:
    • Verify the status of existing licenses in SmartConsole.
    • Import licenses.
    • Attach licenses.
    • Verify the status of existing licenses in Gaia Portal.

Performance Objectives:
    • Validate existing licenses for products installed on the network.
Verifying the Status of Existing Licenses in SmartConsole

Use SmartConsole to access SmartUpdate and verify license status. SmartUpdate is used to manage licenses and packages for multi-domain servers, domain servers, gateways, and software blades.

1. In the Navigation bar, select Gateways & Servers:

Figure 350 — Gateways & Servers

2. In the objects list, verify the status of A-GW-Cluster:

Figure 351 — Gateways & Servers

3. In the Summary section, identify the license status of the participating members.
4. Click the Device & License Information hyperlink:

Figure 352 — Device & License Information - Device Status

5. In the Navigation pane, select the License Status tab:

Figure 353 — Device & License Information - License Status

6. Exit the window.
7. Click the Application menu in the toolbar:

Figure 354 — Gateways & Servers

8. Select Manage Licenses and Packages, and the system displays Check Point SmartUpdate:

Figure 355 — SmartUpdate

9. In the message, select the following option:
    • Don't show this message again
10. Click OK.
11. For each of the four objects displayed, right-click and select Get Gateway Data:

Figure 356 — Package Management

Importing Licenses

Import licenses using the Import License From File feature in SmartUpdate.

1. Select the Licenses & Contracts tab.
2.
Right-click all objects and select Get Licenses:

Figure 357 — Licenses & Contracts

3. Double-click a license file for A-SMS:

Figure 358 — License Properties

4. Check the expiration date of the license.
5. Click OK.
6. Click the Navigation menu and select Licenses & Contracts > Add License > From File:

Figure 359 — Choose License File

7. Select a file and click Open:

Figure 360 — Licenses & Contracts

8. Click OK.

Attaching Licenses

Attach a license to the B-GW.

9. Right-click the B-GW and select Attach Licenses:
10. Select a license:

Figure 362 — Attach Licenses

11. Click Attach.
12. Notice the license was successfully attached to B-GW:

Figure 363 — Licenses & Contracts

Figure 364 — Licenses & Contracts

14. Close SmartUpdate:

Figure 365 — Gateways & Servers

Verifying the Status of Existing Licenses in the Gaia Portal

Use SmartConsole to access SmartUpdate and verify license status. SmartUpdate is used to manage licenses and packages for multi-domain servers, domain servers, gateways, and software blades.

1. From A-GUI, launch a Web browser.
2. Use HTTPS to connect to A-SMS (10.1.1.101).
3.
Log into the A-SMS with the following credentials:
   Username: admin
   Password: Chkp!234

Figure 366 — Gaia Portal - Overview

4. In the Navigation pane, select Maintenance > License Status:

Figure 367 — Maintenance - Licenses

END OF LAB 4.2

Lab 5.1: Working with Check Point Logs

SmartConsole shows logs collected from all Security Gateways and Log Servers. Using the SmartConsole Logs view, you will examine real-time traffic and query log information.

Tasks:
• View live logs and perform searches to gather historic data.

Performance Objectives:
• Generate network traffic and use traffic visibility tools to monitor the data.

Viewing Logs and Log Search Results

View live logs and run a series of searches to examine historic data.

1. Generate HTTP traffic from A-Host (192.168.11.201) and A-GUI (10.1.1.201) to the Internet.
2. In the Navigation bar, select Logs & Monitor:

Figure 368 — Logs & Monitor - Logs

3. Double-click a drop log, to view the log details:

Figure 369 — Log Details

4. In the Tops pane, select Top Blades > URL Filtering:

Figure 370 — Logs & Monitor - Logs

5. Identify the type of logs appearing for the Threat Emulation software blade.
6. Clear the search criteria.
7. In the search field, type the following address:
   192.168.11.201

Figure 371 — Logs & Monitor - Logs

8. Review the traffic going to and from A-Host (192.168.11.201).
9.
Double-click a log, to view the details:

Figure 372 — Log Details

10. Next, initiate a search with the following criteria:
    192.168.11.201, http

Figure 373 — Logs & Monitor - Logs

11. Clear the search criteria.
12. In the Tops pane, select Top Sources:

Figure 374 — Logs & Monitor - Logs

13. Clear the search criteria.
14. In the Tops pane, select Top Services > http:

Figure 375 — Logs & Monitor - Logs

15. Next, select Top Firewall Rules.
16. Double-click a log, to view the details.
17. Click on the rule located in the Policy section of the Details tab:

Figure 376 — Log Details

18. The Security Policies tab appears, displaying the Access Control policy with the selected rule highlighted:

Figure 377 — Security Policies - Access Control

END OF LAB 5.1

Lab 5.2: Maintaining Check Point Logs

To maintain the large amount of logs collected on the Security Management Server, you will configure the system to create a new log file at midnight each day and create a new file when the current file exceeds a set file size.

Tasks:
• Schedule daily log switching and file size limitations.
Performance Objectives:
• Utilize various traffic visibility tools to maintain Check Point logs.

Scheduling Log Maintenance

Configure the system to create a new log file when the current log file gets too large or at midnight every day.

1. Open the Objects menu and click the Object Explorer option:

Figure 378 — Security Policies - Access Control

2. The Object Explorer window appears:

Figure 379 — Object Explorer

3. Double-click the A-SMS network object, and the system displays the General Properties window of the Check Point host:

Figure 380 — Check Point Host - General Properties

4. In the Navigation pane, select Logs:

Figure 381 — Check Point Host - Logs

NOTE
Log Indexing is enabled by default. This allows you to search historic data for log records more quickly.

5.
In the Navigation pane, select Logs > Additional Logging Configuration:

Figure 382 — Check Point Host - Logs - Additional Logging Configuration

6. In the Log Files section, select the following options:
   • Create a new log file when the current file is larger than 100 MBytes
   • Create a new log file on scheduled times

Figure 383 — Check Point Host - Logs - Additional Logging Configuration

7. In the Create a new log file on scheduled times drop-down list, select Midnight.

Figure 384 — Check Point Host - Logs - Additional Logging Configuration

8. Click OK, exit the Object Explorer window, and publish the changes.

Figure 385 — Publish Window

9. From the Application menu, select Install Database:

Figure 386 — Install Database Window

10. Click Install.
11.
Install policy:

Figure 387 — Install Policy

END OF LAB 5.2

Lab 6.1: Configuring a Site-to-Site VPN Between Alpha and Bravo

In this lab, you will define a site-to-site VPN between the corporate and branch office Gateways. This is an example of a certificate VPN based on the SmartCenter Internal Certificate Authority (ICA).

Tasks:
• Define the VPN domain.
• Create the VPN community.
• Create the VPN rule and modify the Rule Base.
• Test VPN Connection.

Performance Objectives:
• Configure and deploy a site-to-site VPN.
• Test the VPN connection and analyze the tunnel traffic.

Defining the VPN Domain

Define the networks to and from which traffic should be sent encrypted.

1. In SmartConsole, open the A-GW-Cluster object.
2. In the Navigation pane, select Network Management > VPN Domain. In the VPN Domain section, select Manually defined.
3. Select the A-INT-Net object:

Figure 388 — Gateway Cluster - Network Management - VPN Domain

4. In the Navigation pane, select IPSec VPN > Link Selection.
5. In the IP Selection by Remote Peer section, select the following options:
   • Always use this IP address
   • Selected address from topology table: 203.0.113.1
6. In the Outgoing Route Selection section, select the Operating system routing table option:

Figure 389 — Gateway Cluster - IPSec VPN - Link Selection

7. Click OK.
8. Double-click the B-GW object.
9. In the Navigation pane, select Network Management > VPN Domain. In the VPN Domain section, select Manually defined.
10. Select the B-INT-Net object:

Figure 390 — Check Point Gateway - Network Management - VPN Domain

11. In the Navigation pane, select IPSec VPN > Link Selection.
12. In the IP Selection by Remote Peer section, select the following options:
    • Always use this IP address
    • Selected address from topology table: 203.0.113.1
13. In the Outgoing Route Selection section, select the Operating system routing table option:

Figure 391 — Check Point Gateway - IPSec VPN - Link Selection

14. Click OK.
15. Publish the changes and name the session Corporate-VPN.

Creating the VPN Community

Define the VPN community that specifies how encryption takes place.

1. From the Objects menu, select More Objects Types > VPN Community > New Meshed Community:

Figure 392 — Security Policies - Access Control

2. Configure the community object as follows:
   Name: MyIntranet
   Comment: Alpha-Bravo Mesh
   Tags: Alpha Bravo
3. In the Participating Gateways section, click the + icon, and the system displays the following:

Policy > AppCtrl.

3. Add a new rule to the top of the Rule Base:
4.
Configure the Marketing Access rule as follows:
   Name: Marketing Access
   Source: Any
   Destination: Any
   VPN: Any
   Services & Applications: Any
   Action: Drop
5. In the Source field of the Marketing Access rule, click the + icon:

Figure 423 — Security Policies - Access Control - AppCtrl

Lab 7.1: Providing User Access

6. Click the New icon and select New Access Role, and the system displays the following:

Figure 424 — New Access Role - Networks

7. Use the following information to configure the access role:
   Name: Marketing
   Comment: Marketing Group Access Role
   Specific Networks: A-INT-NET
8. In the Navigation pane, select Users.
9. Add to the list the Odd group:

Figure 425 — New Access Role - Users

NOTE
You must select a user group.

10. Click OK, to create the new Access Role and add it to the new rule.
11. Re-configure the Marketing Access rule:
    Services & Applications: Skype, YouTube, Facebook, Twitter, Snapchat
    Action: Accept
    Track: Log
12. Publish the changes.
13. Next, right-click the Accept icon in the Action field of the Marketing Access rule:

Figure 426 — Security Policies - Access Control - AppCtrl

14. Select More, and the system displays the Action Settings window.
15. Select the following option:
    • Enable Identity Captive Portal

Figure 427 — Action Settings

16.
Click OK, and the system modifies the Action field of the Marketing Access rule:

Figure 445 — Manage & Settings - Blades

Lab 9.1: Verifying Network Compliance

2. In the Compliance section, click Inactive Objects:

Figure 446 — Inactive Objects

3. Review the results of the latest scan, and consider the following:
   • Are any Security Best Practices inactive, and why?
   • Have gateway or policy configurations been affected by changes made to the policy?
4. Click OK.

Reviewing a Compliance Scan Report

Review the results of a compliance scan.

1. Navigate to and double-click the A-SMS object.
2. Enable the Compliance software blade.
3. In the Navigation bar of SmartConsole, select Manage & Settings > Blades.
4. In the Compliance section, click Settings, and the following window will appear:

Figure 447 — Settings

5. In the Engine Status section, click Export:

Figure 448 — Save As

6. Name the file Compliance, and save it to your desktop.
7. Click OK.
8. Navigate to your desktop and double-click the compliance file.
9. Review the report results:

Figure 449 — Compliance Report

10. Close the report.
END OF LAB 9.1

Lab 9.2: Working with CPView

In this lab, you will use the CPView utility to retrieve and review basic gateway status information.

Tasks:
• Review statistics in CPView.
• Change the refresh rate of CPView.
• View historical data.
• Save CPView statistics to a file.

Performance Objectives:
• Perform periodic tasks as specified in administrator job descriptions.
• Understand how to use CPView to gather basic gateway status information.

Reviewing Statistics in CPView

Use basic navigation to identify statistics presented in CPView.

1. From A-GW-01, execute the following command:
   cpview

Figure 450 — CPView - Overview

NOTE
If running CPView on Secure Platform, it must be run in Expert mode.

2. Use the following keys to navigate inside CPView:
   Arrow Keys   Moves between menus and views and scrolls in a view.
   Home         Returns to the Overview.
   Enter        Switches to View Mode.
   Esc          Returns to the Menu Mode.
3. Navigate to the Sysinfo view and review the statistics.

Figure 451 — CPView - Sysinfo

4. In View Mode, press the Space bar to refresh the statistics.
5. In SmartConsole, select the Gateways & Servers tab:

Figure 452 — Gateways & Servers

6. Right-click the A-GW-01 object, and the system displays a menu:

Figure 453 — Gateways & Servers

7. Select Monitor, and the system displays the Device & License Information window:

Figure 454 — Device & License Information - Device Status

8. Review the details of the device status.
9. In the summary section, click the Network Activity link.
The system displays the following:

Figure 455 — Device & License Information - Device Status

10. Return to A-GW-01 and navigate to Network > Traffic:

Figure 456 — CPView - Network - Traffic

11. Compare the data displayed in SmartConsole to what is displayed in CPView.

Changing the Refresh Rate of CPView

Manually edit the setting that defines the refresh rate.

1. Press the Home button, or navigate to the Overview.

Figure 457 — CPView - Overview

2. Press R, and the system displays the following:

Figure 458 — Set refresh rate

3. Change the refresh rate to 1 second by typing 1, and press Enter.

Figure 459 — Set refresh rate

4. Confirm the refresh change.
5. Press q, to quit CPView.

Viewing Historical Data in CPView

Use CPView to see historic data from a specific date.

1. At the prompt, type the following and press Enter:
   cpview -t <[01..31] [Jan..Dec] [4-digit year] [hh:mm:ss]>

Figure 460 — cpview -t

NOTE
Date should be standard format with the four digit year. Time should be military time in hours, minutes, seconds. This is an example of how the date and time parameter should be entered: 31.12.2015 07:15:00

2. Next, execute the command without a parameter:
   cpview -t

NOTE
If no parameter is entered, the system displays the last historical data recorded.

3. Press Q, to exit CPView.

Saving Statistics to a File

Save statistical information for forensics or other use later.

1. In Expert mode, run CPView on A-GW-01 to review statistics for this cluster member:

Figure 462 — CPView - Overview

2. Navigate to the Software Blades:

Figure 463 — CPView - Software-blades - Overview

3. Press C, to save the current page to a file.
4. Press q, to exit CPView.
5. In Expert mode, view the saved file by executing the following command:
   ls

Figure 464 — ls

6. Type the following command and press Enter to view the saved file:
   cat [file name]

Figure 465 — cat [file name]

END OF LAB 9.2
