SECURITY ADMINISTRATION
Student & Lab Manual R80.10
CHECK POINT INFINITY

© 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv, Israel
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: 6530 Commerce Drive, Suite 120, Irving, TX 75063, Tel: 972-444-6612

E-mail comments or questions about our courseware to: courseware@checkpoint.com
For questions or comments about the Check Point documentation, e-mail: CP_TechPub_Feedback@checkpoint.com

Document: DOC-Manual-CCSA-R80.10
Revision: R80.10v4
Content: Joey Wilt, Vanessa Johnson
Graphics: Vanessa Johnson, Chunming Jia
Contributors (Beta Testing, Content Contribution, or Technical Review): Tim Hall (Shadow Peak, USA), Valeri Loukine (Dimension Data), and others
Special Thanks: Jeremy Ford (Check Point Software Technologies, USA), and others
Certification Exam Development: Jason Tugwell
Check Point Technical Publications Team

Table of Contents

Preface: Security Administration
  Course Layout
  Prerequisites
  Certification Title
  Course Chapters and Learning Objectives
  Sample Setup for Labs

Chapter 1: Introduction to Check Point Technology
  Concept of a Firewall
    Open Systems Interconnect Model
    Transmission Control Protocol/Internet Protocol Model
  Controlling Network Traffic
    Packet Filtering
    Stateful Inspection
    Application Layer Firewall
  Introduction to the Gaia Operating System
    Command Line Interface
    Obtaining a Configuration Lock
    WebUI
    Users
    Updates
  Lab 1.1: Working with Gaia Portal
    Reviewing and Configuring Basic Settings in the Gaia Portal
    Defining Roles and Creating Check Point Users
    Working in Expert Mode
    Applying Useful Commands
    Adding and Deleting Administrators via the CLI

Chapter 2: Security Policy Management
  The Rule Base
    Global Properties
    Sessions
    Publish Policy
  Policy Packages
    Policy Types
    Unified Policies
    Shared Policies
    Additional Policy Management Tools
  Install Policy
    Install Policy Package
  Lab 2.1: Modifying an Existing Security Policy
    Reviewing and Modifying Objects in the Check Point Security Management Architecture
    Editing and Creating Rules for the Rule Base
    Reviewing Existing Security Policy Settings
    Organizing the Rule Base
    Creating a New Host Object
    Defining a New Rule
    Publishing and Managing Revisions
  HTTPS Inspection
    Enabling HTTPS Inspection
    Inspecting HTTPS Traffic
  Lab 2.2: HTTPS Inspection
    Verifying the HTTPS Server Certificate
    Enabling and Testing HTTPS Inspection
    Distributing the Certificate
    Bypassing HTTPS Inspection
  Network Address Translation
    Hide NAT
    Static NAT
    NAT - Global Properties
  Lab 2.3: Configuring Hide and Static Network Address Translation
    Configuring Hide Network Address Translation
    Configuring Static Network Address Translation
    Testing Network Address Translation
  Administration
    Permission Profiles
    Sessions
    Database Revisions
    Concurrent Administration
  Lab 2.4: Managing Administrator Access
    Creating Administrators and Assigning Profiles
    Configuring IPS
    Testing Profile Assignments
    Managing Concurrent Administrator Sessions
    Disconnecting an Administrator Session
    Defining WiFi Access
  Managing Remote Gateways
  Lab 2.5: Installing and Managing a Remote Security Gateway
    Installing Gaia on a Remote Security Gateway
    Configuring the Branch Office Security Gateway with the First Time Configuration Wizard
    Using the Gaia Portal to Configure the Branch Office Security Gateway
    Configuring the Alpha Security Policy to Manage the Remote Security Gateway
    Creating a New Security Policy
  Backups
    Performing Backups
  Lab 2.6: Managing Backups
    Scheduling a Security Management System Backup
    Managing Scheduled Security Gateway Backups
    Performing Backup via CLI
  Review Questions

Chapter 3: Policy Layers
  Policy Layer Concept
    Policy Layers and Sub-Policies
    Managing Layers
  Lab 3.1: Defining Access Control Policy Layers
    Assigning Layers to an Existing Security Policy
    Confirming the Installation Target Gateway
  Access Control Policy Layers
    Network Policy Layer
    Application Control Policy Layer
    Creating an Application Control Policy
    Content Awareness
    Creating a Content Awareness Policy
  Lab 3.2: Implementing Application Control and URL Filtering
    Configuring the Application Control & URL Filtering Rule Base
    Creating a Rule to Block an Application
    Reviewing Dropped Traffic
  Threat Prevention Policy Layers
  Layers and Policy Packages
  Lab 3.3: Defining and Sharing Security Policy Layers
    Adding an Ordered Policy Layer
    Configuring the Content Awareness Policy Layer
    Sharing a Policy Layer
    Testing the Content Awareness Layer
    Configuring an Inline Layer
  Review Questions

Chapter 4: Check Point Security Solutions and Licensing
  Check Point Software Blade Architecture
    Security Gateway Software Blades
    Advanced Threat Prevention Software Blades
    Management Software Blades for Policy Management
    Management Software Blades for Monitoring Analysis
    Management Software Blades for
    Endpoint Software Blades
    Software Blade Packages
  Licensing Overview
    Components of a License
    Perpetual versus Subscription Blade Licenses
    Central and Local Licenses
    License Activation
    Hardware Licenses
  SmartUpdate
    SmartUpdate Architecture
    Using SmartUpdate
    Package Repository
    Managing Licenses
    Add and Install Licenses
    Attaching and Detaching Licenses
    New Licenses
    View License Properties
    Export a License
    License Status
    License Reports
    Service Contracts
  Lab 4.1: Activating the Compliance Software Blade
    Activating the Compliance Software Blade
  Lab 4.2: Working with Licenses and Contracts
    Verifying the Status of Existing Licenses in SmartConsole
    Importing Licenses
    Attaching Licenses
    Verifying the Status of Existing Licenses in the Gaia Portal

Chapter 5: Traffic Visibility
  Analyzing Logs
    Collecting Information
    Deploy Logging
    Configure Logging
    SmartConsole Logs View
    Tracking Rules
    Examining Logs
    Pre-defined Log Queries
    Query Language Overview
  Lab 5.1: Working with Check Point Logs
    Viewing Logs and Log Search Results
  Monitoring Traffic and Connections
    SmartView Monitor and SmartConsole
    Monitoring and Handling Alerts
    Monitoring Suspicious Activity Rules
    Monitoring Gateway Status
    Users View
    System Counters View
    Tunnels View
    Traffic View
  Lab 5.2: Maintaining Check Point Logs
    Scheduling Log Maintenance
  Review Questions

Chapter 6: Basic Concepts of VPN
  Introduction to VPN
    IPSec VPN
    VPN Components
    VPN Deployments
    Site-to-Site VPN Deployment
    Remote Access VPN Deployment
  VPN Communities
    Meshed VPN Community
    Star VPN Community
    Combination VPN Communities
    Remote Access VPN Community Object
  Access Control for VPN Connections
    Allow All Connections
    Allow All Site-to-Site VPN Connections
    Allow Specific VPN Communities
    Site-to-Site Communities - Allow All Encrypted Traffic
  Tunnel Management and Monitoring
    Permanent VPN Tunnels
    Tunnel Testing
    Monitoring VPN Tunnels
  Lab 6.1: Configuring a Site-to-Site VPN Between Alpha and Bravo
    Defining the VPN Domain
    Creating the VPN Community
    Creating the VPN Rule and Modifying the Rule Base
    Testing the VPN
  Review Questions

Chapter 7: Managing User Access
  Overview of User Management Components
    User Directory
    Identity Awareness
    Active Directory (AD) Query
    Browser-Based Authentication
    Terminal Server Identity Agents
    Endpoint Identity Agents
    RADIUS
    Remote Access
    How to Choose an Identity Source
  Managing Users
    SmartConsole and User Database
    LDAP and User Directory
  Authenticating Users
    Authentication Schemes
  Managing User Access
    Access Roles
    Rule Base
    Captive Portal for Guest Access
  Lab 7.1: Providing User Access
    Configuring the Security Policy for Identity Awareness
    Defining the User Access Role
    Testing Identity Awareness Connection
    Controlling Tablet Access Through Captive Portal (Optional)
  Review Questions

Chapter 8: Working with ClusterXL
  Overview of ClusterXL
    ClusterXL Deployments
    High Availability Deployment
    Failovers
    Performing a Manual Failover

Appendix A: Questions and Answers
  Chapter 1: Introduction to Check Point Technology
  Chapter 2: Security Policy Management
  Chapter 3: Policy Layers
  Chapter 4: Check Point Security Solutions and Licensing
  Chapter 5: Traffic Visibility
  Chapter 6: Basic Concepts of VPN
  Chapter 7: Managing User Access
  Chapter 8: Working with ClusterXL
  Chapter 9: Administrator Task Implementation

Preface: Security Administration

Welcome to the Security Administration course. This course provides an understanding of the basic concepts and skills necessary to configure Check Point Security Gateway and Management Software Blades. During this course, you will configure a Security Policy and learn about managing and monitoring a secure network. In addition, you will upgrade and configure a Security Gateway to implement a Virtual Private Network (VPN) for both internal and external remote users.

Preface Outline
• Course layout
• Prerequisites
• Certification title
• Course chapters and learning objectives
• Sample setup for labs

Course Layout

This course is designed for Security Administrators, Check Point resellers, and those who are working towards their Check Point Certified Cyber Security Administrator (CCSA) certification.
The following professionals benefit most from this course:
• System Administrators
• Support Analysts
• Network Engineers

Prerequisites

Before taking this course, we strongly suggest you have the following knowledge base:
• General knowledge of TCP/IP
• Working knowledge of Windows and/or UNIX
• Working knowledge of network technology
• Working knowledge of the Internet

Certification Title

The current Check Point Certified Cyber Security Administrator (CCSA) certification is designed for partners and customers seeking to validate their knowledge of Check Point's Software Blade products.

Course Chapters and Learning Objectives

Chapter 1: Introduction to Check Point Technology
• Interpret the concept of a Firewall and understand the mechanisms used for controlling network traffic.
• Describe the key elements of Check Point's unified Security Management Architecture.
• Recognize SmartConsole features, functions, and tools.
• Understand Check Point deployment options.
• Describe the basic functions of the Gaia operating system.

Chapter 2: Security Policy Management
• Describe the essential elements of a Security Policy.
• Understand how traffic inspection takes place in a unified Security Policy.
• Summarize how administration roles and permissions assist in managing policy.
• Recall how to implement Check Point backup techniques.

Chapter 3: Policy Layers
• Understand the Check Point policy layer concept.
• Recognize how policy layers affect traffic inspection.

Chapter 4: Check Point Security Solutions and Licensing
• Recognize Check Point security solutions and products and how they work to protect your network.
• Understand licensing and contract requirements for Check Point security products.

Chapter 5: Traffic Visibility
• Identify tools designed to monitor data, determine threats, and recognize opportunities for performance improvements.
• Identify tools designed to respond quickly and efficiently to changes in gateways, tunnels, remote users, traffic flow patterns, and other security activities.

Chapter 6: Basic Concepts of VPN
• Understand Site-to-Site and Remote Access VPN deployments and communities.
• Understand how to analyze and interpret VPN tunnel traffic.

Chapter 7: Managing User Access
• Recognize how to define users and user groups.
• Understand how to manage user access for internal and external users.

Chapter 8: Working with ClusterXL
• Understand the basic concepts of ClusterXL technology and its advantages.

Chapter 9: Administrator Task Implementation
• Understand how to perform periodic administrator tasks as specified in administrator job descriptions.

Sample Setup for Labs

Most lab exercises will require you to manipulate machines in your network; other labs will require interaction with the instructor's machines.

Figure 1 — Check Point R80.10 CCSA Lab Topology

Chapter 1: Introduction to Check Point Technology

Check Point technology addresses network deployments and security threats while providing administrative flexibility and accessibility. To accomplish this, Check Point uses a unified Security Management Architecture and the Check Point Firewall. These Check Point features are further enhanced with the SmartConsole interface and the Gaia operating system. The following chapter provides a basic understanding of these features and enhancements.

Learning Objectives
• Interpret the concept of a Firewall and understand the mechanisms used for controlling network traffic.
• Describe the key elements of Check Point's unified Security Management Architecture.
• Recognize SmartConsole features, functions, and tools.
• Understand Check Point deployment options.
• Describe the basic functions of the Gaia operating system.
Concept of a Firewall

Firewalls are the core of a strong network Security Policy. They control the traffic between internal and external networks. Firewalls can be hardware, software, or a combination of both, and are configured to meet an organization's security needs. When connecting to the Internet, protecting the network against intrusion is of critical importance. The most effective way to secure the Internet link is to put a Firewall system between the local network and the Internet. The Firewall ensures that all communication between an organization's network and the Internet conforms to the organization's Security Policy.

Open Systems Interconnect Model

To understand the concept of a basic Firewall, it is beneficial to examine the aspects of the Open Systems Interconnect (OSI) Model. The OSI Model describes network communication between computer systems and network devices, such as Security Gateways. It governs how network hardware and software work together and illustrates how different protocols fit together. It can be used as a guide for implementing network standards.

The OSI Model is comprised of seven layers. The bottom four layers govern the establishment of a connection and how the packet will be transmitted. The top three layers of the model determine how end user applications communicate and work. The Check Point Firewall kernel module inspects packets between the Data Link and Network layers. Depending on the traffic flow and service, inspection may span multiple layers.

Figure 2 — OSI Model (Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link, Layer 1 Physical)

The OSI Model layers are described as follows:

Layer 1 — Represents the physical communication links or media and the hardware they require, such as Ethernet cards, DSL modems, cables, and hubs.

Layer 2 — Represents where network traffic is delivered on the Local Area Network (LAN); this is where identification of a single specific machine takes place.
Media Access Control (MAC) addresses are assigned to network interfaces by their manufacturers. An Ethernet address belonging to an Ethernet card is a layer 2 MAC address. An example of a physical device operating in this layer is a switch.

Layer 3 — Represents where delivery of network traffic on the Internet takes place; addressing in this layer is referred to as Internet Protocol (IP) addressing and creates unique addresses, except when NAT is employed. NAT makes it possible to address multiple physical systems by a single layer 3 IP address. An example of a physical device operating in this layer is a router.

Layer 4 — Represents where specific network applications and communication sessions are identified; multiple layer 4 sessions may occur simultaneously on any given system with other systems on the same network. Layer 4 is responsible for flow control of data transferring between end systems. This layer introduces the concept of ports, or endpoints.

Layer 5 — Represents where connections between applications are established, maintained, and terminated. This layer sets up the communication through the network. The Session layer allows devices to establish and manage sessions. A session is the persistent logical linking of two software application processes.

Layer 6 — Represents where data is converted into a standard format that the other layers can understand. This layer formats and encrypts data to be sent across the network. The Presentation layer is responsible for presenting the data; it defines the format for data conversion. Encoding and decoding capabilities allow for communication between dissimilar systems.

Layer 7 — Represents end user applications and systems. Application protocols are defined at this level and are used to implement specific user applications and other high-level functions.
Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) are examples of application protocols. It is important to understand that the Application layer is usually part of the operating system and not necessarily part of the application in use.

NOTE: Distinctions among layers 5, 6, and 7 are not always clear. Some models combine these layers.

The more layers a Firewall is capable of covering, the more thorough and effective the Firewall. Advanced applications and protocols can be accommodated more efficiently with additional layer coverage. In addition, advanced Firewalls, such as Check Point's Security Gateways, can provide services that are specifically oriented to the user, such as authentication techniques and logging the events of specific users.

Transmission Control Protocol/Internet Protocol Model

The Transmission Control Protocol/Internet Protocol (TCP/IP) Model is a suite of protocols which work together to connect hosts and networks to the Internet. Whereas the OSI Model conceptualizes and standardizes how networks should work, TCP/IP actually serves as the industry-standard networking method that a computer uses to access the Internet. TCP/IP protocols support communications between any two different systems in the form of a client-server architecture. The model name is based on its two most dominant protocols, but the suite consists of many additional protocols and a host of applications. Each protocol resides in a different layer of the TCP/IP Model.

The TCP/IP Model consists of four core layers that are responsible for its overall operation: the Network Interface layer, the Internet layer, the Transport layer and the Application layer. Each layer corresponds to one or more layers of the OSI Model.
These core layers support many protocols and applications.

Figure 3 — TCP/IP Model (Application Layer, Transport Layer, Internet Layer, Network Interface Layer)

The TCP/IP Model layers are described as follows:

• Network Interface layer — Corresponds to the Physical and Data Link layers of the OSI Model. It deals with all aspects of the physical components of network connectivity, connects with different network types, and is independent of any specific network media.

• Internet layer — Manages the routing of data between networks. The main protocol of this layer is IP, which handles IP addressing, routing, and packaging functions. IP tells the packet where to go and how to get there. The packets are transported as datagrams, which allow the data to travel along different routes to reach its destination. Each destination has a unique IP address assigned. The Internet layer corresponds to the Network layer of the OSI Model.

• Transport layer — Manages the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the targeted application. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the core protocols of the Transport layer. TCP ensures reliable transmission of data across connected networks by acknowledging received packets and verifying that data is not lost during transmission. UDP also carries application data between hosts, but it does not acknowledge or retransmit, so delivery is not guaranteed. The Transport layer corresponds to the Transport layer of the OSI Model.

• Application layer — Encompasses the responsibilities of the Session, Presentation, and Application layers of the OSI Model. It defines the protocols that are used to exchange data between networks and how host programs interact with the Transport layer. The Application layer allows the end user to access the targeted network application or service.
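The encapsulation described above, as an added example that is not part of the manual: the Python script below builds one constructed Ethernet/IPv4/UDP/DNS frame (every MAC address, IP address, port, transaction ID and query name in it is made up) and then decodes it from the Network Interface layer upward, returning the fields that each TCP/IP layer owns. It also verifies the IPv4 header checksum, and its five_tuple() helper picks out the fields a packet filter acts on, which the next section discusses.

```python
"""Decode a constructed Ethernet/IPv4/UDP/DNS frame layer by layer.

Added example, not from the Check Point manual. The MAC addresses, IP
addresses, ports, DNS transaction ID and query name are all made up.
"""
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (16-bit words)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame() -> bytes:
    """Constructed sample: a DNS A query for example.com from 10.1.1.201 to 8.8.8.8."""
    # Application layer (OSI 5-7): DNS header, one question, type A, class IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    for label in b"example.com".split(b"."):
        dns += bytes([len(label)]) + label
    dns += b"\x00" + struct.pack("!HH", 1, 1)
    # Transport layer (OSI 4): UDP header; a zero checksum is permitted for UDP over IPv4
    udp = struct.pack("!HHHH", 51000, 53, 8 + len(dns), 0)
    # Internet layer (OSI 3): IPv4 header, checksum computed over the header itself
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns),
                     0xABCD, 0x4000, 64, 17, 0,
                     socket.inet_aton("10.1.1.201"), socket.inet_aton("8.8.8.8"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Network Interface layer (OSI 1-2): Ethernet II, EtherType 0x0800 = IPv4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp + dns


def decode_frame(frame: bytes) -> dict:
    """Peel the frame apart from the lowest layer upward; each key is one TCP/IP layer."""
    layers = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["network_interface"] = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
                                   "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers                      # not IPv4: nothing above layer 2 to decode here
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _hsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["internet"] = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
                          "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                          # summing a header that already carries its checksum yields 0
                          "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != 17:
        return layers                      # only UDP is decoded in this example
    udp = ip[ihl:total_len]
    sport, dport, ulen, _usum = struct.unpack("!HHHH", udp[:8])
    layers["transport"] = {"protocol": "UDP", "src_port": sport, "dst_port": dport, "length": ulen}
    payload = udp[8:ulen]
    if 53 in (sport, dport) and len(payload) >= 12:
        txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
        labels, pos = [], 12
        while payload[pos]:                # DNS name: length-prefixed labels, 0 terminates
            n = payload[pos]
            labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
        layers["application"] = {"protocol": "DNS", "id": txid, "is_query": not (flags & 0x8000),
                                 "questions": qdcount, "qname": ".".join(labels),
                                 "qtype": qtype, "qclass": qclass}
    return layers


def five_tuple(layers: dict) -> tuple:
    """The fields a packet filter matches on: addresses, protocol and ports."""
    net, tr = layers["internet"], layers["transport"]
    return (net["src"], net["dst"], tr["protocol"], tr["src_port"], tr["dst_port"])


if __name__ == "__main__":
    decoded = decode_frame(build_frame())
    for layer, fields in decoded.items():
        print(f"{layer:18} {fields}")
    print("5-tuple:", five_tuple(decoded))
```

Each dictionary key corresponds to one TCP/IP layer; the Ethernet and IPv4 headers stop at the Network Interface and Internet layers, the UDP ports belong to the Transport layer, and only the DNS fields at the top are application data. A Security Gateway that inspects "between the Data Link and Network layers" sees the frame at the point where the Ethernet header has been parsed and the IP header is about to be.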
Controlling Network Traffic

Managing Firewalls and monitoring network traffic is the key role of a network Security Administrator. Effectively controlling network traffic helps to improve overall network performance and organizational security. The Firewall, or the Security Gateway with a Firewall enabled, will deny or permit traffic based on rules defined in the Security Policy. The following technologies are used to deny or permit network traffic:
• Packet Filtering
• Stateful Inspection
• Application Layer Firewall

Packet Filtering

Packet Filtering examines each packet in isolation. Messages are broken down into packets that include the following elements:
• Source address
• Destination address
• Source port
• Destination port
• Protocol

Figure 4 — Packet Filtering. Pros: application independence, high performance, scalability. Cons: low security; no screening above the Network layer (no state or application context information).

Packet Filtering is the most basic form of a Firewall. Its primary purpose is to control access to specific network segments as directed by a preconfigured set of rules, or Rule Base, which defines the traffic permitted access. Packet Filtering usually functions in the Network and Transport layers of the network architecture. Packets are individually transmitted to their destination through various routes. Once the packets have reached their destination, they are reassembled into the original message.

Stateful Inspection

Stateful Inspection analyzes a packet's source and destination addresses, source and destination ports, protocol, and content. With Stateful Inspection, the state of the connection is monitored and state tables are created to compile the information.
State tables hold the information needed to track the traffic passing through a Security Gateway. As a result, filtering takes into account context established by previous packets that passed through the Firewall. For example, Stateful Inspection provides a security measure against port scanning: a packet arriving for a port is accepted only if it belongs to a connection already recorded in the state table or matches an explicit rule, so unsolicited probes to other ports are dropped.

Figure 5 — Stateful Inspection. Pros: good security, full application-layer awareness, high performance, extensibility, scalability.

Check Point's INSPECT Engine, which is installed on a Security Gateway, is used to extract state-related information from the packets and store that information in state tables. State tables are key components of the Stateful Inspection technology because they are vital in maintaining the state information needed to correctly inspect packets. When new packets arrive, their contents are compared to the state tables to determine whether they are denied or permitted.

NOTE: Stateful Inspection technology was developed and patented by Check Point.
State tables are covered in more detail in the CCSE course.

Stateful Inspection versus Packet Filtering

Stateful Inspection differs from Packet Filtering in that it examines not only a packet's header but also the content of the packet up through the Application layer, to determine more about the packet than just its source and destination. In addition, Packet Filtering requires creating two rules for each user or computer that needs to access resources. For example, if a computer with IP address 10.1.1.201 needs to access 8.8.8.8 on the Internet for DNS, an outgoing rule is needed for the request to the server on the Internet and a second rule is required for the incoming reply to the same connection. Stateful Inspection eliminates the need for the second rule: the Firewall remembers each outstanding request in its state tables and matches the reply to it, so only one rule is required per connection. The difference matters for security as well as for rule count. A static rule that allows replies also admits any packet that merely looks like a reply, whereas a state-table match admits only replies to requests the Firewall actually saw go out.

Application Layer Firewall

Many attacks are aimed at exploiting a network through network applications, rather than directly targeting the Firewall. Application Layer Firewalls operate at the Application layer of the TCP/IP protocol stack to detect and prevent attacks against specific applications and services. They provide granular-level filtering, Antivirus scanning, and access control for network applications, such as email, FTP, and HTTP. These Firewalls may have proxy servers or specialized application software added.

Application Layer Firewalls inspect traffic through the lower layers of the TCP/IP model and up to and including the Application layer. They are usually implemented through software running on a host or stand-alone network hardware and are used in conjunction with Packet Filtering. Since Application Layer Firewalls are application-aware, they can look into individual sessions and decide to drop a packet based on information in the application protocol.
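A small working model of the three mechanisms in this section (Packet Filtering, Stateful Inspection and an Application Layer check), added here as an example; it is neither taken from the manual nor a model of Check Point's INSPECT engine. The rule format, the state-table layout and all of the traffic are constructed for illustration around the manual's 10.1.1.201 to 8.8.8.8 DNS scenario. It shows why the stateless filter needs two rules, what its reply rule lets through, how the state table achieves the same with one rule, and what an Application-layer check adds on top.

```python
"""Packet Filtering vs. Stateful Inspection vs. an Application Layer check.

Added example, not from the Check Point manual and not Check Point's INSPECT
engine. The rule format, the state table and all traffic are constructed for
illustration around the manual's 10.1.1.201 -> 8.8.8.8 DNS scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes = b""


ANY = "*"   # wildcard in a rule field


def rule_matches(rule: tuple, pkt: Packet) -> bool:
    """Compare the rule's five fields against the packet's 5-tuple; '*' matches anything."""
    wanted = rule[:5]
    actual = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return all(w == ANY or w == a for w, a in zip(wanted, actual))


# 1. Packet Filtering: stateless, every packet is judged on its own header fields.
#    The reply travels the other way, so a second rule is needed for it, and that
#    rule cannot tell a genuine DNS answer from any packet sent from port 53.
STATELESS_RULES = [
    # (src, dst, proto, sport, dport, action)
    ("10.1.1.201", "8.8.8.8", "udp", ANY, 53, "accept"),   # outgoing DNS request
    ("8.8.8.8", "10.1.1.201", "udp", 53, ANY, "accept"),   # incoming DNS reply
]


def packet_filter(pkt: Packet) -> str:
    for rule in STATELESS_RULES:
        if rule_matches(rule, pkt):
            return rule[5]
    return "drop"                       # implicit cleanup rule


# 2. Stateful Inspection: one rule for the request. Accepted connections are recorded
#    in a state table; a packet is also accepted when it belongs to a recorded
#    connection in either direction, so the reply needs no rule of its own.
STATEFUL_RULES = [("10.1.1.201", "8.8.8.8", "udp", ANY, 53, "accept")]


class StatefulFirewall:
    def __init__(self) -> None:
        self.state_table: set = set()   # 5-tuples of connections allowed so far

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if forward in self.state_table or reverse in self.state_table:
            return "accept"             # part of a connection we already allowed
        for rule in STATEFUL_RULES:
            if rule_matches(rule, pkt):
                if rule[5] == "accept":
                    self.state_table.add(forward)
                return rule[5]
        return "drop"


# 3. Application Layer check on top of the stateful engine: the payload of an allowed
#    DNS request must be a well-formed query (12-byte header, QR bit clear, one question).
def dns_query_ok(payload: bytes) -> bool:
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    return (not (flags & 0x8000)) and qdcount == 1


class ApplicationFirewall(StatefulFirewall):
    def inspect(self, pkt: Packet) -> str:
        if pkt.dport == 53 and not dns_query_ok(pkt.payload):
            return "drop"               # rejected before any state is created for it
        return super().inspect(pkt)


def run_scenario() -> dict:
    """Constructed traffic: a real DNS exchange, an unsolicited probe, a malformed query."""
    question = b"\x07example\x03com\x00\x00\x01\x00\x01"
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + question
    answer = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + question
    request = Packet("10.1.1.201", "8.8.8.8", "udp", 51000, 53, query)
    reply = Packet("8.8.8.8", "10.1.1.201", "udp", 53, 51000, answer)
    probe = Packet("8.8.8.8", "10.1.1.201", "udp", 53, 445)     # source-port-53 trick
    malformed = Packet("10.1.1.201", "8.8.8.8", "udp", 51001, 53, b"\x00\x01\x02")

    flow = [("request", request), ("reply", reply), ("probe", probe)]
    stateful, app = StatefulFirewall(), ApplicationFirewall()
    return {
        "packet_filter": {name: packet_filter(p) for name, p in flow},
        "stateful": {name: stateful.inspect(p) for name, p in flow},
        "application": {name: app.inspect(p) for name, p in flow + [("malformed", malformed)]},
    }


if __name__ == "__main__":
    for engine, verdicts in run_scenario().items():
        print(f"{engine:14} {verdicts}")
```

Run it and compare the "probe" verdicts: the stateless reply rule accepts any packet from 8.8.8.8 source port 53 to any port on 10.1.1.201, the state-table version accepts only the reply to the request it recorded, and the Application-layer variant additionally refuses a request whose payload is not a DNS query before any state is created for it.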
The Firewalls deeply inspect traffic content and apply allow or block access rules per session or connection instead of filtering connections per port like Packet Filtering. Packets are inspected to ensure the validity of the content and to prevent embedded exploits. For example, an Application Layer Firewall may block access to certain website content or software containing viruses. The extent of filtering is based on the rules defined in the network Security Policy. Application Layer Firewalls are often referred to as Next-Generation Firewalls because they include the traditional functions of Packet Filtering and Stateful Inspection.

Figure 6 — Protocol Examples (OSI model layers mapped to TCP/IP model layers, with sample protocols such as HTTP and FTP at the Application layer and IP at the Internet layer)

Introduction to the Gaia Operating System

Gaia is Check Point's operating system for all Check Point appliances and open servers. It supports the full portfolio of Check Point Software Blade, gateway, and Security Management products. It also supports:
+ IPv4 and IPv6 network protocols.
+ High connection and virtual systems capacity (64 bits).
+ Load Sharing.
+ High Availability.
+ Dynamic and Multicast routing.

Gaia can be configured via the Command Line Interface (CLI) or WebUI. For CLI-inclined users, a shell-emulator pop-up window makes the Gaia CLI more intuitive to use. The intuitive WebUI delivers a seamless user experience for Security Administrators by integrating all management functions into a Web-based dashboard accessible via most popular Web browsers. The built-in search navigation delivers instant results on commands and properties.

Command Line Interface

Gaia utilizes an easy-to-use Command Line Interface (CLI) for the execution of various commands that are structured using the same syntactic rules. The CLI can be used via SSH or a web browser.
An enhanced help system and auto-completion further simplify user operation. The default shell of the CLI is called Clish. Clish is a restrictive shell and does not provide access to advanced system and Linux functions. Expert mode allows advanced system and Linux function access to the system, including the file system. To use the expert shell, run the expert command. A password for expert mode must be set prior to running the shell. To exit the expert shell and return to Clish, run the exit command.

Figure 7 — Clish and Expert Shells

Commands and Features

Gaia commands are organized into groups of related commands called features. Commands have the following syntax:

operation feature parameter

Operation   Description
set         Set a value in the system.
show        Show a value or values from the system.
delete      Delete a value from the system.
add         Add a value to the system.
save        Save the configuration changes made since the last save operation.
reboot      Restart the system.
halt        Turn the computer off.
quit        Exit the CLI.
exit        Exit the shell.
start       Start a transaction. Put the CLI into transaction mode. All changes made using commands in transaction mode are applied at once, or none of the changes are applied, based on the way transaction mode is terminated.
commit      End a transaction by committing changes.
expert      Enter the expert shell.
ver         Show the version of the active Gaia image.
help        Retrieve help on navigating the CLI and some useful commands.
Table 1: CLI Operations and Descriptions

To view all commands that the user has permissions to run:
show commands

To view a list of all features:
show commands feature

To show all commands for a specific feature:
show commands feature VALUE

To show all possible operations:
show commands op

To show all commands per operation, per feature:
show commands [op VALUE] [feature VALUE]

To show how long the system has been running:
show uptime

To show the full system version information:
show version all

To show version information for operating system components:
show version os build
show version os edition
show version os kernel

To show the name of the installed product:
show version product

Parameter    Description
all          Show all system information.
os build     Display the Gaia build number.
os edition   Display the Gaia edition (32-bit or 64-bit).
os kernel    Display the Gaia kernel build number.
product      Display the Gaia version.
Table 2: System Information Parameters and Descriptions

Command Completion

In order to save time, Gaia offers the ability to automatically complete a command using a few keyboard buttons.

Keyboard Button     Description
TAB                 Complete or fetch the keyword.
SPACE+TAB           Show the arguments that the command for that feature accepts.
ESC ESC             Display possible command completion options.
?                   Retrieve help on a feature or keyword.
Up/Down arrows      Browse the command history.
Left/Right arrows   Edit the command.
Enter               Run a command string. The cursor does not have to be at the end of the line.
Table 3: Keyboard Buttons and Descriptions

User-Defined and Extended Commands

User-defined and extended commands are managed in Clish. Role-based administration can be used with extended commands by assigning those commands to roles and then assigning those roles to users or user groups.

Parameter     Description
command       Name of the extended command.
path          Path of the extended command.
description   Description of the extended command.
Table 4: Extended Command Parameters and Descriptions

To show all extended commands:
show extended commands

To show the path and description of a specified extended command:
show command VALUE

To add an extended command:
add command VALUE path VALUE description VALUE

To delete an extended command:
delete command VALUE

Commonly Used Commands

As an administrator, there are additional commands that you may frequently use in your role. Many of these commands will be introduced throughout this course. Here are a few commonly used Firewall commands.

To display the version of Check Point software installed on a gateway, enter the following command in the Clish shell:
fw ver

To display the name of the Security Policy installed on a gateway:
fw stat

To display interface information:
fw getifs

Obtaining a Configuration Lock

Only one user can have Read/Write access to Gaia configuration settings at a time. All other users can only log in with Read-Only access to view configuration settings, as specified by their assigned roles. For example, AdminA logs in and no other user has Read/Write access. AdminA receives an exclusive configuration lock with Read/Write access. If AdminA logs in and AdminB already has the configuration lock, AdminA has the option to override AdminB's lock. If AdminA decides to override the lock, AdminB stays logged in but will have Read-Only access. If AdminA decides not to override the lock, they will only be granted Read-Only access.

To further illustrate, AdminA can run the lock database override command to obtain the configuration lock from AdminB and gain Read/Write access. Alternately, AdminB, who has Read/Write access, can run unlock database to release the configuration lock. In this instance, the configuration lock can be obtained by AdminA.
NOTE: The administrator whose Read/Write access is revoked does not receive notification.

WebUI

The WebUI is an advanced, web-based interface used to configure Gaia platforms. It provides clientless access to the Gaia CLI directly from a browser. A majority of system configuration tasks can be done through the WebUI. To access the WebUI, navigate to https://<Gaia device address>. Log in with a user name and password. The following browsers support the WebUI:
+ Internet Explorer
+ Firefox
+ Chrome
+ Safari

The WebUI operates in the following two modes:
+ Basic — Shows only basic configuration options.
+ Advanced — Shows all configuration options.

Figure 8 — WebUI

System Overview Page

The System Overview page displays an overview of the system in various widgets. These widgets can be added or removed from the page, moved around the page, and minimized or expanded. The following widgets are available:
+ System Overview — Provides system information, including the installed product, product version number, kernel build, product build, edition (32 bit or 64 bit), platform on which Gaia is installed, and computer serial number (if applicable).
+ Blades — Displays a list of installed Software Blades. Those that are enabled are colored. Those that are not enabled are grayed out.
+ Network Configuration — Displays interfaces, their statuses, and IP addresses.
+ Memory Monitor — Provides a graphical display of memory usage.
+ CPU Monitor — Provides a graphical display of CPU usage.

Navigation Tree

The Navigation tree is used to select a page within the WebUI. Pages are arranged in logical feature groups. There are two viewing modes:
+ Basic — Shows some standard pages.
+ Advanced (Default) — Shows all pages.
To change the view mode, click View Mode and select a mode from the list.
To hide the Navigation tree, click the Hide icon.

Toolbar

The toolbar displays whether the user has Read/Write access or is in Read-Only mode. It is also used to open the Terminal (Console) accessory for CLI commands and to open the Scratch Pad accessory, which is used for writing notes.

NOTE: The Scratch Pad accessories are available in Read/Write mode only.

Search Tool

The Search tool is used to find an applicable configuration page by entering a keyword, which can be a feature, a configuration parameter, or a word related to a configuration page.

Status Bar

The Status bar displays the result of the last configuration operation. To view a history of the configuration operations during the current session, click the Expand icon.

Configuration Tab

Under the Configuration tab, a user may view and configure parameters for Gaia features and settings groups. The parameters are organized into functional settings groups in the navigation tree.

NOTE: Read/Write access is required to configure parameters for a settings group.

Monitoring Tab

The Monitoring tab allows a user to view the status and detailed operational statistics, in real time, for some routing and High Availability settings groups. This ability is useful for monitoring dynamic routing and VRRP cluster performance.

Configuration Lock

To override a configuration lock in the WebUI, click the small lock icon in the toolbar. The pencil icon, which indicates that Read/Write access is enabled, will replace the lock icon.

NOTE: Only users with Read/Write access can override a configuration lock.

Users

The WebUI and CLI can be used to manage user accounts and perform the following actions:
+ Add users to your Gaia system.
+ Edit the home directory of the user.
+ Edit the default shell for a user.
+ Assign a password to a user.
+ Assign privileges to users.

Figure 9 — WebUI Users Page

There are two default users that cannot be deleted.
The Admin has full Read/Write access for all Gaia features. This user has a User ID of 0 and therefore has all of the privileges of a root user. The Monitor has Read-Only access for all features in the WebUI and the CLI and can change their own password. An Admin must provide a password for the Monitor before the Monitor user account can be used.

New users have Read-Only privileges to the WebUI and CLI by default. They must be assigned one or more roles before they can log in.

NOTE: Permissions can be assigned to all Gaia features or a subset of the features, without assigning a user ID of 0. If a user ID of 0 is assigned to a user account (this can only be done in the CLI), the user is equivalent to the Admin user and the roles assigned to that user cannot be modified.

Roles and Role-based Administration

Role-based administration enables Gaia administrators to create different roles. Administrators can allow users to access features by adding those functions to the user's role definition. Each role can include a combination of Read/Write access to some features, Read-Only access to other features, and no access to other features.

Figure 10 — WebUI Roles Page

When a user is created, pre-defined roles, or privileges, are assigned to the user. For example, a user with Read/Write access to the Users feature can change the password of another user or an Admin user. It is also possible to specify which access mechanisms, the WebUI or CLI, are available to the user.

When users log in to the WebUI, they see only those features for which they have Read-Only or Read/Write access. If they have Read-Only access to a feature, they can see the settings pages but cannot change the settings.

Configure Roles in the WebUI

Roles are defined on the Roles page of the WebUI. To add a new role or change an existing role:
1. Select User Management > Roles in the WebUI navigation tree.
2. To add a new role, click Add and enter a Role Name. The role name can be a combination of letters, numbers, and the underscore (_) character, but must start with a letter.
3. To change permissions for an existing role, double-click the role.
4. In the Add or Edit Role window, click a feature (Features tab) or extended command (Extended Commands tab).
5. Select None, Read-Only, or Read/Write from the options menu to the left of the feature or command.

Figure 11 — WebUI Add Role Window

To assign users to a role:
1. Select User Management > Roles in the WebUI navigation tree.
2. Click Assign Members.
3. In the Assign Members to Role window:
   + Double-click a user in the Available Users list to add that user to the role.
   + Double-click a user in the Users with Role list to remove that user from the role.

Configure Roles in the CLI

To add role definitions:
add rba role VALUE domain-type System readonly-features VALUE readwrite-features VALUE

To delete role definitions:
delete rba role VALUE
delete rba role VALUE readonly-features VALUE readwrite-features VALUE

To add users to existing roles:
add rba user VALUE roles VALUE

To remove users from existing roles:
delete rba user VALUE roles VALUE

To add access mechanism (WebUI or CLI) permissions for a specified user:
add rba user VALUE access-mechanisms [Web-UI | CLI]

To remove access mechanism (WebUI or CLI) permissions for a specified user:
delete rba user VALUE access-mechanisms [Web-UI | CLI]

Parameter           Description
role                Role name as a character string that contains letters, numbers, or the underscore (_) character.
domain-type         Reserved for future use. Use the value System.
readonly-features   Comma separated list of Gaia features that have Read-Only permissions in the specified role. You can add Read-Only and Read/Write feature lists in the same command.
readwrite-features  Comma separated list of Gaia features that have Read/Write permissions in the specified role. You can add Read-Only and Read/Write feature lists in the same command.
user                User to which access mechanism permissions and roles are assigned.
roles               Comma separated list of role names that are assigned to or removed from the specified user.
access-mechanisms   Defines the access mechanisms that users can work with to manage Gaia. You can only specify one access mechanism at a time with this command.
Table 5: User and Role Parameters and Descriptions

For example:
add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag
add rba user Paul access-mechanisms CLI,WebUI
add rba user Daly roles NewRole,adminRole
delete rba role NewRole
delete rba user Daly roles adminRole

Updates

Gaia provides the ability to directly receive updates for licensed Check Point products. With the Check Point Upgrade Service Engine (CPUSE), you can automatically update Check Point products for the Gaia operating system and the Gaia operating system itself. Updates can be downloaded automatically, manually, or periodically, and installed manually or periodically.

Figure 12 — Gaia Software Updates Policy Page

Hotfixes are downloaded and installed automatically by default; however, full installation and upgrade packages must be installed manually. Email notifications are sent for newly available updates, downloads, and installations. Updates are discussed in greater detail in the CCSE course.
Lab 1.4 Working with Gaia Portal

This lab is an introduction to Check Point Gaia. Here, you will view and manipulate basic settings of the Gaia operating system through the Gaia Portal, the WebUI. Create users and define settings that will appear in later labs.

Performance Objectives:
+ Identify important operating system level settings configured through the WebUI.
+ Create and confirm administrator users for the domain.
+ Configure network messages.
+ Confirm existing configuration settings.

Tasks:
+ Review and configure basic settings in the Gaia Portal.
+ Define a new role and create new Check Point users.
+ Work in Expert mode.
+ Apply useful commands.
+ Add and delete administrators via the CLI.
+ Test user role assignments.
