SECURITY ENGINEERING
Student & Lab Manual
R80.10
CHECK POINT INFINITY

© 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel. Tel: 972-3-753 4555
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070. Tel: 650.508.2000
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063
E-mail comments or questions about our courseware to: courseware@us.checkpoint.com
For questions or comments about other Check Point documentation, e-mail: CP_TechPub_Feedback@checkpoint.com

Document #: DOC-Manual-CCSE-R80.10
Revision: R80.1004
Content: Joey Wilt, Vanessa Johnson
Graphics: Chunming Jia, Vanessa Johnson

Contributors: Beta Testing, Content Contribution, or Technical Review
Michael Adje - Wick Hi - United Kingdom
Chicas QA Ena
Eric Andrson - Netniom - USA
taal Cun - CactenWViee - Sua
Prot Czopk - CLICO - Poland
Bret Deony - Dimension Data Learning Solutions - Australia
Valeyreeman - Dia MaserLab - Russia
Aired Gah. - M.TeshBreauss - Singapore
Desmond Goah - MTedhPre dicts - Singapore
Tim Hall - Shadow Peak - USA
Owwerdnt - Arrow ECS - Germany
Maio Minch - Arrow ECS - Germany
Anthony Joubere - Arrow ECS - France
Surjay Kaesam cont - Red Education - Australia
Arno Kebarg - Red Education - Australia
Aled Kostle - Westcon - Germany
Yasish Ken - Arrow ECS - Germany
Fatrsi Lamanna - Check Point Software Technologies - USA
Jy Linder ST Slovenia
Dries Matens - Westcon - Belgium
Gales Moncayo - Rese - Colombia
Thoas Nuiback - Ghssuoer - Norway
Revie Pakin - Arrow ECS - Eland
igaftunar Patel - Check Point Software Technologies - USA
Mika Rentnen - Hawke Teining - Finland
Jon Ross - Red Education - Australia
Niles Sesto - Inge - Sweden
Fedor Teygmor - Softline Group - Russia
Madhava V - 1TeeSys Tecnologies - India
Sendra VanLoon - Avest - The Netherlands
sik Wagonare - Prosiaus ICT Aeadeayy - Basan

Special Thanks:
len Bales - Check Point Software Technologies - USA
Fetesi Lamanna - Check Point Software Technologies - USA
Kia Watield - Check Point Software Technologies - USA
Daniel Sorey - Red Education - Australia (Sydney Beta Host)
Kia Wentsel - Arrow ECS - Finland (Helsinki Beta Host)

Certification Exam Development: Jn Tage
Check Point Technical Publications Team: Un Lewins Daly Yen, Hi Har-Even, Paul Grigg, Rachel Tete, Rent Segal, Shia Rosenfeld, Yaskov Sin, Devers Hosein

Table of Contents

Preface: Security Engineering
  Check Point Security Engineering Course
  Prerequisites
  Course Chapters and Learning Objectives
  Lab Topology
  Related Certification

Chapter 1: System Management
  Advanced Gaia
  Gaia Features and Benefits
  Upgrades
  Upgrade Tools
  Advanced Upgrade with Database Migration
  Lab 1.1: Upgrading to R80.10
  Migrating Management Server Data
  Installing the Security Management Server
  Configuring Security Management Server Using the Gaia Portal
  Installing SmartConsole
  Importing the Check Point Database
  Launching SmartConsole and Reconfiguring Existing Security Policies
  Hotfixes
  The CPUSE Agent
  The Central Deployment Tool
  Lab 1.2: Applying Check Point Hotfixes
  Installing the Hotfix on the Security Gateways
  Lab 1.3: Configuring a New Security Gateway Cluster
  Installing a Second Security Gateway
  Configuring the Bravo Security Gateway with the First Time Configuration Wizard
  Using the Gaia Portal to Configure the Security Gateway
  Re-configuring the Primary Gateway
  Configuring the Alpha Security Policy to Manage the Remote Security Gateway Cluster
  CLI Commands
  CPInfo
  Lab 1.4: Core CLI Elements of Firewall Administration
  Managing Policy and Verifying Status from the CLI
  Using cpinfo
  Reconfiguring the Security Policies
  Using fw monitor
  Using tcpdump
  Advanced Firewall
  Check Point Firewall Infrastructure
  The Firewall Kernel
  Packet Flow
  Chain Modules
  Lab 1.5: Viewing the Chain Modules
  Evaluating the Chain Modules
  Modifying the Security Policy
  Viewing Changes to the Chain Modules
  Stateful Inspection
  Security Servers
  Kernel Tables
  Policy Installation
  Rule Matching
  Network Address Translation
  Firewall Administration
  Lab 1.6: Configuring Manual Network Address Translation
  Configuring the Security Policy
  Configuring the ARP Table
  Reconfigure the Alpha Rule Base
  Review Questions

Chapter 2: Automation & Orchestration
  Automation & Orchestration
  Check Point APIs
  Check Point API Architecture
  Management API Commands
  Management API Support
  Lab 2.1: Managing Objects Using the Check Point API
  Configuring the Check Point API
  and Editing Objects in the API
  Review Questions

Chapter 3: Redundancy
  Advanced ClusterXL
  Load Sharing
  Proxy ARP
  MAC
  Cluster Synchronization
  Cluster Connectivity Upgrade
  Add a Member to an Existing Cluster
  Sticky Connections
  Management High Availability
  OPSEC Certified Clustering Products
  Lab 3.1: Deploying a Secondary Security Management Server
  Installing the Secondary Management Server
  Configuring Management High Availability
  Testing Management High Availability
  VRRP Clusters
  VRRP Types
  Lab 3.2: Enabling Check Point VRRP
  Viewing ClusterXL Failover
  Defining a Virtual Router for VRRP
  Configuring the Security Policy for VRRP
  Review Questions

Chapter 4: Acceleration
  SecureXL: Security Acceleration
  Using SecureXL
  Packet Acceleration
  Session Rate Acceleration
  SecureXL Connection Templates
  Packet Flow
  VPN Capabilities
  Lab 4.1: Working with SecureXL
  Identifying Status of Current Connections
  CoreXL: Multicore Acceleration
  Using CoreXL
  Processing Core Allocation
  Dynamic Dispatcher
  Packet Flow with CoreXL and SecureXL Enabled
  Multiple Traffic Queues
  Using Multi-Queue
  Lab 4.2: Working with CoreXL
  Enabling CoreXL
  Reviewing CoreXL Settings
  Review Questions

Chapter 5: SmartEvent
  The SmartEvent Solution
  SmartEvent Components
  SmartEvent Clients
  SmartEvent Workflow
  SmartEvent Deployment
  Defining the Internal Network
  fying an Event
  Monitoring the Network
  Event Queries
  Investigating Security Events
  Importing Offline Log Files
  Remediating Security Events
  Configuring Event Policy
  Configuring IPS Policy
  Reporting Security Events
  Using Predefined Reports
  Defining Custom Reports
  Preventative Measures
  Creating a New Event Definition
  Reporting an Event to Check Point
  Eliminating False Positives
  SmartEvent Example
  High Availability Environment
  Security CheckUp
  Lab 5.1: Evaluating Threats with SmartEvent
  Configure the Network Object in SmartConsole
  Monitoring Events with SmartEvent
  Review Questions

Chapter 6: Remote and Mobile Access
  Choosing Remote Access Solutions
  Installation Types
  Secure Connectivity and Endpoint Security
  SSL VPN versus IPSec (Layer 3) VPN
  Clients
  Mobile Access Portal
  SSL Network Extender
  Check Point Mobile
  Check Point Capsule Workspace
  SecuRemote
  Additional Remote Access Options
  Check Point Capsule
  Capsule Workspace
  Capsule Docs
  Capsule Cloud
  Mobile Access Software Blade
  Mobile Access Wizard
  Mobile Access Workflow
  Gateway Security Features
  Mobile Access Deployment
  Mobile Access Policy
  Mobile Access Rule Base
  Best Practices
  Lab 6.1: Managing Mobile Access
  Enable Mobile Access Blade
  Configure the Check Point Capsule Policy
  Testing Check Point Mobile Access
  Review Questions

Chapter 7: Threat Prevention
  The Threat Landscape
  Zero-Day Attacks
  Advanced Persistent Threats
  Intrusion Prevention System
  IPS Profile Settings and Protections
  IPS Tuning and Maintenance
  Lab 7.1: Understanding IPS Protections
  Configuring the Protection Profile
  Configuring the IPS Demonstration Tool
  Testing the Default Protections
  Modifying the Protection Profile Settings
  Working with Logs & Monitor to Investigate Threats
  Modifying an Existing Protection Profile
  Geo Protection
  Lab 7.2: Deploying IPS Geo Protection
  Modifying Anti-Spoofing Settings
  Configuring IPS Geo Protection
  Antivirus
  Anti-Bot
  Lab 7.3: Reviewing Threat Prevention Settings and Protections
  Review Threat Prevention Settings and Protections
  Testing EICAR Access
  Sandboxing
  OS-Level Sandboxing
  CPU-Level Sandboxing
  Check Point SandBlast Zero-Day Protection
  SandBlast Components
  SandBlast Appliances
  SandBlast Cloud
  SandBlast Agent
  SandBlast Deployment
  Public Cloud Service
  Private Cloud
  Hybrid Solution (SandBlast Appliance and Cloud)
  SandBlast Mobile
  SandBlast Mobile Components
  SandBlast Mobile Workflow
  Lab 7.4: Deploying Threat Emulation and Threat Extraction
  Use ThreatCloud to Verify File Safety
  Configure Threat Emulation to Inspect Incoming Traffic
  Review Questions

Chapter 8: Questions and Answers
  Chapter 1: System Management
  Chapter 2: Automation and Orchestration
  Chapter 3: Redundancy
  Chapter 4: Acceleration
  Chapter 5: SmartEvent
  Chapter 6: Remote and Mobile Access
  Chapter 7: Threat Prevention

Security Engineering

Welcome to the Check Point Cyber Security Engineering course. This course provides an advanced and in-depth explanation of Check Point technology. It includes advanced upgrading, key techniques for building, deploying and enhancing network performance, and management and troubleshooting features to mitigate security risks.
The course is intended to provide you with an understanding of the skills necessary to effectively design, maintain and protect your enterprise network.

Preface Outline
* Prerequisites
* Course Chapters and Learning Objectives
* Lab Topology
* Related Certification

Check Point Security Engineering Course

This course is designed for security experts and Check Point resellers who need to perform advanced deployment configurations of a Security Gateway and are working towards their Check Point Certified Security Engineering (CCSE) certification. The following professionals benefit best from this course:
* System Administrators
* Support Analysts
* Network Engineers

Prerequisites

Successful completion of this course depends on knowledge of multiple disciplines related to network-security activities including:
* UNIX and Windows operating systems
* Certificate management
* System administration
* CCSA training/certification
* Networking (TCP/IP)

Course Chapters and Learning Objectives

Chapter 1: System Management
* Understand system management procedures, including how to perform system upgrades and apply hotfixes.
* Identify advanced CLI commands.
* Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Chapter 2: Automation and Orchestration
* Recognize how Check Point's flexible API architecture supports automation and orchestration of daily operations.
* Understand how to use the management API command line tools and web services to read information, create objects, work on Security Policies, and send commands to the Check Point Security Management Server.

Chapter 3: Redundancy
* Discuss advanced ClusterXL functions and redundancy.
* Describe VRRP network redundancy and its advantages.

Chapter 4: Acceleration
* Understand how SecureXL acceleration technology enhances and optimizes Security Gateway performance.
* Understand how CoreXL acceleration technology enhances and improves Security Gateway performance.

Chapter 5: SmartEvent
* SmartEvent components used to store network activity logs and identify
* Discuss the SmartEvent process that determines which network activities may lead to critical security issues.
* Understand how SmartEvent can assist in detecting, remediating, and preventing security threats targeting organizations.

Chapter 6: Remote and Mobile Access
* Recognize Check Point Remote Access solutions and how they differ.
* Discuss Check Point Capsule components and how they work to protect mobile devices and business documents.
* Discuss the Mobile Access Software Blade and how it secures communication and data exchange during remote connections.
* Understand Mobile Access deployment options.

Chapter 7: Threat Prevention
* Discuss different Check Point Threat Prevention solutions for dangerous attacks such as zero-day and Advanced Persistent Threats.
* Understand how SandBlast, Threat Emulation, and Threat Extraction help to prevent security incidents.
* Identify how Check Point SandBlast Mobile helps protect an organization from threats targeting company-issued smartphones and tablets.

Lab Topology

Labs for this course were developed using VMware Workstation. Your instructor will have information for the specific settings and configuration requirements of each virtual machine.

Most lab exercises will require you to manipulate machines in the virtual network. Review the starting lab topology pictured below. Note the location of each server in relation to the Security Gateways and how they are routed. Make sure you understand the purpose of each machine, and the credentials and applications used throughout the course. As the course progresses, you will add Virtual Machines to this topology during the lab exercises.
Figure 1 — Starting CCSE Lab Topology (Check Point R80.10 CCSE Lab Topology)

Related Certification

The Check Point Certified Cyber Security Engineer (CCSE) certification is designed for partners and customers seeking to validate their expert level knowledge of Check Point's software products and security solutions. Students must have a valid CCSA certification before challenging the CCSE exam.

System Management

Cyber Security experts are expected to acquire and apply in-depth knowledge of systems used to securely manage the organization's network infrastructure. This course begins with a deep dive into the Check Point Gaia operating system, with how to use essential CLI commands, perform upgrades, and apply hotfixes. We will also take a closer look at the Check Point Firewall infrastructure, chain modules, kernel tables, packet flow, and many more advanced Firewall processes and procedures.

Learning Objectives
* Understand system management procedures, including how to perform system upgrades and apply hotfixes.
* Identify advanced CLI commands.
* Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Advanced Gaia

Check Point Gaia is the unified, revolutionary, secure operating system for all Check Point appliances, open servers, and virtualized gateways. The cutting-edge technology combines the best features of IPSO and Check Point's original secure operating system, SecurePlatform, into a single, harmonious operating system to provide greater operational efficiency and robust performance.

The Makings of Gaia

Gaia was derived from IPSO and SecurePlatform. The IPSO operating system was developed by Ipsilon Networks, a computer networking company specializing in IP switching during the 1990s. Nokia purchased Ipsilon Networks in 1997 and incorporated IPSO into their secure network appliances.
Check Point acquired Nokia's Security business unit in April 2009. As a stripped down operating system, IPSO provided enough functionality to run Check Point Firewalls, along with the incorporation of some standard Unix commands, such as top, ps, and df. It also provided great visibility into kernel statistics, such as network counters, interrupts, and more.

Check Point's SecurePlatform operating system is based on a kernel from Red Hat Software. SecurePlatform's hardened and optimized operating system eliminated software package components that were unnecessary for a network security device and modified or removed components that could present security risks. Its easy-to-use command shell provided a set of commands required for configuration, administration, and system diagnostics, including network settings, back up and restore utilities, upgrading, and system log viewing.

Routine management and maintenance of SecurePlatform was performed through a restricted shell called Standard mode. Standard mode enhanced the security of SecurePlatform by restricting access to utilities that, if used improperly, would damage system stability. SecurePlatform also consisted of a Web Graphical User Interface (WebUI), which enabled users to easily configure settings and perform first time installations. SecurePlatform allowed all system resources to be dedicated to the operating system and the installed Check Point products. With SecurePlatform, resources were no longer consumed by software such as GUIs, office applications, and network file systems.

Gaia Features and Benefits

Gaia supports the full suite of Check Point technologies, giving you improved connection capacity and the full power of Check Point security.

Check Point Gaia offers these key values:
* Combine the best features of IPSO and SecurePlatform.
* Increase operational efficiency with a wide range of features.
* Provide a secure platform for the most demanding environments.

Gaia simplifies and strengthens management with the segregation of duties by enabling role-based administrative access. Additionally, Gaia greatly increases operational efficiency with an advanced and intuitive software update agent, commonly referred to as the Check Point Update Service Engine (CPUSE). Gaia management is made simple with the intuitive and feature-rich WebUI, and instant search options for all commands and properties. The same powerful CLI commands from IPSO and SecurePlatform have been seamlessly integrated into Gaia, along with new commands and capabilities.

Figure 2 — Gaia Portal

Key Features

Key features of Gaia include:
* Web-based User Interface with search navigation — This interface integrates all Gaia operating system management functions into a dashboard that is accessible via the most popular Web browsers, such as Internet Explorer, Chrome, Firefox, Opera, and Safari. The built-in search navigation tool delivers instant results, and for the CLI-inclined users, a Shell Emulator pop-up window is only a single click away.
* Full Software Blade support — Gaia provides support for comprehensive Security Gateway and Security Management Software Blade solutions deployed on Check Point appliances and open servers.
* High connection capacity — Utilizing the efficiency of a 64-bit operating system, Gaia is capable of boosting the connection capacity of existing Check Point appliances.
* Role-based administrative access — Segregation of duties is part of a good Security Policy because it improves operational efficiency and auditing of administrative events. Role-based administrative access gives Gaia customers the ability and granularity to customize their security management policies to meet their business needs. User authentication and authorization is based on industry standard RADIUS and TACACS+ protocols.
  Specific levels of access can be granted based on each individual's role and responsibility.
* Intelligent software updates — With Gaia, software update times are shortened and post-update testing is performed automatically. New releases and patches can be scheduled for automatic download and installed during off-peak hours for minimal business impact. Notification emails are sent about recommended updates and update statuses.
* Native IPv4 and IPv6 support — Check Point Gaia allows easy interoperability with both networking protocols.
* Clustering protocol support — Gaia fully supports ClusterXL, Check Point's proprietary network redundancy protocol, and standard VRRP on all Check Point appliances, open servers, and virtualized environments.
* Manageable dynamic routing suite — Multiple dynamic routing and Multicasting protocols are supported by Gaia, providing flexible and uninterrupted network connectivity. All can be managed from either the Gaia portal or the CLI.

Supported Protocols

Dynamic Routing Protocols:
* RIP RFC 1058
* RIPv2 (with authentication) RFC 1723
* OSPFv2 RFC 2328
* OSPFv3 RFC 5340
* OSPF NSSA RFC 3101
* BGP4 RFCs 1771, 1963, 1966, 1997, 2918

Multicasting Protocols:
* IGMPv2 RFC 2236
* IGMPv3 RFC 3376
* PIM-SM RFC 4601
* PIM-SSM RFC 4601
* PIM-DM RFC 3973
* PIM-DM state refresh draft-ietf-pim-refresh-02.txt

Table 1: Gaia Supported Dynamic and Multicasting Protocols

Upgrades

As a Cyber Security Engineer, it is important to evaluate the overall health, compliance, and performance of your network. This often entails the task of deciding whether to install new hardware to fit business needs or to upgrade to newer software versions to ensure the efficiency of the existing environment. Check Point recommends installing the most recent software release to stay up-to-date with the latest functional improvements, stability fixes,
security enhancements, and protections against new and evolving attacks. Upgrades provide added enhancements over an earlier version and eliminate the complexities of re-creating product configurations, Security Policies, and objects.

Before upgrading appliances or open servers, verify the interoperability and upgrade path of your existing environment and make use of the appropriate Check Point upgrade tools. To upgrade from R77.XX to R80.10, an advanced upgrade with database migration process must be performed. Upgrades from R80 to R80.10 are performed through the software update agent, CPUSE.

NOTE: Upgrades to R80 and above are not supported from IPSO and SecurePlatform. For more information, refer to Check Point's Upgrade Map.

Upgrade Tools

Upgrade tools back up Check Point configurations, independent of hardware, operating system, and Check Point security management platform version. Use the upgrade tools to back up Check Point configuration settings on disk partitions of Check Point appliances and open servers. Disk space requirements for upgrades vary based on the upgrade version. Before starting an upgrade, refer to the release notes of the desired platform version to verify the space requirements for each disk partition, such as the /var/log/ and root partitions.

There is a different package of upgrade tools for each platform. Download the latest version of upgrade tools from the Check Point support site. Before upgrading, a valid service contract that includes software upgrades and major releases must be registered to your organization's Check Point User Center account.

The upgrade tools package consists of several files, including the files noted in the table below.

Package File | Description
migrate.conf | Holds configuration settings for Advanced Upgrade with Database Migration.
migrate | Runs Advanced Upgrade with migration.
pre_upgrade_verifier | Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.

Table 2: Upgrade Tools Package Files

Advanced Upgrade with Database Migration

As in all upgrade procedures, it is best practice to upgrade the Security Management Server or Multi-Domain Server before upgrading the Security Gateways. To upgrade from an earlier software version, such as R77.30, to Check Point's R80.10 security management platform, use the Advanced Upgrade with Database Migration method to migrate the database and install the software. With this method of upgrading, the current environment must meet these requirements for database migration:
* Available disk space of at least five times the size of the exported database on the target machine.
* Size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine.
* Source and target servers must be connected to a network and the connected network interface must have an IP address.
* If the source environment uses only IPv4 or only IPv6, the target must use the same IP address configuration. For example, you cannot migrate to an IPv6 configuration if the source environment uses only IPv4.
* The target must have the same or higher version and the same set of installed products.

The appropriate package of upgrade tools must be downloaded for each source platform. The correct ports for SmartConsole must be open in order for SmartConsole to communicate with the Security Management Server.

After the requirements for database migration have been met, create a backup copy of the existing system settings from the Gaia WebUI. Gaia operating system settings are not backed up and must be configured manually if the database is restored later due to issues with the upgrade. Take note of operating system settings (interfaces, servers, routes, system settings, etc.) before upgrading.
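
The database migration requirements listed above can be checked before migrate export is run. The script below is an added example, not part of the Check Point manual or upgrade tools; the function names, the use of KB figures (for instance from df and du), the treatment of a dual-stack source as unconstrained, and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code: pre-flight checks for the database
# migration requirements listed above. Function names, the KB units and the
# sample figures at the bottom are assumptions made for this illustration.

# free_kb DIR / used_kb DIR: live figures to feed the checks on a real host.
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }
used_kb() { du -sk "$1" | awk '{print $1}'; }

# version_ge A B: true when release A (e.g. R80.10) is the same as or higher than B.
version_ge() {
    a=${1#R}; b=${2#R}
    a_major=${a%%.*}; b_major=${b%%.*}
    a_minor=${a#*.};  b_minor=${b#*.}
    [ "$a_minor" = "$a" ] && a_minor=0    # "R80" carries no minor part
    [ "$b_minor" = "$b" ] && b_minor=0
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# check_export_space EXPORT_KB TARGET_FREE_KB: free space on the target must
# be at least five times the size of the exported database.
check_export_space() { [ "$2" -ge $(( $1 * 5 )) ]; }

# check_varlog SOURCE_KB TARGET_KB: target /var/log must be at least 25% of
# the source /var/log (compared as target * 4 >= source to stay in integers).
check_varlog() { [ $(( $2 * 4 )) -ge "$1" ]; }

# check_ip_family SOURCE TARGET (ipv4 | ipv6 | dual): a single-stack source
# requires the same family on the target. Assumption: a dual-stack source is
# not constrained by this rule.
check_ip_family() {
    case $1 in
        ipv4|ipv6) [ "$1" = "$2" ] ;;
        *) return 0 ;;
    esac
}

# same_products "LIST" "LIST": both space-separated lists name the same
# products, in any order. The unquoted expansions split the lists on purpose.
same_products() {
    s=$(printf '%s\n' $1 | sort -u)
    t=$(printf '%s\n' $2 | sort -u)
    [ "$s" = "$t" ]
}

# check LABEL COMMAND [ARGS...]: run one requirement, print the result and
# count failures in the global variable "failures".
check() {
    label=$1; shift
    if "$@"; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"
        failures=$((failures + 1))
    fi
}

# preflight SRC_VER TGT_VER EXPORT_KB TGT_FREE_KB SRC_LOG_KB TGT_LOG_KB \
#           SRC_IP TGT_IP "SRC_PRODUCTS" "TGT_PRODUCTS"
# Returns the number of requirements that are not met.
preflight() {
    failures=0
    check "target $2 is the same or a higher version than source $1" version_ge "$2" "$1"
    check "target free space is at least 5x the exported database" check_export_space "$3" "$4"
    check "target /var/log is at least 25% of source /var/log" check_varlog "$5" "$6"
    check "IP configuration ($7 -> $8) is compatible" check_ip_family "$7" "$8"
    check "installed products match" same_products "$9" "${10}"
    return "$failures"
}

# Constructed sample figures (KB) and product labels, not measurements from a
# real system: a 2 GB export, 12 GB free on the target, 40 GB of source logs
# and an 8 GB target /var/log, which is below the 25% requirement.
preflight R77.30 R80.10 2097152 12582912 41943040 8388608 ipv4 ipv4 \
    "mgmt smartevent" "smartevent mgmt" || echo "$? requirement(s) not met"
```
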
It is important to use the correct migration tool package to perform the upgrade. Use the upgrade tools package for the software version you are upgrading to. For example, if upgrading from R77.30 to R80.10, use the migration tools package for R80.10. Download and extract the tools to the old server (R77.30). Use the migrate utility of the upgrade tools package to export the source Security Management Server database (R77.30) to a file, and then import the file to the new server (R80.10).

NOTE: SmartEvent databases are not migrated during an advanced upgrade because the databases can be very large. Migration of these databases must be performed separately. Refer to sk110173 for information on how to migrate the SmartEvent database.

The Upgrade Verification Service

Check Point's Upgrade Verification Service is an upgrade verification and environment simulation service created to help customers transition to R80.XX as seamlessly as possible. The service will use configuration files from your current platform to simulate the environment and verify that the upgrade can be successfully applied across the key features of the software. The simulation will also ensure that the database is not corrupted during the upgrade process. Upon completion, a status update of the simulation results along with advice on how best to proceed will be provided. For more detailed information regarding the Upgrade Verification Service, refer to sk110267.

Lab 1.1: Upgrading to R80.10

This lab illustrates how to perform an upgrade of a Security Management Server from R77.30 to R80.10. You will export the configuration of your old server to a Windows machine before installing a new R80.10 server.
Once the fresh installation of the new OS is complete, you can then import the rules, objects, and settings of the previous server into the database of the new, upgraded server. Once the upgrade of the Security Management Server is complete, use CPUSE to upgrade a Security Gateway.

Tasks:
* Save the database information.
* Access the migrate file and transfer via SSH/SCP.
* Perform a clean installation of R80.10 Security Management Server.
* Configure the Security Management Server.
* Install R80.10 SmartConsole.
* Import the database.
* Upgrade the Security Gateway.

Performance Objectives:
* Use the migrate export command to prepare to upgrade a Security Management Server.
* Perform an installation of a Security Management Server.
* Use the migrate import command to populate the database of a Security Management Server.
* Perform an upgrade of Security Gateways in a clustered environment.

Migrating Management Server Data

Export the rules and objects off of the existing Security Management Server so that they can be imported into the new server.

1. From A-GUI, open a Web browser and use HTTPS to connect to A-SMS (10.1.1.101).
2. Use the following credentials to log into the Gaia Portal on A-SMS:
   Username: admin
   Password: Chkp!234
3. In the navigation pane, click User Management > Users.
4. Use the information below to create a new user:
   Login Name: scpadmin
   Password: Chkp!234
   Home Directory: /home/scpadmin
   Shell: /bin/bash
   Assigned Roles: adminRole
   Access Mechanisms: Web, Command Line
5. Click OK.
6. Sign out of the Gaia Portal.
7. Close the web browser.
8. From A-GUI, use the following credentials to log into WinSCP and connect to the A-SMS:
    File Protocol: SCP
    Host Name: 10.1.1.101
    User Name: scpadmin
    Password: Chkp!234
Figure 3 — WinSCP Login
9. In WinSCP, confirm that the left pane displays the local directory and the right pane displays the remote directory.
10. In the right pane, navigate to the /var/log directory of the old R77.30 Security Management Server.
11. In the left pane (local directory), browse to the location of the Upgrade Tools.
NOTE
Ask your instructor for the location and name of the upgrade tools file. Though the name varies, the upgrade tools for R80.10 are called: p1_upgrade_tools.tgz
12. Create a new directory called tmp in the /var/log directory, if needed.
13. Move the file from A-GUI to the /var/log/tmp directory on A-SMS, and the system displays the following window:
Figure 4 — Upload
14. Click the Transfer Settings button, and configure the transfer to be in Binary mode:
Figure 5 — Binary Mode
15. Click OK.
16. Click OK, to continue the file transfer.
17. Highlight the copied file in the right pane of WinSCP and right-click.
18. From the Context Menu, select Custom Commands > UnTar/Gzip:
Figure 6 — Special Commands - UnTar/Gzip
19. Click OK, to extract the directory to the following location:
    /var/log/tmp
20. After the extraction completes, verify that the following folder now appears in /var/log/tmp:
    migrate_tool
Figure 7 — migrate_tool Folder
21. From the WinSCP window, click the PuTTY Login button.
22. PuTTY logs into the A-SMS server (10.1.1.101) at the /home/admin directory:
Figure 8 — PuTTY Session
NOTE
If you are asked to enter the password for scpadmin, enter the following: Chkp!234
23. Verify that all consoles are closed by issuing the following command:
    cpstat mg
Figure 9 — cpstat mg
NOTE
The Connected Clients list should be empty. If it is not, execute the cpstop command to force close all open clients.
24. Change to the following directory by executing the following command:
    cd /var/log/tmp/migrate_tool
25. Type the following command and press Enter, to view the contents of the folder:
    ls
Figure 10 — migrate_tool Folder
26. Type the following command:
    ./migrate export A-SMS-from-r7730-to-r8010.tgz
27. Press Enter, to run the script.
The system asks the following question:
Figure 11 — Warning
28. Type y, and press Enter. The system exports the data, creates the export file, and identifies its location on the server:
Figure 12 — Export Complete
NOTE
The time it takes for this process to complete may vary depending on the size of your Security Policy, number of objects in the database, and database revisions. Once complete, the system provides the location of the exported file and returns to the Expert mode command prompt.
29. While still in the PuTTY session on A-SMS, initiate an FTP session back to A-GUI (10.1.1.201).
NOTE
You can also use the WinSCP session that is still open to transfer the file.
30. Type the following commands and press Enter, to prepare to transfer the file:
    bin
    hash
31. Type the following command, and press Enter:
    put A-SMS-from-r7730-to-r8010.tgz
NOTE
You may want to transfer the file using WinSCP instead of FTP. Just be sure to use Binary Mode for the transfer.
32. Verify that the A-SMS-from-r7730-to-r8010.tgz file has been transferred to A-GUI.
33. Close the WinSCP session.
34. In the PuTTY session to A-SMS, issue the following command:
    shutdown now -h
Figure 13 — shutdown now -h
35. Exit PuTTY.
36. Verify that the A-SMS virtual machine is powered down before continuing.

Installing the Security Management Server

Install the R80.10 Management Server. It will manage the Security Gateway cluster for this site.

1. In VMware, verify that the settings for the new A-SMS Virtual Machine are defined as follows:
    Name: A-SMS
    Memory: 10GB
    Processors: 4
    Hard Disk: 80GB
    CD/DVD (SATA): Points to R80.10 ISO
    Network Adapter: One Interface
        • Connected
        • Connect at power on
        • LAN Segment: LAN 1
NOTE
Your classroom configuration may be different.
Check with your instructor before continuing to the next step.
2. Power on the A-SMS virtual machine, and the Welcome to Check Point Gaia R80.10 screen appears:
Figure 14 — Welcome to Check Point Gaia R80.10
3. Within 60 seconds, highlight the option Install Gaia on this system.
4. Press the Enter key, to launch the installation:
Figure 15 — Welcome
5. At the Welcome screen, highlight OK, and press Enter.
6. Select the keyboard to suit your region.
7. At the Partitions Configuration screen, modify the Logs partition to be 30GB:
Figure 16 — Partitions Configuration
8. At the Account Configuration screen, enter and confirm Chkp!234 as the password for the OS Level admin account.
NOTE
Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.
9. Tab to OK, and press Enter.
10. Use the following information to configure the Management Interface (eth0) screen:
    IP Address: 10.1.1.101
    Netmask: 255.255.255.0
    Default Gateway (IP): 10.1.1.
Figure 17 — Management Interface (eth0) Configured
11. Select OK, and press Enter. The system displays the Confirmation screen.
12. In the Confirmation screen, select OK, and press Enter to proceed. After the drive is formatted and the installation is complete, the system displays the Installation Complete screen:
Figure 18 — Installation Complete
13. Press Enter to reboot A-SMS.

Configuring Security Management Server Using the Gaia Portal

Follow these steps to configure the primary Security Management Server for your configuration.

1. From the A-GUI virtual machine, launch an Internet browser.
2. In the address field, type the following:
    https://10.1.1.101
NOTE
Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before you are able to connect. Both the GUI client machine (A-GUI) and the Security Management Server (A-SMS) reside on LAN 2, if you are following the recommended classroom topology. Consult your instructor if you are using a different configuration.
3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
NOTE
Ignore this warning and continue to the site.
4. Log into A-SMS with the following credentials:
    Login: admin
    Password: Chkp!234
Figure 19 — R80.10 Gaia Portal Login
5. Press Enter, and the system displays the following message:
Figure 20 — R80.10 First Time Configuration
6. Click Next, and the system displays the deployment Options page.
7. Verify that the following option is selected:
    Continue with Gaia R80.10 configuration
8. Click Next, and the system displays the Management Connection window:
Figure 21 — Network Connection
9. Use the information below to verify that the Security Management Server's network connection is configured properly:
    Interface: eth0
    Configure IPv4: Manually
    IPv4 Address: 10.1.1.101
    Subnet Mask: 255.255.255.0
    Default Gateway: 10.1.1
    Configure IPv6: Off
10. Click Next, and the system displays the Device Information window.
11. Use the following information to configure the Device Information window:
    Host Name: A-SMS
    Domain Name: alpha.cp
    Primary DNS Server: 192.168.11.101
Figure 22 — Device Information Configured
NOTE
Check Point prohibits the use of underscores in object names.
12. Click Next, and the system displays the Date and Time Settings window.
13. Select the option Use Network Time Protocol (NTP).
14. In the Primary NTP server field, type 192.168.11.101
15. Select the correct Time Zone for your location:
Figure 23 — Date and Time Settings Configured
16. Click Next, and the system displays the Installation Type window:
Figure 24 — Network Configuration - Host Name Options
17. Select Security Gateway or Security Management, and click Next. The system displays the Products window.
18. In the Products window, clear the Security Gateway option.
19. Use the information below to configure the Products window:
    Products: Security Management
    Advanced: Define Security Management as Primary
NOTE
Clear the Security Gateway option before continuing. This option must NOT be selected.
20. Verify that the Products window is configured as follows:
Figure 25 — Products Configured
21. Click Next, and enter newadmin for the Administrator name.
22. Enter and confirm Chkp!234 as the password:
Figure 26 — Security Management Administrator
23. Click Next, and confirm that the option Any IP Address is selected in the Security Management GUI Clients window.
24. Click Next, and the system displays the Summary page:
Figure 27 — Summary
25. Clear the following option:
    Improve product experience by sending data to Check Point
NOTE
Though this option is recommended, it is not necessary in our lab. We are not in a production environment and only have limited connection to the Internet.
26. Click Finish, and the system prompts you for a response to the following question:
Figure 28 — First Time Configuration Wizard Message
27. Click Yes, and the system proceeds with the configuration:
Figure 29 — Summary (Progress)
28. Once complete, a message displays indicating that the configuration was successful:
Figure 30 — Message
29. Click OK, and the Gaia Portal displays the configuration settings of the newly configured Security Management Server:
Figure 31 — Check Point Gaia Portal - Security Management Server Configured
30. In the System Management section, click Messages.
31. Enter the following for the Banner Message:
    A-SMS Unauthorized access of this server is prohibited and punishable by law.
Figure 32 — Messages Configured
32. Click Apply.
33. In the User Management section of the navigation pane, select Users:
Figure 33 — Users
34. Click the Add button, and the system displays the Add User window:
Figure 34 — Add User
35. Use the following information to configure the new user:
    Login Name: adminbash
    Password: Chkp!234
    Real Name: Adminbash
    Home Directory: /home/adminbash
    Shell: /bin/bash
    Access Mechanisms: Web, Clish Access
    Assigned Roles: adminRole
Figure 35 — Add User Configured
NOTE
When you log into the Security Management Server as adminbash, the correct shell is now available for adminbash to connect and transfer files. There is no longer a need to specifically define the shell in the command line. Since this is an OS level user, you must perform this action on every module you want to have the adminbash user defined.
36. Click OK, and the system adds the new user to the Users page:
Figure 36 — Users

Installing SmartConsole

In this section, you will install SmartConsole on the A-GUI virtual machine.

1. In the navigation pane of Gaia Portal, click Overview.
2. On the Overview page, click the Download Now button to download the SmartConsole installer file:
Figure 37 — Web Portal - Overview
NOTE
You may need to reacquire the configuration lock before downloading the application. The system will prompt you, if this is necessary.
3. Save the installer file to the Downloads folder of A-GUI.
4. Log out of the Gaia Portal.
5. Browse the Downloads folder and locate the SmartConsole.exe file:
Figure 38 — Downloads Folder
6. Double-click the SmartConsole.exe file. The Welcome screen displays.
Figure 39 — Welcome
7. Select the option confirming you agree to the Check Point End User License Agreement.
8. Click Install, to begin the installation process. The system displays installation progress information:
Figure 40 — Installation
9. Verify that the system displays the Thank You window, once the installation completes.
10. Click the Finish button, to complete the SmartConsole installation.
11. Log into A-SMS with the following credentials:
    Login: newadmin
    Password: Chkp!234
    IP Address: 10.1.1.101
12. Click Login, and the system displays the Fingerprint for verification:
Figure 41 — Fingerprint
13. Click Proceed, and the system displays the Welcome to SmartConsole R80.10 page:
Figure 42 — Welcome to SmartConsole
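
Added example (not part of the Check Point manual): the transfer steps under Migrating Management Server Data call for Binary mode and ask you to verify that the export file arrived. The script below records a SHA-256 checksum beside the export and checks the copy before it is imported, and it shows a constructed text-mode (LF to CRLF) transfer being caught. The function names and the sample archive are hypothetical, and it assumes sha256sum, gzip, tar and sed are available where it runs.

```shell
#!/bin/sh
# Added example: integrity check for a migrate export file around a file transfer.
# Function names and the sample archive are hypothetical; assumes sha256sum, gzip, tar, sed.

# record_export FILE: on the source server, write FILE.sha256 beside the export.
record_export() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# verify_export FILE: on the destination, before the import.
# Returns 0 = intact, 1 = checksum mismatch, 2 = archive unreadable, 3 = file or checksum missing.
verify_export() {
    f=$1
    [ -s "$f" ] && [ -s "$f.sha256" ] || return 3
    ( cd "$(dirname "$f")" && sha256sum -c "$(basename "$f").sha256" >/dev/null 2>&1 ) || return 1
    gzip -t "$f" 2>/dev/null || return 2
    tar -tzf "$f" >/dev/null 2>&1 || return 2
    return 0
}

# simulate_ascii_transfer SRC DST: mimic a text-mode transfer that rewrites LF as CRLF.
simulate_ascii_transfer() {
    cr=$(printf '\r')
    LC_ALL=C sed "s/\$/$cr/" "$1" > "$2"
}

# demo: build a constructed export, copy it once byte-for-byte and once in "text mode".
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/binary" "$work/ascii"
    printf 'constructed sample object\nconstructed sample rule\n' > "$work/src/objects.txt"
    ( cd "$work/src" && tar -czf export.tgz objects.txt )
    record_export "$work/src/export.tgz"

    cp "$work/src/export.tgz" "$work/src/export.tgz.sha256" "$work/binary/"
    rc=0; verify_export "$work/binary/export.tgz" || rc=$?
    echo "binary copy: verify_export returned $rc"

    simulate_ascii_transfer "$work/src/export.tgz" "$work/ascii/export.tgz"
    cp "$work/src/export.tgz.sha256" "$work/ascii/"
    rc=0; verify_export "$work/ascii/export.tgz" || rc=$?
    echo "text-mode copy: verify_export returned $rc"
    rm -rf "$work"
}

demo
```

Run record_export on the old server right after the export, carry the .sha256 file along with the archive, and run verify_export on the new server before the import.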
