(CCSA) v1.0
9.00 am – 4.00 pm: LECTURING
12.00 am – 12.45 pm: LUNCH
3 x 15 min. BREAKS
About the Class…
Course Materials
LABs
CCSA LAB TOPOLOGY
Agenda
LAB: 12 - 13
Introduction to Check Point Technology
Check Point is a software company that operates exclusively in the field of information security.
The Check Point firewall is a software package that runs on top of an operating system (OS).
• perform troubleshooting…
• Expert mode is NOT subject to role-based administration controls.
Introduction to GAiA
set & change expert password:
If someone knows the expert password and has permission to enter expert mode, there is no way to restrict the commands they can run.
To overcome this issue, you can create a Gaia permission profile for that user that prohibits expert access.
Introduction to GAiA
Examples:
hostname> set interface eth0 ipv4-address 10.1.1.3 mask-length 24
hostname> set interface eth0 state off /on
hostname> delete interface eth0 ipv4-address
hostname> set static-route default nexthop gateway address 172.26.115.1 on
hostname> set static-route default nexthop gateway address 172.26.115.1 off
hostname> set static-route 172.26.116.0/24 nexthop gateway address 10.100.100.20 on
hostname> set static-route 172.26.116.0/24 nexthop gateway address 10.100.100.20 off
hostname> add interface eth0 vlan 100
hostname> show interface eth1
hostname> show route
hostname> save config
Introduction to GAiA
Extended commands:
username: admin
password: Chkp!234
Introduction to GAiA Portal
Only one user can have read/write access to Gaia system configuration settings at a time. All other users can only log in with Read-Only access to view configuration settings.
The same user cannot be logged in with read/write access through both the CLI and the WebUI at the same time.
The database lock feature has two commands:
[hostname]> lock database override // obtains the lock from another administrator
[hostname]> unlock database // releases the lock from the current administrator.
Note: The administrator whose read/write access is revoked does not receive notification.
Introduction to GAiA Portal | Network Interfaces
Interface Alias: lets you assign more than one IPv4 address to an interface. NOT supported in a cluster environment.
VPN Tunnel Interfaces: Virtual Tunnel Interface (VTI) is a virtual interface that is used for establishing a Route-Based VPN tunnel
Interface Bridge:
Interface Bond:
Introduction to GAiA Portal | Maintenance – System Snapshot
Creates a binary image of the entire root disk partition which includes:
Exporting an image from one machine and importing that image on another machine
SNAPSHOT
Introduction to GAiA Portal | Maintenance – System Backup
BACKUP
Introduction to GAiA Portal | Maintenance
Snapshot - after a fresh installation, before an upgrade, and before a hotfix installation.
Backup - monthly or weekly, depending on how frequently you make changes to your system.
1. Revert to a Snapshot - restores the Check Point version with all the setup details and hotfixes.
2. Restore from Backup - restores the latest system configuration with all recent network and security configuration.
Introduction to GAiA Portal | Maintenance | Service CPUSE
Check Point Upgrade Service Engine (CPUSE) – Tool for automatically updating Check Point products
user accounts,
passwords,
roles or privileges,
authentication servers,
system groups.
Introduction to GAiA Portal | User Management | Users
There are two default users that cannot be deleted from the system:
admin: This user has full read/write permission to all Gaia features [adminRole]
monitor: This user has Read-Only permissions for all Gaia features [monitorRole]
An admin must set a password for the monitor user before it can be used.
Introduction to GAiA Portal | User Management | Users
User is not allowed to log in to Gaia.
User can only connect to Gaia over SCP and transfer files to and from the system. Other commands are forbidden.
Role-based administration (RBA) lets you create administrative roles for users.
With RBA, an administrator can allow Gaia users to access specified features by including those features in a role and assigning that role to users.
Each role can include a combination of administrative (read/write) access to some features, monitoring (read-only) access to other features, and no access to other features.
Introduction to GAiA Portal | User Management | Authentication Servers
You can configure Gaia to authenticate Gaia users even when they are not defined locally.
This is a good way of centrally managing the credentials of multiple Security Gateways.
To define non-local Gaia users, you define Gaia as a client of an authentication server.
Gaia supports these types of authentication servers: RADIUS and TACACS+
Introduction to GAiA | Deployment options
Open Server.
Gaia OS can be deployed on specific certified servers from a Hardware Compatibility List available on the Check Point web site.
A Virtual Machine.
Private Cloud Platforms: VMware ESX, Microsoft Hyper-V, KVM
Public Cloud Platforms: AWS, Azure, Google Cloud, Alibaba, and Oracle.
https://www.checkpoint.com/support-services/hcl/
Deployment Options | Standard Deployment
Security Management Server and Security Gateway reside on the same computer or appliance
Deployment Options | Distributed Deployment
Security Management Server and Security Gateway reside on different computers or appliances.
Deployment Options | Bridge Mode
“Software Blades” is a term for a specific security feature of Check Point’s products.
Next Generation Firewall (NGFW): Firewall, IPS, Application Control and VPN
Next Generation Threat Prevention (NGTP): NGFW + Anti-Virus, Anti-Bot, URLF and Anti-Spam & Email Security
Smart Console: Windows client that manages security policy and events on the Security Management Server.
Security Gateway: Integrated network security enforcing access control and threat prevention policies in physical and virtual environments.
Security Management Server: Stores and distributes security policy to Security Gateways and receives security logs from them.
Check Point Security Architecture| Secure Internal Communication (SIC)
SIC is a Check Point proprietary mechanism with which Check Point components authenticate each other over SSL.
SIC is used to establish a trusted communication channel over an untrusted network.
Trusted (secure) communication is required to install policies on gateways and to send logs between gateways and management servers.
Check Point Security Architecture| Secure Internal Communication (SIC)
Check Point products authenticate each other through one of these Secure Internal Communication (SIC) methods:
Certificates.
Standards-based TLS for the creation of secure channels.
3DES or AES128 for encryption.
Authentication is based on the certificates issued by the ICA on a Check Point Management Server
Check Point Security Architecture | Steps to Initializing Trust
1. ICA has been created during the primary Security Management Server installation process
2. The ICA on SMS signs and issues a certificate to the gateway but does not yet deliver it.
3. The management server authenticates gateway over TLS using a one-time password.
4. The certificate is then downloaded and stored on the gateway, trust is established, and the one-time password is deleted.
5. Gateway can safely communicate with other Check Point gateways and management servers
SIC - Authenticates between gateways or between gateways and Security Management Servers, for policy installation and sending logs.
VPN Certificates - Authenticate between members of a VPN community in order to create a VPN tunnel.
Users - Authenticates user access according to authorization and permissions.
Note: If the Security Management Server is renamed, trust will need to be re-established as the certificate is reissued.
Check Point Security Architecture | Steps to Initializing Trust
Authenticate security gateway on management server using IP address and one-time password
Check Point Security Architecture | Steps to Reset SIC
gateway> cpconfig
OPTION5
Check Point Security Architecture | SIC Status & Certificate State
Not Communicating - The management server can contact the gateway but cannot establish SIC
BREAK
15 minutes
LAB
LAB – 01
LAB – 02
LAB – 03
Smart Console
Review
Security Policies
Advanced Firewall
User Management
&
Permission Profiles
The Smart Console - Intro
DEVICE MANAGEMENT
Add & Delete Device (gateway, ClusterXL, mgmt. srv, log srv, etc.)
Enable & Disable SFB (URLF, APCL, AV, AB, Remote Access VPN, IPsec VPN…)
Device General Properties (topology table, enable & disable HTTPS inspection, …)
License Status
NAT
Geo Policy
The Smart Console - Intro
Audit logs
Reporting
The Smart Console - Intro
Global Settings:
• Manage policies and layers (create policy packages & layers, assign privileges)
Security Policies | Access Control Rule Base
The Rule Base is a collection of individual rules that together build the Security Policy.
Settings configured as Global Properties are enforced by all Security Gateways managed by the Security Management Server.
Access Control | Implied Rules
Note: If the Cleanup rule is the last Explicit rule, the last Implied rule and the Implicit Cleanup Rule are not enforced.
Access Control | Rule Base Order
First Implied Rules
Network Object
Portal Content
Application Awareness
User
URL Category
Access Control| Rule Base
• Inspect and match connections row by row (left to right), based on the order of rules within the Rule Base.
• The integration of application and data criteria requires deep packet inspection before determining the final match.
Advanced Firewall | Rule Matching
Rule base matching process (mail server IP address 192.168.170.10)
• After the first matching round only three rules out of six remained for continued matching.
Advanced Firewall | Service & Applications Matching
Protocol detection may allow several packets to pass in order to accurately identify the protocol; a few packets are needed before the protocol can be correctly identified.
Advanced Firewall | Protocol Signatures
When using Service objects with default settings, a gateway running only the Firewall Blade works as it did with R77.30 (and older) releases.
Example: even if the firewall rule states “allow SMTP to the mail server”, you can open a telnet session to destination port 25 and the connection will succeed.
If you just open the connection and leave it idle, you will see that the connection is still allowed.
Publish – the process of moving user-defined rules from Smart Console to the Management Server.
Installation – the process of moving security rules from the Management Server to the Security Gateway.
The Smart Console | Policy Installation
Smart Console
How can we achieve more visibility on the connections related to an application layer session?
How can we see in one place the applications used or the content accessed?
Log & Monitors | Types of Logging
Understanding Logging
Log catalog
Log & Monitors
Connection vs Session
Session
Connections
Log & Monitors | Tracking Options
The Security Policy determines which rules generate logs and at which logging level.
Tracking Options:
Detail Log
Extended Log
Log & Monitors | Tracking Options
Log & Monitors | Tracking Options
Detailed Log - Equivalent to the Log option, but also shows the application that matched the connection, even if the rule does not specify an application.
Best Practice - Use for a cleanup rule (Any/Internet/Accept) of an Applications and URL Filtering Policy Layer.
Log & Monitors | Tracking Options
1. Security Gateways generate logs, and the Security Management Servers generates audit logs.
2. The Security Policy that is installed on each Security Gateway determines which rules generate logs.
Security Management Server that collects logs from the Security Gateways. This is the default.
Log Server on a dedicated machine. This is recommended for organizations that generate a lot of logs.
Security Gateway. This is called local logging.
Log & Monitors | Managing Log Storage
Highly recommended to use
If you have a software SMS
SmartEvent and Log Server use an algorithm to manage disk space and other system resources.
When the Logs and Events database becomes too large, the oldest logs and events are automatically deleted according to the configured thresholds.
Log & Monitors | Managing Log Storage
SmartView Monitor gives you a complete picture of network and security performance.
SmartView Monitor provides a single, central interface, to monitor network activity and performance
of Check Point Software Blades
To enable SmartView Monitor you have to enable the Monitor option under gateway properties:
Log & Monitors | SmartView Monitor
User Management & Permission Profiles
LAB – 04
LAB – 05
LAB – 06
DAY 2
Gateway & Servers
Management
Learning Objectives:
Understanding Anti-Spoofing
Understanding Topology Table
Network Address Translation
LAB-07 – LAB-08
HTTPS inspection
LAB-09 – LAB-10
Identity Awareness
LAB-11 – LAB-12
REDUNDANCY
IPsec
LAB-13 – LAB-14
IP Address Spoofing | Regular Communication
[Diagram: host-A sends a packet src_IP_A → dst_IP_B to host-B, which matches the rule "src_IP_A dst_IP_B accept any"; host-B replies with src_IP_B → dst_IP_A.]
IP Address Spoofing | How does spoofing work ?
[Diagram: a packet claiming src_IP_A dst_IP_B arrives from the Internet; the gateway's interfaces serve the networks 10.10.10.0/24, 10.20.20.0/24 and 10.30.30.0/24.]
Address Spoofing | Troubleshooting & Detection
# fwaccel off                            (turn SecureXL acceleration off so the kernel debug sees the drops)
# fw ctl zdebug drop | grep spoofing     (show only packets dropped for address spoofing)
# fwaccel on                             (turn SecureXL acceleration back on)
Address Spoofing | Possible reasons (how it comes about)
Routing issue:
The traffic is being returned to the Security Gateway from the next hop. Traffic will be returned with a source IP address that belongs to the Security Gateway.
Network issue:
There is a host on the network with an assigned IP address that belongs to one of the interfaces on the Security Gateway member.
GATEWAY & SERVERS | Topology Table
The Check Point Security Gateway must be fully aware of the network environment in which it is located.
The Topology Table defines the network environment in which the Security Gateway is set up.
The Check Point Security Gateway needs to know which IPs it can expect on each interface so that it can perform Anti-Spoofing protection.
GATEWAYS & SERVERS > Double click on Gateway/Cluster Object > Network Management
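The per-interface expectation the Topology Table encodes, as an added example (not Check Point code): a constructed topology with three interfaces, a check that flags a source address arriving on the wrong interface, and a drop record list in the spirit of the spoofing drops the zdebug command above reveals. The interface names, networks and packets are all constructed for the example.

```python
"""Added example, not Check Point code: an anti-spoofing check driven by a constructed
Topology Table, modelling the per-interface expectation described above."""
import ipaddress
from typing import Dict, List

# Constructed topology: interface -> networks that lie behind it. The external interface
# (eth0) carries "everything else", like the gateway's "leads out to the Internet" setting.
TOPOLOGY: Dict[str, List[str]] = {
    "eth0": [],                                  # external
    "eth1": ["10.10.10.0/24"],                   # internal
    "eth2": ["10.20.20.0/24", "10.30.30.0/24"],  # internal (two networks behind one interface)
}
EXTERNAL_IF = "eth0"


def _networks(iface: str):
    return [ipaddress.ip_network(n) for n in TOPOLOGY[iface]]


def _all_internal_networks():
    return [n for iface in TOPOLOGY if iface != EXTERNAL_IF for n in _networks(iface)]


def is_spoofed(ingress_iface: str, src_ip: str) -> bool:
    """True when a packet with src_ip arriving on ingress_iface violates the topology."""
    if ingress_iface not in TOPOLOGY:
        raise ValueError(f"unknown interface {ingress_iface}")
    src = ipaddress.ip_address(src_ip)
    if ingress_iface == EXTERNAL_IF:
        # An internal address showing up on the external interface is a spoof.
        return any(src in n for n in _all_internal_networks())
    # On an internal interface the source must belong to a network behind that interface.
    return not any(src in n for n in _networks(ingress_iface))


def check_packets(packets):
    """Evaluate constructed packets (iface, src, dst) and return one record per packet."""
    results = []
    for iface, src, dst in packets:
        spoofed = is_spoofed(iface, src)
        results.append({
            "iface": iface, "src": src, "dst": dst,
            "action": "drop" if spoofed else "accept",
            "reason": "Address spoofing" if spoofed else "",
        })
    return results


def spoof_drop_lines(packets):
    """Only the spoofing drops, formatted as constructed debug lines (not the real
    'fw ctl zdebug drop' output format)."""
    return [f"dropped on {r['iface']}: {r['src']} -> {r['dst']}; Reason: {r['reason']}"
            for r in check_packets(packets) if r["action"] == "drop"]


SAMPLE_PACKETS = [  # constructed sample traffic
    ("eth1", "10.10.10.5", "8.8.8.8"),       # legitimate internal client
    ("eth1", "10.20.20.5", "8.8.8.8"),       # internal address on the wrong interface (routing issue)
    ("eth0", "10.30.30.7", "10.10.10.5"),    # internal address arriving from the Internet: spoofed
    ("eth0", "198.51.100.9", "10.10.10.5"),  # ordinary Internet source
]

if __name__ == "__main__":
    for line in spoof_drop_lines(SAMPLE_PACKETS):
        print(line)
```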
GATEWAY & SERVERS | Update Topology Table
How to update topology table if there is a change in interfaces and routing table ?
• Manual NAT: configured in the NAT section of the policy package; offers flexibility.
Network Address Translation | Types of NAT
Hide NAT (Dynamic NAT)
• Many-to-one relationship
• Multiple computers represented by one IP address
• Only allows connections from protected side of Gateway
Static NAT
• One-to-one relationship
• Each host translated to unique IP address
• Connections initiated internally and externally
Network Address Translation | Types of NAT | Automatic NAT
• Translation of the Destination IP address takes place closer to the "Source/Client" side of the Security Gateway.
• This is used when Manual Static NAT is configured for the Destination/Server.
• The Destination IP address is NATed by the inbound kernel chains - before it is looked up in the routing table of the underlying operating system.
Network Address Translation | Proxy ARP for Manual NAT
• Configure proxy ARPs to associate the translated IP address for Manual NAT rules.
• Proxy ARPs allow the gateway to answer ARP queries.
• To configure a proxy ARP:
1. Match the IP of the relevant hosts on the internal network to the MAC of the gateway on the external network.
2. Create the relevant Manual NAT rules.
3. Install the policy.
Network Address Translation
2. Verify that the certificate has not been altered since it was created by the CA
3. The client checks that the server's domain name supplied in the certificate matches the domain name of the requested server.
HTTPS Inspection
HTTPS traffic poses a possible security risk and can hide illegal user activity and malicious traffic.
Affected Blades:
• Application Control
• URL Filtering
• Content Awareness
• DLP
• IPS
• Antivirus
• Anti-Bot
• Threat Emulation
Understanding Policies Matching
Gateway Topology
HTTPS Inspection | inbound inspection
• Inbound HTTPS Inspection
• Protects internal servers from malicious requests that arrive from the Internet or an external network.
HTTPS Inspection | inbound inspection | example
HTTPS Inspection | outbound inspection
• Outbound HTTPS Inspection
• Protects against malicious traffic sent from an internal client to an external site or server.
Certificates are used to act as an intermediary between the client and the secured website.
HTTPS Inspection | outbound inspection | example
• The list of certificate authorities is taken from the Windows system stores. It is updated according to Microsoft updates.
• Create an HTTPS Inspection Bypass rule that explicitly defines the IP addresses of the servers as the destination (in case the IP addresses are static and known). With this technique the software does not attempt to evaluate the SSL chain and the SSL bypass takes place.
• Note: You can use Host / Network / Group objects in this Bypass rule.
HTTPS Inspection | types of certificates
single host certificate
the certificate matches only one hostname (it is recommended to add a SAN attribute even when you use a single host certificate)
multiple hosts certificate (multi-domain certificates)
allows you to secure multiple fully qualified domain names (FQDNs) and sub-domains with a single certificate, where the domains can be resolved to a single IP address.
wildcard certificate
allows you to secure unlimited subdomains with a single certificate.
HTTPS Inspection | Multi-domain SSL certificates
1. Multi-domain SSL certificates (SAN) – allow you to secure multiple fully qualified domain names (FQDNs) and sub-domains with a single certificate, where the domains can be resolved to a single IP address.
2. If the certificate has a SAN extension field, it replaces the subject in the certificate name check.
3. Google Chrome only supports the SAN extension for the server host/certificate check; it no longer uses the subject for the server host check.
4. Example: Google certificate
HTTPS Inspection | URL categorization in multi-domain certificates
1. The site category is determined according to the FQDN in the server's certificate and the IP address.
2. For URLs with a single host certificate, things are straightforward.
3. For URLs with multi-domain certificates, things are complicated: a single certificate can secure several domains from different categories (Search Engines / Portals, Media Sharing, etc.).
4. Examples: Google certificate, Microsoft Office …
5. Without SSL decryption, there is no way for the Security Gateway to know the underlying URL and easily categorize the connection.
6. HTTPS Inspection must be enabled for URL categorization to work properly.
HTTPS Inspection | HTTPS Inspection Bypass
In order to apply a rule for HTTPS Inspection Bypass, the Security Gateway needs to determine the site's category without SSL decryption.
The Site Category is determined by the certificate FQDN and the IP address.
There are web servers hosting different domains on the same IP address, and each domain can belong to a different category!
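The two points above (SAN replacing the subject in the name check, and a multi-domain certificate leaving the category ambiguous without decryption) as one added example that is not Check Point code: an RFC 6125-style hostname match in which SAN dNSName entries take precedence over the CN and a wildcard covers exactly one label, plus a constructed category table (not the real URL Filtering database) showing the set of categories a gateway is left with when it can only see the certificate.

```python
"""Added example, not Check Point code: certificate name matching (SAN before CN,
single-label wildcards) and why a multi-domain certificate gives an ambiguous
site category when HTTPS Inspection is off."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Cert:
    """Only the name-related parts of a server certificate (constructed model)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a requested hostname (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label with at least two labels after it,
    # and it matches exactly one label: *.google.com does NOT cover a.b.google.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_to_check(cert: Cert) -> List[str]:
    """SAN dNSName entries replace the subject CN when present (the Chrome behaviour
    noted above); the CN is consulted only for legacy certificates with no SAN."""
    if cert.san_dns:
        return list(cert.san_dns)
    return [cert.subject_cn] if cert.subject_cn else []


def hostname_matches(cert: Cert, host: str) -> bool:
    return any(_name_match(n, host) for n in names_to_check(cert))


# Constructed category table keyed by certificate name (not Check Point's database).
CATEGORIES: Dict[str, str] = {
    "www.google.com": "Search Engines / Portals",
    "*.google.com": "Search Engines / Portals",
    "youtube.com": "Media Sharing",
    "*.youtube.com": "Media Sharing",
    "mail.example.test": "Web Mail",
}


def categories_without_decryption(cert: Cert) -> Set[str]:
    """Without decrypting, the gateway sees only the certificate, so the best it can do
    is the set of categories of every name the certificate covers."""
    return {CATEGORIES[n] for n in names_to_check(cert) if n in CATEGORIES}


def category_with_decryption(host: str) -> Optional[str]:
    """With HTTPS Inspection the real Host / URL is visible, so one category results."""
    if host in CATEGORIES:
        return CATEGORIES[host]
    parts = host.split(".", 1)  # fall back to a wildcard entry for the parent domain
    return CATEGORIES.get("*." + parts[1]) if len(parts) == 2 else None


# Constructed multi-domain certificate covering two categories at once.
MULTI_DOMAIN_CERT = Cert("www.google.com",
                         ["www.google.com", "*.google.com", "youtube.com", "*.youtube.com"])
```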
HTTPS Inspection | HTTPS Inspection Bypass
Application Control cannot detect a web application if the traffic is over SSL and HTTPS Inspection is disabled, for most sites.
Several applications can be detected without HTTPS Inspection being enabled, by inspecting the DN in the certificate sent by the server. For most web sites there are no such signatures.
The YouTube service cannot be detected based on the DN (Domain name), since Google uses a generic wildcard certificate for its services (*.google.com, in most cases).
Solution: You must enable HTTPS Inspection in order to detect the service.
URL filtering without HTTPS inspection
Difference between HTTPS Inspection and the Categorize HTTPS websites setting
HTTPS Inspection allows you to see all the traffic as if it were unencrypted, allowing you to do full threat prevention and content inspection.
Categorize HTTPS Sites allows you to categorize HTTPS connections based on the certificate DN, which is sent in the clear.
If you can do HTTPS Inspection, you don't need Categorize HTTPS Sites. The options are mutually exclusive.
Managing User Access | Identity Awareness
Identity Awareness lets you manage logs based on user and computer name
Managing User Access | Identity Awareness
Identifies users in a Terminal Server environment, such as application servers that host Microsoft Terminal Servers, Citrix XenApp, and Citrix XenDesktop.
Identifies individual users whose traffic originates from one IP address.
To deploy Terminal Servers:
• Install a Terminal Servers Identity Agent
• Configure a shared secret
Identity Awareness | Endpoint Identity Agents
The Security Gateway forwards authentication requests to the server, which stores user account information.
Identity Awareness uses data from these requests to get user and device group information from the LDAP server.
The LDAP server authenticates the user.
The Security Gateway lets you control access privileges for authenticated users.
Identity Awareness | RADIUS
The identity source must be set to identify Mobile Access and IPsec VPN clients in Office Mode.
Identities are acquired for Mobile Access clients and IPsec VPN clients configured in Office Mode when they connect to the Security Gateway.
Users who get access using IPsec VPN can authenticate seamlessly.
Identity Awareness | How to Choose an Identity Source ?
Used to make sure the user management attributes of an SMS are correct for its associated LDAP server
Configurable LDAP policy that lets you define more exact User Directory requests
Enhances communication with the server
Controls most of the LDAP server-specific knowledge
Retrieve Information from a User Directory Server
• If the specified user is not defined in the internal users database, the gateway queries the LDAP server defined in the Account Unit with the highest priority.
• If the query fails, the gateway queries the server with the next highest priority.
• If the query against all LDAP servers fails, the gateway matches the user against the generic external user profile.
Authentication Schemes
RADIUS
SecurID
TACACS
Undefined
Access Roles
An Access Role is an object that defines users, computers, and network locations as one object and can be used as a source or destination in a rule.
• Define a policy rule for specified users who send traffic from specified computers or from any computer.
• In rules with Access Role objects, add an Accept option in the Action field to enable Captive Portal.
• The user is redirected to the Captive Portal.
Captive Portal for Guest Access
GATEWAY & SERVERS | Security Gateway Redundancy
Redundancy is needed to ensure uninterrupted service delivery in case of failure.
Proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission. 191
Check Point Redundancy | ClusterXL
1. ClusterXL is a group of identical machines connected in such a way that if one member fails, another immediately takes its place.
2. ClusterXL is a Check Point proprietary protocol for clustering.
3. ClusterXL provides transparent failover between machines in case of failure. A failover occurs when a gateway is no longer able to perform its designated functions.
4. ClusterXL is a software-based solution that distributes network traffic between cluster members.
ClusterXL in High Availability mode supports up to 5 Cluster Members.
ClusterXL in Load Sharing mode supports up to 5 Cluster Members.
Check Point Redundancy | ClusterXL | Topology
Check Point Redundancy | ClusterXL | How ClusterXL Works ?
ClusterXL uses State Synchronization to keep active connections alive and prevent data loss when a Cluster Member fails.
With State Synchronization, each Cluster Member "knows" about connections that go through other Cluster Members.
Check Point Redundancy | ClusterXL | How ClusterXL Works ?
ClusterXL uses virtual IP addresses for the cluster itself and unique physical IP and MAC addresses for the Cluster Members. Virtual IP addresses do not belong to physical interfaces.
Cluster Synchronization
Synchronization works in the following two modes:
• Full Synchronization — Transfers all Firewall kernel table information from one cluster member to another. Full synchronization is used for initial transfers of state information for thousands of connections. If a cluster member is brought up after failing, it will perform full sync. Once all members are synchronized, only updates are transferred via delta sync. Full synchronization between cluster members is handled by the Firewall kernel using TCP port 256.
• Delta Synchronization — Transfers changes in the kernel tables between cluster members. Delta sync is much quicker than full sync. It is handled by the Firewall kernel, using UDP Multicast or Broadcast on port 8116.
Check Point Redundancy | ClusterXL | High Availability Mode
This scenario describes a user logging in from the Internet to a Web server behind the Firewall cluster.
[Diagram: ARP exchange "Who is 62.90.111.3?" / "62.90.111.3 at 00:80:24:01:01:01" between the ISP router on the Internet side and the cluster; cluster members A (active) and S (standby) joined by a Synchronization link, with MACs 00:80:24:01:02:01 and 00:80:24:01:02:02; internal-side addresses 172.168.1.1, 172.168.1.2 and 172.168.1.3, and an internal router behind the cluster.]
Check Point Redundancy | Useful commands
# cphaprob stat
> cphaprob -a if
# clusterXL_admin down
# clusterXL_admin up
Check Point Redundancy | Cluster States
Active
Everything is OK, forwarding packets - no issue.
Active Attention
A problem has been detected, but the cluster member is still forwarding packets because it is the only machine in the cluster or there are no other active machines in the cluster. In any other situation the state of the machine would be Down.
Forwarding packets - there is an issue.
Check Point Redundancy | Cluster States
Down
NOT forwarding packets - there is an issue.
Standby
Applies only to a High Availability configuration and means that the member is waiting for an active machine to fail in order to start packet forwarding.
NOT forwarding packets - NO issue.
VMAC
• A variation of HA and Load Sharing Unicast mode.
• Configuring the cluster to use VMAC mode allows all members to use the same virtual MAC address and minimizes possible traffic outages during failover.
• The VMAC is advertised by members through G-ARP requests; each member keeps its real MAC address and adds the VMAC address on top of it.
• VMAC failover time is shorter than failovers that involve a physical MAC address.
Configuring VMAC via SmartConsole:
1. Select the cluster object and navigate to Gateway Cluster Properties.
2. Select ClusterXL and VRRP.
3. Enable the Use Virtual MAC option.
Configuring VMAC via the command line:
1. Set the value of the global kernel parameter to 1 (the default value is 0, meaning VMAC is disabled):
# fw ctl set int fwha_vmac_global_param_enabled 1
2. Ensure that VMAC mode is enabled on all members. Run this command:
# fw ctl get int fwha_vmac_global_param_enabled
To view the VMAC address of each virtual cluster interface, run the following command:
> cphaprob -a if
Rule Processing Order
1. Anti-spoofing checks
Questions ?