
CHECK POINT CYBER SECURITY ADMINISTRATOR (CCSA) v1.0

Marko Davidovic CCSA, CCSE


marko.davidovic@ingrammicro.com
Check Point Certified Instructor
DAY 1
About the Class…

Ingram Micro doo Beograd


8.30 am – Welcome coffee (Tošin bunar 272v, Beograd)

9.00 am – 4.00 pm – Lecturing

12.00 pm – 12.45 pm – Lunch

3 x 15 min. – Breaks
About the Class…

Course Materials

LABs
CCSA LAB TOPOLOGY
Agenda

Day 1
 Introduction
 Introduction to Deployment, Licensing, Security Architecture
 GAiA Options (LAB 01 - 03)
 Smart Console, Security Policies, Logs & Monitors (LAB 04 - 06)

Day 2
 Spoofing, Topology Table, NAT (LAB 07 - 08)
 HTTPS (LAB 09 - 10)
 Identity Awareness (LAB 11)
 Redundancy, IPsec (LAB 12 - 13)
Introduction to Check Point Technology

The big picture…

Check Point is a software company that operates exclusively in the field of information security.

The Check Point firewall is a software package that runs on top of an operating system (OS).

GAiA is the operating system for all Check Point products.

GAiA is Check Point's own OS, based on Red Hat Enterprise Linux.


Introduction to Check Point Technology

Configuration & Settings

[Diagram: the Smart Console application and the management API configure the SECURITY SETTINGS; the Command Line Interface and the Web User Interface configure the SYSTEM SETTINGS of the Gaia host (interfaces E0 … E6)]
Introduction to GAiA
 SYSTEM SETTINGS
 Networking (IPv4 and IPv6, DHCP, DNS, hostname …. )
 System management (NTP, SNMP, Mail Notification… )
 User management (Role-Based Administration, users, password policy, authentication servers… )
 Routing (BGP, OSPF, PBR, RIP and PIM-SM, PIM-DM, IGMP)
 Maintenance (update & upgrade, license management, hardware monitoring, system backup)
 High Availability (VRRP, Interface bonding)
 Accessible via: WebUI (Gaia Portal) and CLI
 SECURITY SERVICES
 Access Lists, IPS, Anti-Virus, Anti-Spam, Anti-Bot, Zero-Day…
 Network Policy Management, Logging, Reporting
 Accessible via: Smart Console and API
Introduction to GAiA | System Settings & GAiA Access
System settings can be configured in one of two ways. The WebUI is easy and intuitive; the focus of this class is the CLI.

1. WebUI (GAiA portal): https://<management_IP>

2. Command Line Interface
 CLI access using an SSH client
 CLI access using a direct console cable connection
 CLI from within the WebUI


Introduction to GAiA | Command Line Interface

CLI access has two modes:

 Standard mode (clish): [hostname]>
 Expert mode (bash): [Expert@hostname]#

Every administrator who accesses clish has their own username/password and permission profile.
 clish is the default shell at CLI login
 clish is a restrictive shell, controlled by role-based administration
 Expert mode gives access to the Linux file system. In expert mode you can:
• perform low-level system configuration
• run debugging
• perform troubleshooting…
 Expert mode is NOT controlled by role-based administration
Introduction to GAiA
Set & change the expert password:

 expert access is NOT controlled by role-based administration
 there is only one expert password per GAiA system

If someone knows the expert password and has permission to enter expert mode, there is no way to restrict the commands they can run.
To limit this, create a GAiA permission profile (role) for that user that does not allow expert access, and keep the expert password distinct from any administrator's own login password.
Introduction to GAiA

Saving and applying configuration changes


System changes can be made by using:
 Command Line Interface (CLI)
• Configuration changes you enter using the CLI are applied immediately to the running system.
• To ensure changes remain after reboot, you must save your changes.

> save config - save current configuration


> save configuration <filename> - save configuration to file
> show configuration - show configuration

 Web User Interface (WebUI)


• Configuration changes you enter using the WebUI are applied and saved immediately to the
running system.
Introduction to GAiA

CLI access has two configuration modes (see above): standard mode (clish) and expert mode (bash).

GAiA CLI commands:

 clish commands: set, show, delete, add ….
 extended commands: cpconfig, cplic, cpview ….
 expert mode commands: tcpdump, cat, grep, ls, cd, cp ….


Introduction to GAiA

Most common used GAiA Clish operations are:

set Set a value in the system


show Show a value or values from the system
delete Deletes a value from the system
add Adds a new value to the system
save Saves the configuration changes made since the last save operation.
reboot Restart the system.
halt Turn the computer off
quit Exit the CLI
exit Exit the shell
Introduction to GAiA
Command Completion:
Press … / To do this …

<TAB> – Complete or fetch the keyword
  > set inter<TAB>
  interface - Display the interface related parameters
  interface-name - Interface Naming

<SPACE><TAB> – Show the arguments that the command for that feature accepts
  > set interface <SPACE><TAB>
  eth0 eth1 eth2 lo

<ESC><ESC> – See possible command completions
  > set interface <ESC><ESC>
  set interface VALUE ipv4-address VALUE mask-length VALUE
  set interface VALUE ipv4-address VALUE subnet-mask VALUE
  set interface VALUE ipv6-address VALUE mask-length VALUE
  ….

? – Get help on a feature or keyword
  > set interface ?
  interface: specifies the interface name


Introduction to GAiA

Examples:
hostname> set interface eth0 ipv4-address 10.1.1.3 mask-length 24
hostname> set interface eth0 state on
hostname> set interface eth0 state off
hostname> delete interface eth0 ipv4-address
hostname> set static-route default nexthop gateway address 172.26.115.1 on
hostname> set static-route default nexthop gateway address 172.26.115.1 off
hostname> set static-route 172.26.116.0/24 nexthop gateway address 10.100.100.20 on
hostname> set static-route 172.26.116.0/24 nexthop gateway address 10.100.100.20 off
hostname> add interface eth0 vlan 100
hostname> show interface eth1
hostname> show route
hostname> save config
Introduction to GAiA

Extended commands:

 Check Point product commands (and administrator-defined commands) that can be run from clish without entering expert mode.
 Mostly used for configuring and troubleshooting Check Point products.
 Examples of extended commands: cpconfig, cphaprob, cpview, cpstop, cpstart, cplic, cpinfo, vpn tu ….
Introduction to GAiA Portal | WebUI (GAiA Portal)

Use RDP to connect to your LABs (IP/username/password provided)

Access the Gaia system through the portal page at https://10.1.1.2

username: admin
password: Chkp!234
Introduction to GAiA Portal

 Only one user can have read/write access to the Gaia system configuration at a time. All other users can only log in with Read-Only access to view configuration settings.
 The same user cannot hold read/write access through the CLI and the WebUI at the same time.
 The configuration lock is handled by two commands:
[hostname]> lock database override // takes the lock from another administrator
[hostname]> unlock database // releases the lock held by the current administrator

Note: The administrator whose read/write access is revoked does not receive a notification.
Introduction to GAiA Portal | Network Interfaces

Gaia supports these network interface types:

 Ethernet physical interfaces
 Alias
 VLAN
 Bond
 Bridge
 Loopback
 VPN tunnel interface
Introduction to GAiA Portal | Network Interfaces

 Interface Alias: lets you assign more than one IPv4 address to an interface. NOT supported in a cluster environment.

 Interface VLAN: VLAN interfaces let you configure several subnets on one physical interface (802.1Q tagging).

 VPN Tunnel Interface: a Virtual Tunnel Interface (VTI) is a virtual interface used for establishing a Route-Based VPN tunnel.

 Interface Bridge:
o Use when you do not want the firewall to be an L3 hop in your network.
o Bridge mode is supported in standalone and cluster environments.
o Only two interfaces can be connected by one Bridge interface.

 Interface Bond: port channel, 802.3ad (LACP).

[Screenshots: Bond and Bridge interface configuration in the Gaia Portal]
Introduction to GAiA Portal | Maintenance – System Snapshot

 Creates a binary image of the entire root disk partition, which includes:
• GAiA operating system configuration (routing, networking, …)
• Products, binaries and hotfixes
 The log partition is not included in the snapshot
 Exporting an image from one machine and importing that image on another machine of the same type is supported
Introduction to GAiA Portal | Maintenance – System Backup

 Used to back up the GAiA operating system configuration (routing, interface configuration, networking, …)
 Unlike a snapshot, it does not include the operating system, products or hotfixes.
 The log partition is not included in the backup
 Exporting a backup from one machine and importing it on another machine is not supported
Introduction to GAiA Portal | Maintenance

Recommended backup plan:

 Snapshot - after a fresh installation, before an upgrade, and before a hotfix installation.

 Backup - monthly or weekly, depending on how frequently you make changes to your system

Recommended steps in case of Disaster Recovery

1. Revert to a Snapshot - restores the Check Point version with all the setup details, and hotfixes.

2. Restore from Backup - restores latest system configuration with all recent network and security
configuration.

[Timeline: snapshot at t = 0, regular backups over the following month, another snapshot before the next upgrade or hotfix]
Introduction to GAiA Portal | Maintenance | Service CPUSE

Check Point Upgrade Service Engine (CPUSE) – a tool for automatically updating Check Point products

 Downloads and installs updates & upgrades
 Easy rollback from a new update
 Notifies you of newly available updates

[Screenshot: automatically updating Check Point Gaia with the Check Point Upgrade Service Engine (CPUSE)]
Introduction to GAiA Portal | User Management

User management in the GAiA portal covers:

 user accounts,

 passwords,

 roles or privileges,

 authentication servers,

 system groups.
Introduction to GAiA Portal | User Management | Users

 There are two default users that cannot be deleted from the system:
 admin: has full read/write permission to all Gaia features [adminRole]
 monitor: has Read-Only permissions for all Gaia features [monitorRole]
 An admin must set a password for the monitor user before it can be used.
Introduction to GAiA Portal | User Management | Users
User shell options:
 clish (default): the Gaia command line
 bash: the expert shell
 nologin: the user is not allowed to log in to Gaia
 scponly: the user can only connect to Gaia over SCP and transfer files to and from the system; other commands are forbidden

User ID (UID):
 0 for administrator users (this is the default option)
 An integer between 103 and 65533 for non-administrator users
Introduction to GAiA Portal | User Management | Roles
 Role-based administration (RBA) lets you create administrative roles for users.
 With RBA, an administrator can allow Gaia users to access specified features by including those features in a role and assigning that role to users.
 Each role can include a combination of administrative (read/write) access to some features, monitoring (read-only) access to other features, and no access to the remaining features.
 Default roles:
  adminRole: gives the user read/write access to all features
  monitorRole: gives the user read-only access to all features
Introduction to GAiA Portal | User Management | Authentication Servers

 You can configure Gaia to authenticate Gaia users even when they are not defined locally.
 This is a good way of centrally managing the credentials of multiple Security Gateways.
 To define non-local Gaia users, you define Gaia as a client of an authentication server.
 Gaia supports these types of authentication servers: RADIUS and TACACS+
Introduction to GAiA | Deployment options

 Check Point Security Appliance.


This option includes both hardware and software required to run Check Point Network Security System.

 Open Server.
Gaia OS can be deployed on specific certified servers from a Hardware Compatibility List available on
Check Point web site.

 A Virtual Machine.
Private Cloud Platforms: VMware ESX, Microsoft Hyper-V, KVM
Public Cloud Platforms: AWS, Azure, Google Cloud, Alibaba, and Oracle.

https://www.checkpoint.com/support-services/hcl/
Deployment Options | Standalone Deployment

Security Management Server and Security Gateway reside on the same computer or appliance
Deployment Options | Distributed Deployment

Security Management Server and Security Gateway reside on different computers or appliances.
Deployment Options | Bridge Mode

Adds a Security Gateway to an existing environment without changing IP Routing.


Check Point Security Services | Software Blades

“Software Blade” is Check Point's term for a specific security feature of a Check Point product

Security Gateway Software Blades

Security Management Software Blades

Licensing

Next Generation Firewall (NGFW): Firewall, IPS, Application Control and VPN

Next Generation Threat Prevention (NGTP): NGFW + Anti-Virus, Anti-Bot, URL Filtering and Anti-Spam & Email Security

Next Generation Threat Extraction (NGTX): NGTP + Threat Emulation and Threat Extraction


Check Point Security Architecture

Smart Console: Windows client that manages security policy and events on the Security Management server.

Security Gateway: Integrated network security enforcing access control and threat prevention policies in
physical and virtual environments.

Security Management Server: Stores and distributes security policy to Security Gateways and receives security
logs from them.
Check Point Security Architecture| Secure Internal Communication (SIC)

SIC is a Check Point proprietary mechanism with which Check Point components authenticate each other, using certificates over TLS.
SIC is used to establish a trusted communication channel over an untrusted network.

[Diagram: HQ Security Management Server (SMS) and Smart Console communicating with branch-office (BO) gateways across the internet]

Trusted (secure) communication is required to install policies on gateways and to send logs between gateways and management servers.
Check Point Security Architecture| Secure Internal Communication (SIC)

How does it work?

[Diagram: Smart Console, SMS and gateway communicating across the internet]

Check Point products authenticate each other with Secure Internal Communication (SIC), which combines:
 Certificates for authentication.
 Standards-based TLS for the creation of secure channels.
 3DES or AES128 for encryption.

Authentication is based on the certificates issued by the ICA on a Check Point Management Server
Check Point Security Architecture | Steps to Initializing Trust

1. The ICA is created during the primary Security Management Server installation process
2. The ICA on the SMS signs and issues a certificate for the gateway but does not yet deliver it
3. The management server authenticates the gateway over TLS using the one-time password
4. The certificate is then downloaded and stored on the gateway; trust is established and the one-time password is deleted
5. The gateway can now safely communicate with other Check Point gateways and management servers

[Diagram: one-time password shared between the SMS (with its ICA) and the gateway across the internet, resulting in TRUST]
Check Point Security Architecture| Internal Certificate Authority
What are the responsibilities of ICA server ?

ICA is responsible for issuing:

 SIC certificates – authenticate gateways to each other and to Security Management Servers, for policy installation and sending logs
 VPN certificates – authenticate members of a VPN community in order to create VPN tunnels
 User certificates – authenticate user access according to authorization and permissions

Note: If the Security Management Server is renamed, trust must be re-established, because the certificate is reissued.
Check Point Security Architecture | Steps to Initializing Trust

Steps to initialize trust between the management server and the security gateway:

1. Create a one-time password on the security gateway
 this is done in the first-time configuration wizard on Gaia
 reset the one-time password (cpconfig) if you forgot it or typed it wrong

2. Authenticate the security gateway on the management server using its IP address and the one-time password
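The trust bootstrap described above, as an added example written for this page (it is not Check Point code). The real ICA signs X.509 certificates with its private key and the exchange runs inside TLS; here an HMAC under a secret only the ICA holds stands in for the ICA signature, and a nonce challenge stands in for the TLS-authenticated one-time-password check. It shows why the password is one-time: once the certificate has been delivered the OTP is deleted on both sides, so a replay with the same password, or a wrong password, gets no certificate, and a certificate whose fields were altered fails ICA verification. Gateway names and passwords are constructed.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> str:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()


class ICA:
    """Internal Certificate Authority created with the primary SMS. The real
    ICA signs X.509 certificates with its private key; an HMAC under a secret
    that only the ICA holds stands in for that signature here."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)

    def issue(self, subject: str, fingerprint: str) -> dict:
        return {"subject": subject, "fingerprint": fingerprint,
                "ica_sig": _mac(self._signing_key, subject.encode(), fingerprint.encode())}

    def verify(self, cert: dict) -> bool:
        expected = _mac(self._signing_key, cert["subject"].encode(), cert["fingerprint"].encode())
        return hmac.compare_digest(expected, cert["ica_sig"])


class Gateway:
    def __init__(self, name: str):
        self.name = name
        identity = secrets.token_bytes(32)          # stand-in for the gateway's key pair
        self.fingerprint = hashlib.sha256(identity).hexdigest()[:16]
        self._otp = None                            # typed in the first-time wizard or cpconfig
        self.cert = None

    def set_otp(self, otp: str):
        self._otp = otp.encode()

    def prove_otp(self, nonce: bytes) -> str:
        """Answer the SMS challenge without ever sending the OTP itself."""
        return _mac(self._otp, nonce) if self._otp else ""

    def store_certificate(self, cert: dict):
        self.cert = cert          # trust established ...
        self._otp = None          # ... and the one-time password is deleted

    def sic_status(self) -> str:
        return "Communicating" if self.cert else "Not Communicating"


class ManagementServer:
    def __init__(self):
        self.ica = ICA()
        self._pending_otp = {}    # gateway name -> OTP the admin typed in Smart Console
        self.trusted = {}         # gateway name -> delivered certificate

    def set_otp(self, gw_name: str, otp: str):
        self._pending_otp[gw_name] = otp.encode()

    def initialize_trust(self, gw: Gateway) -> bool:
        otp = self._pending_otp.get(gw.name)
        if otp is None:                          # no OTP set, or already consumed
            return False
        cert = self.ica.issue(gw.name, gw.fingerprint)   # signed, not yet delivered
        nonce = secrets.token_bytes(16)
        if not hmac.compare_digest(_mac(otp, nonce), gw.prove_otp(nonce)):
            return False                         # wrong OTP: certificate never leaves the SMS
        gw.store_certificate(cert)               # certificate downloaded and stored
        del self._pending_otp[gw.name]           # OTP deleted on the SMS side too
        self.trusted[gw.name] = cert
        return True


if __name__ == "__main__":
    sms, gw = ManagementServer(), Gateway("gw-branch")
    sms.set_otp("gw-branch", "Chkp!234")
    gw.set_otp("Chkp!234")
    print(sms.initialize_trust(gw), gw.sic_status(), sms.ica.verify(gw.cert))
```

Resetting SIC (cpconfig option 5 on the gateway, then the gateway object in Smart Console) corresponds to calling `set_otp` on both sides again: the old certificate is replaced only after a fresh password has been proven.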
Check Point Security Architecture | Steps to Reset SIC

gateway> cpconfig

Option (5) Secure Internal Communication: resets SIC on the gateway and prompts for a new one-time password. Afterwards reset SIC on the gateway object in Smart Console and enter the same password to re-establish trust.
Check Point Security Architecture | SIC Status & Certificate State

 Communicating – The secure communication is established

 Unknown – There is no connection between the gateway and management server

 Not Communicating - The management server can contact the gateway but cannot establish SIC
BREAK
15 minutes
LAB

LAB – 01

LAB – 02

LAB – 03
Smart Console

Review

Security Policies

Advanced Firewall

Logs & Monitors

User Management
&
Permission Profiles
The Smart Console - Intro

Run Smart Console in Demo Mode


The Smart Console - Intro

DEVICE MANAGEMENT
 Add & delete devices (gateway, ClusterXL cluster, management server, log server, etc.)
 Enable & disable Software Blades (URLF, APCL, AV, AB, Remote Access VPN, IPsec VPN, …)
 Device general properties (topology table, enable & disable HTTPS inspection, IPsec & Remote Access VPN settings, …)
 Device status monitoring (hardware health, CPU, memory, disk space, etc.)
 Software Blade status monitoring
 License status
 System counters and traffic monitoring


The Smart Console - Intro

SECURITY POLICY MANAGEMENT


 Access Control Policy (firewall, APCL, URLF, Content Awareness, site-to-site VPN,

Remote Access VPN, QoS…)

 NAT

 Threat Prevention Policy (IPS, AV, TE/TX, AB)

 HTTPS Inspection Policy

 Geo Policy
The Smart Console - Intro

Logs & Monitoring


 Log search

 Audit logs

 Smart Event service

 Reporting
The Smart Console - Intro

Manage & Settings:

 Software Blade advanced settings
 Smart Console user management


The Smart Console - Intro

Management API (programmatic access to the management server; separate from CLI access)

What is new in this release


The Smart Console - Intro
Object Management (create, edit & delete)
 Network Object (Hosts, Networks, Groups, Domains …)
 Service (TCP, UDP)
 Custom Application/Site
 VPN Community
 User
 Server
 Data Types
 Time Object
 User Check Interactions
 Limit
 Updatable objects
The Smart Console - Intro

Global Settings:

• Manage policies and layers (create policy packages & layers, assign privileges)

• Manage licenses and packages (add license and contract)

• Global properties (stateful inspection settings …)

Settings configured as Global Properties are enforced by all Security Gateways managed by the Security Management Server.
Security Policies | Access Control Rule Base
The Rule Base is the collection of individual rules that builds the Security Policy

 Implied Rules: built-in rules that cannot be edited; they
 accept control connections to and from the security gateway,
 allow installing the security policy on a security gateway,
 allow sending logs from a security gateway to the security management server,
 allow connecting to RADIUS,
 allow remote access and IPsec VPN connections…
 Explicit Rules: created by the administrator.
 The cleanup rule drops all traffic that is not allowed by the earlier rules,
 The stealth rule prevents direct access to the security gateway
Access Control | Explicit Rules
[Rule Base screenshot: explicitly defined rules; a stealth rule that allows direct access to the gateway and SMS only from trusted sources; an explicit cleanup rule that drops unwanted traffic]

Access Control | Implied Rules
Security Policy > Actions > Implied Rules

[Screenshot: Global Properties, e.g. “Accept control connections to and from the security gateway” and “Accept ICMP requests”; “Log Implied Rules” is disabled by default]

Settings configured as Global Properties are enforced by all Security Gateways managed by the Security Management Server.
Access Control | Rule Base Order
The Security Gateway inspects packets by comparing them to the Security Policy, one rule at a time

1. First Implied - cannot be modified, moved or overwritten


2. Explicit - administrator defined rules
3. Before Last Implied - more specific Implied rules enforced before the last rule is applied
4. Last Explicit - A Cleanup rule should be used as the last Explicit rule.
5. Last Implied - applied after all other Explicit and Implied rules in the Rule Base
6. Implied Drop Cleanup Rule - This default rule is applied if none of the rules are matched.

Note: If the Cleanup rule is the last Explicit rule, the last Implied rule and Implicit Cleanup Rule are not
enforced.
Access Control | Rule Base Order
[Diagram of firewall rule enforcement order, top to bottom:
 First Implied Rules
 Explicit Rules (user defined)
 Before Last Implied Rules
 Last Explicit Rule (cleanup rule: any – any – drop)
 Last Implied Rules
 Implied Drop Rule]
Access Control | Rule Base > Policy Package
A group of different types of policies that are installed together on the same installation targets.
Access Control | Rule Base > Policy Package

[Diagram of the elements a policy package references: Security Zone, Logging and Accounting, Application Signature, Network Object, Portal Content, Application Awareness, User, URL Category]

Access Control | Rule Base

[Diagram: the Check Point Management Server holds the policy packages and installs them on each gateway over the established TRUST (SIC)]
Advanced Firewall | Rule Matching Algorithms

 Security Gateways prior to R80.10
• Inspect and match connections row by row (left to right), based on the order of rules within the Rule Base.

 R80.10 Security Gateways and later
• Inspect and match rules by column.
• Inspection begins in the Destination column.
• The integration of application and data criteria requires deep packet inspection before the final match can be determined.
Advanced Firewall | Rule Matching
Rule Base matching process (mail server IP address 192.168.170.10)

Packet: src IP 192.168.169.1, dst IP 192.168.170.10, TCP, src port 35888, dst port 25

[Animated slide: rules whose Destination column cannot contain 192.168.170.10 are marked “No match possible!”]

• After the first matching round (Destination column) only three rules out of six remain for continued matching
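To make the enforcement order of the Rule Base Order slides and the column-based elimination above concrete, here is an added example written for this page (it is not Check Point code): a toy Rule Base evaluator. The rule base, addresses and implied rules (ports 257 and 18191 for the control-connection rule, an ICMP rule placed Last, a RADIUS rule placed Before Last) are constructed for the lab topology of the slides. `enforcement_order` builds the six-stage order, `first_match` is the classic row-by-row evaluation, and `column_candidates` discards rules per column starting with Destination, reproducing the "six rules, three left after the Destination column" count of the mail-server example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: object     # tuple of CIDR strings, or ANY
    dst: object
    svc: object     # tuple of "proto/port" strings, or ANY
    action: str     # "Accept" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _ip_match(column, ip):
    if column == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in column)


def _svc_match(column, pkt):
    return column == ANY or f"{pkt.proto}/{pkt.dport}" in column


def rule_matches(rule, pkt):
    return (_ip_match(rule.src, pkt.src) and _ip_match(rule.dst, pkt.dst)
            and _svc_match(rule.svc, pkt))


def enforcement_order(first_implied, explicit, before_last_implied, last_implied):
    """Order from the text: First Implied, Explicit, Before Last Implied,
    Last Explicit (the cleanup rule), Last Implied, Implicit Drop."""
    implicit_drop = Rule("Implicit Cleanup Rule", ANY, ANY, ANY, "Drop")
    body, last_explicit = list(explicit[:-1]), list(explicit[-1:])
    return (list(first_implied) + body + list(before_last_implied)
            + last_explicit + list(last_implied) + [implicit_drop])


def first_match(ordered_rules, pkt):
    """Row-by-row evaluation (pre-R80.10): the first matching rule wins."""
    for rule in ordered_rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    raise AssertionError("the implicit drop rule always matches")


def column_candidates(rules, pkt):
    """R80.10+ style: eliminate candidate rules column by column, Destination
    first. Returns the surviving count after each column and the survivors
    (still in Rule Base order, so the first survivor is the final match)."""
    survivors = list(rules)
    counts = [len(survivors)]
    for test in (lambda r: _ip_match(r.dst, pkt.dst),
                 lambda r: _ip_match(r.src, pkt.src),
                 lambda r: _svc_match(r.svc, pkt)):
        survivors = [r for r in survivors if test(r)]
        counts.append(len(survivors))
    return counts, survivors


# Constructed lab-style Rule Base: gateway 10.1.1.1, SMS 10.1.1.2, internal
# 192.168.169.0/24, mail server 192.168.170.10. Not a real policy.
FIRST_IMPLIED = [Rule("Accept control connections (implied)", ANY, ("10.1.1.2/32",),
                      ("tcp/257", "tcp/18191"), "Accept")]
EXPLICIT = [
    Rule("Management access", ("192.168.169.0/24",), ("10.1.1.2/32",), ("tcp/443", "tcp/22"), "Accept"),
    Rule("Stealth", ANY, ("10.1.1.1/32", "10.1.1.2/32"), ANY, "Drop"),
    Rule("Allow SMTP to mail server", ANY, ("192.168.170.10/32",), ("tcp/25",), "Accept"),
    Rule("Allow web to DMZ", ANY, ("192.168.171.0/24",), ("tcp/80", "tcp/443"), "Accept"),
    Rule("Internal to Internet", ("192.168.169.0/24",), ANY, ("tcp/80", "tcp/443", "udp/53"), "Accept"),
    Rule("Cleanup", ANY, ANY, ANY, "Drop"),
]
BEFORE_LAST_IMPLIED = [Rule("Accept RADIUS from gateway (implied)", ("10.1.1.1/32",), ANY, ("udp/1812",), "Accept")]
LAST_IMPLIED = [Rule("Accept ICMP requests (implied)", ANY, ANY, ("icmp/8",), "Accept")]
ORDERED = enforcement_order(FIRST_IMPLIED, EXPLICIT, BEFORE_LAST_IMPLIED, LAST_IMPLIED)


if __name__ == "__main__":
    smtp = Packet("192.168.169.1", "192.168.170.10", "tcp", 25)
    print(first_match(ORDERED, smtp))
    print("rules left after each column (start, dst, src, svc):", column_candidates(EXPLICIT, smtp)[0])
    ping = Packet("192.168.169.1", "8.8.8.8", "icmp", 8)
    print("with explicit cleanup:", first_match(ORDERED, ping))
    no_cleanup = enforcement_order(FIRST_IMPLIED, EXPLICIT[:-1], BEFORE_LAST_IMPLIED, LAST_IMPLIED)
    print("without explicit cleanup:", first_match(no_cleanup, ping))
```

Two things to notice when running it: with an explicit Any/Any/Drop cleanup rule the Last Implied ICMP rule never fires (the Note on the Rule Base Order slide), and the implied control-connection rule accepts tcp/18191 to the SMS from any source before the explicit Stealth rule is even consulted, which is why the implied rules deserve a review in Global Properties.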
Advanced Firewall | Service & Application Matching

 Rule match by Application (YouTube, Facebook, Web Browsing, …)
 Rule match by Category
 Content Inspection
 Rule match by Service (80, 443, 25, 22, …)
Advanced Firewall | Rule Matching

 Port (Layer 4): TCP/UDP [1 – 65535]
 Protocol (Layer 7): HTTP, HTTPS, FTP, SMTP, DNS, POP3, SSH, Telnet, …
 By convention (IANA), every protocol has its own well-known port: HTTP (80), HTTPS (443), SMTP (25), DNS (53). Nothing forces a client to run the expected protocol on that port, so a port match alone is not proof of the protocol.
Advanced Firewall | Rule Matching
 Rule Matching by Port
• By default, a service object is matched by port in the first packet of the transport protocol.
• When matching by port, the Firewall blade does not consider the actual protocol that runs over the port.
 Rule Matching by Protocol Signature
• Provides an additional level of security
• When Protocol Signature is enabled, the gateway performs transaction-level analysis to ensure that only valid packets of that protocol are allowed to proceed to the destination (it does this with the Passive Streaming Library (PSL) technology)
• Application Control must be enabled on the gateway and in the policy layer for Protocol Signature to work
Advanced Firewall | Protocol Signatures

Protocol detection may let several packets pass before it can accurately identify the protocol; a few packets are needed to identify the protocol correctly.
Advanced Firewall | Protocol Signatures
 When using Service objects with default settings, a gateway running only the Firewall Blade works as it did in R77.30 (and older) releases
 Example: even if the firewall rule states “allow SMTP to the mail server”, you can open a telnet session to destination port 25 and the connection will succeed. The telnet connection will stay open until you close it.

Advanced Firewall | Protocol Signatures
• When using an object with Protocol Signature enforcement, the telnet session to port 25 will be dropped once the violation is detected
Advanced Firewall | Protocol Signatures
• Example: what are the consequences of using the service object “SMTP with Protocol Signature” to control access to a mail server?
• Logging will show
̶ a successful “Connection”
̶ a successful “Session”
̶ then a “Connection, Alert” log message
̶ a final “Drop” Session log message

[Screenshot: details of the “Connection, Alert” log message]

 If you just open the connection and leave it idle, you will see the connection is still allowed
 As soon as you send packets that are not valid SMTP, the gateway drops the connection

[Screenshot: tcpdump on the client computer showing the packet flow]
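The telnet-to-port-25 scenario above, as an added example (not Check Point code, and not the PSL implementation): a toy inspector that models a rule whose service object is tcp/25, with and without Protocol Signature. Port matching accepts the SYN and never looks at the payload again. With the signature, every client segment must start with an SMTP verb; a fixed number of conforming segments (assumed here: two) is needed before the protocol counts as identified, an idle connection stays open, and the first non-SMTP segment drops the session with the log sequence the slide describes. The traffic samples are constructed.

```python
import re

# Client commands a legitimate SMTP session starts with (RFC 5321 verbs).
# Constructed subset, enough for the demonstration.
SMTP_VERB = re.compile(rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|RSET|NOOP|QUIT|STARTTLS|AUTH )",
                       re.IGNORECASE)
PACKETS_TO_IDENTIFY = 2   # assumed: "a few packets are needed to identify the protocol"


class Connection:
    """One TCP connection accepted by a rule whose service object is tcp/25.

    protocol_signature=False models a plain service object: the rule was
    matched on the destination port of the first packet and nothing else is
    ever checked. protocol_signature=True models "SMTP with Protocol
    Signature": client payloads are inspected until the protocol is either
    confirmed or violated. `logs` mimics the log records the text lists.
    """

    def __init__(self, protocol_signature):
        self.protocol_signature = protocol_signature
        self.state = "open"                      # open -> identified | dropped
        self.client_segments = 0
        self.logs = [("Accept", "Connection")]   # port match on the SYN

    def client_data(self, payload: bytes) -> str:
        if self.state != "open" or not self.protocol_signature:
            return self.state                    # no inspection: stays open until closed
        self.client_segments += 1
        if SMTP_VERB.match(payload):
            if self.client_segments >= PACKETS_TO_IDENTIFY:
                self.state = "identified"        # protocol confirmed, inspection ends
                self.logs.append(("Accept", "Session"))
        else:
            # transaction-level violation: telnet chatter, HTTP, anything non-SMTP
            self.state = "dropped"
            self.logs += [("Alert", "Connection"), ("Drop", "Session")]
        return self.state


def run_session(protocol_signature, client_segments):
    """Feed client segments through a connection; return final state and logs."""
    conn = Connection(protocol_signature)
    for seg in client_segments:
        conn.client_data(seg)
    return conn.state, conn.logs


# Constructed traffic samples
TELNET_CHATTER = [b"hello, is anyone there?\r\n"]
REAL_SMTP = [b"EHLO client.example.com\r\n", b"MAIL FROM:<a@example.com>\r\n"]

if __name__ == "__main__":
    print("port-only, telnet :", run_session(False, TELNET_CHATTER))
    print("signature, idle   :", run_session(True, []))
    print("signature, telnet :", run_session(True, TELNET_CHATTER))
    print("signature, smtp   :", run_session(True, REAL_SMTP))
```

The idle case is the one that surprises people in the lab: the gateway cannot classify a connection that carries no data, so the accept log appears and the session sits open until the client either speaks SMTP or sends something else.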
The Smart Console | Policy Installation

Smart Console – manages security rules

Security Management Server – holds security rules, collects logs, …

Security Gateway – enforces security rules

Publish – the process of moving administrator-defined rules from Smart Console to the Management Server

Install – the process of moving security rules from the Management Server to the Security Gateway

The Smart Console | Policy Installation

[Toolbar screenshot]
 Install Policy – transfers the policy package to the Management Server and installs it on the gateways
 Publish – transfers the policy package to the Management Server without policy installation
 Discard – discards all locally made changes in Smart Console
 The counter shows the number of unpublished changes in the policy package
Smart Console

LOGS & MONITORS

How can we achieve more visibility on the connections related to an application layer session?

How can we see in one place the applications used or the content accessed?
Log & Monitors | Types of Logging
Understanding Logging

 Audit logs – generated by the management server; track administrator activities
 Traffic logs – generated by the security gateway; track network activities
 Log catalog
Log & Monitors
Connection vs Session

 Connection log message
• Contains information related to the TCP connection or UDP connection
• Multiple connections form a session if they are established within a given time window
 Session log message
• Contains information about the application or content
• Is created when APCL, URLF or Content Awareness are enabled, or the track option is configured for “Detailed Log” or “Extended Log”

[Diagram: one Session made up of several Connections]
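An added example of the connection-to-session grouping described above (written for this page, not Check Point's log engine): connection records from the same source to the same application are folded into one session record when each starts within a time window (assumed 60 seconds) of the previous one, and the session keeps the URL and file lists that the Extended Log option exposes. Log records, addresses (documentation ranges) and the window are constructed.

```python
from dataclasses import dataclass, field

SESSION_WINDOW = 60   # assumed: seconds between connections that still belong to one session


@dataclass
class ConnectionLog:
    time: int           # seconds since the start of the sample
    src: str
    dst: str
    dport: int
    application: str    # identified by APCL/URLF
    url: str = ""
    file: str = ""


@dataclass
class SessionLog:
    src: str
    application: str
    start: int
    end: int
    connections: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    files: list = field(default_factory=list)


def build_sessions(connections, window=SESSION_WINDOW):
    """Fold connection logs into session logs: same source and application,
    each connection starting within `window` seconds of the previous one."""
    sessions, open_by_key = [], {}
    for c in sorted(connections, key=lambda c: c.time):
        key = (c.src, c.application)
        s = open_by_key.get(key)
        if s is None or c.time - s.end > window:
            s = SessionLog(c.src, c.application, c.time, c.time)
            sessions.append(s)
            open_by_key[key] = s
        s.end = c.time
        s.connections.append(c)
        if c.url and c.url not in s.urls:
            s.urls.append(c.url)
        if c.file and c.file not in s.files:
            s.files.append(c.file)
    return sessions


def render(session, track="Log"):
    """Fields a session record exposes per tracking option: Log and Detailed
    Log carry the application and connection count; Extended Log adds the
    full URL and file lists."""
    out = {"src": session.src, "application": session.application,
           "connections": len(session.connections),
           "duration": session.end - session.start}
    if track == "Extended Log":
        out["urls"] = list(session.urls)
        out["files"] = list(session.files)
    return out


# Constructed sample: addresses from documentation ranges, not real traffic.
SAMPLE = [
    ConnectionLog(0, "10.1.1.50", "203.0.113.10", 443, "YouTube", url="youtube.com/watch?v=abc"),
    ConnectionLog(5, "10.1.1.50", "203.0.113.11", 443, "YouTube", url="video.example/videoplayback"),
    ConnectionLog(20, "10.1.1.50", "203.0.113.10", 443, "YouTube", url="youtube.com/watch?v=abc"),
    ConnectionLog(600, "10.1.1.50", "203.0.113.10", 443, "YouTube", url="youtube.com/watch?v=def"),
    ConnectionLog(7, "10.1.1.51", "198.51.100.20", 80, "Web Browsing",
                  url="intranet.example/report.pdf", file="report.pdf"),
]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE):
        print(render(s, "Extended Log"))
```

The fourth YouTube connection, ten minutes after the third, starts a new session: that is the time-window rule in action, and it is why a single browsing session can still show up as several session logs in Smart Console.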
Log & Monitors | Tracking Options
The Security Policy determines which rules generate logs and at which logging level.

Tracking Options:

 None – do not generate a log
 Log – default option
 Detailed Log
 Extended Log
Log & Monitors | Tracking Options

Rule matched by service, default track option (Log), no application intelligence:
 a “connection” log is generated (connection info only)

Rule matched with application intelligence (APCL/URLF), default track option (Log):
 a “session” log is generated, with session info and the connection info of each connection

Application intelligence, Track: Detailed Log:
 a “session” log is generated, with session info and connection info

Detailed Log – equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application.

Best Practice – use Detailed Log for the cleanup rule (Any / Internet / Accept) of an Applications and URL Filtering Policy Layer

Application intelligence + Content Awareness (detect any recognized files downloaded through a web browser), Track: Log:
 a “session” log is generated; the log shows the name and the type of the file downloaded via the web browser

Application intelligence + Content Awareness, Track: Extended Log:
 a “session” log is generated, with the full list of URLs and the full list of files in the connection or the session
Log & Monitors | Understand Logging

1. Security Gateways generate logs, and the Security Management Servers generates audit logs.
2. The Security Policy that is installed on each Security Gateway determines which rules generate logs.

Logs can be stored on a:

 Security Management Server that collects logs from the Security Gateways. This is the default.
 Log Server on a dedicated machine. This is recommended for organizations that generate a lot of logs.
 Security Gateway. This is called local logging.
Log & Monitors | Managing Log Storage
[Screenshots of the gateway and management logging settings: forwarding logs to a dedicated log server is highly recommended if you have a software (open server) SMS; note the “Preserve logging capacity” option]

SmartEvent and Log Server use an algorithm to manage disk space and other system resources.
When the Logs and Events database becomes too large, the oldest logs and events are automatically deleted according to the configured thresholds.

Check the size of the partitions and the available space in the log partition:
 $FWDIR/log – location of the log files
 $RTDIR/log_indexes – location of the log index files
Log & Monitors | SmartView Monitor

Monitoring Traffic and Connections

 SmartView Monitor gives you a complete picture of network and security performance.
 SmartView Monitor provides a single, central interface, to monitor network activity and performance
of Check Point Software Blades
 To use SmartView Monitor you must enable the Monitoring Software Blade in the gateway properties:
Log & Monitors | SmartView Monitor

To open the monitoring views in SmartConsole:


1. From the Gateways & Servers view, select a Security Gateway.
2. Click Monitor.
3. The Device and License information window opens and shows:
• Device Status
• License Status
• System Counters
• Traffic
To open SmartView Monitor:
1. Open SmartConsole > Logs & Monitor.
2. Open the catalog (new tab).
3. Click Tunnel & User Monitoring
User Management & Permission Profiles

Manage Smart Console Permissions and Users


LAB

LAB – 04

LAB – 05

LAB – 06
DAY 2
Gateway & Servers
Management

Learning Objectives:
 Understanding Anti-Spoofing
 Understanding Topology Table
 Network Address Translation
 LAB-07 – LAB-08
 HTTPS inspection
 LAB-09 – LAB-10
 Identity Awareness
 LAB-11 – LAB-12
 REDUNDANCY
 IPsec
 LAB-13 – LAB-14
IP Address Spoofing | Regular Communication

[Diagram: rule “src_IP_A → dst_IP_B, any service, accept”; Host-A sends src_IP_A → dst_IP_B and Host-B answers src_IP_B → dst_IP_A]

IP Address Spoofing | How does spoofing work?

[Diagram: the same rule; Host-C hijacks Host-A's IP address and sends src_IP_A → dst_IP_B, so the firewall accepts it as if it came from Host-A]

IP Address Spoofing
Routing decisions are based on the destination IP address.
Firewall rules are based on source and destination IP addresses.
By themselves, the rules do NOT check whether a packet actually arrived on the interface where its source IP address range is expected.
Attackers use IP spoofing to hijack an IP address and make a packet look like it comes from a trusted source.
If your network is not protected against IP spoofing, attackers can exploit rules that trust a source address and gain access to the network.
A spoofing attack therefore abuses the Rule Base itself: a rule that trusts a source IP address is only as strong as the check that the address arrived on the right interface.
Anti-Spoofing protection | How is Anti-Spoofing protection implemented?
• Anti-Spoofing drops packets with a source IP address that does not belong to the network
behind the packet's interface.
• The Firewall needs to know which source IP addresses it can expect on each of its interfaces.
• Anti-Spoofing protection is defined in the Topology Table settings.
• Anti-Spoofing protection is therefore based on the Topology Table.
Anti-Spoofing on External Interface
An external interface includes all the networks that are not covered by the internal interfaces.
[Diagram: the external interface faces the Internet; the internal interfaces lead to 10.10.10.0/24, 10.20.20.0/24 and 10.30.30.0/24, so any other source address is expected only on the external interface]
Address Spoofing | Troubleshooting & Detection

Turn SecureXL acceleration off so that every packet passes through the Firewall kernel and its drop is visible to the kernel debugger:
# fwaccel off
Show dropped packets and keep only the Anti-Spoofing drops:
# fw ctl zdebug drop | grep spoofing
Turn SecureXL acceleration back on when done:
# fwaccel on
Address Spoofing | Possible reasons

• Routing issue:
The traffic is being returned to the Security Gateway by the next hop.
The returned traffic has a source IP address that belongs to the Security Gateway itself.

• Network issue:
There is a host on the network with an assigned IP address that belongs to one of the
interfaces of the Security Gateway (cluster member).
GATEWAY & SERVERS | Topology Table
• A Check Point Security Gateway must be fully aware of the network environment in which it is placed.
• The Topology Table defines the network environment in which the Security Gateway is set up.
• The Security Gateway needs to know which IP addresses it can expect on each interface
so that it can perform Anti-Spoofing protection.

Blades affected by the Topology Table:
• Anti-Spoofing
• IPS protection
• Threat Emulation
• Anti-Virus protection
• Application Control
• URL Filtering
GATEWAY & SERVERS | Topology Table

• External (leading to the Internet)
Defined by IP address and net mask.

• Internal (leading to the local LAN)
Defined by IP address and net mask + routing table.
If an interface is defined as Internal, the Security Gateway needs to know exactly which IP
subnets this interface leads to.
GATEWAY & SERVERS | Topology Table
How can the Security Gateway discover which interface is External and which is Internal?

AUTOMATICALLY (default setting) – from the routing table.

MANUALLY (override setting) – configured by the administrator.

GATEWAY & SERVERS | Topology Table | Override
If you Override the default setting:
• Internet (External) - All external/Internet addresses
• This Network (Internal) - choose how the networks behind the interface are defined:
  • Not Defined - All IP addresses behind this interface are considered a part of the internal network that
  connects to this interface
  • Network defined by the interface IP and Net Mask - Only the network that directly connects to this
  internal interface
  • Network defined by routes - The range of IP addresses behind the internal interface is automatically
  calculated every second (default value) without the need for the administrator to click Get Interfaces
  and install a policy.
  • Specific - A specific network object (a network, a host, an address range, or a network group) behind
  this internal interface
  • Interface leads to DMZ - The DMZ that directly connects to this internal interface
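As an added example, not part of the course material or Check Point's code: a small Python model of how a gateway derives the networks expected behind each interface from the Topology Table options above (interface IP and net mask, network defined by routes, specific objects, external) and applies the Anti-Spoofing check, including the "source is a gateway address" case from the troubleshooting slide. The interface names, addresses and routes are constructed.

```python
import ipaddress

IPv4Net = ipaddress.IPv4Network
DEFAULT_ROUTE = IPv4Net("0.0.0.0/0")

# Constructed gateway: one external and two internal interfaces, each with the
# Topology Table option the administrator chose for it (all values made up).
GATEWAY_INTERFACES = [
    {"name": "eth0", "address": "203.0.113.2/24", "topology": "external"},
    {"name": "eth1", "address": "10.10.10.1/24", "topology": "ip_mask"},
    {"name": "eth2", "address": "10.20.20.1/24", "topology": "routes"},
]
# Constructed routing table: (destination, next hop). 10.30.30.0/24 sits behind
# a router on the eth2 segment, so "Network defined by routes" must learn it.
ROUTING_TABLE = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.30.30.0/24", "10.20.20.254"),
]


def networks_behind(interface, routing_table):
    """Networks expected behind one interface, per its Topology Table option.

    'external'  -> none listed: everything not claimed by an internal interface
    'ip_mask'   -> Network defined by the interface IP and Net Mask
    'routes'    -> Network defined by routes (connected net + routed nets)
    'specific'  -> Specific network objects given in interface["specific"]
    """
    addr = ipaddress.IPv4Interface(interface["address"])
    option = interface["topology"]
    if option == "external":
        return []
    if option == "ip_mask":
        return [addr.network]
    if option == "specific":
        return [IPv4Net(n) for n in interface["specific"]]
    if option == "routes":
        nets = [addr.network]
        for dest, next_hop in routing_table:
            dest_net = IPv4Net(dest)
            # A route counts for this interface when its next hop is reachable
            # on the directly connected segment; the default route never does.
            if dest_net != DEFAULT_ROUTE and ipaddress.IPv4Address(next_hop) in addr.network:
                nets.append(dest_net)
        return nets
    raise ValueError(f"unknown topology option {option!r}")


def build_topology_table(interfaces, routing_table):
    """{interface name: [networks behind it]}, as Get Interfaces With Topology would fill it."""
    return {i["name"]: networks_behind(i, routing_table) for i in interfaces}


def anti_spoofing_verdict(interfaces, routing_table, ingress, src_ip):
    """Return 'accept' or 'drop: <reason>' for a packet with source src_ip
    arriving on the interface named ingress."""
    table = build_topology_table(interfaces, routing_table)
    by_name = {i["name"]: i for i in interfaces}
    src = ipaddress.IPv4Address(src_ip)
    # The gateway's own addresses are never legitimate sources on an inbound
    # packet: this is the "routing issue" case, traffic bounced back by the next hop.
    if any(src == ipaddress.IPv4Interface(i["address"]).ip for i in interfaces):
        return "drop: source is one of the gateway's own addresses"
    internal_nets = [n for name, nets in table.items()
                     if by_name[name]["topology"] != "external" for n in nets]
    if by_name[ingress]["topology"] == "external":
        # External = every address not covered by an internal interface.
        if any(src in n for n in internal_nets):
            return "drop: internal address arriving on the external interface"
        return "accept"
    if any(src in n for n in table[ingress]):
        return "accept"
    return "drop: source not in the networks behind this interface"


if __name__ == "__main__":
    for iface, src in [("eth0", "198.51.100.7"), ("eth0", "10.10.10.5"),
                       ("eth2", "10.30.30.9"), ("eth1", "10.30.30.9"),
                       ("eth1", "10.10.10.1")]:
        verdict = anti_spoofing_verdict(GATEWAY_INTERFACES, ROUTING_TABLE, iface, src)
        print(f"{iface} src={src}: {verdict}")
```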
GATEWAY & SERVERS | Topology Table

GATEWAYS & SERVER > Double click on Gateway/Cluster Object > Network Management
GATEWAY & SERVERS | Update Topology Table

How to update the Topology Table if there is a change in interfaces or in the routing table?

• Get Interfaces > Get Interfaces With Topology
Updates interface changes and changes in the routing table.
• Get Interfaces > Get Interfaces Without Topology
Updates interface changes only.
GATEWAY & SERVERS | Topology Table | Update

Update the Topology Table with new changes:

Brand new firewall [Get Interfaces With Topology]
Adding a new interface [Get Interfaces Without Topology]
Routing changes [Get Interfaces With Topology in the case of default (automatic) settings]
Routing changes [Get Interfaces Without Topology in the case of manual settings]
Routing changes [No need to update the Topology Table when "Network
defined by routes" is selected]
Network Address Translation | Types of NAT
The Check Point Security Gateway supports two types of NAT:

• Automatic NAT (Object NAT)
  • NAT section in the object (host, network, address range, dynamic object …)
  • Offers simplicity

• Manual NAT
  • NAT section in the policy package
  • Offers flexibility
Network Address Translation | Types of NAT
Hide NAT (Dynamic NAT)
• Many-to-one relationship
• Multiple computers represented by one IP address
• Only allows connections from protected side of Gateway
Static NAT
• One-to-one relationship
• Each host translated to unique IP address
• Connections initiated internally and externally
Network Address Translation | Types of NAT | Automatic NAT
[Screenshots: Hide NAT and Static NAT configured in an object's NAT section]
Network Address Translation | Types of NAT | Manual NAT
[Screenshot: Manual NAT rules in the NAT section of the policy package]
Network Address Translation | Global Properties

When configuring Manual NAT, in Global Properties check the
"Translate destination on client side" checkbox.
Network Address Translation | Global Properties

Client side NAT:

• Translation of the destination IP address takes place closer to the "Source/Client" side of the
Security Gateway.
• This is used when Manual Static NAT is configured for the Destination/Server.
• The destination IP address is NATed by the inbound kernel chains, before it is looked up in the
routing table of the underlying operating system.
Network Address Translation | Proxy ARP for Manual NAT

• Configure proxy ARPs to associate the translated IP address for Manual NAT rules.
• Proxy ARPs allow the gateway to answer ARP queries.
• To configure a proxy ARP:
1. Match the IP of the relevant hosts on the internal network to the MAC of the gateway
on the external network.
2. Create the relevant Manual NAT rules.
3. Install the policy.
Network Address Translation

• An infrastructure of services used

• NAT rules are prioritized according to:
1. Manual/Pre-Automatic NAT
2. Automatic Static NAT
3. Automatic Hide NAT
4. Post-Automatic/Manual NAT
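Added example (Python, not from the course or from Check Point): a model of the NAT rule order just listed, showing why a host with Automatic Static NAT is not hidden by the Hide NAT of its network, why the static address is reachable from outside while the hide address is not, and how a Manual rule placed before the automatic ones takes precedence. The addresses and objects are constructed.

```python
import ipaddress

# Processing order from the slide: Manual/Pre-Automatic, Automatic Static,
# Automatic Hide, Post-Automatic/Manual.
PRIORITY = {"manual_pre": 0, "auto_static": 1, "auto_hide": 2, "manual_post": 3}


def nat_rule(kind, orig_src, orig_dst, xlate_src=None, xlate_dst=None):
    """One NAT rule. orig_* are CIDR strings matched against the packet;
    xlate_* are the replacement addresses (None = keep the original)."""
    return {"kind": kind,
            "orig_src": ipaddress.ip_network(orig_src, strict=False),
            "orig_dst": ipaddress.ip_network(orig_dst, strict=False),
            "xlate_src": xlate_src, "xlate_dst": xlate_dst}


def automatic_rules(obj):
    """Rules the gateway derives from an object's NAT section.

    obj: {"cidr": ..., "method": "hide" | "static", "nat_ip": ...}
    Hide NAT is many-to-one and only applies to connections that start on the
    protected side, so a single source-side rule is generated.
    Static NAT is one-to-one (host objects in this model) and must work in both
    directions, so a source-side and a destination-side rule are generated.
    """
    if obj["method"] == "hide":
        return [nat_rule("auto_hide", obj["cidr"], "0.0.0.0/0", xlate_src=obj["nat_ip"])]
    real_ip = obj["cidr"].split("/")[0]
    return [nat_rule("auto_static", obj["cidr"], "0.0.0.0/0", xlate_src=obj["nat_ip"]),
            nat_rule("auto_static", "0.0.0.0/0", obj["nat_ip"] + "/32", xlate_dst=real_ip)]


def ordered(rules):
    """Sort into the gateway's processing order. The sort is stable, so manual
    rules keep their relative order from the policy package."""
    return sorted(rules, key=lambda r: PRIORITY[r["kind"]])


def translate(rules, src, dst):
    """Apply the first matching rule; returns (new_src, new_dst, matched kind)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ordered(rules):
        if s in r["orig_src"] and d in r["orig_dst"]:
            return (r["xlate_src"] or src, r["xlate_dst"] or dst, r["kind"])
    return (src, dst, None)


# Constructed policy (all addresses made up):
#  - the LAN 10.10.10.0/24 hides behind the gateway's external address 203.0.113.2
#  - the web server 10.10.10.5 has Automatic Static NAT to 203.0.113.50
#  - a Manual NAT rule placed before the automatic ones keeps LAN-to-DMZ
#    traffic (10.10.10.0/24 -> 10.20.20.0/24) untranslated
LAN = {"cidr": "10.10.10.0/24", "method": "hide", "nat_ip": "203.0.113.2"}
WEB = {"cidr": "10.10.10.5/32", "method": "static", "nat_ip": "203.0.113.50"}
NO_NAT_TO_DMZ = nat_rule("manual_pre", "10.10.10.0/24", "10.20.20.0/24")

# Note the hide rule is listed before the static ones; ordered() fixes that.
RULES = [NO_NAT_TO_DMZ] + automatic_rules(LAN) + automatic_rules(WEB)


if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "198.51.100.7"), ("10.10.10.9", "198.51.100.7"),
                     ("198.51.100.7", "203.0.113.50"), ("198.51.100.7", "203.0.113.2"),
                     ("10.10.10.5", "10.20.20.7")]:
        print(f"{src} -> {dst}  =>  {translate(RULES, src, dst)}")
```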
HTTPS Protocol - fundamentals
1. HTTPS is a communications protocol used to secure access to websites and applications via
the Internet.

2. To provide secure access, the HTTPS protocol uses SSL/TLS certificates.

3. There are two basic functions that SSL/TLS certificates provide:
o Data privacy (data encryption) – symmetric encryption
o Trust – authentication of the accessed web site, which the client checks in three steps:
  1. The client checks that the CA issuing the certificate is on its list of approved CAs.
  2. The client verifies that the certificate has not been altered since it was created by the CA.
  3. The client checks that the server's domain name supplied in the certificate matches the domain name of the
  requested server.
HTTPS Inspection

Why do we need HTTPS inspection?

HTTPS traffic is a possible security risk: the encryption can hide illegal user activity and malicious traffic.

How does it work?

The Check Point firewall acts as a man-in-the-middle between the client and the server.

Affected Blades:
• Application Control
• URL Filtering
• Content Awareness
• DLP
• IPS
• Antivirus
• Anti-Bot
• Threat Emulation
Understanding Policies Matching
[Figure: Gateway Topology]
HTTPS Inspection | inbound inspection
• Inbound HTTPS Inspection
• Protects internal servers from malicious requests that arrive from the Internet or an
external network.

[Diagram: a client on the external network connects to https://alpha.cp, a server on the internal network behind the Security Gateway]

1. Decrypt the encrypted data from the client.
2. Inspect the clear text content for all blades set in the policy.
3. Encrypt the data again to keep client privacy as the data travels to the destination server behind the Security Gateway.
HTTPS Inspection | inbound inspection | example
HTTPS Inspection | outbound inspection
• Outbound HTTPS Inspection
• Protects against malicious traffic sent from an internal client to an external site or server.

Certificates are used so that the Security Gateway can act as an intermediary between the client and the secured website.

[Diagram: a client on the internal network connects to https://alpha.cp, a server on the external network]

1. Decrypt the encrypted data from the client.
2. Inspect the clear text content for all blades set in the policy.
3. Encrypt the data again to keep client privacy as the data travels to the destination server.
HTTPS Inspection | outbound inspection | example

Rule: Bypass HTTPS inspection for traffic to financial URLs (logging is not enabled by default).
Rule: Inspect all other traffic.
Rule: Bypass HTTPS inspection of traffic to well-known software update services (enabled by default).
HTTPS Inspection | Trusted CAs and Server Certificates

To view Trusted CAs and Server Certificates for HTTPS Inspection:


1. In SmartConsole, navigate to the Security Policies view.
2. Under the Shared Policies section, select HTTPS Inspection.
3. Click the link to open HTTPS Inspection in SmartDashboard.
4. Select the list of certificates you desire to view from the navigation pane of the HTTPS Inspection tab.
HTTPS Inspection |Trusted CAs and Server Certificates

• The list of certificate authorities is taken from the Windows system stores. It is updated
according to Microsoft updates

• Create an HTTPS inspection Bypass rule, which defines explicitly the IP addresses of the
servers as destination (in case the IP addresses are static and known). Using this technique, the
software does not attempt to evaluate the SSL chain and SSL bypass will take place.

• Note: You can use Host / Network / Group object in this Bypass rule
HTTPS Inspection | types of certificates
• Single host certificate
The certificate matches only one hostname (it is recommended to add a SAN
attribute even if you use a single host certificate).
• Multiple hosts certificate (multi-domain certificate)
Allows us to secure multiple fully qualified domain names (FQDNs) and sub-domains with
a single certificate, where the domains can be resolved to a single IP address.
• Wildcard certificate
Allows us to secure unlimited subdomains with a single certificate.
HTTPS Inspection | Multi-domain SSL certificates
1. Multi-domain SSL certificates (SAN) allow us to secure multiple fully qualified domain
names (FQDNs) and sub-domains with a single certificate, where the domains can be resolved to
a single IP address.
2. If the certificate has a SAN extension field, it replaces the Subject in the certificate name check.
3. Google Chrome only supports the SAN extension for the server host/certificate check; it no longer uses the
Subject for the server host check.
4. Example: Google certificate
HTTPS Inspection | URL categorization in multi-domain certificates
1. Site category is determined according to the FQDN in server's certificate and IP
address
2. For URLs with single host certificate things are pretty straightforward.
3. For URLs with multi-domain certificates things are complicated.
Single certificate can secure several domains from different categories (Search
Engines / Portals, Media Sharing, etc.)
4. Examples: google certificate, Microsoft office …
5. Without SSL decryption, there is no way for the Security Gateway to know the
underlying URL and easily categorize the connection.
6. HTTPS inspection must be enabled for URL categorization to work properly.
HTTPS Inspection | HTTPS Inspection Bypass

To apply a rule for HTTPS Inspection Bypass, the Security Gateway needs to
determine the site's category without SSL decryption.
The site category is determined by the certificate FQDN and the IP address.
There are web servers hosting different domains on the same IP address, and each
domain can belong to a different category!
HTTPS Inspection | HTTPS Inspection Bypass

• Application Control cannot detect a web application if the traffic is over SSL and HTTPS Inspection is
disabled; this is the case for most sites.
• Several applications can be detected without HTTPS Inspection being enabled, by inspecting the
DN in the certificate sent by the server. For most web sites there are no such signatures.
• The YouTube service cannot be detected based on the DN (Domain Name), since Google is using
a generic wildcard certificate for its services (*.google.com, in most cases).

Solution: You must enable HTTPS Inspection in order to detect the service.
URL filtering without HTTPS inspection
Difference between the HTTPS Inspection and the Categorize HTTPS websites
settings:
• HTTPS Inspection allows you to see all the traffic as if it was unencrypted, allowing you to do
full threat prevention and content inspection.
• Categorize HTTPS Sites allows you to categorize HTTPS connections based on the certificate DN,
which is sent in the clear.
• If you can do HTTPS Inspection, you don't need Categorize HTTPS Sites. The options are mutually
exclusive.
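Added example (Python, not from the course or from Check Point): the certificate-based categorization that the multi-domain, URL categorization and bypass slides above describe, showing why a single-host certificate can be categorized and bypassed without decryption, while a multi-domain (SAN) or wildcard certificate covering domains from several categories cannot and must be inspected. The category database and hostnames are constructed.

```python
import fnmatch

# Constructed URL Filtering category database: hostname pattern -> category.
# A "*." entry stands for a whole domain, the way a wildcard certificate would.
CATEGORY_DB = {
    "www.example-search.test": "Search Engines / Portals",
    "mail.example-search.test": "Web Mail",
    "video.example-search.test": "Media Sharing",
    "*.example-bank.test": "Financial Services",
    "updates.example-vendor.test": "Software Updates",
}


def names_checked(subject_cn, san_dns_names):
    """Names the gateway can read from the server certificate without
    decryption. When a SAN extension is present it replaces the Subject CN."""
    return list(san_dns_names) if san_dns_names else [subject_cn]


def categories_for_name(cert_name):
    """Categories one certificate name can stand for.

    A plain FQDN maps to the categories of the database entries it matches.
    A wildcard name (*.domain) covers every known host under that domain, so
    it can stand for several categories at once.
    """
    if "*" in cert_name:
        cats = {cat for host, cat in CATEGORY_DB.items()
                if fnmatch.fnmatchcase(host, cert_name)}
    else:
        cats = {cat for pattern, cat in CATEGORY_DB.items()
                if fnmatch.fnmatchcase(cert_name, pattern)}
    return cats or {"Uncategorized"}


def categorize_https_site(subject_cn, san_dns_names=()):
    """Categorize a TLS server from its certificate alone (the "Categorize
    HTTPS websites" approach). Returns (status, categories) where status is
    'categorized' (exactly one category), 'uncategorized' (no match) or
    'ambiguous' (the certificate covers domains from several categories)."""
    cats = set()
    for name in names_checked(subject_cn, san_dns_names):
        cats |= categories_for_name(name)
    if cats == {"Uncategorized"}:
        return "uncategorized", cats
    if len(cats) == 1:
        return "categorized", cats
    return "ambiguous", cats


def bypass_decision(subject_cn, san_dns_names, bypass_categories):
    """Decide whether a category-based HTTPS Inspection Bypass rule can be
    applied before decryption. An ambiguous certificate cannot be matched
    against a category, so the connection must be inspected (or bypassed by
    an explicit IP/host object rule instead)."""
    status, cats = categorize_https_site(subject_cn, san_dns_names)
    if status == "ambiguous":
        return "inspect (category cannot be determined without decryption: %s)" % ", ".join(sorted(cats))
    if status == "categorized" and cats <= set(bypass_categories):
        return "bypass"
    return "inspect"


if __name__ == "__main__":
    # Single-host certificate for a bank: categorizable, bypassed by category.
    print(bypass_decision("www.example-bank.test", (), {"Financial Services"}))
    # Multi-domain (SAN) certificate spanning search, mail and video: ambiguous.
    print(bypass_decision("www.example-search.test",
                          ["www.example-search.test", "mail.example-search.test",
                           "video.example-search.test"], {"Media Sharing"}))
    # Wildcard certificate for the same domain: just as ambiguous.
    print(bypass_decision("*.example-search.test", (), {"Media Sharing"}))
```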
Gateway & Servers
Management

Learning Objectives:
• Understanding Anti-Spoofing
• Understanding Topology Table
• Network Address Translation
• LAB-07 – LAB-08
• HTTPS inspection
• LAB-09 – LAB-10
• Identity Awareness
• LAB-11
• REDUNDANCY
• IPsec
• LAB-12 – LAB-13
Managing User Access | Identity Awareness

• Traditional firewall policies use IP addresses to enforce security rules.
• Traditional firewalls are unaware of the user and computer identities behind those
IP addresses.
• Identity Awareness removes this anonymity, since it maps user and computer identities to IP addresses.
• Identity Awareness lets you define policy rules based on:
  • User or user group, and/or
  • Computer or computer group, and/or
  • Network location
• Identity Awareness lets you manage logs based on user and computer name.
Managing User Access | Identity Awareness

Check Point supports both local and external users:


o Local users are defined on Security Management Server
o External users are those whose records are managed on Active Directory,
RADIUS, or an LDAP server.
Identity Awareness | Methods for Acquiring Identity
Identity Awareness gets identities from these identity sources:
• Active Directory (AD) Query
• Browser-Based Authentication
• Identity Agents (installed on the endpoint)
• Terminal Servers Agents
• RADIUS Accounting
• Remote Access
• Identity Collector
• Web API
GATEWAY OBJECT > IDENTITY AWARENESS
Identity Awareness | Active Directory (AD) Query
Identity Awareness | Identity Collector
• An alternative to AD Query (ADQ) for acquiring identities
• Lowers the load on the gateway
• Minimizes the effect on gateway performance
• Uses an API to query events instead of WMI
• Reduces the load on the domain controller
Identity Awareness | Browser-Based Authentication

Captive portal is recommended for:


• Identity based enforcement for non-AD users, non-Windows operating system, and
guest users
• Deployment of Endpoint Identity Agents
Identity Awareness | Terminal Server Identity Agents

Identifies users in a Terminal Server environment, such as application servers that host
Microsoft Terminal Servers, Citrix XenApp, and Citrix XenDesktop.
Identifies individual users whose source originates from one IP address.
To deploy Terminal Servers:
• Install a Terminal Servers Identity Agent
• Configure a shared secret
Identity Awareness | Endpoint Identity Agents

Full Endpoint Identity Agent
• Includes packet tagging and computer authentication.
• Requires administrator permissions for use.
• Applies to all users of the computer on which it is installed.
Light Endpoint Identity Agent
• Does not include packet tagging and computer authentication.
• Does not require administrator permissions.
• Can be installed for each user on the target computer.
Custom Endpoint Identity Agent
• Allows custom feature configuration for all computers using it.
Identity Awareness | Endpoint Identity Agents
Identity Awareness | RADIUS

Security Gateway forwards authentication requests to the server, which stores user
account information.
Identity Awareness uses data from these requests to get user and device group
information from the LDAP server.
LDAP server authenticates the user.
Security Gateway lets you control access privileges for authenticated users.
Identity Awareness | Remote Access

Identity source must be set to identify Mobile Access and IPSec VPN clients in Office
Mode.
Identities are acquired for Mobile Access clients and IPSec VPN clients configured in
Office Mode when they connect to the Security Gateway.
Users who get access using IPSec VPN can authenticate seamlessly.
Identity Awareness | How to Choose an Identity Source?

Identity Source | Organizational Requirement
AD Query | For logging and auditing or basic enforcement.
AD Query and Browser-Based Authentication | For Application Control. For Data Center and internal server protection.
Endpoint Identity Agents and Browser-Based Authentication | For when a higher level of security is necessary.
Terminal Servers Endpoint Identity Agent | For Windows Terminal Servers and Citrix environments.
RADIUS | For environments that use a RADIUS server for authentication.
Remote Access | For users that access the organization via VPN.
LDAP and User Directory

Key features of User Directory:
• LDAP is based on a client/server model in which an LDAP client makes a TCP
connection to an LDAP server.
• Each entry has a unique DN (Distinguished Name).
• Default port numbers are 389 (standard connections) and 636 (SSL connections).
• Each LDAP server can consist of one or more Account Units.
• User Directory is enhanced with LDAP's High Availability replication feature.
• Encrypted and non-encrypted connections are conducted using SSL or in the clear.
• Support is provided for multiple LDAP vendors using User Directory profiles.
LDAP and User Directory
Using multiple LDAP servers allows you to:
• achieve compartmentalization,
• gain High Availability, and
• achieve a faster access time.
LDAP groups are created to classify users and can be defined in SmartConsole.
The User Directory default schema has user definitions defined for an LDAP server.
Use certificates to secure communications with LDAP servers.
User Directory Profiles

• Used to make sure the user management attributes of a Security Management Server (SMS) are correct for its
associated LDAP server
• Configurable LDAP policy that lets you define more exact User Directory requests
• Enhance communication with the server
• Control most of the LDAP server-specific knowledge
Retrieve Information from a User Directory Server

• Gateway searches for the user in the internal users database.

• If specified user is not defined in the internal users database, gateway queries
the LDAP server defined in the Account Unit with the highest priority.

• If the query fails, the gateway queries the server with the next highest priority.

• If the query against all LDAP servers fails, the gateway matches the user against
the generic external user profile.
Authentication Schemes

Check Point Password

Operating System Password

RADIUS

SecurID

TACACS

Undefined
Access Roles
An Access Role is an object which defines users, computers, and network locations as
one object and can be used as a source or destination in a rule.

Access Role objects allow you to configure network access according to:
• Networks
• Users and user groups
• Computers and computer groups
• Remote access clients
Managing User Access - Rule Base

• Define a policy rule for specified users who send traffic from
specified computers or from any computer.
• In rules with access roles objects, add an Accept option in the
Action field to enable Captive Portal.
• User is redirected to the Captive Portal.
Captive Portal for Guest Access

• Use Captive Portal to allow Internet access to guests.
• A rule must be created in the Rule Base to allow unauthenticated
guests Internet-only access from an unmanaged device.
• When a guest browses to the Internet, the Captive Portal opens.
• Guests enter the required credentials.
• Guests must then agree to the terms and conditions written in a
network access agreement.
GATEWAY & SERVERS | Security Gateway Redundancy
Redundancy ensures uninterrupted service delivery in case of a failure.

Check Point supports 4 working modes:

• High Availability Mode (one Cluster Member processes all the traffic), implemented by:
  • ClusterXL
  • VRRP
• ClusterXL Load Sharing Multicast Mode (all traffic is processed in parallel by all Cluster Members)
• ClusterXL Load Sharing Unicast Mode (all traffic is processed in parallel by all Cluster Members)

Proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission. 191
Check Point Redundancy | ClusterXL
1. ClusterXL is a group of identical machines connected in such a way that if one member fails,
another immediately takes its place.
2. ClusterXL is a Check Point proprietary protocol for clustering.
3. ClusterXL provides transparent failover between machines in case of failure.
A failover occurs when a gateway is no longer able to perform its designated functions.
4. ClusterXL is a software-based solution that distributes network traffic between cluster members.
ClusterXL in High Availability mode supports up to 5 Cluster Members.
ClusterXL in Load Sharing mode supports up to 5 Cluster Members.

Check Point Redundancy | ClusterXL | Topology

Check Point Redundancy | ClusterXL | How does ClusterXL work?
• ClusterXL uses State Synchronization to keep active connections alive and prevent data loss when a
Cluster Member fails.
• With State Synchronization, each Cluster Member "knows" about connections that go through other
Cluster Members.
• For State Synchronization, Check Point uses a dedicated Synchronization Network.

Check Point Redundancy | ClusterXL | How does ClusterXL work?
• ClusterXL uses virtual IP addresses for the cluster itself and unique physical IP and MAC addresses for
the Cluster Members. Virtual IP addresses do not belong to physical interfaces.

Cluster Synchronization
Synchronization works in the following two modes:
• Full Synchronization — Transfers all Firewall kernel table information from one cluster member to another.
Full synchronization is used for initial transfers of state information for thousands of connections. If a cluster
member is brought up after failing, it will perform full sync. Once all members are synchronized, only updates are
transferred via delta sync. Full synchronization between cluster members is handled by the Firewall kernel using
TCP port 256.
• Delta Synchronization — Transfers changes in the kernel tables between cluster members.
Delta sync is much quicker than full sync. It is handled by the Firewall kernel, using UDP Multicast or Broadcast on
port 8116.
Check Point Redundancy | ClusterXL | High Availability Mode

• Only one member handles all the traffic – the Active Member.
• All other members are Standby Member(s).
• A Standby Member is synchronized with the state of the connections from the Active Member.
• In the event that the Active Member becomes unavailable, all connections are redirected to a
designated Standby Member without interruption.
• ClusterXL High Availability mode supports both IPv4 and IPv6.

Check Point Redundancy | ClusterXL | High Availability Mode

• Upon Security Gateway recovery you can:
  o Maintain the current Active Security Gateway (Active Up), or
  o Switch back to the highest priority Security Gateway (Primary Up).

Check Point Redundancy | ClusterXL | High Availability Mode
This scenario describes a user connecting from the Internet to a Web server behind the Firewall cluster.
[Diagram: the cluster's external virtual IP is 62.90.111.3; the members have physical addresses 62.90.111.1 (MAC 00:80:24:01:01:01, Active) and 62.90.111.2 (MAC 00:80:24:01:01:02, Standby), with a Synchronization link between them. The ISP router asks "Who is 62.90.111.3?" and the Active member answers "62.90.111.3 is at 00:80:24:01:01:01". When the Active member fails, the Standby member sends a Gratuitous ARP "62.90.111.3 is now at 00:80:24:01:01:02" so the router updates its ARP cache. On the internal side the virtual IP is 172.168.1.3 and the members use 172.168.1.1 (MAC 00:80:24:01:02:01) and 172.168.1.2 (MAC 00:80:24:01:02:02) towards the internal router.]
Check Point Redundancy | Useful commands

# cphaprob stat                (cluster state of all members)
> show cluster state           (Gaia Clish equivalent)
> cphaprob -a if               (cluster interfaces and their status)
> cphaprob syncstat            (State Synchronization statistics)
> cphaprob -l list             (list of critical devices / pnotes)
# clusterXL_admin down         (administratively bring this member down)
# clusterXL_admin up           (bring it back up)
Check Point Redundancy | Cluster States

• Active
Everything is OK, forwarding packets – no issue.

• Active Attention
A problem has been detected, but the cluster member is still forwarding packets because it is
the only machine in the cluster or there are no other active machines in the cluster. In any other
situation the state of the machine would be Down.
Forwarding packets - there is an issue.

Check Point Redundancy | Cluster States

• Down
Applies only to a High Availability configuration and means that the member is waiting for an
active machine to fail in order to start packet forwarding.
NOT forwarding packets - there is an issue.

• Standby
NOT forwarding packets - NO issue.

VMAC
• A variation of the HA and Load Sharing Unicast modes.
• Configuring the cluster to use VMAC mode allows all members to use the same
virtual MAC address and minimizes possible traffic outages during failover.
• The VMAC is advertised by the members through G-ARP requests; each member keeps its real MAC address
and adds the VMAC address on top of it.
• VMAC failover time is shorter than failovers that involve a physical MAC address.
Configuring VMAC via SmartConsole:
1. Select the cluster object and navigate to
Gateway Cluster Properties.
2. Select ClusterXL and VRRP.
3. Enable the Use Virtual MAC option.
Configuring VMAC via Command Line:

1. Set the value of the global kernel parameter to 1 (the default value is 0, which
means that VMAC is disabled):
# fw ctl set int fwha_vmac_global_param_enabled 1
2. Ensure that VMAC mode is enabled on all members. Run this command on each member:
# fw ctl get int fwha_vmac_global_param_enabled
To view the VMAC address of each virtual cluster interface, run the following command:
> cphaprob -a if
Rule Processing Order

Packet flow through the Security Gateway:
1. Anti-spoofing checks
2. Rule base
3. Routing
4. Network Address Translation

Order within the rule base:
1. Anti-spoofing checks
2. "First" Implicit Rules
3. Explicit Rules (except for the final rule)
4. "Before Last" Implicit Rules
5. Last Explicit Rule (should be the cleanup rule)
6. "Last" Implicit Rules
7. Network Address Translation

Questions ?
