
Checkpoint L2

Training

1 © 2018 7NETWORK SERVICES PVT LTD |


Training Overview
CheckPoint Technology Overview
Introduction to Firewall
Types of firewall
Inspection Module and Packet Flow
Checkpoint Firewall
• Architecture
• Components
• Blades
Deployment Scenarios
CoreXL and SecureXL
VSX



Training Overview

Installation
Introduction to GAIA
GAIA Installation.
Secure Web based GUI - SIC CONCEPT
Smart Console Installation
Introduction to Basic commands
Interface Configuration
Backup and Restore
Checkpoint Port Requirements
Checkpoint Licenses



Training Overview
Introduction to the Security Policy
Creating Objects
Creating Gateway Objects.
Configuring Rule Base.
Verification of Policies.
Pushing the Policies.
Revision Control : Database Version.
Understanding NAT
Configuring NAT
Hide NAT
Static NAT
Manual NAT
Auto NAT
IP Spoofing
Anti Spoofing
Cluster Modes and Types
Training Overview

Monitoring Traffic and Connections

Tracking Activity using SmartView Tracker
Monitoring Traffic Using SmartView Tracker
SmartView Tracker Tabs
Administrator Auditing
Terminating and Blocking Active Connections
SmartView Monitor Alerts
Troubleshooting Commands

Training Overview

User Management and Authentication

Manage users using external databases
Example of External Authentication

Encryption and VPNs

Introduction to VPN
Modes of VPN: Main Mode & Aggressive Mode
SSL VPN
Site to Site VPN
Configuring VPN in Checkpoint
VPN Topology and Lab Testing Scenario
SecureRemote and SecureClient VPN
VPN Debugging



CheckPoint Technology Overview

Introduction to FIREWALL

In computing, a firewall is a software- or hardware-based network security system.

It controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through, based on the applied rule set.

A firewall protects the resources of a private network from users on other networks.

Basically, a firewall can be closely associated with a router. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet.



CheckPoint Technology Overview

Types of Firewall

There are three types of Internet firewalls.

Check Point utilizes the following technologies to grant or deny network traffic:

Packet Filtering.

Stateful Inspection.

Application Intelligence.



CheckPoint Technology Overview

PACKET FILTERING
The first step in protecting internal users from external network threats is to implement this type of security.

Most routers have packet filtering built in, but the problem with routers is that they are difficult to configure and do not provide extensive logs of incidents.

PROS – Application independence, high performance, and scalability.

CONS – Low security; no screening above the network layer (no state or application context information). This is the least secure type of firewall.



CheckPoint Technology Overview
STATEFUL FIREWALL

Stateful Inspection is a technology developed and patented by Check Point.

It incorporates layer 4 awareness into the standard packet filtering firewall architecture.

It examines not only the packet header but also the contents of the packet up through the application layer, to determine more about the packet than just its source and destination.

The state of connections is monitored and a state table is created to compile the information.

Pros: Good security, high performance, extensibility, transparency.

Check Point's INSPECT ENGINE is the mechanism used for extracting the state-related information from all application layers and maintaining this information in dynamic state tables.

The INSPECT ENGINE enforces the security policy on the security gateway on which it resides.



CheckPoint Technology Overview

State Table Overview


Src_IP Src_Prt Dst_IP Dst_Prt Timeout
192.168.7.131 10003 207.229.143.8 25 2845/3600
192.168.7.131 10002 207.229.143.8 24 2845/3600
192.168.7.131 10001 207.229.143.8 23 2845/3600
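The state table above and the stateful vs. packet-filtering comparison on the preceding slides, as an added example (this is not Check Point's INSPECT engine, and the addresses, ports, timeout and the one-rule rule base are constructed for the demo): a toy stateful firewall keeps one row per connection, keyed by source/destination IP and port, with an idle timeout shown as "seconds remaining/limit" like the slide's 2845/3600. Packets belonging to a tracked connection are accepted without re-checking the rule base, unsolicited inbound packets are dropped, and a stateless filter is included to show why the slides call packet filtering the least secure type.

```python
"""Toy stateful-inspection engine (added example, not Check Point's INSPECT engine).

One row per connection, keyed by (src_ip, src_port, dst_ip, dst_port), with an idle
timeout displayed as "remaining/limit" like the slide's 2845/3600. All addresses,
ports and the rule base below are constructed sample values.
"""
from dataclasses import dataclass

TCP_TIMEOUT = 3600   # idle timeout in seconds, as in the slide's "/3600" column


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str        # "out" = leaving the protected network, "in" = arriving from outside
    syn: bool = False     # first packet of a TCP connection
    fin: bool = False     # connection teardown


class StatefulFirewall:
    """Rule base for new connections, state table for everything that follows."""

    def __init__(self, allowed_outbound_ports, timeout=TCP_TIMEOUT):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.timeout = timeout
        self.state = {}   # (src_ip, src_port, dst_ip, dst_port) -> expiry time in seconds

    def expire(self, now):
        """Remove entries whose idle timeout has elapsed."""
        self.state = {k: exp for k, exp in self.state.items() if exp > now}

    def inspect(self, pkt, now):
        self.expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rkey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)   # reply direction
        entry = key if key in self.state else rkey if rkey in self.state else None
        if entry is not None:
            # Known connection: FIN removes it, any other packet refreshes the timeout.
            if pkt.fin:
                del self.state[entry]
            else:
                self.state[entry] = now + self.timeout
            return "accept"
        # New connection: only an outbound SYN to a permitted port creates state.
        if pkt.direction == "out" and pkt.syn and pkt.dst_port in self.allowed_outbound_ports:
            self.state[key] = now + self.timeout
            return "accept"
        return "drop"

    def table(self, now):
        """Rows shaped like the slide: Src_IP, Src_Prt, Dst_IP, Dst_Prt, remaining/limit."""
        return [(k[0], k[1], k[2], k[3], f"{exp - now}/{self.timeout}")
                for k, exp in self.state.items()]


class StatelessPacketFilter:
    """Contrast: every packet is judged on its own header, with no connection memory."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_outbound_ports = set(allowed_outbound_ports)

    def inspect(self, pkt):
        if pkt.direction == "out":
            return "accept" if pkt.dst_port in self.allowed_outbound_ports else "drop"
        # To let replies back in, a stateless filter needs a standing rule such as
        # "allow inbound packets whose source port is an allowed service port".
        # That rule also admits unsolicited packets that merely use that source port.
        return "accept" if pkt.src_port in self.allowed_outbound_ports else "drop"


def demo():
    """Walk one SMTP connection through the stateful firewall; return verdicts and the table."""
    fw = StatefulFirewall(allowed_outbound_ports={25})
    client, mail_server = "192.168.7.131", "207.229.143.8"
    outbound_syn = Packet(client, 10003, mail_server, 25, "out", syn=True)
    reply = Packet(mail_server, 25, client, 10003, "in")
    unsolicited = Packet(mail_server, 25, client, 10004, "in")   # no matching outbound flow

    verdicts = [fw.inspect(outbound_syn, now=0), fw.inspect(reply, now=755)]
    rows = fw.table(now=755)
    verdicts.append(fw.inspect(unsolicited, now=755))
    verdicts.append(fw.inspect(reply, now=755 + TCP_TIMEOUT + 1))   # idle too long: state expired
    return verdicts, rows
```

Running `demo()` yields the verdicts accept, accept, drop, drop: the outbound SYN creates state, the reply matches it in the reverse direction, the unsolicited packet has no row and is dropped, and after the idle timeout even a genuine reply is refused until a new connection is opened. The same unsolicited packet is accepted by `StatelessPacketFilter`, which has no connection memory to distinguish a reply from a probe.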



CheckPoint Technology Overview

APPLICATION FIREWALL
It is a set of advanced capabilities, integrated into the firewall and IPS, which detect and prevent application attacks.

It primarily works with application layer defences.

The security gateway integrates both network- and application-level protection by combining Stateful Inspection and Application Intelligence.

Example: Barracuda Web Application Firewall.



CheckPoint Technology Overview

CHECKPOINT OVERVIEW

Check Point is an Israeli information security software company.

Founded in Ramat Gan, Israel (1993).

Check Point products are installed at 80% of Fortune 100 companies.

Check Point implements a complete security solution with enterprise management of the complete network.

Check Point FireWall-1 uses the Stateful Inspection technology.



CheckPoint Technology Overview

• Architecture

• Components

• Blades



CheckPoint Technology Overview
Checkpoint Architecture

Checkpoint provides a three-tier model that consists of the following components:

SMART Clients / Dashboard
The Check Point SMART Clients are a set of GUI applications that allow security
administrators to configure and manage the global security policy for the entire
organization. The fundamental SMART Clients include the following:
SmartDashboard: allows you to configure the security policy.
SmartView Tracker: allows you to view security audit and event logs.

SmartCenter Server / Management Server
The SmartCenter server contains the global security policy for an organization.
The policy is defined using the SmartDashboard, but it is actually saved on the
SmartCenter server, together with the object database, user database and security rules.

Enforcement Module / Gateway
A Check Point VPN-1/FireWall-1 enforcement module is installed on network
access points where network security rules must be applied.


CheckPoint Technology Overview

Checkpoint Components

• SmartDashboard
• SmartView Tracker
• SmartView Monitor
• SmartUpdate
• SmartProvisioning
• Eventia Reporter
• Eventia Analyzer



CheckPoint Technology Overview
Smart Dashboard
SmartDashboard is a single, comprehensive user interface for defining and managing multiple elements of a Security Policy: firewall security, Virtual Private Networks (VPNs), Network Address Translation, Web content and access security (i.e., URL Filtering and SSL VPN), desktop security, antivirus security, IPS threat-defense protections, QoS, and VPN client security.

The Check Point SmartDashboard allows you to define Security Policies and rules in terms of network objects (hosts, networks, gateways, etc.).



CheckPoint Technology Overview
Smart Dashboard Login GUI



CheckPoint Technology Overview
Smart Dashboard Overview



CheckPoint Technology Overview
SmartView Tracker
It is used for managing and tracking logs and alerts, viewing administrator audit and logs
and active sessions.



CheckPoint Technology Overview
SmartView Monitor
It is used to monitor and generate reports for traffic on different Check Point components.
The SmartView Monitor is a VPN performance-analysis solution that presents users with
graphical views of end-to-end VPN tunnel-performance metrics, such as bandwidth,
round-trip time, and packet loss.



CheckPoint Technology Overview
SmartUpdate
It is used to manage and maintain a license repository, as well as to facilitate upgrading
Check Point software.



CheckPoint Technology Overview
SmartProvisioning
It provides centralized administration and provisioning of Check Point security devices via
a single management console.



CheckPoint Technology Overview
Eventia Reporter
It is a user-friendly solution for monitoring and auditing traffic.



CheckPoint Technology Overview
Eventia Analyzer
It automatically prioritizes security events, and by automating the aggregation and
correlation of raw log data, minimizes the amount of data needing review and isolates
and prioritizes the real security threats.



CheckPoint Technology Overview - Blades

Firewall – Provides parameters useful to define the Rule Base for your network. Here, you specify how
connections are allowed or disallowed, authenticated and encrypted

IPSec VPN – Used to manage VPN Communities.


IPS – Gets an overview of various attacks and their corresponding mechanisms of protection;
configures network security, Application Intelligence and Web Intelligence; and creates and assigns
profiles for different Gateways.

Identity awareness – Provides granular visibility of users, groups and machines, providing unmatched
application and access control through the creation of accurate, identity-based policies.

Antivirus – Automatically or manually updates the Anti-Virus scanning and URL filtering database with the
latest defense signatures from Check Point.

Content Filtering – Helps you to control application & website access in an organization to block and
allow specific URLs.

User Directory - Leverages LDAP servers to obtain identification and security information about
network users, eliminating the risks associated with manually maintaining and synchronizing redundant
data stores, and enabling centralized user management throughout the enterprise.
CheckPoint Technology Overview – Inspection Module



CheckPoint Technology Overview – Routing Support

Static vs. Dynamic Routing


There are two basic methods of building a routing table:

• Static Routing

A static routing table is created, maintained, and updated manually by a network administrator. A static route to every network must be configured on every router for full connectivity. This provides a granular level of control over routing, but quickly becomes impractical on large networks.

Static routes have an Administrative Distance (AD) of 1.

• Dynamic Routing

A dynamic routing table is created, maintained, and updated by a routing protocol running on the router. Examples of routing protocols include RIP (Routing Information Protocol) and OSPF (Open Shortest Path First).



CheckPoint Technology Overview – Deployment Types

Standalone and Distributed Installation


A standalone installation is when the SmartCenter server and the Security Gateway are installed on the same machine.

A distributed installation is when the SmartCenter server and the Security Gateway are installed on separate machines.
© 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL



CheckPoint Technology Overview – SecureXL and CoreXL

These are features that you can enable to increase the performance of the Firewall:

• CoreXL

• SecureXL (Performance Pack)

These are software-based features that are included in the Check Point operating systems. It is not necessary to purchase additional hardware to use them. You cannot configure CoreXL and SecureXL with SmartDashboard; instead, run the applicable commands from the CLI.



CheckPoint Technology Overview

• CoreXL
In a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated instance runs on one processing core. These instances handle traffic concurrently, and each instance is a complete Firewall kernel that inspects traffic. When CoreXL is enabled, all Firewall instances in the Security Gateway process traffic through the same interfaces and apply the same gateway security policy.

Number of Cores    Number of Firewall Instances
1                  1
2                  2
4                  3
8                  6
12                 10



CheckPoint Technology Overview

• SecureXL
SecureXL is an acceleration solution that maximizes
performance of the Firewall and does not compromise security.
When SecureXL is enabled on a Security Gateway, some CPU
intensive operations are processed by virtualized software
instead of the Firewall kernel. The Firewall can inspect and
process connections more efficiently and accelerate throughput
and connection rates.



Checkpoint Technology Overview - VSX
A VSX Gateway contains a complete set of virtual devices that function as physical network components, such as Security Gateways, routers, switches, interfaces, and even network cables. Centrally managed, and incorporating key network resources internally, VSX lets businesses deploy comprehensive firewall and VPN functionality, while reducing hardware investment and improving efficiency.

• Each Virtual System works as a Security Gateway, typically protecting a specified network. When packets arrive at the VSX Gateway, it sends traffic to the Virtual System protecting the destination network. The Virtual System inspects all traffic and allows or rejects it according to rules defined in the security policy.

• In order to better understand how virtual networks work, it is important to compare physical network environments with their virtual (VSX) counterparts. While physical networks consist of many hardware components, VSX virtual networks reside on a single configurable VSX Gateway or cluster that defines and protects multiple independent networks, together with their virtual components.



Checkpoint Technology Overview - VSX
Term – Definition

VSX – Virtual System Extension: the Check Point virtual networking solution, hosted on a single computer or cluster containing virtual abstractions of Check Point Security Gateways and other network devices. These virtual devices provide the same functionality as their physical counterparts.

VSX Gateway – Physical server that hosts VSX virtual networks, including all virtual devices that provide the functionality of physical network devices.

Management Server – The Security Management Server or Multi-Domain Security Management used by administrators to manage the VSX virtual network and its security policies.

Virtual device – Generic term for any VSX virtual network component.

Virtual System – A virtual device that provides the functionality of a physical Security Gateway with all supported Software Blades.

Virtual System in Bridge Mode – A Virtual System that implements native layer-2 bridging instead of IP routing, thereby enabling deployment of Virtual Systems in an existing topology without reconfiguring the IP routing scheme.

Virtual Switch – A virtual device that provides the functionality of a physical switch in a VSX deployment.

Virtual Router – A virtual device that provides the functionality of a physical router in a VSX deployment.

Warp Link (wrp) – A virtual interface that is created automatically in a VSX topology.
Checkpoint Technology Overview - VSX

• As you can see in the diagram, a single Gateway is divided into multiple firewall instances.

• Each firewall instance acts as an individual firewall and protects a different set of zones and interfaces.

• A Virtual Switch is used for shared interface connectivity between Virtual Firewalls.

Fig: Checkpoint VSX architecture



Checkpoint Technology Overview - VSX

The three basic Virtual System connection scenarios are:

• Virtual System directly connected to a physical or VLAN interface

• Virtual System connected via a Virtual Switch

• Virtual System connected via a Virtual Router



Checkpoint Technology Overview - VSX
Direct Connection to a Physical Interface
When traffic arrives at an interface (either physical or VLAN) that directly connects to a Virtual System, the connection itself determines the context and traffic passes directly to the appropriate Virtual System via that interface. This diagram shows traffic from a physical VLAN switch that is sent to an interface on the VSX Gateway.

VSX automatically directs traffic arriving via VLAN interface eth1.200 to Virtual System 2 according to the context defined by the VLAN ID.



Checkpoint Technology Overview - VSX
Connection via a Virtual Switch
Traffic arriving via a Virtual Switch passes to the appropriate Virtual System based on the destination MAC address, as defined in the Virtual Switch forwarding table. Traffic arrives at the Virtual System via the Warp Link associated with the designated MAC address.

If the destination MAC address does not exist in the Virtual Switch forwarding table, the traffic is broadcast over all defined Warp Links. The Virtual Switch scenario is common for inbound traffic from external networks or the Internet.



Checkpoint Technology Overview - VSX
Connection via a Virtual Router
Traffic arriving via a Virtual Router passes to the appropriate Virtual System based on entries in the Virtual Router routing table. Routing may be destination-based, source-based or both. Traffic arrives at the designated Virtual System via its Warp Link.
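The three connection scenarios on the preceding slides (direct VLAN interface, Virtual Switch, Virtual Router), as an added example that is not Check Point code: a small model of how a VSX Gateway decides which Virtual System inspects a packet. The interface and Warp Link names, MAC addresses, networks and VS names are constructed for the demo; the forwarding logic follows the slides (VLAN ID sets the context, the switch forwards on destination MAC and floods unknown MACs over all Warp Links, the router matches destination- and/or source-based routes).

```python
"""Toy model of Virtual System selection on a VSX Gateway (added example, not
Check Point code). Names, MACs and networks below are constructed for the demo.
"""
import ipaddress


class VirtualSwitch:
    """Layer 2: look up the destination MAC in the forwarding table; flood if unknown."""

    def __init__(self):
        self.forwarding_table = {}   # destination MAC -> Warp Link name
        self.warp_links = set()

    def add_warp_link(self, wrp, mac=None):
        self.warp_links.add(wrp)
        if mac:
            self.forwarding_table[mac] = wrp

    def forward(self, dst_mac):
        wrp = self.forwarding_table.get(dst_mac)
        if wrp is None:
            # Unknown destination: broadcast over all defined Warp Links.
            return sorted(self.warp_links)
        return [wrp]


class VirtualRouter:
    """Layer 3: pick a Warp Link from destination-based, source-based or combined routes."""

    def __init__(self):
        self.routes = []   # (dst_network or None, src_network or None, Warp Link)

    def add_route(self, wrp, dst=None, src=None):
        self.routes.append((ipaddress.ip_network(dst) if dst else None,
                            ipaddress.ip_network(src) if src else None, wrp))

    def lookup(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        best = None
        for dst_net, src_net, wrp in self.routes:
            if dst_net is not None and dst not in dst_net:
                continue
            if src_net is not None and src not in src_net:
                continue
            # Most specific route wins: longest destination prefix, then longest source prefix.
            score = (dst_net.prefixlen if dst_net else -1, src_net.prefixlen if src_net else -1)
            if best is None or score > best[0]:
                best = (score, wrp)
        return best[1] if best else None


class VsxGateway:
    def __init__(self):
        self.vlan_context = {}   # directly connected interface, e.g. "eth1.200" -> "VS2"
        self.warp_owner = {}     # Warp Link -> Virtual System it belongs to
        self.vswitch = VirtualSwitch()
        self.vrouter = VirtualRouter()

    def dispatch(self, ingress, **pkt):
        """Return the Virtual System(s) that receive a packet arriving via `ingress`."""
        if ingress in self.vlan_context:
            return [self.vlan_context[ingress]]          # context is set by the VLAN ID
        if ingress == "vswitch":
            return [self.warp_owner[w] for w in self.vswitch.forward(pkt["dst_mac"])]
        if ingress == "vrouter":
            wrp = self.vrouter.lookup(pkt["src_ip"], pkt["dst_ip"])
            return [self.warp_owner[wrp]] if wrp else []   # no route: nothing to deliver to
        return []


def build_demo_gateway():
    """Constructed topology: VS1..VS3 reached via a VLAN, a Virtual Switch and a Virtual Router."""
    gw = VsxGateway()
    gw.vlan_context["eth1.200"] = "VS2"
    gw.warp_owner.update({"wrp64": "VS1", "wrp65": "VS2", "wrp66": "VS3"})
    gw.vswitch.add_warp_link("wrp64", "00:1c:7f:00:00:01")
    gw.vswitch.add_warp_link("wrp65", "00:1c:7f:00:00:02")
    gw.vrouter.add_route("wrp66", dst="10.3.0.0/16")     # destination-based
    gw.vrouter.add_route("wrp65", dst="10.0.0.0/8")
    gw.vrouter.add_route("wrp64", src="192.0.2.0/24")    # source-based
    return gw
```

With `build_demo_gateway()`, a frame on eth1.200 goes to VS2 regardless of its addresses, a frame for an unknown MAC on the Virtual Switch reaches every Virtual System with a Warp Link on that switch (the flooding the slide describes, which is why the switch scenario suits inbound Internet traffic), and the Virtual Router delivers 10.3.x.x to VS3 over the more specific route while a packet that matches no route is not delivered at all.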



Installation

• Introduction to GAIA
• GAIA Installation.
• Secure Web based GUI - SIC CONCEPT
• Smart Console Installation
• Interface Configuration
• Backup and Restore
• Introduction to Basic commands
• Port Requirements
• Licensing



Installation
Introduction to GAIA
Gaia is the Check Point next generation operating system for security applications. In Greek
mythology, Gaia is the mother of all, representing closely integrated parts to form a single,
efficient system. The Gaia Operating System supports the full portfolio of Check Point
Software Blades, Gateway and Security Management products.

Gaia is a single, unified network security Operating System that combines the best of Check
Point's SecurePlatform operating system, and IPSO, the operating system from appliance
security products. Gaia is available for all Check Point security appliances and open servers.

Following are the features of GAIA:

1. Web-Based user interface with Search Navigation
2. Full Software Blade support
3. High connection capacity
4. Role-Based administrative Access
5. Intelligent Software updates
6. Native IPv4 and IPv6 Support
7. ClusterXL or VRRP Clusters
8. Manageable Dynamic Routing Suite
9. Full Compatibility with IPSO and SecurePlatform.



Installation

Configure GAIA
In the Gaia installation wizard, select the “Install Gaia on this system” option.



Installation
Configure GAIA
Press OK to choose the keyboard.
Press OK to choose eth0 as the management interface for configuring GAIA.
Configure the interface IP settings as shown above.



Installation

Configure GAIA
It starts copying and installing GAIA.

After installation completes, it shows the URL to use for first-time configuration.



Installation
Configure GAIA from the web interface
Login using login name “admin” and password “admin”.



Installation
Configure GAIA from the web interface
Configure IP address for eth0 Interface



Installation
Configure GAIA from the web interface
Choose Security Gateway or Security Management check boxes.



Installation
Configure GAIA from the web interface
Select Security Gateway/Management.
Select whether this appliance will be part of a cluster.



Installation
Configuring Checkpoint
Enter the admin credentials (username and password).
Select Next; installation of the Security Gateway and/or Security Management role starts, depending on the products chosen for installation.



Installation
Smart Console and Smart Center installation
• Through SmartConsole manager, launch the setup application from the CD-ROM drive and press Next.
• Choose New Installation.
• Press Next and verify that Typical-Management is selected.
• Press Next again.



Installation

Smart Console and Smart Center installation (Cont.)

The final screen shows the components selected.
Press Finish.
Connect the CD-ROM drive in the virtual machine to avoid the error messages.
The machine reboots.



Installation
Launching the SmartDashboard
Start -> Programs-> Check Point R75 -> SmartDashboard
Enter username “admin”, password “admin” and server “localhost”.
Approve the fingerprint as valid
Change the administrator password to wipro@123
Approve the trial period and close the window showing R75 components



Installation
Configuring Checkpoint
Right-click on the Check Point object and choose Security Management/Gateway.
Enter the Name, Platform and IP address.



Installation

• Sysconfig and cpconfig utility snapshots for post-installation configuration



Installation- Interface Configuration

VLAN Interfaces
You can configure virtual LAN (VLAN) interfaces on Ethernet
interfaces. VLAN interfaces let you configure subnets with a
secure private link to gateways and management servers using
your existing topology. With VLAN interfaces, you can multiplex
Ethernet traffic into many channels using one cable.



Installation- Interface Configuration
To configure a VLAN interface using the WebUI:
• In the WebUI navigation tree, select Interface Management > Network Interfaces.

• Click Add > VLAN. To change an existing VLAN interface, select an interface and then click Edit.

• In the Add (or Edit) VLAN window, select the Enable option to set the VLAN interface to UP.

• On the IPv4 and IPv6 tabs, enter the IP addresses and subnet information as necessary. You can optionally select the Obtain IP Address automatically option.

• On the VLAN tab, enter or select a VLAN ID (VLAN tag) between 2 and 4094.

• In the Member Of field, select the physical interface related to this VLAN.



Installation- Interface Configuration
Bond Interfaces (Link Aggregation)
• Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces into one virtual interface, known as a bond interface. The bond interface gives fault tolerance and increases throughput by sharing the load among many interfaces. Check Point devices support the IEEE 802.3ad Link Aggregation Control Protocol (LACP) for dynamic link aggregation.

• A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example: bond1) and is assigned an IP address. The physical interfaces included in the bond are called slaves and do not have IP addresses.

You can define bond interfaces using one of these functional strategies:
• High Availability (Active/Backup): Gives redundancy when there is an interface or link failure. This strategy also supports switch redundancy. You can configure High Availability to work in one of these modes:
  • Round Robin - Selects the active slave interface sequentially.
  • Active/Backup - If the active slave interface goes down, the connection automatically fails over to the primary slave interface. If the primary slave interface is not available, the connection fails over to a different slave.

• Load Sharing (Active/Active): Slave interfaces are active simultaneously. Traffic is distributed among the slave interfaces to maximize throughput. Load Sharing does not support switch redundancy. You can configure load sharing using one of these modes:
  • Round Robin - Selects the active slave interface sequentially.
  • 802.3ad - Dynamically uses active slaves to share the traffic load using the LACP protocol. This protocol enables full interface monitoring between the gateway and a switch.
  • XOR - Selects the algorithm for slave selection according to the TCP/IP layer.



Installation- Interface Configuration

Fig: BOND Interface details



Installation- Interface Configuration
To configure a bond interface using the WebUI:
• Make sure that the slave interfaces do not have IP addresses.
• On the WebUI Network Interfaces page, click Enable.
• For a new bond interface, select Add > Bond. For an existing bond interface, double-click the bond interface.
• Select the Enable option to activate the bond interface.
• On the IPv4 and IPv6 tabs (optional), enter the IP address information.
• On the Bond tab, select or enter a Bond Group name. This parameter is an integer between 1 and 1024.
• Select slave interfaces from the Available Interfaces list and then click Add.
• Select an Operation Mode (Round Robin is the default).
• On the Advanced tab, select a Link Monitoring option and its frequency in milliseconds:
  • Media Monitoring Interval - This sets the frequency of requests sent to the Media Independent Interface (MII) to confirm that a slave interface is up. The valid range is 1-5000 ms and the default is 100 ms.
  • ARP Monitoring - This defines the frequency of ARP requests sent to confirm that a slave interface is up. ARP requests are sent to as many as five external MAC addresses.
• Select the Up and Down intervals in milliseconds. This parameter defines the waiting time, in milliseconds, to confirm the slave interface status before taking the specified action.
• Select the Primary Interface (for Active/Backup bonds only).
• Select the Transmit Hash Policy (XOR only). This parameter selects the algorithm for slave selection according to the specified TCP/IP layer.
• Select the LACP Rate. This parameter sets the LACPDU packet transmission rate.
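The VLAN and bond procedures above carry a number of constraints that are easy to get wrong in the WebUI (VLAN ID 2-4094, Bond Group 1-1024, slaves without IP addresses, Primary Interface only for Active/Backup, Transmit Hash Policy only for XOR, MII interval 1-5000 ms). The following added example, which is not Check Point code, checks a proposed interface definition against those constraints before it is entered. The dict keys, mode spellings and the interface names and addresses in the demo are this example's own, not Gaia's.

```python
"""Pre-flight checker for the VLAN and bond interface settings on these slides
(added example, not Check Point code). Dict keys and the demo's interface names
and addresses are this example's own.
"""

VLAN_ID_RANGE = (2, 4094)        # "VLAN ID (VLAN tag) between 2 and 4094"
BOND_GROUP_RANGE = (1, 1024)     # "Bond Group ... an integer between 1 and 1024"
MII_INTERVAL_RANGE = (1, 5000)   # "Media Monitoring Interval ... 1-5000 ms"
HA_MODES = {"round-robin", "active-backup"}
LOAD_SHARING_MODES = {"round-robin", "802.3ad", "xor"}


def _int_in_range(value, bounds):
    lo, hi = bounds
    return isinstance(value, int) and lo <= value <= hi


def validate_vlan(vlan, interface_ips):
    """vlan = {"id": int, "member_of": str}; interface_ips maps a physical interface
    name to its configured IP address, or None. Returns a list of problems (empty = OK)."""
    problems = []
    if not _int_in_range(vlan.get("id"), VLAN_ID_RANGE):
        problems.append("VLAN ID must be an integer between 2 and 4094")
    if vlan.get("member_of") not in interface_ips:
        problems.append("Member Of must name an existing physical interface")
    return problems


def validate_bond(bond, interface_ips):
    """bond = {"group": int, "slaves": [str], "mode": str, "primary": str|None,
    "xmit_hash_policy": str|None, "mii_interval_ms": int|None}.
    Returns a list of problems (empty = OK)."""
    problems = []
    if not _int_in_range(bond.get("group"), BOND_GROUP_RANGE):
        problems.append("Bond Group must be an integer between 1 and 1024")

    slaves = bond.get("slaves", [])
    if not slaves:
        problems.append("a bond needs at least one slave interface")
    for name in slaves:
        if name not in interface_ips:
            problems.append(f"{name}: unknown interface")
        elif interface_ips[name] is not None:
            # Slaves carry no IP address; the bond interface itself gets the address.
            problems.append(f"{name}: slave interfaces must not have IP addresses")

    mode = bond.get("mode")
    if mode not in HA_MODES | LOAD_SHARING_MODES:
        problems.append(f"unknown operation mode {mode!r}")

    primary = bond.get("primary")
    if primary and mode != "active-backup":
        problems.append("Primary Interface applies to Active/Backup bonds only")
    if primary and primary not in slaves:
        problems.append("Primary Interface must be one of the slave interfaces")

    if bond.get("xmit_hash_policy") and mode != "xor":
        problems.append("Transmit Hash Policy applies to XOR mode only")

    mii = bond.get("mii_interval_ms")
    if mii is not None and not _int_in_range(mii, MII_INTERVAL_RANGE):
        problems.append("Media Monitoring Interval must be between 1 and 5000 ms")
    return problems


def demo():
    """Check one valid and one flawed bond definition against constructed interfaces."""
    interface_ips = {"eth1": None, "eth2": None, "eth3": "10.0.0.3"}   # constructed
    good = {"group": 1, "slaves": ["eth1", "eth2"], "mode": "active-backup",
            "primary": "eth1", "xmit_hash_policy": None, "mii_interval_ms": 100}
    flawed = {"group": 0, "slaves": ["eth2", "eth3"], "mode": "xor",
              "primary": "eth2", "xmit_hash_policy": "layer2", "mii_interval_ms": 6000}
    return validate_bond(good, interface_ips), validate_bond(flawed, interface_ips)
```

`demo()` returns no problems for the Active/Backup bond and four for the flawed one: the Bond Group 0, a slave (eth3) that still carries an IP address, a Primary Interface on an XOR bond, and an MII interval outside 1-5000 ms. Running a check like this before touching the WebUI matters on a gateway because a mis-built bond takes the management path down with it.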





Installation-Backup and Restore

Backup via the Web UI:

Log onto the device via https://<IP-Address> (the default port is 4434 unless it has been changed to avoid a clash with SSL VPN).

Select Device > Backup > Back Up Now.

Select the location you wish to save the file to, supply any credentials for FTP or SCP servers, and optionally select to include log files in the backup. Then click Apply.
Click Yes to proceed (on a management server, note the warning to close GUI clients).
To view the status of the backup, click View Backup Log.



Installation
Backup via the CLI:

Run the command: backup

By default the backup file is created in /var/CPbackup/backups, so copy the file from there to a safe location on your network.

As with snapshots, you can supply parameters with the command, such as the FTP server details, and also schedule a backup. Type backup -h for more info.

To take only a policy backup, without the interface and system OS details, run the following command from the upgrade_tools directory:
upgrade_export <Filename.tgz>



Installation

To restore from a backup:

In order to restore from a backup, you must first have installed SPLAT and all the required Check Point components, hotfixes, etc. You can restore a backup from a file located in /var/CPbackup/backups, or from a network location. Simply type the command restore, then select the source (local, tftp, ftp, scp server) and file name.

Once you’ve selected the backup file to restore from, you can then choose which information to restore: the “system” or “cp_products”. So, for example, if you wanted to restore your backup onto new hardware, you could first install the OS and then selectively restore just the Check Point configuration.

As with the backup command, you can specify extra options. For a list of options available with this command, type restore -h.

To import a backup taken with upgrade_export, run the following command from the upgrade_tools directory:
upgrade_import <Filename.tgz>



Installation – Checkpoint Directories



Installation -Basic Commands
passwd – To change the password of the current user

timezone – To set the timezone

time – to see the current time

date – to see the current date

exit – Exits from the current user session

shutdown – Shuts down the Device

reboot – Reboots the Device

fw ver – Display gateway version

fwm ver- Display Management version

audit – audit show <number of entries you want to view>

ping – ping X.X.X.X


Installation - Basic Commands

traceroute – traceroute X.X.X.X

netstat – shows the established connections on the Firewall

ifconfig – use shift + pageup to view the complete content

ip addr – same as ifconfig with some limited info

dns – will tell you which DNS server the firewall uses

webui – webui enable <port number>



Installation - Basic Commands GAIA
ver
Show Gaia version.

show configuration
Show running configuration.

save config
Save running configuration.

history
Show command history.

show commands
Show all commands you are allowed to run.

lock database override
Acquire read/write access to the database.



Installation - Basic Commands GAIA

start transaction
Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.

show version os edition
Show which OS edition (32- or 64-bit) is running.

set edition default 32-bit|64-bit
Switch between the 32- and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).

expert
Switch to bash and expert mode.



Installation – Port Requirements

Refer to the following attached document for the list of ports and their functionality in Check Point:



Installation - Licenses
Install license files centrally

• Click on the Network Objects Licenses & Contracts tab.

• From the Licenses & Contracts tab in SmartUpdate, check View Repository.

• The License & Contract Repository opens as a window at the bottom.



Installation- Licensing
Central licensing allows licenses (for Security Gateways and Domain Management Servers) to be
associated with the IP Address of the Security Management server. This simplifies the licensing process
and provides greater flexibility in license management. Central Licenses are installed into the Module via
SmartUpdate and can be attached to or detached from the destination machine. Central licensing should be
used when operating within a distributed environment (Security Gateway and Security Management Server
are on different servers).

The benefits are:

• Central management of all licenses via SmartUpdate.
• The new license remains valid when changing the IP address of the Module.
• There is no need to re-create and re-install a new license when moving IP.
• Only one IP address is needed for all licenses.
• A license can be taken from one Module and given to another.

Local licensing is associated with the IP address of the machine to which the license will be applied. Local
licenses are installed on the local machine and each time the machine's IP address changes, a new license
must be generated and installed. Local licensing should be used when operating a standalone security
gateway (Security Gateway and Security Management Server are installed on the same server).

For example, a license for a VPN/FireWall Module in the Central scheme is generated to the IP address of
the Management Station, and in the Local scheme it is generated to the IP address of the Module.
Centralized and Local Licensing can be used together.
Installation-Licenses
Install license files centrally
• From the License and Contracts menu choose Add License and then From File…
• Select the first license file and press open.
• An information dialog box appears. Press OK.
• The first component of the license file is a local license and is attached immediately.



Installation - Licenses
Install license files centrally from wip-bang-manager (Cont.)
• From the License and Contracts menu choose Add License and then From File…
• Select the second license file and press open. An information dialog box appears.
Press OK.



Installation-Licenses
Install license files centrally
• In the License and Contracts Repository, highlight the line whose type (in the
right column) is local.
• Right click on the unattached license in the left and choose Attach License…
Choose Gateway/Management and press Attach.
• The display should now show three licenses attached to the objects.



Understanding Lab Topology & Routing Concept


Introduction to the Security Policy

• Creating Objects
• Creating Gateway Objects.
• Configuring Rule Base.
• Verification of Policies.
• Pushing the Policies.
• Revision Control : Database Version.
• Understanding NAT
• Configuring NAT
• Hide NAT
• Static NAT
• Manual NAT
• Auto NAT
• IP Spoofing
• Anti Spoofing
• Cluster Modes and Types
Introduction to the Security Policy- Creating Objects

Create the following network objects:

NYLAN (Network)
NYDMZ (Network)
LDAP-Server (Host)



Introduction to the Security Policy- Creating Gateway Objects



Introduction to the Security Policy- Configuring Rule Base

Configure a basic Checkpoint Rule Base

Top Down Approach: Checkpoint evaluates the rule base top down; the first rule that
matches a connection decides its fate.

Traffic Rules: allow or deny traffic on the basis of specific services.

Cleanup Rule: drops all remaining traffic. Any traffic that should be allowed must
have matched one of the earlier rules.

Stealth Rule: all traffic that is NOT from the internal company network to one of the
Security Gateways is dropped. When a connection matches the Stealth rule, an alert
window opens in SmartView Monitor.
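The top-down matching described above, as an added example that is not part of the training deck: a small first-match rule base with a management rule, the stealth rule and the cleanup rule. The networks, addresses and services are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"
# Constructed objects: the internal LAN, one management host and the gateway's own address.
NYLAN = ipaddress.ip_network("10.1.0.0/16")
MGMT_HOST = {ipaddress.ip_address("10.1.0.10")}
GATEWAY = {ipaddress.ip_address("203.0.113.1")}

@dataclass
class Rule:
    name: str
    src: object       # ip_network, set of ip_address, or ANY
    dst: object
    service: object   # set of "proto/port" strings, or ANY
    action: str       # "accept" or "drop"

def _matches(field, value):
    return field == ANY or value in field

def evaluate(rules, src, dst, service):
    """Top-down, first-match evaluation; returns (rule name, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst) and _matches(rule.service, service):
            return rule.name, rule.action
    raise RuntimeError("no cleanup rule: packet fell off the end of the rule base")

# Order matters: the management rule sits above the stealth rule so only the
# management host reaches the gateway; everything else aimed at the gateway is
# dropped before the traffic rules are consulted, and the cleanup rule drops the rest.
RULE_BASE = [
    Rule("Management access", MGMT_HOST, GATEWAY, {"tcp/22", "tcp/443"}, "accept"),
    Rule("Stealth", ANY, GATEWAY, ANY, "drop"),
    Rule("Web out", NYLAN, ANY, {"tcp/80", "tcp/443"}, "accept"),
    Rule("Cleanup", ANY, ANY, ANY, "drop"),
]

def with_stealth_first(rules):
    """Same rules with the stealth rule moved to the top, to show the ordering pitfall."""
    stealth = [r for r in rules if r.name == "Stealth"]
    return stealth + [r for r in rules if r.name != "Stealth"]
```

With the stealth rule moved above the management rule, the management host's SSH is dropped as well, which is why its position in the rule base matters.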



Introduction to the Security Policy- Verification of Policies



Introduction to the Security Policy- Pushing the Policies

Install the Policy

From the menu Policy -> Install
Accept the message and mark the checkbox
Press OK and wait for the installation to complete
Remember that changes to the RuleBase take effect only after policy installation.
The installed policy is enforced until a new policy is installed.



Introduction to the Security Policy- Revision Control : Database Version

This utility creates a version of your current policies, object database,
IPS updates, etc. It is useful for minor changes or edits that you perform
in SmartDashboard.

It cannot be used to restore your system in case of failure.



Introduction to the Security Policy- Connection Persistence Options

Connection Persistence sets what happens to existing connections after a policy
installation: keep all the connections, rematch them against the new security
policy, or keep all data connections.



Introduction to the Security Policy- Connections
In Optimization, set the maximum concurrent connections allowed on the Gateway.
In versions newer than R75.40 there is an automatic calculation option that
raises the concurrent connection limit automatically.



Introduction to the Security Policy- Understanding NAT

Network address translation (NAT) is a methodology of modifying network
address information in Internet Protocol (IP) datagram packet headers while
they are in transit across a traffic routing device for the purpose of remapping
one IP address space into another.



Introduction to the Security Policy- Configuring NAT



Introduction to the Security Policy- Configuring NAT



Introduction to the Security Policy- Hide NAT

In Hide NAT, a single public address is used to represent multiple computers
on the internal network with private addresses (many-to-one relation).

Hide NAT allows connections to be initiated only from the protected side of
the Security Gateway that is protecting this object (Check Point, or Externally
Managed Gateway or Host, Gateway node, or Host node).



Introduction to the Security Policy- Static NAT

In Static NAT, each private address is translated to a corresponding public
address (one-to-one relation). Static NAT allows machines on both sides of
the Security Gateway, protecting this object (Check Point, or Externally
Managed Gateway or Host, Gateway node, or Host node), to initiate
connections, so that, for example, internal servers can be made available
externally.
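The difference between the Hide NAT and Static NAT slides above, as an added toy example that is not part of the training deck: a translation table in which the hide address only carries replies to connections opened from the protected side, while the static pair can be reached from either side. The LAN, hide address and static pair are constructed values.

```python
import ipaddress

# Constructed values: protected LAN, the single hide address, and one static NAT pair.
NYLAN = ipaddress.ip_network("192.168.1.0/24")
HIDE_IP = "203.0.113.10"
STATIC = {"192.168.1.50": "203.0.113.50"}          # private -> public
STATIC_REV = {pub: priv for priv, pub in STATIC.items()}

class NatGateway:
    def __init__(self, first_port=10000):
        self.next_port = first_port
        self.hide_table = {}   # (HIDE_IP, public port) -> (private ip, private port)

    def outbound(self, src, sport):
        """A connection initiated from the protected side; returns the translated (ip, port)."""
        if ipaddress.ip_address(src) not in NYLAN:
            raise ValueError(f"{src} is not on the protected side")
        if src in STATIC:                       # Static NAT: one-to-one, port untouched
            return STATIC[src], sport
        pub_port = self.next_port               # Hide NAT: many-to-one, port rewritten
        self.next_port += 1
        self.hide_table[(HIDE_IP, pub_port)] = (src, sport)
        return HIDE_IP, pub_port

    def inbound(self, dst, dport):
        """A packet arriving from outside; returns the private (ip, port), or None if dropped."""
        if dst in STATIC_REV:                   # Static NAT: reachable from outside
            return STATIC_REV[dst], dport
        # Hide NAT: only replies to an existing outbound mapping are translated;
        # a fresh connection aimed at the hide address has nowhere to go.
        return self.hide_table.get((dst, dport))
```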



Introduction to the Security Policy- Manual NAT

In Manual NAT, the address translation for inbound and outbound traffic is
configured by hand in the NAT configuration.



Introduction to the Security Policy- Auto NAT

In Auto NAT, tick Add Automatic Address Translation Rule on the host node object.
Checkpoint then configures the address translation for that object's traffic
automatically.



Introduction to the Security Policy- Proxy Arp Configuration

To configure the proxy ARP mechanism on Checkpoint:

1. Add any IPs for which the Checkpoint should answer to ARP requests and the
respective MAC addresses to be advertised to the $FWDIR/conf/local.arp file on
the local Gateway.
For example, in order to reply to ARP requests for IP 192.168.10.100 on interface
eth2-01 with MAC address 00:1C:7F:82:01:FE, add the following entry to the
local.arp file:
192.168.10.100 00:1C:7F:82:01:FE

2. Enable the Merge manual proxy ARP configuration option in SmartDashboard >
Global Properties > NAT.

3. Install policy to apply the updated proxy ARP entries.

4. To check that the proxy ARP table has been updated, use the following command:
fw ctl arp
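A pre-install sanity check for the local.arp entries described above, as an added example that is not part of the training deck. It validates the "IP MAC" format of each line and flags duplicate IPs before the policy is installed; the file content is constructed, and treating "#" as a comment marker is an assumption of this check, not a documented feature of the file.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed local.arp content: two good lines followed by three typical mistakes.
SAMPLE_LOCAL_ARP = """\
# proxy ARP entries for static NAT addresses (constructed sample)
192.168.10.100 00:1C:7F:82:01:FE
192.168.10.101 00:1c:7f:82:01:fe
192.168.10.100 00:1C:7F:82:01:FF
192.168.10.999 00:1C:7F:82:01:FE
192.168.10.102 001C7F8201FE
"""

def check_local_arp(text):
    """Return a list of (line number, problem) tuples; an empty list means the file is clean."""
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append((n, "expected exactly two fields: IP and MAC"))
            continue
        ip, mac = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((n, f"invalid IP address {ip!r}"))
            continue
        if not MAC_RE.match(mac):
            problems.append((n, f"MAC {mac!r} is not in aa:bb:cc:dd:ee:ff form"))
            continue
        if ip in seen:
            # Two MACs for one IP: the gateway can only answer with one of them.
            problems.append((n, f"duplicate entry for {ip}, first seen on line {seen[ip]}"))
            continue
        seen[ip] = n
    return problems
```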



Introduction to the Security Policy- Concept of IP SPOOFING

In IP spoofing, an attacker gains unauthorized access to a computer or a
network by making it appear that a malicious message has come from a
trusted machine by "spoofing" the IP address of that machine.

IP spoofing and ARP spoofing in particular may be used to leverage
man-in-the-middle attacks against hosts on a computer network.

IP spoofing is a technique of generating IP packets with a source address
that belongs to someone else. Spoofing creates a danger when hosts on the
LAN permit access to their resources and services to trusted hosts by
checking the source IP of the packets.



Introduction to the Security Policy- Anti-Spoofing

 The idea is that packets that come from outside must not have source addresses
that match the internal network or the firewall itself. The only way to distinguish
packets coming from outside from those coming from inside is to check which
interface of the firewall they cross and in which direction.

 A security feature on Checkpoint Firewall that protects from attackers who generate
IP packets with fake or spoofed source/destination IP addresses. Anti-spoofing
enables the Firewall to determine whether traffic is legitimate or is being used for
a malicious purpose; it detects IP address spoofing.

 Check Point implements anti-spoofing measures by checking the source address of
every packet against a predefined view of the network layout.
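The interface-based check described above, as an added example that is not part of the training deck: each interface carries a view of the networks behind it, and a packet's source address is accepted only if it is consistent with the interface it arrived on. The interface names, networks and gateway addresses are constructed.

```python
import ipaddress

# Constructed topology: which networks legitimately sit behind each interface.
TOPOLOGY = {
    "eth1": {"external": True, "networks": []},
    "eth2": {"external": False, "networks": [ipaddress.ip_network("10.1.0.0/16")]},  # NYLAN
    "eth3": {"external": False, "networks": [ipaddress.ip_network("10.2.0.0/24")]},  # NYDMZ
}
# Constructed addresses of the firewall itself, one per interface.
GATEWAY_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.1", "10.1.0.1", "10.2.0.1")}

def _all_internal():
    return [n for i in TOPOLOGY.values() if not i["external"] for n in i["networks"]]

def spoof_check(iface, src):
    """Return 'accept' or a drop reason for a packet from `src` entering on `iface`."""
    src = ipaddress.ip_address(src)
    if src in GATEWAY_IPS:
        return "drop: source claims to be the firewall itself"
    info = TOPOLOGY[iface]
    if info["external"]:
        # Outside interface: anything is allowed except addresses that belong inside.
        if any(src in net for net in _all_internal()):
            return f"drop: internal address {src} arrived on external interface {iface}"
        return "accept"
    # Inside or DMZ interface: only the networks behind it are legitimate sources.
    if not any(src in net for net in info["networks"]):
        return f"drop: {src} is not behind interface {iface}"
    return "accept"
```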



Introduction to the Security Policy- Clustering Mode Configuration and Types



Introduction to the Security Policy- Clustering Mode Configuration and Types

CLUSTERXL Modes: Legacy High Availability | New High Availability | Load Sharing Multicast | Load Sharing Unicast

High Availability: Yes | Yes | Yes | Yes
Load Sharing: No | No | Yes | Yes
State Synchronization Mandatory: No | No | Yes | Yes

CLUSTERXL Configuration:
• Legacy High Availability: No additional IP configured for the cluster; the primary appliance IP is failed over to the secondary appliance.
• New High Availability, Load Sharing Multicast, Load Sharing Unicast: An additional cluster IP is required for each LAN segment, along with the primary and secondary LAN segment IPs.

Cluster MAC Address:
• Legacy High Availability, New High Availability, Load Sharing Unicast: Same as that of the active appliance.
• Load Sharing Multicast: Multicast MAC address generated.

Load On Gateways:
• Legacy High Availability: Active 100%, Standby 0%
• New High Availability: Active 100%, Standby 0%
• Load Sharing Multicast: Active 50%, Standby 50%
• Load Sharing Unicast: Active 70%, Standby 30%
Monitoring Traffic and Connections

• Tracking Activity using Smart View Tracker


• Monitoring Traffic Using Smart View Tracker
• Smart View Tracker Tabs
• Administrator Auditing
• Terminating and Blocking Active Connections
• Smart View Monitor Alerts
• Troubleshooting Commands



Monitoring Traffic and Connections - Tracking Activity using SmartView Tracker

Open SmartView Tracker from within SmartDashboard
Window -> SmartView Tracker

Configure Autoscroll in SmartView Tracker
Query -> Autoscroll



Monitoring Traffic and Connections - Tracking Activity using SmartView Tracker
