Professional Documents
Culture Documents
Training
Installation
Introduction to GAIA
GAIA Installation.
Secure Web based GUI - SIC CONCEPT
Smart Console Installation
Introduction to Basic commands
Interface Configuration
Backup and Restore
Checkpoint Port Requirements
Checkpoint Licenses
Introduction to FIREWALL
A firewall protects the resources of a private network from users on other networks.
Types of Firewall
Packet Filtering.
Stateful Inspection.
Application Intelligence.
PACKET FILTERING
Packet filtering is the first step in protecting internal users from external network threats.
Most routers have packet filtering built in, but routers are difficult to configure and do not provide
extensive logs of the incidents they see.
CONS – Low security; no screening above the network layer (no state or application context is
available). Packet filters are the least secure type of firewall.
STATEFUL INSPECTION
It incorporates Layer 4 awareness into the standard packet-filtering firewall architecture.
It examines not only the packet header but also the packet contents up through the application
layer, so it learns more about the packet than just its source and destination.
The state of each connection is monitored and recorded in a state table.
Check Point's INSPECT Engine is the mechanism that extracts state-related information from all
application layers and maintains it in these dynamic state tables.
The INSPECT Engine enforces the security policy on the Security Gateway on which it resides.
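As an added illustration (not part of the original training material, nor Check Point code), the following Python sketch contrasts a stateless packet filter with stateful inspection. The internal prefix, the sample packets and the "ACK bit means established" rule are constructed assumptions; Check Point's real INSPECT Engine tracks far more than this 4-tuple, but the weakness it closes is the one shown: a forged ACK segment is indistinguishable from a reply unless a state table remembers which connections the protected side actually opened.

```python
from dataclasses import dataclass

# Constructed sample topology (assumption): hosts in 10.1.0.0/24 are "inside".
INTERNAL_PREFIX = "10.1.0."


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet: addresses, ports and the set of TCP flags."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> str:
    """Stateless packet filter (Layer 3/4 header only, no memory).

    Rule 1: anything initiated from inside is allowed out.
    Rule 2: inbound packets with the ACK bit set are assumed to be replies
            to existing connections ("established") and allowed in.
    The filter cannot know whether such a connection actually exists.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "accept"
    if "ACK" in pkt.flags:
        return "accept"  # weakness: a forged ACK to any inside port passes
    return "drop"


class StatefulFirewall:
    """Stateful inspection: replies are accepted only if the state table
    records a connection that was opened from the protected side."""

    def __init__(self) -> None:
        # state table keyed by (src, sport, dst, dport) of the initiator
        self.state: set = set()

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.state.add(key)  # new outbound connection: record it
                return "accept"
            return "accept" if key in self.state else "drop"
        # inbound: only packets belonging to a tracked connection are accepted
        return "accept" if reverse in self.state else "drop"


def demo() -> dict:
    """Run the same three packets through both engines; returns the decisions."""
    syn = Packet("10.1.0.5", 40000, "203.0.113.9", 443, frozenset({"SYN"}))
    reply = Packet("203.0.113.9", 443, "10.1.0.5", 40000, frozenset({"SYN", "ACK"}))
    # Forged "established" packet: ACK set, but no inside host ever opened this.
    forged = Packet("198.51.100.7", 31337, "10.1.0.5", 22, frozenset({"ACK"}))

    fw = StatefulFirewall()
    return {
        "filter": [packet_filter(p) for p in (syn, reply, forged)],
        "stateful": [fw.inspect(p) for p in (syn, reply, forged)],
    }


if __name__ == "__main__":
    for engine, decisions in demo().items():
        print(f"{engine:>9}: syn={decisions[0]} reply={decisions[1]} forged_ack={decisions[2]}")
```

Both engines pass the outbound SYN and the genuine SYN/ACK reply; only the stateful engine drops the forged ACK aimed at port 22, because no state-table entry exists for it.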
APPLICATION FIREWALL
Application Intelligence is a set of advanced capabilities, integrated into the Firewall and IPS,
that detect and prevent application-layer attacks.
CHECKPOINT OVERVIEW
complete network.
• Architecture
• Components
• Blades
Checkpoint Components
• SmartDashboard
• SmartView Tracker
• SmartView Monitor
• SmartUpdate
• SmartProvisioning
• Eventia Reporter
• Eventia Analyzer
Firewall – Provides parameters useful to define the Rule Base for your network. Here, you specify how
connections are allowed or disallowed, authenticated and encrypted
Identity awareness – Provides granular visibility of users, groups and machines, providing unmatched
application and access control through the creation of accurate, identity-based policies.
Antivirus – Updates the Anti-Virus scanning and URL Filtering database, automatically or manually, with
the latest defense signatures from Check Point.
Content Filtering – Helps you to control application & website access in an organization to block and
allow specific URLs.
User Directory - Leverages LDAP servers to obtain identification and security information about
network users, eliminating the risks associated with manually maintaining and synchronizing redundant
data stores, and enabling centralized user management throughout the enterprise.
27 © 2018 7NETWORK SERVICES PVT LTD |
CheckPoint Technology Overview – Inspection Module
• Static Routing
• Dynamic Routing
A distributed installation is one in which the SmartCenter (Security Management) Server and the
Security Gateway are installed on separate machines.
© 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
• CoreXL
In a Security Gateway with CoreXL enabled, the Firewall kernel
is replicated multiple times. Each replicated instance runs on one
processing core. These instances handle traffic concurrently and
each instance is a complete Firewall kernel that inspects traffic.
When CoreXL is enabled, all Firewall instances in the Security
Gateway process traffic through the same interfaces and apply
the same gateway security policy
Number of Cores Number of Firewall Instances
1 1
2 2
4 3
8 6
12 10
• SecureXL
SecureXL is an acceleration solution that maximizes
performance of the Firewall and does not compromise security.
When SecureXL is enabled on a Security Gateway, some CPU
intensive operations are processed by virtualized software
instead of the Firewall kernel. The Firewall can inspect and
process connections more efficiently and accelerate throughput
and connection rates.
VSX automatically directs traffic arriving via VLAN interface eth1.200 to Virtual System 2,
according to the context defined by the VLAN ID.
• Introduction to GAIA
• GAIA Installation.
• Secure Web based GUI - SIC CONCEPT
• Smart Console Installation
• Interface Configuration
• Backup and Restore
• Introduction to Basic commands
• Port Requirements
• Licensing
Gaia is a single, unified network security Operating System that combines the best of Check
Point's SecurePlatform operating system, and IPSO, the operating system from appliance
security products. Gaia is available for all Check Point security appliances and open servers.
Configure GAIA
In the Gaia installation wizard, select the “Install Gaia on this system” option.
Configure GAIA
It will start copying files and installing Gaia.
After the installation completes, it displays the URL to use for the first-time configuration.
VLAN Interfaces
You can configure virtual LAN (VLAN) interfaces on Ethernet
interfaces. VLAN interfaces let you configure subnets with a
secure private link to gateways and management servers using
your existing topology. With VLAN interfaces, you can multiplex
Ethernet traffic into many channels using one cable.
• A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for
example: bond1) and is assigned an IP address. The physical interfaces included in the bond are
called slaves and do not have IP addresses.
You can define bond interfaces using one of these functional strategies:
• High Availability (Active/Backup): Gives redundancy when there is an interface or link failure. This
strategy also supports switch redundancy. Only one slave interface carries traffic at a time:
• Active/Backup - If the active slave interface goes down, the connection automatically fails over to the primary
slave interface. If the primary slave interface is not available, the connection fails over to a different slave.
• Load Sharing (Active/Active): Slave interfaces are active simultaneously. Traffic is distributed among
the slave interfaces to maximize throughput. Load Sharing does not support switch redundancy. You
can configure load sharing using one of these modes:
• Round Robin - Selects the active slave interface sequentially.
• 802.3ad - Dynamically uses active slaves to share the traffic load using the LACP protocol. This protocol
enables full interface monitoring between the gateway and a switch.
• XOR - All slave interfaces are active; the slave for a given flow is selected by a hash of Layer 2 (MAC) or
Layer 3+4 (IP address and port) fields, according to the configured transmit hash policy.
Log on to the device via https://<IP-Address>. The Gaia Portal listens on TCP port 443 by default; if the
Mobile Access (SSL VPN) portal also needs port 443 on the same gateway, the Gaia Portal is moved to port 4434.
As with snapshots, you can supply parameters with the command, such as the FTP server details,
and you can also schedule a backup. Type backup -h for more information.
To back up only the Check Point configuration (policy and objects) without the interface and
operating system settings, use the command from the upgrade_tools directory:
upgrade_export <Filename.tgz>
In order to restore from a backup, you must first have installed SPLAT (SecurePlatform) and all the
required Check Point components, hotfixes, etc. You can restore a backup from a file located in
/var/CPbackup/backups, or from a network location. Simply type the command restore, then select the
source (local, TFTP, FTP or SCP server) and the file name.
Once you have selected the backup file to restore from, you can choose which information to restore:
the “system” or “cp_products”. So, for example, if you wanted to restore your backup onto new hardware,
you could first install the OS and then selectively restore only the Check Point configuration.
As with the backup command, you can specify extra options. For a list of options available
with this command, type restore -h.
To import a configuration exported with upgrade_export, use the command from the upgrade_tools directory:
upgrade_import <Filename.tgz>
dns – tells you which DNS server the firewall uses
show configuration
Show running configuration.
save config
Save running configuration.
history
Show command history.
show commands
Show all commands you are allowed to run.
start transaction
Start transaction mode. All changes made will be applied at once if you exit
transaction mode with commit or discarded if you exit with rollback.
Refer to the following attached document for the list of ports and their functionality in
Check Point:
• From the Licenses & Contracts tab in SmartUpdate checkbox View Repository.
Local licensing is associated with the IP address of the machine to which the license will be applied. Local
licenses are installed on the local machine and each time the machine's IP address changes, a new license
must be generated and installed. Local licensing should be used when operating a standalone security
gateway (Security Gateway and Security Management Server are installed on the same server).
For example, a license for a VPN/FireWall Module in the Central scheme is generated to the IP address of
the Management Station, and in the Local scheme it is generated to the IP address of the Module.
Centralized and Local Licensing can be used together.
Installation-Licenses
Install license files centrally
• From the License and Contracts menu choose Add License and then From File…
• Select the first license file and press open.
• An information dialog box appears. Press OK.
• The first component of the license file is local license and is immediately attached
• Creating Objects
• Creating Gateway Objects.
• Configuring Rule Base.
• Verification of Policies.
• Pushing the Policies.
• Revision Control : Database Version.
• Understanding NAT
• Configuring NAT
• Hide NAT
• Static NAT
• Manual NAT
• Auto NAT
• IP Spoofing
• Anti Spoofing
• Cluster Modes and Types
Introduction to the Security Policy- Creating Objects
Top Down Approach : Check Point evaluates the Rule Base top down; the first rule that matches a connection
is applied and the rules below it are not consulted.
Cleanup Rule :- The last rule; it drops and logs all traffic that did not match an earlier rule. Any traffic
that is allowed must have matched one of the rules above it. (Without an explicit Cleanup rule, unmatched
traffic is still dropped by the implied rule, but it is not logged.)
Stealth Rule :- Drops all traffic to the Security Gateways themselves that is NOT from the internal company
network; it is placed near the top, below only the rules that allow management access to the gateway. When a
connection matches the Stealth rule and its Track is set to Alert, an alert window opens in SmartView Monitor.
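To show why rule order matters in a top-down Rule Base, here is an added Python example (not from the slides and not Check Point code) that evaluates a few connections against two orderings of the same four rules. The object names, networks, gateway addresses and port 18191 (used here for the management rule) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example objects (assumptions, not from the slides).
INTERNAL_NET = ip_network("10.0.0.0/8")
MGMT_NET = ip_network("10.0.100.0/24")
GATEWAY_IPS = {"10.0.0.1", "203.0.113.1"}
NAMED_NETS = {"Internal": INTERNAL_NET, "Mgmt": MGMT_NET}
ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "Any", "Internal", "Mgmt", "Gateway" or a CIDR string
    dst: str
    service: str  # "Any" or a TCP port as a string
    action: str   # "Accept" or "Drop"
    track: str    # "Log", "Alert" or "None"


def _match(spec: str, ip: str) -> bool:
    """Match an address against one column of a rule."""
    if spec == ANY:
        return True
    if spec == "Gateway":
        return ip in GATEWAY_IPS
    net = NAMED_NETS[spec] if spec in NAMED_NETS else ip_network(spec)
    return ip_address(ip) in net


def evaluate(rulebase: list, src: str, dst: str, port: int) -> tuple:
    """Top-down, first match wins. Returns (action, matched rule, track)."""
    for number, rule in enumerate(rulebase, start=1):
        if (_match(rule.src, src) and _match(rule.dst, dst)
                and rule.service in (ANY, str(port))):
            return rule.action, f"{number} {rule.name}", rule.track
    # Nothing matched: the implied drop applies, and it is not logged.
    return "Drop", "implied cleanup", "None"


MGMT_RULE = Rule("Management", "Mgmt", "Gateway", "18191", "Accept", "Log")
STEALTH = Rule("Stealth", ANY, "Gateway", ANY, "Drop", "Alert")
WEB_OUT = Rule("Internal web", "Internal", ANY, "80", "Accept", "Log")
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, "Drop", "Log")

# Recommended order: management access, Stealth, user rules, Cleanup last.
GOOD_ORDER = [MGMT_RULE, STEALTH, WEB_OUT, CLEANUP]
# Same rules, Stealth placed below the web rule: the gateway becomes reachable on port 80.
BAD_ORDER = [MGMT_RULE, WEB_OUT, STEALTH, CLEANUP]


def demo() -> dict:
    """Evaluate a few connections against both orderings; returns the outcomes."""
    cases = {
        "mgmt_to_gw": ("10.0.100.5", "10.0.0.1", 18191),
        "lan_to_gw_http": ("10.0.7.20", "10.0.0.1", 80),
        "lan_to_internet_http": ("10.0.7.20", "198.51.100.10", 80),
        "internet_to_lan_ssh": ("198.51.100.10", "10.0.7.20", 22),
    }
    return {
        name: {"good": evaluate(GOOD_ORDER, *c), "bad": evaluate(BAD_ORDER, *c)}
        for name, c in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} good={result['good'][0]:6} ({result['good'][1]})"
              f"  bad={result['bad'][0]:6} ({result['bad'][1]})")
```

With the Stealth rule in its proper place, a LAN host connecting to the gateway on port 80 hits rule 2 and is dropped with an alert; with the Stealth rule moved below the web rule, the same connection is accepted, because matching stops at the first hit.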
Hide NAT allows connections to be initiated only from the protected side of the Security Gateway
that is protecting this object (Check Point or externally managed Gateway or Host, Gateway node, or
Host node); many internal addresses are hidden behind a single address.
For Automatic NAT, check Add Automatic Address Translation Rules in the NAT tab of the host node.
Check Point then automatically creates the NAT rules for the specified traffic.
1. Add any IPs for which the Check Point gateway should answer ARP requests, together with the
MAC address to be advertised (the MAC of the gateway interface that should answer), to the
$FWDIR/conf/local.arp file on the local Gateway.
For example, to reply to ARP requests for IP 192.168.10.100 on interface eth2-01 with MAC
address 00:1C:7F:82:01:FE, add the following entry to the local.arp file:
192.168.10.100 00:1C:7F:82:01:FE
2. Enable the Merge manual proxy ARP configuration option in SmartDashboard >
Global Properties > NAT.
3. Install the Security Policy on the Gateway.
4. To check that the proxy ARP table has been updated, use the following command:
fw ctl arp
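The local.arp file is easy to get subtly wrong (malformed MAC, the real host's MAC instead of the gateway interface's, duplicate entries), and the only symptom is that the gateway silently does not answer ARP for the NAT address. This added Python validator (not a Check Point tool) parses the file's "IP MAC" lines and reports such problems before the policy is installed; the interface MAC table and the extra sample lines are constructed assumptions, and only the first entry comes from the slide above.

```python
import re
from ipaddress import ip_address

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Constructed assumption: MAC addresses of this gateway's own interfaces.
# A local.arp entry must use the MAC of the gateway interface that should
# answer the ARP request, not the MAC of the real host behind the NAT.
GATEWAY_IFACE_MACS = {
    "eth2-01": "00:1C:7F:82:01:FE",
    "eth2-02": "00:1C:7F:82:01:FF",
}


def parse_local_arp(text: str, iface_macs: dict) -> tuple:
    """Parse local.arp content (one 'IP MAC' pair per line).

    Returns (entries, errors): entries maps IP -> normalized MAC for valid
    lines, errors lists human-readable problems with their line numbers.
    """
    entries, errors = {}, []
    known_macs = {m.upper() for m in iface_macs.values()}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected 'IP MAC', got {raw.strip()!r}")
            continue
        ip_text, mac = fields
        try:
            ip = str(ip_address(ip_text))
        except ValueError:
            errors.append(f"line {lineno}: invalid IP address {ip_text!r}")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: invalid MAC address {mac!r}")
            continue
        mac = mac.upper()
        if mac not in known_macs:
            errors.append(f"line {lineno}: {mac} is not a gateway interface MAC")
            continue
        if ip in entries:
            errors.append(f"line {lineno}: duplicate entry for {ip}")
            continue
        entries[ip] = mac
    return entries, errors


# Constructed sample file: the slide's example entry followed by deliberately bad lines.
SAMPLE_LOCAL_ARP = """\
192.168.10.100 00:1C:7F:82:01:FE
192.168.10.101 00:1c:7f:82:01:ff
192.168.10.300 00:1C:7F:82:01:FE
192.168.10.102 00:50:56:AA:BB:CC
192.168.10.100 00:1C:7F:82:01:FE
192.168.10.103
"""

if __name__ == "__main__":
    good, problems = parse_local_arp(SAMPLE_LOCAL_ARP, GATEWAY_IFACE_MACS)
    for ip, mac in good.items():
        print(f"ok    {ip} -> {mac}")
    for problem in problems:
        print(f"error {problem}")
```

Only the first two lines survive (the second with its MAC normalized to upper case); the out-of-range IP, the foreign MAC, the duplicate and the one-field line are each reported with their line number.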
IP spoofing, and ARP spoofing in particular, may be used to mount man-in-the-middle attacks
against hosts on a computer network.
The idea is that packets that come from outside must not have source addresses that match the
internal network or the firewall itself. The only way to distinguish packets coming from outside
from those coming from inside is to check which interface of the firewall they cross and in
which direction.
Anti-spoofing is a security feature of the Check Point Firewall that protects against attackers who
generate IP packets with fake (spoofed) source addresses. It lets the Firewall determine whether
traffic is legitimate or malicious by verifying, for every packet, that the source address is valid
for the interface on which the packet arrived, as defined by that interface's topology.
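As an added example (not from the slides and not Check Point code), this Python code applies the interface-topology check described above to a few constructed packets: each interface is marked external or internal with the networks behind it, and a packet is spoofed if its source does not fit the interface it entered on, or if it claims one of the gateway's own addresses. Interface names, networks, gateway addresses and sample sources are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed gateway topology (assumption, not from the slides): each interface
# is either "external" or "internal" with the networks behind it.
TOPOLOGY = {
    "eth0": ("external", []),
    "eth1": ("internal", [ip_network("10.1.0.0/16")]),
    "eth2": ("internal", [ip_network("172.16.5.0/24")]),
}
# The gateway's own interface addresses; no one else may send with these as source.
GATEWAY_IPS = {ip_address("203.0.113.1"), ip_address("10.1.0.1"), ip_address("172.16.5.1")}


def internal_networks() -> list:
    """All networks that sit behind some internal interface."""
    return [net for kind, nets in TOPOLOGY.values() if kind == "internal" for net in nets]


def is_spoofed(iface: str, src: str) -> bool:
    """Anti-spoofing check for a packet *entering* the gateway on iface.

    Internal interface: the source must belong to a network behind that interface.
    External interface: the source must NOT belong to any internal network.
    Either: the source must not be one of the gateway's own addresses.
    """
    ip = ip_address(src)
    if ip in GATEWAY_IPS:
        return True
    kind, nets = TOPOLOGY[iface]
    if kind == "internal":
        return not any(ip in net for net in nets)
    return any(ip in net for net in internal_networks())


def filter_packets(packets: list) -> list:
    """Return (iface, src, verdict) for each (iface, src) pair; spoofed packets are dropped."""
    return [(iface, src, "drop (spoofed)" if is_spoofed(iface, src) else "pass")
            for iface, src in packets]


# Constructed sample traffic: (ingress interface, source address).
SAMPLE = [
    ("eth0", "198.51.100.7"),   # Internet host arriving from outside: legitimate
    ("eth0", "10.1.20.9"),      # internal address arriving from outside: spoofed
    ("eth0", "10.1.0.1"),       # claims to be the gateway itself: spoofed
    ("eth1", "10.1.20.9"),      # LAN host on its own interface: legitimate
    ("eth1", "172.16.5.40"),    # DMZ address arriving on the LAN interface: spoofed
    ("eth2", "172.16.5.40"),    # DMZ host on the DMZ interface: legitimate
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE):
        print(f"{iface} src={src:15} -> {verdict}")
```

The check is per ingress interface, which is why the same source 172.16.5.40 passes on eth2 and is dropped on eth1: the address is valid, but not for the interface it came in on.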
Cluster MAC Address (row of the cluster modes comparison table; column headers were not preserved): Same as that of Active appliance | Same as that of Active appliance | Multicast MAC address generated | Same as that of Active appliance