puresecurity ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.
Course Agenda
Cluster Elements - CCP
• Note: when VLANs are used, CCP runs only on the lowest VLAN ID (not true for VSX).
Cluster Elements - CCP
NOTE: this was taken from an HA configuration using multicast for CCP.
The output appears in /var/log/messages.
ipmaddr, which lists the multicast addresses each interface has joined, is another tool for checking this.
cphaprob -a if
Required interfaces: 3
Required secured interfaces: 1
eth0 194.29.43.63
eth1 172.30.130.63
State Synchronization
[Diagram: state synchronization between an Active Member and a Standby Member. The standby member goes down and later starts again, sending a full sync request; existing Connection 1, Connection 2 and Connection 3 are synced to it, and a new connection (4) is synced as it is created.]
State Synchronization
Generic
Automatic
State Synchronization
Selective sync:
State Synchronization
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 209693, retransmitted : 166, retrans reqs : 129, acks : 54
Sync packets received:
total : 134755, were queued : 221, dropped by net : 101
retrans reqs : 29, received 26 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Callback statistics: handled 11 cb, average delay : 1, max delay : 1
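The counters above are only useful if someone reads them regularly, so here is an added example (not part of the course material) that parses exactly that sync statistics block and turns it into health findings: a retransmit or network-drop ratio above a threshold, retransmit requests for illegal sequence numbers, or updates dropped because of sync overload. The sample text is the slide's own output embedded as a constant; the two ratio thresholds are assumptions of this example, not Check Point guidance.

```python
import re

# Constructed sample: the sync statistics block shown on the slide, embedded
# verbatim so the check runs offline.
SYNC_STATS_SAMPLE = """\
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 209693, retransmitted : 166, retrans reqs : 129, acks : 54
Sync packets received:
total : 134755, were queued : 221, dropped by net : 101
retrans reqs : 29, received 26 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Callback statistics: handled 11 cb, average delay : 1, max delay : 1
"""

KEY_VALUE = re.compile(r"^(.+?)\s*:\s*(\d+)$")                     # "retrans reqs : 29"
VALUE_KEY = re.compile(r"^(?:handled|received)\s+(\d+)\s+(\w+)$")  # "received 26 acks"


def parse_sync_stats(text):
    """Parse the block into {'version', 'status', 'sent': {...}, 'recv': {...}, 'cb': {...}}.
    Counter names are lower-cased with spaces replaced by underscores."""
    stats = {"sent": {}, "recv": {}, "cb": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Sync:":
            continue
        header = re.match(r"^(Version|Status)\s*:\s*(.+)$", line)
        if header:
            stats[header.group(1).lower()] = header.group(2).strip()
            continue
        if line.startswith("Sync packets sent"):
            section = "sent"
            continue
        if line.startswith("Sync packets received"):
            section = "recv"
            continue
        if line.startswith("Callback statistics"):
            section = "cb"
            line = line.split(":", 1)[1]          # keep only the counters
        if section is None:
            continue
        for field in line.split(","):
            field = field.strip()
            kv = KEY_VALUE.match(field)
            if kv:
                name, value = kv.group(1), kv.group(2)
            else:
                vk = VALUE_KEY.match(field)       # "received 26 acks", "handled 11 cb"
                if not vk:
                    continue
                value, name = vk.group(1), vk.group(2)
            stats[section][name.lower().replace(" ", "_")] = int(value)
    return stats


def assess_sync(stats, max_retransmit_ratio=0.01, max_net_drop_ratio=0.01):
    """Return a list of findings; an empty list means the sync link looks healthy.
    The two ratio thresholds are assumptions for this example, not vendor guidance."""
    findings = []
    if not stats.get("status", "").startswith("Able to Send/Receive"):
        findings.append("status is not 'Able to Send/Receive': %r" % stats.get("status"))
    sent, recv = stats["sent"], stats["recv"]
    if sent.get("total"):
        ratio = sent.get("retransmitted", 0) / sent["total"]
        if ratio > max_retransmit_ratio:
            findings.append(f"retransmitted {ratio:.2%} of sent sync packets")
    if recv.get("total"):
        ratio = recv.get("dropped_by_net", 0) / recv["total"]
        if ratio > max_net_drop_ratio:
            findings.append(f"network dropped {ratio:.2%} of received sync packets")
    if recv.get("retrans_reqs_for_illegal_seq", 0):
        findings.append("retransmit requests for illegal sequence numbers seen")
    if recv.get("dropped_updates_as_a_result_of_sync_overload", 0):
        findings.append("updates dropped because of sync overload (peer may be out of sync)")
    return findings


if __name__ == "__main__":
    parsed = parse_sync_stats(SYNC_STATS_SAMPLE)
    for finding in assess_sync(parsed) or ["sync statistics look healthy"]:
        print(finding)
```

For the slide's numbers the retransmit ratio is 166/209693 (about 0.08%) and the network-drop ratio 101/134755 (about 0.07%), both under the 1% thresholds, so the sample yields no findings; a non-zero sync-overload counter is reported unconditionally, because a dropped update means the peer's table is already out of step.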
Cluster Elements – Pnotes
Built-in Devices:
Registered Devices:
NOTE: Check Point recommends that customers use the same hardware for all cluster members.
ClusterXL
• Check Point's clustering product
• Includes both HA and LS solutions (AKA CPHA and CPLS)
• Works over state sync
• Supports Solaris, SPLAT and Linux; does not run on Nokia
• 4 modes of operation:
– HA – Legacy and New
– LS – Multicast and Unicast
ClusterXL – HA (New mode)
[Diagram: the ISP router on the Internet side asks "Who is 62.90.111.3?" and gets the answer "at 00:80:24:01:01:01". The VIP 62.90.111.3 faces the Internet; member A (active, 172.168.1.1, MAC 00:80:24:01:02:01) and member S (standby, 172.168.1.2, MAC 00:80:24:01:02:02) are joined by the synchronization link, and the internal router is 172.168.1.3.]
cphaprob stat :
[Diagram: ClusterXL Load Sharing, multicast mode. The answer to "Who is 62.90.111.3?" is the multicast MAC 01:00:5e:5a:6f:03, so both active members A1 (62.90.111.1 / 172.168.1.1) and A2 (62.90.111.2 / 172.168.1.2), joined by the synchronization link, receive the traffic sent to the VIP; the internal router is 172.168.1.3.]
Cluster XL multicast mode
cphaprob stat
Cluster Mode: Load Sharing (Multicast)
Number Unique Address Assigned Load State
1 192.168.255.21 33% active
2 192.168.255.22 33% active
3 (local) 192.168.255.20 33% active
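As an added example (not part of the course material), the following parses a cphaprob stat table of the form shown above and reports the things an operator would check by eye: a member that is not active, load shares that no longer add up to roughly 100%, or a missing (local) marker. The sample is the slide's own table embedded as a constant; the 2% rounding allowance and the optional expected member count are assumptions of this example.

```python
import re

# Constructed sample: the cphaprob stat output shown on the slide, embedded verbatim.
CPHAPROB_STAT_SAMPLE = """\
Cluster Mode: Load Sharing (Multicast)
Number Unique Address Assigned Load State
1 192.168.255.21 33% active
2 192.168.255.22 33% active
3 (local) 192.168.255.20 33% active
"""

# number, optional "(local)", unique address, load percentage, state
MEMBER_ROW = re.compile(
    r"^(\d+)\s+(\(local\)\s+)?(\d+\.\d+\.\d+\.\d+)\s+(\d+)%\s+(\w+)\s*$")


def parse_cphaprob_stat(text):
    """Return (cluster_mode, members); each member is a dict with number,
    local flag, address, load (integer percent) and state."""
    mode, members = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Cluster Mode:\s*(.+)$", line)
        if m:
            mode = m.group(1).strip()
            continue
        row = MEMBER_ROW.match(line)
        if row:
            members.append({
                "number": int(row.group(1)),
                "local": row.group(2) is not None,
                "address": row.group(3),
                "load": int(row.group(4)),
                "state": row.group(5).lower(),
            })
    return mode, members


def cluster_findings(mode, members, expected_members=None):
    """Health findings for the parsed table: every member active, load shares
    summing to about 100% in Load Sharing mode, exactly one local member, and
    optionally the expected member count. Empty list means nothing to report."""
    if not members:
        return ["no member rows parsed"]
    findings = []
    if expected_members is not None and len(members) != expected_members:
        findings.append(f"expected {expected_members} members, saw {len(members)}")
    for m in members:
        if m["state"] != "active":
            findings.append(f"member {m['number']} ({m['address']}) is {m['state']}")
    if mode and mode.startswith("Load Sharing"):
        total = sum(m["load"] for m in members)
        if abs(total - 100) > 2:                 # 33+33+33 = 99 is fine
            findings.append(f"assigned load sums to {total}%")
    if sum(1 for m in members if m["local"]) != 1:
        findings.append("exactly one member should be marked (local)")
    return findings


if __name__ == "__main__":
    mode, members = parse_cphaprob_stat(CPHAPROB_STAT_SAMPLE)
    print(mode, cluster_findings(mode, members, expected_members=3))
```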
[Diagram: ClusterXL Load Sharing, unicast mode. The answer to "Who is 62.90.111.3?" is the unicast MAC 00:80:00:01:02:03 of the pivot member (P), which receives the traffic sent to the VIP and forwards packets to the other member; the members (62.90.111.1 / 172.168.1.1 and 62.90.111.2 / 172.168.1.2) are joined by the synchronization link, and the internal router is 172.168.1.3.]
cphaprob stat
Cluster XL unicast mode
• Asymmetric routing
• Session from standby (forwarding)
• IGMP snooping
• Block new connections
• Different subnet
• MAC magic
• Disconnected interfaces
• Freeze mechanism
• Pinging the VIP
Asymmetric Routing
C2S (client-to-server direction) – Hash = X
S2C (server-to-client direction) – Hash = Y
Asymmetric Routing – cont.
Why bother?
– Race conditions (is the other member synced yet?)
– Features without sync (Security Servers)
When will this happen?
– NATed and encrypted connections
– Data connections
How does ClusterXL solve it?
– Flush and Ack mechanism – hold a packet that made a change in the kernel table until the change has been synced successfully
– NGX – SDF (Sticky Decision Function)
[Diagram: Flush and Ack – the packet that changed the kernel table is held, the sync update is sent to the other member, and the held packet is released once the sync acks arrive.]
Decision Function (DF)
Activate when…
– ClusterXL Load Sharing is used and asymmetric routing exists
– A feature that needs stickiness is used
Drawbacks
– Performance
– Supported platforms
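To make the asymmetric-routing problem and the stickiness the Decision Function restores concrete, here is an added example (not part of the course material, and not ClusterXL's real decision function, which the slides do not describe). It compares two ways of choosing a load-sharing member for a packet: a direction-sensitive hash of the 4-tuple, where the C2S packet gets hash X and the S2C packet of the same connection gets hash Y, and a "sticky" variant that orders the two endpoints before hashing so both directions land on the same member. SHA-256, the three-member cluster, and the constructed flow list are all assumptions of this example.

```python
import hashlib

# Constructed: three load-sharing members, as in the cphaprob stat table on the slides.
MEMBERS = 3


def _bucket(key, members=MEMBERS):
    """Map a string key to a member number 1..members using SHA-256.
    SHA-256 is an illustration; the slides do not describe ClusterXL's own hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % members + 1


def direction_sensitive_member(src, sport, dst, dport):
    """Hashes the tuple in packet order, so the C2S packet (hash X) and the S2C
    packet of the same connection (hash Y) can be handled by different members."""
    return _bucket(f"{src}:{sport}>{dst}:{dport}")


def sticky_member(src, sport, dst, dport):
    """Orders the two endpoints before hashing, so both directions of one
    connection hash identically: the stickiness the Decision Function provides."""
    lo, hi = sorted([(src, sport), (dst, dport)])
    return _bucket(f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}")


def asymmetric_fraction(choose, flows):
    """Fraction of flows whose C2S and S2C packets would land on different members,
    i.e. the flows that would need Flush and Ack or forwarding to be handled safely."""
    split = 0
    for src, sport, dst, dport in flows:
        if choose(src, sport, dst, dport) != choose(dst, dport, src, sport):
            split += 1
    return split / len(flows)


# Constructed flows: 200 internal clients talking to one web server on the outside.
FLOWS = [(f"172.168.1.{h}", 40000 + h, "62.90.111.10", 80) for h in range(10, 210)]

if __name__ == "__main__":
    print("direction-sensitive:", asymmetric_fraction(direction_sensitive_member, FLOWS))
    print("sticky:            ", asymmetric_fraction(sticky_member, FLOWS))
```

With three members the direction-sensitive hash splits roughly two thirds of the flows across different members (the return packet hits the same member only by chance, one time in three), while the sticky variant splits none; that is the trade the slide describes: the Decision Function buys predictable placement at a performance cost, because every packet now needs the endpoint-ordering step before it can be hashed.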
[Diagram: two Active members, each running the Sticky Decision Function; connection info is exchanged between them through Flush & Ack and Sync.]
3rd party clusters
Cluster states
Debugging tools
cphaprob
– list (look at pnotes)
– -a if (show interfaces)
– state (show cluster and members’ state)
– syncstat
Other tips
LAB exercise 1: configuration
Note: you may also turn on the fw module debug flag "filter" to monitor the policy installation, but that will increase the debug output.
Annex: Problematic scenarios
Session from standby (Forwarding).
On the standby:
IGMP
IGMP Snooping
IGMP snooping - the problem
Block new connections
[Diagram: host 172.16.6.10 behind the cluster members 172.16.6.2 and 172.16.6.1, with the external address 192.168.0.1 (routable IP) facing the Internet.]
Different Subnet
Mac magic and Forward magic
Disconnected Interfaces
Freeze mechanism
fwha_freeze_state_machine_timeout=30
Pinging the VIP
Solution:
fw_allow_simultaneous_ping
FireWall-1 treats ICMP Request and Reply packets as a single connection.
It uses the ICMP identifier as the destination port and zero as the source port, so that sequential ICMP requests are treated as the same connection.
To make a continuous ping keep working after failover, each ICMP request/reply pair has to be treated as a single connection of its own.
Using the ICMP sequence number as the source port achieves this.
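The difference between the two keying schemes is easiest to see on a stream of packets, so here is an added example (not part of the course material) that models the connection-table key for ICMP echo traffic as the slide describes it: the ICMP identifier stands in for the destination port, and the source port is zero by default or the ICMP sequence number when fw_allow_simultaneous_ping is set. A reply is keyed on the request's endpoints so that request and reply share one entry. The tuple layout, the packet record and the constructed ping run are assumptions of this example, not the real kernel structure.

```python
from collections import namedtuple

# Constructed ICMP echo packet record: kind is "request" or "reply".
IcmpPacket = namedtuple("IcmpPacket", "src dst kind icmp_id seq")


def icmp_connection_key(pkt, allow_simultaneous_ping=False):
    """Connection-table key for an ICMP echo packet, following the slide:
    destination port = ICMP identifier; source port = 0 by default, or the
    ICMP sequence number when fw_allow_simultaneous_ping is set.
    The tuple layout is an assumption of this example."""
    if pkt.kind == "reply":
        client, target = pkt.dst, pkt.src      # key the reply on the request's endpoints
    else:
        client, target = pkt.src, pkt.dst
    sport = pkt.seq if allow_simultaneous_ping else 0
    return (client, target, sport, pkt.icmp_id, "icmp")


def connection_entries(packets, allow_simultaneous_ping=False):
    """Distinct connection-table entries a stream of echo packets creates."""
    return {icmp_connection_key(p, allow_simultaneous_ping) for p in packets}


def ping_run(client, vip, icmp_id, count):
    """Constructed ping run: `count` requests with one identifier and increasing
    sequence numbers, each followed by its reply."""
    packets = []
    for seq in range(1, count + 1):
        packets.append(IcmpPacket(client, vip, "request", icmp_id, seq))
        packets.append(IcmpPacket(vip, client, "reply", icmp_id, seq))
    return packets


# Constructed: a host behind the cluster pinging the VIP from the slides.
PING = ping_run("172.168.1.3", "62.90.111.3", icmp_id=0x1A2B, count=5)

if __name__ == "__main__":
    print("default entries:             ", len(connection_entries(PING)))
    print("fw_allow_simultaneous_ping:  ", len(connection_entries(PING, True)))
```

Five requests and five replies produce a single entry under the default keying (identifier as destination port, zero as source port) and five entries once the sequence number is used as the source port; in both modes each reply maps onto the same key as its request.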