Security Administration

2013 Edition

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties
Preface

Training Blades and Certification

2 WAYS to EXTEND CCSA / CCSE for 1 YEAR

• Take and pass any 2 Training Blades (e.g. AppControl + Introduction to Gaia)

OR

• Attend and pass 1 instructor-led class, based on a 2-day course (e.g. Advanced IPS)

Certification Renewal Examples

CCSA Certification – Extension Options
Training Blades:
• Application Control
• Data Loss Prevention
• Introduction to Gaia
• Intrusion Prevention
• Threat Prevention
CCSA exam

CCSE Certification – Extension Options
Instructor Led Training:
• Advanced IPS
• SmartConsole Managed VSX
• P1 Managed VSX
• Endpoint
CCSE exam

Check Point Security Administration

Key Course Elements

• Overview of Check Point Technology
• Deploying a Security Policy and Monitoring Traffic
• Managing Users and Providing Access to Protected Resources
• Deploying Network Address Translation and VPNs

Course Chapters

1. Introduction to Check Point Technology
2. Deployment Platforms
3. Introduction to the Security Policy
4. Monitoring Traffic and Connections
5. Network Address Translation
6. Using SmartUpdate
7. User Management and Authentication
8. Identity Awareness
9. Introduction to Check Point VPNs

Lab Topology

Introduction to Check Point Technology

Learning Objectives

• Describe Check Point’s unified approach to network management, and the key elements of this architecture
• Design a distributed environment using the network detailed in the course topology
• Install the Security Gateway in a distributed environment, using the network detailed in the course topology

Check Point Security Management Architecture (SMART)

• The Check Point Security Management Architecture (SMART) is a core component of the Check Point unified security architecture.
• With SMART, security administrators can centrally configure, manage, monitor and report on all security devices, including endpoints, from a single console: the SmartDashboard.

Core Systems

• The Check Point core systems:
– SmartConsole
– Security Management Server
– Security Gateway

SMART

• SmartConsole:
– SmartConsole, the SmartCenter GUI, consists of several clients used to manage the Check Point security environment.

• Security Management Server:
– The Security Management Server stores and distributes Security Policies to multiple Security Gateways.

• Security Gateway:
– The Security Gateway is the firewalled machine on which the firewall software is installed; it is based on Stateful Inspection.

The Open Systems Interconnect (OSI) Model

• To better understand the capabilities of the basic firewall, understand the OSI model.

Controlling Network Traffic

• Check Point utilizes these technologies to deny or permit traffic, based on defined rules:
– Packet Filtering
– Stateful Inspection
– Application Intelligence

Packet Filtering

• Packet Filtering is a firewall in its most basic form.

Stateful Inspection

• Stateful Inspection examines the context of a packet by monitoring the state of the connection.
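
Packet filtering judges each packet on its own header fields; Stateful Inspection judges it in the context of a connection. The following Python model is an added example, not course material or Check Point code: it runs both techniques over constructed traffic in which a LAN client opens an HTTP connection, the server replies, and an outsider then sends an unsolicited packet from source port 80. The 10.1.1.0/24 LAN, the addresses, ports and class names are assumptions made for the example.

```python
"""Packet filtering versus Stateful Inspection on constructed traffic.

Added example, not Check Point code: a toy model of the two techniques
the slides contrast. Addresses and ports are constructed.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.1.1."   # constructed LAN
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # TCP SYN without ACK: first packet of a new connection


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt):
    """Stateless filter: each packet is judged on its own header fields.

    To let web replies back in, it needs a standing hole for
    'source port 80 -> internal host', which anyone outside can satisfy.
    """
    if is_internal(pkt.src) and pkt.dport == HTTP:
        return "accept"                      # LAN -> web
    if pkt.sport == HTTP and is_internal(pkt.dst):
        return "accept"                      # the reply hole
    return "drop"


class StatefulInspector:
    """Stateful Inspection: packets are judged in the context of a connection table."""

    def __init__(self):
        self.connections = set()   # (src, sport, dst, dport) of accepted client-initiated flows

    def inspect(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            return "accept"                  # belongs to a connection we saw established
        if not pkt.syn:
            return "drop"                    # mid-stream packet with no known connection
        if is_internal(pkt.src) and pkt.dport == HTTP:
            self.connections.add(forward)    # record the new connection's state
            return "accept"
        return "drop"


# Constructed traffic: the LAN client opens HTTP, the server replies, then an
# outsider sends an unsolicited packet from source port 80 to another LAN port.
TRAFFIC = [
    ("client SYN",        Packet("10.1.1.20", 51000, "198.51.100.9", HTTP, syn=True)),
    ("server reply",      Packet("198.51.100.9", HTTP, "10.1.1.20", 51000)),
    ("unsolicited probe", Packet("198.51.100.9", HTTP, "10.1.1.20", 4444)),
]


def compare(traffic=TRAFFIC):
    """Run both filters over the same packets. Returns {label: (stateless, stateful)}."""
    inspector = StatefulInspector()
    return {label: (packet_filter(pkt), inspector.inspect(pkt)) for label, pkt in traffic}


if __name__ == "__main__":
    for label, (stateless, stateful) in compare().items():
        print(f"{label:18} packet filter: {stateless:6} stateful inspection: {stateful}")
```

Both filters accept the client's request and the server's reply. Only the stateful inspector drops the third packet: nothing in the connection table explains it, and it is not the start of a new connection, which is the context a header-only filter never has.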

Application Intelligence

• Application Intelligence works with application-layer defenses.

Security Gateway Inspection Architecture

INSPECT Engine Packet Flow

• Sample flow of a new inbound packet.

Deployment Considerations

Standalone Deployment

• Security Management Server and Security Gateway installed on the same computer.

Distributed Deployment

• Security Management Server and Security Gateway installed on different computers.

Standalone Full HA Deployment

• Security Management Server and Security Gateway installed on different computers.

Bridge Mode

• A bridge mode deployment adds a Security Gateway to an existing environment without changing IP routing.

Check Point SmartConsole Clients

• SmartConsole consists of several clients used to manage the security environment.

SmartDashboard

• Tabs:
– Firewall
– App Control & URL Filtering
– DLP
– IPS
– Anti-Bot & Anti-Virus
– Anti-Spam and Mail
– Mobile Access
– IPSec VPN
– QoS
– Desktop

Check Point SmartConsole

• SmartConsole components can be accessed from SmartDashboard.

SmartView Tracker

• SmartView Tracker is used for managing and tracking logs and alerts.

SmartLog

• SmartLog enables enterprises to centrally track log records.

SmartEvent

• Event correlation for firewall, IPS, DLP and endpoints via a single console.

SmartView Monitor

• SmartView Monitor centrally monitors Check Point and OPSEC devices, presenting a complete visual picture of changes to gateways, tunnels, remote users and security activities.

SmartReporter

• SmartReporter centralizes network security reporting.

SmartUpdate

• SmartUpdate delivers automated software and license distribution to distributed Security Gateways from a single management console.

SmartProvisioning

• SmartProvisioning provides centralized administration and provisioning of Check Point security devices via a single management console.

SmartEndpoint

• SmartEndpoint is the management console for endpoint clients and their features.

Security Management Server

• The Security Management Server is used to manage the Security Policy.
• The Security Management Server maintains the Security Gateway databases.
• Policies are defined using SmartDashboard, and saved on the Security Management Server.

Managing Users in SmartDashboard

Securing Channels of Communication

• Communication must be encrypted
• Communication must be authenticated
• Transmitted communication should have data integrity
• The SIC (Secure Internal Communication) setup process that allows the intercommunication to take place must be user friendly

SIC Between Security Management Servers and Components

• SIC among Security Management Servers and components

Lab Practice

• Lab 1: Distributed Installation
• Lab 2: Branch Office Security Gateway Installation

Review Questions

1. What is the strength of Check Point’s Stateful Inspection Technology?
– The contents of the packet are examined, not just the header information.
– The state of the connection is monitored.

2. What are the advantages of Check Point’s Security Management Architecture (SMART)?
– SMART is a unified approach to centralizing Policy management and configuration, including monitoring, logging, analysis, and reporting within a single control center.

3. What is the main purpose of the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
– Used by the Security Administrator, the Security Management Server manages the Security Policy. In order to perform that role, the Security Management Server must establish SIC with other components, so that communication is verified and management can be performed on any component on the network.

Deployment Platforms

Learning Objectives

• Given network specifications, perform a backup and restore the current Gateway installation from the command line.
• Identify critical files needed to purge or back up, import and export users and groups, and add or delete administrators from the command line.
• Deploy Gateways using sysconfig and cpconfig from the Gateway command line.

Security Appliances

• Check Point Security Appliances are integrated hardware devices that are preinstalled with essential software blades to produce a comprehensive, turnkey security gateway solution.

• Data Center:
– 61000 Security System – fastest security appliance, offering scalable performance for data centers and telecommunication companies.
– 21000 Appliance – industry's best security performance in their class, offering unmatched scalability, serviceability and port density.
– IAS Bladed Hardware – provides organizations with the ultimate choice in carrier-grade chassis.

• Large Enterprise:
– 12000 Appliance – multi-core security technology and high port density, ideally suited for perimeter security.
– IP Appliance – offers turnkey and modular security functionality with integrated firewall, VPN, IPS, Application Control, Identity Awareness and more.
– IAS-D, M, and R Appliance – powered by HP, the IAS-Series of appliances provide integrated software and hardware bundles and direct support that are customized to organizations' exact specifications.

• Medium-Sized Business:
– 4000 Appliance – offers complete and integrated security solutions in a compact 1U form factor.

• Small Business & Branch Office:
– 2200 Appliance – offers enterprise grade security and performance in a compact desktop form factor.
– Series 80 Appliance – extends Software Blades to the edge of the network.
– UTM-1 Edge – all-in-one appliance for branch offices.
– Safe@Office – integrated firewall, IPS, anti-malware, URL filtering, and more.
– Cloud-Managed Security Service – effective security in a managed solution.

• Virtualized:
– Virtual Systems – taps the power of virtualization to consolidate and simplify security for private clouds.
– Security Gateway Virtual Edition – protects virtualized environments and external networks.
– Virtual Appliance for Amazon Web Services – Security Gateway for virtual environments in the Amazon Cloud.

• Dedicated Appliances:
– Secure Web Gateway Appliance – real-time protection against web-borne malware.
– Threat Prevention Appliance – prevents advanced threats and malware attacks.
– DDoS Protector – blocks Denial of Service attacks within seconds.

Check Point Appliance Selection Tool

• Check Point SecurityPower™
– Allows customers to select security appliances by capacity
– Accurate appliance sizing to meet needs

Security Software Blades

• Threat Prevention
– ThreatCloud – Feeds security gateway software blades real-time security intelligence.

• Security Gateway Software Blades
– Firewall – Industry’s strongest level of gateway security and identity awareness
– IPSec VPN – Secure connectivity to corporate networks for remote users
– Application Control – Application security and identity control
– URL Filtering – Optimized web security
– Anti-Bot – Detects bot-infected machines, prevents bot damage
– Antivirus – Uses ThreatCloud to detect and block malware in real time
– Identity Awareness – Granular visibility of users, groups, and machines for access control
– DLP – Preemptively protects sensitive information
– Web Security – Detects and prevents attacks launched against the Web infrastructure
– Anti-Spam & Email Security – Protection for messaging infrastructure
– Advanced Networking & Clustering – Simplifies complex network security deployment and management
– Voice over IP – Deploys secure VoIP applications

• Remote Access Solutions
– Mobile Access Software Blade – Safely connect to corporate applications over the Internet with a smartphone, tablet, or PC
– Endpoint Security with Remote Access – Secure and seamless access to corporate networks remotely
– Check Point GO – Turns any PC into your corporate desktop

Check Point Gaia

• Check Point Gaia™ is the unified, cutting-edge secure operating system for all Check Point appliances, open servers and virtualized gateways. Gaia was derived from IPSO and SecurePlatform.

History – Power of Two

• IPSO
– Developed by Ipsilon Networks
– Based on FreeBSD
– Hardened secure operating system
– Kernel statistics
– Purchased from Nokia in 2009

• SecurePlatform
– Developed by Check Point
– Based on Red Hat
– Hardened secure operating system
– Management performed through a restricted shell
– Supports SecureXL

Gaia

• Combines the best features of IPSO and SecurePlatform
• Increases operational efficiency with a wide range of features
• A secure platform for the most demanding environments
• Provides for role-based administration
• Web-based user interface for all commands and properties
• Compatible with IPSO and SPLAT CLI commands

Gaia Architecture

• Fully compatible with IPSO and SPLAT CLI commands
• Web-based user interface with search navigation
• Role-based administrative access
• Support for industry standard authentication
• Support for industry standard monitoring
• Intelligent software updates
• Automatic Security Gateway deployments
• Manageable dynamic routing suite
• Native IPv4 and IPv6 support
• Link aggregation
• ClusterXL or VRRP clusters
• High connection capacity
• Full software blade support

Gaia System Information

• Gaia system information is accessible through the WebUI and some CLI commands.

Gaia Architecture

• Gaia Widgets
– System Overview
– Network Configuration
– Memory Monitor
– CPU Monitor
– Security Configuration

Lab Practice

• Lab 3: CLI Tools

Review Questions

1. What are some of the advantages in deploying UTM-1 Edge Appliances?
– Easy to install and configure
– Can participate in corporate VPN
– Security Policy can be enforced on the appliance
– Status and traffic can be monitored
– Device firmware can be automatically updated

2. How do you manage an IP Appliance?
– Through the WebUI
– Through the CLI

3. What does SecurePlatform Pro provide over SecurePlatform?
– Dynamic routing support
– Centralized Administrator management via RADIUS

4. What are the two critical Check Point directories?
– $FWDIR/conf contains Rule Bases, objects, and the user database
– $FWDIR/bin contains import and export tools
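
$FWDIR/conf is named above as the directory holding the Rule Bases, objects and user database, and the chapter objectives call for backing up and restoring the installation from the command line. The Python below is an added example, not a Check Point utility and not the product's own backup/restore commands: it archives a conf directory, writes a SHA-256 manifest beside the archive, and verifies an archive against that manifest before anything is restored, so a backup altered in storage is detected. The file names inside conf and the temporary directories are constructed for the demonstration.

```python
"""Checksummed backup of a Check Point configuration directory.

Added example, not a Check Point tool. Assumes $FWDIR/conf holds the files
to protect (the course names it as the directory with Rule Bases, objects and
the user database); file names used in the demo are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_conf(fwdir, dest_dir):
    """Archive $FWDIR/conf and write a manifest of per-file SHA-256 digests.

    Returns (archive_path, manifest_path). Keep the manifest somewhere the
    archive's storage cannot alter, or sign it; it is the reference for verify_backup.
    """
    conf = os.path.join(fwdir, "conf")
    manifest = {}
    for root, _dirs, files in os.walk(conf):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, fwdir)] = sha256_file(full)
    archive = os.path.join(dest_dir, "fwdir-conf.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(conf, arcname="conf")
    manifest_path = os.path.join(dest_dir, "fwdir-conf.manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Extract into a scratch directory and compare every digest.

    Returns the relative paths that are missing or altered; an empty list
    means the archive matches the manifest and is safe to restore from.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            root = os.path.realpath(scratch)
            for member in tar.getmembers():   # refuse members that would escape scratch
                dest = os.path.realpath(os.path.join(scratch, member.name))
                if dest != root and not dest.startswith(root + os.sep):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            try:
                tar.extractall(scratch, filter="data")   # Python 3.12+ safe-extraction filter
            except TypeError:                            # older Python: the check above applies
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            path = os.path.join(scratch, rel)
            if not os.path.isfile(path) or sha256_file(path) != digest:
                problems.append(rel)
    return problems


def demo():
    """Build a constructed $FWDIR, back it up, verify, tamper with the archive, verify again."""
    with tempfile.TemporaryDirectory() as fwdir, tempfile.TemporaryDirectory() as dest:
        conf = os.path.join(fwdir, "conf")
        os.makedirs(conf)
        samples = {"rulebase.sample": "Rule 1 accept\n",        # constructed stand-ins for
                   "objects.sample": "host web 172.16.0.80\n",  # Rule Base, objects and
                   "users.sample": "alice:hash\n"}              # user database files
        for name, body in samples.items():
            with open(os.path.join(conf, name), "w") as f:
                f.write(body)
        archive, manifest = backup_conf(fwdir, dest)
        clean = verify_backup(archive, manifest)
        # Someone edits the stored copy of the Rule Base and re-packs the archive.
        with open(os.path.join(conf, "rulebase.sample"), "a") as f:
            f.write("Rule 0 accept Any Any Any\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(conf, arcname="conf")
        tampered = verify_backup(archive, manifest)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The first verification returns an empty list; the second names conf/rulebase.sample, the one file whose digest no longer matches, so the altered archive is rejected before it can be restored onto a management server.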

Introduction to the Security Policy

Learning Objectives

• Given the network topology, create and configure network, host and gateway objects.
• Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
• Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
• Evaluate existing policies and optimize the rules based on current corporate requirements.
• Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.

Security Policy Basics

• The Security Policy is a set of rules that defines your network security.

Managing Objects in SmartDashboard

Object Types

• Network
• Services
• Resources
• Servers and OPSEC Applications
• Users and Administrators
• VPN Communities

Managing Objects

• The Objects Tree is the main view for managing objects.

Creating Objects

• When creating objects, consider organizational needs:
– What are the physical components in the network?
– What are the logical components – services, resources, applications?
– What components access the firewall?
– Who are the users, and how should they be grouped?
– Who are the administrators, and what are their roles?
– Will VPN be used, and will it allow remote users?

Creating the Rule Base

• Each rule in a Rule Base defines the packets that match the rule.

Default Rule

• The Default Rule is added when you add a rule to the Rule Base.

Basic Rules

• Two basic rules used by nearly all Security Gateway administrators:
– Cleanup rule
– Stealth rule

Implicit/Explicit Rules

Control Connections

• There are three types of Control Connections, defined by default rules:
– Gateway specific traffic
– Acceptance of IKE and RDP traffic
– Communication with various types of servers

Detecting IP Spoofing

• Spoofing is where an intruder attempts to gain unauthorized access by altering a packet’s IP address.

Rule Base Management

Before creating a Rule Base:

• Which objects are in the network?
• Which user permissions and authentication schemes are needed?
• Which services, including customized services and sessions, are allowed across the network?

Rule Base Order

1. IP spoofing/IP options
2. First
3. Explicit
4. Before Last
5. Last
6. Implicit Drop
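
The order above, together with the Cleanup and Stealth rules and the anti-spoofing check from the earlier slides, can be walked through in code. The following Python model is an added example and is not Check Point code or the INSPECT engine: it evaluates constructed packets against a constructed topology and Rule Base in the listed order and records which stage matched. It shows why the implied "First" control-connection rule and an administrator-access rule must precede the Stealth rule, and what happens to traffic that reaches the end of the Rule Base with and without a Cleanup rule. All addresses, interface names, service names and rule names are assumptions made for the example.

```python
"""First-match Rule Base evaluation in the order the chapter lists.

Added example, not Check Point code. Order modelled:
  1. anti-spoofing  2. First (implied)  3. Explicit  4. Before Last (implied)
  5. Last (implied)  6. Implicit Drop.
Topology, addresses, services and rules below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed gateway topology: the networks legitimately behind each internal interface.
INTERNAL_NETS = {
    "eth1": [ip_network("10.1.1.0/24")],     # LAN
    "eth2": [ip_network("172.16.0.0/24")],   # DMZ
}
EXTERNAL_IF = "eth0"
GATEWAY_ADDRS = {"10.1.1.1", "172.16.0.1", "203.0.113.1"}   # the gateway's own addresses
MGMT_SERVER = "10.1.1.10"                                    # constructed management server


def matches(obj, value):
    """Rule column object: 'Any', the gateway itself, a network, or a single address."""
    if obj == "Any":
        return True
    if obj == "Gateway":
        return value in GATEWAY_ADDRS
    if "/" in obj:
        return ip_address(value) in ip_network(obj)
    return value == obj


def anti_spoofing(pkt):
    """Step 1: a source address that cannot legitimately arrive on this interface is spoofed."""
    src, iface = ip_address(pkt["src"]), pkt["iface"]
    if iface == EXTERNAL_IF:
        return any(src in n for nets in INTERNAL_NETS.values() for n in nets)
    return not any(src in n for n in INTERNAL_NETS[iface])


# Implied rules come from Global Properties in the product; these are constructed stand-ins.
FIRST_IMPLIED = [
    {"name": "control connections", "src": MGMT_SERVER, "dst": "Gateway",
     "svc": "control", "action": "accept", "log": False},
]
BEFORE_LAST_IMPLIED = []
LAST_IMPLIED = []

# Explicit Rule Base as an administrator would build it: access to the gateway for the
# admin host, then the Stealth rule, then traffic rules, then the Cleanup rule.
EXPLICIT = [
    {"name": "admin access",  "src": "10.1.1.50",   "dst": "Gateway",      "svc": "ssh",  "action": "accept", "log": True},
    {"name": "stealth",       "src": "Any",         "dst": "Gateway",      "svc": "Any",  "action": "drop",   "log": True},
    {"name": "dmz web",       "src": "Any",         "dst": "172.16.0.80",  "svc": "http", "action": "accept", "log": True},
    {"name": "lan outbound",  "src": "10.1.1.0/24", "dst": "Any",          "svc": "http", "action": "accept", "log": True},
    {"name": "cleanup",       "src": "Any",         "dst": "Any",          "svc": "Any",  "action": "drop",   "log": True},
]


def rule_matches(rule, pkt):
    return (matches(rule["src"], pkt["src"]) and matches(rule["dst"], pkt["dst"])
            and rule["svc"] in ("Any", pkt["svc"]))


def evaluate(pkt, explicit=EXPLICIT):
    """Return (action, stage, logged) for the first match in Rule Base order."""
    if anti_spoofing(pkt):
        return ("drop", "anti-spoofing", True)
    stages = [("first", FIRST_IMPLIED), ("explicit", explicit),
              ("before last", BEFORE_LAST_IMPLIED), ("last", LAST_IMPLIED)]
    for stage, rules in stages:
        for rule in rules:
            if rule_matches(rule, pkt):
                return (rule["action"], f"{stage}: {rule['name']}", rule["log"])
    return ("drop", "implicit drop", False)   # nothing matched: dropped, and not logged


# Constructed packets: arrival interface, source, destination, service.
SAMPLE = {
    "spoofed":         {"iface": "eth0", "src": "10.1.1.7",     "dst": "172.16.0.80", "svc": "http"},
    "mgmt_control":    {"iface": "eth1", "src": "10.1.1.10",    "dst": "10.1.1.1",    "svc": "control"},
    "admin_ssh":       {"iface": "eth1", "src": "10.1.1.50",    "dst": "10.1.1.1",    "svc": "ssh"},
    "lan_telnet_gw":   {"iface": "eth1", "src": "10.1.1.20",    "dst": "10.1.1.1",    "svc": "telnet"},
    "lan_web":         {"iface": "eth1", "src": "10.1.1.20",    "dst": "198.51.100.9", "svc": "http"},
    "inbound_dmz":     {"iface": "eth0", "src": "198.51.100.9", "dst": "172.16.0.80", "svc": "http"},
    "inbound_lan_ssh": {"iface": "eth0", "src": "198.51.100.9", "dst": "10.1.1.20",   "svc": "ssh"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:16} {evaluate(pkt)}")
    print("without cleanup:", evaluate(SAMPLE["inbound_lan_ssh"], explicit=EXPLICIT[:-1]))
```

Two results carry the lesson of the ordering. The management server's control connection is accepted at the "First" stage, before the Stealth rule could drop it, and the administrator's SSH session is accepted only because its rule sits above the Stealth rule. The unsolicited inbound SSH packet is dropped by the Cleanup rule with a log entry; evaluating the same packet with the Cleanup rule removed (EXPLICIT[:-1]) drops it at the implicit drop with no log, which is why the Cleanup rule is one of the two basic rules.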

Policy Management and Revision Control

Multicasting

• Multicasting transmits a single message to a select group.

Lab Practice

 Lab 4: Building a Security Policy


 Lab 5: Configuring a DMZ

82

©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 97
Review Questions

1. Objects are created by the Security Administrator to represent actual hosts and devices, as well as services and resources, to use when developing the Security Policy. What should the Administrator consider before creating objects?
– What are the physical and logical components that make up the organization?
– Who are the users and administrators, and how should they be grouped, i.e. access permissions, location (remote or local), etc.?

2. What are some important considerations when formulating or updating a Rule Base?
– Which objects are in the network, i.e., gateways, routers, hosts, networks, or domains?
– Which user permissions and authentication schemes are required?
– Which services, including customized services and sessions, are allowed across the network?
Monitoring Traffic and Connections

Learning Objectives

• Use Queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.
• Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.
• Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements.
SmartView Tracker

SmartView Tracker – Log Types

• Predefined
• Custom

SmartView Tracker – Tabs

• Network & Endpoint
• Active
• Management

SmartView Tracker – Action Icons

Log File Management

1. Open Log File
2. Save Log File As
3. Switch Log File
4. Remote File Management
5. Show or Hide Progress
6. Query Options
Administrator Auditing

• Administrator login and logout
• Object creation, deletion, edits
• Rule Base changes

Global Logging and Alerting

• VPN successful key exchange
• VPN packet handling errors
• VPN configuration and key exchange errors
• IP Options drop
• Administrative notifications
• SLA violations
• Connection matched by SAM
• Dynamic Object resolution failure
• Log every authenticated HTTP connection
• Log VoIP connection
Time Settings

• Excessive log grace period
• SmartView Tracker resolving
• Virtual Link statistics logging interval
• Status fetching interval

Blocking Connections

• Block Intruder function

SmartView Monitor

• High performance network and security analysis
SmartView Monitor – Customized Views

• Create views based on your specific needs, such as:
– Status
– Traffic
– System stats
– Tunnels

Tunnel View

• Monitor the health of your VPN tunnels

Remote Users View

• Keep track of your VPN remote users

Cooperative Enforcement View

• Verify host connections with Integrity Server
Monitoring Suspicious Activity Rules

• Suspicious-activity monitoring is used to modify access privileges upon detection of any suspicious network activity.

Monitoring Alerts

• Alerts provide real-time information about vulnerabilities to computing systems and how they can be eliminated.
– They are defined per product
– They may be global or per Gateway
– They are displayed and viewed in SmartView Monitor
• After reviewing the status of certain clients in SmartView Monitor, you may:
– Disconnect Client
– Stop/Start Cluster Member
Gateway Status

• Status Information:
– Check Point Gateways
– OPSEC Gateways
– Check Point Software Blades

Overall Status / Blade Status

• OK – Working properly
• Attention – Minor problem
• Problem – Malfunction
• Waiting – 30 second connection period
• Disconnected – No communication
• Untrusted – SIC failed
SmartView Tracker vs. SmartView Monitor

• SmartView Tracker
– Ensure network components are operating properly
– Troubleshoot system and security issues
– Gather information for legal or audit purposes
– Generate reports to analyze network-traffic patterns
– Terminate connections from specific IP addresses
• SmartView Monitor
– Centrally monitor Check Point & OPSEC devices
– Present a complete picture of changes to Gateways, tunnels, remote users, security activities
– Maintain high network availability
– Improve efficiency of bandwidth use
– Track SLA compliance

Lab Practice

• Lab 6: Monitoring with SmartView Tracker
Review Questions

1. Discuss the benefits of using SmartView Monitor instead of SmartView Tracker in monitoring network activity.
– SmartView Monitor presents an overall view of changes throughout the network.
– SmartView Tracker focuses on individual connections.
– SmartView Monitor also helps the Administrator identify traffic-flow patterns that may signify malicious activity, maintain network availability, and improve efficient bandwidth use.

2. Why is there a warning message when switching to Active mode in SmartView Tracker?
– There are performance implications for memory and network resources in Active mode, since data is being actively logged.
Network Address Translation

Learning Objectives

• Configure NAT rules on Web and Gateway Servers

Introduction to NAT

• Reasons for employing NAT:
– Private IP addresses used in internal networks
– Limiting external network access
– Ease and flexibility of network administration
• Source NAT = IP of machine (client) initiating the connection
• Destination NAT = IP of machine receiving the connection
Types of NAT

• Hide NAT (Dynamic NAT)
– Many-to-one relationship
– Multiple computers represented by one IP address
– Only allows connections from protected side of gateway
• Static NAT
– One-to-one relationship
– Each host translated to unique IP address
– Connections initiated internally and externally

IP Addressing

• Addresses allocated for Private Networks
– Class A network = 10.0.0.0 – 10.255.255.255
– Class B network = 172.16.0.0 – 172.31.255.255
– Class C network = 192.168.0.0 – 192.168.255.255

Hide NAT

(Diagram: Hide NAT)

Static NAT

(Diagram: static NAT mapping between 85.10.1.4 and 10.1.1.101)
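As an added example (not code from the Check Point courseware), the Python model below contrasts the two NAT types from the slides above: Hide NAT, where many hosts share one address and only protected-side hosts can open connections, and Static NAT, where the slide's 85.10.1.4 / 10.1.1.101 pair works in both directions. It also checks the private ranges from the IP Addressing slide. The gateway address, the web server and the client hosts and ports are constructed, and the port-based connection table is a simplification of the real gateway's.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

# The private ranges from the IP Addressing slide (RFC 1918).
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
                  ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
                  ip_network("192.168.0.0/16")]    # 192.168.0.0 - 192.168.255.255


def is_private(addr: str) -> bool:
    """True if the address must be translated before it can appear on the Internet."""
    a = ip_address(addr)
    return any(a in n for n in PRIVATE_RANGES)


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One-to-one: each host owns a public address, so connections may start
    on either side of the gateway."""

    def __init__(self, public_to_private: dict):
        self.pub_to_priv = dict(public_to_private)
        self.priv_to_pub = {v: k for k, v in public_to_private.items()}

    def outbound(self, c: Conn) -> Optional[Conn]:
        pub = self.priv_to_pub.get(c.src)
        return replace(c, src=pub) if pub else None

    def inbound(self, c: Conn) -> Optional[Conn]:
        priv = self.pub_to_priv.get(c.dst)
        return replace(c, dst=priv) if priv else None


class HideNat:
    """Many-to-one: every host is hidden behind one address and told apart by
    the source port the gateway assigns. Table entries are created only by
    connections that start on the protected side, so an unsolicited inbound
    packet has nothing to map to and is refused."""

    def __init__(self, hide_addr: str, first_port: int = 10000):
        self.hide_addr = hide_addr
        self.ports = count(first_port)
        self.table = {}   # assigned port -> (original src, original sport)

    def outbound(self, c: Conn) -> Conn:
        for port, original in self.table.items():
            if original == (c.src, c.sport):       # existing connection
                return replace(c, src=self.hide_addr, sport=port)
        port = next(self.ports)                    # new connection: allocate a port
        self.table[port] = (c.src, c.sport)
        return replace(c, src=self.hide_addr, sport=port)

    def inbound(self, c: Conn) -> Optional[Conn]:
        # Simplified: a real gateway also matches the remote peer's address.
        if c.dst != self.hide_addr or c.dport not in self.table:
            return None
        src, sport = self.table[c.dport]
        return replace(c, dst=src, dport=sport)


def demo() -> dict:
    """Constructed traffic through both NAT types; every address other than the
    slide's 85.10.1.4 / 10.1.1.101 pair is made up for this example."""
    hide = HideNat("203.0.113.1")                       # gateway external address
    static = StaticNat({"85.10.1.4": "10.1.1.101"})     # the pair from the slide
    results = {}
    # Two internal clients reach the same web server through one hiding address.
    a = hide.outbound(Conn("10.1.1.7", 40001, "198.51.100.80", 80))
    b = hide.outbound(Conn("10.1.1.8", 40001, "198.51.100.80", 80))
    results["hide_shared_addr"] = (a.src, b.src)
    results["hide_distinct_ports"] = a.sport != b.sport
    # The server's reply to client A is mapped back through the table.
    reply = hide.inbound(Conn("198.51.100.80", 80, "203.0.113.1", a.sport))
    results["hide_reply_to"] = (reply.dst, reply.dport)
    # Nobody inside opened this connection: the protected-side-only property.
    results["hide_unsolicited"] = hide.inbound(Conn("198.51.100.9", 5555, "203.0.113.1", 22))
    # Static NAT: the published server accepts connections from outside...
    inb = static.inbound(Conn("198.51.100.9", 5555, "85.10.1.4", 443))
    results["static_inbound_to"] = (inb.dst, inb.dport)
    # ...and its own outbound traffic always carries the same public address.
    out = static.outbound(Conn("10.1.1.101", 40002, "198.51.100.80", 80))
    results["static_outbound_src"] = out.src
    results["needs_nat"] = tuple(is_private(x) for x in
                                 ("10.1.1.101", "172.31.255.1", "172.32.0.1", "85.10.1.4"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```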
NAT – Global Properties

• Allow bi-directional NAT
• Translate Destination on client side
• Automatic ARP
• Merge manual proxy ARP

Object Configuration – Hide NAT

• Address translation rules are divided into two elements
– Original Packet
– Translated Packet

Hide NAT Using Another Interface IP Address

Static NAT
Manual NAT

• Instances where remote networks only allow specific IP addresses.
• Situations where translation is desired for some services, and not for others.
• Environments where more granular control of address translation in VPN tunnels is needed.
• Enterprises where Address Translation Rule Base order must be manipulated.
• When port address translation is required.
• Environments where granular control of address translation between internal networks is required.
• When a range of IP addresses, rather than a network, will be translated.

ARP

• If Manual NAT rule creation is used, the Gateway ARP table must be edited:
– Hide NAT, Security Gateway in Translated Packet, Source field — No additional ARP table entries are required.
– Hide NAT, hiding behind an IP address not assigned to the Security Gateway — Add an ARP table entry to the Security Gateway for the hiding address.
– Static NAT — Add ARP table entries to the Security Gateway for all hiding addresses.

Lab Practice

• Lab 7: Configuring NAT
Review Questions

1. What are some reasons for employing NAT in a network?
– When requiring private IP addresses in internal network.
– To limit external-network access
– To ease network administration

2. When would an Administrator favor using Manual NAT over Automatic NAT?
– Instances where remote networks only allow specific IPs
– Situations where translation is desired for some services, not for others
– Environments where more granular control of address translation in VPN tunnels is needed
– Enterprises where Address Translation Rule Base order must be manipulated
– When port address translation is required (port forwarding)
– Environments where granular control of address translation between internal networks is required
– When a range of IP addresses, rather than a network, will be translated
Using SmartUpdate

Learning Objectives

• Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.
• Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.
• Upgrade and attach product licenses using SmartUpdate.

SmartUpdate and Managing Licenses

SmartUpdate Architecture

SmartUpdate Introduction

Overview of Managing Licenses
License Terminology

• Add
• Attach
• Certificate Key
• CPLIC
• Detached
• Upgrade Status
• Get
• License Expiration
• Multi-License File
• Features

License State

• Attached
• Unattached
• Requires Upgrade
• Assigned

Upgrading Licenses

• New Licenses need to be attached when:
– Existing license expires
– Existing license is upgraded
– Local license replaced with central license
– IP address changes

Service Contracts
Review Questions

1. What can be upgraded remotely using SmartUpdate?
– VPN-1 Gateways
– Hotfixes, HFAs, and patches
– 3rd party OPSEC applications
– UTM Edge devices
– Nokia operating systems
– Check Point SecurePlatform

2. What two repositories does SmartUpdate install on the Security Management Server?
– License & Contract Repository in $CPDIR\conf
– Package Repository in C:\Suroot (Windows), /var/suroot (UNIX)

3. What does the Pre-Install Verifier check?
– Operating-system compatibility
– Disk-space availability
– Package not already installed
– Package dependencies met
User Management and Authentication

Learning Objectives

• Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.
• Manage users' access to the corporate LAN by using external databases.

Creating Users and Groups

• Authentication rules are defined by user groups.
• First define your users, then add them to groups to define authentication rules.

User Types

• External User Profile
• Groups
• LDAP Groups
• Templates
• Users

Types of Authentication

• User Authentication
• Session Authentication
• Client Authentication

Authentication Types
Authentication Schemes

• Check Point Password
• Operating System Password
• RADIUS
• SecurID
• TACACS
• Undefined

User Authentication (Legacy)

Session Authentication (Legacy)

Client Authentication Sign-On

Client Authentication Sign-on Methods

• Partially Automatic Sign-on
• Fully Automatic Sign-on
• Agent Automatic Sign-on
• Single Sign-on
LDAP User Management with SmartDirectory

• LDAP is based on the client/server model
• Each entry has a unique DN
• Default port numbers – 389 & 636
• Each LDAP server is an Account Unit

Distinguished Name

Multiple LDAP Servers

Configuring Entities to Work with the Gateway

Defining Account Units

Managing Users

UserDirectory Group

Lab Practice

• Lab 8: Configure User Directory
Review Questions

1. User Auth can only be used for what services?
– Telnet
– FTP
– HTTP
– rlogin
– HTTPS

2. When using Session Authentication, what is needed to retrieve a user’s identity?
– Session Authentication Agent

3. What are the advantages of using multiple LDAP servers?
– Compartmentalization
– High Availability
– Faster access time

4. Why integrate the Security Gateway and SmartDirectory (User Directory)?
– To query user info
– To enable CRL retrieval
– To enable user management
– To authenticate users
Identity Awareness

Learning Objectives

• Use Identity Awareness to provide granular level access to network resources.
• Acquire user information used by the Security Gateway to control access.
• Define Access Rules for use in an Identity Awareness rule.
• Implement Identity Awareness in the Firewall Rule Base.

Introduction to Identity Awareness

• Identity Awareness – configure network access and auditing based on network location, identity of user, identity of machine.
• Identity Awareness – shows user activity in SmartView Tracker and SmartEvent based on user and machine name, not just IP address.
AD Query

• Recommended for
– Identity based auditing and logging
– Leveraging identity in Internet application control
– Basic identity enforcement in the internal network
• Easily deployed, clientless identity acquisition method, based on Active Directory integration
• Transparent to the user

Firewall Rule Base Example

Scenario: Laptop Access

• The gateway policy permits access to HR Web Server only from John's desktop, which is assigned a static IP address 10.0.0.19
• John wants access from anywhere in the organization
• Current Rule:

Scenario: Laptop Access – Solution

• John wants to move around the organization and have access.
– Enable Identity Awareness on Gateway
– Select AD Query as one of the Identity Sources
• Check SmartView Tracker – system identifies John in logs
• Add access role object to Firewall Rule Base
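As an added example (not code from the Check Point courseware), the Python model below plays out the laptop scenario: first the rule that names John's desktop by its static IP 10.0.0.19, then the same gateway with Identity Awareness enabled, AD Query as the identity source, and an Access Role (Users, Machines and Networks tabs) in the rule's Source, so that the decision and the log entry follow the user rather than the address. The HR Web Server address, the laptop addresses, the machine names and the other user are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Union

HR_WEB = "10.0.0.50"   # constructed address for the HR Web Server


@dataclass
class Identity:
    """What an identity source such as AD Query associates with a client IP."""
    user: str
    machine: str
    source: str


@dataclass
class AccessRole:
    """Mirrors the Access Role object's tabs: Users, Machines and Networks.
    An empty set or list stands for 'Any'."""
    name: str
    users: set = field(default_factory=set)
    machines: set = field(default_factory=set)
    networks: list = field(default_factory=list)

    def matches(self, ip: str, ident: Optional[Identity]) -> bool:
        if self.networks and not any(ip_address(ip) in n for n in self.networks):
            return False
        if self.users and (ident is None or ident.user not in self.users):
            return False
        if self.machines and (ident is None or ident.machine not in self.machines):
            return False
        return True


@dataclass
class Rule:
    name: str
    source: Union[str, AccessRole]   # a host object (its IP) or an Access Role
    dst: str
    action: str


class Gateway:
    def __init__(self, identity_awareness: bool):
        self.identity_awareness = identity_awareness
        self.identities = {}     # client IP -> Identity
        self.rules = []

    def ad_query_logon(self, ip: str, user: str, machine: str) -> None:
        """AD Query: the gateway learns user and machine from the domain
        controller's logon events, with no agent on the client."""
        if self.identity_awareness:
            self.identities[ip] = Identity(user, machine, "AD Query")

    def decide(self, src_ip: str, dst: str) -> tuple:
        """Return (action, rule, log line). The log names the user when known,
        which is what SmartView Tracker shows once Identity Awareness is on."""
        ident = self.identities.get(src_ip)
        action, rule_name = "drop", "implicit"
        for r in self.rules:
            if r.dst != dst:
                continue
            if isinstance(r.source, AccessRole):
                hit = r.source.matches(src_ip, ident)
            else:
                hit = r.source == src_ip
            if hit:
                action, rule_name = r.action, r.name
                break
        log = (f"src={src_ip} user={ident.user if ident else '-'} "
               f"machine={ident.machine if ident else '-'} dst={dst} "
               f"rule={rule_name} action={action}")
        return (action, rule_name, log)


def demo() -> dict:
    results = {}
    # Before: the rule names John's desktop by its static IP 10.0.0.19.
    gw = Gateway(identity_awareness=False)
    gw.rules = [Rule("hr_web_from_desktop", "10.0.0.19", HR_WEB, "accept")]
    gw.ad_query_logon("10.0.0.57", "john", "LAPTOP-J")     # ignored: IA is off
    results["before_desktop"] = gw.decide("10.0.0.19", HR_WEB)[0]
    results["before_laptop"] = gw.decide("10.0.0.57", HR_WEB)[0]
    # After: enable Identity Awareness, take identities from AD Query and put an
    # Access Role for John (any machine, internal networks) in the rule's Source.
    gw = Gateway(identity_awareness=True)
    john = AccessRole("John_any_machine", users={"john"},
                      networks=[ip_network("10.0.0.0/8")])
    gw.rules = [Rule("hr_web_for_john", john, HR_WEB, "accept")]
    gw.ad_query_logon("10.0.0.57", "john", "LAPTOP-J")
    gw.ad_query_logon("10.0.0.78", "alice", "PC-A")
    results["after_laptop"] = gw.decide("10.0.0.57", HR_WEB)
    results["after_alice"] = gw.decide("10.0.0.78", HR_WEB)[0]
    results["after_unknown"] = gw.decide("10.0.0.77", HR_WEB)[2]   # nobody logged on
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} {value}")
```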
Identity Awareness

Browser- Based Authentication

 Browser-based Authentication acquires identity from


unidentified users.
 Acquisition methods:
– Captive Portal
– Transparent Kerberos Authentication

173

©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 203
Identity Awareness

Browser- Based Authentication

 Captive Portal – authenticates users through a Web


interface. Recommended for:
– Identity based enforcement for non AD users
– Deployment of Endpoint Identity Agents

173

©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 204
Identity Awareness

Browser- Based Authentication

 Transparent Kerberos – browser attempts to authenticate


users before Captive Portal page opens.
– Captive Portal requests authentication data from browser
– If request successful, user redirected to destination
– If request fails, user must enter Captive Portal credentials

173

©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 205
Identity Awareness

Browser- Based Authentication

 Captive Portal in Firewall rule base

174

©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 206
Identity Awareness

Browser-Based Authentication

 Transparent Kerberos:
– User wants to access Internal Data Center
– Identity Awareness does not recognize user, redirects browser to Transparent Authentication page
– Transparent Authentication page asks browser to authenticate itself
– Browser gets Kerberos ticket from Active Directory, and gives it to Transparent Authentication page
– Transparent Authentication page sends ticket to Security Gateway, which authenticates user, redirects to original URL
– If Kerberos authentication fails, Identity Awareness redirects browser to Captive Portal
Browser-Based Authentication

 Browser-based authentication lets you acquire identities from unidentified users:
– Managed users connecting to network from unknown devices
– Unmanaged, guest users such as partners or contractors

Scenario: Recognized User from Unmanaged Device

 Jennifer accesses internal financial data on her office computer. She wants to access the same internal financial data on her iPad.
– Enable Identity Awareness on a gateway and select Browser-Based Authentication as one of the Identity Sources
– In the Portal Settings window in the User Access section, make sure Name and password login is selected
– Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as action
– Right-click the Action column – Edit Properties to open the Action Properties
– Select Redirect http connection to authentication (captive) portal
– Click OK

Scenario: Recognized User from Unmanaged Device

– From the Source of the rule, right-click to create an Access Role
– Enter a Name for the Access Role
– In the Users tab, select Specific users, and choose Jennifer McHanry
– In the Machines tab make sure that Any machine is selected
– Click OK. The Access Role is added to the rule.

Scenario: Recognized User from Unmanaged Device

 Jennifer:
– Browses to Finance server from iPad
– Enters her system credentials in Captive Portal
– Is successfully directed to Finance server

Scenario: Recognized User from Unmanaged Device

 Log entry

Scenario: Guest User from Unmanaged Devices

 The CEO wants company guests to have Internet access on their own laptops.
– Enable Identity Awareness on a gateway, and select Browser-Based Authentication as one of the Identity Sources
– In the Portal Settings window in the User Access section, make sure Unregistered guest login is selected
– Click the Unregistered guest login – Settings and configure:
  – The data guests must enter
  – For how long users can access the network resources
  – If a user agreement is required, and its text

Scenario: Guest User from Unmanaged Devices

– Create a rule so that identified users can access the Internet from the organization
– From the Source of the rule, right-click to create an Access Role
– Enter a Name for the Access Role
– In the Users tab, select All identified users
– Click OK

Scenario: Guest User from Unmanaged Devices

– Create a rule to let Unauthorized Guests access only the Internet
– From the Source of the rule, right-click to create an Access Role
– Enter a Name for the Access Role
– In the Users tab, select Specific users and choose Unauthenticated Guests
– Click OK. The Access Role is added to the rule
– Select Accept as the Action
– Right-click the Action column and select Edit Properties
– Select Redirect http connections to an authentication (captive) portal and click OK.

Scenario: Guest User from Unmanaged Devices

 The Guests:
– Browse to an Internet site from their laptop
– The Captive Portal opens (they are not identified so cannot access the Internet)
– They enter identifying data in the Captive Portal, and read through and accept a network access agreement
– A welcome window opens
– They can successfully browse to the Internet for a specified period of time

Scenario: Guest User from Unmanaged Devices

 The SmartView Tracker log shows how the system recognizes a guest

Identity Agents

 Two types of Identity Agents
– Endpoint Identity Agents
– Terminal Servers Identity Agents

Identity Agents

 Endpoint Identity Agent – recommended for:
– Leveraging identity for Data Center protection
– Protecting highly sensitive servers
– When accuracy in detecting identity is crucial

Identity Agents

 Using Endpoint Identity Agents gives you:
– User and machine identity
– Minimal user intervention
– Seamless connectivity
– Connectivity through roaming
– Added security

Identity Agents

 Types of Endpoint Identity Agents:
– Full
– Light
– Custom

Identity Agents

 How a user downloads the Endpoint Identity Agent from the Captive Portal

Scenario: Endpoint Identity Agent Deployment & User Group Access

 ACME wants only the Finance Department to access the Finance Web server.
– Finance users to be automatically authenticated with SSO
– Roaming users to have continuous access to Finance Web Server
– Access to the Finance Web server to be secure, preventing IP spoofing attempts

Scenario: Endpoint Identity Agent Deployment & User Group Access

 To make the scenario work:
– Enable Identity Awareness on a gateway and select Identity Agents and Browser-Based Authentication as Identity Sources
– Click the Browser-Based Authentication Settings button
– In the Portal Settings window in the Users Access section, select Name and password login
– In the Identity Agent Deployment from the Portal section, select Require users to download and select the Identity Agent – Full option
– Configure Kerberos SSO

Scenario: Endpoint Identity Agent Deployment & User Group Access

– Create a rule in the Firewall Rule Base that lets only Finance Department users access the Finance Web server, and install policy.
– From the Source of the rule, right-click to create an Access Role
– Enter a Name for the Access Role
– In the Networks tab, select Specific users and add the Active Directory Finance users group
– In the Users tab, select All identified users
– In the Machines tab, select All identified machines and select IP spoofing protection, and click OK

Scenario: Endpoint Identity Agent Deployment & User Group Access

– The Finance Department user can now browse to the Finance Web server, where the Captive Portal opens because the user is not identified and cannot access the server
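
As an added illustration (not Check Point code), a small Python model of how the Access Role matching in the three scenarios above (Jennifer from her iPad, the guest laptops, and the Finance users with the Endpoint Identity Agent) decides between accept, redirect to the Captive Portal, and drop. The Identity, AccessRole and Rule classes, the user and host names, and the rule that only agent-sourced identity satisfies IP spoofing protection are assumptions of this model.

```python
# Added illustrative model of identity-based rule matching; not Check Point code.
# Class names, users, hosts and the spoofing-protection rule are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    """What the gateway has learned about a source IP (defaults = nothing yet)."""
    user: Optional[str] = None
    groups: FrozenSet[str] = frozenset()
    machine: Optional[str] = None
    source: str = "none"  # "captive_portal", "kerberos", "agent" or "guest"


@dataclass(frozen=True)
class AccessRole:
    """Mirrors the Users and Machines tabs of an Access Role object."""
    name: str
    users: FrozenSet[str] = frozenset()  # specific users or AD groups
    all_identified_users: bool = False
    any_machine: bool = True
    all_identified_machines: bool = False
    ip_spoofing_protection: bool = False  # assumption: met only by agent identity

    def matches(self, ident: Identity) -> bool:
        user_ok = ((self.all_identified_users and ident.user is not None)
                   or ident.user in self.users
                   or bool(self.users & ident.groups))
        machine_ok = self.any_machine or (
            self.all_identified_machines and ident.machine is not None)
        if self.ip_spoofing_protection and ident.source != "agent":
            machine_ok = False
        return user_ok and machine_ok


@dataclass(frozen=True)
class Rule:
    role: AccessRole
    destination: str
    service: str
    redirect_http_to_portal: bool = False  # "Redirect http connections to ... portal"


def decide(rules: List[Rule], ident: Identity, dst: str, service: str) -> str:
    """Return 'accept', 'redirect_portal', or 'drop' (implicit cleanup rule)."""
    for rule in rules:
        if rule.destination != dst or rule.service != service:
            continue
        if rule.role.matches(ident):
            return "accept"
        # Only a source with no identity yet is sent to the Captive Portal; an
        # identified user who does not match the role falls through to cleanup.
        if rule.redirect_http_to_portal and ident.user is None and service == "http":
            return "redirect_portal"
    return "drop"


# Constructed rules for the three scenarios (destination names are sample values).
JENNIFER_RULE = Rule(AccessRole("Jennifer", users=frozenset({"Jennifer McHanry"})),
                     "finance-srv", "http", redirect_http_to_portal=True)
GUEST_RULE = Rule(AccessRole("Guests", users=frozenset({"Unauthenticated Guests"})),
                  "internet", "http", redirect_http_to_portal=True)
FINANCE_RULE = Rule(AccessRole("Finance_Agent", users=frozenset({"Finance"}),
                               any_machine=False, all_identified_machines=True,
                               ip_spoofing_protection=True),
                    "finance-web", "http", redirect_http_to_portal=True)


def jennifer_from_ipad():
    """First request from the unmanaged iPad, then after the Captive Portal login."""
    before = decide([JENNIFER_RULE], Identity(), "finance-srv", "http")
    after = decide([JENNIFER_RULE], Identity("Jennifer McHanry", source="captive_portal"),
                   "finance-srv", "http")
    return before, after  # ("redirect_portal", "accept")


def guest_laptop():
    """Unknown laptop, then the same laptop after the guest registration page."""
    guest = Identity("guest-0042", frozenset({"Unauthenticated Guests"}), source="guest")
    return (decide([GUEST_RULE], Identity(), "internet", "http"),
            decide([GUEST_RULE], guest, "internet", "http"),
            decide([GUEST_RULE], guest, "finance-srv", "http"))  # guests: Internet only


def finance_with_agent():
    """Portal login alone, a Finance user running the Full agent, then a Sales user."""
    portal_only = Identity("bob", frozenset({"Finance"}), source="captive_portal")
    agent = Identity("bob", frozenset({"Finance"}), "LAPTOP-01", "agent")
    outsider = Identity("eve", frozenset({"Sales"}), "LAPTOP-02", "agent")
    return tuple(decide([FINANCE_RULE], i, "finance-web", "http")
                 for i in (portal_only, agent, outsider))  # ("drop", "accept", "drop")
```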

Other Endpoint Identity Agent Options

– Other options that can be configured for Endpoint Identity Agents:
– A method that determines how Endpoint Identity Agents connect to a Security Gateway enabled with Identity Awareness and trust it
– Access roles to leverage machine awareness
– End user interface protection so users cannot access the client settings
– Let users defer client installation for a set time and ask for user agreement confirmation

Scenario: Identifying Users Accessing the Internet through Terminal Servers

– ACME wants user access to the Internet through Terminal Servers and only the Sales Department is to be able to access Facebook
– Sales users will automatically be authenticated with Identity Awareness when logging in to the Terminal Servers
– All connections to the Internet will be identified and logged
– Access to Facebook will be restricted to the Sales Department’s users

Scenario: Identifying Users Accessing the Internet through Terminal Servers

– To enable the Terminal Servers solution, Amy must:
– Configure Terminal Server/Citrix Identity Agents as an identity source for Identity Awareness.
– Install a Terminal Servers Identity Agent on each of the Terminal Servers.
– Configure a shared secret between the Terminal Servers Identity Agents and the Identity Server.
– After configuration and installation of the policy, users that log in to Terminal Servers and browse to the Internet will be identified and only Sales department users will be able to access Facebook.

Deployment

 Perimeter security gateway with Identity Awareness
– Most common deployment
– Protects access to DMZ and internal network
– Can control and inspect outbound traffic
– Can create identity-based firewall security Rule Base together with Application Control

Deployment

 Data Center Protection
– Protect access to segregated server farms
– Gateway inline in front of Data Center
– All traffic that flows in is inspected by gateway
– Identity based access policy controls access to resources and applications
– Can be deployed in transparent (bridge) mode to avoid changing existing infrastructure

Deployment

 Large scale enterprise deployment
– Multiple gateways deployed at different locations
– Identity Awareness managed centrally
– Identity-based policies distributed to all identity aware gateways
– Identity information about users and machines obtained by each gateway is shared by all gateways

Deployment

 Network segregation
– Control access between network segments with identity-based policy
– Deploy gateway close to access network to avoid malware and unauthorized access in global network

Deployment

 Distributed enterprise with branch offices
– Deploy gateway at remote offices to avoid malware and unauthorized access to headquarters network and Data Centers
– Enable Identity Awareness at branch office gateway so users authenticate before reaching internal resources
– Branch office identity information is shared between internal gateways

Deployment

 Wireless campus
– Deploy Identity Awareness enabled gateway inline in front of wireless switch
– Provide an identity awareness policy and inspect traffic that comes from WLAN users
– Guest access can be given by authenticating with Captive Portal

Lab Practice

 Lab 9: Identity Awareness

Review Questions

1. Identity Awareness lets you configure network access based on what?

Review Questions

1. Identity Awareness lets you configure network access based on what?
– Network location
– Identity of a user
– Identity of a machine

Review Questions

2. Browser-based Authentication lets you acquire identities from…?

Review Questions

2. Browser-based Authentication lets you acquire identities from…?
– Unidentified users, such as managed users connecting to the network from unknown devices, and guests, such as partners or contractors

Review Questions

3. What are two types of Identity Agents?

Review Questions

3. What are two types of Identity Agents?
– Endpoint Identity Agent
– Terminal Servers Identity Agent

Introduction to Check Point VPNs

Learning Objectives

 Configure a pre-shared secret site-to-site VPN with partner sites.
 Configure permanent tunnels for remote access to corporate resources.
 Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels.

The Check Point VPN

The VPN

 VPN – encrypted tunnels to exchange data
 Uses IKE and IPSec protocols
 IKE creates the tunnel
 IPSec encodes the data

Site-to-Site VPN

 Strong encryption
 Reliable
 Scalable

Remote-Access VPN

 Strong authentication
 Centralized Management
 Scalable

VPN Implementation

Understanding VPN Deployment

 Check Point VPN management model
– Administrators directly define a VPN on a group of Gateways
– Gateway in group = VPN site
– Each VPN site performs encryption for its VPN Domain (its LAN and networks)
– Grouped VPN sites = VPN Community

VPN Communities

 VPN Community member
 VPN Domain
 VPN site
 VPN Community
 Domain-based VPN
 Route-based VPN
[Figure: VPN Community diagram, labelled VPN Site, VPN Domain, VPN Community, VPN Members, VPN Tunnel]

Remote Access Community

 Specifically for remote users
 Secures communication between users and corporate LAN

Meshed VPN Community

Star VPN Community

Choosing A Topology

 Meshed Community
– Appropriate for Intranet
– Participating Gateways part of internally managed network

 Star Community
– Appropriate for exchange with external partners
– Central and satellite Gateways

Combination VPN

Topology and Encryption Issues

Special VPN Gateway Conditions

Authentication Between Community Members

 Before exchanging keys and building tunnels, Gateways must authenticate one of two ways.
– Certificates
– Pre-shared secret

Domain and Route-Based VPNs

 Two ways to direct VPN traffic:
– Domain-based VPN
– Route-based VPN

Access Control and VPN Communities

Access Control and VPN Communities

 Using the VPN column of the Rule Base, you can create access
control rules that apply only to members of a VPN community:

Access Control and VPN Communities

 You can also create rules that are relevant for both VPN Communities
and host machines not in the Community:

Accepting All Encrypted Traffic

Special Considerations for Planning a VPN Topology

1. Who needs secure/private access?
2. From a VPN point of view, what will be the organization structure?
3. How will externally managed Gateways authenticate?

Integrating VPNs into a Rule Base

 Simplified Mode Rule Base

Simplified vs. Traditional Mode VPNs

 Simplified Mode
– Simpler
– Less error-prone
– More secure
– Easier to understand
– New VPN features

 Traditional Mode
– Maintain existing VPN definitions

VPN Tunnel Management

 VPN Tunnel
– Authenticity
– Privacy
– Integrity

 Types and number of tunnels:
– Permanent Tunnels
– VPN Tunnel Sharing

Permanent Tunnels

 Configuration of permanent tunnels on Community level:
– Can be specified for an entire community
– Can be specified for a specific Gateway
– Can be specified for a single VPN tunnel

Tunnel Testing for Permanent Tunnels

 Testing to see if VPN tunnels are active:
1. Test
2. Reply
3. Connect
4. Connected

VPN Tunnel Sharing

 Control number of tunnels:
– One per host pair
– One per subnet pair
– One per Gateway pair
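
Added illustrative Python model (not Check Point code) of the topology choice and the tunnel-sharing options above: Gateways with their VPN Domains form a meshed or star community, and the same set of flows yields a different number of tunnels depending on whether they are shared per Gateway pair, per subnet pair or per host pair. The class names, Gateway names and addresses are constructed, and the rule that star satellites only tunnel to the center is this model's simplification.

```python
# Added illustrative model of VPN Community topology and tunnel sharing; not
# Check Point code. Gateway names, VPN Domains and flows are constructed.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


class Gateway:
    """A VPN site: a Gateway plus the VPN Domain (networks) it encrypts for."""
    def __init__(self, name: str, vpn_domain: Iterable[str]):
        self.name = name
        self.vpn_domain = [ip_network(n) for n in vpn_domain]

    def domain_net(self, ip: IPv4Address) -> Optional[IPv4Network]:
        return next((n for n in self.vpn_domain if ip in n), None)


class Community:
    """Meshed: any site to any site. Star: only center <-> satellite (simplified)."""
    def __init__(self, members: List[Gateway], topology: str = "meshed",
                 center: Optional[str] = None, sharing: str = "gateway"):
        if topology == "star" and center is None:
            raise ValueError("a star community needs a center Gateway")
        self.members, self.topology = members, topology
        self.center, self.sharing = center, sharing

    def site_for(self, ip: IPv4Address) -> Optional[Gateway]:
        return next((g for g in self.members if g.domain_net(ip) is not None), None)

    def peers_allowed(self, a: Gateway, b: Gateway) -> bool:
        if a is b:
            return False  # both ends behind the same site: no tunnel needed
        return self.topology == "meshed" or self.center in (a.name, b.name)

    def max_tunnels(self) -> int:
        """Gateway-pair tunnels the topology can ever build."""
        n = len(self.members)
        return n * (n - 1) // 2 if self.topology == "meshed" else n - 1

    def tunnel_key(self, src: str, dst: str) -> Optional[Tuple[str, ...]]:
        """Which tunnel carries src->dst, or None if the traffic is not encrypted."""
        s, d = ip_address(src), ip_address(dst)
        a, b = self.site_for(s), self.site_for(d)
        if a is None or b is None or not self.peers_allowed(a, b):
            return None
        if self.sharing == "gateway":
            ends = [a.name, b.name]
        elif self.sharing == "subnet":
            ends = [f"{a.name}:{a.domain_net(s)}", f"{b.name}:{b.domain_net(d)}"]
        else:  # "host"
            ends = [f"{a.name}:{s}", f"{b.name}:{d}"]
        return tuple(sorted(ends))  # direction-independent: one tunnel per pair


def count_tunnels(c: Community, flows: List[Tuple[str, str]]) -> int:
    """Distinct tunnels needed for the flows under the community's sharing mode."""
    return len({k for k in (c.tunnel_key(s, d) for s, d in flows) if k})


# Constructed sample sites and flows (the last flow is the reverse of the first).
HQ = Gateway("HQ", ["10.1.0.0/24", "10.1.1.0/24"])
BRANCH = Gateway("Branch", ["10.2.0.0/24"])
PARTNER = Gateway("Partner", ["192.168.50.0/24"])
FLOWS = [("10.1.0.5", "10.2.0.7"), ("10.1.0.6", "10.2.0.8"),
         ("10.1.1.9", "10.2.0.7"), ("10.2.0.7", "10.1.0.5")]


def sharing_comparison() -> Dict[str, int]:
    """Tunnel count for the same flows under each tunnel-sharing setting."""
    return {m: count_tunnels(Community([HQ, BRANCH], sharing=m), FLOWS)
            for m in ("gateway", "subnet", "host")}  # gateway 1, subnet 2, host 3


def star_vs_mesh():
    """Satellite-to-satellite traffic: no tunnel in a star, a tunnel in a mesh."""
    star = Community([HQ, BRANCH, PARTNER], "star", center="HQ")
    mesh = Community([HQ, BRANCH, PARTNER])
    return (star.tunnel_key("10.2.0.7", "192.168.50.4"),
            mesh.tunnel_key("10.2.0.7", "192.168.50.4"),
            star.max_tunnels(), mesh.max_tunnels())  # (None, ('Branch', 'Partner'), 2, 3)
```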

Remote Access VPNs

 SecuRemote
 SecureClient
 SecureClient Mobile
 L2TP

Multiple Remote Access VPN Connectivity Modes

 IPsec Software Blade – modes for connectivity and routing issues
– Office Mode
– Visitor Mode
– Hub Mode

Establishing a Connection Between a Remote User and a Gateway

Lab Practice

 Lab 10: Site-to-Site VPN Between Corporate and Branch Office (Certificate)

Review Questions

1. What is a VPN Community?

Review Questions

1. What is a VPN Community?
– A collection of VPN enabled Gateways capable of communication via VPN tunnels.

Review Questions

2. What is a meshed VPN Community?

Review Questions

2. What is a meshed VPN Community?
– A VPN Community in which a VPN site can create a VPN tunnel with any other VPN site within the community.

Review Questions

3. Which is the preferred means of authentication between VPN Community members, and why?

Review Questions

3. Which is the preferred means of authentication between VPN Community members, and why?
– Certificates, because they are more secure than pre-shared secrets.

Review Questions

4. When planning a VPN topology, what questions should be asked?

Review Questions

4. When planning a VPN topology, what questions should be asked?
– Who needs secure/private access?
– From the point of view of the VPN, what will be the structure of the organization?
– How will externally managed Gateways authenticate?
