
Security Engineering

2013 Edition

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
©2013 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties
Preface

Training Blades and Certification

2 WAYS to EXTEND CCSA / CCSE for 1 YEAR:
 Take and pass any 2 Training Blades (AppControl, Introduction to Gaia)
OR
 Attend and pass 1 instructor-led class, based on a 2-day course (Advanced IPS)

Certification Renewal Examples

CCSA Certification – Extension Options:
Training Blades:
• Application Control
• Data Loss Prevention
• Introduction to Gaia
• Intrusion Prevention
• Threat Prevention
OR CCSA exam

CCSE Certification – Extension Options:
Instructor Led Training:
• Advanced IPS
• SmartConsole Managed VSX
• P1 Managed VSX
• Endpoint
OR CCSE exam

Check Point Certified Security Expert

Key Course Elements

 Advanced and in-depth explanation of FireWall-1 technology
 Key tips and techniques for troubleshooting FireWall-1
 Advanced upgrading concepts and practices
 Cluster firewall and management concepts and practices
 Software acceleration features
 Advanced VPN implementations
 Reporting tools options and features

CCSE Course Chapters

1. Advanced Upgrading
2. Advanced Firewall
3. Clustering and Acceleration
4. Advanced User Management
5. Advanced IPsec VPN and Remote Access
6. Auditing and Reporting

Lab Topology

Check Point 3D Security

 Policies that support business needs and transform security into a business process
 Security that involves People in policy definition, education and incident remediation
 Enforce, consolidate and control all layers of security – network, data, application, content and user

Check Point 3D Security

 Security is a process
– A network is never 100% secure
– IT security policy must be transparent
– Challenges to IT involve security, deployment, management, and compliance
– Security products are tools to avoid risk

Check Point 3D Security

IT security best practices:

1. Perform a risk assessment
2. Develop and enforce a policy
3. Address known vulnerabilities
4. Control and monitor devices
5. Conduct audits

Deployment Scenario

Alpha Corp

Upgrading

Learning Objectives

 Perform a backup of a Security Gateway and Management Server
 Upgrade and troubleshoot a Management Server using database migration
 Upgrade and troubleshoot a clustered Security Gateway deployment

Backup Schedule

 Snapshot – before major changes
 Backup – every few months
 upgrade_export/migrate export – every month, before upgrade or migration
 Test backups

Gaia Snapshot Image Management

 With Gaia snapshot image management you can:
– Make a new image
– Revert to a locally stored image
– Delete an image
– Export a local image
– Export an existing image
– Import an exported image
– View an image list

Upgrade Tools

 Backs up Check Point configuration independent of hardware, OS and Check Point version.
 Backs up Check Point configuration settings on the management station.
 Intended for upgrades or migration of database information to new systems with hardware changes.
 Smaller file – dependent on size of Policy
 Can be initiated on a live system

Backup Schedule Recommendations

 Snapshot – once before major changes
 Backup – every couple of months
 Upgrade_export/migrate export – every month
 Test your backups

Upgrade Tools

 migrate.conf
 migrate
 pre_upgrade_verifier.exe
 upgrade export
 cp_merge

Performing Upgrades

 Before upgrading – valid support contract
 Upgrade SMS before any gateways
 Process verifies a contract file on server

Upgrading Security Gateways

 Upgrade by:
– SmartUpdate
– Local Upgrade

Upgrading Security Management Server

 Upgrade by:
– Upgrading Production Security Management Server
– Migrate and Upgrade to a New Security Management Server

Upgrading Full High Availability

 Upgrade by:
– Upgrade one machine and synchronize second (minimal downtime)
– Upgrade with clean installation on one machine and synchronize second (system downtime)

Minimal Effort Upgrade

 Each Cluster member treated as individual gateway
 Network downtime
 Distributed deployment upgrade procedure

Upgrading with Minimal Downtime

 Check status of cluster members
 Failover to second cluster member
 Change second cluster member to Active
 Upgrade primary cluster member
 Install policy on cluster object
 Upgrade second cluster member
 Synchronize

Lab Practice

 Lab 1: Upgrade to Check Point R76

Review Questions

1. When should snapshots be performed?
– At least once, and before major changes, such as upgrades.

2. To run advanced upgrade or migration, what tool is used?
– Migrate.

3. What is a critical task for both Snapshots and Backups?
– Testing your backups with either the backup, upgrade_export, or migrate export files.

Advanced Firewall

Learning Objectives

 Using knowledge of Security Gateway infrastructure, including chain modules, packet flow, and kernel tables, to describe how to perform debugs on firewall processes

FireWall-1 Infrastructure

 Check Point security components:
– GUI clients
– Security Management
– Security Gateway

GUI Clients

 SmartConsole Applications:
– SmartView Tracker
– SmartEvent
– SmartReporter
– SmartDashboard
 Admin Tools:
– Configure
– Manage & Monitor
– Perform Maintenance
– Generate Reports
– Enforce Policy

Management

 Management Component processes:
– FWM
– FWD
– CPD
– CPWD

Security Gateway

User and Kernel Mode Processes

The CPD Core Process

 Check Point Daemon (CPD):
1. Secure Internal Communication (SIC)
2. Status
3. Transferring messages between processes
4. Policy Installation

FWM

 FWM is available on management products
– GUI Client communication
– DB manipulation
– Policy compilation
– Management HA

FWD

 FWD
– Forwards logs
– Related to policy installation
– Command line tool communication

FWSSD

 FWSSD
– Child process of FWD
– Maintains Security Servers
– Activated features

CPWD

 CPWD (WatchDog)
– Invokes and monitors critical processes
– Check Point daemons
– Restart attempts
– Processes monitored: cpd, fwd, fwm
– cpwd_admin utility used to show process status, and to configure cpwd

Inbound and Outbound Packet Flow

Inbound FW CTL Chain Modules

Outbound Chain Modules

Columns in a Chain

Stateful Inspection

Stateful Inspection

1. Packets pass through the NIC to the inspection module. The Inspection Module inspects the packets and their data.
2. Packets are matched to the policy rule, one rule at a time. Packets that do not match any rule are dropped.
3. Logging and/or alerts that have been defined are activated.
4. Packets that pass inspection are moved through the TCP/IP stack to their destination.
5. For packets that do not pass inspection and are rejected by the rule definition, an acknowledgement is sent.
6. The packets that do not pass inspection and do not apply to any of the rules are dropped without sending an acknowledgement.

Kernel Tables

 Kernel tables store information on firewall function
 To view Kernel tables: fw tab -t <tablename>
 To view table names on SecurePlatform: fw tab | grep -e "----" | more

Kernel Tables

 Most traffic information is saved in the Kernel tables
 To view Kernel tables: fw tab -t
 Tables can be:
– Created
– Deleted
– Modified
– Read

Connections Tables

 Connections table = approved connections list
 For every recorded connection, there is a matching reversed entry
 Prevents returning packets on the same connection from being blocked

Connections Tables

 Enhanced performance
 Allow server replies
 Stateful Features
– Streaming apps
– Sequence verification and translation
– Hide NAT
– Logging, accounting, monitoring
– Client and server id
– Data connections

Connections Table Format

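The six-step Stateful Inspection flow and the reversed connections-table entry, modelled as an added example (not Check Point code): the rule format, the connection key layout and the addresses are constructed for illustration, and "reject" stands for the rule action that sends an acknowledgement while "drop" is silent.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: str                 # source IP, or "any"
    dst: str                 # destination IP, or "any"
    dport: Optional[int]     # None matches any destination port
    action: str              # "accept", "drop" (silent) or "reject" (ack sent)
    log: bool = False


ConnKey = Tuple[str, str, int, str, int]


def conn_key(pkt: Packet) -> ConnKey:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reversed_key(pkt: Packet) -> ConnKey:
    # The "matching reversed entry": source and destination swapped, so the
    # server's replies on the same connection are recognised.
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.connections: Dict[ConnKey, int] = {}   # approved connections list
        self.log: List[Tuple[int, str, ConnKey]] = []

    def inspect(self, pkt: Packet) -> str:
        """Return 'accept', 'drop' (silently) or 'reject' (acknowledgement sent)."""
        # A packet belonging to an approved connection, in either direction,
        # is accepted from the connections table without walking the rule base.
        if conn_key(pkt) in self.connections:
            return "accept"
        # Step 2: rules are matched one at a time; the first match decides.
        for number, rule in enumerate(self.rules, start=1):
            if not rule_matches(rule, pkt):
                continue
            if rule.log:                              # step 3: logging fires
                self.log.append((number, rule.action, conn_key(pkt)))
            if rule.action == "accept":               # step 4: record both directions
                self.connections[conn_key(pkt)] = number
                self.connections[reversed_key(pkt)] = number
            return rule.action                        # "reject" is step 5
        # Step 6: no rule applies, so the packet is dropped without an ack.
        return "drop"


def demo() -> Dict[str, object]:
    """Constructed traffic run through a two-rule policy."""
    fw = Firewall([
        Rule("10.1.1.5", "203.0.113.10", 443, "accept", log=True),
        Rule("any", "203.0.113.10", 23, "reject"),
    ])
    client_syn = Packet("10.1.1.5", 40000, "203.0.113.10", 443)
    server_reply = Packet("203.0.113.10", 443, "10.1.1.5", 40000)
    telnet = Packet("10.1.1.7", 40001, "203.0.113.10", 23)
    unsolicited = Packet("203.0.113.10", 443, "10.1.1.5", 50000)
    return {
        "client_syn": fw.inspect(client_syn),       # accepted by rule 1
        "server_reply": fw.inspect(server_reply),   # accepted via reversed entry
        "telnet": fw.inspect(telnet),               # rejected by rule 2
        "unsolicited": fw.inspect(unsolicited),     # no rule: silent drop
        "table_size": len(fw.connections),          # one connection, two entries
        "log_entries": len(fw.log),
    }
```

Without the reversed entry the server's reply would reach the rule base, match nothing and be dropped silently; with it, the reply is accepted from the table alone.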
Check Point FireWall Key Features

 Packet Inspection Flow
 CoreXL
 Policy Installation
 Network Address Translation
 Security Servers

Packet Inspection Flow

Policy Installation Flow

 Installation
 Verification
 Conversion
 Code generation
 CPTA
 Commit

Policy Installation Process Flow

How NAT Works

Hide NAT Process

 Packet arrives at inbound interface
 Packet inspected by Security Policy
 If accepted, packet entered in connections table
 First packet matched against NAT rules
 If match found, packet is translated
 Packet arrives at TCP/IP stack
 Packet is routed to outbound interface

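The Hide NAT process above, as an added example (not Check Point code): only the first packet of an accepted connection is matched against the NAT rules, the translation is then recorded with the connection, and later packets and replies are translated from that record. The rule format, the hide port pool and the addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class HideNatRule:
    src_prefix: str      # constructed: dotted prefix of the internal network
    hide_behind: str     # address the internal hosts are hidden behind


class HideNat:
    def __init__(self, rules: List[HideNatRule], first_port: int = 10000,
                 last_port: int = 10003) -> None:
        self.rules = list(rules)
        self.free_ports = list(range(first_port, last_port + 1))
        self.nat_rule_lookups = 0   # how often the NAT rule base was consulted
        # original (src, sport, dst, dport) -> (hide address, hide port)
        self.forward: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # (hide address, hide port, dst, dport) -> original (src, sport)
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _match_rule(self, pkt: Packet) -> Optional[HideNatRule]:
        self.nat_rule_lookups += 1
        for rule in self.rules:
            if pkt.src.startswith(rule.src_prefix):
                return rule
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network; the packet has
        already been accepted by the Security Policy at this point."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.forward:
            # Not the first packet: translate from the recorded connection.
            hide_ip, hide_port = self.forward[key]
        else:
            # First packet of the connection: match the NAT rules.
            rule = self._match_rule(pkt)
            if rule is None:
                return pkt                  # no NAT rule: routed untranslated
            if not self.free_ports:
                raise RuntimeError("hide port pool exhausted")
            hide_ip, hide_port = rule.hide_behind, self.free_ports.pop(0)
            self.forward[key] = (hide_ip, hide_port)
            self.reverse[(hide_ip, hide_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=hide_ip, sport=hide_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply sent to the hide address back to the real host,
        or return None when no recorded connection matches."""
        orig = self.reverse.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return replace(pkt, dst=orig[0], dport=orig[1])


def demo() -> Dict[str, object]:
    """Two internal hosts using the same source port, hidden behind one address."""
    nat = HideNat([HideNatRule("10.1.1.", "198.51.100.1")])
    h1 = Packet("10.1.1.5", 40000, "203.0.113.10", 80)
    h2 = Packet("10.1.1.6", 40000, "203.0.113.10", 80)
    t1 = nat.outbound(h1)
    t2 = nat.outbound(h2)
    t1_again = nat.outbound(h1)                 # later packet, same connection
    reply = Packet("203.0.113.10", 80, t1.src, t1.sport)
    other = Packet("192.168.9.9", 40000, "203.0.113.10", 80)  # outside the rule
    return {
        "h1_translated": t1,
        "h2_translated": t2,
        "h1_again": t1_again,
        "reply_untranslated": nat.inbound(reply),
        "stray_reply": nat.inbound(Packet("203.0.113.10", 80, "198.51.100.1", 12345)),
        "no_rule": nat.outbound(other),
        "rule_lookups": nat.nat_rule_lookups,   # once per new connection only
    }
```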
Security Servers

 Firewall acts as a proxy, and user-mode processes are employed to manage:
– Application layer enforcement
– User, Client, Session authentication

How a Security Server Works

 Client initiates a connection to a server
 Firewall kernel signals FWD process using a trap
 FWD spawns the FWSSD child service running the Security Server
 Security Server binds to a socket – manages connection
 FWD waits for connections on ports of other servers, starting corresponding servers
 FWD also talks to child processes on other servers

How a Security Server Works

 In the file structure the real_port is the port being bound to
 If "real_port" is 0, a high random port will be assigned
 $FWDIR/conf/fwauthd.conf file structure:
<logical_ports> <server> <real_ports> <opt args>

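A parser for the four-field line structure given above, added here as an example (not Check Point code): it assumes one entry per line, whitespace-separated fields, '#' as a comment marker and everything after the third field as the optional arguments, and the sample lines are constructed rather than copied from a real fwauthd.conf. It also reports which servers will bind a random high port (real_port 0), which is the case an administrator cannot predict from the file alone.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SecurityServerEntry:
    logical_port: int
    server: str
    real_port: int     # 0 means a high random port is assigned at bind time
    opt_args: str

    @property
    def binds_random_high_port(self) -> bool:
        return self.real_port == 0


def parse_fwauthd(text: str) -> List[SecurityServerEntry]:
    """Parse lines of the form <logical_ports> <server> <real_ports> <opt args>.
    Assumptions: one entry per line, whitespace separated, '#' starts a
    comment, and everything after the third field is the optional arguments."""
    entries: List[SecurityServerEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected at least 3 fields: {raw!r}")
        try:
            logical_port, real_port = int(fields[0]), int(fields[2])
        except ValueError:
            raise ValueError(f"line {lineno}: ports must be integers: {raw!r}") from None
        for port in (logical_port, real_port):
            if not 0 <= port <= 65535:
                raise ValueError(f"line {lineno}: port {port} out of range: {raw!r}")
        opt_args = fields[3] if len(fields) == 4 else ""
        entries.append(SecurityServerEntry(logical_port, fields[1], real_port, opt_args))
    return entries


def random_high_port_servers(entries: List[SecurityServerEntry]) -> List[str]:
    """Servers whose real_port is 0: their listening port is only known after
    the Security Server has bound, which matters when auditing what listens."""
    return [e.server for e in entries if e.binds_random_high_port]


# Constructed sample following the four-field structure; not a real fwauthd.conf.
SAMPLE = """\
# logical_port  server        real_port  opt_args
21              ftp_server    0          wait
80              http_server   8080       wait
"""
```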
Basic FireWall-1 Administration

 Configuration file structure – main sub-grouping of configuration files divided into directories under /opt:
– CPsuite-R76
– CPshrd-R76
– CPvsxngxcmp
– CPedgecmp

Basic FireWall-1 Administration

 /lib and /conf directories store definition files
 $FWDIR/lib/*.def stores rulebase and protocol definitions
 $FWDIR/conf/fwauth.NDB stores user definitions
 $FWDIR/conf/fwauthd.conf stores security server configurations
 $FWDIR/conf/classes.C defines fields for objects in objects_5_0.C
 $FWDIR/database stores specific object entries on a gateway

Basic FireWall-1 Administration

 Two ways to view and edit database files
– dbedit
– GUIdbedit.exe

Common Commands

 cpconfig
 cplic print
 cpstart
 cpstop

What is FW Monitor?

 FW Monitor is a packet analyzer
 Provides kernel level inspection
 Works for OSI layer-3 and above
 Syntax is the same for all platforms
 Supports CAP output used in Ethereal and Wireshark

C2S Connections and S2C Packets

 FW Monitor captures packets entering and leaving the firewall kernel
 FW Monitor records when the packet enters and leaves the inbound and outbound chains
 Packet must traverse and be inspected by both firewall chains
 Once fw monitor is executed, parameters will be displayed in fw monitor – with the same filter executed on all interfaces in all directions

fw monitor

 Running fw monitor without filters can create excessive output
 Use filter expressions to specify packets to be captured and limit the amount of output
 General syntax:
fw monitor -e "accept <expression>;"

Lab Practice

 Lab 2: Core CLI Elements of Firewall Administration

Review Questions

1. The core process CPD allows what main functions?
– SIC (Secure Internal Communication) functionality – ports 18xxx are used for this communication
– Status – pull AMON status from the GW/Management using Smart Event
– Transferring messages between FW-1 processes
– Policy installation – receives the policy (on the GW) and pushes it forward to relevant processes and the Kernel

2. The firewall’s kernel consists of two completely separate logical parts representing the process of a packet coming into and out from the firewall; these are referred to as...?
– Inbound and Outbound

Clustering and Acceleration

Learning Objectives

 Build, test and troubleshoot a ClusterXL Load Sharing deployment on an enterprise network.
 Build, test and troubleshoot a ClusterXL High Availability deployment on an enterprise network.
 Build, test and troubleshoot a management HA deployment on an enterprise network.
 Configure, maintain and troubleshoot SecureXL and CoreXL acceleration solutions on the corporate network traffic to ensure noted performance enhancement on the firewall.
 Build, test and troubleshoot a VRRP deployment on an enterprise network.

VRRP

 VRRP (Virtual Routing Redundancy Protocol)
– Two or more gateways work together as one
– Configurable for high availability and/or load sharing
 Additional functionality of Check Point VRRP
– Prevents “black holes”

VRRP vs ClusterXL

 VRRP and ClusterXL – mutually exclusive
 Advantages of ClusterXL
– Transparent failover
– Higher performance
– Easy deployment
– Cost-effective
 Advantages of VRRP
– Minimum failover time
– Supports 255 virtual routers
– Minimum service disruptions during failover
– Election of multiple virtual routers for load balancing
– Addresses failover at router level
– Avoids configuration changes in end nodes if router fails
– No need for router discovery protocol for failover operation
– Multi access LAN technology support

Simple VRRP Configuration

VRRP in More Than One VRID

Multiple VRIDs in Active-Active Configuration

VRRP Configurations

 VRRP (Simple Monitored Circuit VRRP)
– Basic parameters
– Applicable for most environments
 Advanced VRRP
– Necessary to monitor each interface individually
– Can change the VMAC (Virtual MAC Address) assignment mode

Monitored Circuit VRRP

 Eliminates “black holes” caused by asymmetric routes.
 Done by reducing priority over interfaces
 All interfaces are monitored
 If one interface fails, master releases priority over all interfaces
 Backup takes over all interfaces and becomes master

Troubleshooting VRRP

 Enable traces to log error and event information
– All routers of a VRRP group must have same system time
– All routers of a VRRP group must have same Hello Interval
– The Priority Delta must be sufficiently large
– If different encryption accelerator cards, select encryption/authentication algorithms supported by both
– VRIDs must be same on all routers in VRRP group
– If interface shows in initialize state, IP address may be invalid
– If SNMP Get lists incorrect IP address, may be incorrect Policy

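The Monitored Circuit behaviour above and the "Priority Delta must be sufficiently large" troubleshooting point, simulated as an added example (not Check Point code): router names, priorities and the two interface names are constructed, and the election is modelled simply as highest effective priority per interface, with a failed interface lowering the router's priority on every interface of the VRID when monitored circuit is on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

INTERFACES = ("ext", "int")   # constructed: the two interfaces of the VRID


@dataclass
class Router:
    name: str
    base_priority: int
    priority_delta: int          # subtracted per failed interface
    failed: Set[str] = field(default_factory=set)

    def effective_priority(self, iface: str, monitored_circuit: bool) -> int:
        if iface in self.failed:
            return -1            # a router cannot be master on a dead interface
        if monitored_circuit and self.failed:
            # Monitored Circuit: a failure on any interface releases priority
            # on every interface of the VRID, not just the failed one.
            return self.base_priority - self.priority_delta * len(self.failed)
        return self.base_priority


def elect(routers: List[Router], monitored_circuit: bool) -> Dict[str, str]:
    """Map each interface to the router that becomes master on it
    (highest effective priority; ties broken by name)."""
    masters: Dict[str, str] = {}
    for iface in INTERFACES:
        best = max(routers,
                   key=lambda r: (r.effective_priority(iface, monitored_circuit), r.name))
        masters[iface] = best.name
    return masters


def has_black_hole(masters: Dict[str, str]) -> bool:
    """True when different routers master different interfaces: traffic that
    enters the master on one side cannot leave through the other (asymmetric route)."""
    return len(set(masters.values())) > 1


def scenarios() -> Dict[str, Dict[str, str]]:
    def pair(delta: int) -> List[Router]:
        return [Router("gw-a", 110, delta), Router("gw-b", 100, delta)]

    results: Dict[str, Dict[str, str]] = {}
    results["healthy"] = elect(pair(20), monitored_circuit=True)

    a, b = pair(20)
    a.failed.add("int")          # gw-a loses its internal interface
    results["plain_vrrp_after_failure"] = elect([a, b], monitored_circuit=False)
    results["monitored_after_failure"] = elect([a, b], monitored_circuit=True)

    a2, b2 = pair(5)             # delta too small to fall below gw-b's priority
    a2.failed.add("int")
    results["delta_too_small"] = elect([a2, b2], monitored_circuit=True)
    return results
```

With per-interface priority only, gw-a stays master on ext while gw-b takes int, the asymmetric route the slide calls a black hole; monitored circuit with a large enough delta hands both interfaces to gw-b, while a delta of 5 leaves gw-a at 105 and the black hole in place.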
Firewall Policies

 Firewall policies must be configured to accept VRRP packets.
 Multicast destination for VRRP – 224.0.0.18
 Firewalls in same VRRP group will take on Master state if policy does not accept packets.

Clustering and Acceleration

 SecureXL + ClusterXL + CoreXL = Open Performance Architecture.

Clustering Terms

 Active Up
 Critical Device
 Failure
 Failover
 High Availability (HA)
 Hot Standby
 Cluster Control Protocol

ClusterXL

 Organizational needs vs. available resources
 Maintaining dependability of VPN connections critical to business
 ClusterXL infrastructure ensures no data loss in case of system failure – load sharing and HA
– High availability ensures redundancy for transparent failover between machines
– Load Sharing provides reliability and enhances performance

ClusterXL

 Installed in a distributed configuration
 Licensing allows up to three ClusterXL clusters managed by one Security Management Server
 ClusterXL uses unique physical IP and MAC addresses for Cluster members
 ClusterXL cluster is represented by a virtual IP address
 Cluster members must synchronize clocks to function properly

Cluster Synchronization

 Cluster members are aware of connections through other Cluster members via State Synchronization
 Every IP based service including TCP and UDP is synchronized
 State Synchronization is used by ClusterXL and third-party OPSEC certified clustering products

Cluster Synchronization

 State Synchronization works in two modes:
– Full synchronization
– Delta synchronization
 Full synchronization – initial transfer of state information
 Delta synchronization – update transfer of state information

Synchronized-Cluster Restrictions

 Restrictions to synchronizing cluster members:
– Only cluster members on same platform
– Cluster members must be same software version
– User Auth connections will be lost if cluster member fails
– State of connections using resources in a Security Server cannot be synchronized
– Account information is accumulated in each Cluster member, and lost if that member fails before that information is reported to the SMS

Securing the Sync-Interface

 Synchronization network carries sensitive Security Policy information.
 To secure the synchronization interface:
– Use a dedicated sync network
– Connect the physical network interface of cluster members directly with cross-over cables or dedicated hub or switch

To Synchronize or Not to Synchronize

 Certain types of connections do not require sync:
– Connections solely between cluster members
– Service that puts significant load on network
– Service that opens many short connections
 Bi-directional stickiness is employed for all connections
 For TCP services – HTTP or None – you can configure to delay connections to only sync if connection exists after x seconds (SecureXL devices)

ClusterXL: Load Sharing

 In a Load Sharing Gateway Cluster all cluster members are active, which gives a performance advantage over High Availability
 Load Sharing deployment modes:
– Multicast
– Unicast

Multicast Load Sharing

 ClusterXL Load Sharing Multicast mode:
– Every member receives all packets
– The ClusterXL decision algorithm decides which member performs enforcement
– The other members drop the packet
– Only routers or Layer 3 switches that accept a multicast MAC address in the ARP reply for a unicast IP address are supported

Unicast Load Sharing

 ClusterXL Load Sharing Unicast mode:
– One member, called the Pivot, receives all traffic
– The Pivot redistributes traffic to the other members of the cluster
– The Pivot is chosen automatically by ClusterXL
– The Pivot is the only member that communicates with the router
– The Pivot functions as the cluster router
– Pivot mode is based on unicast addresses only and works with all routers and Layer 3 switches

Packet Travel – Unicast LS Cluster

1. The router sends an ARP request for the cluster IP address
2. The Pivot returns an ARP reply with its own unicast MAC address
3. The router sends the packet to the Pivot
4. The Pivot forwards the packet to the designated cluster member
5. The cluster member receives the packet and sends it to the destination
6. The return packet first reaches the Pivot, which assigns it to a cluster member
7. The packet is forwarded to that cluster member for inspection
8. The cluster member sends the packet to the destination

Sticky Connections and the Sticky Decision Function

 A sticky connection is one that is handled in both directions by a single cluster member
 In High Availability mode all connections are routed through the same (active) cluster member, so every connection is sticky
 In Load Sharing mode connections can be made sticky by enabling the Sticky Decision Function (SDF); note that SDF is one of the factors that precludes SecureXL acceleration (see Factors that Preclude Acceleration)

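ClusterXL's real decision algorithm is not described on these slides. The Python model below is an added illustration, not Check Point code, of the property the slides rely on: a bi-directionally sticky decision function must map a packet and its reply to the same member, which is what lets Multicast mode (every member sees the frame, one enforces, the rest drop) and Unicast mode (the Pivot forwards) keep a connection on one member. The 5-tuple key, the SHA-256 hash and the three-member cluster are assumptions made for the example.

```python
import hashlib
from typing import List, Tuple

# A flow as the classic 5-tuple (constructed; ClusterXL's real key is not documented here).
Flow = Tuple[str, str, int, int, int]  # src_ip, dst_ip, ip_proto, src_port, dst_port


def canonical_key(flow: Flow) -> bytes:
    """Order the two endpoints so that a packet and its reply produce the same key.

    Without this step the reply (src/dst swapped) would hash to a different
    member and the connection would not be sticky in both directions.
    """
    src_ip, dst_ip, proto, sport, dport = flow
    endpoints = sorted([(src_ip, sport), (dst_ip, dport)])
    return "|".join(f"{ip}:{port}" for ip, port in endpoints).encode() + bytes([proto])


def decide_member(flow: Flow, member_count: int) -> int:
    """Illustrative decision function: hash the canonical key onto a member index."""
    if member_count < 1:
        raise ValueError("a cluster needs at least one member")
    digest = hashlib.sha256(canonical_key(flow)).digest()
    return int.from_bytes(digest[:4], "big") % member_count


def reply_of(flow: Flow) -> Flow:
    """The reverse-direction 5-tuple of a flow."""
    src_ip, dst_ip, proto, sport, dport = flow
    return (dst_ip, src_ip, proto, dport, sport)


def multicast_actions(flow: Flow, member_count: int) -> List[str]:
    """Multicast mode: every member receives the packet; one enforces, the rest drop."""
    chosen = decide_member(flow, member_count)
    return ["enforce" if m == chosen else "drop" for m in range(member_count)]


def unicast_forward(flow: Flow, member_count: int, pivot: int = 0) -> Tuple[int, int]:
    """Unicast (Pivot) mode: the Pivot receives every packet and forwards it to the
    designated member (which may be the Pivot itself).
    Returns (receiving member, enforcing member)."""
    return pivot, decide_member(flow, member_count)


def sticky_in_both_directions(flow: Flow, member_count: int) -> bool:
    """The property a sticky decision function must satisfy."""
    return decide_member(flow, member_count) == decide_member(reply_of(flow), member_count)


if __name__ == "__main__":
    http = ("10.1.1.50", "192.0.2.10", 6, 40001, 80)  # constructed sample flow
    print("multicast actions:", multicast_actions(http, 3))
    print("unicast (pivot, enforcer):", unicast_forward(http, 3))
    print("sticky both ways:", sticky_in_both_directions(http, 3))
```

Different source ports still spread across members, so load is shared while each individual connection stays on one member; a function that hashed the raw, unsorted 5-tuple would break the second guarantee.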
Maintenance Tasks and Tools

 Perform a manual failover of the firewall cluster
– The recommended way to initiate a failover is to register a critical device in problem state:
  cphaprob -d STOP -s problem -t 0 register
– This puts the current member into the Problem state, so the cluster fails over to another member
– Running cphaprob list will show a STOP entry under Registered Devices
– To remove the problematic STOP device and return the member to service:
  cphaprob -d STOP unregister

Maintenance Tasks and Tools

 Perform a manual failover of the firewall cluster (alternate method)
– Via the command:
  $FWDIR/bin/clusterXL_admin down
– Run it on the active cluster member to initiate a failover to the standby cluster member
– To return the environment to normal:
  $FWDIR/bin/clusterXL_admin up

Advanced Cluster Configuration Examples

Example 1 – Setting CCP to use Broadcast
– The ClusterXL Control Protocol (CCP) uses multicast by default
– Multicast is more efficient than broadcast
– If the connecting switch is not able to forward multicast, change the mode to broadcast:
  cphaconf set_ccp broadcast
– CCP traffic is carried on UDP port 8116
– The setting survives a reboot, but as a precaution add the command to /etc/rc.local
– For verification run cphaprob -a if, which shows the CCP mode of each interface
– For Verizon Wireless deployments CCP must be set to broadcast

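As an added helper (not a Check Point tool) for the two maintenance procedures above, the functions below parse the output of cphaprob list, to confirm that the STOP device is registered in problem state after a manual failover, and the output of cphaprob -a if, to confirm that every interface reports the expected CCP mode after cphaconf set_ccp and that only the dedicated sync interface is secured. The two sample outputs are constructed to follow the layout of those commands and were not captured from a gateway; on a real member you would pass in the stdout of subprocess.run(["cphaprob", "list"], capture_output=True, text=True) instead.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample, modelled on the layout of `cphaprob list` on a member after
# `cphaprob -d STOP -s problem -t 0 register` (not captured from a real gateway).
SAMPLE_CPHAPROB_LIST = """\
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 5 sec

Device Name: STOP
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 2 sec
"""

# Constructed sample, modelled on the layout of `cphaprob -a if` after
# `cphaconf set_ccp broadcast` (not captured from a real gateway).
SAMPLE_CPHAPROB_IF = """\
Required interfaces: 3
Required secured interfaces: 1

eth0       UP                    non sync(non secured), broadcast
eth1       UP                    non sync(non secured), broadcast
eth2       UP                    sync(secured), broadcast

Virtual cluster interfaces: 2

eth0            192.0.2.1
eth1            10.1.1.1
"""


def parse_cphaprob_list(text: str) -> Dict[str, str]:
    """Map each device name (built-in and registered) to its 'Current state'."""
    states: Dict[str, str] = {}
    name = None
    for line in text.splitlines():
        if line.startswith("Device Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Current state:") and name:
            states[name] = line.split(":", 1)[1].strip()
            name = None
    return states


def failover_in_effect(text: str) -> bool:
    """True when the manual STOP device is registered and reports 'problem'."""
    return parse_cphaprob_list(text).get("STOP", "").lower() == "problem"


class ClusterIface(NamedTuple):
    name: str
    status: str      # UP / DOWN
    is_sync: bool    # sync(secured) vs non sync(non secured)
    ccp_mode: str    # multicast / broadcast


IFACE_RE = re.compile(r"^(\S+)\s+(UP|DOWN)\s+(sync|non sync)\(.*?\),\s*(\w+)\s*$")


def parse_cphaprob_if(text: str) -> List[ClusterIface]:
    """Extract the per-interface lines (the virtual-IP table at the end is skipped)."""
    ifaces = []
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            ifaces.append(ClusterIface(m.group(1), m.group(2), m.group(3) == "sync", m.group(4)))
    return ifaces


def check_cluster_interfaces(text: str, expected_ccp: str, expected_sync: str) -> List[str]:
    """Return findings; an empty list means the interfaces are in the expected state."""
    findings = []
    ifaces = parse_cphaprob_if(text)
    if not ifaces:
        return ["no interfaces parsed"]
    for i in ifaces:
        if i.status != "UP":
            findings.append(f"{i.name} is {i.status}")
        if i.ccp_mode != expected_ccp:
            findings.append(f"{i.name} uses CCP {i.ccp_mode}, expected {expected_ccp}")
    sync = [i.name for i in ifaces if i.is_sync]
    if sync != [expected_sync]:
        findings.append(f"sync interfaces are {sync}, expected [{expected_sync!r}]")
    return findings
```

The sync check is the security-relevant one: if a second interface unexpectedly shows up as sync(secured), state-table information is being sent over a network that is not the dedicated sync link.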
Advanced Cluster Configuration Examples

Example 2 – Multicast MAC Addresses
– To find the multicast MAC addresses of a cluster, run on the Security Gateway:
  cphaconf debug_data
– The output is written to /var/log/messages, under the Multicast table section, on each cluster member

Management HA

 The Security Management Server (SMS) holds the system database: objects, users and policy information
 It is important to maintain a backup in case of server failure
 A backup Management Server must be able to take over; otherwise gateways cannot fetch the Security Policy or retrieve the CRL

Management HA

 In Management HA the Active SMS has one or more backup Standby SMSs
 All of these SMSs must run the same OS and software version
 The first SMS installed is designated the Primary SMS
 SMSs installed subsequently are designated Secondary
 Once manually synchronized, either SMS can function as the Active SMS

The Management High Availability Environment

 The Secondary SMS is created with empty databases
 The Active SMS populates the Secondary SMS databases
 The Secondary SMS is ready when:
– It is represented on the Primary SMS by a network object
– SIC has been initialized between it and the Primary SMS
– Manual synchronization with the Primary SMS has been completed

Active vs. Standby

 All management operations are performed on the Active SMS
 If the Active SMS is down, the Standby SMS must be made Active manually by the system administrator
 The Standby and Active SMSs are synchronized so that their databases are up to date
 Gateways can fetch the Security Policy and retrieve a CRL from both the Active and the Standby SMS

What Data is Backed Up?

 For Management HA to function properly, the following is backed up:
– Databases (such as objects and users)
– Certificate information (such as Certificate Authority data and the CRL)
– The last installed Security Policy

Synchronization Modes

 Two ways to perform synchronization:
– Manual synchronization by the system administrator
– Automatic synchronization at set intervals

Synchronization Status

 Synchronization status is the status of the peer SMSs relative to each other:
– Never been synchronized
– Synchronized
– Lagging (the peer's data is older)
– Advanced (the peer's data is newer)
– Collision (both SMSs have changed since the last synchronization)

SecureXL: Security Acceleration

 SecureXL accelerates multiple intensive security operations
 SecureXL offloads firewall operations to performance-optimized software or hardware
 This dramatically increases throughput

What SecureXL Does

 SecureXL records certain attributes of packets and packet flows that have been validated by the firewall
 Future validation of related packets and connections is delegated to the SecureXL API:
– Done at hardware interrupt level on x86
– Supervises the execution of code in the network processors of IP security appliances

Packet Acceleration

 Packets that establish a new TCP or UDP connection-table entry are handled in the "slow path" by the firewall
 Once the first packet has been validated by the firewall, further packets of that connection are handled by the OS's interrupt-level code
 These packets are forwarded directly from the driver level, without the added overhead of the firewall application
 Only packets belonging to that specific TCP/UDP connection can be accelerated this way

Session Rate Acceleration

 In certain high-traffic environments SecureXL:
– Improves the new connection rate (connections per second)
– Improves the connection setup/teardown rate (sessions per second)

 This extends SecureXL's one-time validation from a single connection to a range or block of connections
 Once a packet flow is validated and established, a template of that flow with the source port masked off is saved, creating a global match
 New connection-setup packets that match the template avoid a round trip to the firewall application
 Security is not impacted: the OS still tracks the state of each new connection using stateful inspection

Masking the Source Port

Application Layer Protocol – An Example with HTTP

 The protocol accounting for most Internet traffic is HTTP
 Web pages consist of multiple HTTP components
 With HTTP 1.0 each component is downloaded over a separate TCP connection, which involves substantial overhead in connection setup and tear-down and in proactive firewall connection tracking
 Between the Web client and a Web server, TCP connections are initiated by the Web client sending an HTTP request
 The Web server responds by sending the HTTP component

Application Layer Protocol – An Example with HTTP

 HTTP Requests (->)
– Each packet from the Web client requesting an HTTP component from the Web server has the same source address, destination address, destination port (80) and protocol (TCP)
– Only the source port, assigned by the Web client per connection, differs; it creates a unique socket address at the client for each HTTP request, which is sent over its own TCP connection

Application Layer Protocol – An Example with HTTP

 HTTP Component (<-)
– Going the other direction, each packet from the Web server building the Web page on the Web client has the same source address, destination address, source port (80) and protocol (TCP)
– Only the destination port differs (the port the client OS assigned to that connection)

Application Layer Protocol – An Example with HTTP

 Once a connection with a flow to port 80 is approved by the firewall application for the Web client, a template is created and stored
 All subsequent connection setups carrying the additional requests can share that template approval
 Establishing those subsequent connections does not involve a round trip to the firewall, resulting in faster processing

Application Layer Protocol – An Example with HTTP

 At the client-side firewall, once a connection with a flow to port 80 is approved by the firewall application, all subsequent connections that match the template share the same approval
 Establishing those subsequent connections does not involve a round trip to the firewall
 SecureXL accelerates subsequent connection establishment through both firewalls (client side and server side) when multiple connections share the same source address, destination address, destination (server) port and protocol

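The template mechanism the HTTP slides describe, as an added simulation that is not SecureXL code: the template key is the 5-tuple with the source port masked off, so the second and later client connections to the same server port match the template and skip the round trip to the firewall, while a flow whose rule uses NAT or a source-port range is never templated (two of the factors listed later under Factors that Preclude Templating). The rule format, the rule-base and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP = 6


@dataclass
class Rule:
    """A simplified rule-base entry (constructed; not Check Point's rule format)."""
    src: str
    dst: str
    dport: int
    action: str                                   # "accept" or "drop"
    nat: bool = False                             # NAT on the rule precludes a template
    sport_range: Optional[Tuple[int, int]] = None  # a source-port restriction precludes a template


# Template key: the 5-tuple with the source port masked off.
TemplateKey = Tuple[str, str, int, int]           # src_ip, dst_ip, ip_proto, dst_port


@dataclass
class SecureXLSim:
    rules: List[Rule]
    templates: Dict[TemplateKey, str] = field(default_factory=dict)
    firewall_lookups: int = 0                     # round trips to the firewall application

    def _firewall_path(self, src: str, dst: str, sport: int, dport: int) -> Optional[Rule]:
        """Slow path: first-packet rule-base lookup in the firewall application."""
        self.firewall_lookups += 1
        for rule in self.rules:
            if rule.src == src and rule.dst == dst and rule.dport == dport:
                if rule.sport_range and not (rule.sport_range[0] <= sport <= rule.sport_range[1]):
                    continue
                return rule
        return None

    def new_connection(self, src: str, dst: str, sport: int, dport: int,
                       proto: int = TCP) -> Tuple[str, str]:
        """Handle a connection-setup packet. Returns (action, path taken)."""
        key = (src, dst, proto, dport)
        if key in self.templates:
            return self.templates[key], "template"   # no round trip to the firewall
        rule = self._firewall_path(src, dst, sport, dport)
        action = rule.action if rule else "drop"
        # Only an accepted flow whose decision did not depend on the masked source port
        # or on NAT may be turned into a template; otherwise the template could match
        # a connection the rule-base would have treated differently.
        templatable = (
            rule is not None and action == "accept"
            and not rule.nat and rule.sport_range is None
        )
        if templatable:
            self.templates[key] = action
        return action, "firewall"


if __name__ == "__main__":
    sim = SecureXLSim(rules=[Rule("10.1.1.50", "192.0.2.10", 80, "accept")])
    for sport in (40001, 40002, 40003):  # three HTTP 1.0 component downloads
        print(sport, sim.new_connection("10.1.1.50", "192.0.2.10", sport, 80))
    print("firewall lookups:", sim.firewall_lookups)
```

The templatable test is where the security guarantee lives: a template is only a shortcut for decisions that are identical for every source port, which is exactly why rules with source-port ranges, NAT, time objects and similar context cannot be templated.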
HTTP 1.1

 HTTP version 1.1 improves protocol performance by permitting persistent and pipelined server connections
 The server can keep the connection alive after sending the end of a component, avoiding the need to create a new connection for the next component
 While HTTP 1.1 is significantly less connection-intensive, HTTP 1.0 remains the protocol that generates most of the new connection requests in enterprise and Internet traffic

Factors that Preclude Acceleration

 SDF (Sticky Decision Function)
 QoS
 Connections to or from the module (the gateway itself)
 Connections that require Security Servers (AUTH, AV, URLF, AS)
 Connections that have a handler: ICMP, FTP, H.323, etc.
 Some IPS features
 IP ID, TTL and DNS protocol enforcement
 Multicast packets

Factors that Preclude Templating (Session Acceleration)

 Time objects
 Dynamic objects
 Domain objects
 Source port ranges
 IPS features not supported in acceleration
 NAT
 Encrypted connections

Packet Flow

VPN Capabilities

 SecureXL adds VPN routing capabilities and enhanced connectivity support to VPNs in dynamic routing environments:
– VPN Link Selection
– Dynamic VPN Routing
– Wire Mode connections

CoreXL: Multicore Acceleration

 CoreXL introduces advanced core-level load balancing
 Multi-core CPU support allows traffic to be shared among the cores of a single system
 Combining multi-core CPUs with SecureXL acceleration can deliver more than 10 Gbps of intrusion prevention throughput
 CoreXL replicates the firewall kernel on each processing core and handles traffic concurrently; each instance is a complete and independent inspection kernel

Supported Platforms and Features

 CoreXL is supported on SecurePlatform, Gaia, IP and Crossbeam platforms. It does not support the following Check Point features:
– Check Point QoS
– Traffic view in SmartView Monitor
– FireWall-1 GX
– Route-based VPN
– IP Pool NAT
– IPv6
– Overlapping NAT
– SMTP resource

Default Configuration

 In CoreXL the default number of kernel instances is derived from the total number of cores in the system; the cores not running a kernel instance are left for the SND

Processing Core Allocation

 The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is responsible for:
– Processing incoming traffic from the network interfaces
– Securely accelerating packets (SecureXL)
– Distributing non-accelerated packets among the kernel instances

Processing Core Allocation

 Traffic entering a NIC is directed to a processing core running the SND
 Setting a kernel instance or process to run on a particular core is called the instance's or process's affinity with that core
 The default affinity setting for all interfaces is Automatic
 With Automatic affinity, interface affinity is reset every 60 seconds and balanced between the available cores
 Any processing core running a kernel instance is considered unavailable and will not be set as the affinity for any interface

Processing Core Allocation

 In some cases the SND cores can be overloaded by high traffic
 Manual SIM affinity can alleviate this:
– Use sim affinity -l together with the /proc/interrupts file to see the current affinity distribution
 Each busy interface should be assigned its own IRQ, and the IRQs distributed among the SND cores
 Refer to sk33250 for how to edit SIM affinity

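The sim affinity -l and /proc/interrupts check above, as an added Python example that is not a Check Point tool: it parses a constructed /proc/interrupts excerpt, finds the core that actually services each NIC's IRQ, and flags the two conditions the slides warn about: two busy interfaces landing on the same SND core, and an interface IRQ landing on a core reserved for a kernel instance. The interrupt counts, device names, busy threshold and the set of kernel-instance cores are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed /proc/interrupts excerpt for a 4-core gateway (not a real capture).
# eth0 and eth1 are both serviced by CPU0; eth3 is serviced by CPU2.
SAMPLE_PROC_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  24:   98123456          0          0          0   PCI-MSI-edge      eth0
  25:   87654321          0          0          0   PCI-MSI-edge      eth1
  26:          0      12345          0          0   PCI-MSI-edge      eth2
  27:          0          0      22222          0   PCI-MSI-edge      eth3
 NMI:          0          0          0          0   Non-maskable interrupts
 LOC:    1000000    1000000    1000000    1000000   Local timer interrupts
"""

# Numbered IRQ line: "<irq>: <count per CPU ...> <controller> <device>"
IRQ_LINE = re.compile(r"^\s*(\d+):((?:\s+\d+)+)\s+(\S.*?)\s+(\S+)\s*$")


def parse_interrupts(text: str) -> Dict[str, Dict[str, int]]:
    """Return {device: {"irq": n, "cpu": index of the core with the most hits, "count": hits}}
    for every numbered IRQ line; the busiest column is the core currently servicing it."""
    lines = text.splitlines()
    if not lines:
        return {}
    cpus = lines[0].split()
    result: Dict[str, Dict[str, int]] = {}
    for line in lines[1:]:
        m = IRQ_LINE.match(line)
        if not m:
            continue
        counts = [int(c) for c in m.group(2).split()]
        if len(counts) != len(cpus):
            continue
        busiest = max(range(len(counts)), key=lambda i: counts[i])
        result[m.group(4)] = {"irq": int(m.group(1)), "cpu": busiest, "count": counts[busiest]}
    return result


def snd_core_report(text: str, instance_cores: Set[int],
                    busy_threshold: int = 1_000_000) -> List[str]:
    """Findings for the SND/IRQ layout:
    - an interface IRQ serviced by a core reserved for a kernel instance
    - busy interfaces (count >= busy_threshold) that share one SND core
    """
    findings: List[str] = []
    by_cpu: Dict[int, List[str]] = defaultdict(list)
    for dev, info in parse_interrupts(text).items():
        if info["cpu"] in instance_cores:
            findings.append(
                f"{dev} (IRQ {info['irq']}) is serviced by CPU{info['cpu']}, a kernel-instance core")
        if info["count"] >= busy_threshold:
            by_cpu[info["cpu"]].append(dev)
    for cpu, devs in sorted(by_cpu.items()):
        if len(devs) > 1:
            findings.append(f"busy interfaces {devs} share CPU{cpu}; spread their IRQs over the SND cores")
    return findings


if __name__ == "__main__":
    # On a gateway: open("/proc/interrupts").read() and the instance cores from fw ctl affinity -l
    for finding in snd_core_report(SAMPLE_PROC_INTERRUPTS, instance_cores={2, 3}):
        print(finding)
```

The set of kernel-instance cores is an input rather than something parsed here; on a gateway it comes from the affinity listing, and any interface that the report places on one of those cores is being serviced by a core the SND should not be using.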
Allocating Processing Cores

 In some cases it may be advisable to change the distribution of kernel instances, the SND and other processes among the cores
 This is done by changing the affinities of NICs and/or processes
 If you change the affinities of interfaces or other processes, you also need to set the number of kernel instances and ensure that the instances run on other processing cores

Adding Processing Cores to the Hardware

 Increasing the number of processing cores in the hardware does not automatically increase the number of kernel instances
 If the number of kernel instances is not increased, CoreXL does not utilize some of the processing cores
 After upgrading the hardware, increase the number of kernel instances using cpconfig

Adding Processing Cores to the Hardware

 Reinstalling the gateway changes the number of kernel instances (it reverts to the default for the current core count) if you have upgraded the hardware to add processing cores, or if the number of kernel instances had been changed from the default
 Use cpconfig to reconfigure the number of kernel instances

Adding Processing Cores to the Hardware

 In a clustering deployment, changing the number of kernel instances is treated like a version upgrade
 Follow the directions in the Upgrade Guide and perform either a Minimal Effort Upgrade or a Zero Downtime Upgrade
 Substitute the instance-number change for the version upgrade in the procedure
 A Full Connectivity Upgrade cannot be performed when changing the number of kernel instances

Allocating an Additional Core to the SND

 In some cases the default configuration of instances and SND is not optimal, because the load on the SND may be disproportionate to that of the kernel instances:
– Most traffic is of a type accelerated by Performance Pack (SecureXL)
– ClusterXL Load Sharing deployment
– IPS features disabled

 If the SND is slowing traffic, and there are enough cores to reduce the number of kernel instances, allocate an additional core to the SND

Allocating a Core for Heavy Logging

 If the gateway performs heavy logging:
– Allocate a processing core to the fwd daemon
 This reduces the number of cores available for kernel instances

Packet Flows with SecureXL Enabled

 Acceleration path
– Packet handled entirely by SecureXL
 Medium path
– Packet handled by SecureXL, except for IPS processing, which is done by a kernel instance
 Firewall path
– SecureXL is unable to process the packet; it is handled by the firewall kernel instance

Lab Practice

 Lab 3: Migrating to a Clustering Solution

Review Questions

1. What is the main advantage of Monitored-circuit VRRP?
– It eliminates "black holes" caused by asymmetric routes when one interface on the master fails

2. What two modes does State Synchronization work in?
– Full synchronization
– Delta synchronization

3. What does Check Point recommend for securing the synchronization interface?
– Using a dedicated sync network
– Connecting the physical network interfaces of the cluster members directly using a cross-over cable

4. In a Management HA environment, how do you know when the Secondary SMS is ready?
– It is represented on the Primary SMS by a network object
– SIC has been initialized between it and the Primary SMS
– Manual synchronization with the Primary SMS has been completed for the first time

Advanced User Management

Learning Objectives

 Using an external user database such as LDAP, configure User Directory to incorporate user information for authentication services on the network
 Manage internal and external user access to resources for Remote Access or across a VPN
 Troubleshoot user access issues found when implementing Identity Awareness

Active Directory OU Structure

 Active Directory is a directory database technology based on the Lightweight Directory Access Protocol (LDAP)
 It is based on objects and containers set up in a hierarchical structure
 Each tier of the hierarchy is made up of containers holding objects, or containers holding other containers and objects

Active Directory OU Structure

 Each object or entry in the directory is made up of a set of attributes, each with an attribute type (or description) and one or more values
 The set of rules that governs the types of objects in the directory and their associations is called the schema
 Each object has a unique identifier, its Distinguished Name (DN)
 The DN is built from the object's Relative Distinguished Name (RDN), which is constructed from some attributes of the object, followed by the parent entry's DN

Active Directory OU Structure

 The container is called an Organizational Unit (OU)
 OUs are tiers in the hierarchy and contain objects in three categories:
– Resources
– Services
– Users

Active Directory OU Structure

 AD hierarchies are nested within each other, stemming from a root level
 Example: atlantiscorp.cp.local has the sub-OUs:
– sales.atlantiscorp.cp.local
– finance.atlantiscorp.cp.local
– mis.atlantiscorp.cp.local
 Each is a distinct container at its own level and part of the enterprise container atlantiscorp.cp.local
 A user in MIS could have the following AD designation (the comma inside the CN value is escaped with a backslash so it is not read as an RDN separator):
– CN=Boucher\,Eric,OU=MIS,DC=atlantiscorp,DC=cp,DC=local

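The DN structure described above, as an added Python example that is not Check Point code: it splits a DN into its RDNs while honouring the backslash escape in CN=Boucher\,Eric, reconstructs the parent DN, and tests whether a user entry lies in an Account Unit branch, the distinction behind the Only Sub Tree and Only Group in branch options that appear later in the troubleshooting steps. Two simplifications are made here: comparison is case-insensitive on both attribute type and value, and the escape handling covers only the RFC 4514 special characters.

```python
from typing import List, Tuple

RDN = Tuple[str, str]            # (attribute type, value)
SPECIAL = '\\,+"<>;'             # RFC 4514 characters that must be backslash-escaped in a value


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, honouring backslash escapes so that
    'CN=Boucher\\,Eric' stays one RDN with the value 'Boucher,Eric'."""
    rdns: List[RDN] = []
    attr, buf, i = None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take the next one literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, "".join(buf)))
    return rdns


def escape_value(value: str) -> str:
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def parent_dn(dn: str) -> str:
    """The DN of the containing entry (drop the leading RDN)."""
    return join_dn(split_dn(dn)[1:])


def _norm(rdns: List[RDN]) -> List[RDN]:
    return [(t.lower(), v.lower()) for t, v in rdns]   # simplification: case-insensitive match


def in_subtree(entry_dn: str, branch_dn: str) -> bool:
    """True if entry_dn lies anywhere under branch_dn (the 'Only Sub Tree' case)."""
    entry, branch = _norm(split_dn(entry_dn)), _norm(split_dn(branch_dn))
    return len(entry) > len(branch) and entry[-len(branch):] == branch


def in_branch_directly(entry_dn: str, branch_dn: str) -> bool:
    """True if the entry's parent is exactly branch_dn (one level, no deeper OUs)."""
    return _norm(split_dn(entry_dn))[1:] == _norm(split_dn(branch_dn))


if __name__ == "__main__":
    user = "CN=Boucher\\,Eric,OU=MIS,DC=atlantiscorp,DC=cp,DC=local"   # DN from the slide
    print(split_dn(user))
    print("parent:", parent_dn(user))
    print("in MIS subtree:", in_subtree(user, "OU=MIS,DC=atlantiscorp,DC=cp,DC=local"))
    print("in Sales subtree:", in_subtree(user, "OU=Sales,DC=atlantiscorp,DC=cp,DC=local"))
```

A naive dn.split(",") would turn the slide's DN into six pieces and misplace the user, which is the kind of branch mismatch that makes an Account Unit fail to find an entry.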
Using LDAP Servers with Check Point

 The Security Management Server supports LDAP
 No user management infrastructure in place?
– Choose between managing users internally (in the Check Point user database) or implementing LDAP
– With a large user count, use an external user management database such as LDAP
 LDAP advantages:
– SMS performance is enhanced
– The LDAP database is available to other applications

Using LDAP Servers with Check Point

 To manage users on a User Directory (LDAP) server a special license is required
 Integrate the SMS and Security Gateways with User Directory to:
– Query user information
– Enable user management
– Enable CRL retrieval
– Authenticate users

LDAP User Management with User Directory

 Integrated with Check Point Security Management, LDAP is called User Directory
 The Security Management Server and the Security Gateway function as User Directory clients
 The SMS manages user information on the User Directory (LDAP) server
 The Security Gateway queries the server for user information, for CRL retrieval and for authentication

LDAP User Management with User Directory

 Differences between internal users and User Directory (LDAP) users:
– User management on the User Directory server is done externally
– A User Directory server template can be modified and applied to users dynamically

LDAP User Management with User Directory

 User Directory (LDAP) features:
– Based on the client/server model
– Each entry has a unique DN
– Default port numbers are TCP 389 (LDAP) and TCP 636 (LDAP over SSL)
– Each LDAP server is an Account Unit
– High Availability
– Compartmentalization
– Encrypted and non-encrypted connections
– Support for multiple LDAP vendors using profiles

Defining an Account Unit

 An Account Unit is the interface between the client and the server
 Each Account Unit represents one or more branches of a User Directory (LDAP) server
 An Account Unit represents the location of users in the LDAP directory

Configuring Active Directory

 The User Management Wizard is used for configuring Active Directory
 The User Management Wizard has two parts:
– Quick setup of AD
– Management of users, groups, LDAP groups and authentication servers
 A RADIUS server can be configured in the Wizard as well

Schemas

 An LDAP schema defines the types of objects and their attributes
 The default schema includes the user definitions of that proprietary LDAP server
 The Check Point schema complements the structure of information in the LDAP server and includes SMS- and Gateway-specific information
 The Check Point schema can be used to enhance object definitions for more granular user authentication

Multiple User Directory (LDAP) Servers

 With multiple User Directory (LDAP) servers, client queries are sent to the servers according to the priority defined:
– Per Gateway
– Per Account Unit

Authentication Process Flow

Limitations of Authentication Flow

 Some limitations to keep in mind:
– For users in the internal database the authentication method is set on the user record
– For users in an LDAP database the authentication scheme cannot be set on the user record without extending the schema
– The predefined search order (first the internal database, then the LDAP servers) slows the search down and can surface conflicting user information
– All LDAP servers are searched simultaneously; the gateway cannot determine which Account Unit to search

User Directory (LDAP) Profiles

 User Directory profiles are designed to normalize the dissimilar object repositories, schemas and object relations of different LDAP vendors
 Four default profiles:
– OPSEC_DS
– Netscape_DS
– Novell_DS
– Microsoft_AD

Troubleshooting User Authentication and User Directory (LDAP)

 User Authentication problems? Verify the configuration.
1. Make sure that Global Properties > SmartDirectory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked (the page is named User Directory in newer versions).
2. Verify that your Account Unit (AU) is configured for user management, i.e., User Management is checked on the General tab of the AU.
3. Configure the correct User Directory profile. Which LDAP server are you using? Is it one of our supported OPSEC servers? Verify that your OPSEC LDAP server is supported on http://www.opsec.com/solutions/sec_authentication.html.

Advanced User Management

Troubleshooting User Authentication and User


Directory (LDAP

4. Check that the AU object is configured correctly, i.e., profile, correct branches and
5. Check the LDAP group objects configuration. How did you configure the LDAP groups? If you selected the option:
   All Account-Unit's Users or Only Sub Tree – the groups defined on the LDAP server are irrelevant
   Only Group in branch – the group must point to a group on the LDAP server. Is it a dynamic group?
6. Where do you use authentication? The relevant LDAP groups should be used in the authorizations of the product that uses authentication. For example, when using Endpoint Connect, the user groups should be defined on the Remote Access object.

 Once the configuration is verified, debug:
– Run TDERROR_ALL_AU=5 on the process that performs the authentication.
– Which process this is depends on item number 4 above; for example, it would be the vpnd process for Endpoint Connect.
– Try to authenticate with the problematic user (and with a user that authenticated successfully, if you have one), and save the log file.
– A capture of a successful and an unsuccessful login will help you investigate the problem
– Be sure your AU object is configured not to work with SSL, so that you have a clear connection
– When you have the capture, try to see which attributes are being used to query for group membership.

Common Configuration Pitfalls

 When troubleshooting User Directory (LDAP), check for these pitfalls:
– The Use User Directory (LDAP) checkbox is unchecked in Global Properties.
– The bind credentials for the LDAP AU are wrong. Incorrect credentials are not flagged at the time the AU is created.
– The option User Management is unchecked on the General tab of the AU.
– Allowed authentication schemes may be configured on the SG, but the corresponding scheme is not selected in the AU properties.
– The AUs are assigned to the SG, but the AU is not selected.
– The LDAP schema is not extended and the AU is not assigned an authentication scheme.
– Even if the schema is extended, the authentication scheme on the user record could still be undefined. It will remain undefined even though the AU defines a scheme.
– The generic template is used and a password is defined on it.

Some LDAP Tools

 ldapsearch
For example:
  ldapsearch -D cn=administrator,cn=users,dc=boaz,dc=com -w zubur1! -b cn=users,dc=boaz,dc=com -h 20.20.20.100 '(&(objectclass=user)(sAMAccountName=zaza))' mobile otherMobile

 ldapcmd (per process; commands: cacheclear, cachetrace, log on/off)

 ldapmodify
For example:
  ldapmodify -c -h <host> -D <Admin FQDN> -w <password> -f <schema ldif file>

Troubleshooting User Authentication

 A set of libraries in the /CPShared directory is linked to the application process. The processes which perform the authentication include:
– fwm – SmartDashboard authentication
– vpnd – Remote Access authentication
– cvpnd – SSL VPN user authentication
– Security Servers – user/client/session authentication

 The authentication is mostly performed by the infrastructure in cpauth. The authentication infrastructure code modules in the chain include:
– cpauth. The authentication schemes performed by cpauth include:
  Username and password (internal database as well as LDAP)
  RADIUS
  SecurID
  TACACS
  OS password
– cpldapcl, ldap
– ace5sdk

 When examining log entries, search for the following information to help with the debugging:
– Username
– Functions: make_au, au_auth, au_fetchuser, cpLdapGetUser, cpLdapCheck
– After the fetch, the user's set is printed
– Authentication starts with au_auth_auth; look for the authentication result
– Often the problem is authorization, not authentication
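
As an added example (not Check Point code), the following Python scans a saved debug capture for exactly those markers and maps what it finds onto the checklist above: was the user fetched, does the record carry a scheme, what did au_auth_auth decide, and was the real failure authorization rather than authentication. The log line layout is constructed for illustration; adapt the regular expressions to what your TDERROR_ALL_AU capture actually contains.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: what a vpnd capture taken with TDERROR_ALL_AU=5 might
# hold after three users tried Remote Access logins. Real output differs in
# layout, so treat the regular expressions below as a starting point only.
SAMPLE_LOG = """\
[vpnd 4711]@gw[10 Jan 12:00:01] make_au: creating AU 'corp_ad' for user 'alice'
[vpnd 4711]@gw[10 Jan 12:00:01] au_fetchuser: fetching user 'alice' from 'corp_ad'
[vpnd 4711]@gw[10 Jan 12:00:01] cpLdapGetUser: user 'alice' found dn=cn=alice,cn=users,dc=example,dc=com
[vpnd 4711]@gw[10 Jan 12:00:01] user set: {alice groups=[vpn-users, staff] scheme=ldap}
[vpnd 4711]@gw[10 Jan 12:00:02] au_auth_auth: user 'alice' result=SUCCESS
[vpnd 4711]@gw[10 Jan 12:00:02] authorization: user 'alice' not in any group of the Remote Access object
[vpnd 4711]@gw[10 Jan 12:00:30] make_au: creating AU 'corp_ad' for user 'bob'
[vpnd 4711]@gw[10 Jan 12:00:30] au_fetchuser: fetching user 'bob' from 'corp_ad'
[vpnd 4711]@gw[10 Jan 12:00:30] cpLdapGetUser: user 'bob' found dn=cn=bob,cn=users,dc=example,dc=com
[vpnd 4711]@gw[10 Jan 12:00:30] user set: {bob groups=[staff] scheme=undefined}
[vpnd 4711]@gw[10 Jan 12:00:31] au_auth_auth: user 'bob' result=FAILED reason=no authentication scheme
[vpnd 4711]@gw[10 Jan 12:01:00] make_au: creating AU 'corp_ad' for user 'carol'
[vpnd 4711]@gw[10 Jan 12:01:00] au_fetchuser: fetching user 'carol' from 'corp_ad'
[vpnd 4711]@gw[10 Jan 12:01:00] cpLdapGetUser: user 'carol' not found under cn=users,dc=example,dc=com
"""

# The function names are the ones the slide tells you to search for.
FUNC_RE = re.compile(r"\] (make_au|au_auth_auth|au_auth|au_fetchuser|cpLdapGetUser|cpLdapCheck):")
USER_RE = re.compile(r"user '([^']+)'")
FOUND_RE = re.compile(r"cpLdapGetUser: user '[^']+' found dn=(\S+)")
SET_RE = re.compile(r"user set: \{(\w+) groups=\[([^\]]*)\] scheme=(\w+)\}")
RESULT_RE = re.compile(r"au_auth_auth: user '[^']+' result=(\w+)(?: reason=(.*))?")
AUTHZ_RE = re.compile(r"authorization: user '[^']+' (.*)")


@dataclass
class AuthTrace:
    user: str
    functions: List[str] = field(default_factory=list)  # chain seen, in order
    dn: Optional[str] = None          # set once cpLdapGetUser found the record
    groups: List[str] = field(default_factory=list)
    scheme: Optional[str] = None      # taken from the printed user set
    result: Optional[str] = None      # taken from au_auth_auth
    reason: Optional[str] = None
    authz_error: Optional[str] = None


def parse_log(text: str) -> Dict[str, AuthTrace]:
    """Group the debug lines per username and pull out the markers the slide names."""
    traces: Dict[str, AuthTrace] = {}
    for line in text.splitlines():
        m_set = SET_RE.search(line)
        m_user = USER_RE.search(line)
        name = m_set.group(1) if m_set else (m_user.group(1) if m_user else None)
        if name is None:
            continue
        trace = traces.setdefault(name, AuthTrace(name))
        m_func = FUNC_RE.search(line)
        if m_func:
            trace.functions.append(m_func.group(1))
        m_found = FOUND_RE.search(line)
        if m_found:
            trace.dn = m_found.group(1)
        if m_set:
            trace.groups = [g.strip() for g in m_set.group(2).split(",") if g.strip()]
            trace.scheme = m_set.group(3)
        m_res = RESULT_RE.search(line)
        if m_res:
            trace.result, trace.reason = m_res.group(1), m_res.group(2)
        m_authz = AUTHZ_RE.search(line)
        if m_authz:
            trace.authz_error = m_authz.group(1)
    return traces


def diagnose(trace: AuthTrace) -> str:
    """Walk the slide's checklist in order and name the first stage that went wrong."""
    if "au_fetchuser" not in trace.functions:
        return "not fetched: lookup never started, check that the AU is assigned to the gateway"
    if trace.dn is None:
        return "not fetched: user not found in LDAP, check the AU profile and branches"
    if trace.scheme in (None, "undefined"):
        return "fetched, but no authentication scheme on the user record (schema not extended or scheme not set)"
    if trace.result != "SUCCESS":
        return f"authentication failed: {trace.reason or 'see au_auth_auth result'}"
    if trace.authz_error:
        return f"authorization, not authentication: {trace.authz_error} (groups={trace.groups})"
    return "authenticated and authorized"


def report(text: str) -> Dict[str, str]:
    return {user: diagnose(trace) for user, trace in parse_log(text).items()}


if __name__ == "__main__":
    for user, verdict in report(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```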

Identity Awareness

 Identity Awareness key features:
– Configurable access roles
– Multiple user identification methods
– Deployment wizard for fast and simple deployment
– Identity sharing

 Identity Awareness uses IP addresses as the means to map user and machine identities

 Identity Awareness acquires user identities from Identity Sources:
– AD Query
– Captive Portal

 Once an Identity Source is enabled on the Gateway, a network IP address is mapped to the user
 When traffic arrives from/to these IPs, user and computer name information is included in the logs

 Identity Awareness troubleshooting procedures:
1. Verify the AD Query setup
2. Identify users behind an HTTP proxy
3. Verify that there is a logged-on AD user at the source IP
4. Check the source computer OS and activate Captive Portal
5. Use SmartView Tracker for further troubleshooting

Enabling AD Query

 Once AD Query is enabled, the Gateway registers with the Domain Controllers to analyze security logs and map IPs on the network to users and computers
 Detecting all users and computers may take a few hours, depending on network activity
 To quickly identify a user, lock and unlock the user's computer to generate a security event

AD Query Setup

 Verify the following conditions:
– Active Directory event logging is set up
– The Domain Controllers are configured to audit authentication success events; look for these event numbers:
  – Windows 2003: events 672, 673, 674
  – Windows 2008: events 4624, 4768, 4770
– The LDAP Account Unit is set up
– The gateway connects to all domain controllers
– No firewall/IPS device en route to the domain controller is blocking DCOM
– The Check Point Firewall or IPS is not blocking DCOM
– Non-English user names
– Users reach the gateway and domain controller with the same endpoint ID

Identifying Users Behind an HTTP Proxy

 With an HTTP proxy server between the users and the Security Gateway, logs show the proxy as the source IP address, not user identities
 For Application Control, add the X-Forward-For HTTP header at the proxy server to resolve the issue:
1. Configure the proxy server to insert the X-Forward-For HTTP header
2. In SmartDashboard, on the Identity Awareness page of the gateway object, check "For Application Control blade, detect users located behind HTTP proxy using X-Forward-For header"
3. Install the policy

Verify Logged On AD User at the Source IP

 Verify that the computer at the IP is a domain computer and has a user logged on
1. Verify that the computer is a domain member. From a computer in the domain, try to access the C$ share on the source IP. For example, using the Start > Run command, enter \\10.0.0.1\C$. When prompted for credentials, enter domain administrator credentials. If you successfully opened the C$ share, this is a domain computer.
2. Verify that there is a user logged on. Use a WMI tool such as WMI Explorer to remotely connect to the IP and query for the user name.

Checking the Source Computer OS

 Cannot connect to the source IP's C$ share or with WMI Explorer?
– Possibly this computer is not a member of the domain
– Possibly this IP is a domain computer, but RPC and WMI traffic is blocked on the network or on the target computer

 To determine the OS at the IP, use remote endpoint profiling tools such as nmap to detect the OS
 For example, run "nmap -A 10.0.0.1" to detect the OS at this IP

Using SmartView Tracker

 Track Identity Awareness Login Activity to troubleshoot:
1. Open the SmartView Tracker Identity Awareness Login Activity view
2. Search for log records from the source IP that is missing in the logs
– If there are no logs, search in log files that were already switched. Still no logs? AD Query failed to identify the user; contact support
– If you see the Login and the AD Query on different gateways, verify that identity sharing is configured correctly in the Identity Awareness properties
– If you see Logout logs although the user was active during that time, increase the AD Query association timeout
– If you see a Logout log for a user, followed by a Login log of a different user on the same IP, it may be a Windows service logging in with a user account
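
The decision list above turned into a small Python check, added here as an example (not Check Point code). The record layout is a constructed export, not SmartView Tracker's real column format; the gateway names, timestamps and the per-IP last-activity times are assumptions, and the 60-second window for the service-account pattern is an arbitrary choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class IdentityRecord:
    time: datetime
    gateway: str
    action: str   # "Login" or "Logout"
    user: str
    ip: str
    source: str   # identity source that produced the record, e.g. "AD Query"


# Constructed sample of an Identity Awareness Login Activity export
# (time; gateway; action; user; source IP; identity source).
SAMPLE_LINES = [
    "2013-01-10 08:00:00; gw-hq; Login; alice; 10.0.0.1; AD Query",
    "2013-01-10 08:45:10; gw-hq; Logout; alice; 10.0.0.1; AD Query",
    "2013-01-10 08:45:12; gw-hq; Login; svc_backup; 10.0.0.1; AD Query",
    "2013-01-10 08:10:00; gw-branch; Login; bob; 10.0.0.2; AD Query",
    "2013-01-10 09:00:00; gw-branch; Logout; bob; 10.0.0.2; AD Query",
]

# Constructed: the last time the firewall logs showed traffic from each source IP.
LAST_ACTIVITY = {
    "10.0.0.1": datetime(2013, 1, 10, 8, 40, 0),
    "10.0.0.2": datetime(2013, 1, 10, 9, 20, 0),
}


def parse_records(lines: List[str]) -> List[IdentityRecord]:
    records = []
    for line in lines:
        t, gw, action, user, ip, src = [f.strip() for f in line.split(";")]
        records.append(IdentityRecord(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), gw, action, user, ip, src))
    return sorted(records, key=lambda r: r.time)


def analyse_ip(records: List[IdentityRecord], ip: str, enforcing_gateway: str,
               last_activity: Optional[Dict[str, datetime]] = None,
               service_gap: timedelta = timedelta(seconds=60)) -> List[str]:
    """Apply the slide's checks to one source IP; an empty list means nothing to report."""
    findings: List[str] = []
    mine = [r for r in records if r.ip == ip]
    if not mine:
        return ["no Identity Awareness logs for this IP: check already-switched log files; "
                "if still none, AD Query did not identify the user"]
    # Login recorded by AD Query on a different gateway than the enforcing one: identity sharing
    for r in mine:
        if r.action == "Login" and r.source == "AD Query" and r.gateway != enforcing_gateway:
            findings.append(f"AD Query login of {r.user} seen on {r.gateway}, not on {enforcing_gateway}: "
                            "verify identity sharing in the Identity Awareness properties")
    # Logout immediately followed by a Login of a different user on the same IP
    for prev, nxt in zip(mine, mine[1:]):
        if (prev.action == "Logout" and nxt.action == "Login"
                and prev.user != nxt.user and nxt.time - prev.time <= service_gap):
            findings.append(f"Logout of {prev.user} followed by Login of {nxt.user} on the same IP: "
                            "possibly a Windows service logging in with a user account")
    # Logout while the IP was still generating traffic: association timeout too short
    if last_activity:
        for r in mine:
            if r.action == "Logout" and last_activity.get(ip, r.time) > r.time:
                findings.append(f"Logout of {r.user} at {r.time:%H:%M:%S} while the IP was active until "
                                f"{last_activity[ip]:%H:%M:%S}: increase the AD Query association timeout")
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(ip, analyse_ip(recs, ip, "gw-hq", LAST_ACTIVITY))
```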
Lab Practice

 Lab 4: Configuring SmartDashboard to Interface with Active Directory

Review Questions

1. What objects make up an Organizational Unit container?
– Resources
– Services
– Users

2. What does an LDAP Schema do?
– Defines the types of objects and object attributes in the directory

3. How long can it take for an AD Query to map users and computers to IPs?
– AD Query may take up to a few hours to complete the mapping of users and computers to IPs

4. If you cannot connect to the source IP C$ share or with WMI Explorer, what is the likely cause?
– This IP is a computer that is not a member of the domain

Advanced IPsec VPN and Remote Access

Learning Objectives

 Using our knowledge of fundamental VPN tunnel concepts, troubleshoot a site-to-site or certificate-based VPN on a corporate gateway using IKEView, VPN log files and command-line debug tools.

 Optimize VPN performance and availability by using Link Selection and Multiple Entry Point solutions.

 Manage and test corporate VPN tunnels to allow for greater monitoring and scalability with multiple tunnels defined in a community, including other VPN providers.

IPsec

 IPsec is an open standard protocol suite for secure IP communication, using authentication and encryption techniques on IP packets:
– Authentication Headers (AH)
– Encapsulating Security Payloads (ESP)
– Security Associations (SA)

Internet Key Exchange (IKE)

 IKE negotiations have two phases:
– Phase 1 (Main mode)
– Phase 2 (Quick mode)

 The negotiation process can be observed in ike.elg with IKEView

IKE Key Exchange Process – Phase 1

 Phase 1 (Main mode) negotiates encryption methods and establishes a key to protect the messages of an exchange
– Stage 1: Peers negotiate algorithms, authentication methods, and Diffie-Hellman groups
– Stage 2: Each gateway generates a DH private key and public key and calculates the shared key
– Stage 3: Peers authenticate using the certificate or PSK

IKE Key Exchange Process – Example

 The IKE exchange uses six packets for Phase 1 (Main mode), and three packets for Phase 2 (Quick mode)
 For Main mode packet 1, the initiator 172.24.104.1 provides:
– Encryption algorithm: AES-CBC
– Key length: 256 bit
– Hash algorithm: SHA1
– Authentication method: pre-shared key

1. Packet 2 is from the responder, to agree on one encryption and hash algorithm.
2. Packets 3 and 4 perform the key exchange and include a large number never used before, called a nonce.
3. Packets 5 and 6 perform authentication between the peers of the tunnel. The peer's IP address shows in the ID field under MM packet 5.
4. Packet 6 shows the peer has agreed to the proposal and has authenticated the initiator.

 In Phase 2:
– Security Associations are negotiated
– Shared-secret key material is determined
– An additional DH exchange occurs

 Phase 2 failures are often due to a misconfigured VPN Domain, such as:
– Omitted objects
– Duplicate objects
– All IP addresses behind the gateway

IKE Key Exchange Process

 Phase 2 stages:
– Peers exchange more key material and agree on encryption and integrity methods for IPsec
– The DH key is combined with the key material to produce the symmetric IPsec key
– Symmetric IPsec keys are generated

1. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.
   In the ID field, the initiator's VPN Domain configuration displays. In the following figure, the VPN Domain for the initiator is the 10.2.4.0/24 network.
2. ID field_2 proposes the peer's VPN Domain configuration. In the figure below, the VPN Domain for the peer Gateway is the 10.2.2.0/24 network.
3. Packet 2 from the responder agrees to its own subnet or host ID, and encryption and hash algorithm.
4. Packet 3 completes the IKE negotiation.
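
A small Python model of the two negotiations just described, added here as an example (not Check Point code or IKEView output): Main mode packet 2 picks one of the initiator's transforms or answers "No Proposal Chosen", and the ID payloads of Quick mode packet 1 are checked against the two VPN Domains (10.2.4.0/24 and 10.2.2.0/24 from the figures) for the omitted-object and duplicate-object failures listed above. The DH group value and the alternative proposals are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"   # responder's answer when nothing offered is acceptable


@dataclass(frozen=True)
class Transform:
    """One Phase 1 proposal: the fields the slides show for Main mode packet 1."""
    encryption: str     # e.g. "AES-CBC"
    key_length: int     # bits
    hash_alg: str       # e.g. "SHA1"
    auth_method: str    # e.g. "pre-shared key"
    dh_group: int       # Diffie-Hellman group number (constructed value below)


def main_mode_packet_2(offered: List[Transform], acceptable: List[Transform]) -> Union[Transform, str]:
    """Responder side of MM packet 2: agree on the first offered transform the responder
    also accepts. Every field must match; a single differing field (key length 128
    instead of 256, say) leaves nothing to choose and yields No Proposal Chosen."""
    for transform in offered:
        if transform in acceptable:
            return transform
    return NO_PROPOSAL_CHOSEN


def domain(*cidrs: str) -> List[IPNet]:
    """A VPN Domain as the list of networks (objects) behind a gateway."""
    return [ipaddress.ip_network(c) for c in cidrs]


def quick_mode_packet_1(initiator_domain: List[IPNet], responder_domain: List[IPNet],
                        id_ci: str, id_cr: str) -> List[str]:
    """Check the two ID payloads of QM packet 1 (subnet or host IDs) against the
    VPN Domains. Returns the problems found; an empty list means the proposal fits."""
    problems: List[str] = []
    ci, cr = ipaddress.ip_network(id_ci), ipaddress.ip_network(id_cr)
    if not any(ci.subnet_of(n) for n in initiator_domain):
        problems.append(f"IDci {ci} is not covered by the initiator's VPN Domain (omitted object?)")
    if not any(cr.subnet_of(n) for n in responder_domain):
        problems.append(f"IDcr {cr} is not covered by the responder's VPN Domain (omitted object?)")
    overlaps = [f"{a} vs {b}" for a in initiator_domain for b in responder_domain if a.overlaps(b)]
    if overlaps:
        problems.append("VPN Domains overlap, the same object sits on both sides: " + ", ".join(overlaps))
    return problems


# Constructed scenario built around the values shown in the slides.
INITIATOR_OFFER = [
    Transform("AES-CBC", 256, "SHA1", "pre-shared key", 2),
    Transform("3DES", 168, "MD5", "pre-shared key", 2),
]
RESPONDER_OK = [Transform("AES-CBC", 256, "SHA1", "pre-shared key", 2)]
RESPONDER_128_ONLY = [Transform("AES-CBC", 128, "SHA1", "pre-shared key", 2)]

if __name__ == "__main__":
    print("MM packet 2:", main_mode_packet_2(INITIATOR_OFFER, RESPONDER_OK))
    print("MM packet 2:", main_mode_packet_2(INITIATOR_OFFER, RESPONDER_128_ONLY))
    ok = quick_mode_packet_1(domain("10.2.4.0/24"), domain("10.2.2.0/24"), "10.2.4.0/24", "10.2.2.0/24")
    print("QM packet 1:", ok or "accepted")
    print("QM packet 1:", quick_mode_packet_1(domain("10.2.4.0/24"), domain("10.2.2.0/24"),
                                              "10.2.4.0/24", "10.2.3.0/24"))
```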

Remote Access VPNs

 Check Point provides several Remote Access VPN solutions
 Newest: Endpoint Connect
– Lightweight remote access client
– Native desktop used to launch business applications
– Does not require authentication each time a connection is initiated

Connection Initiation

 For a VPN tunnel to be established between the site and a remote user, an IKE negotiation must take place between them
 Peer identities are authenticated (Phase 1) using one of:
– Digital Certificates
– Pre-Shared Secrets
– Hybrid Mode
– One-Time Password
– Security Gateway Password
– OS Password
– RADIUS
– TACACS
– SAS

 Once authentication is successful, IKE negotiation (Phase 2) occurs, and the VPN tunnel is established

 The client connects to the gateway with a Connection Mode
 The initial connection is to the gateway, with subsequent connections to internal resources made through VPN links
 Five connection methods:
– Office Mode
– Visitor Mode
– Hub Mode
– Auto Connect
– User Profile

Link Selection

 Link Selection specifies which interfaces are used for incoming and outgoing VPN traffic
 Configuration options:
– Probe links for availability
– Use Load Sharing on links to distribute VPN traffic
– Use links based on services to control the bandwidth
– Set up links for remote access

 Link Selection is only applicable to locally managed VPN peers
 A link set to the wrong IP address can damage the VPN connectivity configuration, unless it is configured to "auto probe"

Multiple Entry Point VPNs

 Multiple Entry Point (MEP) VPNs provide high availability:
– MEP VPNs are not restricted to gateway location
– MEP Security Gateways can be managed by separate Management Servers
– No state synchronization is needed between gateways
– The VPN client selects which Gateway site will take over if the connection fails

How Does MEP Work

 MEP VPNs continuously probe IP connections to check gateway availability
 This is done via the Probing Protocol (PP), sending special UDP RDP packets to port 259 to check if an IP is reachable

Explicit MEP

 Only Star VPN Communities with more than one central Security Gateway can be defined as explicit MEP VPNs
 Entry point Security Gateways are chosen by:
– First to respond (Gateway closest to source)
– By VPN domain (Gateway closest to destination)
– For Load distribution (random selection)
– MEP rules (from priority list)

Implicit MEP

 With fully or partially overlapping encryption domains, MEP VPNs can be implicitly defined
 Implicit MEP VPNs select the entry-point Security Gateway by:
– First to respond
– Primary-Backup
– Load Distribution

 For remote access MEP VPNs, clients must use Office Mode

Tunnel Management

 Two types of VPN tunnel management:
– Permanent Tunnels
– VPN Tunnel Sharing

Permanent Tunnels

 Permanent tunnels are always active and monitored
 Permanent tunnels can only be established between Check Point Gateways, configured:
– For the entire community
– For a specific Gateway
– For a single VPN tunnel

Tunnel Testing

 Tunnel Test – tests that a VPN tunnel is active
 A Tunnel Test packet has an arbitrary length; only the first byte contains meaningful data, the type field:
– 1 – Test
– 2 – Reply
– 3 – Connect
– 4 – Connected

 A Tunnel Test requires two Gateways, a pinger and a responder
 The pinger sends a type 1 or type 3 message; the responder responds with a type 2 or type 4 message
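
The pinger/responder exchange as a small Python model, added here as an example (not Check Point code, and not the real wire format beyond the first-byte type field): a responder that answers Test with Reply and Connect with Connected, and a pinger-side tracker that declares a permanent tunnel down after several unanswered tests and raises one of the alert types listed under Tracking Options. The miss threshold, the filler bytes and the peer address are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Type field values carried in the first byte of a tunnel test packet.
TEST, REPLY, CONNECT, CONNECTED = 1, 2, 3, 4
TYPE_NAMES = {TEST: "Test", REPLY: "Reply", CONNECT: "Connect", CONNECTED: "Connected"}
EXPECTED_REPLY = {TEST: REPLY, CONNECT: CONNECTED}   # what the pinger expects back


def build_packet(msg_type: int, filler: bytes = b"\x00" * 7) -> bytes:
    """Packets have arbitrary length; only byte 0 carries meaning. The filler is a constructed choice."""
    if msg_type not in TYPE_NAMES:
        raise ValueError(f"unknown tunnel test type {msg_type}")
    return bytes([msg_type]) + filler


def packet_type(packet: bytes) -> int:
    if not packet:
        raise ValueError("empty tunnel test packet")
    return packet[0]


def responder_answer(packet: bytes) -> Optional[bytes]:
    """Responder side: Test -> Reply, Connect -> Connected; anything else is dropped."""
    reply = EXPECTED_REPLY.get(packet_type(packet))
    return build_packet(reply) if reply is not None else None


@dataclass
class PermanentTunnel:
    """Pinger-side view of one permanent tunnel. Consecutive unanswered probes reaching
    `misses_before_down` mark the tunnel down and raise the configured alert."""
    peer: str
    alert: str = "Log"            # Log, Popup Alert, Mail Alert, SNMP Trap Alert or User Defined Alert
    misses_before_down: int = 3   # assumption; the real intervals are gateway attributes
    state: str = "connecting"     # connecting -> up -> down -> (reconnect) up
    consecutive_misses: int = 0
    alerts: List[str] = field(default_factory=list)

    def next_probe(self) -> bytes:
        """Send Connect until the tunnel is known to be up, then Test on every round."""
        return build_packet(TEST if self.state == "up" else CONNECT)

    def handle_response(self, sent: bytes, received: Optional[bytes]) -> str:
        expected = EXPECTED_REPLY[packet_type(sent)]
        if received is not None and packet_type(received) == expected:
            self.consecutive_misses = 0
            if self.state != "up":
                self.state = "up"
                self.alerts.append(f"{self.alert}: tunnel to {self.peer} is up")
            return self.state
        self.consecutive_misses += 1
        if self.consecutive_misses >= self.misses_before_down and self.state != "down":
            self.state = "down"
            self.alerts.append(f"{self.alert}: tunnel to {self.peer} is down")
        return self.state


def simulate(tunnel: PermanentTunnel, answered: List[bool]) -> str:
    """Drive one tunnel through probe rounds; True = the peer's reply arrived, False = lost."""
    for got_reply in answered:
        sent = tunnel.next_probe()
        received = responder_answer(sent) if got_reply else None
        tunnel.handle_response(sent, received)
    return tunnel.state


if __name__ == "__main__":
    t = PermanentTunnel("172.24.104.1", alert="SNMP Trap Alert")
    print(simulate(t, [True, True, False, False, False]), t.alerts)
```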

VPN Tunnel Sharing

 VPN tunnel sharing provides for interoperability and scalability by controlling the number of VPN tunnels via three settings:
– One VPN tunnel per each pair of hosts
– One VPN tunnel per subnet pair
– One VPN tunnel per Gateway pair

Tunnel Management Configuration

Permanent Tunnel Configuration

 To set VPN tunnels as permanent, use one of the Permanent Tunnel modes:
– On all tunnels in the Community
– On all tunnels of specific Gateways
– On specific tunnels in the Community

Tracking Options

 Administrators can monitor tunnel status by configuring alerts
 Alerts can be configured globally or individually on tunnels
 Alert options:
– Log
– Popup Alert
– Mail Alert
– SNMP Trap Alert
– User Defined Alert

Advanced Permanent Tunnel Configuration

 Several attributes allow for customization of tunnel tests and intervals for permanent tunnels:
1. In SmartDashboard, select Global Properties > SmartDashboard Customization.
2. Click Configure. The Advanced configuration screen is displayed.
3. Click VPN Advanced Properties > Tunnel Management to view the five attributes.

VPN Tunnel Sharing Configuration

 Configuration of VPN Tunnel Sharing can be set on both the VPN community and Gateway objects:
– One VPN tunnel per each pair of hosts
– One VPN tunnel per subnet pair
– One VPN tunnel per Gateway pair

 If there is a conflict between the tunnel properties of a VPN Community and a Gateway object that is a member of that same Community, the "stricter" setting is used.

Troubleshooting

 1st step: are packets traversing the VPN tunnel?
– Use SmartView Tracker logs to confirm that packets are arriving at the Gateway
– fw monitor can confirm whether IKE packets arrive at and leave the Gateway

 Run a debug for IKE traffic:
– vpn debug on
– Generate traffic from the VPN Domain to the peer's VPN Domain
– If the ike.elg file does not contain useful information, an invalid tunnel may have been set up

 Use vpn tu to remove site-to-site IKE and/or IPsec keys and initiate traffic
– Check the ike.elg file to identify on which packet the IKE negotiation fails
– Check the relevant configuration parameters
– Look at the vpnd.elg file for other errors

VPN Debug

 vpn debug command syntax:

  vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ] | ikeoff
            | trunc | truncon | truncoff | timeon [ SECONDS ] | timeoff
            | ikefail [ -s size(Mb) ] | mon | moff >

 vpn debug on|off
– vpn debug on: turn on vpn debug and write the output to the file vpnd.elg
– vpn debug on [debug topic]=[debug level] sets the specified TDERROR topic to the specified level, without affecting any other debug settings. This may be used to turn specific topics on or off.
– vpn debug on TDERROR_ALL_ALL=1,2,3,4,5 turns on default VPN debugging, i.e., all TDERROR output and default VPN topics, without affecting any other debug settings.
– vpn debug off: disable vpn debug.

 vpn debug ikeon|ikeoff
– vpn debug ikeon: turn on IKE debug and write the output to the file ike.elg
– vpn debug ikeoff: disable IKE debug.

 vpn log files
– IKE debugging is written to $FWDIR/log/ike.elg
– VPN debugging is written to $FWDIR/log/vpnd.elg

 vpn debug trunc
– When the vpn debug on command runs, the output is written to the $FWDIR/log/vpnd.elg file by default

VPN Environmental Variables

 Setting the environment variables is recommended as a method for


debugging, only if there is a VPN tunnel failure:
– Windows – set VPN_DEBUB=1
– Unix – set VPN_DEBUG 1

131

VPN Command Options

VPN Debug

• vpn tu
  – The command vpn tu is short for vpn tunnelutil. It is useful for deleting the IPSec or IKE SAs of a specific peer or user without interrupting other VPN activity.

• Example
  – You have several site-to-site VPN tunnels between Gateways.
  – You want to remove the IKE SAs for one particular peer without interrupting the other VPNs. How do you do that?
  – Run vpn tu from the Gateway command line and select the option that deletes all IPSec and IKE SAs for a given peer (GW).

• Comparing SAs
  1. Enable VPN debugging on both your site and your partner's site with vpn debug on trunc.
  2. Use vpn tunnelutil (vpn tu) to remove all SAs, either for the peer with which you are about to create the tunnel or for all tunnels.
  3. Have your peer initiate the tunnel from its site to yours.
  4. Use vpn tunnelutil (vpn tu) again to remove all SAs, either for that peer or for all tunnels, so the second exchange is also negotiated from scratch.
  5. Initiate the tunnel from your site to your peer.
  6. Disable debugging on both sites.
  7. Examine ike.elg and vpnd.elg. They now contain records of the SA sent by your gateway as well as what was received from your partner's site, and the two can be compared field by field.

VPN Encryption Issues

• Quick mode packet 1 fails with the error "No Proposal Chosen" from the peer.
  – Cause: the peer does not agree to a field of the proposal, such as encryption strength or hash.
  – A Security Gateway agrees loosely to the proposal, whether host based or network based.
  – Third-party vendors may only agree to proposals that adhere strictly to the defined parameters.

• The Security Gateway proposes a supernetted address as the VPN Domain to a Cisco (or other) concentrator in Phase 2.
  – The Cisco device only agrees to a VPN Domain that matches its own network address and subnet mask.
  – This issue is known as the largest possible subnet problem.

• Largest possible subnet problem – troubleshooting
  – Check the Shared Tunnel settings in the Tunnel Management section of the VPN community. Make sure both sides agree on either host based or subnet based tunnels.
  – Interoperable devices do not support the Gateway to Gateway option.
  – In GuiDbedit, change the following property to false: ike_use_largest_possible_subnet
  – This prevents the Security Gateway from supernetting the networks in the VPN Domain; the subnets defined in the network objects are then used as-is.

• Largest possible subnet problem – troubleshooting (cont.)
  – Check for multiple network objects in the VPN Domain that overlap. For example, 10.1.1.0/24 and 10.0.0.0/8 are both in the VPN Domain. A packet sourced from 10.1.x.x may then use 255.0.0.0 for the subnet in Phase 2 instead of 255.255.255.0.
  – In some cases, particularly when network overlaps exist in the VPN Domain, it is still required to modify the user.def file. See SecureKnowledge solutions sk19243 and sk30919 on Check Point's Web site: https://usercenter.checkpoint.com/support
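The two troubleshooting slides above can be checked offline before touching GuiDbedit. The following is an added example, not Check Point code: it models what the gateway proposes in Phase 2 for a given source address with ike_use_largest_possible_subnet true (contained and adjacent objects collapsed into the widest covering network) and false (the defined objects used as-is), and flags overlapping network objects in the VPN Domain. The sample VPN Domains, the function names and the strict-peer check are constructed for the illustration; when objects overlap and the property is false, the example picks the most specific object, which is an assumption made here only to keep the output deterministic.

```python
"""Model the largest possible subnet problem on a VPN Domain.

Added illustration, not Check Point code: the real decision is made by vpnd
and governed by ike_use_largest_possible_subnet; the sample VPN Domains,
function names and the strict-peer check below are constructed for this
example.
"""
import ipaddress
from itertools import combinations

# Constructed VPN Domain from the slide: 10.1.1.0/24 lies inside 10.0.0.0/8.
OVERLAPPING_DOMAIN = ["10.1.1.0/24", "10.0.0.0/8", "192.168.5.0/24"]

# Constructed VPN Domain of two adjacent /24s that a supernetting gateway
# merges into one /23, which a Cisco peer expecting a /24 rejects.
ADJACENT_DOMAIN = ["192.168.0.0/24", "192.168.1.0/24"]


def parse_domain(domain):
    """Parse network objects; strict=True rejects host bits such as 10.1.1.1/24."""
    return [ipaddress.ip_network(net, strict=True) for net in domain]


def overlapping_objects(domain):
    """Pairs of VPN Domain objects that overlap; these make Phase 2 ambiguous."""
    nets = parse_domain(domain)
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def phase2_subnet(src_ip, domain, use_largest_possible_subnet=True):
    """(network, netmask) the gateway proposes in Quick mode for src_ip.

    True models the default: contained and adjacent objects are collapsed
    into the widest covering network (supernetting).  False models the
    property set to false in GuiDbedit: the defined objects are used as-is.
    With overlapping objects this example picks the most specific one, an
    assumption made here for determinism; the real fix is to remove the
    overlap from the VPN Domain.  Returns None if src_ip is outside it.
    """
    ip = ipaddress.ip_address(src_ip)
    nets = parse_domain(domain)
    if use_largest_possible_subnet:
        nets = list(ipaddress.collapse_addresses(nets))
    matches = [n for n in nets if ip in n]
    if not matches:
        return None
    chosen = max(matches, key=lambda n: n.prefixlen)
    return str(chosen), str(chosen.netmask)


def strict_peer_accepts(proposed, peer_network):
    """A Cisco-style peer only accepts an exact match of address and mask."""
    return ipaddress.ip_network(proposed) == ipaddress.ip_network(peer_network)


if __name__ == "__main__":
    print("overlapping objects:", overlapping_objects(OVERLAPPING_DOMAIN))
    for flag in (True, False):
        net, mask = phase2_subnet("10.1.1.50", OVERLAPPING_DOMAIN, flag)
        print(f"ike_use_largest_possible_subnet={flag}: {net} mask {mask}")
    net, _ = phase2_subnet("192.168.1.9", ADJACENT_DOMAIN)
    print(f"supernet {net} accepted by peer expecting 192.168.1.0/24:",
          strict_peer_accepts(net, "192.168.1.0/24"))
```

Running the block shows the slide's symptom directly: with the default setting the 10.1.1.50 packet is proposed under 10.0.0.0/8 (mask 255.0.0.0) and the two adjacent /24s become 192.168.0.0/23, which the strict peer refuses; with the property set to false the /24 objects are proposed as defined.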
• Example 1
  – Assume you have a site-to-site VPN between two Check Point Security Gateways.
  – Each is managed by its own Management Server.
  – You see a lot of IKE Phase 1 failures in SmartView Tracker.
  – You run IKE debug on one Gateway and discover that only one packet in Main mode is transferred.
  – There is no packet in Main mode after packet 1.
  – What might have caused this problem?

• Example 1 – What might have caused this problem?
  – First, check the VPN settings (including encryption algorithm, key length and hash method) in the Community object.
  – Make sure the Phase 1 settings are identical on both sides.
  – Check the Phase 1 settings under Advanced settings in the Community object, such as DH group 1 or group 2, aggressive mode, etc.
  – They must be defined identically on both sides.
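Both the "No Proposal Chosen" slide and Example 1 come down to a field-by-field comparison of what the two peers were configured with. The following is an added example, not Check Point code: the setting names, the two constructed configurations and the transform comparison are illustrative, and the values would in practice be read from the Community object and from the peer's configuration or the ike.elg capture. It reports which Phase 1 parameter differs (the Main mode packet 1 case) and, for Quick mode, which field of the offered proposal the peer never agrees to.

```python
"""Compare two peers' IKE settings before blaming the network.

Added example, not Check Point code: the setting names, the constructed
configurations and the field-level comparison are illustrative only.
"""

# Phase 1 (Main mode) parameters that must be identical on both sides.
PHASE1_FIELDS = ("encryption", "key_length", "hash", "dh_group",
                 "aggressive_mode", "lifetime_minutes")

# Fields of a Phase 2 (Quick mode) transform the peer must agree to.
PHASE2_FIELDS = ("encryption", "hash", "pfs_group")

# Constructed settings: the peer was built with DH group 14 while the
# Community object still uses group 2, so Main mode stops after packet 1.
LOCAL_PHASE1 = {"encryption": "AES", "key_length": 256, "hash": "SHA1",
                "dh_group": 2, "aggressive_mode": False, "lifetime_minutes": 1440}
REMOTE_PHASE1 = {"encryption": "AES", "key_length": 256, "hash": "SHA1",
                 "dh_group": 14, "aggressive_mode": False, "lifetime_minutes": 1440}

# Constructed Quick mode proposals: we offer AES-256, the strict third-party
# peer only accepts AES-128 or 3DES, so it answers "No Proposal Chosen".
OFFERED = [{"encryption": "AES-256", "hash": "SHA1", "pfs_group": 2}]
ACCEPTABLE = [{"encryption": "AES-128", "hash": "SHA1", "pfs_group": 2},
              {"encryption": "3DES", "hash": "MD5", "pfs_group": 2}]


def phase1_mismatches(local, remote):
    """{field: (local, remote)} for every Phase 1 value that differs.

    A field present on one side only also counts as a mismatch."""
    return {f: (local.get(f), remote.get(f))
            for f in PHASE1_FIELDS if local.get(f) != remote.get(f)}


def _transform(proposal):
    return tuple(proposal.get(f) for f in PHASE2_FIELDS)


def choose_proposal(offered, acceptable):
    """First offered transform the peer accepts exactly, or None
    (the peer's 'No Proposal Chosen')."""
    accepted = {_transform(p) for p in acceptable}
    for proposal in offered:
        if _transform(proposal) in accepted:
            return proposal
    return None


def unmatched_fields(offered, acceptable):
    """Fields whose offered value no acceptable transform shares at all.

    When choose_proposal returns None this names the parameter to change
    instead of only reporting that negotiation failed."""
    return {f for p in offered for f in PHASE2_FIELDS
            if p.get(f) not in {a.get(f) for a in acceptable}}


if __name__ == "__main__":
    print("Phase 1 mismatches:", phase1_mismatches(LOCAL_PHASE1, REMOTE_PHASE1))
    if choose_proposal(OFFERED, ACCEPTABLE) is None:
        print("No Proposal Chosen; fields never matched:",
              unmatched_fields(OFFERED, ACCEPTABLE))
```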

• Example 2
  – You are configuring a site-to-site VPN from a Check Point Security Gateway to a Cisco device.
  – You see that traffic initiated from the VPN Domain behind the Security Gateway is dropped with the error "Packet is dropped as there is no valid SA".
  – The Cisco side is sending "Delete SA" to the Security Gateway.
  – The IKE debug indicates a Phase 2 (Quick mode) failure.
  – What is causing the misconfiguration?

• Example 2 – What is causing the misconfiguration?
  – A Quick mode failure usually indicates that the VPN Domain is not configured exactly the same on one or both peers.
  – For example, if the Security Gateway's VPN Domain is a Class B network, but the same network is defined with a Class C subnet mask in the Cisco VPN configuration, this type of error occurs.

Lab Practice

• Lab 5: Configuring Site-to-Site VPNs with Third Party Certificates
• Lab 6: Remote Access with Endpoint Security VPN

Review Questions

1. What are the stages of a Phase 2 IKE exchange?
   – Peers exchange more key material and agree on encryption and integrity methods for IPSec.
   – The DH key is combined with the key material to produce the symmetric IPSec key.
   – Symmetric IPSec keys are generated.

2. What is the advantage of Link Selection for VPN traffic?
   – When high traffic demands are placed on the gateway and its performance is impaired, Link Selection provides the means to specify which interfaces are used for incoming and outgoing VPN traffic.

3. What type of VPN communities can be explicitly defined as MEP VPNs?
   – Only Star VPN Communities using more than one central Security Gateway can be explicitly defined as MEP VPNs.

4. Quick mode packet 1 fails with the error "No Proposal Chosen" from the peer. What is likely the cause?
   – This failure is usually caused when a peer does not agree to the proposal fields, such as encryption strength or hash.
Auditing and Reporting


Learning Objectives

• Create events or use existing event definitions to generate reports on specific network traffic using SmartReporter and SmartEvent, in order to provide industry compliance information to management.
• Using your knowledge of the SmartEvent architecture and module communication, troubleshoot report generation given command-line tools and debug-file information.
Auditing and Reporting Process

• Security Administrator role:
  – Guided by process and procedures
  – Need to document changes on the corporate network
  – Compliance with industry standards and corporate mandates

• Corporate governance
  – Efficient auditing and reporting
  – Compliance with regulatory practices
Auditing and Reporting

• Implementing audit policies
  – Password changes
  – Changes to access rights to shares, files, folders, etc.
  – Attempts at unauthorized access to computer system resources
  – Attempts at unauthorized access to information held in application systems
  – All internal system activity, including logins, file accesses and security incidents
  – Produce and retain logs recording exceptions and security-related events
  – Any attempts at unauthorized changes to IT systems
  – Key system files and critical data, for unauthorized changes
  – Changes to Active Directory permissions for user accounts, groups and computer accounts
  – Unauthorized Active Directory access permissions
  – Any changes to users, groups, rights, and user account policies
  – Notifications of group policy changes
  – Authorized users' attempts to perform unauthorized activities
  – Permission changes in Active Directory
  – User information, access information, date and time stamp
  – Real-time policy modifications
  – Last access dates for files and applications
SmartEvent

• SmartEvent – Management Software Blade
• Uses network security information with real-time security event correlation and management for Check Point Security Gateways and third-party devices.
• SmartEvent's unified event analysis identifies critical security events from the clutter of data, while correlating events across all security systems.
• Its automated aggregation and correlation of data minimizes the time spent analyzing log data, and also isolates and prioritizes the real security threats.
• SmartEvent is available as a software blade or as an appliance.
• SmartEvent Appliance bundle:
  – SmartEvent
  – SmartReporter
  – Logging and Status

SmartEvent Intro

• SmartEvent Intro – security event correlation and management for a single Check Point Security Software Blade
• Full reporting – part of the SmartReporter Software Blade
• Only one SmartEvent Intro blade can be installed per device
• To monitor and correlate firewall events, use the full SmartEvent Software Blade
SmartEvent Architecture

• Three main components for log consolidation, correlation, and results analysis:
  – Correlation Unit (CU)
  – Analyzer Unit
  – Analyzer Client

Example Deployment

Component Communication Process

Analyzer Server
Event Policy User Interface

• The Event Policy is fundamental to the workings of SmartEvent
• Edit Event Definition
SmartReporter

• SmartReporter provides:
  – A high-level view, trends, and reports
  – Understanding of the details of each event
  – Integration with other tools to modify the security policies
  – Management of events by state and owner
Consolidation Policy

• Consolidation Policy:
  – Similar to a Security Policy in structure and management
  – Uses Rule Bases defined via SmartDashboard
  – Uses the network objects
  – Consolidation rules – store or ignore logs that match the rules
  – Based on logs, not on security issues
• Consolidation is performed at two levels:
  – The interval at which the log was created
  – The log fields whose original values should be retained

• When several logs match a rule and are recorded:
  – The values of their relevant fields are saved as-is
  – The values of their irrelevant fields are merged, or consolidated, together

• The SmartReporter server can then extract the consolidated records that match a specific report definition
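The two consolidation levels described above are easier to see on data than in prose. The following is an added example, not Check Point code: the log dictionaries, the rule format and the function names are constructed for the illustration. Like a Security Policy, the rules are matched top down and the first match decides whether a log is stored or ignored; stored logs are grouped by time interval plus the fields the rule retains, and the remaining fields are merged into a single record that a report definition can then extract.

```python
"""Consolidate raw firewall logs the way a Consolidation Policy does.

Added example, not Check Point code: the log dictionaries, the rule format
and the function names below are constructed for the illustration.
"""
from datetime import datetime

# Constructed raw logs (not real Check Point log records), deliberately unordered.
RAW_LOGS = [
    {"time": "2013-03-01 10:00:05", "src": "10.1.1.5", "dst": "198.51.100.7", "service": "http", "action": "accept", "bytes": 120},
    {"time": "2013-03-01 10:02:10", "src": "10.1.1.9", "dst": "198.51.100.7", "service": "http", "action": "accept", "bytes": 50},
    {"time": "2013-03-01 10:00:40", "src": "10.1.1.5", "dst": "198.51.100.7", "service": "http", "action": "accept", "bytes": 900},
    {"time": "2013-03-01 10:01:15", "src": "10.1.1.5", "dst": "203.0.113.2", "service": "ssh", "action": "drop", "bytes": 60},
    {"time": "2013-03-01 10:01:00", "src": "10.1.1.5", "dst": "192.0.2.1", "service": "ntp", "action": "accept", "bytes": 48},
    {"time": "2013-03-01 10:03:00", "src": "10.1.1.5", "dst": "198.51.100.7", "service": "http", "action": "accept", "bytes": 300},
    {"time": "2013-03-01 10:06:30", "src": "10.1.1.5", "dst": "198.51.100.7", "service": "http", "action": "accept", "bytes": 75},
    {"time": "2013-03-01 10:00:59", "src": "10.1.1.5", "dst": "198.51.100.7", "service": "http", "action": "accept", "bytes": 10},
]

# Constructed Consolidation Policy: the first rule ignores NTP noise, the
# catch-all rule stores everything else in 5-minute intervals and retains
# four fields as-is; all other fields are merged.
CONSOLIDATION_RULES = [
    {"match": {"service": "ntp"}, "store": False},
    {"match": {}, "store": True, "interval_minutes": 5,
     "keep": ("src", "dst", "service", "action")},
]


def first_matching_rule(log, rules):
    """Top-down rule base: the first rule whose match fields all agree wins."""
    for rule in rules:
        if all(log.get(field) == value for field, value in rule["match"].items()):
            return rule
    return None


def interval_start(timestamp, minutes):
    """Floor a 'YYYY-MM-DD HH:MM:SS' timestamp to the start of its interval."""
    t = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    t = t.replace(minute=t.minute - t.minute % minutes, second=0)
    return t.strftime("%Y-%m-%d %H:%M")


def consolidate(logs, rules):
    """Consolidated records, sorted by interval and retained fields.

    Retained fields keep their original values; the remaining fields are
    merged: 'count' is the number of raw logs behind the record and 'bytes'
    their sum.  Ignored logs never reach the result."""
    records = {}
    for log in logs:
        rule = first_matching_rule(log, rules)
        if rule is None or not rule["store"]:
            continue
        key = (interval_start(log["time"], rule["interval_minutes"]),) + \
              tuple(log[field] for field in rule["keep"])
        record = records.setdefault(key, {"interval": key[0],
                                          **dict(zip(rule["keep"], key[1:])),
                                          "count": 0, "bytes": 0})
        record["count"] += 1
        record["bytes"] += log["bytes"]
    return [records[k] for k in sorted(records)]


def select(records, **definition):
    """Report definition: consolidated records whose fields match, e.g. service='http'."""
    return [r for r in records if all(r.get(f) == v for f, v in definition.items())]


if __name__ == "__main__":
    for record in consolidate(RAW_LOGS, CONSOLIDATION_RULES):
        print(record)
```

Eight raw logs become four records: the five HTTP logs from 10.1.1.5 to 198.51.100.7 collapse into one record for the 10:00 interval and one for 10:05, the SSH drop and the second source each keep their own record because src, dst, service and action are retained, and the NTP log is discarded by the ignore rule before it is ever counted.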
Report Types

• Two types of reports can be created:
  – Standard Reports
  – Express Reports

• SmartReporter Standard Reports are supported by two clients:
  – SmartDashboard Log Consolidator
  – SmartReporter Client
Lab Practice

• Lab 7: SmartEvent and SmartReporter
Review Questions

1. What does the SmartReporter Consolidation Policy do?
   – The Consolidation Policy goes over your original "raw" log file, compressing similar events and writing the compressed list of events into a relational database.

2. What is the difference between a Consolidation Policy and a Security Policy?
   – A Consolidation Policy is based on logs, as opposed to connections, and has no bearing on security issues.

3. When is an event reported?
   – When it is created
   – Up to five updates
   – When it is closed