I. Checkpoint Fundamentals
1. What are the 3 interconnected components in a Checkpoint system?
A: Console, MGMT and Gateway
2. What are 3 Checkpoint OS names, and what devices would run them?
A: IPSO (old OS), SPLAT (SecurePlatform, also old) and the newest, GAIA. They run on the gateway (physical device) and on the management server.
3. What does the INSPECT engine do?
A: For traffic from the source going outside, the FW stores the TCP header details (IP, port number) in its state table; if a reply matches that entry it is permitted (allowed) back in.
Security Management Architecture (SMART)
Console – where we log in and create the policy (SmartConsole)
Management – where all policies are kept; stored and pushed to the gateway.
Gateway FW – the one that implements (enforces) the policy.
Traffic Control Methods
Packet Filtering – verifies whether each packet should be forwarded
Stateful – remembers the port and IP address of the session as Bob goes out to the CBT server; stores the details in the state table.
App. Awareness – also looks at the application layer.
FW INSPECT digs deep from source to destination, up to the application layer. The firewall verifies whether the source port is legitimate. If the port is really there, the FW can remember it in the state table. Because that session is now in the state table, the check is done at "layer 2.5" (the INSPECT module between the data link and network layers), and the incoming reply traffic is processed much faster than the first packet.
IPSO – based on BSD
SecurePlatform (SPLAT) – based on Red Hat; replaced IPSO
II. Installing Checkpoint
Standalone vs Distributed
– Standalone: 1 physical device with Management and FW
– Distributed: the management is a separate physical box or virtual server
Routed vs Bridge
– Bridge mode is like a transparent firewall; it does not divide the network.
III. Linking the manager and Gateway
FW: IPs, default route, banner
1st: Remote access via HTTP
Self-signed certificate.
2nd: Set up the network interface
Network Management > Network Interface > Click Edit
3rd: Set up the static route
Network Management > IPv4 Static Routes > Edit Default route
Mgr: Add banner
Connect via HTTP; same process for adding the interface IP address, routes and banner
Download all SmartConsole components
Download / install the SmartConsole clients from the mgr
– We can download SmartConsole from the Management server.
There is a read-only or demo mode.
To verify, go to the console manager.
Configuring Management via SmartConsole to sync with the firewall.
Creating a network object that represents the firewall and defines how to communicate with it.
1st: Network Object > Check Point > Security Management > Classic Mode
Fill in the blanks and enable features, what we call software blades.
Note: each feature has an individual license.
Secure Internal Communication = Uninitialized (meaning this manager is not yet connected to the gateway)
The firewall knows where to assign the IP address to a specific interface because of the default route.
Verify on Overview
We can create a network object that identifies our internal networks or internal PCs, which can then be used in the policy.
Network that can be used in the policy
IV. Creating and Pushing a policy to the gateway.
Define Network Objects.
Add rules to the Security policy
– Stealth: to prevent direct access to the security gateway. Only the permitted host or console
– Internal: permit the inside network to forward to any destination
– Cleanup: if traffic is from anywhere going to anywhere, DROP IT (we can see logs with this rule)
Stealth Rule – to prevent direct access to the security gateway
Cleanup Rule – to drop and log all traffic not permitted in previous rules
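As an added illustration (not Check Point code), the toy stateful firewall below models the notes above: a reply that matches the state table is accepted without re-walking the rule base, otherwise the rules are checked in order (Stealth, Internal, Cleanup) with first match winning. All addresses, the admin console host and the rule names are constructed for the example.

```python
# Added example, not Check Point's INSPECT engine: a toy first-match rule base
# with a state table, modelling the Stealth / Internal / Cleanup rules above.
# All addresses and networks below are constructed (RFC 5737 / private ranges).
from ipaddress import ip_address, ip_network

GATEWAY_IPS = {"10.0.0.1", "203.0.113.1"}   # constructed gateway interface IPs
INTERNAL_NET = ip_network("10.0.0.0/24")    # constructed internal network object
ADMIN_CONSOLE = "10.0.0.50"                 # constructed SmartConsole host

# Rule base in evaluation order; first match wins.
# Each rule: (name, source-matcher, destination-matcher, action, log?)
RULES = [
    # Stealth: nothing but the console may reach the gateway itself.
    ("Stealth", lambda s: s != ADMIN_CONSOLE, lambda d: d in GATEWAY_IPS, "drop", True),
    # Internal: the inside network may go anywhere.
    ("Internal", lambda s: ip_address(s) in INTERNAL_NET, lambda d: True, "accept", False),
    # Cleanup: anything else is dropped and logged.
    ("Cleanup", lambda s: True, lambda d: True, "drop", True),
]


def evaluate(state_table, src, sport, dst, dport, log):
    """Return 'accept' or 'drop' for a packet src:sport -> dst:dport.

    state_table: set of (src, sport, dst, dport) tuples for accepted sessions.
    log: list that collects entries for rules configured to log.
    """
    # Reply to a session already in the state table: allowed on the fast path,
    # without consulting the rule base again (the "stateful" behaviour).
    if (dst, dport, src, sport) in state_table:
        return "accept"
    for name, src_ok, dst_ok, action, do_log in RULES:
        if src_ok(src) and dst_ok(dst):
            if do_log:
                log.append(f"{name}: {src}:{sport} -> {dst}:{dport} {action}")
            if action == "accept":
                state_table.add((src, sport, dst, dport))  # remember the session
            return action
    return "drop"  # not reachable while a Cleanup rule is present
```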
Save and Push
Adding a rule in SmartConsole
Note that there are many ways to create a new policy.
In case there is an issue with the policy, we need to roll back.
Load the policy from the local host or a different host.
Save – To save
Install – to push to the selected gateway, deploying the policy to the firewall
Verify that the push has been installed
Network Address Translation.
Reasons: private IPs, security, limited IPs
How to translate: Source or Destination
Source – private (internal client) to public
Destination – private to public
How to translate: Static or Dynamic
Static – one-to-one (fixed resource)
Hide NAT – hides hundreds of users behind the firewall's public IP
Where translation is done.
Source Dynamic (Hide NAT for the internal network)
– Go to the internal network object
– NAT: Translation Method – Hide NAT
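As an added illustration (not Check Point code), the model below contrasts the two translation methods in the notes: Static NAT maps one private address to one public address, while Hide NAT puts many internal hosts behind the gateway's single public IP and tells their replies apart by translated source port. The addresses and the starting port are constructed for the example.

```python
# Added example, not Check Point's NAT implementation: a toy model of
# Static NAT (one-to-one) versus Hide NAT (many-to-one on the gateway IP).
# All addresses below are constructed (RFC 5737 / private ranges).
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"                    # constructed gateway external IP (Hide NAT address)
INTERNAL_NET = ip_network("10.0.0.0/24")     # constructed internal network object (Hide NAT)
STATIC_NAT = {"10.0.1.10": "203.0.113.112"}  # constructed DMZ server: private -> public, one-to-one


class NatTable:
    def __init__(self, first_port=10000):
        self.next_port = first_port   # next translated source port to hand out
        self.hide = {}                # (private_ip, private_port) -> translated port
        self.reverse = {}             # translated port -> (private_ip, private_port)

    def outbound(self, src, sport):
        """Translate the source of an outbound packet; returns (new_src, new_sport)."""
        if src in STATIC_NAT:                    # Static NAT: address changes, port is kept
            return STATIC_NAT[src], sport
        if ip_address(src) in INTERNAL_NET:      # Hide NAT: share PUBLIC_IP, allocate a port
            key = (src, sport)
            if key not in self.hide:             # reuse the mapping for an existing session
                self.hide[key] = self.next_port
                self.reverse[self.next_port] = key
                self.next_port += 1
            return PUBLIC_IP, self.hide[key]
        return src, sport                        # no NAT rule matches: leave untouched

    def inbound(self, dst, dport):
        """Translate the destination of an inbound packet.

        Returns (private_ip, private_port), or None when the packet is
        unsolicited traffic to the hide address with no session to map to.
        """
        for private, public in STATIC_NAT.items():   # Static NAT works in both directions
            if dst == public:
                return private, dport
        if dst == PUBLIC_IP and dport in self.reverse:
            return self.reverse[dport]               # reply to a hidden session
        return None
```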
Using SmartView Tracker
1st: Create a host object
2nd: Create a policy
TRAFFIC FLOW: USER(OUTSIDE) > PUBLIC IP > TRANSLATED TO PRIVATE > POLICY > ROUTE
POLICY PACKAGES AND DATABASE VERSION
Install and link the gateway to the manager
Include the new firewall in the policies
From Management, add static NAT .112 for FW2
We need to apply it for the gateway control connection.
Create a DMZ object for the DMZ server.
Node > Host
And add static NAT
We need to make sure that we create a policy rule for that.
! Adding an Additional Firewall
Check Point > Right Click > Add new gateway or management device.
Using Wizard mode
Next; it is going to ask for the one-time password > Next > Close > Finish.
Verify Connection Status
Create new Policy package for FW2.
Allow a specific host to access FW2 and add a stealth rule.
INSTALL / PUSH (choose FW2)
Or select the target tab
In the Advanced options under Install Policy
Click Create database version (creates a snapshot we can use for roll back).
File > Database Revision
Modes: Log, Active and Audit
SmartView Monitor – the answer to: “So how is everything?”
Ctrl + Shift + M to go to Monitor viewer
Real Time Monitoring
Set up thresholds (to generate alerts)
Or Global Policy.
Verify the software blade is enabled
Blocking a service from SmartView Monitor
But note this is not the right way of establishing or implementing a policy.
Site to Site IPsec VPNs
Authentication (shared key), Data Integrity (hash, MD5) & Encryption (DES, 3DES, AES)
The rules are in place, but the VPN has not yet been established.
What will the firewall do? It will start the process we call IKEv1.
IKEv1: Phase 1 & Phase 2
Phase 1:
– Negotiation (hash, encryption, authentication & DH group)
– DH – run to generate the shared secret key
– Authenticate (using the method agreed in negotiation)
BUT THIS SETUP DOESN’T HELP BOB (USER)
Phase 2:
– Negotiate (SHA, AES)
– Build IPsec Tunnel
– Full Mesh
– Hub & Spoke (Star)
FW GATEWAY – VPN MEMBER (END POINT)
VPN Domains – Server/User Network
Site – Member & Domains
! Disable NAT from Bob (User2) to User1. Tell the firewall not to NAT traffic sent from one VPN domain to another VPN domain.
– Enable on Gateway
– ID Domain
– Create Community
– Add rule
Center – HUB
Satellite – Spoke
! Enable the IPsec VPN software blade
! Identify VPN Domain
FW > Topology > VPN Domain
! Create Community
– CREATING A STAR COMMUNITY
– CENTER GATEWAYS (Click ADD or Create a new Firewall)
– On SATELLITE (PEER)
– Custom Default
– Tunnel Management
Advanced VPN (OPTIONAL)
Create a new policy
In case it does not work, you can verify in SmartView Tracker
VPN TUNNEL UTILITY on CLI (vpn tu)
Options for learning “Who’s using this IP?”:
– AD Query (Security Event logs)
– Captive portal (Browser)
– Agents (Endpoint or Terminal Services)
STEPS: Enable feature, Create Access Role & use in rules
Enabling Identity Awareness
Application Control & URL Filtering
Protects against: malware, bandwidth abuse, non-approved sites
We can limit the throughput.