Category Archives: Checkpoint

I. Checkpoint Fundamentals
Q’s:
1. What are the 3 interconnected components in a Check Point system?
A: Console, Management and Gateway
2. What are the 3 Check Point OS names, and what devices run them?
A: IPSO (the old OS), SPLAT (SecurePlatform, also old) and the newest, GAiA. They run on the gateway (the physical device) and on the management server.
3. What does the INSPECT engine do?
A: For traffic from the inside going out, the firewall stores the TCP header details (IP addresses and port numbers) in its state table; if a reply matches an entry in that table, it is permitted back in.
Security Management Architecture (SMART)

Console – where we log in and create the policy (SmartConsole)
Management – where all policies are kept; stored here and pushed to the gateway
Gateway FW – the one that enforces the policy

Traffic Control Methods

Packet Filtering – checks each packet individually to decide whether it should be forwarded

Stateful – remembers the port and IP address of a session, e.g. as Bob goes out to the CBT server, and stores those details in the state table.
App. Awareness – also looks at the application layer.
The firewall inspects deeply, from source to destination, up to the application layer. It verifies whether the source port is legitimate; if the port really is in use, the firewall records it in the state table. Because that session is now in the state table, subsequent packets are handled at "layer 2.5" (the INSPECT engine sits between layers 2 and 3), so the incoming reply is processed much faster than the first packet.
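To make the state-table idea concrete, here is a toy stateful packet filter. It is an added example, not Check Point's code or the real INSPECT engine: outbound sessions from the inside are recorded, a matching reply is permitted back in, and anything unsolicited from the outside is dropped. The hosts, ports and packet sequence are constructed for illustration.

```python
# Added example (not Check Point's code): a toy stateful packet filter that
# models the state-table behaviour described above. Hosts, ports and the
# packet sequence are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str     # simplified TCP flags: "SYN", "SYN-ACK" or "ACK"
    ingress: str   # interface the packet arrived on: "inside" or "outside"


class StatefulFirewall:
    """Remembers outbound sessions and permits only matching replies back in."""

    def __init__(self):
        # State table keyed on the outbound 5-tuple (src, sport, dst, dport, proto).
        self.state = {}

    @staticmethod
    def _key(pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, "tcp")

    @staticmethod
    def _reply_key(pkt):
        # A reply has source and destination swapped relative to the recorded entry.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, "tcp")

    def handle(self, pkt):
        if pkt.ingress == "inside":
            key = self._key(pkt)
            if pkt.flags == "SYN":
                # New session from the inside: record it and let it out.
                self.state[key] = "SYN_SENT"
                return "accept (new state entry)"
            if key in self.state:
                return "accept (state match)"
            return "drop (inside packet with no session)"

        # Arrived from outside: permitted only as a reply to a recorded session.
        key = self._reply_key(pkt)
        if key in self.state:
            if pkt.flags == "SYN-ACK":
                self.state[key] = "ESTABLISHED"
            return "accept (reply to known session)"
        return "drop (unsolicited inbound)"


def demo():
    """Constructed sequence: Bob (inside) opens HTTPS to a server; a stranger probes in."""
    fw = StatefulFirewall()
    bob, server, stranger = "10.1.1.10", "203.0.113.5", "198.51.100.7"
    verdicts = [
        fw.handle(Packet(bob, 50000, server, 443, "SYN", "inside")),
        fw.handle(Packet(server, 443, bob, 50000, "SYN-ACK", "outside")),
        fw.handle(Packet(bob, 50000, server, 443, "ACK", "inside")),
        # Same server, but no session was opened to port 8080 -> dropped.
        fw.handle(Packet(server, 8080, bob, 50000, "SYN", "outside")),
        fw.handle(Packet(stranger, 4444, bob, 445, "SYN", "outside")),
    ]
    return verdicts, fw.state


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The point of the last two packets is that the state table, not the source address, decides: even the server Bob is talking to cannot open a new connection inward, because no entry exists for that 5-tuple.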

Operating System
IPSO – based on BSD
SecurePlatform (SPLAT) – based on Red Hat; replaced IPSO
GAiA – 2003

II. Installing Checkpoint

Standalone vs Distributed
– Standalone: one physical device with both Management and FW
– Distributed: Management and FW on separate physical boxes or virtual servers
High Availability
Routed vs Bridge
– Routed
– Bridge mode: works like a transparent device; it does not divide the network.

III. Linking the manager and Gateway

FW: IPs, Default Route, Banner
1st: Connect remotely via HTTP (the web UI).
It presents a self-signed certificate.

2nd Setup network interface
Network Management > Network Interface > Click Edit

3rd Setup static route
Network Management > IPv4 Static Routes > Edit Default route

Mgr: add banner
Connect via HTTP; adding the interface IP address, routes and banner follows the same process as on the FW.

Download all smart console components

PC
Download / install the SmartConsole clients from the manager
– We can download SmartConsole from the Management server.

There is a read-only (demo) mode.

Fingerprint

To verify it, go to the console manager.

Configuring Management via SmartConsole to sync with the firewall.

Create a network object that represents the firewall and defines how to communicate with it.
1st: Network Object > Check Point > Security Management > Classic Mode

Fill in the blanks and enable the features, or what we call software blades.

Note: each feature has an individual license.

Secure Internal Communication = Uninitialized (meaning this manager is not yet connected to the gateway)
Setup communication

The firewall knows which interface to assign the IP address to because of the default route.

Verify on Overview

We can create network objects that identify our internal networks or internal PCs, which can then be used in the policy.

Network objects that can be used in the policy

IV. Creating and Pushing a policy to the gateway.

Define Network Objects.

Add Rule to the Security policy
-Management: allows the permitted console host to reach the gateway
-Stealth: prevents direct access to the security gateway; only the permitted host or console may connect
-Internal: permits inside hosts and lets them forward to any destination
-Cleanup: if traffic is from anywhere going to anywhere, DROP it (we can see logs with this rule)
-Implied rules

Stealth Rule – to prevent direct access to the security gateway
Cleanup Rule – to drop and log all traffic not permitted in previous rules
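The rules above are matched top to bottom, first match wins, which is why the Stealth rule must sit above the Internal rule and the Cleanup rule goes last. The following added example (not Check Point's code) models that rule base in a few lines; the gateway, console and internal network addresses are constructed, and the gateway is simplified to a single IP.

```python
# Added example (not Check Point's code): a first-match rule base with the
# Management, Stealth, Internal and Cleanup rules listed above. Addresses are
# constructed; the gateway is modelled as a single IP for simplicity.
from ipaddress import ip_address, ip_network

ANY = "any"
GATEWAY = "192.0.2.1"       # the security gateway's own address
CONSOLE = "10.1.1.50"       # the permitted management host
INTERNAL = "10.1.1.0/24"    # internal network object


def rule(name, src, dst, service, action):
    return {"name": name, "src": src, "dst": dst, "service": service, "action": action}


RULEBASE = [
    rule("Management", CONSOLE, GATEWAY, {"ssh", "https"}, "accept"),
    rule("Stealth", ANY, GATEWAY, ANY, "drop"),
    rule("Internal", INTERNAL, ANY, ANY, "accept"),
    rule("Cleanup", ANY, ANY, ANY, "drop"),
]


def _addr_matches(field, value):
    if field == ANY:
        return True
    if "/" in field:
        return ip_address(value) in ip_network(field)
    return field == value


def _service_matches(field, service):
    return field == ANY or service in field


def evaluate(rulebase, src, dst, service):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for r in rulebase:
        if (_addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)
                and _service_matches(r["service"], service)):
            return r["name"], r["action"]
    # Unreachable while a Cleanup rule is present, but fail closed anyway.
    return "implicit", "drop"


def misordered():
    """Same rules with Internal placed above Stealth, to show why order matters."""
    rb = list(RULEBASE)
    rb[1], rb[2] = rb[2], rb[1]
    return rb


if __name__ == "__main__":
    print(evaluate(RULEBASE, "10.1.1.20", GATEWAY, "ssh"))      # Stealth drops it
    print(evaluate(misordered(), "10.1.1.20", GATEWAY, "ssh"))  # Internal lets it through
```

With the correct order an internal host is stopped by Stealth before the Internal rule is consulted; with Internal moved above Stealth the same packet is accepted, which is exactly the exposure the Stealth rule exists to prevent.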

Save and Push

Adding Rule on Smart Console
Note that there are many ways to create a new policy.

In case there is an issue with the policy, we need to roll back.

Load the policy from the local host or from a different host.

Save – saves the policy
Install – pushes to the selected gateway; deploys the policy to the firewall

Verify that the pushed policy has been installed.

Network Address Translation
Reasons: private IPs, security, limited IPs

What to translate: source or destination
Source – private (internal client) to public
Destination – private to public

How to translate: static or dynamic
Static – one to one (fixed resource)
Dynamic –
Hide NAT – hides hundreds of users behind the firewall's public address

Where translation is done.

Source Dynamic (Hide nat for internal network)
– Go to internal network object
– NAT Translation Method – Hide nat

Using Smart Tracker

Static Nat
1st: Create a host object
2nd: Create a policy

3rd

RESULT:

TRACKER:

TRAFFIC FLOW: USER(OUTSIDE) > PUBLIC IP > TRANSLATED TO PRIVATE > POLICY > ROUTE
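The difference between Hide NAT and Static NAT is easiest to see in a table. The following added example (not Check Point's code) models both: internal hosts behind Hide NAT share one public address and are told apart by a translated source port, while a static mapping is one-to-one and therefore reachable from outside, as in the traffic flow above. All addresses, including the .112 public address for the DMZ server, are constructed.

```python
# Added example (not Check Point's code): a toy NAT table showing Hide NAT
# (many internal hosts behind one public address, distinguished by translated
# source port) next to Static NAT (one-to-one, usable from the outside).
# All addresses are constructed.


class NatTable:
    def __init__(self, hide_ip, static_map, port_pool_start=10000):
        self.hide_ip = hide_ip
        self.static = dict(static_map)                      # private -> public
        self.static_rev = {v: k for k, v in self.static.items()}
        self.hide_sessions = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.hide_rev = {}        # public port -> (priv_ip, priv_port)
        self.next_port = port_pool_start

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate the source of a packet leaving the internal network."""
        if src_ip in self.static:
            # Static NAT: fixed one-to-one mapping, port untouched.
            return self.static[src_ip], src_port
        # Hide NAT: every host shares hide_ip; a unique public port per session
        # lets the firewall route replies back to the right private host.
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.hide_sessions:
            self.hide_sessions[key] = self.next_port
            self.hide_rev[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return self.hide_ip, self.hide_sessions[key]

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of a packet arriving from outside.

        Returns the private (ip, port), or None when no translation exists,
        which is why unsolicited traffic cannot reach a hidden host.
        """
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        if dst_ip == self.hide_ip and dst_port in self.hide_rev:
            return self.hide_rev[dst_port]
        return None


def demo():
    """Constructed scenario: two hidden users, one DMZ server with static NAT."""
    nat = NatTable(hide_ip="203.0.113.1", static_map={"10.1.2.80": "203.0.113.112"})
    bob = nat.outbound("10.1.1.10", 50000, "198.51.100.20", 443)
    alice = nat.outbound("10.1.1.11", 50000, "198.51.100.20", 443)
    reply_to_bob = nat.inbound(bob[0], bob[1])
    dmz_in = nat.inbound("203.0.113.112", 80)   # outside user -> DMZ server
    probe = nat.inbound("203.0.113.1", 3389)    # nothing maps to this port
    return {"bob": bob, "alice": alice, "reply_to_bob": reply_to_bob,
            "dmz_in": dmz_in, "probe": probe}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that Bob and Alice both use source port 50000 internally yet leave with different public ports, and that only the reply to Bob's own session is translated back; the static mapping for the DMZ server is the only address an outside user can initiate to.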

POLICY PACKAGES AND DATABASE VERSION
Install and link gateway to manager

Include new firewall in policies

From Management we will add static NAT .112 for FW2.
We need to apply it for the Gateway control connection.

Create a DMZ object for DMZ server.
Node > Host

And add static nat

We need to make sure that we create policy for that.

! Adding an additional firewall
Check Point > Right click > Add new gateway or management device.

Using wizard mode
NEXT; it asks for the one-time password > Next > Close > Finish.
Verify Connection Status

SAVE!!!

Create new Policy package for FW2.

Allow a specific host to access FW2 and add a stealth rule.

INSTALL / PUSH (choose FW2)

Or select target tab
VERIFY

In the Advanced options under Install Policy
Click Create database version (creates a snapshot we can use for rollback).

Verify
File > Database Revision

Smartview Tracker

Modes: Log, Active and Audit

Smartview Monitor – the answer to: “So how is Everything”

Ctrl + Shift + M to go to Monitor viewer
Real Time Monitoring

Setup threshold (To generate alert)

Or Global Policy.

Verify software blade enabled

Blocking a service from Monitor

ENFORCE!!

But note that this is not the right way of establishing or implementing a policy.

Site to Site IPsec VPNs

Authentication (shared key), Data Integrity (hash, MD5) & Encryption (DES, 3DES, AES)

If the VPN has not yet been established, the rules are in place but there is no tunnel yet.

What does the firewall do? It starts the process called IKEv1.

IKEv1: Phase 1 & Phase 2

Phase 1
– Negotiation (Hash, Encryption, Authentication &DH)
– DH – Run to generate Shared secret key
– Authenticate (using method on Negotiation)

BUT THIS SETUP DOESN’T HELP BOB(USER)

Phase 2
– Negotiate (SHA, AES)
– Build IPsec Tunnel
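The Phase 1 steps above separate two things that are easy to conflate: Diffie-Hellman gives both peers the same secret, but it does not tell either peer who it is talking to; the shared-key authentication step does that. The added example below (not Check Point's code) runs a toy version of that exchange. The DH group, the prf and the hash layout are simplified stand-ins for the RFC 2409 definitions, and the toy prime provides no real security; it only shows that DH still agrees when the pre-shared keys differ, while authentication fails.

```python
# Added example (not Check Point's code): a toy IKEv1 Phase 1 in which both
# peers run Diffie-Hellman to get a shared secret and then authenticate with
# a pre-shared key. The DH group, prf and hash layout are simplified stand-ins
# for the real RFC 2409 definitions; the toy prime offers no real security.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus, NOT an IKE MODP group (those are RFC 3526 groups)
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def skeyid(psk, nonce_i, nonce_r):
    # IKEv1 with pre-shared keys: SKEYID = prf(psk, Ni | Nr); prf modelled as HMAC-SHA256.
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def session_key(key, shared_secret):
    # Stand-in for SKEYID_d: keying material derived from SKEYID and g^xy.
    return hmac.new(key, shared_secret.to_bytes(16, "big"), hashlib.sha256).digest()


def auth_hash(key, pub_a, pub_b, identity):
    # Simplified HASH_I / HASH_R: proves knowledge of SKEYID (hence of the PSK)
    # bound to this exchange's DH public values and the sender's identity.
    msg = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big") + identity
    return hmac.new(key, msg, hashlib.sha256).digest()


def phase1(psk_initiator, psk_responder):
    """Run the exchange; report whether DH agreed and whether auth succeeded."""
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Each side computes the shared secret from the other's public value.
    secret_i = dh_shared(priv_i, pub_r)
    secret_r = dh_shared(priv_r, pub_i)

    # Each side derives SKEYID from *its own* configured pre-shared key.
    key_i = skeyid(psk_initiator, ni, nr)
    key_r = skeyid(psk_responder, ni, nr)

    # Initiator sends HASH_I; responder recomputes it with its own key and compares.
    hash_i = auth_hash(key_i, pub_i, pub_r, b"fw1")
    expected = auth_hash(key_r, pub_i, pub_r, b"fw1")
    authenticated = hmac.compare_digest(hash_i, expected)

    return {
        "dh_agreed": secret_i == secret_r,
        "authenticated": authenticated,
        "keys_match": session_key(key_i, secret_i) == session_key(key_r, secret_r),
    }


if __name__ == "__main__":
    print(phase1(b"correct-key", b"correct-key"))   # all True
    print(phase1(b"correct-key", b"wrong-key"))     # dh_agreed True, the rest False
```

The second run is the case the notes call out in the "Authenticate" step: a peer with the wrong shared key still completes DH, so mismatched pre-shared keys show up as a Phase 1 authentication failure rather than as a key-agreement error.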

VPN Community
– Full Mesh
– Hub & Spoke (Star)

FW GATEWAY – VPN MEMBER (END POINT)
VPN Domains – Server/User Network

Site – Member & Domains

! Disable NAT from Bob (User2) to User1: tell the firewall not to NAT traffic that one VPN domain sends to another VPN domain.

Steps:
– Enable on Gateway
– ID Domain
– Create Community
– Add rule
Center – HUB
Satellite – Spoke

! Enable IPSec VPN on Software Blade

! Identify VPN Domain
FW > Topology > VPN Domain
GROUP

! Create Community
IPSec Tab

– CREATING A STAR COMMUNITY

– CENTER GATEWAYS (Click ADD or Create a new Firewall)



– On SATELLITE (PEER)

– Encryption

– Custom Default
– Tunnel Management

Advanced VPN (optional)
DISABLE NAT

Create a new policy

SAVE!!
In case it does not work, you can verify on the Tracker.

VPN tunnel utility on the CLI
# vpn tu

Identity Awareness

Option for learning “Who’s using this IP?”:
– AD Query (Security Event logs)
– Captive portal (Browser)
– Agents (Endpoint or Terminal Services)
– VPN

STEPS: Enable feature, Create Access Role & use in rules

Enabling Identity Awareness
– Software blade
– NEXT
– Credentials

Application Control & URL Filtering
Protect Against: Malware, B/W Abuse, Non-approved site

Enable Features
Add Rule
Push policy

We can limit the throughput

Add Policy


Checkpoint HA

I.Diagram
Check Point firewall HA is set up as a cluster, or Active/Active, with one VIP (virtual IP). There is no single point of failure: if one node goes down, the peer node keeps working.

II. Configuration

III. Verification
# fw hastat
# cphaprob stat
# cphaprob -a if
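The member table printed by `cphaprob stat` is the quickest health signal for an HA pair: one member should be ACTIVE and the other STANDBY. The added example below (not Check Point's code) parses that table and reports anything else, which is the kind of check a monitoring job would run after a failover. Both sample outputs are constructed to resemble the command's layout, not captured from a real device.

```python
# Added example (not Check Point's code): parse the member table printed by
# "cphaprob stat" and flag an unhealthy cluster. The sample outputs below are
# constructed to resemble the command's layout, not captured from a device.
import re

HEALTHY_SAMPLE = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.10.10.1      100%            ACTIVE         fw1
2          10.10.10.2      0%              STANDBY        fw2
"""

DEGRADED_SAMPLE = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.10.10.1      100%            ACTIVE         fw1
2          10.10.10.2      0%              DOWN           fw2
"""

# One member row: id, optional "(local)", sync address, load %, state, name.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)(?:\s+\(local\))?\s+(?P<addr>\S+)\s+(?P<load>\d+)%\s+"
    r"(?P<state>\S+)\s+(?P<name>\S+)\s*$"
)


def parse_cphaprob_stat(text):
    """Return one dict per cluster member found in the command output."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.append({
                "id": int(m["id"]),
                "addr": m["addr"],
                "load": int(m["load"]),
                "state": m["state"].upper(),
                "name": m["name"],
            })
    return members


def check_cluster(members, expected_members=2):
    """Return a list of findings; an empty list means the HA pair looks healthy."""
    findings = []
    if len(members) != expected_members:
        findings.append(f"expected {expected_members} members, saw {len(members)}")
    active = [m["name"] for m in members if m["state"] == "ACTIVE"]
    if len(active) != 1:
        findings.append(f"expected exactly one ACTIVE member, saw {active}")
    for m in members:
        if m["state"] not in ("ACTIVE", "STANDBY"):
            findings.append(f"{m['name']} is {m['state']}")
    return findings


if __name__ == "__main__":
    for sample in (HEALTHY_SAMPLE, DEGRADED_SAMPLE):
        print(check_cluster(parse_cphaprob_stat(sample)) or "healthy")
```

On a real gateway the text would come from running the command in expert mode and feeding its output to `parse_cphaprob_stat`; the assumed healthy state (exactly one ACTIVE, the rest STANDBY, two members) is the one the diagram above describes.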