
SECURITY ADMINISTRATION

Student Manual
R80

Check Point Software Technologies Inc.
© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.

International Headquarters
5 Ha'Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555

U.S. Headquarters
959 Skyway Road, Suite 300
San Carlos, CA 94070
Tel: 650-628-2000
Fax: 650-654-4233

Technical Support, Education & Professional Services
6330 Commerce Drive, Suite 120
Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913

Email comments or questions about our courseware to: courseware@us.checkpoint.com
For questions or comments about other Check Point documentation, email:
CP_TechPub_Feedback@checkpoint.com

Document # DOC-Manual-CCSA-R80
Revision R80
Content: Joey Witt, Vanessa Johnson, Whitney Bentley
Graphics: Chunming Jia

Contributors (Beta Testing, Content Contribution, or Technical Review):
Michael ,l‘tdlei Wleklllll - England
Chris Athias - QA - England
Mann Angelastro - ITway - Italy
Eli Faskha - Soluciones Seguras - Panama
Michael Curtin - Red Education - Australia
Kishin Fatnani - K-Secure - India
Patrick Felsner - Arrow ECS - Austria
Omar Gonzalez - Soluciones Seguras - Panama
Mark Halsall - Check Point Software Technologies - USA
Eli Har-Even - Check Point Software Technologies - Israel
Anthony Jouhaire - Arrow ECS - France
Yasushi Kono - Arrow ECS - Germany
Fabrizio Lamanna - Check Point Software Technologies - USA
Jani Linder - S&T - Slovenia
Valeri Loukine - Dimension Data - Switzerland
Dries Menens - Westcon - Belgium
Piotr Misiowiec - CLICO - Poland
Richard Parkin - Arrow ECS - England
Jigarkumar Patel - Check Point Software Technologies - USA
Yaakov Simon - Check Point Software Technologies - Israel
Dan Valluvassery - Arrow ECS - England
Erik Wagemans - Proximus ICT Academy - Belgium
Kim Winfield - Check Point Software Technologies - USA

Special Thanks:
Ashley McDowell - Arrow ECS - UK (London Beta Host)
Mauro Feleni - ITway - Italy (Milan Beta Host)
Jeremy Ford - Check Point Software Technologies - USA

Certification Exam Development:
Ken Finley

Check Point Technical Publications Team:
Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkah Alhinder, Shira Rosenfield,
Yaakov Simon

facebook.com/CheckPointEducation
Table of Contents

Preface: Security Administration ..... 1
    Course Layout ..... 2
    Prerequisites ..... 2
    Certification Title ..... 2
    Course Chapters and Learning Objectives ..... 2
    Sample Setup for Labs ..... 5

Chapter 1: Introduction to Check Point Technology ..... 7
    Concept of a Firewall ..... 8
        Open Systems Interconnect Model ..... 8
        Transmission Control Protocol/Internet Protocol Model ..... 10
    Controlling Network Traffic ..... 12
        Packet Filtering ..... 12
        Stateful Inspection ..... 13
        Application Layer Firewall ..... 15
    Network Communication ..... 16
        Secure Internal Communication ..... 16
    The Check Point Security Management Architecture ..... 19
        SmartConsole ..... 19
        Security Management Server ..... 19
        Security Gateway ..... 19
    The SmartConsole ..... 20
        Gateways & Servers View ..... 21
        Security Policies View ..... 22
        Logs & Monitor View ..... 23
        Manage & Settings View ..... 24
    SmartConsole Applications ..... 25
        SmartEvent (Advanced Events and Reports) ..... 25
        SmartView Monitor (Tunnel & User Monitoring) ..... 25
        SmartUpdate ..... 25
        SmartDashboard ..... 25
    Deployment Platforms ..... 26
        Check Point Appliances ..... 26
        Open Servers ..... 28
    Deployment Considerations ..... 29
        Standalone ..... 30
        Distributed ..... 30
        Bridge Mode ..... 31
    Introduction to the Gaia Operating System ..... 32
        Command Line Interface ..... 32
        WebUI ..... 37
        Users ..... 40
        Updates ..... 46
    Review Questions ..... 47

Chapter 2: Security Policy Management ..... 49
    Introduction to the Security Policy ..... 50
        Rules ..... 50
        Objects ..... 52
        Anti-Spoofing ..... 54
        The Rule Base ..... 55
        Global Properties ..... 60
        Sections ..... 61
        Publish Policy ..... 61
    Policy Packages ..... 62
        Policy Types ..... 62
        Unified Policies ..... 64
        Shared Policies ..... 65
        Additional Policy Management Tools ..... 66
    Install Policy ..... 69
        Install a Policy Package ..... 69
    Network Address Translation ..... 71
        Hide NAT ..... 72
        Static NAT ..... 80

Chapter 6: Basic Concepts of VPN ..... 177
    Introduction to VPN ..... 178
        IPSec VPN ..... 178
        VPN Components ..... 181
    VPN Deployments ..... 182
        Site-to-Site VPN Deployment ..... 182
        Remote Access VPN Deployment ..... 184
    VPN Communities ..... 186
        Meshed VPN Community ..... 187
        Star VPN Community ..... 188
        Combination VPN Communities ..... 190
        Remote Access VPN Community Object ..... 190
    Access Control for VPN Connections ..... 191
        Allow All Connections ..... 191
        Allow All Site-to-Site VPN Connections ..... 192
        Allow Specific VPN Communities ..... 192
        Site-to-Site Communities Allow All Encrypted Traffic ..... 193
    Tunnel Management and Monitoring ..... 194
        Permanent VPN Tunnels ..... 194
        Tunnel Testing ..... 195
        Monitoring VPN Tunnels ..... 195
    Review Questions ..... 197

Chapter 7: Managing User Access ..... 199
    Overview of User Management Components ..... 200
        User Directory ..... 201
        Identity Awareness ..... 202
    Managing Users ..... 215
        SmartConsole and User Database ..... 215
        LDAP and User Directory ..... 215
    Authenticating Users ..... 220
        Authentication Schemes ..... 220
    Managing User Access ..... 222
        Access Roles ..... 222
        Rule Base ..... 223
        Captive Portal for Guest Access ..... 223
    Review Questions ..... 224

Chapter 8: Working with ClusterXL ..... 225
    Overview of ClusterXL ..... 226
    ClusterXL Deployments ..... 229
        High Availability Deployment ..... 229
    Failovers ..... 233
        Performing a Manual Failover ..... 233
    Synchronizing Cluster Connections ..... 234
        Securing the Sync Interface ..... 234
        Clock Synchronization ..... 234
    Monitoring a Cluster ..... 235
        SmartView Monitor ..... 235
    Review Questions ..... 237

Chapter 9: Administrator Task Implementation ..... 239
    Compliance Software Blade ..... 240
        Best Practices ..... 241
        Continuous Compliance Monitoring ..... 246
    CPView ..... 247
        User Interface ..... 249
    Review Questions ..... 250

Appendix: Questions and Answers ..... 251
    Chapter 1: Introduction to Check Point Technology ..... 252
    Chapter 2: Security Policy Management ..... 253
    Chapter 3: Policy Layers ..... 254
    Chapter 4: Check Point Security Solutions and Licensing ..... 255
    Chapter 5: Traffic Visibility ..... 256
    Chapter 6: Basic Concepts of VPN ..... 257
    Chapter 7: Managing User Access ..... 258
    Chapter 8: Working with ClusterXL ..... 259
    Chapter 9: Administrator Task Implementation ..... 260

Security Administration

Welcome to the Security Administration course. This course provides an understanding of
basic concepts and skills necessary to configure Check Point Security Gateway and
Management software blades. During this course, you will configure a Security Policy and
learn about managing and monitoring a secure network. In addition, you will upgrade and
configure a Security Gateway to implement a Virtual Private Network (VPN) for both
internal and external remote users.

Preface Outline
- Course Layout
- Prerequisites
- Certification Title
- Course Chapters and Learning Objectives
- Sample Setup for Labs

Course Layout
This course is designed for Security Administrators, Check Point resellers, and those who are
working towards their Check Point Certified Security Administrator (CCSA) certification. The
following professionals benefit most from this course:

- System Administrators
- Support Analysts
- Network Engineers

Prerequisites
Before taking this course, we strongly suggest you have the following knowledge base:

- General knowledge of TCP/IP
- Working knowledge of Windows and/or UNIX
- Working knowledge of network technology
- Working knowledge of the Internet

Certification Title
The current Check Point Certified Security Administrator (CCSA) certification is designed for
partners and customers seeking to validate their knowledge of Check Point’s software blade
products.

Course Chapters and Learning Objectives

Chapter 1: Introduction to Check Point Technology

- Interpret the concept of a Firewall and understand the mechanisms used for controlling
network traffic.
- Describe the key elements of Check Point's unified security management architecture.
- Recognize SmartConsole features, functions, and tools.
- Understand Check Point deployment options.
- Describe the basic functions of the Gaia operating system.

Chapter 2: Security Policy Management

- Describe the essential elements of a Security Policy.
- Understand how traffic inspection takes place in a unified Security Policy.
- Summarize how administration roles and permissions assist in managing policy.
- Recall how to implement Check Point backup techniques.

Chapter 3: Policy Layers

- Understand the Check Point policy layer concept.
- Recognize how policy layers affect traffic inspection.

Chapter 4: Check Point Security Solutions and Licensing

- Recognize Check Point security solutions and products and how they work to protect
your network.
- Understand licensing and contract requirements for Check Point security products.

Chapter 5: Traffic Visibility

- Identify tools designed to monitor data, determine threats, and recognize opportunities
for performance improvements.
- Identify tools designed to respond quickly and efficiently to changes in gateways,
tunnels, remote users, traffic flow patterns, and other security activities.

Chapter 6: Basic Concepts of VPN

- Understand Site-to-Site and Remote Access VPN deployments and communities.
- Understand how to analyze and interpret VPN tunnel traffic.

Chapter 7: Managing User Access

- Recognize how to define users and user groups.
- Understand how to manage user access for internal and external users.

Chapter 8: Working with ClusterXL

- Understand the basic concepts of ClusterXL technology and its advantages.

Chapter 9: Administrator Task Implementation

- Understand how to perform periodic administrator tasks as specified in administrator
job descriptions.

Sample Setup for Labs


Most lab exercises will require you to manipulate machines in your network and other labs will
require interaction with the instructor’s machines.

Check Point R80 CCSA Lab Topology

Figure 1 - CCSA Lab Topology


Introduction to Check Point Technology

Check Point technology addresses network deployments and security threats while
providing administrative flexibility and accessibility. To accomplish this, Check Point
uses a unified security management architecture and the Check Point Firewall. These
Check Point features are further enhanced with the SmartConsole interface and the Gaia
operating system. The following chapter provides a basic understanding of these features
and enhancements.

Learning Objectives
- Interpret the concept of a Firewall and understand the mechanisms used for controlling network
traffic.
- Describe the key elements of Check Point's unified security management architecture.
- Recognize SmartConsole features, functions, and tools.
- Understand Check Point deployment options.
- Describe the basic functions of the Gaia operating system.

Concept of a Firewall
Firewalls are the core of a strong network Security Policy. They control the traffic between
internal and external networks. Firewalls can be hardware, software or a combination of both,
configured to meet an organization's security needs. When connecting to the
Internet, securing the network against intrusion is of critical importance. The most effective
way to secure the Internet link is to put a Firewall system between the local network and the
Internet. The Firewall ensures that all communication between an organization's network and
the Internet conforms to the organization's Security Policy.

Open Systems Interconnect Model

To understand the concept of a basic Firewall, it is beneficial to examine the aspects of the
Open Systems Interconnect (OSI) Model. The OSI Model demonstrates network
communication between computer systems and network devices, such as Security Gateways. It
governs how network hardware and software work together and illustrates how different
protocols fit together. It can be used as a guide for implementing network standards.

The OSI Model comprises seven layers. The bottom four layers govern the establishment
of a connection and how the packet will be transmitted. The top three layers of the model
determine how applications in the end stations communicate and work. The Check Point
Firewall kernel module inspects packets between the Data Link and Network layers.
Depending on the traffic flow and service, inspection may transcend multiple layers.

Figure 2 - OSI Model (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical)

The OSI Model layers are described as follows:

Layer 1 - Represents physical communication links or media and the required hardware, such
as Ethernet cards, DSL modems, cables and hubs.

Layer 2 - Represents where network traffic is delivered to the Local Area Networks
(LAN); this is where identification of a single specific machine takes place. Media
Access Control (MAC) addresses are assigned to network interfaces by the
manufacturers. An Ethernet address belonging to an Ethernet card is a Layer 2 MAC
address. An example of a physical device performing in this layer would be a switch.

Layer 3 - Represents where delivery of network traffic on the Internet takes place;
addressing in this layer is referred to as Internet Protocol (IP) addressing and creates
unique addresses, except when NAT is employed. NAT makes it possible to address
multiple physical systems by a single Layer 3 IP address. An example of a physical
device performing in this layer would be a router.

Layer 4 - Represents where specific network applications and communication
sessions are identified; multiple Layer 4 sessions may occur simultaneously on any
given system with other systems on the same network. Layer 4 is responsible for flow
control of data transferring between end systems. This layer introduces the concept of
ports, or endpoints.

Layer 5 - Represents where connections between applications are established,
maintained, and terminated. This layer sets up the communication through the network.
The Session layer allows devices to establish and manage sessions. A session is the
persistent logical linking of two software application processes.

Layer 6 - Represents where data is converted into a standard format that the other
layers can understand. This layer formats and encrypts data to be sent across the
network. The Presentation layer is responsible for presenting the data. It defines the
format for data conversion. Encoding and decoding capabilities allow for
communication between dissimilar systems.

Layer 7 - Represents end-user applications and systems. Application protocols are
defined at this level and are used to implement specific user applications and other
high-level functions. Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer
Protocol (SMTP) are examples of application protocols. It is important to understand
that usually, the Application layer is a part of the operating system and not necessarily a
part of the application in use.

NOTE
Distinctions among layers 5, 6, and 7 are not always clear. Some models
combine these layers.

The more layers a Firewall is capable of covering, the more thorough and effective the
Firewall. Advanced applications and protocols can be accommodated more efficiently with
additional layer coverage. In addition, advanced Firewalls, such as Check Point's Security
Gateways, can provide services that are specifically oriented to the user, such as authentication
techniques and logging events of specific users.

Transmission Control Protocol/Internet Protocol Model

The Transmission Control Protocol/Internet Protocol (TCP/IP) Model is a suite of protocols
which work together to connect hosts and networks to the Internet. Whereas the OSI Model
conceptualizes and standardizes how networks should work, TCP/IP actually serves as the
industry-standard networking method that a computer uses to access the Internet. TCP/IP
protocols support communications between any two different systems in the form of client-
server architecture. The model name is based on its two most dominant protocols, but the suite
consists of many additional protocols and a host of applications. Each protocol resides in a
different layer of the TCP/IP Model.

The TCP/IP Model consists of four core layers that are responsible for its overall operation:
Network Interface Layer, Internet Layer, Transport Layer and Application Layer. Each layer
corresponds to one or more layers of the OSI Model. These core layers support many protocols
and applications.

Figure 3 - TCP/IP Model (Application Layer, Transport Layer, Internet Layer, Network Interface Layer)

The TCP/IP Model layers are described as follows:

Network Interface Layer - This layer corresponds to the Physical and Data Link
layers of the OSI Model. It deals with all aspects of the physical components of
network connectivity, connects with different network types and is independent of any
specific network media.

Internet Layer - This layer manages the routing of data between networks. The main
protocol of this layer is IP, which handles IP addressing, routing and packaging
functions. IP tells the packet where to go and how to get there. The packets are
transported as datagrams, which allow the data to travel along different routes to reach
its destination. Each destination has a unique IP address assigned. The Internet layer
corresponds to the Network layer of the OSI Model.

Transport Layer - This layer manages the flow of data between two hosts to ensure
that the packets are correctly assembled and delivered to the targeted application.
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) represent the
core protocols of the Transport layer. TCP ensures a reliable transmission of data across
connected networks by acknowledging received packets and verifying that data is not
lost during transmission. UDP also manages the flow of data; however, data verification
is not as reliable as TCP. The Transport layer corresponds to the Transport layer of the
OSI Model.

Application Layer - This layer encompasses the responsibilities of the Session,
Presentation and Application layers of the OSI Model. It defines the protocols that are
used to exchange data between networks and how host programs interact with the
Transport layer. The Application layer allows the end user to access the targeted
network application or service.


Controlling Network Traffic

Managing Firewalls and monitoring network traffic is the key role of a network Security
Administrator. Effectively controlling network traffic helps to improve overall network
performance and organizational security. The Firewall, or the Security Gateway with a
Firewall enabled, will deny or permit traffic based on rules defined in the Security Policy. The
following technologies are used to deny or permit network traffic:

- Packet Filtering
- Stateful Inspection
- Application Layer Firewall

Packet Filtering
Packet Filtering is the process by which traffic is broken down into packets. Basically,
messages are broken down into packets that include the following elements:

- Source address
- Destination address
- Source port
- Destination port
- Protocol

Figure 4 - Packet Filtering (Pros: application independence, high performance, scalability; Cons: low security, no screening above the Network layer, no state or application-context information)

Packet Filtering is the most basic form of a Firewall. Its primary purpose is to control access to
specific network segments as directed by a preconfigured set of rules, or Rule Base, which
defines the traffic permitted access. Packet Filtering usually functions in the Network and
Transport layers of the network architecture. Packets are individually transmitted to their
destination through various routes. Once the packets have reached their destination, they are
recompiled into the original message.

Stateful Inspection
Stateful Inspection analyzes a packet's source and destination addresses, source and
destination ports, protocol and contents. With Stateful Inspection, the state of the connection is
monitored and state tables are created to compile the information. State tables hold useful
information in regards to monitoring performance through a Security Gateway. As a result,
filtering includes context that has been established by previous packets passed through the
Firewall. For example, Stateful Inspection provides a security measure against port scanning
by closing all ports until the specific port is requested.

Figure 5 - Stateful Inspection (INSPECT Engine with State Tables; Pros: good security, full Application layer, high performance, extensibility, transparency)

Check Point's INSPECT Engine, which is installed on a Security Gateway, is used to extract
state-related information from the packets and store that information in state tables. State tables
are key components of the Stateful Inspection technology because they are vital in maintaining
the state information needed to correctly inspect packets. When new packets arrive, their contents
are compared to the state tables to determine whether they are denied or permitted.

NOTE
Stateful Inspection technology was developed and patented by Check
Point. State tables are covered in more detail in the CCSE course.

Stateful Inspection versus Packet Filtering

Stateful Inspection differs from Packet Filtering in that it deeply examines a packet not only in
its header, but also the contents of the packet up through the Application layer to determine
more about the packet than just information about its source and destination. In addition,
Packet Filtering requires creating two rules for each user or computer that needs to access
resources. For example, if a computer with IP address 10.11201 needs to access 8.8.8.8 on the
Internet for DNS, an outgoing request rule is needed for connecting to the server on the
Internet and a second rule is required for the incoming reply for the same connection. The
creation of Stateful Inspection eliminated the need for two rules. The Firewall remembers each
reply for an existing request using the state tables. Therefore, only one rule is required for each
connection.
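The DNS request/reply case above, as an added Python model that is not Check Point code: one outbound rule plus a state table accepts the reply, while the same Rule Base run as a stateless packet filter drops it. The internal address 192.0.2.10, the ports and the packet sequence are constructed; 8.8.8.8 is the DNS server from the text.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

Connection = Tuple[str, int, str, int, str]  # src, sport, dst, dport, proto


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src: str      # address or "any"
    dst: str      # address or "any"
    dport: int
    proto: str
    action: str   # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.dport == p.dport and self.proto == p.proto)


class Firewall:
    """Rule Base plus an optional state table; stateful=False behaves like a packet filter."""

    def __init__(self, rules: List[Rule], stateful: bool = True) -> None:
        self.rules, self.stateful = rules, stateful
        self.state: Set[Connection] = set()

    def inspect(self, p: Packet) -> str:
        if self.stateful:
            # A reply to a connection already in the state table is accepted without a rule.
            if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
                return "accept (state table)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "accept" and self.stateful:
                    self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return f"{rule.action} (rule)"
        return "drop (cleanup)"  # nothing matched: implicit drop


def dns_example(stateful: bool = True) -> List[str]:
    """Outbound DNS request, its reply, and an unsolicited inbound packet (constructed)."""
    host = "192.0.2.10"  # constructed internal address; 8.8.8.8 is the DNS server from the text
    fw = Firewall([Rule(host, "8.8.8.8", 53, "udp", "accept")], stateful)
    request = Packet(host, 50123, "8.8.8.8", 53, "udp")
    reply = Packet("8.8.8.8", 53, host, 50123, "udp")
    unsolicited = Packet("8.8.8.8", 53, host, 50999, "udp")
    return [fw.inspect(request), fw.inspect(reply), fw.inspect(unsolicited)]
```

With the state table the reply is accepted by the remembered connection and the unsolicited packet still drops; without it the same single rule lets only the request through.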
Chapter 1: Introduction to Check Point Technology

Application Layer Firewall


Many attacks are aimed at exploiting a network through network applications, rather than
directly targeting the Firewall. Application Layer Firewalls operate at the Application Layer of
the TCP/IP protocol stack to detect and prevent attacks against specific applications and
services. They provide granular level filtering, Antivirus scanning and access control for
network applications, such as email, FTP, and HTTP. These Firewalls may have proxy servers
or specialized application software added.

Application Layer Firewalls inspect traffic through the lower layers of the TCP/IP model and
up to and including the Application Layer. They are usually implemented through software
running on a host or stand-alone network hardware and are used in conjunction with Packet
Filtering. Since Application Layer Firewalls are application aware, they can look into
individual sessions and decide to drop a packet based on information in the application
protocol. The Firewalls deeply inspect traffic content and apply allow or block access rules per
session or connection instead of filtering connections per port like Packet Filtering. Packets are
inspected to ensure the validity of the content and to prevent exploits embedded within the
content. For example, an Application Layer Firewall may block access to certain website
content or software containing viruses. The extent of filtering is based on the rules defined in
the network Security Policy. Application Layer Firewalls are often referred to as
Next-Generation Firewalls in that they include the traditional functions of Packet Filtering and
Stateful Inspection.

[Figure: the seven OSI Model layers beside the TCP/IP Model layers (Application, Transport, Internet, ...), with sample protocols HTTP, FTP and SMTP at the Application Layer and TCP and UDP at the Transport Layer]

Figure 6 — Protocol Examples


Network Communication
Secure Internal Communication
Secure Internal Communication (SIC) is a means by which platforms and products
authenticate with each other. It creates trusted connections between gateways, management
servers and other Check Point components. SIC is required for policy installation on gateways
and to send logs between gateways and management servers. Once SIC is established, the
management server and its components are identified by their SIC names rather than the IP
address.

There are three authentication methods:

- Certificates
- Standards-based SSL for the creation of secure channels
- 3DES or AES-128 for encryption

NOTE
Gateways above R71 use AES-128 for SIC. If one of the gateways is below
R71, the gateways use 3DES.

Internal Certificate Authority


The Internal Certificate Authority (ICA) is created during the primary Security Management
Server installation process. It is responsible for issuing the following certificates to
authenticate:

- SIC — Authenticates between gateways or between gateways and Security
Management Servers.
- VPN Certificates — Authenticates between members of the VPN community in order
to create the VPN tunnel.
- Users — Authenticates user access according to authorization and permissions.

NOTE
If the Security Management Server is renamed, trust will need to be
reestablished as the certificate is reissued.


Initializing Trust

A gateway and Security Management Server use a one-time password to initially establish
trust. After the initial trust is established, the ICA issues a certificate to the gateway but does
not yet deliver it. The gateway and Security Management Server will then authenticate over
SSL using a one-time password. The certificate is then downloaded and stored on the gateway
and the one-time password is deleted. Now, the gateway can safely communicate with other
Check Point gateways and Security Management Servers that have a security certificate signed
by the same ICA.

NOTE
Make sure the clocks of the gateway and Security Management Server are
synchronized before you initialize trust between them.

To initialize trust:

1. Navigate to the Gateways & Servers tab.
2. Select the gateway object and hit Edit.
3. In the Navigation tree, select General Properties.
4. Under the Machine section, click the Communication button.
5. Under the Authentication section, enter and confirm the one-time password. This one-time
password must be on both the gateway and the Security Management Server.
6. Under the Trusted Communication Initialization section, click the Initialize button.
7. Publish the changes.

Secure Internal Communication Status


Once the certificate is downloaded and stored on the gateway, the SIC status will display the
current communication status between the Security Management Server and the gateway.

The communication status may show:

- Communicating — The secure communication is established.
- Unknown — There is no connection between the gateway and Security Management
Server.
- Not Communicating — The Security Management Server can contact the gateway but
cannot establish SIC.



Resetting the Trust State


If the trust state has been compromised, such as when keys are leaked or certificates are lost, it
is possible to reset the trust state. Once SIC has been established, it must be reset on both the
Security Management Server and the Security Gateway. When resetting SIC, the Security
Management Server revokes the certificate from the Security Gateway and stores the
certificate information in the Certificate Revocation List (CRL). The CRL is a database of
revoked certificates. Once the trust state has been reset, the CRL is updated with the serial
number of the revoked certificate. The ICA signs the updated CRL and issues it to all gateways
during the next SIC connection. If two gateways have different CRLs, they cannot authenticate.

To reset the trust state:

1. Navigate to the Gateways & Servers tab.
2. Select the gateway object and hit Edit.
3. In the Navigation tree, select General Properties.
4. Under the Machine section, click the Communication button.
5. At the bottom of the window, next to the certificate status, click the Reset button.
6. Publish the changes.
7. Install policy on the gateways to deploy the updated CRL to all gateways.

NOTE
If the default policy is in place on the gateway, trust cannot be reset
because communication from the Security Management Server will be
dropped along with traffic from any other source.
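A simplified model of the trust lifecycle described in the Initializing Trust and Resetting the Trust State sections, added here as an illustration and not Check Point's implementation: the certificate is a plain record rather than a signed X.509 object, "same CRL" is checked by a version counter that stands in for the ICA's signature over each re-issued list, and the SIC names and one-time passwords are constructed.

```python
import hmac
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str  # SIC name of the component
    issuer: str   # ICA that issued it

@dataclass
class CRL:
    issuer: str
    version: int = 0  # bumped on every re-issue; stands in for the ICA signature
    revoked: Set[int] = field(default_factory=set)

class ICA:
    def __init__(self, name: str) -> None:
        self.name, self.crl, self._next_serial = name, CRL(issuer=name), 1

    def issue(self, subject: str) -> Certificate:
        cert = Certificate(self._next_serial, subject, self.name)
        self._next_serial += 1
        return cert

    def revoke(self, cert: Certificate) -> None:
        self.crl.revoked.add(cert.serial)  # serial recorded, CRL re-issued
        self.crl.version += 1

@dataclass
class Component:
    sic_name: str
    otp: Optional[str] = None           # exists only until trust is established
    cert: Optional[Certificate] = None
    crl: Optional[CRL] = None           # copy of the CRL this component last received

class ManagementServer(Component):
    def __init__(self, sic_name: str) -> None:
        super().__init__(sic_name)
        self.ica = ICA("ica." + sic_name)
        self.cert = self.ica.issue(sic_name)
        self.crl = deepcopy(self.ica.crl)
        self.pending: Dict[str, str] = {}  # gateway SIC name -> OTP entered in SmartConsole

    def set_otp(self, gateway_name: str, otp: str) -> None:
        self.pending[gateway_name] = otp

    def initialize_trust(self, gw: Component) -> bool:
        """OTP-authenticated bootstrap: on success the gateway receives its certificate."""
        expected = self.pending.get(gw.sic_name)
        if expected is None or gw.otp is None or not hmac.compare_digest(expected, gw.otp):
            return False                    # wrong or missing OTP: nothing is delivered
        gw.cert = self.ica.issue(gw.sic_name)
        gw.crl = deepcopy(self.ica.crl)
        gw.otp = None                       # the one-time password is deleted on both sides
        del self.pending[gw.sic_name]
        return True

    def reset_trust(self, gw: Component) -> None:
        """Revoke the gateway's certificate; the gateway must re-initialize afterwards."""
        if gw.cert is not None:
            self.ica.revoke(gw.cert)
        gw.cert, self.crl = None, deepcopy(self.ica.crl)

    def install_policy(self, *gateways: Component) -> None:
        for gw in gateways:                 # policy installation delivers the current CRL
            gw.crl = deepcopy(self.ica.crl)

def can_authenticate(a: Component, b: Component) -> bool:
    """Both need certificates from the same ICA, the same CRL, and no revoked serial."""
    if a.cert is None or b.cert is None or a.crl is None or b.crl is None:
        return False
    if a.cert.issuer != b.cert.issuer or a.crl.version != b.crl.version:
        return False
    return not {a.cert.serial, b.cert.serial} & a.crl.revoked

def sic_lifecycle() -> Dict[str, bool]:
    sms, gw_a, gw_b = ManagementServer("mgmt"), Component("gw-a"), Component("gw-b")
    out: Dict[str, bool] = {}
    sms.set_otp("gw-a", "otp-for-a")        # constructed one-time passwords
    gw_a.otp = "wrong-otp"
    out["wrong_otp_rejected"] = not sms.initialize_trust(gw_a) and gw_a.cert is None
    gw_a.otp = "otp-for-a"
    out["trust_established"] = sms.initialize_trust(gw_a) and gw_a.otp is None
    sms.set_otp("gw-b", "otp-for-b")
    gw_b.otp = "otp-for-b"
    sms.initialize_trust(gw_b)
    out["peers_authenticate"] = can_authenticate(gw_a, gw_b)
    leaked = gw_a.cert                      # key material exposed: reset gw-a
    sms.reset_trust(gw_a)
    rogue = Component("gw-a", cert=leaked, crl=deepcopy(sms.ica.crl))
    out["revoked_cert_rejected"] = not can_authenticate(sms, rogue)
    out["stale_crl_rejected"] = not can_authenticate(sms, gw_b)  # gw-b still has the old CRL
    sms.install_policy(gw_b)
    out["after_policy_install"] = can_authenticate(sms, gw_b)
    return out
```

The last three checks are the reason for step 7 of the reset procedure: until policy is installed, a gateway holding the previous CRL cannot authenticate with the server, and the revoked serial is refused even by a peer that has the new CRL.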


The Check Point Security Management Architecture

The Check Point Security Management Architecture is an object-oriented architecture that
uses graphical representations of real-world entities, such as users and gateways. These entities
are configured, managed and monitored through a single management console which provides
the flexibility needed for organizations of all shapes and sizes to manage and secure their
network. There are three essential components of the Check Point Security Management
Architecture: SmartConsole, Security Management Server, and the Security Gateway.

[Figure: Security Management Server, SmartConsole and Security Gateway icons]

Figure 7 — Check Point's Security Management Architecture Components

SmartConsole
SmartConsole is a Graphical User Interface (GUI) used to manage the objects that represent
network elements, servers and gateways. These objects are used throughout SmartConsole for
many tasks including creating security policies. SmartConsole is also used to monitor traffic
through logs and manage software blades, licenses, and updates.

Security Management Server


When a Security Policy is created in SmartConsole, it is stored in the Security Management
Server. The Security Management Server then distributes that Security Policy to the various
Security Gateways. The Security Management Server is also used to maintain and store an
organization’s databases, including object definitions and log files for all gateways.

Security Gateway
A Security Gateway is a gateway on which the Firewall software blade is enabled. It is also
known as a Firewalled machine. Security gateways are deployed at network access points, or
points where the organization's network is exposed to external traffic. They protect the
network using the Security Policy pushed to them by the Security Management Server.


The SmartConsole
The SmartConsole is an all-encompassing, unified console for managing security policies,
monitoring events, installing updates, adding new devices and appliances and managing a
multi-domain environment.

Navigation Pane Overview

[Figure: SmartConsole main window with numbered callouts]

Figure 8 — SmartConsole

1. Navigation toolbar — Navigate between SmartConsole views.
2. Main menu — Manage policies and layers, explore and create objects, manage sessions,
install policy, manage licenses and packages and configure global properties.
3. Objects menu — Create and manage objects.
4. Install Policy button — Install policy.
5. Session details — View the session name and description and publish or discard the
current session.
6. Side bar — Create and manage objects and view validation errors.
7. Management activity bar — View the current administrator logged in and the number of
changes made in the current session, Security Management Server details and additional
management activity, such as policy installation tasks.
8. Command Line — Run API commands and scripts.

The SmartConsole is organized into the following views:

- Gateways & Servers
- Security Policies
- Logs & Monitor
- Manage & Settings

Gateways & Servers View


In the Gateways & Servers view, you can manage gateways, configure blade activation, view
gateway status and perform actions on the gateways.

[Figure: Gateways & Servers view with numbered callouts]

Figure 9 — Gateways & Servers View


1. Views menu — Navigate between various pre-defined views.
2. Gateways & Servers toolbar — Create and edit gateways and clusters, run scripts, perform
backups and restores and search and filter gateways.
3. Additional Information section — View a summary of the selected gateway, tasks and
error messages and view installed software blades.


Security Policies View


Under the Security Policies view, you are able to manipulate the various security policies and
layers.

[Figure: Security Policies view with numbered callouts]

Figure 10 — Security Policies View

1. Tabs — Navigate between different policy packages.
2. Policy Package menu — Navigate between various policies within a policy package and
view and manage shared policies.
3. Security Policies toolbar — Add or delete rules, expand and collapse sections, install
policy, export the Rule Base, view the history and search and filter the Rule Base.
4. Related Tools — View and edit VPN communities, view updates, create and manage
UserCheck messages, manage client certificates, navigate to the Application Wiki or
ThreatWiki and view installation history.
5. Additional Information section — View a summary of the selected rule along with
details, logs and history.


Logs & Monitor View


The Logs & Monitor view allows you to view graphs and pivot tables in an organized
dashboard, search through logs, schedule customizable reports, and monitor gateways.

Figure 11 — Logs & Monitor View

1. Tabs — Open various event analysis views.
2. Logs toolbar — Use pre-defined and custom queries to search through logs, refresh
statistics, export search results and manage query settings.


Manage & Settings View


The Manage & Settings view allows you to manipulate various general settings.

[Figure: Manage & Settings view with numbered callout]

Figure 12 — Manage & Settings View

1. Manage & Settings menu — Navigate between the various menu options, create, edit
and manage permissions profiles and administrators, manage software blade global
settings, view sessions and revisions, manage tags and edit preferences.


SmartConsole Applications
SmartEvent (Advanced Events and Reports)
SmartEvent correlates logs and detects real security threats. It provides a centralized display of
aggregated data and potential attack patterns from perimeter devices, internal devices, Security
Gateways and third-party security devices. SmartEvent automatically prioritizes security
events for action. This automation minimizes the amount of data that needs to be reviewed,
thereby reducing the use of resources. SmartEvent is capable of managing millions of logs per
day per correlation unit in large networks. A correlation unit is used to analyze log entries and
identify events. SmartEvent is a licensed software blade and can be installed on a single server
or across multiple correlation units to reduce the network load.

SmartEvent views can be customized to monitor patterns and events that are most important to
a Security Administrator. Information can be displayed from a high level view down to a
detailed forensics analysis view. The free-text search engine is extremely effective in quickly
running data analysis and identifying critical security events.

SmartView Monitor (Tunnel & User Monitoring)


SmartView Monitor displays a complete picture of network and security performance,
allowing you to monitor changes to gateways, tunnels, remote users and security activities.
This SmartConsole application can be used in its most basic form without a license. More
advanced features, such as customized views and detailed queries, will require a license.
SmartView Monitor is discussed in greater detail in a later chapter.

SmartUpdate
SmartUpdate is used to manage licenses and packages for multi-domain servers, domain
servers, gateways and software blades. Through this client, an administrator can add licenses
to the central license repository and assign those licenses to components as necessary.
SmartUpdate can also be used to upgrade packages and install contract files. SmartUpdate is
discussed in greater detail in a later chapter.

SmartDashboard
There are a few legacy applications that must be accessed through SmartDashboard. Links to
SmartDashboard are located throughout SmartConsole and provide access to the following
applications:

- Data Loss Prevention
- Anti-Spam & Mail
- Mobile Access
- HTTPS Inspection

Deployment Platforms
Check Point appliances and open servers are two hardware options for deploying Check Point
technology.

Check Point Appliances


Check Point appliances are built with flexibility and expansion capability to meet the diverse
requirements for today’s enterprise networks. They are designed to be flexible in order to meet
throughput requirements. They also have the ability to divide into multiple, virtualized
gateways and are equipped to handle advanced Check Point software blades. Using Check
Point appliances also means a single support contract for hardware and licensing and a lower
support rate as appliance troubleshooting reduces complexity. They can be re-imaged simply
by plugging in a pre-imaged USB. Many Check Point appliances also have hot-swap
redundant components. Strong and proven, Check Point security appliances provide reliable
services for thousands of businesses worldwide.

Small Business and Branch Office Appliances


Check Point small business and branch office appliances provide
a simple, affordable and easy to deploy all-in-one solution for
delivering industry leading security. These appliances offer
robust multi-layered protection with flexible network interfaces
in a compact desktop form factor. Special features include: DSL
and Web Management.

Enterprise Network Security Appliances


Offering the best performance for its class, Check Point
Enterprise Network Security Appliances combine several
network interface options with high-performance multi-core
capabilities to deliver multi-layered security protection. With a
one rack unit (1RU) mountable form factor, the appliances are
designed to meet protection needs and match the performance
requirements of an enterprise network. Special features include:
Flexible I/O.


Data Center Security Systems


Check Point Data Center Security Appliances provide
unmatched scalability and serviceability in a compact two rack
unit to secure even the most demanding enterprise and data
center environments. With multi-core and acceleration
technologies, redundant components and superior performance,
these appliances are ideal for large enterprise and data center
networks that require high performance and flexible I/O options.
Special features include: Low latency, LOM and 40 GbE.

Chassis Systems
Check Point's Chassis-based security systems are designed to
excel in demanding data center, Telco and cloud service network
environments. These carrier-grade systems offer high reliability
and unparalleled security performance with a 6RU to 15RU form
factor that supports the dynamic needs of growing networks.
Special features include: Scalable platform and DC power.

Rugged Appliances

Check Point Rugged Appliance delivers Next Generation Threat
Prevention for Critical Infrastructure and Industrial Control
Systems. The appliance deploys Supervisory Control and Data
Acquisition (SCADA) security in harsh environments and
remote locations. It operates in extreme temperatures and
complies with industrial specifications for heat, vibration and
immunity to Electromagnetic Interference (EMI). Special
features include: Desktop or DIN mount, and AC/DC power.


Additional Check Point Appliance Solutions


Choosing the right security appliance for a specific deployment situation can be a
challenging task. However, Check Point appliance solutions are prepared to meet the
challenge. Additional appliances designed to meet even more specialized security
functions are also available, such as DDoS Protector appliances, management appliances, and
virtual systems. Leverage the Check Point Appliance Sizing Tool to select the right appliance
based on your specific environment and security needs. Check Point's Security Power™
provides an effective metric for selecting the appliance that can best meet your network
security needs for today and provide room for growth.

Open Servers
Check Point software technology can also be deployed on open servers, or non-Check Point
hardware. Open servers provide the benefit of bringing your own hardware, which provides the
ability to increase RAM, CPU, and disk space. With open servers, licensing is not hardware
dependent and can be transferred between old and new hardware. Hardware compatibility
must be approved for the device to work and be supported by Check Point. In addition, there is
no requirement to purchase all software solutions, only the necessary software blades.


Deployment Considerations
Before delving into the various deployment options for a network, consider the following
network topology:

Figure 13 — Secure Network


Each component in the network topology is distinguished by its IP address and netmask. The
combination of components and their respective IP information make up the network topology.
This network topology represents the internal network, consisting of both the Local Area
Network (LAN) and the Demilitarized Zone (DMZ), that is protected by the gateway. The
gateway must be aware of the network topology in order to correctly enforce the Security
Policy, ensure the validity of IP addresses for inbound and outbound traffic and configure a
special domain for VPNs.

It is important to take into consideration the existing network when deciding the best
deployment strategy for a Security Gateway, as installing a new gateway in an existing
network often requires reconfiguration of the routing scheme. There are three deployment
options available: Standalone, Distributed and Bridge Mode.


Standalone
In a Standalone deployment, the Security Management Server and Security Gateway are
installed on the same computer or appliance.

Item    Description
1       Standalone computer
(icon)  Security Gateway component
(icon)  Security Management Server component

Figure 14 — Standalone Deployment

Distributed
In a Distributed deployment, the Security Gateway and the Security Management Server are
installed on different computers or appliances.

Item    Description
1       Security Management Server
2       Network connection
3       Security Gateway
(icon)  Security Gateway component
(icon)  Security Management Server component

Figure 15 — Distributed Deployment


Bridge Mode
A Bridge Mode deployment adds a Security Gateway to an existing environment without
changing IP routing.

Item              Description
Switches
Security Gateway  Firewall bridging Layer-2 traffic over the one IP address, with a subnet
                  on each side using the same address.

Figure 16 — Bridge Mode Deployment


Introduction to the Gaia Operating System

Gaia is Check Point's operating system for all Check Point appliances and open servers. It
supports the full portfolio of Check Point software blade, gateway and Security Management
products. It also supports:

- IPv4 and IPv6 network protocols
- High Connection and Virtual Systems Capacity (64 bits)
- Load Sharing
- High Availability
- Dynamic and Multicast Routing

Gaia can be configured via Command Line Interface (CLI) or WebUI. For CLI-inclined users,
a shell-emulator pop-up window makes Gaia CLI more intuitive to use. The intuitive WebUI
delivers a seamless user experience for Security Administrators by integrating all management
functions into a Web-based dashboard accessible via most popular Web browsers. The built-in
search navigation delivers instant results on commands and properties.

Command Line Interface


Gaia utilizes an easy-to-use Command Line Interface (CLI) for the execution of various
commands that are structured using the same syntactic rules. CLI can be used via
SmartConsole or a web browser. An enhanced help system and auto-completion further
simplify user operation. The default shell of the CLI is called Clish. Clish is a restrictive shell
and does not provide access to advanced system and Linux functions. Expert mode allows
advanced system and Linux function access to the system, including the file system. To use the
expert shell, run expert. A password for expert mode must be set prior to running the shell.
To exit the expert shell and return to Clish, run exit.

Figure 17 — Expert and Clish shells


Command Completion
In order to save time, Gaia offers the ability to automatically complete a command using a few
keyboard buttons.

Keyboard Button     Description
TAB                 Complete or fetch the keyword.
SPACE + TAB         Show the arguments that the command for that feature accepts.
ESC ESC             Display possible command completion options.
?                   Retrieve help on a feature or keyword.
Up/Down arrows      Browse the command history.
Left/Right arrows   Edit the command.
Enter               Run a command string. The cursor does not have to be at the end of
                    the line.
Table 3: Keyboard Buttons and Descriptions

User-Defined and Extended Commands


User-defined and extended commands are managed in Clish. Role-based administration can be
used with extended commands by assigning those commands to roles and then assigning those
roles to users or user groups.

Parameter     Description
command       Name of the extended command.
path          Path of the extended command.
description   Description of the extended command.
Table 4: Extended Command Parameters and Description

To show all extended commands:


show extended commands

To show the path and description of a specified extended command:

show command VALUE

To add an extended command:


add command VALUE path VALUE description VALUE


To delete an extended command:

delete command VALUE

Obtaining a Configuration Lock

Only one user can have Read/Write access to Gaia configuration settings at a time. All other
users can only log in with Read-Only access to view configuration settings, as specified by
their assigned roles. For example, AdminA logs in and no other user has Read/Write access.
AdminA receives an exclusive configuration lock with Read/Write access. If AdminA logs in
and AdminB already has the configuration lock, AdminA has the option to override AdminB's
lock. If AdminA decides to override the lock, AdminB stays logged in but will have Read-
Only access. If AdminA decides not to override the lock, they will only be granted Read-Only
access.

There are two commands used to obtain the configuration lock from another administrator:
lock database override and unlock database.

NOTE
The administrator whose Read/Write access is revoked does not receive
notification.


WebUI
The WebUI is an advanced, web-based interface used to configure Gaia platforms. It provides
clientless access to the Gaia CLI directly from a browser. A majority of system configuration
tasks can be done through the WebUI. To access the WebUI, navigate to: https://<Device IP
Address>. Log in with a user name and password. The following browsers support the WebUI:

- Internet Explorer
- Firefox
- Chrome
- Safari

The WebUI operates in the following two modes:

- Simplified — Shows only basic configuration options.
- Advanced — Shows all configuration options.

[Figure: WebUI System Overview page]

Figure 18 — WebUI


System Overview Page


The System Overview page displays an overview of the system in various widgets. These
widgets can be added or removed from the page, moved around the page and minimized or
expanded. The following widgets are available:

- System Overview — Provides system information, including the installed product,
product version number, kernel build, product build, edition (32 bit or 64 bit), platform
on which Gaia is installed and computer serial number (if applicable).
- Blades — Displays a list of installed software blades. Those that are enabled are
colored. Those that are not enabled are grayed out.
- Network Configuration — Displays interfaces, their status and IP addresses.
- Memory Monitor — Provides a graphical display of memory usage.
- CPU Monitor — Provides a graphical display of CPU usage.

Navigation Tree
The Navigation tree is used to select a page within the WebUI. Pages are arranged in logical
feature groups. There are two viewing modes:

- Basic — Shows some standard pages.
- Advanced (Default) — Shows all pages.

To change the view mode, click View Mode and select a mode from the list. To hide the
Navigation tree, click the Hide icon.

Toolbar
The toolbar displays whether the user has Read/Write access or is in Read-Only mode. It is
also used to open the Console accessory for CLI commands and open the Scratch Pad
accessory, which is used for writing notes.

NOTE
The Console and Scratch Pad accessories are available in Read/Write mode
only.

Search Tool
The Search tool is used to find an applicable configuration page by entering a keyword, which
can be a feature, a configuration parameter or a word related to a configuration page.

Status Bar
The Status bar displays the result of the last configuration operation. To view a history of the
configuration operations during the current session, click the Expand icon.

Configuration Tab

Under the Configuration tab, a user may view and configure parameters for Gaia features and
settings groups. The parameters are organized into functional settings groups in the navigation
tree.

NOTE
Read/Write access is required to configure parameters for a settings group.

Monitoring Tab
The Monitoring tab allows a user to view status and detailed operational statistics, in real time,
for some routing and High Availability settings groups. This ability is useful for monitoring
dynamic routing and VRRP cluster performance.

Configuration Lock

To override a configuration lock in the WebUI, click the small lock icon in the toolbar. The
pencil icon, which indicates Read/Write access is enabled, will replace the lock icon.

NOTE
Only users with read/write access privileges can override a configuration
lock.


Users
The WebUI and CLI can be used to manage user accounts and perform the following actions:

- Add users to your Gaia system.
- Edit the home directory of the user.
- Edit the default shell for a user.
- Assign a password to a user.
- Assign privileges to users.

[Figure: WebUI Users page listing the default admin (adminRole) and monitor (monitorRole) users]

Figure 19 — WebUI Users Page


There are two default users that cannot be deleted. The Admin has full Read/Write access for
all Gaia features. This user has a User ID of 0 and therefore has all of the privileges of a root
user. The Monitor has Read-Only access for all features in the WebUI and the CLI and can
change their own password. An Admin must provide a password for the Monitor before the
Monitor user account can be used.


New users have Read-Only privileges to the WebUI and CLI by default. They must be
assigned one or more roles before they can log in.

NOTE
Permissions can be assigned to all Gaia features or a subset of the features
without assigning a user ID of 0. If a user ID of 0 is assigned to a user
account (this can only be done in the CLI), the user is equivalent to the
Admin user and the roles assigned to that user cannot be modified.

Roles and Role-based Administration

Role-based administration enables Gaia administrators to create different roles. Administrators
can allow users to access features by adding those functions to the user's role definition. Each
role can include a combination of Read/Write access to some features, Read-Only access to
other features and no access to other features.

[Figure: WebUI Roles page listing roles such as adminRole and monitorRole with their features, commands and assigned users]

Figure 20 — WebUI Roles Page


When a user is created, predefined roles, or privileges, are assigned to the user. For example, a
user with Read/Write access to the Users feature can change the password of another user or an
Admin user. It is also possible to specify which access mechanisms, the WebUI or CLI, are
available to the user.

When users log in to the WebUI, they see only those features for which they have Read-Only
or Read/Write access. If they have Read-Only access to a feature, they can see the settings
pages but cannot change the settings.


To remove access mechanism (WebUI or CLI) permissions for a specified user:

delete rba user <User Name> access-mechanisms [Web-UI | CLI]

Parameter                  Description
Role <name>                Role name as a character string that contains letters, numbers or
                           the underscore (_) character.
Domain-type System         Reserved for future use.
readonly-features <List>   Comma separated list of Gaia features that have Read-Only
                           permissions in the specified role. You can add Read-Only and
                           Read/Write feature lists in the same command.
readwrite-features <List>  Comma separated list of Gaia features that have Read/Write
                           permissions in the specified role. You can add Read-Only and
                           Read/Write feature lists in the same command.
user <User name>           User to which access mechanism permissions and roles are
                           assigned.
roles <List>               Comma separated list of role names that are assigned to or
                           removed from the specified user.
access-mechanisms          Defines the access mechanisms that users can work with to
                           manage Gaia. You can only specify one access mechanism at a
                           time with this command.
Table 5: User and Role Parameters and Descriptions

For example:

add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag
add rba user Paul access-mechanisms CLI,WebUI
add rba user Daly roles NewRole,adminRole
delete rba role NewRole
delete rba user Daly roles adminRole
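To see what the command sequence above actually leaves behind, here is an added Python model of Gaia role-based administration (example code, not Check Point's). It parses `add rba` / `delete rba` lines of the form shown in the text and reports each user's effective permission per feature; it assumes that permissions from several roles combine with Read/Write winning over Read-Only, that a role deleted while still assigned grants nothing, and that the two default users hold adminRole and monitorRole over every feature.

```python
"""Role-based administration as described above, as an added Python model (not
Check Point code).  It parses `add rba` / `delete rba` command lines of the form
shown in the text into roles and users, then answers "what may this user do with
feature X?".  Assumptions: permissions from several roles combine with Read/Write
winning over Read-Only, a role deleted while still assigned grants nothing, and
the two default users hold adminRole / monitorRole over every feature."""
from typing import Dict, List, Set

RW, RO, NONE = "Read/Write", "Read-Only", "No access"

# The example command sequence from the text, used here as the constructed input.
EXAMPLE_COMMANDS = """
add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag
add rba user Paul access-mechanisms CLI,WebUI
add rba user Daly roles NewRole,adminRole
delete rba role NewRole
delete rba user Daly roles adminRole
"""


class RbaModel:
    def __init__(self) -> None:
        # role -> {feature: level}; "*" stands for every Gaia feature (assumed for the defaults)
        self.roles: Dict[str, Dict[str, str]] = {"adminRole": {"*": RW}, "monitorRole": {"*": RO}}
        self.user_roles: Dict[str, Set[str]] = {"admin": {"adminRole"}, "monitor": {"monitorRole"}}
        self.user_access: Dict[str, Set[str]] = {}  # user -> {"CLI", "WebUI"}
        self.warnings: List[str] = []

    def apply(self, line: str) -> None:
        """Apply one `add|delete rba role|user <name> [param value]...` command."""
        verb, _rba, kind, name, *params = line.split()
        kv = dict(zip(params[::2], params[1::2]))  # e.g. {"readonly-features": "vpn,ospf,rba"}

        def split(key: str) -> Set[str]:
            return set(kv.get(key, "").split(",")) - {""}

        if kind == "role" and verb == "add":
            role = self.roles.setdefault(name, {})
            role.update({f: RO for f in split("readonly-features")})
            role.update({f: RW for f in split("readwrite-features")})
        elif kind == "role" and verb == "delete":
            self.roles.pop(name, None)
            holders = sorted(u for u, rs in self.user_roles.items() if name in rs)
            if holders:  # the assignment survives on the user but now grants nothing
                self.warnings.append(f"role {name} deleted while assigned to {', '.join(holders)}")
        elif kind == "user" and verb == "add":
            self.user_roles.setdefault(name, set()).update(split("roles"))
            self.user_access.setdefault(name, set()).update(split("access-mechanisms"))
        elif kind == "user" and verb == "delete":
            self.user_roles.get(name, set()).difference_update(split("roles"))
            self.user_access.get(name, set()).difference_update(split("access-mechanisms"))

    def permission(self, user: str, feature: str) -> str:
        """Effective level for one feature across all of the user's roles."""
        levels = set()
        for role in self.user_roles.get(user, set()):
            grants = self.roles.get(role, {})
            levels.add(grants.get(feature, grants.get("*")))
        return RW if RW in levels else RO if RO in levels else NONE


def run(commands: str) -> RbaModel:
    """Apply a block of clish-style lines in order and return the resulting state."""
    model = RbaModel()
    for line in commands.strip().splitlines():
        model.apply(line)
    return model


if __name__ == "__main__":
    m = run(EXAMPLE_COMMANDS)
    for user in ("admin", "monitor", "Paul", "Daly"):
        print(user, {f: m.permission(user, f) for f in ("vpn", "rba", "tag")},
              m.user_access.get(user, set()))
    print(*m.warnings, sep="\n")
```

Running the text's own sequence shows that Daly ends up holding only the deleted NewRole, so the user can no longer do anything, and the model flags the deletion of a role that was still assigned.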


Updates
Gaia provides the ability to directly receive updates for licensed Check Point products. With
the Check Point Upgrade Service Engine (CPUSE), you can automatically update Check Point
products for the Gaia operating system and the Gaia operating system itself. Updates can be
downloaded automatically, manually or periodically and installed manually or periodically.

Figure 22 — Gaia Software Updates Policy Page

Hotfixes are downloaded and installed automatically by default; however, full installation and
upgrade packages must be installed manually. Email notifications are sent for newly available
updates, downloads and installations. It is also possible to roll back from a new update.


Review Questions
1. What are the three mechanisms for controlling network traffic?

2. What role does SmartConsole play in Check Point’s Security Management Architecture?

3. What are the two hardware options for deploying Check Point technology?

4. Describe the Command Line Interface.


Chapter 2: Security Policy Management

Managing the Security Policy for a large network can quickly become a resource—intensive
task. To help manage the network Security Policy, it is important to know the components
of a Security Policy and how they impact traffic inspection. In this chapter, you will also
learn about many SmartConsole features and capabilities that enhance the management of
the Security Policy.

Learning Objectives

- Describe the essential elements of a Security Policy.
- Understand how traffic inspection takes place in a unified Security Policy.
- Summarize how administration roles and permissions assist in managing policy.
- Recall how to implement Check Point backup techniques.

Introduction to the Security Policy

The Security Policy is a key component in securing and managing any corporate network, no
matter how large or small. It sets the plans and processes for protecting an organization’s
information and physical assets. A Security Policy is a collection of objects, settings and rules
that controls network traffic and enforces organizational guidelines for data protection and access
to resources through packet inspection. It defines rules for such things as how network resources
can be accessed and who can access them, how data security measures are enforced and how
communication occurs within the network.

Rules
A Security Policy consists of a set of rules that define network security using a Rule Base.
Once a Rule Base is defined, the Security Policy can be distributed to all Security Gateways
across a network. Rules are composed of network objects such as gateways, hosts, networks,
routers and domains, and specify the source, destination, service and action to be taken for
each session. A basic rule consists of the following information:

- Rule number
- Name of the rule
- Source
- Destination
- Whether or not VPN will be used
- Services & Applications
- Action to take if the session criteria matches
- If and how the rule activity should be tracked
- Which Firewall object(s) will enforce the rule
- The time period for the rule


Default Rule
A Default rule is added when you add a rule to the Rule Base. These rules are configured using
all objects, services and users installed on your database. The Default rule is defined with the
following information:

- No. — Defines the number order of each rule; the first rule in the Rule Base is 1.
- Hits — Tracks the number of connections each rule matches on this gateway.
- Name — Gives administrators a space to name the rule, helping to annotate the Rule
Base; by default, it is blank.
- Source — Displays the Object Manager screen, where you can select network objects
or a group of users to add to the Rule Base; the default is Any.
- Destination — Displays the Object Manager screen, where you can select resource
objects to add to the rule; the default is Any.
- VPN — Displays the Add Objects VPN Communities screen, where you can select a
VPN Community to add to the rule; the default is Any Traffic.
- Services & Applications — Displays the Service Manager screen, where you can
select services to add to the rule; the default is Any.
- Action — Accepts, drops or rejects the session; provides authentication and
encryption; the default is Drop.
- Track — Defines logging or alerting for this rule; the default is None. The options are:
Account, Alert, Log, Mail, None, SNMP Trap, and UserDefined.
- Install On — Specifies which Firewalled objects will enforce the rule; the default is
Policy Targets, which means all internal Firewalled objects.
- Time — Specifies the time period for the rule; the default is Any.
- Comment — Allows administrators to add notes about this rule; the default is a blank
comment field.
Figure 23 — Default Rule


Objects
In SmartConsole, objects are used to represent physical and virtual network components, such
as gateways, servers and users, as well as logical components. Logical components include IP
address ranges and dynamic objects. Objects are divided into the following categories:
Category                 Object Types
Network Object           Gateways, hosts, networks, address ranges, dynamic objects, security
                         zones, inter-operable devices, domains, and logical servers
Service                  Protocols, protocol groups
Custom Application/Site  Applications, user categories, URL categorizations
VPN Community            Site-to-site or remote access VPNs
User                     Users, user groups, user templates
Server                   Trusted Certificate Authorities, RADIUS, TACACS, OPSEC servers
Resource                 URI, SMTP, FTP, TCP, CIFS
Time Object              Time, time group, bandwidth limit on upload and download rates
UserCheck Interactions   Message windows (Ask, Cancel, Certificate template, Inform and Drop)
Limit                    Download and upload bandwidth
Table 6: Object Categories

Creating Objects
Objects are created by the System Administrator to represent actual hosts, devices and
intangible components such as services (HTTP and TELNET) and resources (URI and FTP).
Each component has a corresponding object that represents it. Once these objects are created,
they can be used in the rules of the Security Policy. Objects are the building blocks of Security
Policy rules and are stored in the Objects database on the Security Management Server.


When creating objects, the System Administrator must consider the needs of the organization.

- What are the physical and logical components that make up the organization? Each
component that accesses the Security Gateway most likely needs to be defined.
- What components will access the Firewall?
- Who are the users and how should they be grouped?
- Who are the administrators and what are their roles?
- Will VPN be used? If so, will it allow remote users? VPN will be discussed in greater
detail in a later chapter.

Objects Management
System Administrators can add, edit, delete and clone objects. A clone is a copy of the original
object with a different name. An object in the Security Policy can also be replaced by another
object. The Object Explorer window in SmartConsole allows you to create new objects and
edit existing objects. From this window, you can browse objects by categories or search for a
particular object using keywords or tags. A tag is a keyword or label assigned to an object or
group of objects.

Figure 24 — Object Explorer Window


Anti-Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a
packet’s IP address. This alteration makes it appear as though the packet originated in the part
of a network with higher access privileges. The Security Gateway has a sophisticated Anti-
Spoofing feature that detects such packets by requiring that the interface on which a packet
enters a gateway corresponds to its IP address. Anti-Spoofing is an object setting that, when
configured, affects the Security Policy.

Anti-Spoofing verifies that packets are coming from, and going to, the correct interfaces on a
gateway. Anti-Spoofing confirms that packets claiming to be from the internal network are
actually coming from the internal network interface. For example, if a packet from an external
network has an internal IP address, Anti-Spoofing blocks that packet. It also verifies that once
a packet is routed, it is going through the proper interface.

Figure 25 — Anti-Spoofing

Configuring Anti-Spoofing

To properly configure Anti-Spoofing, networks that are reachable from an interface need to be
defined appropriately. Configure all the static routes, including the default route, before
configuring or getting the topology for a Security Gateway. For Anti-Spoofing to be most
effective, it should be configured on all gateway interfaces. If Anti-Spoofing is implemented
on a specific interface, spoof tracking for that interface should also be defined. This will help
with both intrusion detection and troubleshooting.

To activate Anti-Spoofing, configure the Firewalled-interface properties. The Topology tab of
the Interface Properties window allows you to configure Anti-Spoofing properties of a
gateway.
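The two checks described above (source must be legitimate for the arriving interface; destination must fit the egress interface's topology), as an added Python model that is not Check Point code. Interface names, networks, the static route table, the Spoof Tracking settings and the sample packets are all constructed; the route for 10.2.0.0/16 deliberately has no matching topology entry to show why the text insists on defining static routes before the topology.

```python
"""Anti-Spoofing as described above, as an added Python model (not Check Point
code).  Each interface carries its topology ("Leads To": External, or the internal
networks behind it) and a Spoof Tracking setting; a static route table picks the
egress interface.  A packet passes only if its source lies behind the interface it
arrived on AND its destination lies in the topology of the interface it is routed
out of.  Interface names, networks, routes and packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    external: bool = False                                     # Leads To: Internet (External)
    networks: List[IPv4Network] = field(default_factory=list)  # Leads To: This Network (Internal)
    spoof_tracking: str = "Log"                                # Spoof Tracking: None, Log or Alert


class AntiSpoofingGateway:
    def __init__(self, interfaces: List[Interface], routes: List[Tuple[str, str]]):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        # Static routes as (prefix, egress interface); "0.0.0.0/0" is the default route.
        self.routes = [(ip_network(prefix), self.ifaces[name]) for prefix, name in routes]
        self.events: List[str] = []  # what Spoof Tracking would log or alert on

    def _internal_nets(self) -> List[IPv4Network]:
        return [n for i in self.ifaces.values() if not i.external for n in i.networks]

    def _in_topology(self, iface: Interface, addr: IPv4Address) -> bool:
        """Is addr among the addresses that 'Leads To' says lie behind iface?"""
        if iface.external:
            # The external side is "everything that is not one of my internal networks".
            return not any(addr in n for n in self._internal_nets())
        return any(addr in n for n in iface.networks)

    def _route(self, dst: IPv4Address) -> Optional[Interface]:
        """Longest-prefix match over the static routes, as the OS routing table does."""
        hits = [(net, iface) for net, iface in self.routes if dst in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def _spoof(self, iface: Interface, reason: str) -> str:
        if iface.spoof_tracking != "None":
            self.events.append(f"[{iface.spoof_tracking}] {iface.name}: {reason}")
        return "Drop (Anti-Spoofing)"

    def inspect(self, ingress: str, src: str, dst: str) -> str:
        """Run both Anti-Spoofing checks before the packet reaches the Rule Base."""
        iface, src_ip, dst_ip = self.ifaces[ingress], ip_address(src), ip_address(dst)
        # Check 1: the source address must be legitimate for the arriving interface.
        if not self._in_topology(iface, src_ip):
            return self._spoof(iface, f"source {src} is not behind {ingress}")
        # Check 2: once routed, the destination must fit the egress interface's topology.
        egress = self._route(dst_ip)
        if egress is None:
            return "Drop (no route)"
        if not self._in_topology(egress, dst_ip):
            return self._spoof(egress, f"destination {dst} is not in the topology of {egress.name}")
        return "Pass to Rule Base"


def build_gateway() -> AntiSpoofingGateway:
    """Constructed three-legged gateway: Internet on eth0, LAN on eth1, DMZ on eth2."""
    return AntiSpoofingGateway(
        interfaces=[
            Interface("eth0", external=True, spoof_tracking="Alert"),
            Interface("eth1", networks=[ip_network("10.1.0.0/16")]),
            Interface("eth2", networks=[ip_network("192.168.50.0/24")]),
        ],
        routes=[("10.1.0.0/16", "eth1"), ("192.168.50.0/24", "eth2"),
                # A route the topology does not know about: the text's advice to set all
                # static routes BEFORE defining or fetching the topology avoids this gap.
                ("10.2.0.0/16", "eth1"),
                ("0.0.0.0/0", "eth0")],
    )


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.inspect("eth1", "10.1.5.20", "8.8.8.8"))        # legitimate LAN -> Internet
    print(gw.inspect("eth0", "10.1.5.20", "192.168.50.10"))  # internal source arriving from outside
    print(gw.inspect("eth2", "10.1.5.20", "8.8.8.8"))        # LAN address on the DMZ leg
    print(gw.inspect("eth1", "10.1.5.20", "10.2.3.4"))       # route exists, topology does not
    print(*gw.events, sep="\n")
```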

The Rule Base

The Rule Base is a collection of individual rules which builds the Security Policy. Each rule in
a Rule Base defines the packets that match the rule based on source, destination, service, and
the time the packet is inspected. The first rule that matches a packet is applied, and the
specified Action is taken. The communication may be logged and/or an alert may be issued,
depending on what has been entered in the Track field. The fundamental concept of the Rule
Base is “a connection that is not explicitly allowed is denied”.

Cleanup and Stealth Rules

There are two basic rules that Check Point recommends for building an effective Security
Policy: the Cleanup rule and the Stealth rule. Both the Cleanup and Stealth rules are important
for creating basic security measures and tracking important information.

1. Cleanup Rule — The Security Gateway follows the principle, “That which is not
expressly permitted is prohibited”. Security Gateways drop all communication attempts
that do not match a rule. The only way to monitor the dropped packets is to create a
Cleanup rule that logs all dropped traffic. The Cleanup rule, also known as the “None of
the Above” rule, drops all communication not described by any other rules and allows you
to specify logging for everything being dropped by this rule.
2. Stealth Rule — To prevent any users from connecting directly to the Security Gateway,
add a Stealth rule to your Rule Base. The Security Gateway becomes invisible to users on
the network.

In most cases, the Stealth rule should be placed above all other rules. Placing the Stealth rule at
the top of the Rule Base protects the gateway from port scanning, spoofing, and other types of
direct attacks. Connections that need to be made directly to the gateway, such as Client
Authentication, encryption and Content Vectoring Protocol (CVP) rules, always go above the
Stealth rule.

Figure 26 — Cleanup and Stealth Rules


Explicit and Implicit Rules

The Security Management Server creates Explicit rules and Implicit rules. Explicit rules are
created in the Rule Base by the administrator. Explicit rules are configured to allow or block
traffic based on specified criteria. The Cleanup rule is a default Explicit rule.

Implicit rules are defined by the Security Gateway to allow certain connections to and from the
Security Gateway. Implicit rules are not visible in the Rule Base. The Security Management
Server enforces two types of Implicit rules that enable Control Connections and Outgoing
Packets.

Control Connections
The Security Gateway creates a group of Implicit rules that it places first, last, or before last in
the explicitly defined Rule Base. These first Implicit rules are based on the Accept Control
Connections setting on the Global Properties window. The Security Gateway anticipates other
possible connections relating to gateway communication and creates Implicit rules for those
scenarios.

There are three types of Control Connections defined by Implicit rules:

- Gateway specific traffic that facilitates functionality, such as logging, management and
key exchange.
- Acceptance of Internet Key Exchange (IKE) and Remote Desktop Protocol (RDP)
traffic for communication and encryption purposes.
- Communication with various types of servers, such as RADIUS, CVP, UFP, TACACS,
LDAP and Logical Servers, even if these servers are not specifically defined resources
in your Security Policy.

Implied Rules

Implied rules are generated in the Rule Base as a part of the Global Properties and cannot be
edited. They are configured to allow connections for different services that the Security
Gateway uses, such as connecting to RADIUS authentication servers and sending logs from
the Security Gateway to the Security Management Server. Some Implied rules are enabled by
default. To configure their position in the Rule Base, check the properties enforced in the
Firewall Implied Rules screen then choose a position in the Rule Base for the Implied rule.

- First — first in the Rule Base
- Before Last — before the last rule in the Rule Base
- Last — last rule in the Rule Base


Additional Rule Types

The following table describes other rules that may be used.

Rule                  Description
Critical Subnet       Traffic from the internal network to the specified resources is logged.
                      This rule defines three subnets as critical resources: Finance, HR and
                      RnD.
Tech Support          Allows the Technical Support server to access the Remote-1 web server,
                      which is behind the Remote-1 Security Gateway. Only HTTP traffic is
                      allowed. When a packet matches the Tech Support rule, the Alert action
                      is executed.
DNS Server            Allows UDP traffic to the external DNS server. Traffic is not logged.
Mail and Web Servers  Allows incoming traffic to the mail and web servers that are located in
                      the DMZ. HTTP, HTTPS and SMTP traffic is allowed.
SMTP                  Allows outgoing SMTP connections to the mail server. Does not allow
                      SMTP connections to the internal network, to protect against a
                      compromised mail server.
DMZ and Internet      Allows traffic from the internal network to the DMZ and Internet.
Table 7: Additional Rules

Rule Base Management

As a network infrastructure grows, so will the Rule Base created to manage the network’s
traffic. If not managed properly, Rule Base order can affect Security Gateway performance and
negatively impact traffic on the protected networks. Here are some general guidelines to help
you manage your Rule Base effectively.

Before creating a Rule Base, answer the following questions:

- Which objects are in the network? Examples include gateways, hosts, networks,
routers, and domains.
- Which user permissions and authentication schemes are needed?
- Which services, including customized services and sessions, are allowed across the
network?


As you formulate the Rule Base for your Security Policy, these tips are useful to consider:

- The policy is enforced from top to bottom.
- Place the most restrictive rules at the top of the policy, then proceed with the
generalized rules further down the Rule Base. If more permissive rules are located at
the top, the restrictive rules may not be used properly. This allows misuse or intrusion,
due to improper rule configuration.
- Keep it simple. Grouping objects or combining rules makes for visual clarity and
simplifies debugging. If more than 50 rules are used, the Security Policy becomes hard
to manage and Security Administrators may have difficulty determining how rules
interact.
- Add a Stealth rule and Cleanup rule first. Using an Explicit Drop Rule is recommended
for logging purposes.
- Limit the use of the Reject action in rules. If a rule is configured to reject, a message is
returned to the source address, informing that the connection is not permitted.
- Use section titles to group similar rules according to their function. For example, rules
controlling access to a DMZ should be placed together. Rules allowing internal network
access to the Internet should be placed together. This makes it easier to locate rules and
modify the Rule Base.
- Add a comment to each rule. Comments ease troubleshooting and explain why rules
exist. This is particularly important when the Security Policy is managed by multiple
administrators. In addition, this Comment option is available when saving database
versions. See the Database Revision Control section in this chapter.
- For efficiency, the most frequently used rules are placed above less frequently used
rules. This must be done carefully to ensure a general accept rule is not placed before a
specific drop rule.


Understanding Rule Base Order

Before you can define Security Policy properties, you must consider Rule Base order. The
Security Gateway inspects packets by comparing them to the Security Policy, one rule at a
time. For this reason, it is important to define each rule in the Security Policy in the appropriate
order. Firewall Implied rules are placed first, last or before last in the Rule Base and can be
logged. Rules are processed in the following order:

1. First — This rule cannot be modified, moved or overwritten in the Rule Base. No rules
can be placed before it. Implied rules are processed before administrator explicitly defined
rules.
2. Explicit — These are the administrator defined rules, which may be located between the
first and the before last rules.
3. Before Last — These are more specific Implied rules enforced before the last rule is
applied.
4. Last — This rule is enforced after the last rule, the Cleanup rule, in the Rule Base.
5. Implicit Drop Rule — No logging occurs.

NOTE
It is recommended to create a final Cleanup rule that matches all
connections and drops them. If the Cleanup rule is the last Explicit rule, the
last Implied rule and Implied Drop rule are not enforced.
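The enforcement order above, the first-match principle of the Rule Base, and two of the Rule Base Management tips (a general Accept rule shadowing a more specific Drop; Stealth and Cleanup placement) as an added Python model that is not Check Point code. The object names, services and rules are constructed; the model assumes that a Cleanup rule is recognised by Any/Any/Any with action Drop and a Stealth rule by a Drop whose destination is only the gateway object.

```python
"""Rule Base order as described above, as an added Python model (not Check Point
code): Implied rules at First / Before Last / Last around the Explicit rules,
first-match evaluation ending in the unlogged Implicit Drop, and two checks from
the management tips (shadowed rules; Stealth and Cleanup placement).  Constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

ANY = "Any"
Field = Union[str, FrozenSet[str]]  # either "Any" or a set of object names


@dataclass(frozen=True)
class Rule:
    name: str
    src: Field
    dst: Field
    service: Field
    action: str                 # Accept, Drop or Reject
    track: str = "None"         # None, Log, Alert, ...
    position: str = "Explicit"  # Implied rules use "First", "Before Last" or "Last"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return all(f == ANY or v in f for f, v in
                   ((self.src, src), (self.dst, dst), (self.service, service)))


def covers(wide: Field, narrow: Field) -> bool:
    # True when everything `narrow` can match is also matched by `wide`.
    return wide == ANY or (narrow != ANY and narrow <= wide)


class RuleBase:
    def __init__(self, implied: List[Rule], explicit: List[Rule]):
        def at(pos: str) -> List[Rule]:
            return [r for r in implied if r.position == pos]
        # Order: First, Explicit rules, Before Last, last Explicit rule (normally Cleanup), Last.
        self.explicit = explicit
        self.rules = at("First") + explicit[:-1] + at("Before Last") + explicit[-1:] + at("Last")

    def evaluate(self, src: str, dst: str, service: str) -> Tuple[str, str, bool]:
        """First match wins; returns (rule name, action, whether it was logged)."""
        for rule in self.rules:
            if rule.matches(src, dst, service):
                return rule.name, rule.action, rule.track != "None"
        return "Implicit Drop", "Drop", False  # nothing matched: dropped, never logged

    def shadowed(self) -> List[Tuple[str, str]]:
        """(earlier, later) pairs where the later rule can never be reached."""
        found = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if all(covers(getattr(earlier, f), getattr(later, f))
                       for f in ("src", "dst", "service")):
                    found.append((earlier.name, later.name))
                    break
        return found

    def placement_warnings(self, gateways: FrozenSet[str]) -> List[str]:
        """Stealth rule present with nothing permissive above it; Cleanup last and logged."""
        warnings = []
        stealth = next((i for i, r in enumerate(self.explicit)
                        if r.action == "Drop" and r.dst != ANY and r.dst <= gateways), None)
        if stealth is None:
            warnings.append("no Stealth rule")
        else:  # only gateway-specific rules (e.g. management access) belong above Stealth
            for r in self.explicit[:stealth]:
                if r.action == "Accept" and r.src == ANY and covers(r.dst, gateways):
                    warnings.append(f"'{r.name}' lets any source reach the gateway above Stealth")
        last = self.explicit[-1]
        if not (last.action == "Drop" and last.src == last.dst == last.service == ANY):
            warnings.append("last Explicit rule is not a Cleanup rule")
        elif last.track == "None":
            warnings.append("Cleanup rule does not log dropped traffic")
        return warnings


def build_sample(with_cleanup: bool = True) -> RuleBase:
    """Constructed policy for one gateway object, Corporate-GW."""
    gw, lan, fin = frozenset({"Corporate-GW"}), frozenset({"Internal-Net"}), frozenset({"Finance-Net"})
    implied = [Rule("Accept Control Connections", ANY, gw, frozenset({"CPD", "FW1_log"}),
                    "Accept", position="First"),
               Rule("Accept ICMP requests", ANY, ANY, frozenset({"icmp"}), "Accept",
                    position="Before Last")]
    explicit = [Rule("Stealth", ANY, gw, ANY, "Drop", track="Log"),
                # A general Accept placed above a more specific Drop: the tips warn against this.
                Rule("Web Out", lan | fin, ANY, frozenset({"http", "https"}), "Accept", track="Log"),
                Rule("Block Finance Web", fin, ANY, frozenset({"http"}), "Drop", track="Alert")]
    if with_cleanup:
        explicit.append(Rule("Cleanup", ANY, ANY, ANY, "Drop", track="Log"))
    return RuleBase(implied, explicit)


if __name__ == "__main__":
    rb = build_sample()
    for conn in [("Internal-Net", "Corporate-GW", "ssh"), ("Finance-Net", "Internet", "http"),
                 ("Internet", "Internal-Net", "smtp")]:
        print(conn, "->", rb.evaluate(*conn))
    print("shadowed:", rb.shadowed())
    print("no-Cleanup warnings:", build_sample(False).placement_warnings(frozenset({"Corporate-GW"})))
```

With the Cleanup rule in place every unmatched connection is logged by it, and the Last Implied rules and the Implicit Drop are never reached, exactly as the NOTE states; without it the same connection falls through to the unlogged Implicit Drop.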

Completing the Rule Base

When you have defined the desired rules, you must install the Security Policy. The installation
process specifies the network object on which the Security Policy is installed. Only managed
objects are available for policy installation. In contrast, the Install On element in the Rule Base
specifies the network object that is to enforce a specific rule.

There are times when verifying a Security Policy is useful to System Administrators. By
verifying a Security Policy, you check that rules are consistent and there are no redundant rules
before Security Policy installation.


Global Properties
The Security Policy encompasses more than a set of rules and objects. It also includes
numerous settings which are primarily configured as Global Properties. These settings apply to
a variety of Check Point products, services and functions, such as the Firewall, VPN and
Reporting Tools. Settings configured as Global Properties are enforced by all Security
Gateways managed by the Security Management Server. For example, logging Implied rules,
enabling Hit Count, and defining advanced VPN functions are all settings that are applied as
Global Properties. To configure settings, select Global Properties from the SmartConsole
menu.

Figure 27 — Global Properties Window


Sections
When managing a large network, it can be helpful to divide the policy into smaller sections.
These sections are simple visual divisions of the Rule Base and do not hinder the order of rule
enforcement. Use section titles to more easily navigate between large rule bases. Section titles
are not sent to the gateway side.

Figure 28 — Policy Sections

Publish Policy
Newly created Security Policies and changes made to an existing Rule Base must be published
on the Security Management Server before the policy can be installed and enforced on the
Security Gateway. Publishing changes is not the same as saving changes. Saving changes made
during a session in SmartConsole creates a draft of the edited policy on the Security
Management Server. Changes are not updated to the policy when viewed in SmartConsole.
Policy cannot be installed if the changes are not published. Publishing actually updates the
policy on the Security Management Server and/or Log Server and makes the changes visible in
SmartConsole. Many organizations amend policy regularly but only publish policy during a
change window. To publish policy, simply click the Publish button located at the top of the
SmartConsole window. A pop-up window will appear. Click the Publish button to make the
changes visible to all and update the policy. Select the Don’t show again checkbox to
eliminate this step when publishing policy.

Figure 29 — Publish Policy


Policy Packages
A policy package is a group of different types of policies that are installed together on the same
installation targets. After installation, the Security Gateway enforces all of the policies in the
package. Some circumstances require multiple versions of a Security Policy, yet the Objects
database needs to stay the same. Often this will occur when adding or consolidating rules in an
existing Rule Base or when creating a new set of rules on a Security Gateway. In these
instances, using policy packages is better than creating multiple versions of the system
database. Predefined installation targets allow each policy package to be associated with the
appropriate set of gateways, thereby eliminating the need to repeat the gateway selection
process each time you install the package.

Policy Types
SmartConsole uses tabs to make it easy and convenient to navigate between and work within
multiple policy packages. There are four policy types available for each policy package:

- Access Control
- QoS
- Desktop Security
- Threat Prevention

Figure 30 — New Policy Window — General Tab


Access Control
The Access Control policy package consists of these types of rules:

- Firewall
- Application Control and URL Filtering
- NAT
- Data Awareness

Quality of Service
Quality of Service (QoS) is Check Point’s policy-based bandwidth management solution,
which allows for prioritizing critical traffic, such as ERP, Voice over IP (VoIP), database and
Web services traffic, over less time-critical traffic. When integrated with the Security Gateway,
QoS optimizes performance for VPN and unencrypted traffic. QoS policy rules are similar to
Firewall rules; however, their primary purpose is to enforce bandwidth and traffic control rules.
The QoS policy type is only available when at least one of the gateways has QoS enabled.

Desktop Security

The Desktop Security policy is the Firewall policy for endpoint computers that have an
Endpoint Security VPN remote access client installed as a standalone client. When a remote
user connects to the corporate network, the VPN-enabled Security Gateway verifies whether
the latest desktop Security Policy has been installed on the remote client. The Desktop Security
policy type is available if at least one Security Gateway already enforces Desktop Security
rules.

Threat Prevention

The Threat Prevention policy rules accompany the Threat Prevention software blades. These
rules are in place to defend against network malware infections. Threat Prevention policy
packages consist of the following policy types:

- IPS
- Anti-Bot
- Antivirus
- Threat Emulation


The Threat Prevention policy has its own Exceptions section. This section allows an
administrator to create global exceptions and exception groups. A global exception is an
exception applied to the entire Threat Prevention policy. An exception group contains multiple
exception rules. Exception groups can be manually attached to a rule, automatically attached to
each rule with a particular profile or automatically attached to all rules. These exception
groups can be assigned to one or more rules in the Threat Prevention policy Rule Base.

Unified Policies
One innovative feature of SmartConsole is the concept of the unified policy, which allows an
administrator to control several security aspects from a single console. A unified policy is the
combination of Access Control, QoS, Desktop Security and Threat Prevention policies. The
information on connections from all of the software blades is collected in one log file.

The Access Control policy unifies the Firewall, NAT, Application Control & URL Filtering,
Data Awareness and Mobile Access software blade policies, controlling access to computers,
clients and servers. The rules that accompany these software blade policies make up the
Access Control policy Rule Base. These rules use services, protocols, applications, URLs, file
types or data types to filter traffic entering and leaving the network.

NOTE
In order to configure the URL Filtering and Application Control rules, the
URL Filtering and Application Control blade must be enabled on the
Access Control policy.

The Threat Prevention policy unifies the IPS, Antivirus, Anti-Bot and Threat Emulation
software blade policies.


Shared Policies
SmartConsole’s Shared Policies feature allows administrators to share a policy with other
policy packages. Shared Policies are installed with the Access Control policy and can be
referenced in multiple policy packages. The Shared Policies section in a policy package
provides access to these granular software blades and features:

- Mobile Access — Configure how remote users access internal resources, such as their
email accounts, when they are mobile.
- DLP — Configure advanced tools to automatically identify data that cannot go outside
the network, block the data leak and educate users.
- HTTPS Inspection — The HTTPS policy allows the Security Gateway to inspect
HTTPS traffic to prevent security risks related to the SSL protocol.
- Geo Policy — Create policy for traffic to or from specific geographical locations.

Figure 31 — Shared Policies


Additional Policy Management Tools

The Access Tools section in the Security Policies Access Control view and the Threat Tools
section in the Security Policies Threat Prevention view provide additional management and
data collection tools.

Access Tools include:

- VPN Communities — The VPN Communities tool allows the administrator to create,
edit or delete VPNs.
- Client Certificates — This tool allows users to access resources using their handheld
devices, such as cell phones and tablets, by creating and distributing client certificates,
allowing them to authenticate to the gateway.
- Application Wiki — The Application Wiki tool is a link to the Check Point AppWiki.
From this site, an administrator can search and filter the Web 2.0 Applications Database
and use Check Point security research when creating rules for actions on applications
and widgets.
- Installation History — This tool allows the administrator to view the policy
installation history for each gateway and which administrator made the changes. They
can also see the revisions that were made during each policy installation and who made
them. Revisions are opened in Read-Only mode. From this tool, an administrator also
has the ability to revert to a specific version of the policy, allowing for a quick recovery
without losing all the changes made in the database.

Figure 32 — Access Control Tools (VPN Communities, Updates, UserCheck, Client Certificates, Application Wiki, Installation History)


Threat Tools include:

- Profiles — The Profiles tool provides an administrator the ability to create, edit or
delete profiles. Multiple profiles can be created for each gateway and assigned to one or
more rules. These profiles can be configured to provide any combination of IPS, Anti-
Bot, Anti-Virus and Threat Emulation protections. There are a few pre-defined profiles
that are automatically enabled upon upgrade. If edits are made to a pre-defined profile,
the profile must be saved under a new name to preserve the original settings in the pre-
defined profile.
- IPS Protections — In this tool, an administrator can edit IPS protections and configure
exceptions to those protections. An administrator can also activate or deactivate
protections based on their tagging. For example, an administrator can activate all IPS
protections tagged with the vendor Microsoft or deactivate all protections tagged with
the protocol Modbus. This tagging feature provides more protection activation and
deactivation granularity. The IPS protection is a link to the IPS Protections tool.

NOTE
Protections are automatically tagged through the IPS update. This is the
only process that can change the tags.

- Protections — This tool allows an administrator to view the statistics on different
detected threats. It enables engine granularity by providing specific protections against
malicious and unusual activity engines. These protections can be overridden per profile.
The Security Management Server uses web services to retrieve the list of protections,
thereby requiring connectivity. Without connectivity, an error message is generated.
- Whitelist Files — The Whitelist Files tool provides a list of trusted files. An
administrator can specify files that the Threat Prevention blade does not scan or analyze
for malware, viruses or bots. This decreases the use of resources on the gateway.
- ThreatWiki — The ThreatWiki is a tool that links an administrator to the Check Point
ThreatWiki. From there, the administrator can search and filter Check Point’s Malware
Database and use Check Point security research to block malware before it enters their
environment and respond appropriately when malware does intrude the environment.


Updates

The Updates tool is used by both Access Control and Threat Prevention policies. In the Access
Control policy, the Updates tool allows the administrator to configure updates to the
Application Control and URL Filtering database. Under the Threat Prevention policy, the
administrator is able to configure updates to the Malware database, Threat Emulation engine
and images, and the IPS database. It also allows an administrator to revert to an earlier
IPS package version.

NOTE
Updates require Internet connectivity and name resolution from the
Security Management Server. If there is no connectivity, an error message
is generated.

UserCheck
UserCheck is a communication tool used by the Security Gateway to inform a user about a
website or application they are trying to access. It communicates messages about the
company’s Security Policy or a change in the company’s Security Policy to the person trying to
access the application or Internet site. This tool provides users the ability to create, edit or
delete UserCheck interaction objects in the Access Control and Threat Prevention policy.
There are three types of UserCheck messages:

- Inform — Informs the user of a possible violation of or a change in the company
Security Policy and provides users the option to continue to the application or cancel
the request.
- Ask — Asks a user if they want to continue to the application or cancel the request.
- Block — Blocks the request to access the application or Internet site.

When enabled, the user’s Internet browser will display the UserCheck message in a new
window. When UserCheck is installed on endpoint computers, the messages are displayed
directly on the computer.


Install Policy
When changes are made to a Rule Base, it is important to install policy to enforce the changes.
The policy cannot be installed if the included changes are not published. When you install
policy, the Security Management Server installs the updated policy and the entire database on
the selected gateways, even if network objects were not modified. It is possible to install only
the Access Control policy, only the Threat Prevention policy, or both policies.

NOTE
Changes made during a session must be published before installing policy.

Figure 33 — Installing Policy (SmartConsole, Security Management Server, Security Gateway)

Install a Policy Package


Policy rules are verified and checked for redundancy when a policy package is being installed.
Once verification is performed, the Security Policy is sent to the Security Gateways for
enforcement.

Installation ensures that each Security Gateway enforces at least one rule. If none of the rules
in the policy package apply to a Security Gateway, the Security Management Server does not
install the policy package on the Security Gateway. However, the Security Gateway will then
enforce a default drop rule, which is the default policy for all Security Gateways. Installing a
policy package also distributes the User and Objects databases to the target installation
Security Gateways.


There are two types of installation modes. The first installation mode installs the policy on
each target gateway independently. In this case, if the installation fails on one target gateway, it
does not affect the installation on the rest of the target gateways. The second installation mode
installs the policy on all target gateways. In this case, if the policy fails to install on one of the
gateways, the policy is not installed on any of the other target gateways.

Figure 34 — Policy Package Installation Mode (Install Mode options: Install on each selected gateway independently; For Gateway Clusters install on all the members, if it fails do not install at all; Install on all selected gateways, if it fails do not install on gateways of the same version)

NOTE
If For Gateway Clusters install on all the members, if it fails do not install at
all is selected, the Security Management Server makes sure that it can
install the policy on all cluster members before it begins the installation. If
the policy cannot be installed on one of the members, policy installation
fails for all of them.


Network Address Translation


Network Address Translation (NAT) allows Security Administrators to overcome IP
addressing limitations, allowing private IP-address allocation and unregistered internal-
addressing schemes.

Enterprises employ NAT for a variety of reasons, including:

- For private IP addresses used in internal networks.
- To limit external network access.
- For ease and flexibility of network administration.

NAT can be used to translate either IP address in a connection. Translating the IP of the
machine initiating the connection (typically the “client" of the connection) is called Source
NAT. Translating the IP address of the machine receiving the connection is called Destination
NAT.

The Security Gateway supports two types of NAT where the source and/or the destination are
translated:

- Hide NAT — a many-to-one relationship where multiple computers on the internal
network are represented by a single unique address. This type of NAT is also referred to
as Dynamic NAT.
- Static NAT — a one-to-one relationship where each host is translated to a unique
address; this allows connections to be initiated internally and externally. An example
would be a web server or a mail server that needs to allow connections initiated
externally.

NAT can be configured on Check Point hosts, nodes, networks, address ranges and dynamic
objects. NAT can be configured automatically or by creating Manual NAT rules. Manual NAT
rules offer flexibility because they can allow the translation of both the source and destination of
the packet and allow the translation of services.


Hide NAT
In Hide NAT, the source is translated, the source port is modified, and translation occurs on the
server side. In the illustration below, notice the source packet with address 10.1.1.101 going to
destination x.x.x.x.

The Firewall modifies the source port and adds the port information to a state table. The packet
translates on post-out, ‘O’, as it leaves the gateway. For protocols where the port number cannot
be changed, Hide NAT cannot be used.

Figure 35 — Hide NAT (Original Packet, Original Packet (Translated), reply path)


Choosing the Hide Address in Hide NAT
The Hide Address is the address behind which the network, address range or node is hidden. It
is possible to hide behind either the interface of the gateway or a specified IP address.
Choosing a fixed public IP address is a good option if you want to hide the address of the
Security Gateway. However, it means you have to use an extra publicly routable IP address.
Choosing to hide behind the address of the gateway is a good option for administrative
purposes. For example, if the external IP address of the gateway changes, there is no need to
change the NAT settings.


The default method for destination NAT is “client side”, where NAT occurs on the Inbound
interface closest to the client. Assume the client is outside the gateway and the server is inside
the gateway with automatic Static NAT configured. When the client starts a connection to
access the server’s NAT IP address, the following happens to the original packet in a client side
NAT:

Original Packet:

1. The packet from outside the gateway arrives at the Inbound interface, ‘i’, destined for the
web server and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the Connections table and the destination is
translated on the post-in side of the interface, ‘I’, before it is routed.
3. The packet arrives at the TCP/IP stack of the gateway and is routed to the Outbound
interface, ‘o’.
4. The packet is then forwarded through the Kernel, ‘O’, and routed to the web server.

Reply Packet:

1. The web server replies and hits the Inbound interface, ‘i’, of the gateway.
2. The packet is passed by the policy since it is found in the Connections table and arrives at
the post-in side of the Kernel, ‘I’.
3. The packet arrives at the TCP/IP stack of the gateway and is routed to the Outbound
interface, ‘o’.
4. The packet goes through the Outbound interface and is translated to the Static NAT IP
address as it leaves the Security Gateway, ‘O’. The source port does not change.

When the external server must distinguish between clients based on their IP addresses, Hide
NAT cannot be used because all clients share the same IP address under Hide NAT. To allow
connections from the external network to the internal network, only Static NAT can be used.


NAT - Global Properties


Several Global Properties influence how NAT is handled by a Security Gateway. The figure
below shows the default Global Properties for NAT.

Figure 36 — NAT Global Properties (Automatic NAT rules: Allow bidirectional NAT, Translate destination on client side, Automatic ARP configuration, Merge manual proxy ARP configuration; Manual NAT rules: Translate destination on client side; IP Pool NAT: Enable IP Pool NAT)


In most cases, the Security Gateway automatically creates NAT rules based on information
derived from object properties. The following three Global Properties can be modified to
adjust the behavior of Automatic NAT rules on a global level:

- Allow bi-directional NAT — If Allow bidirectional NAT is selected, the gateway will
check all NAT rules to see if there is a source match in one rule and a destination match
in another rule. The gateway will use the first matches found and apply both rules
concurrently. If not selected, only the first match will be applied.
- Translate Destination on client side — For packets from an external host that are to
be translated according to Static NAT rules, select this option to translate destination IP
addresses in the Kernel nearest the client. If not selected, a host route is required on the
Security Gateway to route to the destination server.
- Automatic ARP configuration — Select this option to automatically update ARP
tables on Security Gateways. For NAT to function properly, a gateway must accept
packets whose destination addresses differ from the addresses configured on its
interfaces. Automatic ARP configuration adds the ARP entries needed to accomplish
this task. This property applies to automatically created NAT rules only.
- Merge manual proxy ARP — Select this option to merge automatic and manual ARP
configurations. Manual proxy ARP configuration is required for manual Static NAT
rules. ARP can be configured through the Gaia portal or Clish.


Object Configuration - Hide NAT


Hide NAT can be configured to hide networks using a Security Gateway IP address or another,
externally accessible IP address. The following figure illustrates how to configure the NAT
properties for a network using a Security Gateway’s IP address when dynamically translated.
To configure Hide NAT with Automatic NAT rule creation, select the Add Automatic Address
Translation rules option. This automatically creates the necessary NAT rules for the object.

Figure 37 — NAT Configured Object (Add Automatic Address Translation rules; Translation method: Hide; Hide behind Gateway selected)


Address translation rules are divided into two elements: Original Packet and Translated Packet.
The elements of the Original Packet section inform a Security Gateway which packets match
the rule. The Translated Packet elements define how the Security Gateway should modify the
packet. Configuring the network object as described above creates two rules in the Address
Translation policy. The first rule prevents the translation of packets traveling from the
translated object to itself. The second rule instructs the Security Gateway to translate packets
whose source IP address is part of the Corporate-finance-net’s network. This rule translates
packets from private addresses to the IP address of the exiting interface of the Security
Gateway.

Figure 38 — NAT Rules (Automatic Generated Rules: Network Hide NAT; Original Packet and Translated Packet columns)


Because Hide NAT also modifies source ports, there is no need to add another rule for reply
packets. Information recorded in a Security Gateway’s state tables will be used to modify the
destination IP address and destination port of reply packets.
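The Hide NAT mechanics described in this section (source address and source port rewritten on the way out, the mapping kept in a state table, reply packets restored from that table, no translation for traffic from the hidden object to itself, and no Hide NAT for a protocol whose port cannot be changed), with Static NAT beside it for contrast, as an added Python model. This is illustrative code written for this section, not Check Point's implementation; every address, port and object name in it is constructed.

```python
# Added illustration of the Hide NAT and Static NAT behaviour described in this
# section; not Check Point code. All addresses, ports and names are constructed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", or a protocol without ports
    src: str
    dst: str
    sport: Optional[int] = None   # None when the protocol has no port field
    dport: Optional[int] = None


class HideNAT:
    """Many-to-one (Dynamic) NAT: an internal network hidden behind one address.
    Outbound: src -> hide address, sport -> fresh port, mapping stored in a state table.
    Inbound replies are rewritten back from that table; no reply rule is needed."""

    def __init__(self, internal: str, hide_address: str, first_port: int = 10000):
        self.internal = ip_network(internal)
        self.hide_address = hide_address
        self.next_port = first_port
        # (proto, hide addr, new sport, server, server port) -> (real src, real sport)
        self.state: Dict[Tuple, Tuple[str, int]] = {}
        # (proto, real src, real sport, server, server port) -> new sport, so one
        # connection keeps the same translated port for all of its packets
        self.by_origin: Dict[Tuple, int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if ip_address(pkt.src) not in self.internal:
            return pkt                        # rule does not match this source
        if ip_address(pkt.dst) in self.internal:
            return pkt                        # first automatic rule: object to itself, no NAT
        if pkt.sport is None:
            # The section notes Hide NAT cannot be used where the port cannot be changed.
            raise ValueError(f"{pkt.proto}: no source port to rewrite, Hide NAT not possible")
        origin = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if origin not in self.by_origin:
            new_sport = self.next_port
            self.next_port += 1
            self.by_origin[origin] = new_sport
            self.state[(pkt.proto, self.hide_address, new_sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.hide_address, sport=self.by_origin[origin])

    def inbound(self, pkt: Packet) -> Packet:
        """Reply handling: the state table supplies the real host and port."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.state:
            raise LookupError("no state-table entry: unsolicited packet to the hide address")
        real_dst, real_dport = self.state[key]
        return replace(pkt, dst=real_dst, dport=real_dport)


class StaticNAT:
    """One-to-one NAT: an inside server reachable from outside at a public address.
    Client-side destination NAT rewrites the inbound destination before routing and
    the reply's source on the way out. Ports are never changed."""

    def __init__(self, real: str, public: str):
        self.real, self.public = real, public

    def inbound(self, pkt: Packet) -> Packet:
        return replace(pkt, dst=self.real) if pkt.dst == self.public else pkt

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.public) if pkt.src == self.real else pkt


def demo_hide_nat():
    """Two internal hosts using the same source port reach the same external server."""
    nat = HideNAT("10.1.1.0/24", "203.0.113.1")      # constructed addresses
    a = nat.outbound(Packet("tcp", "10.1.1.101", "198.51.100.7", 40000, 443))
    b = nat.outbound(Packet("tcp", "10.1.1.102", "198.51.100.7", 40000, 443))
    # The server answers the translated address and port; the table restores host b.
    reply_to_b = nat.inbound(Packet("tcp", "198.51.100.7", b.src, 443, b.sport))
    internal = nat.outbound(Packet("tcp", "10.1.1.101", "10.1.1.50", 40001, 22))
    return a, b, reply_to_b, internal


def hide_nat_rejects_portless() -> bool:
    nat = HideNAT("10.1.1.0/24", "203.0.113.1")
    try:
        nat.outbound(Packet("gre", "10.1.1.101", "198.51.100.7"))
    except ValueError:
        return True
    return False


def demo_static_nat():
    """An external client reaches an inside web server through its Static NAT address."""
    nat = StaticNAT("192.168.1.2", "203.0.113.80")    # constructed addresses
    inbound = nat.inbound(Packet("tcp", "198.51.100.9", "203.0.113.80", 51515, 80))
    reply = nat.outbound(Packet("tcp", "192.168.1.2", "198.51.100.9", 80, 51515))
    return inbound, reply
```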


Hide NAT Using Interface IP Address

Using another externally accessible IP address for Hide NAT is considered best practice. The
following figure illustrates how to configure the NAT properties for a network that will use
another externally accessible IP address when dynamically translated.

Figure 39 — Hide NAT Configured Object - Hide Behind IP Address (Add Automatic Address Translation rules; Translation method: Hide; Hide behind IP Address selected)


For Automatic NAT rule creation, the Security Gateway makes all necessary route and ARP
table entries on the Security Gateway. The Security Gateway will process packets destined for
the HR_Server even though that IP address is not bound to its interface. For routing to work
properly, the address selected to hide internal networks should be on the same subnet as the IP
address of the interface where packets will arrive.

Like Hide NAT behind a Security Gateway’s IP address, configuration for Hide NAT using
another externally accessible IP address also creates two rules. The first rule instructs the
Security Gateway not to translate traffic whose source and destination is the object for which
Hide NAT is configured. The second rule translates the source address of packets not destined
for the object for which Hide NAT is configured.

Figure 40 — Hide NAT Rule Base (Automatic Generated Rules: Network Hide NAT)


Static NAT

A static translation is assigned to a server that needs to be accessed directly from outside the
Security Gateway. The packet is typically initiated from a host outside the Firewall. When the
client initiates traffic to the Static NAT address, the destination of the packet is translated.

Figure 41 — Static NAT (Original Packet, Original Packet (Translated), Reply Packet; inside host 192.168.1.2)
Configuring a Security Gateway to perform Static NAT for a host is similar to configuring a
Security Gateway to perform Hide NAT using another externally accessible IP address.

For routing to work properly, the Translate to IP Address configuration must be on the same
subnet as the Security Gateway’s IP address. When Automatic NAT rule creation is used, it
makes the necessary adjustments to the ARP configuration.


Permission Profiles
A permission profile is a customizable set of Security Management Server and SmartConsole
permissions that are assigned to administrators. Permission profiles allow for granular control
over who can perform certain tasks, such as backups, scripts, policy installations and logging.
A permission profile may be assigned to multiple administrators. Only administrators with the
applicable permissions can create and manage permission profiles.

There are three profile types:

- Read/Write All — Administrators can change the configuration.
- Auditor (Read Only All) — Administrators can see the configuration, but cannot
change it.
- Customized — Configure custom permissions.

Configure Custom Permissions

For each feature, determine if the administrator should be able to configure the feature or only
view it. If the permission for the feature is not selected, the administrator cannot see the
feature. If it is selected, the administrator is able to see the feature. Next to many features is a
drop down menu with the following two options:

- Read — The administrator can see the feature but cannot change its configuration.
- Write — The administrator can see and change the configuration of the feature.

The permissions are broken down into the following tabs:

- Gateways — Configure the Provisioning and Scripts permissions.
- Access Control — Configure Access Control policy permissions.
- Threat Prevention — Configure Threat Prevention policy permissions.
- Others — Configure permissions for Common Objects, user databases, HTTPS
Inspection features, and Client Certificates.
- Monitoring and Logging — Configure permissions to generate and see logs and to use
monitoring features.
- Events and Reports — Configure permissions for SmartEvent features.
- Management — Configure permissions for managing sessions and administrators.

NOTE
A Super User is an administrator with full access to all system resources.


Create a Permission Profile


To create a new permission profile:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission
Profiles.
2. Click New Profile.
3. Enter a unique name for the profile.
4. Select a profile type.
5. Click OK.

Figure 44 — New Profile Window (Permissions tabs: Gateways, Access Control, Threat Prevention, Others, Monitoring and Logging, Events and Reports, Management; profile types: Read/Write All, Auditor (Read Only All), Customized)

When configuring a new policy layer in the Access Control policy, the Permissions tab will
automatically populate a list of profiles that have permissions to edit this layer, based on the
software blades enabled for that policy layer. Additional profiles may also be added to the list
using the search tool.


Expirations
An administrator account may be configured to expire on a certain date. Once a date is chosen,
the administrator settings may be configured to display notifications about the approaching
expiration date upon administrator log in. The number of remaining days will also be displayed
in the status bar. To use the same expiration settings for multiple accounts, configure a default
expiration date.

NOTE
After the expiration date, the account is no longer authorized to access
network resources and applications.

Revoke a Certificate
It is possible to revoke an administrator’s certificate if they are temporarily unable to perform
their duties. This allows the administrator account to continue to exist, yet does not allow that
account to authenticate to the Security Management Server until the certificate is renewed. To
revoke an administrator’s certificate, click the Revoke button in the Authentication section
under the General tab.

Figure 45 — Administrator Window (Authentication: Certificate Information, Revoke; Permissions: Permission Profile; Expiration: Never / Expire At)


Sessions
Every time an administrator logs into the Security Management Server through SmartConsole,
a new session begins. Logging out completes the administrator’s session. During a session, an
administrator may make several changes in SmartConsole, such as editing or creating a rule.
The rule is locked during the session. Those changes can be published, saved or discarded.
Publishing the session will update the policy. The policy must be published before it can be
installed. Installing the policy will push the changes to the Security Gateway.

Figure 46 — Publishing a Session (Click ‘Publish’ to make these changes available to all; Session name, Description, Total draft changes)

If the administrator publishes the session, all the changes are saved, made available to other
administrators and a new revision of the database is created and made available in the
Revisions section of the Manage & Settings tab. When publishing a session, it is recommended
to name the session and provide a description. If this is not done, the database revision is saved
with the default Session Name <adminID>@<date> and Description <# of changes>
changes published by <AdminID> on <date>.

NOTE
Any changes made by the administrator are only visible to that
administrator until the session is published.

Figure 47 — Session Details Window (Session name, Description)


If the administrator chooses to discard the session, all the changes are lost. When an
administrator attempts to close SmartConsole without publishing or discarding changes, the
changes are saved as a draft on the server. The administrator is prompted with the following
options:

- Exit, allowing the administrator to access the saved session upon the next login
- Discard the draft and exit
- Cancel and continue with their current session

If the administrator saves the session, the changes made in that session are available only to
that particular administrator upon their next login. This does present an issue if an
administrator saved changes to objects or rules, as those objects or rules are now locked and
other administrators cannot edit them. An administrator with the permission to manage other
administrators can perform actions on other administrator sessions, such as:

- Publish and disconnect
- Discard and disconnect
- Disconnect

It is possible to view a list of sessions created along with detailed information about each
session, such as how many changes were made and the number of items that are locked. To
navigate to the list of sessions, click the Manage & Settings tab and then select Sessions from
the navigation tree.

Figure 48 — Sessions (columns: Administrator, Session Name, Connection State, Mode, Application, Locks, Changes, Login time)


Database Revisions
A list of revisions may be viewed under the Manage & Settings tab. This list provides details
such as the name of the administrator that made the revision, the time when the revision was
made and the description the administrator wrote before publishing the change. By clicking the
View button, SmartConsole opens in Read-only mode and shows SmartConsole as it was after
the revision was published. Clicking the Purge button will permanently delete a database
revision.

NOTE
It is not possible to revert to a database revision, however it is possible to
revert to a previously installed policy by navigating to the Installation
History tool located in each policy package.

Figure 49 — Revisions (columns: Time, Session Name, Administrator, Changes, Description)


Concurrent Administration
A major feature in SmartConsole is concurrent administration. Concurrent administration is
the ability administrators have to work side by side in a single Security Policy without conflict.
The following example details the concept of concurrent administration:

Company XYZ has two administrators, Dan and Mike. If Dan logs into the Security
Management Server as an administrator and Mike logs into the same Security Management
Server right after, they can both work on policy at the same time. Each administrator will have
different sessions assigned.

If Dan is in the process of making changes to an existing rule in the Rule Base to the DMZ
Rule Number 6, a pencil icon appears next to the rule to show that the rule is currently being
edited.

Figure 50 — Administrator Dan’s View

In Mike’s view of SmartConsole, a lock icon appears next to the DMZ Rule to indicate that this
rule is currently locked for editing by another administrator. This lock icon is a visible
indication to Mike that he cannot work on this rule. In the same way, only one administrator
can work on a network object at a time. Mike can hover his mouse pointer over the lock icon in
his view to reveal Dan’s session that is currently making the change for this specific rule.

Figure 51 — Concurrent Administrator Mike’s View


In order for any changes made by one administrator to be made visible to all other
administrators and to unlock any objects or rules that have been worked on, the administrator
must publish their session. The object or item being edited will be locked and made
unavailable until the session is published or discarded. Remember, an administrator with the
correct permissions can act on the active sessions of other administrators.

AutoSaving
Whenever an administrator makes changes in SmartConsole, the changes are automatically
saved into the Management Database. As a result, if an administrator is accidentally
disconnected from the Security Management Server, any changes made will not be lost. They
will be available once the administrator logs back in. A dialog box will inform the administrator
of the disconnection.


Managing Remote Gateways


Many organizations may include remote gateways as a part of their overall network topology.
To manage a remote gateway, administrators must explicitly define Control Connection rules
on their local gateways to ensure that the Security Management Server can interface with the
remote gateway. The Security Management Server must be able to send information to the
remote gateway, such as during policy installation, and receive data, such as logs and alerts
from the remote gateway.

Figure 52 — Control Connection Rules


Backups
Check Point provides several methods for backing up and restoring the operating system,
networking parameters, and appliance configurations. Each method backs up certain
parameters and has relative advantages and disadvantages (i.e. file size, speed and portability).
The method of backup used is determined by what needs to be backed up. For complete
backup of the system and maximum confidence, Check Point recommends combining methods
as part of your overall backup plan.

Snapshot
Before performing an upgrade, you can use the command line to create a Snapshot image of
the operating system or of the packages distributed. If the upgrade or distribution operation
fails, you can use the command line to revert the disk to the saved image. The revert command
restores the system from the snapshot file back to the same machine. Running the snapshot
backup utility can take a long time and may impact production. Before creating a snapshot
image, make sure there is enough free space on the Backup partition.

System Backup (and System Restore)

The System Backup and Restore method is used to restore information, which can be restored
to a different machine. It functions much the same as the Snapshot backup utility; however, it
does not impact production. This method allows you to back up the configuration of the Gaia
operating system and the Check Point configuration, as well as restore a previously saved
configuration. The backup may be stored locally or remotely on a TFTP, SCP or FTP server.

Migrate
The Migrate method, which is also referred to as upgrade_export/migrate export,
backs up all Check Point configurations, independent of hardware, operating system or Check
Point version. However, it does not include operating system information.

Save Configuration (and Load Configuration)

The Save Configuration backup method is used for saving Gaia operating system configuration
settings as a ready-to-run CLI script. It allows you to review your current setup and then
quickly restore the configuration.


The following chart provides a comparison of the backup methods.

                                      Snapshot      System Backup     Migrate                Save Configuration
Does it back up Gaia operating        Yes           Yes               No                     Yes
system configuration?
Does it back up Products              Yes           Yes               Yes                    No
configuration?
Does it back up Hotfixes?             Yes           No                No                     No
Size of output file on                5 - 100 GB    Depends on        Depends on             Few KB
Security Gateway                                    configuration     configuration
Size of output file on                5 - 100 GB    5 - 100 GB        Depends on             Few KB
Security Management Server                                            configuration
Does it support automatic             No            Yes               No                     No
scheduling?
Can you restore from                  Yes           No                Upgrade is performed   With manual
different versions?                                                   when importing to a    adjustments
                                                                      newer version
Table 8: Comparison of Backup Methods


Performing Backups
Making a copy of the configuration of the Gaia operating system and the Security Management
Server database is an important step in managing a network. These backups can be run
manually or they can be scheduled. All backups are saved to a .tgz file under
/var/CPbackup/backups/ on open servers or /var/log/CPbackup/backups/ on Check
Point appliances. It is also possible to restore a previously saved backup. Backups and restores
can be accomplished through SmartConsole, WebUI, or CLI.

Backup via SmartConsole

Performing a backup in SmartConsole is simple. To perform a backup, select the gateway to be
backed up from the Gateways and Servers view and then select System Backup from the
Actions menu.

Figure 53 — System Backup Window

It is also possible to back up multiple gateways or servers by simply selecting and highlighting
them all. While the backup is in progress, the status of the backup is displayed in the Task
section at the bottom of the GUI. When the backup is complete, double-click the task to view
the file path and name of the backup file.


Restoring a gateway or server is just as easy as backing it up.

Figure 54 — System Restore Window

Backup via WebUI

To perform a backup via WebUI, expand Maintenance in the tree view, select System Backup
and Add Backup. Select the location of the backup file from the list of backup types provided
in the New Backup window.

Figure 55 — New Backup Window


Before restoring from a backup, the machine needs to be configured with the previous host
name. Otherwise, a double reboot is needed after the restore to activate the machine.


Backup via CLI

The CLI can be accessed through SmartConsole. Log in to the Command Line Interface.

Figure 56 — Command Line Window

Use the following commands to create and save the system’s configuration:

    add backup local
    add backup tftp ip <ip>
    add backup [ftp|scp] ip <ip> username <name> password plain

Parameter        Description
local            Saves the backup locally to /var/CPbackup/backups/
ip               IP address of the remote server
username         Username required to log in to the remote FTP or SCP server
password plain   Password for the remote FTP or SCP server
Table 9: CLI Backup Parameters

To monitor the creation of a backup:

show backup status

To view the status of the previous backup:

show backups


Review Questions
1. Name five object categories.

2. What is the difference between Explicit and Implicit rules?

3. What is a policy package?

4. Describe concurrent administration.

5. Backups are saved as what type of file?

Chapter 3: Policy Layers

Check Point’s policy layers concept creates more options for Security Policy management.
Policy layers allow administrators to separate the Security Policy into multiple
components to provide better security and segregation of duties. Layers also enable
flexible control over policy behavior.

Learning Objectives

• Understand the Check Point policy layer concept.
• Recognize how policy layers affect traffic inspection.

Policy Layer Concept


Managing the Security Policy of a large network can be overwhelming. Policy layers and
sections help to visually organize the Rule Base. It is also important to understand how the
order of rule enforcement affects the Security Policy.

Figure 57 — Check Point Policy Layer Concept (Security Policy; Alpha, Bravo and Charlie Gateways)

Policy Layers
A layer is a set of rules, or a Rule Base. Layers allow administrators to separate the Security
Policy into multiple components. When the Security Policy has a large number of rules,
enforcing the policy becomes resource intensive and managing the rules becomes a difficult
task. Policy layers alleviate these issues by dividing a policy, such as the Access Control
policy, into smaller, more manageable sections that serve a certain purpose. The layers concept
also provides more options for policy management, including the ability to set different view
and edit permissions per layer for different administrator roles and the ability to reuse a layer in
different policy packages.


There are a few important factors to consider when creating policy layers:

• Determine the number of policy layers in a policy.

NOTE
The Access Control policy only supports two policy layers: Network and
Application Control.

• Determine the software blades to enable in each policy layer in the Access Control
policy.
• Determine the order of rules in each policy layer.
• Determine the order of policy layers in a policy.

Management duties for each policy layer can be delegated to the appropriate administrator.

Figure 58 — Access Control and Threat Prevention Policies and Layers


Traffic Inspection
When a packet arrives at the gateway, it is checked against the rules in the top policy layer,
starting with the first rule and sequentially moving down through the policy layer. When the
packet matches the conditions set forth in a rule, the action specified for that rule is executed
on the packet. If the action is drop, the gateway discontinues matching the packet against any
more rules and drops the packet. If the action is accept, the gateway continues matching the
packet against the rules in the next policy layer. If no policy layer rules match the packet, the
Implicit Default rule is applied. If this rule is non-existent, the Implicit Cleanup rule is applied.
When there are several policy layers, administrators can move the layers up and down the
policy list according to security needs. This process is sometimes referred to as Ordered
Layers.

Order of Rule Enforcement

Implied, Explicit and Implicit Cleanup rules are executed by the Security Gateway in the
following order:

1. First Implied rules — These rules are applied before all other rules in the policy layer,
whether they are Explicit or Implicit.

2. Explicit rules — These are rules created by an administrator.

3. Before Last Implied rules — These rules are applied before the last Explicit rule in the
policy layer.

4. Last Explicit rule — It is recommended to use a Cleanup rule as the Last Explicit rule.

NOTE
When a Cleanup rule is the last Explicit rule, the Last Implied and Implicit
Cleanup rules are not enforced.

5. Last Implied rule — This rule is applied after all other rules in the policy layer, whether
they are Explicit or Implicit.

NOTE
If an Implied Drop rule is used, it will not create log entries. To log traffic,
create an Explicit Cleanup rule.

6. Implicit Cleanup rule — This rule is applied if no other rules in the policy layer match.
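As an added example (not Check Point code), the following Python model walks two Ordered Layers in the six enforcement positions listed above; the gateway, host, service and rule names in it are constructed for illustration. It shows how a First Implied rule is evaluated ahead of an Explicit Stealth rule, why a last Explicit Cleanup rule shadows the Last Implied and Implicit Cleanup rules, and which matches would be logged.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Constructed object names used by the sample policy below (not from the manual).
GATEWAY, MGMT, LAN_HOST, INTERNET = "gw-1", "mgmt-1", "lan-10", "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    app: str = "unknown"   # known only after payload inspection (Application Control layer)


@dataclass
class Rule:
    name: str
    src: str = "Any"
    dst: str = "Any"
    service: str = "Any"
    app: str = "Any"        # Network layer rules leave this at Any: they do not examine payload
    action: str = "accept"  # "accept" or "drop"
    log: bool = True        # Implied and Implicit Cleanup rules are not logged by default

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src, pkt.src), (self.dst, pkt.dst),
                 (self.service, pkt.service), (self.app, pkt.app))
        return all(want in ("Any", have) for want, have in pairs)


@dataclass
class Layer:
    name: str
    explicit: List[Rule]                        # rules created by an administrator, in order
    implied_first: List[Rule] = field(default_factory=list)
    implied_before_last: List[Rule] = field(default_factory=list)
    implied_last: List[Rule] = field(default_factory=list)
    implicit_cleanup: str = "drop"              # Network layer: drop; Application Control: accept

    def enforcement_order(self) -> Iterator[Rule]:
        """Yield the layer's rules in the six enforcement positions described above."""
        yield from self.implied_first                   # 1. First Implied rules
        yield from self.explicit[:-1]                   # 2. Explicit rules
        yield from self.implied_before_last             # 3. Before Last Implied rules
        yield from self.explicit[-1:]                   # 4. Last Explicit rule
        yield from self.implied_last                    # 5. Last Implied rule
        yield Rule("Implicit Cleanup", action=self.implicit_cleanup, log=False)  # 6.


Trail = List[Tuple[str, str, bool]]   # (layer, matched rule, would the match be logged)


def inspect(layers: List[Layer], pkt: Packet) -> Tuple[str, Trail]:
    """First match wins inside a layer; drop ends inspection, accept moves to the next layer."""
    trail: Trail = []
    for layer in layers:
        for rule in layer.enforcement_order():
            if rule.matches(pkt):
                trail.append((layer.name, rule.name, rule.log))
                if rule.action == "drop":
                    return "drop", trail
                break   # accepted by this layer: continue with the next one
    return "accept", trail


def build_access_control(explicit_cleanup: bool = True) -> List[Layer]:
    """Two ordered layers, as in an R80 Access Control policy: Network, then Application Control."""
    network_rules = [
        Rule("Stealth", dst=GATEWAY, action="drop"),
        Rule("LAN web out", src=LAN_HOST, dst=INTERNET, service="https"),
    ]
    if explicit_cleanup:
        network_rules.append(Rule("Cleanup", action="drop"))   # logged, unlike the implicit one
    network = Layer(
        "Network", network_rules,
        # Global Properties: accept control connections, positioned First, so it is
        # evaluated before the Stealth rule that would otherwise drop traffic to the gateway.
        implied_first=[Rule("Accept control connections", src=MGMT, dst=GATEWAY,
                            service="CPMI", log=False)],
        implicit_cleanup="drop",
    )
    app_control = Layer(
        "Application Control",
        [Rule("Block streaming", src=LAN_HOST, app="youtube", action="drop")],
        implicit_cleanup="accept",
    )
    return [network, app_control]


if __name__ == "__main__":
    layers = build_access_control()
    for pkt in (Packet(MGMT, GATEWAY, "CPMI"), Packet(LAN_HOST, GATEWAY, "ssh"),
                Packet(LAN_HOST, INTERNET, "https", app="youtube"),
                Packet(LAN_HOST, INTERNET, "smtp")):
        print(pkt, "->", inspect(layers, pkt))
```

Removing the Explicit Cleanup rule (build_access_control(explicit_cleanup=False)) makes unmatched traffic fall through to the unlogged Implicit Cleanup, which is why the manual recommends an Explicit Cleanup rule when those drops need to appear in the logs.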


Access Control Policy Layers


An Access Control policy can have up to two ordered layers. The first one must contain the
Firewall rules and is known as the Network policy layer. The second policy layer will be the
Application Control policy layer.

Network Policy Layer

The first policy layer in the Access Control policy is the Network policy layer. This policy
layer is made up of Firewall rules, providing packet inspection on network traffic. The rules
are based on source and destination IP addresses, or service protocol, and do not examine
packet payload.

NOTE
The Network policy layer must be placed above all other policy layers. Do
not edit these layer properties.

Firewall rules include Implied, Explicit and Implicit Cleanup rules. Implied rules are global
rules that are derived from Global Properties. Implied rules allow control connections such as
management, auditing and tracking as well as communication with servers, like LDAP and
RADIUS. Implied rules also allow outgoing packets originating from the Security Gateway.
By default, the Implied rules are not logged. Implied rule parameters cannot be changed, but the
location of some of the Implied rules can be modified in the Global Properties window.


Their positions can be changed to one of the following options:

• First — The rule is applied before any other rule in the policy layer.
• Before Last — The rule is applied before the last explicit rule, if no other rules in the
policy layer matched.
• Last — The rule is applied if all other rules in the policy layer were applied and none of
them matched.

Figure 59 — Global Properties Window

An Explicit rule is a rule configured by an administrator to allow or block traffic. These rules
are created to enhance security and performance of the Security Gateway. There are a couple
of important Explicit rules to note. The Cleanup rule is a default Explicit rule added to each
new layer. It drops traffic that is not allowed by the previous rules in the policy. This rule may
be edited or deleted. The Stealth rule is an Explicit rule that prevents direct access to the
Security Gateway. Its purpose is to drop all unauthorized connections to the Security Gateway.

Implicit Cleanup rules deal with all traffic that does not match any Explicit or Implicit rules.
Each layer will have an Implicit Cleanup rule that will either drop or accept traffic. In the
Network policy layer, the default action for the Implicit Cleanup rule is drop. This rule does
not show up in the Rule Base.

Figure 60 — Layer Editor Window

The Application Control Policy Layer


The second policy layer of the Access Control policy is the Application Control policy layer.
URL Filtering and Application Control rules are used to drop unsafe traffic by identifying
objectionable URLs, URL categories, web application and web widgets. These rules can be
customized for individual users or groups. They are also used in this policy layer to allow or
block applications and Internet sites, such as Facebook, YouTube, and Twitter. Whether they
are allowed or blocked is based on the individual application or site, categories, or risk levels.


Application and Internet site details are stored in the Application and URL Filtering database,
which is regularly updated with the newest applications and Internet sites. Security Gateways
constantly reference this database. It is important to remember that applications and websites
can also be used in the creation of objects, which makes it easy to manage the Security Policy.

NOTE
The default Implied last rule in the Network policy layer is to drop all
traffic and the default Implied last rule in the Application Control policy
layer is to accept everything. This rule does not show up in the Rule Base.

Threat Prevention Policy Layers


Threat Prevention policy layers can be organized in many ways, such as by specific blades
(Anti-Malware, Anti-Bot, Anti-Virus) or by scope (Data center to DMZ). Organizing the layers
this way can present some issues. For instance, it may present a conflict between an
administrator that can make changes to the DMZ and LAN and another administrator who can
only make changes from the DMZ to external. In instances like these, there are three conflict
resolution rules:

Conflict type            Description                                         Resolution
Conflict on action       The action for a specified scope is different       The action taken will be the most
                         between layers.                                     restrictive.
Conflict on exception    The exceptions for a specified scope are            The action taken will be the most
                         different between layers.                           liberal, or least restrictive.
Conflict on settings     The settings, such as MIME nesting, differ          The setting used will be from the
                         between layers.                                     first policy layer.
Table 10: Policy Layer Conflicts and Resolutions


The IPS Policy Layer

The IPS policy layer is part of the Threat Prevention policy, providing granular configuration
with the ability to apply multiple protection profiles per gateway. An IPS layer is automatically
created for pre-R80 gateways. Those gateways are added to the rules of the IPS layer. The IPS
policy for these gateways is installed during the Access Control policy install. The
administrator is notified when this happens.

NOTE
For pre-R80 gateways, the IPS software blade is automatically inactivated
in the Threat Prevention policy.

NOTE
During an upgrade, if the gateway is assigned to a profile in which
troubleshooting is enabled, the activation mode will be set to Detect Only
on the gateway object.


Layers and Policy Packages Example


An organization consists of one sales office in Texas, one sales office in New York, one
executive management office in California and one server farm site in Georgia. Each site has a
particular set of needs and requirements. Therefore, an administrator will have to create
different policy packages for the sites.

Figure 61— Sample Company Topology


#   Site                                     Software Blades                     Policy Types
1   Texas Sales Office                       Firewall, VPN                       Access Control (includes Network and
                                                                                 Application Control rules)
2   New York Sales Office                    Firewall, VPN, IPS, DLP             Access Control (includes Network and
                                                                                 Application Control rules) and IPS
                                                                                 (configured as a Threat Prevention
                                                                                 policy layer)
3   California Executive Management Office   Firewall, VPN, QoS, Mobile Access   Access Control (includes Network and
                                                                                 Application Control rules), QoS and
                                                                                 Desktop Security policies
4   Georgia Server Farm                      Firewall                            Access Control (includes Network and
                                                                                 Application Control rules)
5   Internet

To manage these sites efficiently, three different policy packages should be created. Each
package includes a combination of policy types that correspond to the software blades installed
on the site’s gateway. The policy packages on all four gateways include the same Access
Control policy with Network and Application and URL Filtering policy layers.


It is best practice to share policy layers with other policy packages when possible. To make the
two policy layers available in all policy packages, enable the Multiple policies can use this
layer option.

Figure 62 — Layer Editor Window


According to the table, the New York sales office requires a set of IPS rules and the California
executive management office requires a separate set of Threat Prevention rules. Their policy
packages would be configured as seen below.

Figure 63 — Manage Policies Window


Best Practices
For the most effective Rule Base and to conserve resources, ensure that all Network policy
layer rules are based on source and destination IP addresses or service protocol. These rules
should be placed at the top of the Rule Base since they simply validate connections. They are
the least resource intensive and will be able to filter out a significant amount of traffic. They
should not examine packet payload. Otherwise, there will be higher gateway resource
utilization and gateway performance deterioration. It is also important that the Network policy
layer consists of Explicit rules that accept safe traffic.

Rules with application, data, or mobile access elements should be placed at the bottom of the
Rule Base because they force the gateway to examine the packet's payload, which requires
activation of streaming and is very resource intensive.

Ensure there is an Explicit Cleanup rule at the end of each policy layer or verify the Implicit
Cleanup rules are set to the appropriate setting, depending on the layer.


Managing the Application Control Policy Layer

The Application Control policy layer consists of Application Control and URL Filtering rules.
For the layer to work, the Firewall and Application and URL Filtering software blades must be
enabled. When combined, the Application Control and URL Filtering software blades unify
web application and widget control with website access control for improved security.

Application Control Software Blade


The Check Point Application Control software blade enables visibility, scanning, detection and
granular control of social networks, Web 2.0 applications and features within the applications.
It provides the largest application coverage in the industry and in-depth 360° visibility into user
activities. Check Point’s Application Control software blade enables application security
policies to identify, allow, block, or limit usage regardless of the port or protocol used,
including SSL encrypted traffic. For example, traffic to Facebook may be over HTTP or
HTTPS. If the policy blocks playing Facebook games, the traffic will be blocked whether the
traffic is encrypted or not.

AppWiki Application Classification Library

AppWiki enables application scanning and detection of thousands of applications and
hundreds of thousands of widgets including messaging, social networking, video streaming,
VoIP, games and more. Applications are classified in more than 150 categories, based on
diverse criteria such as application type, security risk level, resource usage and productivity
implications. The AppWiki is continuously updated to support the dynamic nature of internet
applications.

Figure 64 — AppWiki

URL Filtering Software Blade


The Check Point URL Filtering software blade protects companies and users by utilizing
cloud-based categorization of over 200 million websites. It provides optimized web security
with full integration in the gateway, preventing bypass through external proxies; integration of
policy enforcement with Application Control for full Web and Web 2.0 protection; and
leveraging UserCheck technology, empowering and educating users on web usage policy in
real time. URL Filtering also provides an array of superior filtering options, including the
option to scan and secure SSL encrypted traffic passing through the gateway or filtering
HTTPS traffic without SSL inspection. Check Point’s URL Filtering software blade enables
application security policies to allow, block and limit website access based on user, group and
machine identities.

Creating an Application Control and URL Filtering Policy


Check Point unifies Application Control and URL Filtering to deliver:

• One common Rule Base to simplify policy creation with joint categories for both
websites and applications
• One management console for easier management
• One reporting system for improved visibility into web events

The policy for Application Control and URL Filtering is created and managed in the Access
Control policy. Once unified, it becomes the Application Control policy layer and is the second
layer of the Access Control policy. The Access Control policy defines which users can use
specified applications and websites from within the organization. It also defines what
application and site usage is recorded in the logs. If the Access Control policy has a different
structure, the policy will fail to install.

Figure 65 — Sample Application Control and URL Filtering Rules

To enable Application Control and URL Filtering in the Access Control policy:

1. In SmartConsole, select the Security Policies view.
2. In the Access Control section, right-click Policy and select Edit Layer.
3. The Policy window will open. Make sure that the Access Control policy type is selected.
4. In the Access Control policy section, double-click Policy Layer.
5. Select Application & URL Filtering.
6. Click OK.
7. Install the Policy.

The Rule Base

The Implicit Cleanup rule for the Application Control policy layer is set to Accept all traffic
that is not matched by any rule in the layer. With each new policy layer, the Explicit Default
rule is added automatically and set to Drop all the traffic that does not match any rule in that
policy layer. Check Point recommends that the Action is set to Accept for the Application
Control policy layer. If the default rule is removed, the Implicit Cleanup rule will be enforced.

To learn which applications and categories have a high risk and discover applications and
categories that may need to be included in your policy, look through the AppWiki in the
Access Tools part of the Security Policies view.


Review Questions
1. Describe policy layers.

2. How many policy layers can be included in an Access Control policy and how should they
be ordered?

Chapter 4: Check Point Security Solutions and Licensing

Security Gateway Software Blades

Firewall
The Check Point Firewall software blade is the industry’s strongest
level of gateway security and identity awareness. Built upon Check
Point’s award-winning FireWall-1 solution introduced in 1994, Check
Point’s Firewalls are trusted by 100% of the Fortune 100 companies.

IPsec VPN

The Check Point IPsec VPN software blade provides secure
connectivity to corporate networks for remote and mobile users, branch
offices, and business partners. This software blade integrates access
control, authentication, and encryption to guarantee the security of
network connections over the public Internet.

Mobile Access
The Check Point Mobile Access software blade provides simple and
secure remote access to corporate applications over the Internet using
smartphones, tablets, or laptops. This software blade provides
enterprise-grade remote access via SSL VPN for simple, safe, and
secure mobile connectivity to email, calendars, contacts, and corporate
applications.

Intrusion Prevention System (IPS)

The Check Point IPS software blade combines industry-leading IPS
protection with advanced performance at a lower cost than traditional,
stand-alone IPS solutions. It delivers complete and proactive intrusion
prevention, all with the deployment and management advantages of a
unified and extensible next-generation Firewall solution.


Application Control

The Check Point Application Control software blade provides the
industry’s strongest application security and identity control to
organizations of all sizes. It enables IT teams to easily create granular
policies based on users or groups to identify, block or limit usage of
over 250,000 Web 2.0 applications and widgets.

URL Filtering
The Check Point URL Filtering software blade integrates with
Application Control, allowing enforcement and management of all
aspects of web security. URL Filtering provides optimized web security
through full integration in the gateway to prevent bypass through
external proxies. Integration of policy enforcement with Application
Control means enhanced Web and Web 2.0 protection.

Identity Awareness
The Check Point Identity Awareness software blade provides granular
visibility of users, groups, and machines. It provides unmatched
application and access control through the creation of accurate, identity-
based policies. Centralized management and monitoring allows for
policies to be managed from a single, unified console.

Data Loss Prevention (DLP)/ Data Awareness


The Check Point DLP software blade combines technology and
processes to revolutionize Data Loss Prevention. It helps businesses to
preemptively protect sensitive information from intentional loss by
educating users on proper data handling policies and empowering them
to remediate incidents in real time. DLP is also referred to as Data
Awareness.

Anti-Bot
The Check Point Anti-Bot software blade detects bot-infected
machines, prevents bot damages by blocking bot C&C
communications, and is continually updated from ThreatCloud™,
which is the first collaborative network to fight cybercrime.


Antivirus
The enhanced Check Point Antivirus software blade stops incoming
malicious files. Using real-time virus signatures and anomaly-based
protections from ThreatCloud™, the Antivirus software blade detects
and blocks malware at the gateway before the user is affected.

Anti-Spam and Email Security

The Check Point Anti-Spam and Email Security software blade
provides comprehensive protection for an organization’s messaging
infrastructure. A multidimensional approach protects the email
infrastructure, provides highly accurate spam protection, and defends
organizations from a wide variety of virus and malware threats
delivered within email.

Advanced Networking and Clustering


The Check Point Advanced Networking and Clustering software blade
simplifies network security deployment and management within
complex and highly utilized networks, while maximizing network
performance and security in multi-Gbps environments. This
combination is ideal for high-end enterprise and data center
environments where performance and availability are critical.

Security Gateway Virtual Edition (VE)


The Check Point Security Gateway Virtual Edition protects dynamic,
virtualized environments and external networks, such as private and
public clouds, from internal and external threats by securing virtual
machines and applications with the full range of Check Point software
blades.


Advanced Threat Prevention Software Blades

Threat Emulation

Check Point Threat Emulation prevents attacks from zero-day and
undiscovered threats. The technology protects against vulnerabilities
and malware variants in email attachments and file downloads by
discovering malicious activity using advanced behavioral analysis of
threats in virtual environments.

Management Software Blades for Policy Management

Network Policy Management

The Check Point Network Policy Management software blade provides
comprehensive, centralized network Security Policy management for
Check Point gateways and software blades via a single, unified console
which provides control over even the most complex security
deployments.

Endpoint Policy Management


The Check Point Endpoint Policy Management software blade
simplifies endpoint security management by unifying all endpoint
security capabilities for PC & Mac in a single console. Monitor,
manage, educate, and enforce policy from SmartConsole down to user
and machine details.

Management Portal
The Check Point Management Portal software blade allows browser-
based security management access to outside groups such as support
staff or auditors, while maintaining centralized control of policy
enforcement. View security policies, the status of all Check Point
products, and administrator activity as well as edit, create, and modify
internal users.

122
Chapter 4: Check Point Security Solutions and Licensing

Management Software Blades for Monitoring Analysis

Logging and Status

The Check Point Logging and Status software blade transforms data
into security intelligence. It is an advanced log analyzer that delivers
split-second search results, providing real-time visibility into billions of
log records over multiple time periods and domains.

Next Generation SmartEvent


The Check Point Next Generation SmartEvent software blade
consolidates monitoring, logging, reporting, and event analysis in a
single console to provide comprehensive, easy-to-understand threat
visibility. Using SmartEvent allows security teams to focus their efforts
on critical threats rather than being overwhelmed with loads of data.

Monitoring

The Check Point Monitoring software blade presents a complete picture
of network and security performance, enabling fast responses to
changes in traffic patterns or security events. The software blade
centrally monitors Check Point devices and alerts to changes to
gateways, endpoints, tunnels, remote users, and security activities.

Management Software Blades for Operations and Workflow

Compliance

The Check Point Compliance software blade provides an integrated and
fully automated security and compliance monitoring solution. The
Compliance software blade enables continuous monitoring, strengthens
regulatory compliance, maintains Security Policy, and reduces audit
time and costs.


User Directory

The Check Point User Directory software blade leverages LDAP
servers to obtain identification and security information about network
users, eliminating the risks associated with manually maintaining and
synchronizing redundant data stores and enabling centralized user
management throughout the enterprise.

Endpoint Software Blades

Full Disk Encryption

The Check Point Full Disk Encryption software blade provides
automatic security for all information on endpoint hard drives,
including user data, operating system files and temporary and erased
files. For maximum data protection, multi-factor pre-boot
authentication ensures user identity, while encryption prevents data loss
from theft.

Media Encryption
The Check Point Media Encryption software blade provides centrally-
enforceable encryption of removable storage media such as USB flash
drives, backup hard drives, CDs and DVDs for maximum data
protection. Port control enables management of all endpoint ports, plus
centralized logging of port activity for auditing and compliance.

Remote Access VPN


The Check Point Remote Access VPN software blade provides users
with secure, seamless access to corporate networks and resources when
traveling or working remotely. Privacy and integrity of sensitive
information is ensured through multi-factor authentication, endpoint
system compliance scanning, and encryption of all transmitted data.



Software Blade Packages
To address evolving security needs, Check Point offers several Next Generation software blade
packages for a complete and consolidated security solution focused on specific customer
requirements. These all-inclusive software blade packages are available on Check Point
appliances and open servers.

Next Generation Firewall

The Check Point Next Generation Firewall software blade package
includes advanced technologies, such as IPS, identity awareness and
application control, and stateful Firewall to ensure only the traffic and
applications you allow can access your network. The following
software blades are included: Firewall, IPS, Identity Awareness, and
Application Control.

Next Generation Threat Prevention

Multi-vector attacks are more common than ever and multiple
technologies are needed to protect companies from those attacks. The
Check Point Next Generation Threat Prevention (NGTP) software
blade package provides a multi-layered threat prevention strategy to
defend against multi-vector attacks. The technologies combined in this
package work together to protect your organization from bots,
eavesdropping, vulnerabilities, phishing, malware, and spam.

The following software blades are included: Firewall, IPS, Application
Control, URL Filtering, Anti-Bot, Antivirus, and Anti-Spam and Email
Security. ThreatCloud Emulation Service is also included.

Next Generation Threat Extraction


The new face of malware is fast and stealthy thanks to obfuscation tools
that help attacks slip past the most sophisticated anti-malware solutions.
The Check Point Next Generation Threat Extraction (NGTX) software
blade package combines the NGTP package set with CPU-level and
operating system-level sandbox capabilities to detect and block
malware. While the file is run in a sandbox, Threat Extraction
reconstructs incoming documents to deliver zero malware documents in
zero seconds. The package includes all NGTP software blades plus the
Threat Extraction Service.


Secure Web Gateway (SWG)


The Check Point Secure Web Gateway software blade package provides
an intuitive solution that enables the secure use of Web 2.0, with real
time multi-layered protection against web-borne malware, the largest
application control coverage in the industry, intuitive centralized
management, and essential end-user education functionality. The
solution embraces the current shift from simple URL Filtering to
comprehensive malware protection. The following software blades are
included: Antivirus, Application Control, URL Filtering, and more.

Next Generation Data Protection (NGDP)
Data Protection solutions must encompass all facets of protecting
content from getting into the wrong hands. Multiple technologies such
as DLP, IPS, and Application Control must be used to ensure all
potential data leaks are sealed. The Check Point Next Generation Data
Protection software blade package combines these technologies into a
complete solution that protects confidential data from inadvertently
leaving the organization.

Additional Check Point Security Solutions

Check Point software blades can be deployed on Check Point appliances and open servers. New
software blades can be easily added to your existing hardware by simply enabling their
functionality in SmartConsole. No additional hardware, firmware, or drivers are necessary.
Check Point products and security solutions are designed to address specific industry needs
and adapt to infrastructure changes and dynamic networks. They also help organizations reduce
risk, ensure compliance, and improve operational efficiency.

The most complete list of Check Point security solutions is located on the Check Point
website. Scan the QR code or enter the URL in your browser. For additional information,
contact your local Check Point Reseller directly.


Licensing Overview
All Check Point appliances and software products must be properly licensed and activated
before use. A license contains the features and functionality of the purchased product and
specifies its terms of use. It also contains other information, such as the maximum number of
users, devices and/or IP addresses allotted for the product, as well as a signature key,
certification key, and service contract data. Check Point licensing is designed to be both
scalable and modular to accommodate all-inclusive software packages and custom solutions
tailored to meet the needs of the organization.

Components of a License
A Check Point software license consists of two components: the software blade and the
Software Container.

The Software Blade

The software blade enables a specific feature or functionality. A software blade is analogous to
a physical blade server: just as a blade server must be installed in a chassis, each software
blade must be attached to a Software Container.

The Software Container

Every server running a Check Point product begins with a Software Container. The Software
Container houses the blades. It enables the server functionality and defines its purpose as that
of a management server or gateway. There are three types of Software Containers: Security
Management, Security Gateway, and Endpoint Security. Security Management and Security
Gateway software blades must be attached to a Software Container to be licensed. Endpoint
Security software blades are licensed independently of the Endpoint Security Container.

All packaged software blades purchased as part of a specific solution are automatically
attached to at least one container. It is not possible to detach blades included in a package.
When a software blade is purchased separately from a package, it is referred to as an “a la
carte” blade. For example, if you wish to add the SmartProvisioning feature to your existing
Security Management solution, you would purchase an a la carte SmartProvisioning Blade.
The blade would then be attached to your Security Management container. An a la carte blade
can be detached and moved to a different server.


Perpetual versus Subscription Blades

Security Management and Security Gateway software blade licenses are perpetual, which
means they have no expiration date. Security Gateway software blades are licensed per
gateway, whereas Security Management software blades require one management blade
license per management container, regardless of the container size.

Service blades, such as IPS, URL Filtering, and Application Control are considered
Subscription Blades. Licenses for Subscription Blades can expire. The license includes both
the software subscription and the associated Support Services Contract. These blades are
licensed and renewed for a specified period of time, which is typically 1, 2, or 3 years. Service
Blades must be attached to a Security Gateway Container.

Endpoint software blades are available as perpetual and subscription blades; however, the
Container is always perpetual. Endpoint is unique in that it requires both a management
container and an endpoint container. All Endpoint products are licensed independently of the
Endpoint Security Container and the licenses are installed on the Endpoint management server.

NOTE
For Endpoint, the Remote Access blade is installed on the Network
Security Management Server instead of the Endpoint Management Server.

Additional Blade Licenses

Additional licenses include Plug-and-Play (Trial) licenses and Evaluation licenses. A Plug-
and-Play license provides a temporary license for 15 days of unlimited client full functionality
after purchasing and installing your appliance. These licenses allow you to activate your
permanent license at a later time.

Evaluation licenses are generated for the purpose of evaluating products prior to purchasing.
These licenses provide unlimited client full functionality for 30 days. When the 30 days expire,
software functionality is disabled.


Central and Local Licenses


Check Point Licenses come in two forms: Central and Local. The Central license is the
preferred and recommended method of licensing. This license ties the package license to the IP
address of the Security Management Server and has no dependency on the gateway IP. This
means there is only one IP address for all licenses and the license remains valid even if the IP
address of the gateway is changed. The license can be easily taken from one Security Gateway
and given to another. There is no need to create and install a new license.

A Local license is tied to the IP address of a specific Security Gateway. This license cannot be
transferred to a gateway with a different IP address. A Local license can only be used with a
gateway or a Security Management Server with the same address.

Central licenses require an administrator to designate a gateway for attachment while Local
licenses are automatically attached to their respective Security Gateways.

Figure 66 — Central License


License Activation

Once the necessary blades are attached, either by Check Point or the organization’s Account
Administrator, the license for the management server is ready to be activated. Check Point
offers two methods for activating a license: Online Activation and Offline Activation.

Online Activation
The Online Activation method is available for Check Point manufactured appliances. Using
the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User
Center and downloads all necessary licenses and contracts. No further steps are required to
license the appliance. The User Center is a single sign-on management portal that provides
technical support and other resources and tools for managing Check Point accounts and
products. Online Activation cannot be used for open servers and non-Check Point appliances,
such as IP series appliances or IBM Integrated Appliance Solutions.

Though optional, the appliance should be configured to have Internet connectivity during
completion of the configuration wizard in order to connect to the User Center. If the appliance
does not have direct Internet access, proxy settings can be configured on the Device
Information page in the configuration wizard.

Figure 67 — First Time Configuration Wizard


Offline Activation
The Offline Activation method is available for all Check Point installations. An Account
Administrator or Licenser will generate a license file through the Check Point User Center and
then apply the license via SmartUpdate, an application within SmartConsole.

Hardware Licenses
Licenses for Check Point hardware products are valid only as part of and for the life of the
originally designated product. Gaia embedded appliances purchased with a packaged solution
will include the specified software licenses and the associated software container. Both Online
and Offline Activation options are available for Gaia-embedded Check Point appliances.

Automatic Licensing

Check Point’s Automatic Licensing feature provides the option to have all licenses activated
automatically. This option can only be applied to Check Point appliances. To use this feature,
the management server must be able to connect to the Internet. The automatic licensing feature
performs the following operations:

- Checks periodically to verify licenses.
- Activates new licenses added to the Licenses & Contracts Repository.
- Automatically adds new blades to SmartConsole.


To turn on the Automatic Licensing feature:

1. Launch SmartConsole.
2. From the Launch menu, select Global Properties and then Security Management Access.
3. Click the checkbox for Automatically download Contracts and other important data
(Recommended).

Figure 68 — Global Properties Window

CP.MACRO Files
A cp.macro file is an electronically signed file used by the Check Point software to translate
the features included within the installed license(s) file into code, or primitives. In most cases
you do not need to worry about the cp.macro files. An updated cp.macro file is included in
each release of Check Point software. It includes all current and past license features as of the
time that the software is released and permits the software to support new features.


SmartUpdate
SmartUpdate extends an organization’s ability to provide centralized package and license
management across enterprise-wide deployments. This SmartConsole application is used to
deliver automated software and license updates to hundreds of distributed Security Gateways.
SmartUpdate enables remote upgrade, installation, and license management to be performed
securely and easily. It provides greater control and efficiency while decreasing maintenance
costs associated with managing global security installations.

SmartUpdate Architecture

SmartUpdate installs the following repositories on the Security Management Server:

- License & Contract — Stored on all platforms in the directory $CPDIR\conf\
- Package Repository — Stored on Windows machines in C:\SUroot and UNIX
machines in /var/log/cpupgrade/suroot

Figure 69 — SmartUpdate Architecture

Packages and licenses are loaded into these repositories from several sources, such as:

- Download Center Web site (packages)
- Check Point DVD (packages)
- User Center (licenses)
- Running cplic from the command line


Of the many processes that run on Security Gateways distributed across the corporate network,
two in particular are used for SmartUpdate. Upgrade operations require the Check Point
Remote Installation daemon (cprid) and license operations use the Check Point Daemon
(cpd). These processes listen and wait for the information to be summoned by the Security
Management Server.

From a remote location, an administrator logged into the Security Management Server initiates
operations using the SmartUpdate application. The Security Management Server makes
contact with the Security Gateways via the processes that are running on these components to
execute the operations initiated by the System Administrator, such as attach a license or upload
an upgrade. Information is taken from the repositories on the Security Management Server. For
instance, if a new install is being initiated, the information is retrieved from the Package
Repository. If a new license is being attached to a remote gateway, information is retrieved
from the License & Contract Repository. This entire process is SIC-based and is completely
secure.

Using SmartUpdate
SmartUpdate contains two tabs, the Package Management tab and the License & Contracts tab.
The Package Management tab shows packages and operating systems installed on the Security
Gateways managed by the Security Management Server. Operations that relate to packages can
only be performed here. The Licenses & Contracts tab shows the licenses on the managed
Security Gateways and Check Point devices. Operations that relate to licenses can only be
performed here. The tabs are divided into a tree structure that displays the packages installed
and the licenses attached to each managed Security Gateway.


The tree has the following three levels:

- Root — Shows the name of the Security Management Server to which the GUI is
connected.
- Second — Shows the names of the Check Point Security Gateways and devices
configured in SmartConsole.
- Third — Shows the Check Point packages or installed licenses on the Check Point
Security Gateways and devices.

Figure 70 — SmartUpdate


The following information can be displayed:

- The Package Repository pane shows all the packages available for installation. To view
this pane, select Packages > View Repository.
- The License & Contract Repository pane shows all attached and unattached licenses. To
view this pane, select Licenses & Contracts > View Repository.
- The Operation Status pane shows past and current SmartUpdate operations. To view
this pane, select Operations > View Status.
- The Operations Performed pane shows the progress of current operations (i.e. Installing
package <X> on gateway <Y> or Attaching license <L> to gateway <Y>).
- The status of the operation being performed (i.e. operation started or a warning).
- A progress indicator which shows the progression of the operation.
- The time that the operation takes to complete.

Additionally, there are icons included that will allow administrators to quickly perform the
following tasks:

- Add Licenses from the User Center.
- Add Licenses manually.
- Import Licenses from File.
- Open a View of the Package Repository.
- Open a View of the Licenses & Contract Repository.
- Open a View of the Operation Status.
- Find a string in the specified SmartUpdate View.

Package Repository
The Package Repository stores package information for software version upgrades and hot
fixes. The following operations are performed when installing a package:

- Check Point Remote Installation Daemon connects to the Check Point gateway.
- Verification for sufficient disk space.
- Verification of the package dependencies.
- The package is transferred to the gateway if it is not there already.
- The package is installed on the gateway.
- Enforcement policies are compiled for the new version.
- The gateway is rebooted if the Allow Reboot option was selected and the package
requires it.
- The gateway version is updated in the database.
- The installed packages are updated in SmartUpdate.


Managing Licenses
All licenses for Check Point packages throughout your organization can be managed from the
Security Management Server using SmartUpdate. SmartUpdate provides a global view of all
available and installed licenses and enables administrators to perform operations such as
adding new licenses, attaching licenses, and upgrading licenses to Check Point Security
Gateways. It is also possible to detach and delete licenses using SmartUpdate.

Add and Install Licenses

After a license has been generated, it must be installed on the gateway and registered with the
Security Management Server. Check Point licenses can be installed through SmartUpdate.

To install a license, you must first add it to the License & Contract Repository. To add a
license:

1. Launch SmartUpdate.
2. Choose the Licenses & Contracts tab.
3. From the Launch Menu, choose Licenses & Contracts > Add License.

Installing licenses via SmartUpdate is recommended; however, it is also possible to install a
license through the CLI. Use the following command to verify that the license is installed:

cplic print


There are three ways to add a license to the License & Contract Repository: from the User
Center, from a file, or manually.

Figure 71 — Add License

Add License From User Center

To add a license from the User Center:

1. Click on the Add Licenses From User Center icon, or from the Launch Menu, choose
Licenses & Contracts > Add License > From User Center.
2. The browser window will open the Check Point User Center/PartnerMap sign-in page.
Sign in with your credentials to download the license file from the User Center.
4. After the file has been downloaded, return to SmartUpdate to add the license to the License
& Contract Repository using the From File or Manually method.


Add License From File


To add a license from File:

1. Click on the Import Licenses From File icon, or from the Launch Menu, choose Licenses
& Contracts > Add License > From File.
2. Browse to the location of the license file, select it, and click Open.

Local licenses will be automatically attached to the Security Gateway. Central licenses will be
placed in the License & Contract Repository.

NOTE
The license file name options may vary slightly between versions.

Add License Manually


Upon generating a license, an email containing the license file and manual installation
instructions for adding the license to the License & Contract Repository will be sent to the
Account Administrator. To add a license manually:

1. Copy the license string from your email to the clipboard. The string will start with cplic
put and end with the last SKU/feature. For example:

cplic put 1.1.1.1 31Dec2015 dw59Ufa2z-eLLQ9NBgP-uyflQOwKr-HeSo4zLQx CPSG-C-2-U CPSB-FW

2. Select the Licenses & Contracts tab in SmartUpdate.
3. Click on the Add License manually icon, or from the Launch Menu, choose Licenses &
Contracts > Add License > Manually. The Add License window will appear.
4. You may assign a name to the license, if desired. If you leave the Name field empty, the
license is assigned a name in the format SKU@time date.
5. You may manually enter the license details or click Paste License. If you use the Paste
License option, the fields will be populated with the license details.
6. Click Calculate and make sure the results match the validation code received from the
User Center. The validation code is used to confirm the license.
7. Click OK to complete the operation.


Attaching and Detaching Licenses

When imported into SmartUpdate, Central licenses will need to be attached to the Security
Gateway. To attach a Central license, select the Licenses & Contracts tab and right-click on the
Security Gateway object you wish to attach the license to.

Detaching removes a license from the object to which it is attached. To detach a license, select
the Licenses & Contracts tab, and right-click on the license to be detached. Detached Local
licenses are automatically deleted from SmartUpdate. Detached Central licenses are placed in
the License Repository and are available to be attached to another Security Gateway object
when desired. If the license is no longer needed, you may choose to delete it from the License
& Contracts Repository as well.

New Licenses

New licenses should be generated and installed when:

- the existing license expires.
- the license is upgraded.
- the IP address of the Security Management or Security Gateway has changed.

View License Properties

The License & Contract Repository displays general information on each license, such as the
name of the license and the IP address of the machine to which it is attached. You can view
other properties as well, such as the expiration date, SKU, license type, Certificate Key, and
signature key. To view license properties, double-click on the license in the Licenses &
Contracts tab.

Check for Expired Licenses


After a license has expired, the functionality of the Check Point package will be impaired.
Therefore, it is advisable to be aware of the pending expiration dates of all licenses. To check
for expired licenses, in SmartUpdate, select Licenses & Contracts > Show Expired. To check
for licenses nearing their dates of expiration:

1. In the License Expiration window, set the Search for licenses expiring within the specified
amount of days property.
2. Click Apply to run the search.

To delete expired licenses from the License Expiration window, select the detached license(s)
and click Delete.
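The license string layout from the Add License Manually steps and the expiry search described under Check for Expired Licenses, worked as an added Python example (not code from the manual or from Check Point). It parses constructed cplic put strings, classifies each as Central or Local by comparing its IP with an assumed Security Management Server address, and flags licenses that are expired or expire within a chosen number of days; treating the expiry text "never" as a perpetual license is an assumption of the example, not something the manual states.

```python
"""Triage of Check Point 'cplic put' license strings.

Added example, not code from the Check Point manual. It assumes the
string layout the manual shows for adding a license manually:

    cplic put <IP address> <expiration date> <signature> <SKU/feature> ...

with the date written as in 31Dec2015. Two further assumptions are not
on the page: the literal expiry "never" is treated as a perpetual
license, and a license whose IP equals the Security Management Server
address is classified as Central (the manual says Central licenses are
tied to that IP), any other IP as Local.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable, List, Optional


@dataclass
class License:
    host_ip: str
    expires: Optional[date]   # None = perpetual (no expiration date)
    signature: str
    features: List[str]       # SKUs: container first, then blades


def parse_cplic_put(line: str) -> License:
    """Split one 'cplic put ...' string into its fields.

    A ValueError flags a truncated paste (a string cut off before the
    last SKU) before it is handed to the License & Contract Repository.
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[:2] != ["cplic", "put"]:
        raise ValueError(f"not a complete cplic put string: {line!r}")
    host_ip, expiry_text, signature = tokens[2], tokens[3], tokens[4]
    if expiry_text.lower() == "never":          # assumption: perpetual
        expires = None
    else:
        expires = datetime.strptime(expiry_text, "%d%b%Y").date()
    return License(host_ip, expires, signature, tokens[5:])


def license_kind(lic: License, mgmt_ip: str) -> str:
    """'Central' when bound to the management server IP, else 'Local'."""
    return "Central" if lic.host_ip == mgmt_ip else "Local"


def license_state(lic: License, days: int, today: date) -> str:
    """Expiry state, mirroring SmartUpdate's 'Show Expired' and
    'expiring within the specified amount of days' checks."""
    if lic.expires is None:
        return "perpetual"
    if lic.expires < today:
        return "expired"
    if lic.expires <= today + timedelta(days=days):
        return f"expires within {days} days"
    return "valid"


def expiring_within(licenses: Iterable[License], days: int,
                    today: date) -> List[License]:
    """Licenses already expired or expiring within `days` days."""
    flagged = ("expired", f"expires within {days} days")
    return [lic for lic in licenses
            if license_state(lic, days, today) in flagged]


def triage(text: str, mgmt_ip: str, days: int, today: date) -> List[dict]:
    """Parse every cplic put line in `text` and report kind and state."""
    rows = []
    for line in text.strip().splitlines():
        lic = parse_cplic_put(line)
        rows.append({"ip": lic.host_ip,
                     "kind": license_kind(lic, mgmt_ip),
                     "features": lic.features,
                     "state": license_state(lic, days, today)})
    return rows


# Constructed sample input (documentation IP range, placeholder
# signatures). CPSG-C-2-U and CPSB-FW are the SKUs in the manual's own
# example; the *-PLACEHOLDER-SKU entries stand in for other blades.
MGMT_IP = "192.0.2.1"
SAMPLE = """
cplic put 192.0.2.1 31Dec2015 SIG-PLACEHOLDER-AAAA CPSG-C-2-U CPSB-FW
cplic put 192.0.2.1 never SIG-PLACEHOLDER-BBBB CPSM-PLACEHOLDER-SKU
cplic put 192.0.2.25 30Nov2015 SIG-PLACEHOLDER-CCCC CPSG-C-2-U CPSB-FW
cplic put 192.0.2.25 15Mar2016 SIG-PLACEHOLDER-DDDD CPSB-PLACEHOLDER-SKU
"""
REFERENCE_DAY = date(2015, 12, 1)   # fixed 'today' so results are stable


def sample_report(days: int = 30) -> List[dict]:
    """Run the triage over the constructed sample."""
    return triage(SAMPLE, MGMT_IP, days, REFERENCE_DAY)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```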


Export a License

To export a license to a file:

1. In SmartUpdate, select one or more license(s) from the License Repository, and
right-click.
2. From the menu, select Export License to File.
3. In the Choose File to Export License(s) To window, name the file or select an existing file
and browse to the desired location.

Figure 72 — Export License(s) to File Window

4. Click Save.

All selected licenses are exported. If the file already exists, the new licenses are added to the
file.

NOTE
Check Point recommends that you make a backup copy of the license prior
to deleting the file in case the file is needed for future use.


License Status

SmartConsole allows you to quickly reference the license status for each software blade per
gateway. The License Status view provides information about each blade generated for an
individual gateway and summarizes what products or services are active and/or available for
the gateway. To view License Status:

1. In SmartConsole, click the object you want to view.
2. From the Summary tab, click Device & License Information.
3. The Device & License Information window will appear. Click the License Status option
located in the left-hand panel.

Figure 73 — License Status


You may also save the status information as a PDF report or export the information to a file.

Figure 74 — License Status Options


License Reports

To generate a report of all licenses allocated for your full network environment:

1. Launch SmartConsole.
2. In the License Repository, right-click the object.
3. From the menu bar, select Action and then License Report.
4. Select the desired report format to be generated.

Figure 75 — Action > License Report

Service Contracts
Following the activation of the license, a Service Contract file should be installed. The Service
Contract file contains all relevant support data for the subscriptions purchased for a specific
device such as IPS, DLP, and URL Filtering. The Service Contract file is also installed via
SmartUpdate. It is necessary to import the contract data from the User Center for proper
entitlement. The service contract data is referenced whenever a Service Request (SR) is
initiated or a cpinfo file needs to be forwarded to Check Point Support.


To import the Service Contract file:

1. Launch SmartUpdate.
2. From the menu, select License & Contracts > Update Contracts > From User Center.
3. A pop-up window will appear. Enter your User Center credentials.

Upgrading Contracts

Before upgrading a gateway or Security Management Server, you need to have a valid service
contract that includes software upgrade and major releases registered to your Check Point User
Center account. The contract file is stored on the Security Management Server and
downloaded to Check Point Security Gateways during the upgrade process. By verifying your
status with the User Center, the contract file enables you to easily remain compliant with
current Check Point licensing standards.


Figure 76 — Service Contracts


As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain
Management server before upgrading the gateways. Once the management server has
been successfully upgraded and contains a contract file, the contract file is transferred to a
gateway when the gateway is upgraded, or the contract file is retrieved from the management
server.


Updating Contracts
To update contracts in SmartUpdate, use the Licenses & Contracts option provided under the
Licenses & Contracts tab menu.
- Update Contracts - Installs contract information on the Security Management
Server. Each time you obtain a new contract, you can use this option to make sure the
new contract is displayed in the license repository.
- Get all Licenses - Collects licenses of all gateways managed by the Security
Management Server and updates the contract file on the server if the file on the gateway
is newer.

Figure 77 — Updating Contracts


Managing Contracts
Once you have successfully upgraded the Security Management Server, you can use
SmartUpdate to display and manage your contracts. From the License Management window, it
is possible to see whether a particular license is associated with one or more contracts. The
License Repository window in SmartUpdate displays contracts as well as licenses.


Review Questions
1. Name the five Check Point all-inclusive software blade package solutions.

2. When should new licenses be generated and installed?


Traffic Visibility

SmartConsole lets you transform log data into security intelligence by tightly integrating
logging, monitoring and event management. Monitoring network activity and analyzing
threat data is key to protecting an organization’s network. SmartConsole traffic visibility
tools are designed to help administrators effectively monitor traffic and connections,
analyze log data, troubleshoot events and quickly respond to changes in traffic flow
patterns or suspicious security activities.

Learning Objectives

- Identify tools designed to monitor data, determine threats, and recognize opportunities for
performance improvements.
- Identify tools designed to respond quickly and efficiently to changes in gateways, tunnels, remote
users, traffic flow patterns, and other security activities.

Analyzing Logs
Collecting Information
An important reason for collecting and viewing SmartConsole logs is to research alerts,
rejected connections, and failed authentication attempts. Collecting logs helps with analyzing
network traffic patterns and meeting compliance requirements. For instance, you can see how
many HTTP services were used during peak activity.

SmartConsole shows the logs from all Security Gateways and all Log Servers. A Log Server
stores log files for export and import and helps to reduce the load on the Security Management
Server. Log Servers make an index of the logs so that log queries are very fast. To view logs
from a particular Log Server or Security Gateway, filter the logs to display the information
desired.

Figure 78 -— SmartConsole Log Collection Process


Deploy Logging
The Security Gateways collect logs and send them to the Log Server. The Log Server is usually
on the Security Management Server. In large organizations that generate a lot of logs, it is
recommended to install the Log Server on a dedicated computer. More than one Log Server
can be installed. SmartConsole shows the logs from all Security Gateways and Log Servers.


The following steps detail the workflow for deploying logging:

1. To store logs on a dedicated computer instead of the Security Management Server, install
one or more standalone Log Servers.
2. In SmartConsole, enable logging on the Security Management Server or the standalone
Log Servers, or on all of them.
3. Configure the Security Gateways to send logs to the Log Server or the domain Log Server.

Figure 79 — General Properties Window

Configure Logging

To configure logging from a Security Gateway to a Security Management Server or a Log
Server, define one or more Log Servers if using them, and enable logging on the Security
Management Server and the Log Servers. Then, configure the Security Gateways to send logs
to the Log Server or the domain Log Server, and install the policy.

Logs are not automatically forwarded to a new Log Server. SmartConsole must be used to
manually configure each gateway to send its logs to the server. To configure the Security
Gateway, enable Logging & Status in the General Properties page of the Security Gateway.
Also, configure these options in the Logs page:

- Save logs on this machine
- Send logs and alerts to server (<name of management server>)

SmartConsole Logs View


The SmartConsole Logs view allows administrators to monitor traffic and query for
information. It continually provides log information on real-time traffic, making it easy to
monitor what is going on in the network. Running queries on the logs is easy, using the many
pre-defined queries. In addition, custom queries can be easily created using pre-defined search
filters. Using the Logs view, administrators can also examine audit logs from administrator
activities. Because the logs are indexed using the indexing engine, the search results are very
fast.

Figure 80 -— SmartConsole Log View


1. Favorite queries - Predefined and favorite search queries.
2. Time Period - Search predefined and custom time periods.
3. Query search bar - Define custom queries in this field using the GUI tools or manually
entering query criteria. Shows the query definition for the most recent query.
4. Event Statistics pane - Shows top results of the most recent query.
5. Results pane - Shows log entries for the most recent query.

Tracking Rules
Logs should be used to view traffic patterns. Therefore, the Security Policy should be set to
track all rules that may need to be monitored. To do this, tracking options must be configured
for each rule in the Access policy. Make sure that the Access policy tracks all rules you will
possibly wish to study. Keep in mind that tracking multiple rules results in a large log file,
which requires more disk space and management operations. To balance these conflicting
needs, track rules that will help to improve your network's security, will provide a better
understanding of user behavior, and will be useful in reports.

To configure tracking in a policy rule, right-click in the Track column of a rule and select a
tracking option.

Tracking Options

- Network Log - Generate a log with only basic Firewall information, such as source,
destination, source port, destination port, and protocol.
- Log - Like the Network Log option, but also includes the application name (for
example, Dropbox), and application information (for example, the URL of the website).
This is the default Tracking option. On Pre-R80 gateways this logging option shows
two logs: A Firewall log, which is the same as Network Log, and an Application
Control and URL Filtering log. To see file attributes, Data Awareness must be enabled.
- Full Log - Like the Log option, but also includes data type information (Data
Awareness must be enabled). For example, if a connection matches a rule where the
Application is Gmail and the Data is source code, the source code is included with the
log. For Pre-R80 gateways, this logging option is the same as Log.
- None - Do not generate a log.

The following options can be added to a Log, Full Log, or Network Log:

- Accounting - If selected, the log is updated every 10 minutes to show how much data
has passed in the connection: Upload bytes, Download bytes, and browse time.
- Suppression - Applies when there are multiple similar connections. If selected, one log is
generated every 3 hours for all the connections. This is the default. If not selected, there
is a log for every connection.

Alert Options
Available Alert options include:

- None - Do not generate an alert.
- Alert - Generate a log and run a command, such as send an email alert, or run a user-
defined script.
- SNMP - Send an SNMP alert to the SNMP GUI, or run the script.
- Mail - Send an email to the administrator, or run the mail alert script.
- User Defined Alert - Send one of three possible customized alerts. The alerts are
defined by specified scripts.

To define scripts for all Alert options, launch SmartConsole and select Global Properties from
the Menu. Select Log and Alert > Alerts.

Examining Logs

Logs per Rule


In SmartConsole, administrators can select a rule to view the logs that were generated by
packets that matched the rule. This provides a very useful way of improving the performance
of an organization's Access Control policy. If a rule has lots of hits, it should be moved higher
up in the Rule Base.

Log Details


Double-click a log to view the details of that log. Log details include log information, policy
and traffic flow details.

Figure 81— Log Details Window

Predefined Log Queries


SmartConsole provides a way to quickly and easily search logs by using predefined log
queries. To run a predefined query, click the Favorites icon to open the list of Favorites and
Predefined Log Queries. Predefined queries are organized into folders according to policy
type, such as Access Control and Threat Prevention, and according to software blade.


Custom queries can also be created and saved for future use. The Favorites List stores saved
custom queries. Additional folders can be created to organize the customized queries.

Figure 82 — Predefined Log Queries

Query Results
Queries can return tens of thousands of results. Network performance is not degraded because
the Logs view only displays the first set of results. Typically, this is about 50 results. To view
more results, scroll down the page. While scrolling, SmartConsole extracts more records from
the log index on the Security Management Server or Log Server, and adds them to the results
set. The number of results is displayed above the Results pane. Query results can be exported
to a Comma Separated Value file.


Filter Criterion
Filter criterion values are written as one or more text strings. A text string may be a word, IP
address, or URL.

Examples:

- richard
- 192.0.2.1
- 10.0.0.0/24
- 2001:0db8::61:1/32
- mahler.ts.example.com

Text strings with more than one word must be surrounded by apostrophes or quotation marks.

Examples:

- 'John Doe'
- 'log out'
- "VPN-1 Embedded Connector"

Numbers and IP addresses cannot be placed in quotation marks.

Examples:

- 65000-66000
- port: 80-660

IPv4 addresses can be entered using dotted decimal or CIDR notation. Typically, IPv6
addresses are entered using CIDR notation.

Examples:

- 192.0.2.1
- 192.168.0.0/24

Null values, or empty values, may be used with fields using one of the following syntax
options:

- <field>
- <field> []


Wildcard Characters
Wildcard characters are used to expand search results. There are two standard wildcard
characters, the asterisk and the question mark. The question mark matches a single character,
whereas the asterisk matches a character string.

Wildcard          Matches
Jo?               Jon
                  Joe
192.168.2.*       192.168.2.10
                  192.168.2.255
192.168.*         192.168.0.0
                  192.168.255.255
Table 12: Wildcard Search Examples

If the criteria value contains more than one word, use the wildcard in each word. For example,
Jo* N* shows Joe North, John Nat, Joshua Norway, and so on.

Boolean Operators
Boolean operators are used to refine search results. The Boolean operators AND, OR, and
NOT are used to create queries with multiple filter criteria in order to refine search results.
They are not case sensitive. In order to retrieve the most useful results, there are a few
guidelines that should be followed when using Boolean operators. The syntax for using a
Boolean operator is:

[<Field>:] <Filter Criterion> AND|OR|NOT [<Field>:] <Filter Criterion>

Multiple Boolean expressions should be entered in parentheses. For example, to find logs that
were dropped, rejected or blocked, use the following query:

Action: (drop OR reject OR block)


If more than one criterion is entered without a Boolean operator, the AND operator is implied.
When using multiple criteria without parentheses, the OR operator is applied before the AND
operator.

blade:"application control" AND action:block
    Displays log records from the Application Control and URL Filtering software blade
    where traffic was blocked.
192.0.2.133 10.19.136.101
    Includes log entries that contain both of these IP addresses.
192.0.2.133 OR 10.19.136.101
    Includes log entries that match one of the IP addresses.
(blade:Firewall OR blade:IPS OR blade:VPN) AND NOT action:drop
    Includes all log entries from the Firewall, IPS, or VPN blades that are not dropped.
    The criteria in the parentheses are applied before the AND NOT criteria.
Table 13: Boolean Operator Search Examples

The NOT Boolean operator may also be used to return fields that are not null. The syntax is:

- NOT <field>
- NOT <field> []
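The filter syntax described in the Filter Criterion, Wildcard Characters and Boolean Operators sections above, worked through as an added Python example that is not part of the manual or of Check Point's query engine: a small parser evaluates queries such as those in Table 13 (implied AND, OR before AND, parentheses, field:(...) groups, wildcards, CIDR blocks and the null-field forms) over constructed sample log records. The field set, the record layout and the rule that a bare word equal to a field name is read as a null test are assumptions of this example.

```python
import ipaddress
import re

# Added example, not Check Point's query engine; constructed logs over an assumed field set.
FIELDS = ("src", "dst", "blade", "action", "user")            # None marks an empty field
LOGS = [
    {"src": "192.0.2.133", "dst": "10.19.136.101", "blade": "Firewall", "action": "accept", "user": "John Doe"},
    {"src": "192.0.2.133", "dst": "198.51.100.7", "blade": "Application Control", "action": "block", "user": "richard"},
    {"src": "10.19.136.101", "dst": "192.0.2.20", "blade": "IPS", "action": "drop", "user": None},
    {"src": "192.168.2.10", "dst": "203.0.113.9", "blade": "VPN", "action": "reject", "user": "Joe North"},
]
TOKEN = re.compile(r'\(|\)|\[\]|"[^"]*"|\'[^\']*\'|[^\s()\[\]"\']+')

def make_matcher(text):
    """Predicate for one criterion value: an IP address or CIDR block matches by network
    membership; otherwise '*' (any string) and '?' (one character) are wildcards, matched
    case-insensitively per word, so Jo* matches 'Joe North' and a phrase needs consecutive words."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        net = None
    if net is not None:
        def in_network(value):
            try:
                return ipaddress.ip_address(value) in net
            except ValueError:
                return False
        return in_network
    pats = [re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                               for c in word), re.IGNORECASE) for word in text.split()]
    def matches(value):
        words = value.split()
        return any(all(p.fullmatch(w) for p, w in zip(pats, words[i:]))
                   for i in range(len(words) - len(pats) + 1))
    return matches

class Query:
    """Recursive-descent parser: implied AND between criteria, OR binding tighter than AND,
    NOT, parentheses, field:value and field:(...) groups, quoted phrases, and <field> /
    <field> [] for empty fields (a bare word equal to a field name is read as that null test)."""
    def __init__(self, text):
        self.tokens, self.pos = TOKEN.findall(text), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def and_expr(self, field):
        parts = [self.or_expr(field)]
        while self.peek() not in (None, ")"):
            if self.peek().upper() == "AND":       # explicit AND; otherwise implied
                self.take()
            parts.append(self.or_expr(field))
        return lambda rec: all(p(rec) for p in parts)

    def or_expr(self, field):
        parts = [self.unary(field)]
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            parts.append(self.unary(field))
        return lambda rec: any(p(rec) for p in parts)

    def unary(self, field):
        tok = self.take()
        if tok is None:
            raise ValueError("query ended unexpectedly")
        if tok.upper() == "NOT":
            inner = self.unary(field)
            return lambda rec: not inner(rec)
        if tok == "(":
            inner = self.and_expr(field)
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        name = field
        if tok[0] not in "\"'":
            head, sep, rest = tok.partition(":")
            if sep and head.lower() in FIELDS:
                if rest == "":                     # "field: value" or "field: (...)"
                    return self.unary(head.lower())
                name, tok = head.lower(), rest
            elif not sep and tok.lower() in FIELDS:   # <field> or <field> []
                if self.peek() == "[]":
                    self.take()
                return lambda rec, f=tok.lower(): rec.get(f) is None
        matcher = make_matcher(tok.strip("\"'"))
        if name is None:                           # no field given: match any field
            return lambda rec: any(v is not None and matcher(v) for v in rec.values())
        return lambda rec: rec.get(name) is not None and matcher(rec[name])

def search(query, logs=LOGS):
    q = Query(query)
    pred = q.and_expr(None)
    if q.pos != len(q.tokens):
        raise ValueError(f"unexpected token {q.peek()!r}")
    return [rec for rec in logs if pred(rec)]
```

Running search("blade:IPS OR blade:VPN AND action:drop") returns only the IPS record, which shows the OR-before-AND precedence the text describes; with AND first, the VPN reject record would also appear.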


Monitoring Traffic and Connections


SmartConsole and SmartView Monitor provide a complete picture of network and security
performance. They are essential tools for monitoring network activity and the performance of
Check Point Security Gateways and software blades. Using SmartConsole and SmartView
Monitor, administrators can respond quickly to changes in gateways, tunnels, remote users,
traffic flow patterns and other security activities.

SmartView Monitor and SmartConsole


SmartConsole and SmartView Monitor provide some of the same capabilities. Both provide
monitoring views. Use SmartView Monitor only for the features that are not integrated into
SmartConsole, such as the ability to create customized monitoring views. The monitoring
views show real-time and historical graphical views of:

- Gateway status
- Remote users (SmartView Monitor only)
- System Counters
- VPN tunnel monitoring (SmartView Monitor only)
- Cooperative Enforcement, for Endpoint Security Servers
- Traffic

To use SmartView Monitor, enable the Monitoring software blade on the Security Gateways to
be monitored, and on the Security Management Server.

Monitoring Examples
The following scenarios exhibit situations for which monitoring can help:

- If a company's Internet access is slow, a Traffic View can be created to determine what
may be impeding the company's gateway interface. The view can be based on a review
of things such as specific services, Firewall rules or network objects that may be
known to impede the flow of Internet traffic. If the Traffic View indicates that users are
aggressively using such services or network objects (for example, Peer to Peer
applications or HTTP), the cause of the slow Internet access has been determined. If
aggressive use is not the cause, the network administrator will look at other possible
causes, such as performance degradation resulting from memory overload.


- If employees who are working remotely cannot connect to the network, a Counter view
can be created to determine what may be prohibiting network connections. The Counter
view can include counts such as CPU usage, Total Physical Memory or VPN Tunnels,
to collect information about the status, activities, hardware, and software usage of
different Check Point products in real-time. If the System Counters view indicates that
there are more failures than successes, it is possible that the company cannot
accommodate the large number of employees attempting to log on at once.

Using Monitoring Views


To open the monitoring views in SmartConsole, from the Gateways & Servers view, select a
gateway and click Monitor.

To launch SmartView Monitor:

1. Open SmartConsole and go to the Logs & Monitor view.
2. Click the "+" tab, and in the External Apps section, click Users & Tunnel Monitoring.

Immediate Actions
If the status shows an issue, immediate action can be initiated on that network object. For
example:

- Start/Stop cluster member - All Cluster Members of a gateway Cluster can be seen.
In the SmartView Monitor Gateway Status view, choose to start or stop a selected Cluster
Member.
- Suspicious Action Rules - In SmartView Monitor, suspicious network activity can be
blocked while investigating the real risk or to quickly block an obvious intruder.
- Disconnect client - Disconnect one or more of the connected SmartConsole clients
from the SmartView Monitor toolbar. In SmartConsole, clients can be disconnected
from Manage & Settings > View Sessions Actions > Disconnect.


Monitoring and Handling Alerts


Alerts provide real-time information about vulnerabilities to computing systems and how they
can be eliminated. Alerts are sent in order to draw the administrator's attention to problematic
gateways and potential threats to the security of their systems. The alerts provide information
about how to avoid, minimize, or recover from the damage.

Alerts are sent by the gateways to the Security Management Server. They can be seen in
SmartView Monitor. By default, an alert is also sent as a pop-up message to the administrator's
desktop. These alerts are sent when the following occur:

- Events related to products, which are configured to be tracked as alerts, are matched by
a connection.
- System events, also called system alerts, are configured to trigger an alert when various
predefined thresholds are surpassed.

System Alerts
Alerts are sent for certain predefined system events if a predefined threshold is crossed. These
are called system alerts. For example, if free disk space is less than 10% or if a Security Policy
has been changed, a system alert will be sent. A global set of thresholds for system alerts can
be configured and applied to gateways. Customized thresholds can also be configured for each
gateway.

Configuring Alerts
Configure the Alert commands in the SmartConsole > Global Properties > Log and Alert >
Alerts page. The Alerts in this window are for Security Gateways. In the policy Rule Base, an
alert can be configured to be issued if traffic matched the rule. In the Track setting of the rule,
select Alert, or one of the user-defined alerts.

To see alerts, click the Alerts icon in the SmartView Monitor toolbar and the Alerts window
will open. In this window alert attributes can be set and displayed alerts can be deleted.

Activating the System Alerts Mechanism


The Security Management Server monitors system alerts using the configured system alert
thresholds. If the thresholds are reached, it activates the defined action. To activate the system
alerts mechanism, select Tools and Start System Alert Daemon. To stop the system alert
monitoring mechanism, select Tools and Stop System Alert Daemon.


Monitoring Suspicious Activity Rules


Suspicious Activity Monitoring (SAM) is a utility that is integrated in SmartView Monitor. It
can be used to block activities that are displayed in the SmartView Monitor results and appear
to be suspicious. For example, a user who continually tries to gain unauthorized access to a
network or Internet resource can be blocked.

A Security Gateway with SAM enabled has Firewall rules to block suspicious connections that
are not restricted by the Security Policy. These rules are applied immediately. Installing policy
is not required.

SAM rules allow administrators to react to a security problem without having to change the
Firewall rules of the Access Control Rule Base. This is useful in cases where a specific user
needs to be instantly blocked. All inbound and outbound network activity should be inspected
and identified as suspicious when necessary, such as when network or system activity indicates
that someone is attempting to break in.

Creating a Suspicious Activity Rule


SAM rules require CPU resources, therefore an expiration needs to be set that allows time to
investigate without affecting network performance. Best practice is to keep only the SAM rules
needed. If an activity is confirmed as risky, edit the Security Policy, educate users, or otherwise
handle the risk.

If a suspicious result is seen while monitoring traffic, a SAM rule can be created immediately
from the results. A Suspicious Activity rule can only be created for Traffic views with data
about the source or destination, such as Top Sources and Top P2P Users. For example, a
company's corporate policy does not allow Peer2Peer file sharing, and the administrator
monitoring traffic sees Peer2Peer file sharing in the Traffic > Top P2P Users results. The
administrator can right-click the result bar and select Block Source. The SAM rule is set up
automatically with the user IP address and the P2P_File_Sharing_Applications service. To act,
click the Enforce button and for the next hour, while this traffic is dropped and logged, contact
the user.

Managing Suspicious Activity Rules


The Enforced Suspicious Activity Rules window displays the currently enforced rules. If a rule
is added that conflicts with another rule, the conflicting rule remains hidden. For example, if a
rule is defined to drop HTTP traffic, and a rule exists to reject HTTP traffic, only the drop rule
shows.


Monitoring Gateway Status


To see gateway status in SmartConsole, in the Gateways and Servers view, select a gateway,
right-click and select Monitor. Gateway status information includes device status, license
status, system status and traffic.


Figure 83 — Gateway Status View


System Counters View


System Counters in SmartConsole collect information on the status and activities of Check
Point products. Using custom or pre-defined views, administrators can drill down on the status
of a specific gateway and/or a segment of traffic to identify top bandwidth hosts that may be
affecting network performance. If suspicious activity is detected, a Firewall rule can be
immediately applied to the appropriate Security Gateway to block that activity. These Firewall
rules can be configured in SmartView Monitor and set to expire within a certain time period.


Figure 85 — System Counters View


Tunnels View
The SmartView Monitor Tunnels view shows the status of gateway to gateway VPN tunnels.
Use this view to identify VPN tunnel malfunctions and connectivity problems. The Tunnels
view also allows administrators to monitor Tunnel status, the Community with which a Tunnel
is associated, and the gateways to which the Tunnel is connected.


Figure 86 — Tunnels View


Cooperative Enforcement View


Cooperative Enforcement works with Check Point Endpoint Security Management Servers.
Using Cooperative Enforcement, a host that initiates a connection through a gateway is tested
for compliance with the Endpoint Security Policy. This prevents hosts with malicious software
components from accessing the network. Cooperative Enforcement acts as a middle-man
between hosts managed by an Endpoint Security Management Server and the Endpoint
Security Management Server.

The SmartView Monitor Non-Compliant Hosts by Gateway view shows hosts with these
states:

- Unauthorized - These hosts cannot access the Internet.
- No Endpoint Security client - The gateway is not associated with an Endpoint
Security client.
- Monitor Only - The Endpoint Security client can access the Internet whether or not it
is authorized.
- Blocked - The hosts cannot access the Internet.


Figure 87 —— Cooperative Enforcement View


Traffic View
SmartConsole Traffic Monitoring provides in-depth details on network traffic and activity, and
allows network administrators to do the following:

- Determine which services demand the most network resources.
- Audit and estimate costs of network use.
- See how the use of network resources is divided among users and departments.
- Identify the departments and users that generate the most traffic and the times of peak
activity.
- Detect and monitor suspicious activity such as blocked traffic, alerts, rejected
connections, and failed authentication attempts.

Figure 88 — Traffic View


A Traffic View can be created to monitor the following traffic types:

- Services - displays the current status view about Services used through the selected
gateway.
- IPs/Network Objects - displays the current status view of active IPs/Network
Objects through the gateway selected.
- Security Rules - shows the current status of the most frequently used Firewall rules.
The Name column in the legend states the rule number as previously configured in
SmartConsole.
- Interfaces - displays the current status view about the Interfaces associated with the
selected gateway.
- Connections - shows the current status of current connections initiated through the
selected gateway.
- Tunnels - displays the current status view of Tunnels associated with the selected
gateway and their usage.
- Virtual Link - shows the current traffic status between two gateways, such as
bandwidth, bandwidth loss, and round trip time.
- Packet Size Distribution - shows the current status view about packets according to
the size of the packets.
- QoS - displays the current traffic level for each QoS rule.


Review Questions
1. Which monitoring view would you use to see real-time statistics about open remote access
sessions?

2. In what instance should you install a Log Server on a dedicated computer?

Basic Concepts of VPN

The VPN software blade is used to create Virtual Private Networks to securely
communicate and transmit data over the Internet. Use SmartConsole to create VPN
deployments and topologies for a network to easily share internal resources with
authenticated users.

Learning Objectives

- Understand Site-to—Site and Remote Access VPN deployments and communities.


- Understand how to analyze and interpret VPN tunnel traffic.

Introduction to VPN
A VPN securely connects networks and protects the data that passes between them. Tunnels
are used to securely encrypt and decrypt the network communications. A VPN gateway
provides virtual connectivity and security for a wide range of situations. For example, a
company has multiple offices throughout the world that communicate over the Internet. The
offices have connectivity, but the communications are not secured or encrypted. A VPN
gateway provides privacy and security by encrypting connections and data.

Another situation is when company employees need to download files and check email when
they are offsite. A VPN gateway allows the employees to log in to the company network and
gives them all the necessary connectivity and security.

The Check Point VPN solution guarantees authenticity by using standard authentication
methods to transfer information and data. It provides privacy, securely encrypting all data sent
over the network. It also has integrity with the use of industry-standard protocols that make
sure the data is safe and protected.

Figure 89 — Check Point VPN Deployment

IPSec VPN
The Check Point VPN solution uses the IPSec suite of protocols to manage encrypted
communication tunnels. A key component of IPSec is IKE. IKE is a standard protocol that
creates the VPN tunnels and manages the keys used to encrypt and decrypt data and
information. The IPSec protocol suite supports secure IP communications that are
authenticated and encrypted on private or public networks.


IPSec uses Authentication Headers (AH), Encapsulating Security Payloads (ESP), and
Security Associations (SA) for authenticating and encrypting IP packets for secure VPN
communications. The AH protocol authenticates the IP header and datagrams, provides
connectionless integrity, and ensures that the header and payload have not been changed since
transmission. ESP operates directly on top of IP and provides origin authenticity, integrity, and
confidentiality protection of the packets. SA provides the set of algorithms and data that
establishes the parameters to use AH and ESP. With SAs, Security Administrators can manage
exactly which resources can securely communicate as per the Security Policy.

IKE Protocol
The IKE protocol is used to set up an SA in the IPSec protocol suite. Setup requires that the IPSec peers first authenticate and establish IKE shared keys. To deliver a secure communication session, and to ensure authentication and confidentiality, IKE conducts a two-phase negotiation process using the authentication and encryption algorithms agreed upon between the two computers.

- Phase 1 — Operates in Main Mode, which protects the identity of the two peers. Main Mode negotiates the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman (DH) group to be used for the base keying material. During this phase, the IPSec peers authenticate and establish a secure channel for communicating. The following process occurs:
  - Authentication methods, encryption algorithms, and Diffie-Hellman groups are all negotiated.
  - Each gateway generates a DH private key and public key and calculates the shared keys.
  - Authentication occurs and a secure tunnel is established to negotiate IKE Phase 2 parameters.

Encryption Algorithm            AES, 3DES
Hash Algorithm                  SHA1, MD5
Authentication Method           Certificate, Pre-shared Key
Diffie-Hellman Group for IKE    Group 1 (768 bit), Group 2 (1024 bit), Group 5 (1536 bit), Group 14 (2048 bit)
Table 14: Negotiation Requirements


- Phase 2 — This phase is called Quick Mode. During this phase, SAs are negotiated on behalf of services such as IPSec, the shared-secret key material is determined, and an additional DH exchange occurs. Once the two computers reach an agreement, two SAs are established, one for outbound communication and the other for inbound communication. The following process occurs:
  - More key material is exchanged and IPSec authentication and encryption parameters are agreed on.
  - The DH key is combined with the key material to produce the symmetrical IPSec key.
  - IPSec keys are generated.

NOTE
The Diffie-Hellman key exchange is a secure method for exchanging
cryptographic keys. It involves exchanging numbers and performing
calculations to get to a common number that serves as the secret key.
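The two phases above, as an added teaching model written for this manual (not Check Point's implementation and not the IKE wire format): Phase 1 runs a Diffie-Hellman Group 2 exchange and proves knowledge of the pre-shared secret, then Phase 2 runs a second exchange and derives one key per SA, one inbound and one outbound. The gateway names, SPIs and pre-shared secret are constructed; HMAC-SHA256 stands in for the negotiated hash algorithm.

```python
"""Teaching model of the two IKE phases (added example, not Check Point code
and not the IKE wire format). Phase 1: Diffie-Hellman Group 2 plus a proof of
the pre-shared secret. Phase 2: a second DH exchange combined with the Phase 1
keying material yields one key per SA, inbound and outbound."""
import hashlib
import hmac
import secrets

# Diffie-Hellman Group 2: the 1024-bit MODP prime and generator 2 (RFC 2409, section 6.2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1          # private value in [1, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(128, "big")


def to_bytes(n: int) -> bytes:
    return n.to_bytes(128, "big")


class Gateway:
    """One VPN gateway's side of the negotiation; a fresh DH pair per phase."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.p1_priv, self.p1_pub = dh_keypair()
        self.p2_priv, self.p2_pub = dh_keypair()
        self.skeyid = None

    def phase1_token(self, peer_pub: int) -> bytes:
        """Phase 1 (Main Mode): derive keying material from the DH result and
        the PSK, and return a proof of PSK knowledge bound to both public values."""
        self.skeyid = prf(self.psk, dh_shared(self.p1_priv, peer_pub))
        return prf(self.skeyid, b"AUTH" + to_bytes(self.p1_pub) + to_bytes(peer_pub))

    def phase1_verify(self, peer_pub: int, peer_token: bytes) -> bool:
        """Recompute the token the peer must produce if it holds the same PSK."""
        key = prf(self.psk, dh_shared(self.p1_priv, peer_pub))
        expected = prf(key, b"AUTH" + to_bytes(peer_pub) + to_bytes(self.p1_pub))
        return hmac.compare_digest(expected, peer_token)

    def phase2_keys(self, peer_p2_pub: int, spi_out: int, spi_in: int):
        """Phase 2 (Quick Mode): combine a second DH result with the Phase 1
        material; each SA, identified by its SPI, gets its own key."""
        keymat = dh_shared(self.p2_priv, peer_p2_pub)

        def sa_key(spi: int) -> bytes:
            return prf(self.skeyid, keymat + spi.to_bytes(4, "big"))

        return sa_key(spi_out), sa_key(spi_in)


def run_exchange(psk_a: bytes = b"Sample123", psk_b: bytes = b"Sample123"):
    """Run both phases between two constructed gateways, Alpha and Bravo.
    Returns ((alpha_out, alpha_in), (bravo_out, bravo_in)), or None if
    Phase 1 authentication fails, in which case no SAs are created."""
    alpha, bravo = Gateway("Alpha", psk_a), Gateway("Bravo", psk_b)
    token_a = alpha.phase1_token(bravo.p1_pub)
    token_b = bravo.phase1_token(alpha.p1_pub)
    if not (alpha.phase1_verify(bravo.p1_pub, token_b)
            and bravo.phase1_verify(alpha.p1_pub, token_a)):
        return None
    spi_ab, spi_ba = 0x1001, 0x2002          # constructed SPIs: Alpha->Bravo, Bravo->Alpha
    a_out, a_in = alpha.phase2_keys(bravo.p2_pub, spi_ab, spi_ba)
    b_out, b_in = bravo.phase2_keys(alpha.p2_pub, spi_ba, spi_ab)
    return (a_out, a_in), (b_out, b_in)


if __name__ == "__main__":
    (a_out, a_in), (b_out, b_in) = run_exchange()
    print("Alpha outbound == Bravo inbound:", a_out == b_in)
    print("Alpha inbound == Bravo outbound:", a_in == b_out)
    print("Mismatched PSK yields SAs:", run_exchange(psk_b=b"other") is not None)
```

A mismatched pre-shared secret fails in Phase 1, so no Phase 2 keys are ever produced; that is the symptom an administrator sees when the secret differs on the two gateways.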


VPN Components
The following components are used to construct VPN communication in the network:

- VPN domain — Includes the computers and networks that are defined as the internal resources connected to the VPN tunnel.
- VPN gateway — Encrypts and protects the resources in the VPN domain. A Security Gateway with the VPN software blade enabled is also called the VPN gateway. In Site-to-Site VPN deployments, all Security Gateways are VPN gateways.
- VPN community — Includes VPN domains that securely share network resources. Types of VPN communities include Star, Meshed, and Remote Access.
- VPN trust entities — Includes certificates and shared secrets. The Check Point ICA can be used to provide certificates for internal Security Gateways and remote access clients.
- VPN management tools — Includes the Security Management Server and SmartConsole, which allow companies to easily define and deploy Site-to-Site and Remote Access VPN tunnels.

Figure 90 — VPN Domain


VPN Deployments
VPN communications are securely sent over the Internet between:

- VPN gateways in the same VPN community.
- An endpoint computer or mobile device and the VPN gateway.

There are different VPN deployment options available to meet the specific needs of the network.

Site-to-Site VPN Deployment

A Site-to-Site VPN deployment handles secure communication between offices that are connected by the Internet. The foundation of Site-to-Site VPN is the encrypted VPN tunnel. Two VPN gateways negotiate a link and create a VPN tunnel, and each tunnel can contain more than one VPN connection. One VPN gateway can maintain more than one VPN tunnel at the same time. The hosts and endpoint computers do not need special software to use the VPN tunnel because the VPN gateways are responsible for encrypting and decrypting the files and connections.

Figure 91 — Site-to-Site VPN Topology

In this Site-to-Site VPN deployment, a computer in the Main office needs to download a file from the Branch office. The Firewalls in both networks perform IKE negotiation and create a VPN tunnel. They use the IPsec protocol to encrypt and decrypt the file as it is downloaded from the Branch office to the Main office. The user experience is the same whether a file is downloaded within a VPN deployment or a wired network.

Authentication between VPN Gateways in a Community

Before the VPN gateways can create VPN tunnels, they first need to authenticate to each other. Authentication is how the VPN gateways are completely certain that they can trust the other networks and share data. VPN gateways authenticate to each other by presenting one of the following types of credentials:

- Certificates
- Pre-shared secret

Each VPN gateway shares a certificate containing information that identifies the VPN gateway itself and the credentials used to create the VPN tunnel. Both items are signed by the trusted Certificate Authority (CA). For convenience, the Check Point product suite installs its own Internal CA that automatically issues certificates for all internally managed Security Gateways. The Internal CA does not need to be configured. In addition, SmartConsole and the Security Management Server support using external CAs.

Certificates are considered to be more secure and are the preferred means of authentication. In addition, since the Internal CA on the Security Management Server automatically provides a certificate to each Check Point Security Gateway that it manages, it is often convenient to use this type of authentication.

If a VPN tunnel needs to be created with a VPN gateway that is managed by a different Security Management Server (externally managed), then it is often necessary to use pre-shared secrets for authentication. The pre-shared secret can be a mixture of letters and numbers, such as #Sample123.

A separate pre-shared secret must be defined for each externally managed VPN gateway. For example, if there are five internal VPN gateways and two externally managed VPN gateways, it is necessary to create two pre-shared secrets. All the internally managed VPN gateways use the same pre-shared secret when they communicate with a specific externally managed VPN gateway.

Configuring VPN Routing

A VPN gateway can be configured to route VPN traffic based on VPN domains or the routing settings of the operating system. In Domain-based VPN, the VPN traffic is routed according to the VPN domains that are defined in SmartConsole. For example, use Domain-based routing to allow satellite VPN gateways to send traffic to each other. The central VPN gateway creates VPN tunnels to each satellite VPN gateway and the traffic is routed to the correct VPN domain.


In some advanced deployments, there are specific routing settings in the VPN gateway operating system, such as dynamic routing. The VPN traffic can be configured to be routed according to these settings. This is referred to as Route-based VPN. The VPN gateway uses virtual interfaces called VPN Tunnel Interfaces (VTIs), which send the traffic as if they were physical interfaces. The VTIs of VPN gateways in a VPN community connect and can support dynamic routing protocols.

Remote Access VPN Deployment


A Remote Access VPN deployment handles secure communication between internal corporate
resources and remote users using VPN tunnels. If users remotely access sensitive information
from different locations and devices, System Administrators need to be able to provide secure
access to that information.

NOTE
The remote computer or device requires special VPN software, such as Endpoint Security VPN, to connect to the VPN tunnel and encrypt the communication with the VPN gateway.

Figure 92 — Remote Access VPN Topology


Check Point VPN solutions for remote access use IPsec and SSL encryption protocols to create secure connections between the remote computer or device and the VPN gateway. The authentication data for the remote users is stored in an LDAP database or in SmartConsole. Check Point supports client-based and clientless VPN solutions for the remote users.


Remote User Authentication

The VPN gateway and remote client must establish trust to create a VPN tunnel. This is done when the VPN gateway verifies the user's identity and the remote client verifies the identity of the VPN gateway. Remote users are authenticated with a pre-shared secret or digital certificates, including the Check Point ICA and third-party solutions such as SecurID and RADIUS.

Client-based Remote Access

The users install an application or software client on their endpoint computers and devices. The client supplies secure remote access to most types of corporate resources according to the access privileges of the user.

Clientless Remote Access


Users authenticate with an Internet browser and use secure HTTPS connections. Clientless
solutions often provide access to web-based corporate resources.

Using Office Mode to Route Remote Access Traffic

A Remote Access VPN deployment can present challenges when creating a VPN tunnel between the remote computer or device and the VPN gateway. Challenges include:

- Unknown IP addresses for the remote access client
- Connecting from a hotel LAN that only has internal IP addresses
- The remote client needs to use unsupported network protocols
- The local ISP (Internet Service Provider) assigns a non-routable IP address to the remote user

Office Mode solves these routing problems. Office Mode allows a Security Gateway to assign a remote client an IP address. The assignment takes place once the user connects and authenticates. After the user authenticates, the VPN gateway assigns an IP address to the remote client. The VPN gateway encapsulates the IP packets with an available IP address from the internal network. Remote users can then send traffic as if they are in the office and do not have VPN routing problems.


VPN Communities
Recall that the VPN domain consists of the computers and networks that are defined as the
internal resources connected to the VPN tunnel. When configuring a VPN gateway in
SmartConsole, decide which IP address objects are included in the VPN domain. The System
Administrators combine multiple VPN domains into a VPN community. Different VPN
gateways in the same VPN community can securely share network resources with each other
through VPN tunnels. These VPN communities provide granular control over the permissions
for internal networks.

Figure 93 — VPN Communities Window

When planning a VPN topology, it is important to consider the following questions:

1. What access privileges do you need to assign to users?
2. Are the internal resources shared by all offices?
3. If using certificates, which CA will be trusted?
4. What types of network resources will be available to remote users?

There are three types of VPN communities: Meshed, Star and Combination.

Meshed VPN Community

A Meshed VPN community consists of VPN gateways that create VPN tunnels with all the other VPN gateways in the community. It is often used for a corporate intranet, which is only available to corporate offices. The partners are not included in the community and cannot connect to the corporate intranet.

Figure 94 — Meshed VPN Community



Star VPN Community

A VPN star community consists of one or more central VPN gateways and satellite VPN gateways. In this type of community, a satellite can create a VPN tunnel only with other VPN domains where the VPN gateway is defined as a central VPN gateway. A satellite VPN gateway cannot create a VPN tunnel with a VPN gateway that is also defined as a satellite VPN gateway.

A Star VPN community can be used when a company must share information with external
partners or companies. These partners need to communicate with the company but not with
each other. The company’s VPN gateway is defined as a central VPN gateway and the partner
VPN gateways are defined as satellites.

Figure 95 — Star VPN Community


Star community objects can be configured to Mesh Center Security Gateways. The VPN gateways that are defined as the hubs share the network resources as a Meshed community. The satellite VPN gateways can access all the resources in the Meshed hub community.


VPN Routing
A Star VPN community supports VPN Routing, a way of directing communication through a specific tunnel in order to enhance existing connectivity or security. The VPN Routing options available in Star VPN communities are:

- To center only — Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way.
- To center and to other satellites through center — Use VPN routing for connections between satellites. Each packet passing from one satellite gateway to another satellite gateway is routed through the central gateway. Connections between satellite gateways and gateways that do not belong to the community are routed in the normal way.
- To center, or through the center to other satellites, to Internet and other VPN targets — Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address. NAT configuration is important to allow correct Internet connectivity.

Figure 96 — VPN Routing


Combination VPN Communities

There are more complex VPN deployment scenarios. For example, a company has corporate offices in two countries, London and New York. These corporate offices need to share network resources and require a Meshed VPN community.

The London and New York offices are connected to a number of branch offices. The branch offices only need to communicate with the corporate office in their country, but not with each other. These branch offices require a Star VPN community to share network resources with only one of the corporate offices.

The solution for this scenario is to define a combination VPN community using two Star VPN communities and one Meshed VPN community. The two central VPN gateways in the Star VPN communities are the London and New York VPN gateways. Then, add the appropriate branch offices to the London and New York Star VPN communities. The branch offices are now able to transmit encrypted communications with the corporate office in their country. Finally, create a Meshed VPN community with the London and New York VPN gateways.

Figure 97 — Combination Star and Meshed VPN Community
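The Meshed, Star (including Mesh Center Security Gateways), VPN Routing and combination sections above, as one added worked example written for this manual (not Check Point code): it computes which gateway pairs may establish a tunnel in each community type and how the three Star VPN Routing options decide where a satellite's traffic goes, using the London / New York scenario with constructed branch names (Leeds, Manchester, Boston, Chicago).

```python
"""Added example, not Check Point code: tunnel pairs and VPN Routing for
Meshed, Star and combination VPN communities."""
from dataclasses import dataclass, field
from itertools import combinations

# The three VPN Routing options of a Star community, as named in the text.
TO_CENTER_ONLY = "to center only"
THROUGH_CENTER = "to center and to other satellites through center"
EVERYTHING_VIA_CENTER = ("to center, or through the center to other satellites, "
                         "to Internet and other VPN targets")
INTERNET = "Internet"   # pseudo-destination for non-VPN targets


@dataclass
class Community:
    name: str
    kind: str                                      # "meshed" or "star"
    members: set = field(default_factory=set)      # meshed: all gateways
    centers: set = field(default_factory=set)      # star: central gateways
    satellites: set = field(default_factory=set)   # star: satellite gateways
    mesh_center: bool = False                      # star: Mesh Center Security Gateways
    routing: str = TO_CENTER_ONLY                  # star: VPN Routing option

    def tunnels(self):
        """Unordered gateway pairs that may establish a VPN tunnel in this community."""
        if self.kind == "meshed":
            return {frozenset(p) for p in combinations(sorted(self.members), 2)}
        pairs = {frozenset((c, s)) for c in self.centers for s in self.satellites}
        if self.mesh_center:   # hubs additionally form a Meshed community
            pairs |= {frozenset(p) for p in combinations(sorted(self.centers), 2)}
        return pairs


def route(communities, src, dst):
    """How traffic from gateway `src` towards `dst` is carried:
    ("direct", community)       a tunnel between src and dst exists
    ("via", center, community)  hairpinned through the Star center
    ("clear", None)             routed in the normal way, no VPN tunnel"""
    for c in communities:
        if frozenset((src, dst)) in c.tunnels():
            return ("direct", c.name)
    for c in communities:
        if c.kind != "star" or src not in c.satellites:
            continue
        center = sorted(c.centers)[0]   # first center chosen for simplicity
        if dst in c.satellites and c.routing in (THROUGH_CENTER, EVERYTHING_VIA_CENTER):
            return ("via", center, c.name)
        if dst not in c.satellites and c.routing == EVERYTHING_VIA_CENTER:
            # Internet and other VPN targets also pass through the center (NAT matters here).
            return ("via", center, c.name)
    return ("clear", None)


def combination_example(routing=TO_CENTER_ONLY):
    """The London / New York combination community from the text; branch
    office names are constructed."""
    corporate = Community("Corporate", "meshed", members={"London", "NewYork"})
    uk = Community("UK_Star", "star", centers={"London"},
                   satellites={"Leeds", "Manchester"}, routing=routing)
    us = Community("US_Star", "star", centers={"NewYork"},
                   satellites={"Boston", "Chicago"}, routing=routing)
    return [corporate, uk, us]


if __name__ == "__main__":
    for option in (TO_CENTER_ONLY, THROUGH_CENTER, EVERYTHING_VIA_CENTER):
        comms = combination_example(option)
        print(option)
        for dst in ("London", "Manchester", "Boston", INTERNET):
            print("  Leeds ->", dst, route(comms, "Leeds", dst))
```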

Remote Access VPN Community Object


The Remote Access VPN community object contains the settings that allow users to connect to
the internal corporate resources. Configure the Remote Access VPN community object to
create VPN tunnels for the user groups to the specific VPN gateways. Then, add the remote
user information to the Security Management Server. There is only one Remote Access VPN
community object in SmartConsole. Remote Access VPN community objects are discussed in
greater detail in the CCSE course.


Access Control for VPN Connections

When creating a VPN community, configure the source and target Firewalls to use VPN tunnels to securely share data and information. The Firewalls in the community encrypt and decrypt the connections; however, it is still necessary to configure them to allow the connections through the Firewall.
In other words, when adding VPN gateways to a VPN community, the Firewalls are configured to use encrypted communication with each other for allowed connections. Configure rules in the Access Control policy to allow the connections between the VPN gateways. The VPN column in the Access Control policy is used to configure how VPN connections are matched to the rules.

Figure 98 — VPN Rules in Access Policy

Allow All Connections

When the rule uses the All Connections (Clear or Encrypted) option, all encrypted and non-VPN traffic that matches the rule is allowed. If the connection is between VPN gateways in a VPN community, the traffic is encrypted. The following sample rule allows all connections. The VPN column shows Any when the All Connections (Clear or Encrypted) option is enabled.


Allow All Site-to-Site VPN Connections

When the rule uses the All Site-to-Site VPN Communities option, all matching encrypted VPN traffic between VPN gateways in any Site-to-Site VPN community is allowed. The following is a sample rule that allows all FTP connections between the branch office VPN gateway and any VPN gateway in a Site-to-Site VPN community:

(Sample rule: All_GwToGw)

Allow Specific VPN Communities

To configure a rule that only matches and allows traffic to VPN gateways in specific VPN communities, select the Specific VPN Communities option. A pane opens and displays the VPN communities. Then, select one or more communities to add to the rule. The following is a sample rule that allows remote clients and hosts to access the company's SMTP server, called SMTP_SRV.

(Sample rule; the VPN column shows the Remote Access Community)


Site-to-Site Communities — Allow All Encrypted Traffic

Instead of manually adding rules to the Access policy, it is possible to configure a Site-to-Site VPN community to automatically allow all encrypted connections. Use the Accept all encrypted traffic option to configure the Firewall to allow all VPN traffic to the internal networks for the VPN communities.

When this feature is enabled on a VPN community, it is not necessary to add rules to the Firewall Rule Base in order to allow the VPN traffic for the VPN community.

Figure 99 — Accept All Encrypted Traffic in VPN Community Object
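The three VPN column options and the community-level Accept all encrypted traffic setting described in this Access Control section, as an added worked example written for this manual (not Check Point's matching engine): a small first-match rule evaluator fed with the two sample rules from the text (All_GwToGw and the SMTP_SRV rule) plus a cleanup rule. The community inventory, gateway names and the per-community setting are constructed.

```python
"""Added example, not Check Point code: how the VPN column of an Access
Control rule matches clear and encrypted connections."""
from dataclasses import dataclass
from typing import Optional

ANY = "Any"                                   # All Connections (Clear or Encrypted)
ALL_S2S = "All Site-to-Site VPN Communities"  # any Site-to-Site community
# Specific VPN Communities is expressed as a frozenset of community names.

# Constructed community inventory: community name -> community type.
COMMUNITIES = {"MyIntranet": "site-to-site", "RemoteAccess": "remote-access"}
# Constructed per-community "Accept all encrypted traffic" setting (Figure 99).
ACCEPT_ALL_ENCRYPTED = {"MyIntranet": False, "RemoteAccess": False}


@dataclass(frozen=True)
class Rule:
    name: str
    source: frozenset
    destination: frozenset
    vpn: object            # ANY, ALL_S2S, or frozenset of community names
    services: frozenset
    action: str


@dataclass(frozen=True)
class Connection:
    source: str
    destination: str
    service: str
    community: Optional[str] = None   # None means clear, non-VPN traffic


def field_matches(rule_set, value):
    return ANY in rule_set or value in rule_set


def vpn_matches(rule_vpn, conn):
    if rule_vpn == ANY:
        return True                   # clear and encrypted traffic alike
    if conn.community is None:
        return False                  # the other options need VPN traffic
    if rule_vpn == ALL_S2S:
        return COMMUNITIES[conn.community] == "site-to-site"
    return conn.community in rule_vpn   # Specific VPN Communities


def decide(rules, conn, accept_all_encrypted=ACCEPT_ALL_ENCRYPTED):
    """Return (matched_by, action). Rules are evaluated top to bottom; what
    no rule matches is dropped by the implicit cleanup. A community with
    Accept all encrypted traffic enabled needs no rule at all."""
    if conn.community and accept_all_encrypted.get(conn.community):
        return (conn.community, "Accept")
    for r in rules:
        if (field_matches(r.source, conn.source)
                and field_matches(r.destination, conn.destination)
                and vpn_matches(r.vpn, conn)
                and field_matches(r.services, conn.service)):
            return (r.name, r.action)
    return ("Implicit Cleanup", "Drop")


# The two sample rules from the text plus an explicit cleanup rule.
RULES = [
    Rule("All_GwToGw", frozenset({"Branch_GW"}), frozenset({ANY}), ALL_S2S,
         frozenset({"ftp"}), "Accept"),
    Rule("Remote_SMTP", frozenset({ANY}), frozenset({"SMTP_SRV"}),
         frozenset({"RemoteAccess"}), frozenset({"smtp"}), "Accept"),
    Rule("Cleanup", frozenset({ANY}), frozenset({ANY}), ANY, frozenset({ANY}), "Drop"),
]


if __name__ == "__main__":
    samples = [
        Connection("Branch_GW", "HQ_GW", "ftp", "MyIntranet"),   # encrypted, Site-to-Site
        Connection("Branch_GW", "HQ_GW", "ftp"),                 # same flow, in the clear
        Connection("laptop", "SMTP_SRV", "smtp", "RemoteAccess"),
        Connection("laptop", "SMTP_SRV", "smtp"),
    ]
    for conn in samples:
        print(conn, "->", decide(RULES, conn))
```

Note how the same FTP flow is accepted inside the Site-to-Site community but falls through to the cleanup rule when it arrives in the clear; only the Any option matches both.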


Tunnel Management and Monitoring

When companies use VPN communication between users and gateways, it is crucial that they maintain uninterrupted connectivity. System Administrators must make sure the VPN tunnels are kept up and running.

Permanent VPN Tunnels

Permanent VPN tunnels are constantly kept active and, as a result, it is easier for administrators to recognize connectivity problems. They can monitor the two sides of a Permanent VPN tunnel and identify problems with minimum delay. Edit the Site-to-Site VPN community object to configure the Permanent VPN Tunnel settings. Permanent Tunnels can only be established between Check Point VPN gateways. Permanent VPN Tunnels can be set:

- On all tunnels in the community
- On all tunnels for specific gateways
- On specific tunnels in the community

(Permanent Tunnels page of the MyIntranet community object: Set Permanent Tunnels, with the three options above; Enable Route Injection Mechanism (RIM); Tunnel down track and Tunnel up track. VPN Tunnel Sharing: one VPN tunnel per each pair of hosts, one VPN tunnel per subnet pair, or one VPN tunnel per Gateway pair.)
Figure 100 — Configuring Permanent Tunnels for a VPN Community


Tunnel Testing
Tunnel Testing is a proprietary Check Point protocol used to test if VPN tunnels are active.
Since Permanent Tunnels are constantly monitored, if the VPN tunnel is down, SmartConsole
can send a log, alert or user-defined action. A VPN tunnel is monitored by periodically sending
tunnel test packets. As long as responses to the packets are received, the VPN tunnel is
considered up. If no response is received within a given time period, the VPN tunnel is
considered down.

Monitoring VPN Tunnels


The SmartView Monitor GUI displays the status of the VPN tunnels in the network. The
Tunnels section in the SmartView Monitor GUI clearly shows VPN connectivity problems by
constantly monitoring and analyzing the status of a company’s tunnels.

Figure 101 — Showing VPN Tunnel Status in SmartView Monitor GUI


There are three tunnel statuses:

- Up
- Up - Init or Up - Phase 1
- Down

When the VPN tunnel is Up, the VPN tunnel is functioning and data can be transmitted with no problems. When a VPN tunnel is Up - Init or Up - Phase 1, the two sides of the tunnel are verifying the credentials to create the VPN tunnel. Up - Init is used for Permanent Tunnels; Up - Phase 1 is used for regular VPN tunnels. When a VPN Tunnel is Down, there is a tunnel failure. The two sides of the tunnel cannot send or receive data. For example, if there is a Permanent Tunnel between a VPN gateway in the New York office and in the London office, when that tunnel is in the Down state, there is no VPN traffic between the VPN gateways in those offices.


Review Questions
1. What type of VPN deployment handles communication between a network and remote
users?

2. What are two different ways to configure the Access policy to allow VPN connections?

Chapter 7: Managing User Access

An integral part of configuring the optimal network centers around defining users and user groups. Users and user groups are added to the database manually, through LDAP and User Directory, or with the help of Active Directory. Defining users and managing internal and external user access is easily achieved through SmartConsole. Activating Check Point's Identity Awareness software blade for a granular view of users, groups and machines provides unmatched access control through the creation of accurate, identity-based policies.

Learning Objectives

- Recognize how to define users and user groups.
- Understand how to manage user access for internal and external users.

Overview of User Management Components

Consistent user information is critical for proper security. Users are created for use as network objects in security policies. They are called user objects and are used to define the different terms under which users can operate, such as:

- The services users are allowed to use.
- The locations from which users are allowed to access your network.
- The network destinations to which users are allowed to connect.
- The time frame during which users are allowed to connect.
- The time frame during which users are allowed to access your network.
- How users are authenticated.
- How users can work remotely.

SmartConsole employs several components to manage user information.

Figure 102 — Object Explorer Window


Use the Object Explorer window to create and manage the following user properties:

- Users — These are individual local and remote entities who access your network and its resources.
- User Groups — User groups consist of users and of user sub-groups to be used in the Rule Base. Including users in groups is required for performing a variety of operations, such as defining user access rules or remote access communities.
- User Templates — User templates facilitate the user definition process by allowing you to create a set of properties that are common to multiple users. A user created from a template inherits all the properties of the previously defined user, such as authentication scheme, encryption methods, access time and others. It is also possible to create a new user template and use it to create new users. Existing user templates can be modified or deleted. Changes made to a user template do not affect existing users created from the modified or deleted template.
- LDAP Groups — An LDAP group is a user group whose members are defined in an LDAP directory server. An LDAP group can be used in the Security Policy in the same way as a VPN user group. The only difference between these groups is in the way you define users.
- Access Roles — Access roles allow you to assign users or user groups to the access role. You can use Access Role objects as source and/or destination parameters in a rule. Before creating access role objects, you must first activate Identity Awareness.

User Directory
Check Point User Directory software leverages LDAP servers to obtain identification and security information about network users. User Directory eliminates the risks associated with manually maintaining and synchronizing redundant data stores and enables centralized user management throughout an organization. Integrating the Security Gateway and User Directory allows you to query user information, enable CRL retrieval, enable user management and authenticate users.

Check Point User Directory integrates the Security Management Server and an LDAP server
as an external user management database solution. If you have a large user count, Check Point
recommends using an external user management database, such as LDAP, for enhanced
Security Management Server performance. LDAP is an open industry standard application
protocol used over an IP network for accessing and managing distributed directory
information. User Directory user management requires a special license. The Mobile Access
software blade automatically includes the User Directory license.


Identity Awareness
Firewalls typically use IP addresses to monitor traffic and are unaware of the user and machine identities behind those IP addresses. Identity Awareness removes this notion of anonymity by using source and/or destination IP addresses of network traffic to identify users and computers. Identity Awareness is enabled as a network security feature on the Security Gateway.

Figure 103 — Enable Identity Awareness

The configuration wizard can configure a Security Gateway that uses one or more identity acquisition sources. You cannot use the wizard to configure multiple Security Gateways at the same time.


Identity Awareness lets you easily configure network access and auditing based on one or more of the following items:

- Network location
- The identity of a user
- The identity of a machine

This easy to deploy and scalable solution is applicable for both Active Directory and non-Active Directory based networks, as well as for employees and guest users.
Use Identity Awareness to define a policy rule for specified users who send traffic from specified computers or from any computer, and to create a policy rule for any user on specified computers. Identity Awareness shows the user and computer name together with the IP address in logs and reports.


Methods for Acquiring Identity

Identity Awareness obtains identities using the following acquisition methods. They must be enabled on the gateway, from the Identity Awareness page of the gateway object.

- Active Directory (AD) Query
- Browser-Based Authentication
- Identity Agents (installed on the Endpoint)
- Terminal Servers Agent
- RADIUS
- Remote Access

Figure 104 — Methods for Acquiring Identity

Identity sources differ in their security and deployment considerations. Depending on your organization's requirements, you can use them separately or in combinations that supplement each other.


Account Units
If you are implementing User Directory user management for your Security Gateways, you will need to know which entities to define and how to manage the users defined. An LDAP server holds one or more Account Units (AU). An Account Unit represents branches of user information on one or more LDAP servers. Users are divided among the branches of one Account Unit, or between different Account Units.

When enabling the Identity Awareness and Mobile Access Software Blades in SmartConsole, the Active Directory Integration window of the Configuration Wizard lets you create a new AD Account Unit. Creating a new User Directory Account Unit requires you to decide whether the AU will be used for CRL retrieval, user management, or both. You also need to select a profile to apply to the new Account Unit. The following profiles are defined by default, each corresponding to a specific LDAP server:

- OPSEC_DS — Default profile for a standard OPSEC certified User Directory server
- Domino_DS — Profile for a Domino Directory Server
- Netscape_DS — Profile for a Netscape Directory Server
- Novell_DS — Profile for a Novell Directory Server
- Microsoft_AD — Profile for Microsoft Active Directory

(Screenshot: the LDAP Account Unit Properties window, General tab. Fields: Name, Comment, Color, Profile, Prefix. Under "Account Unit usage" the check boxes CRL retrieval and User management are shown; under "Additional configuration" the check box Enable Unicode support.)
Figure 105 — LDAP Account Unit Configuration



Active Directory (AD) Query

Active Directory Query is a clientless identity acquisition method that allows the Security Gateway to seamlessly identify Active Directory users and computers. It is based on Active Directory integration and allows the Security Gateway to correlate Active Directory users and machines to IP addresses in a way that is completely transparent to the user.

When using AD Query (ADQ), the Security Gateway connects to the Active Directory Domain Controllers using Windows Management Instrumentation (WMI), a standard Microsoft protocol, to get Security Event logs. Security Event logs are generated by default on the Domain Controllers when users log in. Using these event logs, the Security Gateway correlates Active Directory users and machines to IP addresses and enforces a user-based policy. Security event logging must be enabled on the AD server, and the account the gateway uses for WMI must be allowed to read the Security log on every Domain Controller it queries.

The following example shows how AD Query works:

1. The Security Gateway registers to get Security Event logs from the Active Directory Domain Controllers.
2. A user logs in to a computer using his Active Directory credentials.
3. The Active Directory Domain Controller sends the Security Event log to the Security Gateway. The Security Gateway extracts the user and IP address information (username@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
5. The Security Gateway confirms that the user has been identified and allows him to access the Internet, based on the Security Policy.

Because ADQ binds a whole IP address to the logon most recently seen for it, it cannot tell apart several users who share one address, which is why terminal servers need the dedicated agent described later in this chapter.

(Diagram: a user's computer, the AD Domain Controller and the Security Gateway. The Domain Controller forwards the logon Security Event log to the Security Gateway, which then identifies the user's connection to the Internet.)
Figure 106 — AD Query Example


Browser-Based Authentication
Browser-Based Authentication is HTTPS based. It sends users to a web page to acquire identities, using Captive Portal and Transparent Kerberos Authentication. Captive Portal is a simple method that authenticates users through a web interface before granting them access to resources. Captive Portal is recommended for:

- Identity based enforcement for non-AD users, non-Windows operating systems and guest users
- Deployment of Endpoint Identity Agents

When users try to access a resource, they are directed to a web page requiring them to enter login credentials for verification.

Figure 107 — Captive Portal

If Transparent Kerberos Authentication is configured, the browser attempts to authenticate AD users transparently by retrieving identity information before the Captive Portal username and password page opens. When you configure this option, the Captive Portal requests authentication data from the browser. Upon successful authentication, the identified user is redirected to the original destination. If authentication fails, the unidentified user must enter credentials in the Captive Portal.


Transparent Kerberos is recommended for use in AD environments, when users are already
logged in to the domain and the browser obtains identity information from the credentials used
in the original log in. This is referred to as Single Sign On (SSO). If unidentified users try to
connect to resources in the network that are restricted to identified users, they are
automatically sent to the Captive Portal. If Transparent Kerberos Authentication is configured,
the browser will attempt to identify users that are logged into the domain using SSO before it
shows the Captive Portal. After the user is authenticated, new connections from this source are
inspected without requiring authentication.
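The request handling described above, as an added example that is not part of the original manual or of Check Point's own code: the portal answers a first request with a 401 that carries a "WWW-Authenticate: Negotiate" challenge, but puts the login form in the body of that same response. A domain-joined browser answers the challenge with a Kerberos token and is redirected to its original destination; any other browser simply renders the form and authenticates with a username and password. Token validation is a stand-in (a real gateway validates the SPNEGO token against the domain); the token format, the user database and the KNOWN_PRINCIPALS set are constructed for the example.

```python
"""Captive Portal front end with Transparent Kerberos (SSO) and form fallback.

validate_negotiate_token() is a stand-in for SPNEGO/Kerberos validation: the
constructed token is just base64("user@REALM").  LOCAL_USERS and
KNOWN_PRINCIPALS are constructed test data, not real accounts.
"""
import base64
import hmac

LOCAL_USERS = {"guest1": "Welcome1!"}            # constructed form-login accounts
KNOWN_PRINCIPALS = {"jbrown@ABC.EXAMPLE"}         # constructed "domain" principals
LOGIN_FORM = "<form method='POST'>username / password</form>"


def make_negotiate_token(principal):
    """Build the stand-in token a domain-joined browser would present."""
    return base64.b64encode(principal.encode()).decode()


def validate_negotiate_token(token_b64):
    """Stand-in validation. Returns the principal, or None if the token is bad."""
    try:
        principal = base64.b64decode(token_b64, validate=True).decode()
    except ValueError:                 # binascii.Error and UnicodeDecodeError
        return None
    return principal if principal in KNOWN_PRINCIPALS else None


def handle_portal_request(method, headers, form, original_url, transparent_kerberos=True):
    """Return (status, response headers, body, identified user or None)."""
    auth = headers.get("Authorization", "")

    # 1. Transparent Kerberos: the browser answered the Negotiate challenge.
    if transparent_kerberos and auth.startswith("Negotiate "):
        user = validate_negotiate_token(auth.split(" ", 1)[1])
        if user:
            return 302, {"Location": original_url}, "", user
        # Invalid token: fall through to the form instead of re-challenging forever.

    # 2. Form login for non-AD users, non-Windows clients and guests.
    if method == "POST":
        user = form.get("username", "")
        if user in LOCAL_USERS and hmac.compare_digest(LOCAL_USERS[user], form.get("password", "")):
            return 302, {"Location": original_url}, "", user
        return 200, {}, "Login failed. " + LOGIN_FORM, None

    # 3. First contact: challenge for Kerberos, but ship the form as the body so a
    #    browser that cannot do Negotiate still shows a usable login page.
    if transparent_kerberos and not auth:
        return 401, {"WWW-Authenticate": "Negotiate"}, LOGIN_FORM, None
    return 200, {}, LOGIN_FORM, None
```

The important design point is step 3: the challenge and the fallback form travel in one response, so SSO costs a domain user no extra round trip beyond the 401, and a guest never sees a bare "401 Unauthorized" page.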

Terminal Server Identity Agents

Terminal Server Identity Agents are used to identify users in a Terminal Server environment, such as application servers that host Microsoft Terminal Servers, Citrix XenApp and Citrix XenDesktop, where the traffic of many individual users originates from one IP address. The Terminal Servers solution is based on reserving a set of TCP/UDP ports for each user. Each user that is actively connected to the application server that hosts the Terminal/Citrix services is dynamically assigned a set of port ranges. The Identity Server receives that information. Then, when a user attempts to access a resource, the packet is examined and its source port is mapped to the user.

User authentication through the Terminal Server Identity Agent works differently from the Endpoint Identity Agent. For the Identity Server to trust the other end, a shared secret is used. This removes the possibility that a user could claim to be running a Terminal Server and report a false user. To deploy Terminal Servers, perform the following steps:

1. Install a Terminal Servers Identity Agent. Install this agent on the application server that hosts the Terminal/Citrix services after you enable the Terminal Servers identity source and install policy.
2. Configure a shared secret. Configure the same password on the Terminal Servers Identity Agent and on the Identity Server (the Security Gateway enabled with Identity Awareness). This password is used to establish trust between them. The shared secret must be eight characters in length and contain at least 1 number, 1 lowercase character, 1 uppercase character, and no more than three consecutive digits. In SmartConsole, it is possible to automatically generate a shared secret that matches these conditions.


The following points briefly explain how Terminal Server Identity Agents work:

- The Terminal Server Identity Agent installed on the Terminal Server tells the Identity Server how it will control the connections for each user. This information is later used when the traffic reaches the Identity Gateway.
- The Terminal Server Agent communicates with the gateway over SSL (usually port 443, unless configured differently).
- The Terminal Server Identity Agent installs a TDI driver that intercepts all requests from any process that requests a new connection. A TDI driver is an interface used to communicate with network transport protocols. Once the request reaches the TDI driver, it queries the system to fetch the user behind this new connection and chooses a source port from the pool of port ranges allocated for this specific user.
- Two different users have two different port range pools, allowing the Identity Gateway to distinguish between the different connection owners.
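The two lookups the gateway performs, AD Query's whole-address mapping and the Terminal Server agent's per-user port ranges, as one added example (not code from the manual or from Check Point): logon events learned through ADQ bind an IP address to one user, the terminal server agent reserves a source-port range per user on the server's shared address, and resolve() answers "which user owns this packet" by checking the port ranges first and falling back to the address mapping. The event fields, the event ID used for a successful logon (4624 in the Windows Security log), the session timeout and the range size are assumptions for the example.

```python
"""Identity table fed by AD Query logon events and Terminal Server port ranges."""

SESSION_TIMEOUT = 6 * 3600   # assumption: an ADQ identity expires after 6 hours
PORT_RANGE_SIZE = 1000       # assumption: ports reserved per terminal-server user
LOGON_SUCCESS_EVENT = 4624   # Windows Security log "An account was successfully logged on"


class IdentityStore:
    def __init__(self):
        self.by_ip = {}        # ip -> (user@domain, machine, learned_at)
        self.ts_ranges = {}    # terminal-server ip -> [(low_port, high_port, user), ...]

    # --- AD Query: learn an identity from a Security Event log entry -----------
    def learn_from_logon_event(self, event, now):
        """event: dict with the fields ADQ extracts (constructed format)."""
        if event.get("event_id") != LOGON_SUCCESS_EVENT:
            return False
        ip = event["source_ip"]
        if ip in self.ts_ranges:
            # The server's address is shared by all its users: a logon event from it
            # must not overwrite the per-user port mapping with one user.
            return False
        self.by_ip[ip] = (f"{event['user']}@{event['domain']}", event["machine"], now)
        return True

    # --- Terminal Server agent: reserve a port range for a user ----------------
    def allocate_ports(self, ts_ip, user):
        ranges = self.ts_ranges.setdefault(ts_ip, [])
        for low, high, owner in ranges:
            if owner == user:
                return (low, high)                    # already has a range
        next_low = max((high for _, high, _ in ranges), default=9999) + 1
        rng = (next_low, next_low + PORT_RANGE_SIZE - 1)
        ranges.append((rng[0], rng[1], user))
        self.by_ip.pop(ts_ip, None)                   # whole-IP identity is now meaningless
        return rng

    # --- Enforcement: map a packet's source to a user ---------------------------
    def resolve(self, src_ip, src_port, now):
        for low, high, user in self.ts_ranges.get(src_ip, []):
            if low <= src_port <= high:
                return user
        entry = self.by_ip.get(src_ip)
        if entry is None:
            return None
        user, _machine, learned_at = entry
        if now - learned_at > SESSION_TIMEOUT:
            del self.by_ip[src_ip]                    # stale: treat as unidentified
            return None
        return user
```

Note what the port-range check buys: a packet from the terminal server whose source port falls outside every reserved range (for example a service running as SYSTEM) resolves to no user at all rather than to whichever user happened to log on last.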

Endpoint Identity Agents

Endpoint Identity Agents are dedicated client agents installed on user computers that acquire and report identities to the Security Gateway. They authenticate to the Identity Server either with a username and password or with a Kerberos ticket. With Endpoint Identity Agents, you can require users to download the Endpoint Identity Agent from the Captive Portal. Administrators configure the agent, not the user. Connectivity is established through transparent authentication using Kerberos SSO when users are logged in to the domain. If the user does not want to use Kerberos SSO, they must enter their credentials manually. Users remain identified when they move between networks, as the client detects the movement and reconnects.

There are three different Endpoint Identity Agent types:

- Full Endpoint Identity Agent - This agent includes packet tagging and computer authentication. Packet tagging prevents a spoofed connection from passing through the Security Gateway. Full Endpoint agents require administrator permissions to install and apply to all users of the computer they are installed on.
- Light Endpoint Identity Agent - This agent does not include packet tagging or computer authentication, and does not require administrator permissions. It can be installed individually for each user on the target computer.
- Custom Endpoint Identity Agent - This agent allows custom features to be configured for all computers that use it.


Before you configure Endpoint Identity Agents, consider these elements:

- Installation deployment methods - Deploy the Endpoint Identity Agent for installation through the Captive Portal, or use other distribution methods currently used to deploy software in your organization.
- Server discovery and trust - Before the Endpoint Identity Agent can connect to a Security Gateway with Identity Awareness, the Endpoint Identity Agent must discover and trust the server it is connecting to.
- Automatic authentication using Single Sign-On (SSO) - Endpoint Identity Agents installed on endpoint computers authenticate users automatically when they log in to the domain using SSO. The Endpoint Identity Agent uses SSO to authenticate users when they enter their login credentials (AD or other authentication server). The system securely gets authentication data once, without making users authenticate manually, as is necessary with Captive Portal.

Endpoint Identity Agents are recommended for leveraging identity for Data Center protection, protecting highly sensitive servers, and when accurately detecting identities is crucial.


The following steps detail how a user downloads the Endpoint Identity Agent from the Captive Portal:

1. The user logs in to their computer using their credentials and wants to access the internal Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize the user and sends the user to the Captive Portal.
3. The Security Gateway sends a page to the user that shows the Captive Portal. It contains a link that can be used to download the Endpoint Identity Agent.
4. The user downloads the Endpoint Identity Agent from the Captive Portal and installs it on their computer.
5. The Endpoint Identity Agent client connects to the Security Gateway. If Kerberos SSO is configured, the user is automatically connected.
6. The user is authenticated and the Security Gateway sends the connection to its destination according to the Firewall Rule Base.

(Diagram: the user's computer, the Security Gateway and the AD Domain Controller. The gateway redirects the unidentified user to the Captive Portal, the user installs the Endpoint Identity Agent, and the agent then authenticates to the gateway.)
Figure 108 — Endpoint Identity Agent Example

RADIUS
In environments where authentication is handled by a RADIUS server, configure a Security Gateway with Identity Awareness to use RADIUS (Remote Authentication Dial-In User Service) Accounting to get user and computer identities directly from the RADIUS Accounting client, which is a host with RADIUS client software installed. For identity acquisition the Security Gateway is the destination of the client's accounting messages: it accepts the Accounting-Request packets the client sends, and Identity Awareness uses the information in them to apply access permissions to the connection.

RADIUS Accounting gets identity data from requests generated by the accounting client. When RADIUS is also used as an authentication scheme, the Security Gateway acts as a RADIUS client and forwards authentication requests by remote users to the RADIUS server, which stores user account information. Identity Awareness uses the data from the accounting requests to get user and device group information from the LDAP server. The server authenticates the user, and Firewall rules apply permissions to users, computers and networks. The Security Gateway lets you control access privileges for authenticated users, based on the administrator's assignment of users to RADIUS groups.

The RADIUS protocol uses UDP to communicate with the gateway (by convention port 1812 for authentication and 1813 for accounting). RADIUS servers and server group objects are defined in SmartConsole. Because an accounting message is what creates an identity, the shared secret between the accounting client and the gateway is the only thing that stops another host on the network from injecting an Accounting-Request that binds an IP address to a privileged user; choose it accordingly.
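How the gateway can validate an accounting message before trusting the identity in it, as an added example (not code from the manual or from Check Point): per RFC 2865/2866 a RADIUS packet is Code, Identifier, Length, a 16-byte Authenticator and a list of Type/Length/Value attributes, and for an Accounting-Request (code 4) the Authenticator is MD5 over the header, sixteen zero bytes, the attributes and the shared secret. The parser below rebuilds that digest and rejects a packet whose Authenticator does not match, then extracts User-Name (1), Framed-IP-Address (8), Calling-Station-Id (31) and Acct-Status-Type (40) and applies Start/Stop to an IP-to-user table. The packet, secret and user are constructed for the example.

```python
"""RADIUS Accounting-Request verification and identity extraction (RFC 2866)."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP = 1, 2


def build_accounting_request(identifier, attrs, secret):
    """attrs: list of (type, value bytes). Returns a correctly authenticated packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator and return the identity-relevant fields.

    Raises ValueError for malformed packets and for packets not signed with `secret`.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")

    attrs, pos = {}, 0
    while pos < len(body):                       # walk the TLV attribute list
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("bad attribute length")
        attrs[t] = body[pos + 2:pos + l]
        pos += l
    try:
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        return {
            "identifier": identifier,
            "user": attrs[ATTR_USER_NAME].decode(),
            "ip": str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP])),
            "status": {STATUS_START: "start", STATUS_STOP: "stop"}.get(status, "other"),
            "calling_station": attrs.get(ATTR_CALLING_STATION_ID, b"").decode(),
        }
    except (KeyError, struct.error, ipaddress.AddressValueError) as exc:
        raise ValueError(f"missing or malformed attribute: {exc}")


def apply_to_identity_table(table, record):
    """Start binds the IP to the user; Stop removes the binding (identity logout)."""
    if record["status"] == "start":
        table[record["ip"]] = record["user"]
    elif record["status"] == "stop" and table.get(record["ip"]) == record["user"]:
        del table[record["ip"]]
    return table
```

Because the Authenticator covers the attributes, changing a single byte of the User-Name or Framed-IP-Address after the fact fails verification, as does a packet built with a different secret; both cases are rejected before any identity is created.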

Remote Access
For users who access the organization through VPN, the Remote Access identity source must be set to identify Mobile Access and IPSec VPN clients in Office Mode. Identities are acquired for Mobile Access clients and IPSec VPN clients configured in Office Mode when they connect to the Security Gateway. This option is enabled by default. Users who get access using IPSec VPN can authenticate seamlessly. If more than one Security Gateway enabled with Identity Awareness shares identities with the others and has Office Mode configured, each gateway must be configured with different Office Mode ranges, so that an Office Mode address maps to exactly one gateway's user.


How to Choose an Identity Source


The following table presents some examples of how to choose identity sources when Identity Awareness is enabled for different organizational requirements.

Identity source(s)                                    Recommended for
AD Query                                              Logging and auditing, or basic enforcement.
AD Query and Browser-Based Authentication             Application Control. AD Query finds all AD users and computers; Browser-Based Authentication is necessary to include all non-Windows domain users and acts as a catch-all option to AD Query.
                                                      Data Center and internal server protection. Use both options when most users are desktop users and easy deployment is necessary. Endpoint Identity Agents may be added for mobile users. Users not identified are redirected to the Captive Portal.
Endpoint Identity Agents and Browser-Based            When a higher level of security is necessary. The Captive Portal is used for distributing the Endpoint Identity Agent. To prevent packets from being IP spoofed, set IP Spoofing protection.
Authentication
Terminal Servers Identity Agent                       Windows Terminal Servers and Citrix environments.
RADIUS                                                Environments that use a RADIUS server for authentication. Make sure the Security Gateway is configured as the RADIUS Accounting client's target, and give it access permissions and a shared secret.
Remote Access                                         Users that access the organization via VPN. Set the Remote Access identity source to identify Mobile Access and IPSec VPN clients that work in Office Mode.
Table 15: Choosing Identity Sources

NOTE
The Identity Awareness Configuration Wizard cannot be used to configure
multiple Security Gateways at the same time or to configure Endpoint
Identity Agent and Remote Access acquisitions.


Identity Sharing

Multiple Security Gateways enabled with Identity Awareness can acquire and share identities
with other Security Gateways. For example, a complex data center environment with several
gateways may use Endpoint Identity agent authentication on two different gateways to balance
the load. Identities learned from agents enabled on the two gateways are then shared between
all Security Gateways in the network. To define a list of Security Gateways between which
identities are shared, go to Gateway properties and select Get identities from other gateways in
the Identity Awareness tab, and then select the Security Gateways to obtain identities from.

There are two Identity Awareness CLI commands which support identity sharing; PDP and
PEP. Policy Decision Point (PDP) is the process on the Security Gateway responsible for
collecting and sharing identities. Policy Enforcement Point (PEP) is the process responsible for
enforcing network access restrictions. PEP decisions are made based on the identity data
collected from the PDP.


Managing Users
Centrally managing user information ensures that only authorized users securely access the
corporate network.

SmartConsole and User Database

Users defined in SmartConsole are saved to the User Database on the Security Management Server, together with the user authentication schemes and encryption keys. The User Database is then installed on the Security Gateway when the policy is installed, and on Check Point hosts with an active management blade, such as a Log Server. To install the User Database on selected targets, log in to SmartConsole and, from the menu options, select Install Database.

The User Database does not contain information about users defined outside of the Security Management Server; however, it does contain information about the external groups themselves. For example, the User Database does not contain information about users in external User Directory groups, but it does contain information on which Account Unit the external group is defined. Changes to external groups take effect only after the policy is installed, or the User Database is downloaded from the Security Management Server.

LDAP and User Directory

LDAP is the most widely accepted directory-access method. One of the reasons it is the obvious choice for so many vendors is its cross-platform compliance. LDAP is used by many different operating systems and servers. When integrated with Check Point Security Management, LDAP is referred to as User Directory.

Integrating LDAP with Check Point User Directory allows the following:

- Users can be managed externally by a User Directory (LDAP) server.
- The Security Management Server can use the LDAP data to authenticate users.
- User data from other applications gathered in the LDAP users database can be shared by different applications.

To illustrate, when deployed with a User Directory server, the Security Management Server and the Security Gateways function as User Directory clients. The Security Management Server integrates the user information on the User Directory server, and the Security Gateway uses the data to query user information, retrieve CRLs and authenticate users.

Listed below are some of the key features of User Directory.

- LDAP is based on a client/server model in which an LDAP client makes a TCP connection to an LDAP server.
- Each entry has a unique Distinguished Name (DN).
- Default port numbers are 389 for standard connections and 636 for SSL connections.

- Each LDAP server can consist of one or more Account Units.
- User Directory is enhanced with LDAP's High Availability replication feature, which is used to duplicate user data across multiple servers.
- Encrypted and non-encrypted connections: connections between the clients (i.e., Security Management Server, Security Gateways) and the User Directory servers are conducted using SSL or in the clear.
- Support is provided for multiple LDAP vendors using User Directory Profiles.

Local User Management versus User Directory

It is important to understand how managing users internally differs from incorporating LDAP users with User Directory. First, user management in User Directory is handled externally and not locally. Secondly, User Directory server templates, unlike internal user templates, can be modified and applied to users dynamically. This means that user definitions are easy to change and manage. Changes that are applied to a User Directory template are reflected immediately for all users who are using that template.

Distinguished Name

A DN is a globally unique name for an entry, constructed by listing the entry's Relative Distinguished Names (RDNs) from the lowest level of the hierarchical structure up to the root; each component of the DN is an RDN. A DN includes elements such as a Common Name (CN), Organizational Unit (OU), organization name, and country.

(Diagram: a directory tree whose leaf entry is CN John Brown, below the organizational unit, organization and country entries.)
Figure 109 — Distinguished Name



For example, if searching for the name John Brown, the search path would start with John Brown's CN. You would then narrow the search to the organization he works for and then to the country. If John Brown works for ABC Company, one possible DN is shown below:

cn=John Brown,ou=Marketing,o=ABC Company,c=US

This can be read as, "John Brown, in Marketing, of ABC Company, in the United States".

NOTE
Naming attributes such as o=organization name and c=country/region name are recognized by LDAP but are not used in Active Directory, which names its domain with dc= components instead (for example dc=abc,dc=example).
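Parsing a DN into its RDNs, as an added example (not code from the manual or from Check Point): the splitter honours RFC 4514 backslash escapes, so a comma inside a value such as "Brown\, John" is not taken as a separator, describe() renders the "read as" form used above and collapses Active Directory's dc= components into a domain name, and escape_value() is what you need when building a DN or search base from user-supplied input rather than concatenating it. The sample DNs are constructed.

```python
"""RFC 4514 Distinguished Name parsing, rendering and escaping."""

SPECIAL = set('",+;<>\\')   # characters that must be escaped inside an RDN value


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first, root last."""
    rdns, attr, value = [], [], []
    in_attr, escaped = True, False
    for ch in dn:
        target = attr if in_attr else value
        if escaped:                       # character after a backslash is literal
            target.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and in_attr:
            in_attr = False
        elif ch == ",":                   # unescaped comma separates RDNs
            if in_attr:
                raise ValueError("RDN without '=': %r" % "".join(attr))
            rdns.append(("".join(attr).strip().lower(), "".join(value).strip()))
            attr, value, in_attr = [], [], True
        else:
            target.append(ch)
    if escaped or in_attr:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append(("".join(attr).strip().lower(), "".join(value).strip()))
    return rdns


def escape_value(value):
    """Escape an attribute value so it can be embedded in a DN verbatim."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in SPECIAL or leading or trailing else ch)
    return "".join(out)


def join_dn(rdns):
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in rdns)


def parent_dn(dn):
    """The DN of the entry one level closer to the root."""
    return join_dn(parse_dn(dn)[1:])


def describe(dn):
    """Render the DN the way the text reads it: 'John Brown, in Marketing, ...'."""
    parts, dcs = [], []
    for attr, val in parse_dn(dn):
        if attr == "dc":
            dcs.append(val)                # AD domain components become one name
        elif attr == "cn":
            parts.append(val)
        elif attr in ("ou", "c"):
            parts.append("in " + val)
        elif attr == "o":
            parts.append("of " + val)
        else:
            parts.append(attr + "=" + val)
    if dcs:
        parts.append("of " + ".".join(dcs))
    return ", ".join(parts)
```

Order matters when you walk a tree: parse_dn() returns the leaf first because that is how the DN is written, so the search described in the text (start at the CN, widen to OU, organization, country) is simply an iteration over the list.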

Using Multiple LDAP Servers

There are several advantages to using more than one LDAP server. With multiple LDAP
servers, you achieve compartmentalization by allowing a large number of users to be
distributed across several servers, gain High Availability by replicating the same information
on several servers and you also achieve a faster access time by placing LDAP servers
containing the database at remote sites.

If there is an existing LDAP User Database, integration with the Security Gateway is relatively
simple. The LDAP server maintains all user information, including login name and password.
Addition and deletion of users is performed on the LDAP server.

LDAP Groups

LDAP groups are created to classify users. The groups are then applied in Security Policy rules. An LDAP group can be defined in SmartConsole using the Object Explorer feature or through the Objects menu. Only those users who match the defined criteria are included as members of the LDAP group. For instance, you can include all users defined in the selected Account Unit as part of the User Directory group, only members of a specified branch, or only members of a specified group on the branch.


The User Directory Schema

The User Directory default schema is a description of the structure of the data in a User Directory. It has user definitions defined for an LDAP server. The schema does not have Security Management Server or Security Gateway specific data, such as IKE-related attributes, authentication schemes or values for remote users.

Authenticating with Certificates

The Security Management Server and Security Gateways can use certificates to secure communication with LDAP servers. If you choose not to configure certificates, the Security Management Server, Security Gateways and LDAP servers communicate without authenticating each other, so the clients have no way to detect a server that is not the intended one.

NOTE
The User Directory on a management-only server cannot be configured to authenticate to an LDAP server using certificates. Management-only servers do not have an IPSec VPN option included in the Network Object Properties window.

User Directory Profiles

Use User Directory Profiles to make sure that the user management attributes of a Security Management Server are correct for its associated LDAP server. The User Directory profile is a configurable LDAP policy that lets you define more exact User Directory requests and enhances communication with the server. For example, if you have a certified OPSEC User Directory server, apply the OPSEC_DS profile to get enhanced OPSEC-specific attributes. Profiles control most of the LDAP server-specific knowledge.


Retrieving Information from a User Directory Server

When a gateway requires user information for authentication, it goes through the following process:

1. The gateway searches for the user in the internal users database.
2. If the specified user is not defined in the internal users database, the gateway queries the LDAP server defined in the Account Unit with the highest priority.
3. If the query against the LDAP server with the highest priority fails, the gateway queries the server with the next highest priority.
4. If the query against all LDAP servers fails, the gateway matches the user against the generic external user profile.

Managing Users on a User Directory Server

Using SmartConsole, you can manage information about users and OUs that are stored on the LDAP server. Users and user groups in the Account Unit show in the same tree structure as on the LDAP server. User Directory users can be viewed in the LDAP Groups folder.


Authenticating Users
Security Gateways authenticate individual users using credentials and manage them using different authentication schemes. Check Point authentication features allow you to verify the identity of users logging in to the Security Gateway and control security by allowing access for valid users and refusing access for others.

Authentication Schemes
The authentication process begins with a fetch or query to the user database to locate the user. The method of authentication is determined once the user is located. The user is authenticated according to the defined authentication scheme and then authorized for access. All authentication schemes require a username and password (or equivalent secret) to identify valid users. Some schemes store usernames and passwords on the gateway itself, while others store them on external servers. Individual users must be added to user groups that are defined in the Security Gateway's internal user database or on an LDAP server before authentication rules are defined for those groups. Authentication rules are defined for user groups, not individual users.

Check Point supports these user authentication schemes:

- Check Point Password - The Security Gateway can store a static password in the local user database for each user configured in the Security Management Server. No additional software is required.
- Operating System Password - The Security Gateway can authenticate using the user name and password that is stored on the operating system of the machine on which the Security Gateway is installed.
- RADIUS - An external authentication scheme that separates the authentication function from the access server.
- SecurID - SecurID requires users to possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/Server and may come in the form of hardware or software. When a user attempts to authenticate to a protected resource, the one-time-use access code must be validated by the ACE/Server. ACE manages the database of RSA users and their assigned hardware or software tokens. (For additional information on agent configuration, refer to the ACE/Server documentation.)


- TACACS - Terminal Access Controller Access Control System (TACACS) is an external authentication scheme that provides verification services. It provides access control for routers, network access servers and other networked devices through one or more centralized servers. Using TACACS, the gateway forwards authentication requests by remote users to a TACACS server. The TACACS server, which stores user account information, authenticates users. The system supports card-key devices or token cards and Kerberos authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to ensure secure communication.
- Undefined - Undefined means that either no authentication is performed and access is always denied, or IKE authentication is used. IKE authentication supports IPSec VPN clients. If a user with an undefined authentication scheme is matched to a rule with some form of authentication, access is always denied.


Managing User Access

Managing internal and external user network access is easily achieved in SmartConsole.

Access Roles
Access roles are objects that allow you to configure network access according to:

- Networks
- Users and user groups
- Computers and computer groups
- Remote access clients

(Screenshot: the Access Role wizard with its Networks, Users, Machines and Remote Access Clients pages. The Remote Access Clients page enforces the selected settings when users connect remotely; Allowed Clients is set to Any.)
Figure 110 — Access Role Wizard

After Identity Awareness has been activated, you can create access role objects and use them in the Source and Destination columns of Access Control policy rules. An example would be a rule that allows file sharing between the IT department and the Sales department access roles.

(Rule shown in the figure, legible columns only: No. 1; Name: File sharing; Source: IT_dept; Destination: Sales_dept; VPN: Any; Action: Accept; Track: Log.)
Figure 111 — Sample Access Policy Rule with Access Role Objects

Before you add Active Directory users, machines or groups to an access role, make sure there is LDAP connectivity between the Security Management Server and the AD server that holds the management directory.


Rule Base
Using Identity Awareness, you can define a policy rule for specified users who send traffic from specified computers or from any computer. In rules whose source is an access role object, you can enable the Captive Portal option on the Accept action in the Action column. When that option is set and the source identity is unknown and the traffic is HTTP, the user is redirected to the Captive Portal instead of simply not matching the rule.
The following is an example of a rule that redirects the user to the Captive Portal.

(Rule shown in the figure: Source: an access role; Destination: a Sales network object; VPN: Any; Services & Applications: Any; Action: Accept with Captive Portal enabled; Track: Log.)
Figure 112 — Rule Base Redirect to Captive Portal

Captive Portal for Guest Access

Captive Portal (Browser-Based Authentication) is a simple method that authenticates users through a web interface before granting them access to the Internet and other corporate resources. An administrator can use Captive Portal to allow Internet access to guests of the company. To do so, a rule must be created in the Rule Base to allow the unauthenticated guests Internet-only access from an unmanaged device.
When the guest browses to the Internet, Captive Portal opens. The guest enters the required details, such as their name, company, email address and phone number, in the portal. The guest must then agree to the terms and conditions written in a network access agreement. Afterwards, the guest is provided access to the Internet for a specified period of time.
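First-match evaluation of rules whose sources are access roles, as an added example (not code from the manual or from Check Point): an access role matches on network alone, or on network plus user, group or machine; a rule whose role needs an identity cannot match traffic the gateway has not identified, and only when that rule's Accept action has Captive Portal enabled and the traffic is HTTP (port 80 here, as the text says) does the verdict become a redirect. The roles, rules and identity table are constructed for the example; the Guests role is the network-only role the guest-access paragraph describes.

```python
"""First-match Access Control evaluation with Access Role sources."""
import ipaddress


class AccessRole:
    def __init__(self, name, networks=("0.0.0.0/0",), users=(), groups=(), machines=()):
        self.name = name
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.users, self.groups, self.machines = set(users), set(groups), set(machines)

    def in_network(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def needs_identity(self):
        return bool(self.users or self.groups or self.machines)

    def matches(self, ip, identity):
        if not self.in_network(ip):
            return False
        if not self.needs_identity():
            return True                       # network-only role, e.g. a guest subnet
        if identity is None:
            return False                      # gateway holds no identity for this IP
        return (identity.get("user") in self.users
                or bool(self.groups & set(identity.get("groups", ())))
                or identity.get("machine") in self.machines)


def evaluate(rules, conn, identities):
    """Return (verdict, rule name) for conn = {"src": ip, "dst": ip, "dport": int}."""
    identity = identities.get(conn["src"])
    dst = ipaddress.ip_address(conn["dst"])
    for rule in rules:                        # rules are ordered; first match wins
        if dst not in ipaddress.ip_network(rule["destination"]):
            continue
        if rule["service"] != "any" and conn["dport"] not in rule["service"]:
            continue
        role = rule["source"]
        if role.matches(conn["src"], identity):
            return rule["action"], rule["name"]
        # The rule would apply to this source network, but the user is unknown:
        # with Captive Portal enabled on Accept, HTTP is redirected to the portal.
        if (identity is None and role.needs_identity() and role.in_network(conn["src"])
                and rule["action"] == "accept" and rule.get("captive_portal")
                and conn["dport"] == 80):
            return "redirect to Captive Portal", rule["name"]
    return "drop", "Cleanup"                  # implicit cleanup rule
```

Note the asymmetry this produces: an unidentified host on the Sales network gets redirected for web traffic, but its SMB traffic to the IT rule is simply dropped, because there is no browser to redirect and the File sharing rule has no portal option.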


Review Questions
1. What is the purpose ofldentity Awareness?

2. What is the difference between an Endpoint Identity Agent and a Terminal Server Identity
Agent?

3. How do Access Roles work within a Rule Base?

Working with ClusterXL

Ensuring that Security Gateways and VPN connections are kept alive in a corporate network is critical to maintaining a smoothly running network. The failure of a Security Gateway or VPN connection can result in the loss of active connections. Many of these connections, such as financial transactions, can be mission critical, and losing them results in the loss of critical data. ClusterXL provides an infrastructure that does not lose data in case of a system failure. The cluster is a group of identical and connected Security Gateways. It guarantees that if one fails, another immediately takes its place.

Learning Objectives

- Understand the basic concepts of ClusterXL technology and its advantages.



Overview of ClusterXL
ClusterXL is a Check Point software-based cluster solution that provides Security Gateway
redundancy and Load Sharing. It provides an infrastructure to ensure that data is not lost.
ClusterXL uses State Synchronization to keep active connections alive and prevent data loss
when a member fails. With State Synchronization, each member knows about the connections that
go through the other members.

ClusterXL consists of clusters and cluster members. A cluster is two or more Security
Gateways configured to act as one unit. Each Security Gateway in a ClusterXL cluster is
identical and connected in such a way that if one fails, another immediately takes its place. The
cluster is one object in SmartConsole. Network traffic can be processed by one cluster member
or shared between the Security Gateways in the cluster. The gateways can be configured to
provide redundancy to prevent network downtime. Up to eight cluster members are supported
in ClusterXL. During this chapter, we will focus only on two-member ClusterXL deployments.

Figure 113 — Two-Member Cluster

Each Security Gateway in the cluster is called a cluster member. A cluster member that is
processing traffic has an Active status. A cluster member that is not receiving any traffic has a
Standby status. The Cluster Control Protocol (CCP) connects and binds the cluster members to
each other. It passes synchronization and other information between the cluster members. CCP
is used specifically for clustered environments to allow gateways to report their own states and
learn about the states of other members in the cluster.


The CCP maintains a heartbeat between cluster members to announce that the cluster members
are up and processing network traffic. If, after a predefined time, no message is received
from a cluster member, that member is assumed to be down and a failover occurs. At this point,
another cluster member automatically assumes the functionality of the failed member.
ClusterXL supplies an infrastructure that ensures no data is lost in case of a system failure.

NOTE
Cluster Control Protocol (CCP) is a Check Point proprietary protocol. It is
located between the Check Point Kernel and the Network Interface.


ClusterXL Topology
ClusterXL uses unique physical IP and MAC addresses for the cluster members and virtual IP
addresses to represent the cluster itself. The virtual IP addresses do not belong to a physical
interface on a server or appliance. Each cluster member has at least three interfaces: one external
interface, one internal interface, and one for synchronization. Cluster member interfaces facing
in each direction are connected via a switch, router, or VLAN switch. All cluster member
interfaces facing the same direction must be in the same network; for example, there must not
be a router between cluster members. The Security Management Server can be located
anywhere, as long as it can route to either the internal or the external cluster addresses.

All Check Point software components must be identical on all cluster members. This means
that identical software blades and features must be enabled on all cluster members. If
ClusterXL is installed on Check Point appliances, it can be installed in a configuration in
which the cluster members and the Security Management Server are installed on different
machines, or in a configuration in which the cluster members and the Security Management
Server are installed on the same machines. If ClusterXL is installed on Open Servers, then it
must be installed in a distributed configuration, in which the cluster members and the Security
Management Server are installed on different machines.

Figure 114 — Cluster XL Deployment


ClusterXL Deployments
Check Point ClusterXL provides both High Availability and Load Sharing solutions. High
Availability ensures gateway and VPN connection redundancy for transparent failover
between machines. There is a redundant standby cluster member and only one cluster member
is active at a time. If there is a problem with the active cluster member, a standby member
becomes active. This is referred to as an Active/Standby cluster.

Load Sharing provides reliability and enhances performance because all cluster members are
active and traffic is shared between them. This is referred to as an Active/Active cluster. Load
Sharing is discussed in more detail in the CCSE course.

High Availability Deployment


High Availability provides the ability to maintain a network connection when there is a failure
of the active Security Gateway, or when it is taken down for maintenance. A failure occurs when a hardware
or software problem causes a machine to be unable to filter packets. When this happens,
another cluster member takes over the connections from the active member. In a synchronized
cluster, the standby cluster members are continuously updated with the state of the connections of the active
cluster member.

NOTE
This chapter only discusses High Availability clusters for Security
Gateways. It is also possible to create a High Availability cluster for the
Security Management Server which is called Management High
Availability and is covered in the CCSE course.

In SmartConsole, there are two tabs in the Gateway Cluster Properties window that are used to
configure the settings for a High Availability cluster: Cluster Members and ClusterXL.


Configuring Member Priority


The Cluster Members tab displays each Security Gateway that is a member of this cluster. It is
also used to configure the priority for each cluster member. Gateway Cluster members are
listed in SmartConsole by priority. The highest priority member is the active cluster member
by default. If this member fails, control is passed to the next highest priority member. If that
cluster member fails, control is passed to the next highest priority member, and so on. The
cluster member at the top of the list has the highest priority. Cluster member priority rankings
can be modified at any time.

Figure 115 — Configure Cluster Member Priority


Configuring High Availability

The ClusterXL tab is used to configure the cluster for a High Availability or Load Sharing
deployment. There are two High Availability modes available: New and Legacy. ClusterXL
High Availability New mode designates one of the cluster members as the Active machine,
while the rest of the members are in Standby mode. Legacy mode is not supported on Gaia,
therefore it will not be covered in this course. In a High Availability configuration, the
behavior must be defined for when the failed Active member in a cluster recovers. The
options are:

- Maintain current active Cluster Member: Select this option if the lower priority
  cluster member that took over should continue as the active gateway. This means that the
  member that was in Standby mode prior to the failover remains Active and stays in control
  when the failed member recovers. This option is referred to as Active Up and is recommended
  if all members in the cluster are equally capable of processing traffic, because it avoids a
  second failover when the recovered member comes back.
- Switch to higher priority Cluster Member: Select this option if a higher priority
  member that failed should become the active cluster member again. This means that the
  Security Gateway with the highest priority regains control from the lower priority
  member once it recovers, and the lower priority gateway returns to Standby mode.
  Referred to as Primary Up, this option is recommended if one member is better
  equipped for handling connections.


Figure 116 — Configure High Availability Settings in the ClusterXL Tab
If State Synchronization is enabled, open connections are recognized by the new Active
machine and are handled according to their last known state. ClusterXL in High Availability
New mode combined with State Synchronization can maintain connections through failover
events in a user-transparent manner, allowing a seamless connectivity experience.


Failovers
If there is a problem with a cluster member and it can no longer process network traffic, all
traffic fails over to the next priority cluster member. In an Active/Standby High Availability
deployment, the status of the existing connections depends on whether or not the cluster is
synchronized.

A failover takes place when one of the following situations occurs on the active cluster
member:

- Hardware or software fails.
- The Security Policy is not installed.
- Planned maintenance.

As a network security professional, ensuring that Security Gateways and VPN connections are
kept alive in a corporate network is critical to maintain a smoothly running network. The
failure of a Security Gateway or VPN connection can result in the loss of active connections
and access to critical data.

Performing a Manual Failover


In some circumstances, it may be necessary to manually cause a cluster member to fail over.
Use SmartView Monitor to stop ClusterXL on a Security Gateway and cause a failover. In
SmartView Monitor, right-click the cluster member and select Cluster Member >
Stop Member.

Figure 117 —- Initiating a Failover in SmartView Monitor



Synchronizing Cluster Connections


Cluster members can be configured to synchronize the active connections for the Security
Gateway. Check Point State Synchronization is the tool responsible for passing information
and data about connections and other Security Gateway states between the cluster members.

NOTE
There are several restrictions when using State Synchronization in a
network. For example, all the cluster members must use the same platform
and software version. These details are covered in the CCSE course.

Securing the Sync Interface


Since the synchronization network carries the most sensitive Security Policy information in the
company, it is critical to protect this network against both malicious and unintentional threats.
We recommend securing the interfaces used for synchronization with a dedicated sync
network. Alternatively, it is possible to connect the physical network interfaces of the cluster
members directly with a cross-over cable. For clusters that have three or more cluster
members, use a hub or switch to secure the synchronization network.

Clock Synchronization
When working with CIusterXL, make sure to synchronize the clocks of all of the cluster
members. CIusterXL operation relies on internal timers and calculation of internal timeouts.
Clock synchronization can be done manually or through a network protocol, such as NTP.
Some features, such as VPN, only function properly when the clocks of all of the cluster
members are synchronized.


Monitoring a Cluster
In order to ensure that clusters and cluster members are operating correctly, use SmartView
Monitor or run the cphaprob state command from the CLI.

SmartView Monitor
SmartView Monitor shows information and details for all Security Gateways in the network,
including the cluster members. It provides real-time monitoring and alerts. For each cluster
member, the window shows state change and critical device problem notifications. Monitor the
status of a cluster member in SmartView Monitor by right—clicking the Security Gateway and
selecting Gateway Details. The Member State field shows if the cluster member is Up and
active, or Down and standby, or Failed.

Figure 118 — Cluster Member Status in SmartView Monitor


Running cphaprob state


The cphaprob command is used to monitor cluster members and to define the critical
devices and processes whose failure triggers a failover. Log in to the Security Gateway CLI and run
cphaprob state to show the state of that cluster member and of its peers.

Figure 119 — Sample Output of cphaprob state

To check the status of the cluster member, use the following command:

# cphaprob state

To bring the cluster member up:

# clusterXL_admin up

To bring the cluster member down (this forces a failover to the next priority member):

# clusterXL_admin down
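As an added example that is not part of the Check Point manual, the following POSIX shell script parses the member table printed by cphaprob state and reports whether a High Availability cluster still has exactly one Active member with every other member in Standby. The two sample outputs are constructed to resemble the R80 layout (member rows begin with the member number and end with the state); column layout and state names vary between releases, so verify them against the output of your own gateway before relying on the parser. The function names cluster_states, member_state, cluster_healthy and check_live are the example's own, not Check Point commands.

```shell
#!/bin/sh
# Added example: health check over the member table of `cphaprob state`.
# The sample outputs below are CONSTRUCTED to resemble R80 output; the real
# layout on your release may differ (check it with `cphaprob state`).

SAMPLE_HEALTHY='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.10.10.1      100%            Active
2          10.10.10.2      0%              Standby
'

# Constructed: member 2 has failed, so the cluster has lost its redundancy.
SAMPLE_DEGRADED='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.10.10.1      100%            Active
2          10.10.10.2      0%              Down
'

# cluster_states OUTPUT: prints one "<member number><TAB><state>" line per member.
# Member rows start with a number; the state is whatever follows the load column,
# which keeps multi-word states such as "Active Attention" intact.
cluster_states() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+[ \t]/ {
      n = $1
      s = $0
      sub(/^.*%[ \t]+/, "", s)   # drop everything up to and including the load
      sub(/[ \t]+$/, "", s)      # trim trailing whitespace
      print n "\t" s
    }'
}

# member_state OUTPUT NUMBER: prints the state of one member (empty if absent).
member_state() {
  cluster_states "$1" | awk -F'\t' -v want="$2" '$1 == want { print $2 }'
}

# cluster_healthy OUTPUT: succeeds only if exactly one member is Active and every
# other member is Standby. Down, Ready, Init or any Attention state fails the check.
cluster_healthy() {
  cluster_states "$1" | awk -F'\t' '
    $2 == "Active"                    { active++ }
    $2 != "Active" && $2 != "Standby" { bad++ }
    END { if (active == 1 && bad == 0) exit 0; exit 1 }'
}

# check_live: on a Gaia gateway, run the check against live output. Returns 2 when
# cphaprob is not present (not a Check Point gateway), 1 when the cluster is degraded.
check_live() {
  command -v cphaprob >/dev/null 2>&1 || return 2
  out=$(cphaprob state)
  if cluster_healthy "$out"; then
    echo "cluster OK"
  else
    echo "cluster DEGRADED:" >&2
    printf '%s\n' "$out" >&2
    return 1
  fi
}

# Demonstration against the constructed samples.
cluster_healthy "$SAMPLE_HEALTHY"  && echo "healthy sample: OK"
cluster_healthy "$SAMPLE_DEGRADED" || echo "degraded sample: member 2 is $(member_state "$SAMPLE_DEGRADED" 2)"
```

Run it from Expert mode on a member, or from a monitoring host that collects the output of cphaprob state over SSH and passes it to cluster_healthy; because check_live returns 2 where cphaprob is absent, the same script can be used to post-process saved output off the gateway.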


Review Questions
1. Describe Check Point CIusterXL High Availability.

2. How can you monitor the state of the cluster members?

Chapter 9: Administrator Task Implementation

Basic network monitoring is part of an administrator's daily routine. Although there are
many aspects of the network to monitor, there are some tasks that may only require
occasional implementation. This chapter provides a brief overview of features that help
administrators see whether their security environments are compliant with industry policy and
regulations, and quickly view general system information. The Compliance software
blade is an integral part of monitoring the network's compliance with security standards.
CPView is a utility used to retrieve basic gateway status information.

Learning Objectives

- Understand how to perform periodic administrator tasks as specified in administrator job descriptions.

Compliance Software Blade


One important task of a System Administrator is determining if their network is compliant with
widely accepted best practices and identifying policy and configuration weaknesses in order to
prevent security breaches. Couple these tasks with the constantly evolving configuration and
policy settings and these tasks quickly become daunting, time consuming, complex and costly.

With an increase in auditing and compliance requirements and stakeholders demanding that
monitoring be performed continuously, administrators need to be able to analyze and provide
reports on their network efficiently and in a timely manner that does not compromise their
other day-to-day tasks.

The Compliance software blade is used to continuously scan the Security Policy and
configuration settings defined within the Check Point software blades, Security Gateways and
Security Management Server. It identifies configuration weaknesses and errors, making them
available for remediation.

Figure 120 — Compliance Overview


Best Practices
A library of best practices is used to optimally configure software blades and management
settings, allowing companies to monitor and compare their environment against vendor and
security recommendations. These best practices are based on security considerations and
defined by security experts. However, companies may create their own set of best practices.

The Compliance software blade compares policy and configuration changes against best
practices before any changes are installed, which means System Administrators are able to
identify compliance issues before the policy is installed. This is accomplished through on-screen
security alerts. Auditing and compliance reporting requirements are easily
accomplished with predefined reports.

Figure 121 — Regulatory Compliance


Best practices are used to examine compliance with the following standards:

ISO 27001 (International)
    Standards for the implementation of Information Security Management Systems (ISMS).
    This standard includes 133 control objectives that cover organizational security
    architecture.
ISO 27002 (International)
    Supplemental controls and best practices for implementation of Information Security
    Management Systems (ISMS). This standard includes detailed control objectives that are
    applicable to certain industries.
HIPAA Security (USA)
    Health Insurance Portability and Accountability Act of 1996. These regulations require
    government agencies, insurers and health care providers to protect all data that they
    collect, maintain or use.
PCI DSS 2.0 (USA)
    Industry standards for transmission, processing and storage of credit card data.
DSD (Australia)
    Military data security regulations and standards.
GLBA (USA)
    Gramm-Leach-Bliley Act. These regulations include financial privacy guidelines and
    safeguards related to information security.
NIST 800-41 (USA)
    National Institute of Standards and Technology guidelines for firewalls and firewall
    policies.
NIST 800-53 (USA)
    National Institute of Standards and Technology recommended security controls for federal
    government information systems and organizations.
UK Data Protection Act (UK)
    British data security standards.
CobiT 4.1 (USA)
    Information technology governance framework that includes control requirements,
    technical issues and business risks.
Table 16: Standards and Descriptions


To activate or deactivate a regulation:

1. Click the Manage & Settings tab.
2. Select Blades.
3. Click the Settings button under the Compliance section.
4. Activate or deactivate a regulation by clicking the checkbox next to the regulation.

Best Practice Tests, Alerts and Action Items


A best practice test details compliance status and recommends corrective action. There are two
types of tests: global and object»based. Global tests examine configuration settings for the
entire organization. Object-based tests examine the configuration settings for particular
objects, such as gateways and profiles.

When a best practice test detects a degradation of the compliance status, such as when a rule is
changed, an alert is displayed with the following details of the issue:

- Corresponding software blade
- ID
- Name and description of the best practice
- Compliance status
- What the test looks for
- Action item and due date
- Dependency on other security best practices
- Relevant objects
- Relevant regulatory requirements


An action item is then automatically generated when this degradation is detected. An action
item details the corrective actions that need to be taken in order to restore the compliance
status. The action item is removed from the list once the corrective actions have been taken and
another scan has been performed. Due dates can be assigned to action items. The following
statuses are assigned in the due date column of a pending action item:

- Overdue: Action item is overdue.
- Upcoming: Action item has a due date within the next 30 days.
- Future: Action item has a due date beyond the next 30 days.
- Unscheduled: Action item has no defined due date.

Figure 122 — Compliance Action Items



To activate a best practice test:

1. In the Security Best Practices Compliance section, click the See All link.
2. Check the box next to the best practice.

Figure 123 — Compliance Best Practices

Scoring and Status


Each best practice is scored on a scale of 0-100 by averaging the results for each object
examined according to the best practice. The score determines the status of the best practice.
Some best practices are only scored as compliant (100) or not compliant (0).

Status    Score
Secure    100
Good      76-99
Medium    51-75
Poor      0-50
N/A       Not Applicable
Table 17: Best Practice Scoring and Status


A best practice can show an N/A status if:

- The software blade is not installed on the Security Management Server.
- The Security Gateway does not support the examined feature.
- A new best practice was created, but a manual scan was not performed.
- A best practice is not activated for this company.
- A best practice cannot run because it is dependent on another best practice with a
  non-compliant status.

In SmartConsole, compliance status can be viewed by best practice, regulation, gateway or
software blade.

Continuous Compliance Monitoring


Continuous Compliance Monitoring is a technology that monitors compliance parameters
through scans. Automatic scans are performed on a daily basis to find changes made to the
gateway, policy configurations made through the Command Line Interface, or changes made
with scripts. Automatic scans are also performed when an administrator changes objects that
affect gateway or policy configuration. It is recommended to run a manual scan after objects
are added to the Check Point environment or when a best practice test is activated or
deactivated.

NOTE
While a scan is running, you cannot work within the Compliance tab.


CPView
CPView is an interactive, text-based utility that runs on Check Point gateways. It is used to
quickly view general system information, such as CPU, memory, disk space, and individual
software blade data. To start CPView, run cpview in Clish or Expert mode in Gaia. The basic
syntax is:

cpview [-c <file>] [-p] [history {on|off|stat}] [-t]

-c <file>     Uses a custom configuration file.
-p            Prints all statistics to the screen.
history on    Turns on the CPView history daemon. This setting persists after a
              restart of Check Point applications.
history off   Turns off the CPView history daemon. This setting persists after a
              restart of Check Point applications.
history stat  Displays the current status of the CPView history daemon.
-t            Opens CPView in Database Viewing mode, which displays the
              contents of the history daemon database.
              To view the contents of the database from a certain time, add a
              timestamp in the format [Jan..Dec] [01..31] [4-digit year] [hh:mm:ss].
              If no timestamp is given, the parameter shows the entire contents
              of the database.
Table 18: CPView Parameters

Navigation and Configuration


Use the following keys to navigate CPView:

- Arrow keys: Move between menus and views, and scroll within a view.
- Home: Returns to the Overview view.
- Enter: Switches to View mode (if currently on a menu with sub-menus, changes
  focus to the lowest sub-menu to see its views).
- Esc: Returns to Menu mode.
- Q: Quits CPView.


Use the following keys to change interface options:

- R: Opens a window to change the refresh rate. The default rate is 2 seconds.
- W: Switches between wide and normal display mode.
- S: Allows you to manually set the number of rows and columns displayed.
- M: Turns the mouse on or off.
- P: Pauses and resumes the collection of statistics.

Use the following keys to save statistics, show help, and refresh statistics:

- C: Saves the current page to a file. The filename format is
  cpview_<CPView process ID>.cap<number of captures>.
- H: Shows a tooltip about the CPView options.
- Space bar: Refreshes statistics.


User Interface
The CPView user interface has three sections: View, Navigation and Header. The View section
displays the retrieved statistics. The Navigation section shows the navigation menus
and their sub-menus. The Header section displays the time at which the statistics shown were
gathered, which is updated every time the statistics are refreshed.


Figure 124 — CPView User Interface


Review Questions
1. How are best practice scores determined and displayed?

2. What key is used to save the current CPView page to a file?

Appendix: Questions and Answers

End of chapter review questions are answered in this Appendix.



Chapter 1
Introduction to Check Point Technology
1. What are the three mechanisms for controlling network traffic?

The three mechanisms for controlling network traffic are Packet Filtering, Stateful
Inspection, and Application Layer Firewalls.

2. What role does SmartConsole play in Check Point's Security Management Architecture?

SmartConsole is a unified graphical user interface which is used to manage the objects
that represent network elements, servers and gateways. It allows Security Administrators
to configure and manage security policies, monitor network traffic, and perform other
tasks such as installing updates, adding new devices, and managing licenses through a
single console.

3. What are the two hardware options for deploying Check Point technology?

Check Point appliances and open servers are the two hardware options for deploying Check
Point technology.

4. Describe the Command Line Interface.

The CLI is used for the execution of various commands that are structured using the same
syntactic rules. Its shell-emulator pop-up window makes Gaia more intuitive to use. The
CLI can be used to manage administrator user accounts, assign privileges and define
administrator roles.


Chapter 2
Security Policy Management
1. Name five object categories.

Network Object, Service, VPN Community, User, and Server are five object categories.
Custom Application/Site, Resource, Time Object, UserCheck Interactions, and Limit are
additional categories.

2. What is the difference between Explicit and Implicit rules?

Explicit rules are rules created in the Rule Base by the administrator and are configured
to allow or block traffic based on specified criteria. Implicit rules are defined by the
Security Gateway to allow certain connections to and from the Security Gateway.

3. What is a policy package?

A policy package is a group of different types of policies that are installed together on the
same installation targets. After installation, the Security Gateway enforces all of the
policies in the package.

4. Describe concurrent administration.

Concurrent administration is a feature in SmartConsole which allows multiple
administrators to work simultaneously on the same policy without conflict. An
administrator's changes to the policy are locked for his view only until the changes are
published and made available to the other administrators.

5. Backups are saved as what type of file?

Backups are saved as a .tgz file.


Chapter 3
Policy Layers
1. Describe policy layers.

Policy layers allow administrators to separate the Security Policy into multiple
components, such as the Access Control policy and the Threat Prevention policy, to
provide more options for policy management. The layers concept provides the ability to set
different view and edit permissions per layer for different administrator roles and the
ability to reuse a layer in different policy packages. When the gateway matches a rule in a
layer, it moves on to inspect the rules in the next layer.

2. How many policy layers can be included in an Access Control policy and how should they
be ordered?

An Access Control policy can have up to two ordered layers. The first layer must contain
the Firewall rules. The second layer is the Application Control policy layer which
contains URL Filtering and Application Control rules.


Chapter 4
Check Point Security Solutions and Licensing
1. Name the five Check Point all-inclusive software blade package solutions.

Next Generation Firewall
Next Generation Threat Prevention
Next Generation Threat Extraction
Secure Web Gateway
Next Generation Data Protection

2. When should new licenses be generated and installed?

New licenses should be generated and installed when the existing license expires, when
the license is upgraded, and when the IP address of the Security Management Server or Security
Gateway has changed.


Chapter 5
Traffic Visibility
1. Which monitoring view would you use to see real-time statistics about open remote access
sessions?

The Users view of SmartView Monitor shows real-time statistics about open remote access
sessions. It shows the users that have current VPN connections to the Security Gateways.

2. In what instance should you install a Log Server on a dedicated computer?

In large organizations that generate a lot of logs, it is recommended to install the Log
Server on a dedicated computer.


CTEEEr 6
Basic Concepts of VPN
1. What type of VPN deployment handles communication between a network and remote
users?

A Remote Access VPN Deployment handles secure communication between internal


corporate resources and remote users using VPN tunnels.

2. What are two different ways to configure the Access policy to allow VPN connections?

The Access policy can be configured to Allow All Connections or to Allow All Site-to-Site
VPN Connections.


Chapter 7
Managing User Access
1. What is the purpose of Identity Awareness?

Identity Awareness uses source and destination IP addresses of network traffic to identify
users and machine identities.

2. What is the difference between an Endpoint Identity Agent and a Terminal Server Identity
Agent?

An Endpoint Identity Agent is installed on user computers to acquire and report identities
to the Security Gateway. With Endpoint Identity Agents, users are required to download
the agent from the Captive Portal and authenticate using Kerberos SSO. They differ from
Terminal Server Identity Agents in that the agent is configured, not the user. Terminal
Server Identity Agents identify users in Terminal Server and Citrix environments. They
reserve a set of TCP/UDP ports for each user. User authentication through the Terminal
Server is different in that a shared secret is used to establish trust.

3. How do Access Roles work within a Rule Base?

After Identity Awareness has been activated, Access Role objects can be created and used
in the Source and Destination columns of Access Control policy rules. Access Role objects
allow administrators to configure network access according to networks, users and user
groups, computers and computer groups, and remote access clients.

Chapter 8
Working with ClusterXL
1. Describe Check Point ClusterXL High Availability.

Check Point ClusterXL High Availability ensures gateway and VPN connection
redundancy for transparent failover between machines. Only one cluster member is active
at a time. If there is a problem with the active cluster member, the redundant standby
cluster member is activated.

2. How can you monitor the state of the cluster members?

Use SmartView Monitor or run the cphaprob state command from the CLI to
monitor the state of the cluster members.


Chapter 9
Administrator Task Implementation
1. How are best practice scores determined and displayed?

Each best practice is scored on a scale of 0 to 100 by averaging the results for each object
examined according to the best practice. The score determines the status of the best
practice. There are five statuses: Secure, Good, Medium, Poor and Not Applicable.

2. What key is used to save the current CPView page to a file?

The "C" key is used to save the current CPView page to a file.
