Student Lab-Manual CCSE R80 PDF (656 pages), uploaded by harshakarnati
SECURITY ENGINEERING
Student & Lab Manual R80.10
CHECK POINT INFINITY

© 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: Ha'Solelim Street, Tel Aviv, Israel
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: Commerce Drive, Suite 120, Irving, TX 75063

Document: DOC-Manual-CCSE-R80.10

Content: Vanessa Johnson, Whitney Bentley [one further name illegible]
Graphics: Vanessa Johnson, Angela Abendan [one further name illegible]
Contributors (Beta Testing, Content Contribution, or Technical Review) and Special Thanks: [names illegible]
Certification Exam Development: Jason Tugwell
Check Point Technical Publications Team: [names illegible]

Table of Contents

Preface: Security Engineering
  Check Point Security Engineering Course
  Prerequisites
  Course Chapters and Learning Objectives
  Lab Topology
  Related Certification

Chapter 1: System Management
  Advanced Gaia
    Gaia Features and Benefits
    Upgrades
    Hotfixes
    CLI Commands
  Advanced Firewall
    Check Point Firewall Infrastructure
    The Firewall Kernel
    Packet Flow
    Chain Modules
    Stateful Inspection
    Security Servers
    Kernel Tables
    Policy Installation
    Network Address Translation
    Firewall Administration
  Review Questions
  Tasks
  Performance Objectives
  Lab 1.1: Upgrading to R80.10
    Migrating Management Server Data
    Installing the Security Management Server
    Configuring Security Management Server Using the Gaia Portal
    Installing SmartConsole
    Importing the Check Point Database
    Launching SmartConsole and Reconfiguring Existing Security Policies
  Lab 1.2: Applying Check Point Hotfixes
    Locating the CPUSE Identifier
    Installing the Hotfix on the Security Gateway
  Lab 1.3: Configuring a New Security Gateway Cluster
    Installing a Second Security Gateway
    Configuring the Bravo Security Gateway with the First Time Configuration Wizard
    Using the Gaia Portal to Configure the Security Gateway
    Re-configuring the Primary Gateway
    Configuring the Alpha Security Policy to Manage the Remote Security Gateway Cluster
  Lab 1.4: Core CLI Elements of Firewall Administration
    Managing Policy and Verifying Status from the CLI
    Reconfiguring the Security Policies
    Using fw monitor
    Using tcpdump
  Lab 1.5: Viewing the Chain Modules
    Evaluating the Chain Modules
    Modifying the Security Policy
    ...anslation (entry truncated)

Chapter 2: Automation & Orchestration
  Check Point APIs
  Check Point API Architecture
  Management API Commands
  Management API Support
  Review Questions
  Tasks
  Performance Objectives
  Lab 2.1: Managing Objects Using the Check Point API
    Configuring the Check Point API
    Defining and Editing Objects in the API

Chapter 3: Redundancy
  Advanced ClusterXL
    Load Sharing
    Proxy ARP
    vMAC
    Cluster Synchronization
    Cluster Connectivity Upgrade
    Add a Member to an Existing Cluster
    Sticky Connections
  Management High Availability
  OPSEC Certified Clustering Products
  VRRP Clusters
    VRRP Types
  Review Questions
  Tasks
  Performance Objectives
  Lab 3.1: Deploying a Secondary Security Management Server
    Installing the Secondary Management Server
    Configuring Management High Availability
    Testing Management High Availability
  Lab 3.2: Enabling Check Point VRRP
    Viewing ClusterXL Failover
    Defining a Virtual Router for VRRP
    Configuring the Security Policy for VRRP

Chapter 4: Acceleration
  SecureXL: Security Acceleration
    Using SecureXL
    Packet Acceleration
    Session Rate Acceleration
    SecureXL Connection Templates
    Packet Flow
    VPN Capabilities
  CoreXL: Multicore Acceleration
    Using CoreXL
    Processing Core Allocation
    Dynamic Dispatcher
    Packet Flow with CoreXL and SecureXL Enabled
  Multiple Traffic Queues
    Using Multi-Queue
  Review Questions
  Tasks
  Performance Objectives
  Lab 4.1: Working with SecureXL
    Identifying Status of Current Connections
  Lab 4.2: Working with CoreXL
    Enabling CoreXL
    Reviewing CoreXL Settings

Chapter 5: SmartEvent
  The SmartEvent Solution
    SmartEvent Components
    SmartEvent Clients
    SmartEvent Workflow
    SmartEvent Deployment
    Defining the Internal Network
  Identifying an Event
    Monitoring the Network
    Event Queries
    Investigating Security Events
    Ticketing
    Importing Offline Log Files
  Remediating Security Events
    Configuring Event Policy
    Configuring IPS Policy
  Reporting Security Events
    Using Predefined Reports
    Defining Custom Reports
  Preventative Measures
    Creating a New Event Definition
    Reporting an Event to Check Point
    Eliminating False Positives
  SmartEvent Example
  High Availability Environment
  Security CheckUp
  Review Questions
  Tasks
  Performance Objectives
  Lab 5.1: Evaluating Threats with SmartEvent
    Configure the Network Object in SmartConsole
    Monitoring Events with SmartEvent

Chapter 6: Remote and Mobile Access
  Mobile Access Software Blade
    Mobile Access Wizard
    Mobile Access Workflow
    Gateway Security Features
  Mobile Access Deployment
    Choosing Remote Access Solutions
    Installation Types
    Secure Connectivity and Endpoint Security
    SSL VPN versus IPSec (Layer 3) VPN
  Clients
    Mobile Access Portal
    SSL Network Extender
    Check Point Mobile
    Check Point Capsule Workspace
    SecuRemote
    Additional Remote Access Options
  Check Point Capsule
    Capsule Workspace
    Capsule Docs
    Capsule Cloud
  Mobile Access Policy
    Mobile Access Rule Base
    Best Practices
  Review Questions
  Tasks
  Performance Objectives
  Lab 6.1: Managing Mobile Access
    Enable Mobile Access Blade
    Configure the Check Point Capsule Policy
    Testing Check Point Capsule

Chapter 7: Threat Prevention
  The Threat Landscape
    Zero-Day Attacks
    Advanced Persistent Threats
  Intrusion Prevention System
    IPS Profile Settings and Protections
    IPS Tuning and Maintenance
    Geo-Protection
  Antivirus
  Anti-Bot
  Sandboxing
    Operating System-Level Sandboxing
    CPU-Level Sandboxing
  Check Point SandBlast Zero-Day Protection
    SandBlast Components
    SandBlast Appliances
    SandBlast Cloud
    SandBlast Agent
  SandBlast Deployment
    Public Cloud Service
    Private Cloud
    Hybrid Solution (SandBlast Appliance and Cloud)
  Mobile Threat Prevention
    MTP Components
    Mobile Threat Prevention Workflow
  Review Questions
  Tasks
  Performance Objectives
  Lab 7.1: [title illegible]
    Understanding IPS Protections
    Configuring the Protection Profile
    Configuring the IPS Demonstration Tool
    Testing the Default Protections
    Modifying the Protection Profile Settings
    Working with Logs & Monitor to Investigate Threats
    Modifying an Existing Protection Profile
  Lab 7.2: Deploying IPS Geo Protection
    Modifying Anti-Spoofing Settings
    Configuring IPS Geo Protection
  Lab 7.3: Reviewing Threat Prevention Settings and Protections
    Review Threat Prevention Settings and Protections
    Testing EICAR Access
  Lab 7.4: Deploying Threat Emulation and Threat Extraction
    Use ThreatCloud to Verify File Safety
    Configure Threat Emulation to Inspect Incoming Traffic

Appendix A: Questions and Answers
  Chapter 1: System Management
  Chapter 2: Automation and Orchestration
  Chapter 3: Redundancy
  Chapter 4: Acceleration
  Chapter 5: SmartEvent
  Chapter 6: Remote and Mobile Access
  Chapter 7: Threat Prevention

Security Engineering

Welcome to the Check Point Cyber Security Engineering course.
This course provides an advanced and in-depth explanation of Check Point technology. It includes advanced upgrading, key techniques for building, deploying and enhancing network performance, and management and troubleshooting features to mitigate security risks. The course is intended to provide you with an understanding of the skills necessary to effectively design, maintain and protect your enterprise network.

Preface Outline
+ Prerequisites
+ Course Chapters and Learning Objectives
+ Lab Topology
+ Related Certification

Check Point Security Engineering Course

This course is designed for security experts and Check Point resellers who need to perform advanced deployment configurations of a Security Gateway and are working towards their Check Point Certified Security Engineering (CCSE) certification. The following professionals benefit most from this course:
+ System Administrators
+ Support Analysts
+ Network Engineers

Prerequisites

Successful completion of this course depends on knowledge of multiple disciplines related to network-security activities, including:
+ UNIX and Windows operating systems
+ Certificate management
+ System administration
+ CCSA training/certification
+ Networking (TCP/IP)

Course Chapters and Learning Objectives

Chapter 1: System Management
+ Understand system management procedures, including how to perform system upgrades and apply hotfixes.
+ Identify advanced CLI commands.
+ Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Chapter 2: Automation and Orchestration
+ Recognize how Check Point's flexible API architecture supports automation and orchestration of daily operations.
+ Understand how to use the management API command line tools and web services to read information, create objects, work on Security Policies, and send commands to the Check Point Security Management Server.

Chapter 3: Redundancy
+ Discuss advanced ClusterXL functions and redundancy.
+ Describe VRRP network redundancy and its advantages.

Chapter 4: Acceleration
+ Understand how SecureXL acceleration technology enhances and optimizes Security Gateway performance.
+ Understand how CoreXL acceleration technology enhances and improves Security Gateway performance.

Chapter 5: SmartEvent
+ Identify SmartEvent components used to store network activity logs and identify events.
+ Discuss the SmartEvent process that determines which network activities may lead to critical security issues.
+ Understand how SmartEvent can assist in detecting, remediating, and preventing security threats targeting organizations.

Chapter 6: Mobile Access
+ Discuss the Mobile Access Software Blade and how it secures communication and data exchange during remote connections.
+ Understand Mobile Access deployment options.
+ Recognize Check Point Remote Access solutions and how they differ.
+ Discuss Check Point Capsule components and how they work to protect mobile devices and business documents.

Chapter 7: Threat Prevention
+ Discuss different Check Point Threat Prevention solutions for dangerous attacks such as zero-day and Advanced Persistent Threats.
+ Understand how SandBlast, Threat Emulation, and Threat Extraction help to prevent security incidents.
+ Identify how Check Point Mobile Threat Prevention helps protect an organization from threats targeting company-issued smartphones and tablets.

Lab Topology

Labs for this course were developed using VMware Workstation. Your instructor will have information for the specific settings and configuration requirements of each virtual machine. Most lab exercises will require you to manipulate machines in the virtual network. Review the starting lab topology pictured below. Note the location of each server in relation to the Security Gateways and how they are routed. Make sure you understand the purpose of each machine, and the credentials and applications used throughout the course.

Figure 1 — CCSE Lab Topology (Check Point R80.10 CCSE Lab Topology)

Related Certification

The Check Point Certified Cyber Security Engineer (CCSE) certification is designed for partners and customers seeking to validate their expert-level knowledge of Check Point's software products and security solutions. Students must have a valid CCSA certification before challenging the CCSE exam.

Chapter 1: System Management

Cyber Security experts are expected to acquire and apply in-depth knowledge of systems used to securely manage the organization's network infrastructure. This course begins with a deep dive into the Check Point Gaia operating system, including how to use essential CLI commands, perform upgrades, and apply hotfixes. We will also take a closer look at the Check Point Firewall infrastructure, chain modules, kernel tables, packet flow, and many more advanced Firewall processes and procedures.

Learning Objectives
+ Understand system management procedures, including how to perform system upgrades and apply hotfixes.
+ Identify advanced CLI commands.
+ Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Advanced Gaia

Check Point Gaia is the unified, revolutionary, secure operating system for all Check Point appliances, open servers, and virtualized gateways.
The cutting-edge technology combines the best features of IPSO and Check Point's original secure operating system, SecurePlatform, into a single, harmonious operating system to provide greater operational efficiency and robust performance.

The Makings of Gaia

Gaia was derived from IPSO and SecurePlatform. The IPSO operating system was developed by Ipsilon Networks, a computer networking company specializing in IP switching during the 1990s. Nokia purchased Ipsilon Networks in 1997 and incorporated IPSO into their secure network appliances. Check Point acquired Nokia's Security business unit in April 2009. As a stripped-down operating system, IPSO provided enough functionality to run Check Point Firewalls, along with the incorporation of some standard Unix commands, such as top, ps, and df. It also provided great visibility into kernel statistics, such as network counters, interrupts, and more.

Check Point's SecurePlatform operating system is based on a kernel from Red Hat Software. SecurePlatform's hardened and optimized operating system eliminated software package components that were unnecessary for a network security device and modified or removed components that could present security risks. An easy-to-use command shell provided the set of commands required for configuration, administration, and system diagnostics, including network settings, backup and restore utilities, upgrading, and system log viewing. Routine management and maintenance of SecurePlatform was performed through a restricted shell called Standard mode. Standard mode enhanced the security of SecurePlatform by restricting access to utilities that, if used improperly, would damage system stability. SecurePlatform also consisted of a Web Graphical User Interface (WebUI), which enabled users to easily configure settings and perform first-time installations. SecurePlatform allowed all system resources to be dedicated to the operating system and the installed Check Point products. With SecurePlatform, resources were no longer consumed by software such as GUIs, office applications, and network file systems.

Gaia Features and Benefits

Gaia supports the full suite of Check Point technologies, giving you improved connection capacity and the full power of Check Point security. Check Point Gaia offers these key values:
+ Combine the best features of IPSO and SecurePlatform.
+ Increase operational efficiency with a wide range of features.
+ Provide a secure platform for the most demanding environments.

Gaia simplifies and strengthens management with the segregation of duties by enabling role-based administrative access. Additionally, Gaia greatly increases operational efficiency with an advanced and intuitive software update agent, commonly referred to as the Check Point Update Service Engine (CPUSE). Gaia management is made simple with the intuitive and feature-rich WebUI, and instant search options for all commands and properties. The same powerful CLI commands from IPSO and SecurePlatform have been seamlessly integrated into Gaia, along with new commands and capabilities.

Figure 2 — Gaia Portal

Key Features

Key features of Gaia include:

Web-based User Interface with search navigation — This interface integrates all Gaia operating system management functions into a dashboard that is accessible via the most popular Web browsers, such as Internet Explorer, Chrome, Firefox, Opera, and Safari. The built-in search navigation tool delivers instant results, and for CLI-inclined users, a Shell Emulator pop-up window is only a single click away.
Full Software Blade support — Gaia provides support for comprehensive Security Gateway and Security Management Software Blade solutions deployed on Check Point appliances and open servers.

High connection capacity — Gaia is capable of boosting the connection capacity of existing Check Point appliances.

Role-based administrative access — Segregation of duties is part of a good Security Policy because it improves operational efficiency and auditing of administrative events. Role-based administrative access gives Gaia customers the ability and granularity to customize their security management policies to meet their business needs. User authentication and authorization is based on the industry-standard RADIUS and TACACS+ protocols. Specific levels of access can be granted based on each individual's role and responsibility.

Intelligent software updates — With Gaia, software update times are shortened and post-update testing is performed automatically. New releases and patches can be scheduled for automatic download and installed during off-peak hours for minimal business impact. Notification emails are sent about recommended updates and update statuses.

Native IPv4 and IPv6 support — Check Point Gaia allows easy interoperability with both networking protocols.

Clustering protocol support — Gaia fully supports ClusterXL, Check Point's proprietary network redundancy protocol, and standard VRRP on all Check Point appliances, open servers, and virtualized environments.

Manageable dynamic routing suite — Multiple dynamic routing and multicasting protocols are supported by Gaia, providing flexible and uninterrupted network connectivity. All can be managed from both the Gaia Portal and the CLI.

Supported Protocols

Dynamic Routing Protocols                 | Multicasting Protocols
+ RIP RFC 1058                            | + IGMPv2 RFC 2236
+ RIPv2 (with authentication) RFC 1723    | + IGMPv3 RFC 3376
+ OSPFv2 RFC 2328                         | + PIM-SM RFC 4601
+ OSPFv3 RFC 5340                         | + PIM-SSM RFC 4601
+ OSPF NSSA RFC 3101                      | + PIM-DM RFC 3973
+ BGP4 RFCs 1771, 1963, 1966, 1997, 2918  | + PIM-DM state refresh draft-ietf-pim-refresh-02.txt

Table 1: Gaia Supported Dynamic and Multicasting Protocols

Upgrades

As a Cyber Security Engineer, it is important to evaluate the overall health, compliance, and performance of your network. This often entails the task of deciding whether to install new hardware to fit business needs or to upgrade to newer software versions to ensure the efficiency of the existing environment. Check Point recommends installing the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements, and protections against new and evolving attacks. Upgrades provide added enhancements over an earlier version and eliminate the complexities of re-creating product configurations, Security Policies, and objects.

Before upgrading appliances or open servers, verify the interoperability and upgrade path of your existing environment and make use of the appropriate Check Point upgrade tools. To upgrade from R77.XX to R80.10, an advanced upgrade with database migration process must be performed. Upgrades from R80 to R80.10 are performed through the software update agent, CPUSE.

NOTE: Upgrades to R80 and above are not supported from IPSO and SecurePlatform. For more information, refer to Check Point's Upgrade Map.

Upgrade Tools

Upgrade tools back up Check Point configurations, independent of hardware, operating system, and Check Point security management platform version. Use the upgrade tools to back up Check Point configuration settings on disk partitions of Check Point appliances and open servers. Disk space requirements for upgrades vary based on the upgrade version. Before starting an upgrade, refer to the release notes of the desired platform version to verify the space requirements for each disk partition, such as the /var/log/ and root partitions.

There is a different package of upgrade tools for each platform. Download the latest version of the upgrade tools from the Check Point support site. Before upgrading, a valid service contract that includes software upgrades and major releases must be registered to your organization's Check Point User Center account. The upgrade tools package consists of several files, including the files noted in the table below.

Package File          | Description
migrate.conf          | Holds configuration settings for Advanced Upgrade with Database Migration.
migrate               | Runs Advanced Upgrade with migration.
pre_upgrade_verifier  | Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.

Table 2: Upgrade Tools Package Files

Advanced Upgrade with Database Migration

As in all upgrade procedures, it is best practice to upgrade the Security Management Server or Multi-Domain Server before upgrading the Security Gateways. To upgrade from an earlier software version, such as R77.30, to Check Point's R80.10 security management platform, use the Advanced Upgrade with Database Migration method to migrate the database and install the software.
With this method of upgrading, the current environment must meet these requirements for database migration:
+ Available disk space of at least five times the size of the exported database on the target machine.
+ The size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine.
+ Source and target servers must be connected to a network, and the connected network interface must have an IP address.
+ If the source environment uses only IPv4 or only IPv6, the target must use the same IP address configuration. For example, you cannot migrate to an IPv6 configuration if the source environment uses only IPv4.
+ The target must have the same or higher version and the same set of installed products.
+ The appropriate package of upgrade tools must be downloaded for each source platform.
+ The correct ports for SmartConsole must be open in order for SmartConsole to communicate with the Security Management Server.

After the requirements for database migration have been met, create a backup copy of the existing system from the Gaia WebUI. Gaia operating system settings are not backed up and must be configured manually if the database is restored later due to issues with the upgrade. Take note of operating system settings (interfaces, servers, routes, system settings, etc.) before upgrading.

It is important to use the correct migration tool package to perform the upgrade. Use the upgrade tools package for the software version you are upgrading to. For example, if upgrading from R77.30 to R80.10, use the migration tools package for R80.10. Download and extract the tools to the old server (R77.30). Use the migrate utility of the upgrade tools package to export the source Security Management Server database (R77.30) to a file, and then import the file to the new server (R80.10).

NOTE: SmartEvent databases are not migrated during an advanced upgrade because the databases can be very large. Migration of these databases must be performed separately. Refer to sk110173 for information on how to migrate the SmartEvent database.

The Upgrade Verification Service

Check Point's Upgrade Verification Service is an upgrade verification and environment simulation service created to help customers transition to R80.XX as seamlessly as possible. The service uses configuration files from your current platform to simulate the environment and verify that the upgrade can be successfully applied across the key features of the software. The simulation also ensures that the database is not corrupted during the upgrade process. Upon completion, a status update of the simulation results along with advice on how best to proceed will be provided. For more detailed information about the Upgrade Verification Service, refer to sk110267.

Lab 1.1: Upgrading to R80.10

Hotfixes

Hotfixes are updates that are released to correct an issue discovered within the operating system or software. They can be released to address security vulnerabilities and inconsistencies or to provide enhancements and improvements. A Hotfix Accumulator (HFA) is a collection of stability and quality fixes that resolve multiple issues in different products. When installed, HFAs will overwrite the current hotfixes installed on the system. The name of a hotfix identifies the version it is compatible with. For example, R80_JUMBO_HF_Bundle_190 is a very large bundle of hotfixes for R80. In addition to hotfixes, some versions may have new features which require the installation of an Add-on. Check Point recommends installing the add-on only if the features it enables are required.

When providing a fix to customers, Check Point supplies the updated file and an installation package which will interactively install the fix. Gaia automatically provides a list of update packages available for download that are relevant to the operating system version installed.
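The database-migration requirements listed above and the rule that a hotfix name identifies the version it is compatible with, encoded as pre-upgrade checks an engineer can run before touching the servers. This is an added example, not Check Point's pre_upgrade_verifier or CPUSE code: the Server record, the result codes and all sizes, versions and addresses are constructed assumptions for illustration.

```python
"""Pre-upgrade checks for the Gaia upgrade workflow described in this chapter.

Added example; not Check Point's pre_upgrade_verifier or CPUSE code.  It
encodes the manual's requirements for an Advanced Upgrade with Database
Migration (e.g. R77.30 -> R80.10) and the rule that a hotfix package name
identifies the version it is compatible with.  Server records and sizes are
constructed sample data; the result codes are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

DISK_FACTOR = 5      # target free space >= 5x the exported database
VARLOG_RATIO = 0.25  # target /var/log >= 25% of the source /var/log

_VERSION_RE = re.compile(r"R(\d+)(?:\.(\d+))?")


@dataclass(frozen=True)
class Server:
    version: str                # Check Point version, e.g. "R77.30"
    products: FrozenSet[str]    # installed Check Point products
    addresses: Tuple[str, ...]  # IP addresses on the connected interface
    free_disk: int              # free disk space in bytes (relevant on target)
    varlog_size: int            # size of /var/log in bytes


def parse_version(ver: str) -> Tuple[int, int]:
    """'R77.30' -> (77, 30); 'R80' -> (80, 0).  Raises on unknown format."""
    m = _VERSION_RE.fullmatch(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Check Point version: {ver!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def address_families(addrs: Tuple[str, ...]) -> Set[int]:
    """IP versions present on an interface: {4}, {6} or {4, 6}."""
    return {ipaddress.ip_address(a).version for a in addrs}


def check_migration(source: Server, target: Server, export_size: int) -> List[str]:
    """Return codes of failed migration requirements; an empty list passes."""
    failed = []
    if target.free_disk < DISK_FACTOR * export_size:
        failed.append("disk")
    if target.varlog_size < VARLOG_RATIO * source.varlog_size:
        failed.append("varlog")
    if not source.addresses or not target.addresses:
        failed.append("interface")  # both sides need an addressed interface
    else:
        src_fam = address_families(source.addresses)
        # An IPv4-only or IPv6-only source requires the same family on the
        # target; the manual states no constraint for a dual-stack source.
        if len(src_fam) == 1 and address_families(target.addresses) != src_fam:
            failed.append("ip-family")
    if parse_version(target.version) < parse_version(source.version):
        failed.append("version")    # target must be the same or higher
    if source.products != target.products:
        failed.append("products")   # same set of installed products
    return failed


def hotfix_compatible(package_name: str, installed_version: str) -> bool:
    """True when the version prefix of a hotfix name equals the installed version.

    R80_JUMBO_HF_Bundle_190 carries the prefix R80, so it is compatible with an
    R80 machine but not with R80.10.
    """
    m = _VERSION_RE.match(package_name.strip())
    if not m:
        raise ValueError(f"hotfix name has no version prefix: {package_name!r}")
    return parse_version(m.group(0)) == parse_version(installed_version)


if __name__ == "__main__":
    # Constructed sample: an R77.30 source and a freshly built R80.10 target.
    source = Server("R77.30", frozenset({"Security Management"}),
                    ("10.1.1.101",), 0, 40 * 10**9)
    target = Server("R80.10", frozenset({"Security Management"}),
                    ("10.1.1.102",), 60 * 10**9, 20 * 10**9)
    print("migration blockers:", check_migration(source, target, 2 * 10**9))
    print("R80 jumbo on R80.10:", hotfix_compatible("R80_JUMBO_HF_Bundle_190", "R80.10"))
```

The SmartConsole-port requirement is deliberately left out because it can only be verified against the live management server, not from recorded inventory data.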
The Status and Actions page of CPUSE displays hotfixes that are available for download and hotfixes that have previously been downloaded, imported, and installed.

Figure 3 — CPUSE

The CPUSE Agent

CPUSE is an advanced and intuitive tool used to update the Gaia operating system and Check Point software products. It supports the deployment of major and minor software releases, single hotfixes, and HFAs. A major release introduces new functionalities and technologies. Examples of a major release would be R77 and R80. Minor releases include the latest fixes released to customers. R77.30 is an example of a minor release.

The CPUSE tool automatically locates and displays software update packages and full images relevant to the Gaia operating system version installed on the computer. It also considers the role of the computer (management server, gateway, or Gaia standalone) and other properties. The CPUSE agent is installed on every Gaia-based machine and is responsible for all software deployment on that machine. The machine must be connected to the Internet to obtain software updates from the Check Point Cloud. Prior to every installation, CPUSE runs several verification tests to ensure that the package is compatible and can be installed on the machine without conflicts.

To view available packages in the Gaia Portal, navigate to the Upgrades (CPUSE) section and select Status and Actions. All hotfix and minor version packages are displayed in categories and are filtered to show recommended packages only by default.

Check Point recommends downloading the latest build of the CPUSE agent prior to applying a hotfix. In most cases, the latest build is downloaded automatically. To check the current build of the agent, click the Hotfixes link next to the CPUSE version number, near the top of the Status and Actions page. A pop-up window will appear displaying hotfix information. The installed build of the deployment agent is displayed at the bottom of the window. The current build can also be checked by using Clish and running the following command:

HostName:0>show installer status build

Figure 4 — CPUSE > Status and Actions > Hotfixes Link

NOTE: The latest build of CPUSE is gradually released to all customers; therefore, all machines may not receive the latest build at the same time.

Hotfixes can be scheduled to download automatically, manually, or periodically; however, full installation and upgrade packages must be installed manually.

Download and Install Hotfixes

Hotfixes are applied by first downloading or importing the CPUSE package and then installing the package on the machine. In the Gaia Portal, click the lock icon to obtain the lock over the configuration database before applying a hotfix, and then navigate to the Status and Actions page. Every hotfix displayed as available for download may or may not be allowed or needed for installation onto your machine. Check Point recommends verifying the package to determine if it can be installed without conflicts. To verify a package, perform one of the following actions:

• Select the package and click the More button on the toolbar. From the list of options, click Verifier. Or,
• Right-click the package and click Verifier.

The Verifier Results window will display, indicating whether or not installation is allowed. If installation is allowed, proceed to download the package. The download progress is displayed in the Status column of the hotfix. The download may be paused at any time. When paused, the status of the package will change to Pausing Download and then to Partially Downloaded, and may be resumed at any time. Install the package after it has been successfully downloaded.

To install a downloaded package, select the package and click the Install Update button, or right-click the package and select Install Update. Hotfixes can also be downloaded and installed all at once by simply clicking the Install Update button. Most Jumbo Hotfix packages and private hotfix packages are posted to the Check Point Cloud. Click the Add Hotfixes from the cloud button to search, or enter a package identifier posted to the cloud. Contact Check Point Support to get the package's CPUSE Identifier, or copy and paste the file name from the Check Point Download Center. Use the CPUSE Identifier search string to add the relevant CPUSE package from the Check Point Cloud. Once the package is added, its status will display as Available for Download. To import a package, click the More button located on the toolbar of the Status and Actions page, and select Import Package. In the Import Package window, browse to the package file, and click Upload.

CPUSE Software Updates Policy

The WebUI offers different methods for downloading hotfixes via CPUSE:

• Manually — This is the default method. Downloads can also be manually deployed in Clish.
• Scheduled — The CPUSE agent can check for and download hotfixes at a specified time, such as daily, weekly, monthly, or on a selected date.
• Automatic — The CPUSE agent will check for updates every three hours and automatically download hotfixes as they become available.

The CPUSE agent can also send email notifications to administrators, which can inform them of update events, such as when new packages are available for download, and the success or failure of a package installation. To define the CPUSE update policy and configure email notifications, under the Upgrades (CPUSE) section, select Software Updates Policy.

Figure 5 — Software Updates Policy

Software update packages can be imported and installed offline if:

• the Gaia machine has no access to the Check Point Cloud.
• the desired CPUSE package is not available in the Check Point Cloud.
• the administrator prefers to manually import the CPUSE package.

The Central Deployment Tool

System Administrators can automatically install CPUSE offline packages on multiple Security Gateways and cluster members at the same time using the Central Deployment Tool (CDT). The CDT is a utility that runs on Gaia operating system Security Management Servers and Multi-Domain Servers using software versions R77.30 and higher. The tool communicates with gateways and cluster members over SIC via TCP port 18209. Automatic installation on multiple managed gateways and cluster members is supported for the following package types:

• Upgrades to R77.30
• Minor version upgrades
• Hotfixes
• Jumbo Hotfixes (bundles) or HFAs

Prior to using the CDT, all Security Gateways and cluster members must be already installed and configured with SIC established and Security Policies installed. There are also several file requirements that must be met before the utility can be run. This includes the CDT executable and configuration files as well as several optional shell script files. The latest build of the CPUSE agent is also required. CDT uses CPUSE agents to perform package installation on remotely managed gateways and cluster members. The entire process is monitored and managed by the management server. To begin using the CDT, connect to the command line on the management server, log into Expert mode, and then access the directory that contains the CDT files. Do not use CDT for clean installs of a major version. Also, CDT does not support upgrades or installs of ClusterXL in Load Sharing mode. For more detailed information regarding the CDT utility, refer to the Check Point Central Deployment Tool Administration Guide.

Lab 1.2 Applying Check Point Hotfixes
Lab 1.3 Configuring a New Security Gateway Cluster

CLI Commands

Check Point Gaia's powerful CLI commands and Clish shell are designed for users who prefer to interact with the system by executing commands or scripts. The most common operations are:

• add
• set
• show
• delete

CLI commands can be entered in two modes: Standard mode and Expert mode. Standard mode is the default Check Point shell (Clish) and provides commands for easy configuration and routine administration, such as cpstart and cpstop. However, most system commands are not supported. The prompt for Standard mode commands is:

[hostname] >

Expert mode allows advanced Check Point users access to the Gaia operating system and underlying Linux functions. To enter Expert mode, use the expert command in Clish. This command opens the Bash shell. The prompt for Expert mode is:

[Expert@hostname] #

An Expert mode user can run Linux commands such as ls, cd and pwd as they would on any Linux system to directly manipulate the Gaia operating system file system. Basic Check Point commands such as fw ver and cpconfig can also be run from the Expert mode CLI, similar to Gaia Clish. CLI-inclined users can also use CLI commands and tools in Expert mode to create automation scripts. These tools include:

• dbedit — creates and configures objects and rules in the database for the Security Policy.
• fwm load — installs the specified Security Policy on Security Gateways.
• send_command — runs functions which are not included with standard Check Point CLI commands and tools.

CLI commands and multiple shells are available for all Check Point Gaia-based operating systems, software blades and features. Several useful commands are noted in this section; however, many other commands are discussed in greater detail throughout this course.

Environment Commands

Use these commands to set the CLI environment for a user.
The syntax to set the client environment is:

set clienv <parameter>

To save the client environment permanently:

save clienv

To acquire the configuration lock from another administrator:

lock database override

To set the inactivity timeout when working with the CLI:

set inact
ivity-timeout <value>

With this command, <value> is the timeout in minutes.

Parameter: Description
config-lock [on|off]: Default value of the Clish configuration lock parameter. If set to on, Clish will lock the configuration and no configuration changes can be made in the WebUI.
debug [0-6]: Debug level. Zero is the default level: do not debug, display error messages only. Level 6 will show handler invocation parameters and results.
echo-cmd [on|off]: When set to on, echoes all commands before executing them. The default is off.
on-failure [continue|stop]: When the system encounters an error, commands from a file or script will either continue to run or stop running. The default is stop.
output [pretty|structured|xml]: Determines the command line output format. The default is pretty.
prompt <value>: Command prompt string. Defines the appearance of the command prompt. Can consist of any printable characters and a combination of variables.
rows <integer>: Number of rows to display in the terminal window.
syntax-check [on|off]: When set to on, puts the shell into syntax-check mode. Commands are checked syntactically and are not executed, but values are validated. The default is off.

Table 3: Environment Command Parameters

System Configuration Commands

Gaia system configuration settings can be saved as a ready-to-run CLI script. To save the system configuration to a CLI script:

save configuration <filename>

To restore configuration settings:

load configuration <filename>
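A configuration script exported with save configuration is plain text, so it can be audited before load configuration applies it to another machine. The following bash script is an added example, not part of this manual or of Check Point's tooling: it parses an export in the layout that show configuration prints (a constructed sample is embedded) and reports the settings a security engineer would question first. The thresholds it applies (minimum password length 8, complexity 3) are the script's own choices, not Check Point recommendations.

```shell
#!/usr/bin/env bash
# Added example (not from the manual): audit a Gaia configuration script
# exported with "save configuration <filename>" before it is re-applied with
# "load configuration <filename>" on another machine. The thresholds below
# are this script's own choices, not Check Point recommendations.

# cfg_value <file> <key>: value of the first "set <key> <value>" line,
# empty if the key is absent.
cfg_value() {
    awk -v key="$2" 'index($0, "set " key " ") == 1 { print $NF; exit }' "$1"
}

# audit_gaia_config <file>: prints one "WARN: ..." line per finding, then
# a final "findings: N" line.
audit_gaia_config() {
    local file="$1" findings=0 v
    v=$(cfg_value "$file" "password-controls min-password-length")
    if [ -n "$v" ] && [ "$v" -lt 8 ]; then
        echo "WARN: min-password-length is $v (script threshold: 8)"
        findings=$((findings + 1))
    fi
    v=$(cfg_value "$file" "password-controls complexity")
    if [ -n "$v" ] && [ "$v" -lt 3 ]; then
        echo "WARN: password complexity is $v (script threshold: 3)"
        findings=$((findings + 1))
    fi
    if [ "$(cfg_value "$file" "password-controls password-expiration")" = "never" ]; then
        echo "WARN: passwords never expire"
        findings=$((findings + 1))
    fi
    if [ "$(cfg_value "$file" "ntp active")" = "off" ]; then
        echo "WARN: NTP is off, so log timestamps on this machine will drift"
        findings=$((findings + 1))
    fi
    # The well-known "public" community only matters while the agent runs.
    if [ "$(cfg_value "$file" "snmp agent")" = "on" ] &&
       grep -q '^set snmp community public ' "$file"; then
        echo "WARN: SNMP agent is on with the default community 'public'"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

# Constructed sample export in the layout that "show configuration" prints.
SAMPLE_CONFIG='#
# Configuration of mem103
#
set hostname mem103
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls password-expiration never
set ntp active off
set snmp agent on
set snmp agent-version any
set snmp community public read-only'

# audit_sample: write the sample to a temporary file and audit it.
audit_sample() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    audit_gaia_config "$tmp"
    rm -f "$tmp"
}

# On a Gaia system: "save configuration /home/admin/gw.clish" in Clish, then
# "audit_gaia_config /home/admin/gw.clish" from Expert mode (path assumed).
audit_sample
```

The script reads only the "set" lines, so it works on any export regardless of the comment header; on the embedded sample it reports five findings. Extend the checks with whatever your own baseline requires (for example the ipv6-state or the snmp traps lines shown in the example export).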
To see the latest configuration settings:

show configuration

This example shows part of the configuration settings as last saved to a CLI script:

mem103> show configuration
#
# Configuration of mem103
# Language version: 10.0v1
# Exported by admin on Mon Mar 19 15:06:22 2016
#
set hostname mem103
set timezone London / Europe
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set ntp active off
set router-id §.6.6.103
set ipv6-state off
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldstart disable
set snmp traps trap configurationChange disable

System Management Commands

There are a multitude of system management tasks that can be performed and configured using the CLI, such as managing users, synchronizing system clocks, configuring SNMP, banner messages, core dumps, and more. Examples of several of these tasks are noted below.

To add a user account:

add user <username> uid 200 homedir <path>

To modify user accounts:

set user <username>

To set a user password:

set user <username> password

To show the current system date and time:

show clock

The output displays the current system day, date, and time:

Thu Aug 25 15:25:00 2016 CET

A banner message can be configured to show users when they log in. To set a banner message:

set message banner <on|off> msgvalue <value>
Example of a banner message:

set message banner on msgvalue "This system is private and confidential"

To enable SNMP:

set snmp agent on

To enable or disable core dumps:

set core-dump [enable|disable]

To enable or disable IPv6 support:

set ipv6-state [on|off]
show ipv6-state

Network Administration Commands

The syntax to configure physical interfaces is:

set interface <name>
    ipv4-address <address>
    mask-length <mask>
    subnet-mask <mask>
    ipv6-address <address>
    mask-length <mask>
    ipv6-autoconfig [on|off]
    comments <text>
    mac-addr <mac>
    mtu <value>
    state [on|off]
    link-speed <speed>
    auto-negotiation [on|off]

Parameter: Description
interface <name>: Configures a physical or virtual interface with an interface name.
ipv4-address <address> / ipv6-address <address>: Assigns the IPv4 or IPv6 address.
ipv6-autoconfig [on|off]: If on, automatically gets the IPv6 address from DHCP.
mask-length <mask>: Configures the IPv4 or IPv6 subnet mask length using CIDR (/xx) notation.
subnet-mask <mask>: Configures the IPv4 subnet mask using dotted decimal notation.
comments <text>: Adds free text comments to an interface definition.
mac-addr <mac>: Configures the interface hardware MAC address.
mtu <value>: Configures the Maximum Transmission Unit (MTU) size for an interface with an integer greater than or equal to 68. The default is 1500.
state [on|off]: Sets the interface status to enabled or disabled.
link-speed <speed>: Configures the interface link speed in Mbps and duplex status values, such as 1M/half or 10M/full.
auto-negotiation [on|off]: Configures automatic negotiation of interface link speed and duplex settings to enabled or disabled.

Table 4: Network Administration Command Parameters

Examples:

set interface eth2 ipv4-address 40.40.40.1 subnet-mask 255.255.255.0
set interface eth2 mtu 1500
set interface eth2 state on
set interface eth2 link-speed 1000M/full

To delete an interface setting:

delete interface eth2 ipv4-address

Gaia automatically identifies physical interfaces, such as NICs, installed on a computer. Therefore, they cannot be added or deleted using the WebUI or the CLI.

Gaia devices can also be configured to be a Dynamic Host Configuration Protocol (DHCP) server. DHCP servers allocate IP addresses and other network parameters to network hosts, thus eliminating the necessity of configuring each host manually. DHCP server subnets can be configured on the Gaia device interfaces to allocate network parameters, such as IPv4 addresses and DNS parameters, to hosts behind the Gaia interface. Use DHCP commands to configure the Gaia device as a DHCP server for network hosts.

To create DHCP server subnets:

add dhcp server subnet <subnet> netmask <value> include-ip-pool start <ip> end <ip> exclude-ip-pool start <ip> end <ip>

To change the DHCP server subnet configuration:

set dhcp server subnet <subnet>
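The interface and DHCP commands above are usually typed one at a time; when several gateways have to be configured the same way, they are better generated and loaded as a script. The following bash script is an added example, not part of this manual: it validates the interface name, gateway address, mask length and pool range, refuses a pool that lies outside the subnet or contains the gateway address, and only then prints the set interface and add/set dhcp server commands. It assumes that netmask takes a mask length, that the set dhcp server subnet <subnet> default-gateway and enable forms follow the parameter table, and that the output is loaded with clish -f <file>; check all three against the Gaia Administration Guide for your version.

```shell
#!/usr/bin/env bash
# Added example (not from the manual): generate a Clish script that brings up
# an interface and a DHCP subnet on it, validating every input first so that
# only well-formed "set interface" / "add dhcp server subnet" commands reach
# the gateway. Assumptions: "netmask" takes a mask length, and the
# "set dhcp server subnet <subnet> default-gateway|enable" forms follow the
# parameter table in the text; the output is meant for "clish -f <file>".

OCTET='(0|[1-9][0-9]{0,2})'

# ip_to_int <a.b.c.d>: prints the address as an integer, fails on bad input
# (leading zeros are rejected to avoid octal ambiguity).
ip_to_int() {
    local o
    [[ "$1" =~ ^$OCTET\.$OCTET\.$OCTET\.$OCTET$ ]] || return 1
    local o1=${BASH_REMATCH[1]} o2=${BASH_REMATCH[2]} o3=${BASH_REMATCH[3]} o4=${BASH_REMATCH[4]}
    for o in "$o1" "$o2" "$o3" "$o4"; do [ "$o" -le 255 ] || return 1; done
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# int_to_ip <integer>: the reverse of ip_to_int.
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                            $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# gen_dhcp_clish <iface> <gateway-ip> <mask-length> <pool-start> <pool-end>
# Prints the Clish commands, or a single "ERROR: ..." line with status 1.
gen_dhcp_clish() {
    local iface=$1 gw=$2 len=$3 start=$4 end=$5
    local gw_i start_i end_i mask net a
    [[ "$iface" =~ ^eth[0-9]+$ ]] || { echo "ERROR: bad interface name $iface"; return 1; }
    [[ "$len" =~ ^[0-9]+$ ]] && [ "$len" -ge 1 ] && [ "$len" -le 30 ] ||
        { echo "ERROR: bad mask length $len"; return 1; }
    for a in "$gw" "$start" "$end"; do
        ip_to_int "$a" >/dev/null || { echo "ERROR: bad IPv4 address $a"; return 1; }
    done
    gw_i=$(ip_to_int "$gw"); start_i=$(ip_to_int "$start"); end_i=$(ip_to_int "$end")
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    net=$(int_to_ip $(( gw_i & mask )))
    # Both ends of the pool must sit inside the gateway's subnet.
    for a in "$start" "$end"; do
        [ $(( $(ip_to_int "$a") & mask )) -eq $(( gw_i & mask )) ] ||
            { echo "ERROR: pool address $a is outside $net/$len"; return 1; }
    done
    [ "$start_i" -le "$end_i" ] || { echo "ERROR: pool start $start is after pool end $end"; return 1; }
    if [ "$gw_i" -ge "$start_i" ] && [ "$gw_i" -le "$end_i" ]; then
        echo "ERROR: gateway $gw lies inside the pool $start-$end"; return 1
    fi
    cat <<EOF
set interface $iface ipv4-address $gw mask-length $len
set interface $iface state on
add dhcp server subnet $net netmask $len include-ip-pool start $start end $end
set dhcp server subnet $net default-gateway $gw
set dhcp server subnet $net enable
set dhcp server enable
EOF
}

# Constructed inputs. On a Gaia system, redirect the output to a file, review
# it, and load it from Clish with: clish -f dhcp-eth1.clish (file name assumed)
gen_dhcp_clish eth1 10.1.1.1 24 10.1.1.100 10.1.1.200
```

Because every failure is reported before any command is printed, a bad argument produces an empty script rather than a half-applied configuration; the exclude-ip-pool clause from the syntax above can be added in the same way if a range inside the pool must be reserved.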
Parameter: Description
subnet <subnet>: The DHCP server subnet (description not legible in the source).
start <ip> / end <ip>: The IPv4 address that starts or ends the allocated IP pool range.
include-ip-pool <range>: The range of IPv4 addresses to include in the IP pool. For example, 192.0.2.20-192.0.2.90.
exclude-ip-pool <range>: The range of IPv4 addresses to exclude from the IP pool.
enable / disable: Enable or disable the DHCP server subnet, or the DHCP server process (depending on the context).
default-gateway <ip>: The IPv4 address of the default gateway for the network hosts.
domain <name>: The domain name of the network hosts. For example, testdomain.com.
dns <servers>: The Domain Name Service (DNS) servers that the network hosts will use to resolve host names. Optionally, specify a primary, secondary and tertiary server in the order of precedence.
all: All DHCP server configuration settings.
subnet: DHCP server subnet configuration settings.
subnet <subnet> ip-pools: The IP pools in the DHCP server subnet, and their status: enabled or disabled.
status [enabled|disabled]: The status of the DHCP server process: enabled or disabled.

Table 5: DHCP Command Parameters

Gaia uses the Domain Name Service (DNS) to translate host names into IP addresses. To enable DNS lookups, the primary DNS server must be entered for your system. The system will consult the primary DNS server to resolve host names. A DNS suffix, which is a search for host-name lookup, can also be defined.

To configure the DNS server:

set dns primary <value>

To configure the DNS suffix:

set dns suffix <value>

The value parameter for both examples is an IPv4 or IPv6 address.

Additional CLI Commands

There are many more CLI commands available, such as commands which allow you to define static routes and configure system logging. To view a list of all possible CLI commands, log into Clish and press the Esc key on your keyboard twice. For operation-specific commands, press the Tab key twice.

Lab 1.4 Core CLI Elements of Firewall Administration

CPInfo

CPInfo is a Check Point utility that collects diagnostic data on a machine at the time of execution. The CPInfo output file allows Check Point's support engineers to analyze customer setups remotely. The support engineer opens the CPInfo file in demo mode, while viewing actual customer Security Policies and objects. This process allows for a more in-depth analysis of all of the customer's configuration options and environment settings. CPInfo collects the entire gateway installation directory, including $FWDIR/log/* files. Some of the other viewable information includes routing tables, system message logs, and the output of various commands, such as ifconfig and fw ctl pstat. CPInfo files are sent to Check Point Technical Support via email or FTP. To use CPInfo, make sure that the platform's current version of cpinfo is installed to extract the CPInfo file.
Run the cpinfo command with the relevant flags in Clish or in Expert mode:

• [flag illegible in source] — [description illegible in source; the surviving fragment reads "log records"]
• -f <file> — This flag uploads additional files to the Check Point server. It should be used in combination with -n and -[flag illegible in source]. If the file to be uploaded is not compressed, CPInfo will first compress it and then upload it.
• -o <filename> — This flag directs the output to a file and to the screen. It also specifies a filename.
• -y — This flag instructs the utility to display all installed hotfixes.
• -n — This flag is for non-interactive mode.
• [flag illegible in source] — This flag instructs the utility not to check for updates.
• [flag illegible in source] — This flag forces the update check. By default, the update check of the CPInfo utility is once a week.
• -u — This flag connects to the User Center with username and password.
• -e <emails> — Specifies a single email or multiple emails of people that should be notified about upload status. Multiple emails must be enclosed in double quotation marks and separated by semicolons. For example: "<email #1>;<email #2>"
• -s <SR number> — Specifies the Service Request number opened with Check Point Support. For example, -s 26-123456785
• -t <timeout> — Specifies the timeout in seconds for the commands executed by the utility. This does not apply to collection of the CPInfo output file itself. The default timeout is 600 seconds (5 minutes).
• -h — This flag displays the built-in help.

Advanced Firewall

The Check Point Firewall Software Blade builds on the award-winning technology first offered in Check Point's Firewall solution and provides the industry's best cyber security. Check Point has demonstrated industry leadership and continued innovation since the introduction of the Firewall-1 in 1994. Check Point Firewalls are trusted by 100% of the Fortune 100 companies.

Check Point Firewall Infrastructure

As a security expert considering the needs of your organization, in-depth knowledge of Security Gateways must be applied as you implement them beyond a simple distributed deployment. To establish a framework for assessing gateway performance in a complex network topology, you must understand the infrastructure. You should recall from the CCSA that, fundamentally, Check Point security components are divided into the following components:

• GUI Client
• Security Management
• Security Gateway

GUI Client

GUI applications for object manipulation, log monitoring and SmartEvent are all unified into one console (SmartConsole). These GUI applications offer you the ability to configure, manage and monitor security solutions, perform maintenance tasks, generate reports and enforce corporate policy in real-time. Check Point periodically releases new executables that include updates for SmartConsole applications. These updates are not always related to or aligned with Security Gateway hotfixes and are considered a separate, unrelated release track.

Security Management

The management component is responsible for all management operations in the system. It contains several elements, such as the management server, reporting suite, [element illegible in source] server, etc. All of the functionality of the Management server is implemented in User-Mode processes, where each process is responsible for several operations.

Check Point Management (cpm) is the main management process. It provides the architecture for a unified security environment. CPM allows the GUI client and management server to communicate via web services using TCP port 19009. It empowers the migration from legacy Client-side logic to Server-side logic. The cpm process performs database tasks, such as creating, deleting, and modifying objects, and compiling policy. Processes controlled by CPM include:

• web_services — Transfers requests to the dle_server.
• dle_server — Contains all the logic of the server and validates information before it is written into the database.
• object_store — Translates and writes data to the database.

CPM saves all data in the Postgres SQL database and stores most of the data in Solr, a standalone search server powered by the Lucene Java search library. The Postgres SQL database contains objects, policies, users, administrators, licenses, and management data. The data is segmented into multiple database domains. Solr generates indexes of the data to be used for full text searching capabilities.

Figure 6 — CPM Architecture

Additional significant management processes include:

fwm — Firewall Management (fwm) is on all management products, including Multi-Domain Security Management, and on products that require direct GUI access, such as SmartEvent. The fwm process is used mainly for backward compatibility of gateways. It provides GUI client communication, database manipulation, policy compilation, and Management High Availability synchronization.
fwd — Check Point Firewall Daemon (fwd) allows other processes, including the kernel, to forward logs to external Log servers, as well as the Security Management Server. It communicates with the kernel using command line tools, such as the fw commands, kernel variables, and kernel control commands.

fwssd — A child process of fwd. It is responsible for managing Firewall Security Servers, which provide a higher level of protocol enforcement.

cpd — Check Point Daemon (cpd) is a core process on every Check Point product. It allows Secure Internal Communication (SIC) functionality, pulls application monitoring status, transfers messages between Firewall processes, fetches and installs policy, and more.

cpwd — Check Point WatchDog (cpwd) invokes and monitors critical processes, such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by cpwd are cpd, fwd, and fwm. The cpwd_admin utility shows the status of processes and configures cpwd.

Security Gateway

The Security Gateway, sometimes referred to simply as the Firewall, is the component in the system responsible for security enforcement, encryption/decryption, authentication, and accounting. The functionality of the Security Gateway is implemented both in User-Mode and in the kernel. The Security Gateway is a network device running an operating system, which makes it vulnerable to possible Network layer attacks. To mitigate this vulnerability, some of the Firewall functionality is implemented in kernel mode. This allows the traffic to be inspected before even getting to the operating system IP stack.

Figure 7 — Security Gateway Operating System Kernel

The Firewall Kernel

The Firewall kernel is responsible for the majority of the Security Gateway's operations, such as security enforcement, encryption/decryption, NAT, etc.
In order to detect which part of the kernel might be responsible for a specific issue, start by considering the inner structure of the Firewall kernel and its interaction with the operating system kernel (Gaia), the hardware, and other kernel components, such as acceleration. There are certain processes that operate at the operating system level in the User Mode space and others that operate in kernel mode space.

User and Kernel Mode Processes

The Kernel Mode resides in the Data Link layer of the OSI model. The Firewall kernel inspects packets between the Data Link layer and the Network layer. Every packet that goes through the Firewall is inspected. In the Network layers, you would not see all those packets. User Mode is not mandatory; however, it allows the Firewall to function more efficiently in the Application layer. The Firewall employs services of the operating system and allows easier inspection of files on open connections.

It is possible and, in some cases, required for user and kernel processes to communicate. To allow this, there are two mechanisms: Input/Output Controls (IOctl) and traps. When a Kernel process wishes to signal to a User Mode process, it sets a trap by changing a value in a registry key. The User Mode process monitoring that flag stumbles on the trap and performs the requested operation. When a User Mode entity needs to write information to a kernel process, it uses IOctl, which is an infrastructure allowing the entity to call a function in the kernel and supply the required parameters.

Figure 8 — User Mode and Kernel Mode Processes

As administrators trying to debug the Firewall, the first observation to make is to decide which Firewall functionality is implemented in the user space and which is implemented in the kernel.
Once that distinction is made, decide the best approach to use in addressing the problem, including which tool is the most appropriate to use.

Packet Flow

To understand how packets are inspected, consider the Firewall kernel more closely.

Inbound and Outbound Packet Flow

Traffic first arrives into the Firewall through one of the Firewall Network Interface Cards (NICs). The Check Point Firewall kernel is installed on each Firewall NIC that is enabled in the operating system. The Firewall kernel consists of two completely separate, logical parts called the Inbound and Outbound, which represent the process of packets coming in and out of the Firewall. These processes work on each packet through another process called inspection. Each part acts independently and does not assume that a packet was inspected or processed by the other. Therefore, some functionality is implemented both on the Inbound and on the Outbound. Some key points include:

• Each direction has its own ordered chain of modules, or packet processing handlers.
• Handlers decide whether to continue, terminate or hold the processing of a packet.
• Inspection is performed on virtually defragmented packets.

The inspection process does expect that a packet in the Outbound that has not entered the Inbound first originated from the Security Gateway itself. It also assumes that a packet not originating from the gateway was Inbound.

Figure 9 — Check Point Firewall Kernel Inspection Points

Packet Inspection Flow

The following diagram describes a packet flow through the Firewall kernel and how the User Mode processes work to control the traffic.

Figure 10 — Packet Inspection Flow

1. The packet arrives at the Security Gateway and is intercepted by the NIC on the Inbound.
2. The Firewall kernel Inbound chain begins inspecting the packet.
3. The packet is matched against the Rule Base. A log is generated and sent from the kernel to the User Mode process, fwd, located in the Security Gateway.
4. The fwd process on the Security Gateway sends the log to the fwd process on the Management server, where it is forwarded to cpm via cpd.
5. cpm sends the log to the relevant SmartConsole GUI application, such as SmartView Monitor.
6. At the same time, depending on routing decisions made by the operating system and excluding specific scenarios such as VPN routing, the packet is routed to a selected NIC. The packet must go through the Firewall kernel again, only this time through the Outbound chain to the appropriate NIC and to the network.

Chain Modules

Chain Modules are packet processing handlers. Handlers decide which modules will inspect the packet and, based on the inspection, may then modify, pass, or drop the packets. Each module in the chain has a unique job. The number of chains on a Security Gateway is based on the number of blades and features enabled for that gateway. Inbound and outbound packets are inspected in both directions by chain modules. Familiarity with the elements of a chain module is an important step in understanding how traffic moves through the firewall, and will likely be of great assistance when debugging is required.

Consider the following chain module example. The location of the module in the chain is a relative, serial number: for example, above, the fw VM outbound is the 6th chain module for this particular gateway configuration. It may be in a different location in other gateway scenarios. The chain position is an absolute number that never changes. In the Firewall kernel, each chain module is associated with a key, which specifies the type of traffic applicable to the chain module. For a Wire Mode configuration, chain modules marked with 1 will not apply, and for Stateful Mode, the chain modules marked with 2 will not apply. Chain Modules marked ffffffff, such as IP Options Strip/Restore, and 3 will apply to all traffic.

Figure 11 — Chain Module Example

To take a look at an actual chain, use the fw ctl chain command. This will show you the chain modules actually loaded on your machine and their order.

Inbound fw ctl Chain Modules

View the chain modules displayed below. In this example and in different configurations, some chain modules will not apply and others might be added. Between different releases, chain modules are added or removed, depending on the version-specific design decisions.

Figure 12 — Inbound Chain

Outbound Chain Modules

View the chain modules displayed below. Shown in this figure, the Outbound chain shows roughly the same chain modules as seen on the Inbound. The most significant difference is that in the Inbound, the vpn decrypt and vpn decrypt verify chain modules are present. This makes sense because it is expected that a packet would be decrypted on the Inbound. In addition, the Outbound chain also has the vpn encrypt chain module, if the packet needs to be encrypted on the Outbound.

Figure 13 — Outbound Chain

Wire Mode

Wire Mode enables VPN connections to successfully maintain a private and secure VPN session without employing Stateful Inspection. Using Wire Mode, the Firewall can be bypassed for VPN connections by defining internal interfaces and communities as "trusted". This improves the performance of the VPN tunnel and reduces downtime. With Stateful Inspection no longer taking place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed.
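When debugging, the useful question is which of the loaded chain modules still apply to the traffic in question. The following bash script is an added example, not part of this manual or of the fw tool: it parses fw ctl chain output and applies the key rule stated above (key 1 modules do not apply in Wire Mode, key 2 modules do not apply in Stateful Mode, ffffffff and 3 apply to all traffic). The embedded chain is constructed in the command's line layout; its positions, addresses and the keys given to the VPN modules are illustrative rather than a capture from a gateway.

```shell
#!/usr/bin/env bash
# Added example (not from the manual): parse "fw ctl chain" output and list
# the chain modules that still apply in a given mode, using the key rule from
# the text (key 1: not in Wire Mode, key 2: not in Stateful Mode, ffffffff
# and 3: all traffic). The sample is constructed in the command's line layout
# ("index: position (address) (key) name (tag)"); positions, addresses and
# the keys assigned to the VPN modules are illustrative, not a capture.

SAMPLE_CHAIN='in chain (6):
        0: -7f800000 (f2d88f50) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: - 1fffff8 (f2d8afb0) (00000001) Stateless verifications (in) (asm)
        2: - 1fffff0 (f2d8c400) (00000001) vpn decrypt (vpn)
        3: - 1ffffe0 (f2d8c700) (00000003) vpn decrypt verify (vpn_ver)
        4:         0 (f2d91000) (00000001) fw VM inbound  (fw)
        5:  7f800000 (f2d88d00) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (4):
        0: -7f800000 (f2d88f50) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: - 1fffff0 (f2d8c900) (00000002) vpn encrypt (vpn)
        2:         0 (f2d91000) (00000001) fw VM outbound (fw)
        3:  7f800000 (f2d88d00) (ffffffff) IP Options Restore (out) (ipopt_res)'

# applicable_modules <wire|stateful|all>: reads "fw ctl chain" output on
# stdin and prints "<dir> <index> <key> <name>" for each module that applies.
applicable_modules() {
    awk -v mode="$1" '
        /^(in|out) chain/ { dir = $1; next }
        /^[ \t]*[0-9]+:/ {
            n = split($0, p, "[(]")          # p[2]=address, p[3]=key + name
            if (n < 3) next
            key = substr(p[3], 1, 8)
            name = p[3]
            sub(/^[0-9a-f]+\)[ \t]*/, "", name)
            sub(/[ \t]+$/, "", name)
            idx = $1; sub(/:$/, "", idx)
            skip = (mode == "wire" && key == "00000001") ||
                   (mode == "stateful" && key == "00000002")
            if (!skip) print dir, idx, key, name
        }'
}

# count_modules <mode>: number of applicable modules in the embedded sample.
count_modules() {
    printf '%s\n' "$SAMPLE_CHAIN" | applicable_modules "$1" | wc -l | tr -d ' '
}

# On a gateway, feed the live command instead of the sample:
#   fw ctl chain | applicable_modules wire
printf '%s\n' "$SAMPLE_CHAIN" | applicable_modules wire
```

On the sample, Wire Mode leaves six modules (the IP Options pair in each direction, vpn decrypt verify, and vpn encrypt), which is the filter view that matters when a packet in a trusted VPN community behaves differently from the same packet outside it.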
Wire Mode is based on a trusted source and destination and uses internal interfaces, such as the Security Gateway and VPN Communities.

Lab 1.5 Viewing the Chain Modules

Stateful Inspection

Stateful Inspection was invented by Check Point to provide accurate and highly efficient traffic inspection. Apart from checking the IP Header of a packet, Stateful Inspection also implements checks on other characteristics of a packet, such as TCP stream, sequence numbers, UDP communication and port numbers, to monitor the state of a packet operating primarily at the Transport layer of the operating system. The Inspection Engine examines every packet as it is intercepted at the Network layer. The connection state and context information are stored and updated dynamically in the kernel tables. Kernel tables are also known as State tables. To see the process flow of the Inspection Engine, review the flow chart below.

Figure 14 — Inspection Process Flowchart

1. Packets pass through the Network Interface Card (NIC) to the Inspection Module, which inspects the packets and their data.
2. Packets are matched to the policy Rule Base one rule at a time. Packets that do not match any rule are dropped.
3. Logs and/or alerts that have been defined are started.
4. Packets that pass inspection are moved through the TCP/IP stack to their destination.
5. For packets that do not pass inspection and are rejected by the rule definition, a negative acknowledgment (NACK) is sent (i.e. RST packet on TCP and ICMP unreachable on UDP).
6. Packets that do not pass inspection and do not apply to any of the rules are dropped without sending a NACK.

Security Servers

Security servers are a necessary and crucial element to Firewall functionality. Some Firewall features require a higher level of protocol enforcement and RFC compliance, such as in the Application Layer.
Security servers are the individual processes within the Firewall system that are responsible for the detailed protocol-specific security inspection, such as FTP, HTTP, or SIP, and other inspection services like DLP.

NOTE: When Identity Awareness is deployed, this process operates differently.

How a Security Server Works

Essentially, when a client initiates a connection to a server, the Firewall kernel signals the fwd process using a trap. fwd spawns the fwssd child service, which runs the Security server. Then, the Security server binds to a socket. fwd waits for connections on the ports of other servers (daemons) and starts the corresponding server when the connection is made. fwd also talks to its child processes on other servers using a pipe and signals.

The $FWDIR/conf/fwauthd.conf file contains the structure of the security servers, showing the port numbers, corresponding protocol name, and status. If the real port is 0, then a higher random port is assigned.

Figure 15 — Example of $FWDIR/conf/fwauthd.conf

Kernel Tables

There are dozens of kernel tables, each storing information relevant to a specific Firewall function. Using the information saved in the kernel tables, very elaborate and precise protections can be implemented. To view all existing kernel tables, type the command fw tab -t at the command prompt. To view only the table names and get a perspective on the number of kernel tables available, use the fw tab -s command. Most traffic-related information is saved in the kernel tables. Information is also stored in htabs, ghtabs, arrays, kbufs, and other devices. Tables may be created, deleted, modified, and read. In particular, consider the Connections table.

Connections Table

The Connections table is essentially an approved list of connections. The Firewall, as a network security device, inspects every packet coming in and out of each interface. After the first packet is matched against the Rule Base, we assume that the returning packet might not be accepted in the Rule Base. For example, we allow 74.100.100.1 to connect with 212.150.141.5 using Telnet on port 23 in the Rule Base and drop everything else. The SYN packet will match the Rule Base and pass; but the SYN-ACK packet comes back with the reversed tuple (source IP 212.150.141.5, destination IP 74.100.100.1) and source port 23 with a random destination port. (Reference the Connections Table figure in the following section.) To mitigate this, for every recorded connection, a matching, reversed-tuple entry is also added to the list of approved connections. Some scenarios such as NAT, data connections and elaborate protocols, such as Voice over IP (VoIP), introduce more complexity to the logic behind maintaining the Connections table.

The Connections table provides enhanced performance. As we saw in the Inspection Process Flowchart, the action of matching a packet against the Rule Base may be very costly (especially if there is a very large Rule Base with dynamic objects and logical servers that need to be resolved). By maintaining the list of approved connections in the Connections table, the gateway can enforce an intelligent analysis for assumed rule-matching, thus saving valuable time and computing power.
The Connections table also allows server replies. We noted earlier that sometimes Server to Client (S2C) packets might not match the Rule Base. In these cases, they would be handled by the Connections table. To view the Connections table, use the following command:

fw tab -t connections -f

NOTE: Using the fw tab -t connections -f command could impact performance.

The following Stateful features are provided with the Connections table:

+ Streaming based applications
+ Sequence verification and translation
+ Hide NAT (Explicit entries may need to be added to the Connections table when the S2C packets returning to the Firewall may not match the Rule Base.)
+ Logging, accounting, monitoring, etc.
+ Client and server identification
+ Data connections

Connections Table Format

Each new packet is recorded in the table in all available entries. In FireWall-1 version 4.1, only one entry was made for each new connection. Each packet had to go through the Connections table several times to verify all available types of connection. Today, each packet goes through a single lookup, as all available entries are already recorded in the table.

Figure 16 — Connections Table

The Symbolic Link format provides the 6-tuple of the connection we want to pass. The arrow is a pointer to the tuple of the Real Entry in the Connections table. The first six attributes in every entry in the Connections table state the connection's 6-tuple. The 6-tuple is a unique identification of the connection within the system.
The direction can be either 0 for Inbound or 1 for Outbound. In the Connections Table figure, we see a simple connection representation in the Connections table. The first entry is called the Real Entry and holds all of the relevant information for that traffic, such as state, sequence numbers and matching rule. The Real Entry allows the Client to Server (C2S) packet to enter the Firewall on the Inbound. The second entry is a Symbolic Link, allowing the same C2S packets to enter the Firewall on the Outbound. The third entry is another Symbolic Link that allows the S2C traffic to enter the Firewall on the Inbound. The last entry is also a Symbolic Link and allows the S2C packet to enter the Firewall on the Outbound.

Policy Installation

The policy installation process is divided into three main stages: Verification & Compilation, Transfer (CPTA), and Commit.

Figure 17 — Policy Installation Process

Verification & Compilation

The Verification & Compilation stage of policy installation occurs on the management side. It involves the following steps:

1. Initiation — Policy installation is initiated from SmartConsole or from the command line. Information required for the policy installation, such as the list of gateways on which the policy is to be installed, is provided. Verification of user permissions for policy installation also occurs prior to continuing to the next step in the process.
2. Database Dump — A database dump from postgres to the old file formats is made for cpmi tables only if changes occurred. A dump for non-cpmi tables will occur every time.
3. Verification — Information in the database is verified to comply with a number of rules, specific to the application and package for which policy installation is requested. If this verification fails, the process ends here, and an error message is passed to the initiator. The system can also issue warnings in addition to fail/success messages.
4. Conversion — The information in the database is converted from its initial format to the format understandable by later participants in the flow, such as code generation and the gateway.
5. fwm re-exec — The fwm loader takes a lot of memory. To release memory after verification and conversion, the fwm state is saved to a file located in the $FWDIR/tmp/ directory. fwm is then re-executed as a fwm load command to push the files for code generation and compilation.
6. Code Generation and Compilation — The policy is translated to the INSPECT language and compiled with the INSPECT compiler. Also, some additional data transformations are compiled. After verifying and converting the database, the fwm process compiles the relevant files, such as objects_5_0.C and AccessCTRRules_0.C, into several compiled files (local.ft, local.set, etc.). The compiled policy will be copied to the $FWDIR/state/ directory on the management server.

Transfer (CPTA)

The Transfer stage occurs between the management server and the gateway. Once the policy is successfully compiled and moved to $FWDIR/state/ on the management server, the Check Point Policy Transfer Agent (CPTA) transfers the compiled policy to the gateway using SIC. Using SIC will ensure that the management server is trusted to install policy on the gateway. It also encrypts the connection via SSL, so that the policy data transferred to the gateway is trusted. Once SIC is initialized, SIC authentication will occur for every policy installation.

Commit

During the Commit stage, the Firewall is instructed to load the new policy it has just received from the management server. The following steps will occur:

+ The cpd process on the gateway will execute the following command to load the policy which was just transferred to the gateway: fw fetchlocal -d $FWDIR/state/__tmp/FW1
+ The policy will then be loaded into the kernel.
+ If successful, the new policy will be copied to the $FWDIR/state/FW1 folder on the gateway.
+ If the fetchlocal process fails, cpd will get a notification regarding the failed process and will inform the fwm process that loading the policy has failed.

Policy Installation Flow

The graphic below displays a general process flow for policy installation. Differences are version specific, so $FWDIR is replaced with the compatibility package when other products or versions are used.

Figure 18 — Policy Installation Flow

1. The policy is defined in SmartConsole.
2. After the policy is published, it is saved in the postgres database. At a push, verification of user permission is performed.
3. Database dump from postgres to old file formats (objects_5_0.C and others) for cpmi tables, only if changes occurred, and a dump for non-cpmi will occur. All *.W files are stored in rulebases_5_0.fws.
4. After the policy is saved, files are created under $FWDIR/conf/*.W.
5. fwm_gen compiles the new $FWDIR/conf/*.W into a machine language, creating a new file called $FWDIR/conf/*.pf. The $FWDIR/conf/*.pf is actually the input from the $FWDIR/conf/*.W and the $FWDIR/conf/objects.C files. The $FWDIR/conf/*.W file is the exact same information defined in the GUI, just in a text format instead of a graphic one.
6. A C preprocessor compiles the *.pf and lib/*.def files, creating a new file called *.cpp.
7. All newly generated files are stored under $FWDIR/state/ on the management server. *.cpp is compiled and translated to a machine language and transferred to the gateway.
8. The $FWDIR/state/ directory is pushed to the enforcement module (gateway).
9. cpd and the kernel on the enforcement module perform an automatic load.

Policy Installation by User Mode

Now we will examine how policy installation is handled by User Mode processes.

Figure 19 — Policy Installation Process Flow

1. Assuming the initiation was made by a SmartConsole application, as opposed to using command line options such as fwm load or fw fetch, the Check Point Management Interface (cpmi) policy installation command is sent to fwm on the Management server where verification and compilation takes place.
2. fwm forwards the command to cpd for code generation and compilation.
3. cpd invokes the cpta command which sends the policy to all applicable Security Gateways.
4. cpd on the Security Gateway receives the policy and verifies its integrity.
5. cpd on the Gateway updates all of the User Mode processes responsible for enforcement aspects. These include vpnd for VPN issues, fwssd processes for Security server issues and so on. Once complete, cpd then initiates the kernel replacement.
6. The new policy is prepared and the kernel halts the traffic and starts queuing all incoming traffic.
7. The Atomic load takes place. This process should take a fraction of a second.
8. The Queue is released and all of the packets are handled by the new policy.

NOTE: Additional steps may be included for debugging purposes.

Network Address Translation

Network Address Translation (NAT) and Network Address Port Translation (NAPT) are the two primary technologies traditionally used as methods to hide networks so actual IP addresses are not revealed or required to be publicly routable. This reduces the need for more publicly routable IPs, and allows access to internal (sometimes non-routable) resources from an external network.

How NAT Works

NAT is regarded as an infrastructure of services used, for example, to create clustering solutions, security servers, office mode connections, etc.

Table 6: NAT Infrastructure Features

+ INSPECT rules and tables
+ NAT Rule Base is efficient
+ Performed on the first packet
+ Dual NAT (automatic rules)
+ Rule priorities

When NAT is defined on a network object, NAT rules are automatically added to the NAT Rule Base. Those rules are called Automatic NAT rules. NAT is translated during policy installation to tables and performed on the first packet of the connection. The NAT Rule Base is very efficient and can match two NAT rules on the same connection. This is called bi-directional NAT and only applies to Automatic NAT rules.

NOTE: Even though NAT merges two Automatic NAT rules into one, this feature may be disabled and NAT rules may be manually defined for additional options.

NAT rules are prioritized according to the list below:

1. Manual/Pre-Automatic NAT
2. Automatic Static NAT
3. Automatic Hide NAT
4. Post-Automatic/Manual NAT rules

Hide NAT Process

Consider first the original packet. When the packet arrives at the Inbound interface, it is inspected by the Security Policy. If accepted, the packet is entered into the Connections table. The first packet of the connection is matched against NAT rules. The packet is translated if a match is found.
Then the packet arrives at the TCP/IP stack of the Firewall Module machine and is routed to the Outbound interface.

Figure 20 — Hide NAT (connection entries with Next Port Entry and Used Port Entry columns)

During the NAT Rule Base traversal, both NAT source and destination are decided. However, they are actually performed at the following locations:

+ src nat on the server side
+ dst nat depending on the relevant GUI property

The Reply packet arrives at the Inbound interface of the Firewall machine. The packet is passed by the Security Policy since it is found in the Connections table. The packet's destination, which is the source of the original packet, is translated according to the NAT information. This takes place because the packet was translated in the first, initial connection. The packet arrives at the TCP/IP stack of the Firewall machine and is routed to the Outbound interface. The packet goes through the Outbound interface and its source, the destination of the original packet, is translated according to the information in the NAT tables. The packet then leaves the Firewall machine.

Manual NAT

Many organizations prefer to define their own NAT rules rather than relying on the system generated rules. There are also certain situations when manual NAT rules must be used, such as when:

+ Rules exist that are restricted to specified destination IP addresses and to specified source IP addresses.
+ Both source and destination IP addresses translate in the same packet.
+ Static NAT occurs in only one direction.
+ Rules exist that only use specified services (ports).
+ IP addresses translate for dynamic objects.

The NAT Rule Base is processed one rule at a time from top to bottom, similarly to the Firewall Rule Base. Therefore, Manual NAT rules must be placed in the right order to be applied correctly.
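The Connections table format (one Real Entry plus three Symbolic Links per connection, reversed tuples for server replies, the drop/reject NACK decision from the inspection flowchart) and the Hide NAT process described above can be modelled in a few dozen lines. The following is an added example, not Check Point code or a description of the real kernel tables: the Rule Base, addresses, the hide address 198.51.100.2 and the starting port 10000 are all constructed, and the table is a plain dictionary keyed by the 6-tuple.

```python
"""Toy model of the Connections table and Hide NAT (added example, not Check Point code).

Each accepted connection is stored as a Real Entry keyed by the 6-tuple of the first
(C2S, Inbound) packet, plus three Symbolic Links pointing back at it, so C2S and S2C
packets in both directions match with a single lookup and server replies never need a
Rule Base match. Hide NAT allocates a port from a "next port" counter on the first packet
and the reply is translated back through the same table. All values are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INBOUND, OUTBOUND = 0, 1                         # direction field of the 6-tuple
TCP, UDP = 6, 17
Tuple6 = Tuple[str, int, str, int, int, int]     # src ip, sport, dst ip, dport, proto, dir


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


@dataclass
class RealEntry:
    rule: int                                    # rule that accepted the first packet
    state: str
    hide_src: Optional[Tuple[str, int]] = None   # translated source when Hide NAT applies


class Firewall:
    def __init__(self, rules, hide_net: str, hide_ip: str, first_port: int = 10000):
        self.rules = rules                       # (src, dst, dport, proto, action); "any" = wildcard
        self.hide_net = ip_network(hide_net)     # internal network hidden behind hide_ip
        self.hide_ip = hide_ip
        self.next_port = first_port              # "Next Port Entry"
        self.used_ports = set()                  # "Used Port Entry"
        self.table: Dict[Tuple6, object] = {}    # RealEntry, or a Tuple6 acting as Symbolic Link

    def match_rule(self, p: Packet) -> Tuple[Optional[int], str]:
        """Rule Base walk: first match wins; a packet matching nothing is dropped."""
        for n, (src, dst, dport, proto, action) in enumerate(self.rules, 1):
            if (src in ("any", p.src_ip) and dst in ("any", p.dst_ip)
                    and dport in ("any", p.dst_port) and proto in ("any", p.proto)):
                return n, action
        return None, "drop"

    def _alloc_port(self) -> int:
        while self.next_port in self.used_ports:
            self.next_port += 1
        port = self.next_port
        self.used_ports.add(port)
        self.next_port += 1
        return port

    def _record(self, p: Packet, rule: int) -> None:
        entry = RealEntry(rule=rule, state="SYN_SENT" if p.proto == TCP else "UDP")
        c, s = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        nat_c = c
        if ip_address(p.src_ip) in self.hide_net:   # Hide NAT is decided on the first packet
            nat_c = (self.hide_ip, self._alloc_port())
            entry.hide_src = nat_c
        real_key = (*c, *s, p.proto, INBOUND)        # C2S, Inbound: the Real Entry
        self.table[real_key] = entry
        for link in ((*nat_c, *s, p.proto, OUTBOUND),  # C2S, Outbound (translated source)
                     (*s, *nat_c, p.proto, INBOUND),   # S2C, Inbound (reversed tuple)
                     (*s, *c, p.proto, OUTBOUND)):     # S2C, Outbound (back to the client)
            self.table[link] = real_key                # Symbolic Link -> Real Entry

    def lookup(self, p: Packet, direction: int) -> Optional[RealEntry]:
        hit = self.table.get((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto, direction))
        return self.table[hit] if isinstance(hit, tuple) else hit   # follow the link

    def inbound(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Inspect a packet on the Inbound chain; returns (verdict, NACK type or None)."""
        if self.lookup(p, INBOUND) is not None:      # approved connection: no Rule Base walk
            return "accept", None
        rule, action = self.match_rule(p)
        if action == "accept":
            self._record(p, rule)
            return "accept", None
        if action == "reject":                       # NACK: RST for TCP, ICMP unreachable for UDP
            return "reject", "tcp-rst" if p.proto == TCP else "icmp-unreachable"
        return "drop", None

    def translate_outbound(self, p: Packet) -> Packet:
        """Hide NAT on a C2S packet leaving the Outbound interface: the source is rewritten."""
        entry = self.lookup(p, INBOUND)
        if entry is not None and entry.hide_src is not None:
            return Packet(*entry.hide_src, p.dst_ip, p.dst_port, p.proto)
        return p

    def translate_reply(self, p: Packet) -> Optional[Packet]:
        """Reverse translation of an S2C reply on the Inbound; None if the table has no entry."""
        hit = self.table.get((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto, INBOUND))
        if not isinstance(hit, tuple):
            return None
        return Packet(p.src_ip, p.src_port, hit[0], hit[1], p.proto)  # Real Entry key holds the client


def demo() -> Tuple[Firewall, Packet, Packet]:
    """Telnet from a hidden internal client and its SYN-ACK reply (constructed scenario)."""
    rules = [("10.1.1.10", "74.100.100.1", 23, TCP, "accept"),
             ("any", "any", 80, TCP, "reject"),
             ("any", "any", "any", "any", "drop")]
    fw = Firewall(rules, hide_net="10.1.1.0/24", hide_ip="198.51.100.2")
    syn = Packet("10.1.1.10", 40001, "74.100.100.1", 23, TCP)
    assert fw.inbound(syn) == ("accept", None)            # rule 1, four table entries created
    on_wire = fw.translate_outbound(syn)                  # 198.51.100.2:10000 -> 74.100.100.1:23
    syn_ack = Packet("74.100.100.1", 23, on_wire.src_ip, on_wire.src_port, TCP)
    assert fw.inbound(syn_ack) == ("accept", None)        # found in the table, no Rule Base match
    to_client = fw.translate_reply(syn_ack)               # destination restored to 10.1.1.10:40001
    return fw, on_wire, to_client
```

Running demo() shows why the reversed-tuple entries matter: the SYN-ACK from 74.100.100.1 would never match rule 1 (its source is the server), yet it is accepted by the single table lookup and its destination is rewritten back from the hide address to the client.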
Manual NAT rules are added to the NAT Rule Base either above or below any already existing Automatic NAT rules. For example, in the figure below, the first NAT rule was manually created and the other NAT rules were automatically generated based on the NAT settings applied to the respective network objects. The Manual NAT rule is placed at the top of the NAT Rule Base so that it is the first rule to be matched. The Automatic NAT rules can be identified by the comments section, where the automatic comment, "Automatic rule (see the network object data)", is applied to each one.

Figure 21 — Manual NAT Example

The NAT Rule Base consists of two main section headings: one for the Original Packet before NAT is applied by the Firewall and the other for the Translated Packet after the Firewall has applied NAT. The processing order for the overall inspection and routing of packets by the Security Gateway is as follows:

1. Firewall — Inspection on the Original Packet.
2. NAT — Translate the IP and/or port number as required.
3. Routing — Forward on the resulting packet.

When configuring Manual NAT in Global Properties, check the Translate destination on client side checkbox in the Manual NAT rules section.

Figure 22 — Global Properties for NAT Rules

Proxy ARP for Manual NAT

For Manual NAT rules, it is necessary to configure proxy ARPs to associate the translated IP address. A proxy ARP allows the Security Gateway to answer ARP queries for a network address that is located on that same network.
The ARP proxy is aware of the location of the traffic's destination, offering its own MAC address as the destination. When the data is received from the external network, the Security Gateway forwards the data to the relevant host on the internal network.

The configuration of proxy ARPs is necessary for situations such as when a manual Static NAT rule has been created and the Security Gateway does not answer the ARP requests for the Static NAT'd IP address in the Manual NAT rule. Another situation would be when a Security Gateway replies to ARP requests with an incorrect MAC address, mostly for the NAT traffic.

In situations where incoming connections are required to a specific internal host, additional public IP addresses which are necessary for use with Manual NAT rules can be added as Secondary IP addresses (or aliases). The IP addresses are added on the external interface of the Gaia operating system through either the Gaia Portal or through Clish using the following command:

add interface eth0 alias
This will create the automatic proxy ARP in the Gaia operating system, which is needed to accept the connections for the required public IP addresses used as objects in the NAT Rule Base configuration.

To configure a proxy ARP:

1. Match the IP addresses of the relevant hosts on the internal network to the MAC address of the Security Gateway on the external network. This is saved in the $FWDIR/conf/local.arp file.
2. Create the relevant Manual NAT rules.
3. Install the Security Policy.

Lab 1.6 Configuring Manual NAT

Firewall Administration

In addition to understanding the Firewall kernel structure, it is important to familiarize yourself with the configuration file structure and the commands typically used for troubleshooting problems. To begin with, let's consider how the Firewall configuration files are broken down. The main sub-groupings of configuration files are divided into directories located under /opt:

+ CPsuite-R80 — Manages Firewall modules (R75.20 - R80). CPsuite is the generic installation.
+ CPshrd-R80 — Stores what used to be called SVN foundation, including the cpd database, licenses, registry and generic low-level Check Point infrastructure (not version related).
+ CPEdgecmp-R80 — Manages Edge devices.

The /lib and /conf directories store definition files that are important to take into consideration. For instance, the $FWDIR/lib/*.def files include Rule Base and protocol definitions. User definitions are stored in $FWDIR/conf/fwauth.NDB and Security server configuration settings are stored in $FWDIR/conf/fwauthd.conf. $FWDIR/conf/classes.C defines fields for each object used in the objects_5_0.C file, such as color, num/string and default value. Though the $FWDIR/database/ directory on the Management server has no relevancy, this directory is particularly noteworthy on the gateway itself, where specific object entries are stored for that particular gateway. There are different ways to view and edit database files such as these.
+ dbedit — A command line utility on the Management server itself.
+ GuiDBedit.exe — An executable tool on the Windows-based GUI client machine under: C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM

NOTE: The objects_5_0.C file is still used for legacy gateways on R77.20 and older. The database for R80.10 is located in PostgreSQL. x86 was added to the path because most computers now run in 64-bit mode.

Common Commands

+ cpconfig — This command is used to run a command line version of the Check Point Configuration tool and configure or reconfigure a Security Gateway/Management installation.
+ cplic print — Located in $CPDIR/bin, this command prints details of Check Point licenses on the local machine. cplic print -s prints the licenses with signatures and cplic del deletes a license.
+ cpstart — This command is used to start all Check Point processes and applications running on a machine.
+ cpstop — This command is used to terminate all Check Point processes and applications running on a machine.

The commands cpstop and cpstart are actually calling the fwstop and fwstart scripts for all Check Point products, including the Firewall stop/start scripts located in $FWDIR/bin. These are scripts that run when you perform cpstop, cpstart and cprestart with different flags. cprestart is an internal command used for Dynamically Assigned IP (DAIP) devices, such as Edge devices. Not all Check Point processes are brought down when cprestart is used; therefore, cpstop and cpstart should always be used.

FW Monitor

The Check Point tool, fw monitor, is a packet analyzer tool which is on every Check Point Security Gateway and is essential for packet capture and Firewall traffic analysis. It provides kernel level inspection, but will not run in promiscuous mode. fw monitor works for layers 3 and above in the OSI network layer stack. The syntax is the same regardless of the platform and supports the .cap output format used in the Ethereal and Wireshark packet analyzer tools.

Figure 23 — fw monitor

The easiest way to use fw monitor is to invoke it without any parameters. However, in a busy system, running fw monitor without any filters can create a great deal of output and makes the analysis difficult. Filter expressions are used to specify packets to be captured and limit the amount of output. The general syntax is:

fw monitor -e "accept <filter>;" -o <filename>

Filter expressions include:

+ host [<ip>]
+ net [<network>, <netmask>]
+ port [<port>]

NOTE: Check Point recommends turning SecureXL off (fwaccel off) when using fw monitor, to avoid misleading traffic captures. If SecureXL is on, the tool will only show non-accelerated packets. SecureXL is discussed in a later chapter.

For example, to capture everything between host X and host Y:

[Expert@hostname]# fw monitor -e "host[x.x.x.x] and host[y.y.y.y], accept;" -o /var/log/fw_mon.cap

For more fw monitor capture examples, refer to sk30583.

C2S Connections and S2C Packets

fw monitor captures packets as they enter and leave the Firewall kernel and when the packet enters and leaves the Inbound and Outbound chains. In the case of Client-to-Server (C2S) communication, a client designated as Host1, according to the policy, sends traffic destined for a web server located behind the Firewall. Since the traffic is permitted passage through the Firewall based on the policy Rule Base, the packet must traverse and be inspected by both chains of the Firewall.

The command fw monitor works by loading a special filter that is applied to the packets of interest. This filter is different from the INSPECT filter used to implement a Rule Base. Where the Rule Base determines which packet is accepted, rejected or dropped, the INSPECT filter generated by fw monitor simply captures kernel packet flows. You can capture everything passing through the kernel using fw monitor, or only a particular type of traffic or source. Once fw monitor is executed, the specified INSPECT filter is compiled and loaded to the kernel. Any parameters following accept in the fw monitor command will be displayed by fw monitor. The same filter is executed on all interfaces in all directions.

The fw monitor output uses specific expressions to explain the location of the packet as it moves through the Firewall.
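A practical use of the four inspection points this section describes (i, I, o, O) is to reconstruct, per packet, which points it appeared at and where NAT rewrote it: a packet seen only at i never passed the Inbound chain, and a source that differs between o and O is Hide NAT at work. The parser below is an added example, not Check Point's own tooling; SAMPLE is a constructed capture in the shape of fw monitor's text output (a header line "interface:point[length]: src -> dst (proto) len=N id=N" followed by a TCP/UDP detail line), and the "[vs_0][fw_0]" prefix it tolerates is assumed from newer releases rather than taken from this chapter.

```python
"""Reconstruct each packet's path through the fw monitor inspection points (added example).

Not Check Point tooling. SAMPLE is a constructed capture in the shape of fw monitor text
output; the optional '[vs_0][fw_0]' prefix is an assumption about newer releases and is
ignored by the regex. Addresses, ports and IP ids are constructed.
"""
import re
from collections import OrderedDict
from typing import Dict, List

HDR = re.compile(r"(?:\[[^\]]+\]\s*)*(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
                 r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)")
L4 = re.compile(r"(?:TCP|UDP): (?P<sport>\d+) -> (?P<dport>\d+)")
POINTS = "iIoO"        # pre-Inbound, post-Inbound, pre-Outbound, post-Outbound

SAMPLE = """\
[vs_0][fw_0] eth0:i[44]: 10.1.1.10 -> 192.0.2.20 (TCP) len=44 id=101
TCP: 40001 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:I[44]: 10.1.1.10 -> 192.0.2.20 (TCP) len=44 id=101
TCP: 40001 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1:o[44]: 10.1.1.10 -> 192.0.2.20 (TCP) len=44 id=101
TCP: 40001 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1:O[44]: 198.51.100.2 -> 192.0.2.20 (TCP) len=44 id=101
TCP: 10000 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:i[60]: 10.1.1.77 -> 192.0.2.20 (TCP) len=60 id=202
TCP: 51234 -> 23 .S.... seq=0000beef ack=00000000
"""


def parse(text: str) -> "OrderedDict[str, Dict[str, dict]]":
    """Group capture lines by IP id; each packet maps inspection point -> header fields."""
    packets = OrderedDict()
    header = None
    for line in text.splitlines():
        m = HDR.match(line.strip())
        if m:                                  # header line: remember it until the L4 line
            header = m.groupdict()
            continue
        m = L4.match(line.strip())
        if m and header:
            rec = dict(iface=header["iface"], src=header["src"], dst=header["dst"],
                       proto=header["proto"], sport=int(m["sport"]), dport=int(m["dport"]))
            packets.setdefault(header["id"], {})[header["point"]] = rec
            header = None
    return packets


def path(packet: Dict[str, dict]) -> str:
    """Inspection points the packet reached, in order; 'iIoO' for a forwarded packet."""
    return "".join(p for p in POINTS if p in packet)


def nat_observed(packet: Dict[str, dict]) -> List[str]:
    """Compare the packet at successive points to see where NAT rewrote it."""
    notes = []
    if "i" in packet and "I" in packet and packet["i"]["dst"] != packet["I"]["dst"]:
        notes.append("destination rewritten in the Inbound chain (Static NAT)")
    if "o" in packet and "O" in packet and (
            (packet["o"]["src"], packet["o"]["sport"]) != (packet["O"]["src"], packet["O"]["sport"])):
        notes.append("source rewritten in the Outbound chain (Hide NAT)")
    return notes


def diagnose(text: str) -> Dict[str, str]:
    """One verdict per captured packet, derived only from the points it appeared at."""
    verdicts = {}
    for pid, pkt in parse(text).items():
        seen = path(pkt)
        if seen == "iIoO":
            why = "forwarded"
        elif seen == "i":
            why = "dropped or rejected by the Inbound chain (never reached I)"
        elif seen == "iI":
            why = "accepted Inbound but never entered the Outbound chain (local delivery or routing)"
        else:
            why = "partial path " + seen
        nat = nat_observed(pkt)
        verdicts[pid] = why + ("; " + ", ".join(nat) if nat else "")
    return verdicts
```

diagnose(SAMPLE) reports packet 101 as forwarded with its source rewritten between o and O (Hide NAT), and packet 202 as seen only at i, which is the signature of a packet the Inbound chain dropped or rejected. On a real capture the same comparison between i and I exposes Static NAT on the destination, as the C2S discussion below describes.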
Figure 24 — C2S and S2C Connections

There are four inspection points as a packet passes through the kernel:

+ i — Before the virtual machine, in the Inbound direction (pre-Inbound)
+ I — After the virtual machine, in the Inbound direction (post-Inbound)
+ o — Before the virtual machine, in the Outbound direction (pre-Outbound)
+ O — After the virtual machine, in the Outbound direction (post-Outbound)

In our C2S scenario, i represents the packet as it left the client. The I represents the packet already checked against the tables and Rule Base. In case of Static NAT, the destination IP address will be changed. The o means the packet is before the Outbound kernel (same as I) and O means the packet is in the Outbound kernel chain, as it will appear at the web server. In the case of Hide NAT, the source IP address will be different here.

For packets traveling from Server-to-Client (S2C), the inspection points are the reverse. I could be the NAT'd packet on its way out of the Inbound chain in the Firewall in the case of Static NAT. At this point, the packet has already been checked by the tables and Rule Base. The O is the packet as it will appear to the client.

Review Questions

1. What is CPUSE and what is it used for?
2. Name at least three Stateful features provided with the Connections table.

Lab: Upgrading to R80.10

This lab illustrates how to perform an upgrade of a Security Management Server from R77.30 to R80.10. You will export the configuration of your old server to a Windows machine before installing a new R80.10 server. Once the fresh installation of the new OS is complete, you can then import the rules, objects, and settings of the previous server into the database of the new, upgraded server. Once the upgrade of the Security Management Server is complete, use CPUSE to upgrade a Security Gateway.

Tasks:

+ Save the database information.
+ Access the migrate file and transfer via SSH/SCP.
+ Perform a clean installation of R80.10 Security Management Server.
+ Configure the Security Management Server.
+ Install R80.10 SmartConsole.
+ Import the database.
+ Upgrade the Security Gateway.

Performance Objectives:

+ Use the migrate export command to prepare to upgrade a Security Management Server.
+ Perform an installation of a Security Management Server.
+ Use the migrate import command to populate the database of a Security Management Server.
+ Perform an upgrade of Security Gateways in a clustered environment.

Migrating Management Server Data

Export the rules and objects off of the existing Security Management Server so that they can be imported into the new server.

1. From A-GUI, open a Web browser and use HTTPS to connect to A-SMS (10.1.1.101):

Figure 25 — Gaia Portal

2. Use the following credentials to log into the Gaia Portal on A-SMS:
   Username: admin
   Password: Chkp!234
3. In the navigation pane, click User Management > Users.
4. Use the information below to create a new user:
   Real Name: scpadmin
   Password: Chkp!234
   Home Directory: /home/scpadmin
   Shell: /bin/bash
   Assigned Roles: adminRole
   Access Mechanisms: Web, Command Line
5. Click OK.
6. Close the web browser.
7. From A-GUI, use the following credentials to log into WinSCP and connect to the A-SMS:
   Host Name: 10.1.1.101
   User Name: scpadmin
   Password: Chkp!234

Figure 26 — WinSCP Login

8. In WinSCP, confirm that the left pane displays the local directory and the right pane displays the remote directory.
9. In the right pane, navigate to the /var/tmp directory of the old R77.30 Security Management Server:

Figure 27 — WinSCP Directories Displayed

10. In the left pane (local directory), browse to the location of the Upgrade Tools.

NOTE: Ask your instructor for the location and name of the upgrade tools file. By default, the upgrade tools are called: pi_upgrade_tools.tgz

11. Move the file from A-GUI to the /var/tmp directory on A-SMS, and the system displays the following window:

Figure 28 — Upload

12. Click the Transfer Settings button, and configure the transfer to be in Binary mode:

Figure 29 — Binary Mode

13. Click OK.
14. Click OK, to continue the file transfer.
15. Highlight the copied file in the right pane of WinSCP and right-click.
16. From the Context Menu, select Custom Commands > UnTar/Gzip.

Figure 30 — Special Commands - UnTar/Gzip

17. Click OK, to extract the directory to the following location: /var/tmp
18. After the extraction completes, verify that the following folder now appears in /var/tmp: migrate_tool

Figure 31 — migrate_tool Folder

19. From the WinSCP window, click the PuTTY Login button.
20. PuTTY logs into the A-SMS server (10.1.1.101) at the /home/scpadmin directory.

Figure 32 — PuTTY Session

NOTE: If you are asked to enter the password for scpadmin, enter the following: Chkp!234

21. Verify that all consoles are closed by issuing the following command: cpstat mg

Figure 33 — cpstat mg

NOTE: The Connected Clients list should be empty. If it is not, execute the cpstop command to force close all open clients.
22, Change lo the following directory by executing the following command cd /var/tmp/migrate_tool 65Check Point Secu £ 23, Type the following command and press Enter, to view the contents of the folder: 1s (B vient isharinpinigrteed [=a Figure 34 — igrate_toolFolder 24, Type the following command: ./migrate export A-SMS-from-r7730-to-r8010.tgz 6625. Press Enter, to run the script. The system asks the following question BB winnie iivmphigate ical — a Figure 35 — Waming 626. Type y, and press Enter. The system exports the data, creates the export file, and identifies its location on the server BB onto Suara ool = ea) Figure 36 — Export Complete NOTE The time it takes for this process to complete may vary depending on the size of your Security Policy, number of objects in the database, and database revisions, Once complete, the system provides the location of the exported file and returns to the Expert mode command prompt. 27. Minimize the PuTTY window 68Check Pais Secury Engineoring 28, While still in the PuTTY session on A-SMS, initiate an FTP session back to A-GUI (10.1.1.201): 29, Type the following commands and press Enter, to prepare to transfer the file bin hash 30, Type the following command, and press Enter: put A-SMS-from-r7730-to-r8010.tgz NOTE ‘You may want to transfer the file using WinSC! Binary Mode for the transfer. instead of FTP. Just be sure to use 31, Verify that the A- sHs-£rom-r7730-to-r8010. tgz file has been transferred to A-GUI.Check Pains Seurtty En 32. In the PuTTY session to A-SMS, issue the following command: shutdown now -h Figure 37 —shutdown now-4 33, Exit PUTTY 34, Verify that the A-SMS virtual machine is powered down. 70sk Pins See Installing the Security Management Server Install the R80.10 Management Server. It will manage the Security Gateway cluster for this site 1. 
1. In VMware, verify that the settings for the new A-SMS Virtual Machine are defined as follows:
• Name: A-SMS
• Memory: 10GB
• Processors: 4
• Hard Disk: 80GB
• CD/DVD (SATA): Points to R80.10 ISO
• Network Adapter: One Interface
  • Connected
  • Connect at power on
  • LAN Segment: LAN 2
NOTE Your classroom configuration may be different. Check with your instructor before continuing to the next step.
2. Power on the A-SMS virtual machine, and the Welcome to Check Point Gaia R80.10 screen appears:
Figure 38 — Welcome to Check Point Gaia R80.10
3. Within 60 seconds, highlight the option Install Gaia on this system.
4. Press the Enter key.
Figure 39 — Welcome
5. At the Welcome screen, highlight OK, and press Enter.
6. Select the keyboard to suit your region.
7. At the Partitions Configuration screen, modify the Logs partition to be 30GB.
Figure 40 — Partitions Configuration
8. At the Account Configuration screen, enter and confirm Chkp!234 as the password for the OS Level admin account.
NOTE Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.
9. Tab to OK, and press Enter.
10. Use the following information to configure the Management Interface (eth0) screen:
IP Address: 10.1.1.101
Netmask: 255.255.255.0
Default Gateway (IP): 10.1.1.1
Figure 41 — Management Interface (eth0) Configured
11. Select OK, and press Enter. The system displays the Confirmation screen.
12. In the Confirmation screen, select OK, and press Enter to proceed. After the drive is formatted and the installation is complete, the system displays the Installation Complete screen:
Figure 42 — Installation Complete
13. Press Enter to reboot A-SMS.

Configuring Security Management Server Using the Gaia Portal
Follow these steps to configure the primary Security Management Server for your configuration.
1. From the A-GUI virtual machine, launch an Internet browser.
2. In the address field, type the following: https://10.1.1.101
NOTE Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before you are able to connect. Both the GUI client machine (A-GUI) and the Security Management Server (A-SMS) reside on LAN 2, if you are following the recommended classroom topology. Consult your instructor, if you are using a different configuration.
3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
NOTE Ignore this warning and continue to the site.
4. Log into A-SMS with the following credentials:
Login: admin
Password: Chkp!234
5. Press Enter, and the system displays the following message:
Figure 43 — R80.10 First Time Configuration
6. Click Next, and the system displays the Deployment Options page.
7. Verify that the following option is selected: Continue with Gaia R80.10 configuration
8. Click Next, and the system displays the Management Connection window:
Figure 44 — Network Connection
9. Use the information below to verify that the Security Management Server's network connection is configured properly:
Interface: eth0
Configure IPv4: Manually
IPv4 Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Configure IPv6: Off
10. Click Next, and the system displays the Device Information window.
11. Use the following information to configure the Device Information window:
Host Name: A-SMS
Domain Name: alpha.cp
Primary DNS Server: 192.168.11.101
Figure 45 — Device Information Configured
NOTE Check Point prohibits the use of underscores in object names.
12. Click Next, and the system displays the Date and Time Settings window.
13. Select the option Use Network Time Protocol (NTP).
14. In the Primary NTP server field, type 192.168.11.101.
15. Select the correct Time Zone for your location:
Figure 46 — Date and Time Settings Configured
16. Click Next, and the system displays the Installation Type window:
Figure 47 — Network Configuration - Host Name Options
17. Select Security Gateway or Security Management, and click Next. The system displays the Products window.
18. In the Products window, clear the Security Gateway option.
19. Use the information below to configure the Products window:
Products: Security Management
Advanced: Define Security Management as Primary
NOTE Clear the Security Gateway option before continuing. This option must NOT be selected.
20. Verify that the Products window is configured as follows:
Figure 48 — Products Configured
21. Click Next, and enter newadmin for the Administrator name.
22. Enter and confirm Chkp!234 as the password:
Figure 49 — Security Management Administrator
23. Click Next, and confirm that the option Any IP Address is selected in the Security Management GUI Clients window.
24. Click Next, and the system displays the Summary page:
Figure 50 — Summary
25. Clear the following option: Improve product experience by sending data to Check Point
NOTE Though this option is recommended, it is not necessary in our lab. We are not in a production environment and only have a limited connection to the Internet.
26. Click Finish, and the system prompts you for a response to the following question:
Figure 51 — First Time Configuration Wizard Message
27. Click Yes, and the system proceeds with the configuration:
Figure 52 — Summary (Progress)
28. Once complete, a message displays indicating that the configuration was successful:
Figure 53 — Message
29. Click OK, and the Gaia Portal displays the configuration settings of the newly configured Security Management Server:
Figure 54 — Check Point Gaia Portal - Security Management Server Configured
30. In the System Maintenance section, click Messages.
31. Enter the following for the Banner Message:
A-SMS
Unauthorized access of this server is prohibited and punishable by law.
Figure 55 — Messages Configured
32. Click Apply.
Figure 56 — Users
34. Click the Add button, and the system displays the Add User window:
Figure 57 — Add User
35. Use the following information to configure the new user:
Login Name: adminbash
Password: Chkp!234
Real Name: Adminbash
Home Directory: /home/adminbash
Shell: /bin/bash
Access Mechanisms: Web, Command Line
Assigned Roles: adminRole
Figure 58 — Add User Configured
NOTE When you log into the Security Management Server as adminbash, the correct shell is now available for adminbash to connect and transfer files. There is no longer a need to specifically define the shell in the command line. Since this is an OS level user, you must perform this action on every module on which you want the adminbash user defined.
36. Click OK, and the system adds the new user to the Users page:
Figure 59 — Users

Installing SmartConsole
In this section, you will install SmartConsole on the A-GUI virtual machine.
1. In the navigation pane of Gaia Portal, click Overview.
2. On the Overview page, click the Download Now button to download the SmartConsole installer file:
Figure 60 — Web Portal - Overview
NOTE You may need to reacquire the configuration lock before downloading the application. The system will prompt you, if this is necessary.
3. Save the installer file to the Downloads folder of A-GUI.
4. Browse the Downloads folder and locate the SmartConsole.exe file.
Figure 61 — Downloads Folder
5. Double-click the SmartConsole.exe file. The Welcome screen displays.
Figure 62 — Welcome
6. Select the option confirming you agree to the Check Point End User License Agreement.
7. Click Install, to begin the installation process. The system displays installation progress information:
Figure 63 — Installation
8. Verify that the system displays the Thank You window once the installation completes.
9. Click the Finish button, to complete the SmartConsole installation.
10. Log into A-SMS with the following credentials:
Login: newadmin
Password: Chkp!234
IP Address: 10.1.1.101
11. Click Login, and the system displays the Fingerprint for verification:
Figure 64 — Fingerprint
12. Click Proceed, and the system displays the Welcome to SmartConsole R80.10 page:
Figure 65 — Welcome to SmartConsole
13. Close the What's New window.
14. In the Gateways & Servers tab of SmartConsole, identify that there are no Security Gateways managed by this Security Management Server:
Figure 66 — Gateways & Servers
15. In the navigation pane, click Security Policies:
Figure 67 — Security Policies
16. Verify that no rules are present in the Rule Base and that only the A-SMS object is present, as is typical in a default installation before the Security Policy is configured.
17. Close SmartConsole.
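The export steps above check the cpstat mg output by eye and depend on a binary-mode transfer before the import in the next section trusts the file. The following is an added example, not from the manual or from Check Point: a POSIX shell script with a function that inspects captured cpstat mg output for connected clients, and a pair of functions that record a CRC and size for the export archive on A-SMS and verify them after the transfer. The cpstat mg table layout and all sample bytes in demo() are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Check Point manual or from Check Point): checks a
# practitioner would script around the migrate export / import steps.
# The `cpstat mg` table layout and the archive bytes in demo() are constructed
# for this example; on a real A-SMS you would feed live `cpstat mg` output in.

# mg_clients_empty OUTPUT
# Return 0 when the "Connected clients" table in `cpstat mg` output has no
# rows (the manual's precondition for running migrate export), 1 when any
# client is still connected and cpstop is needed first. Layout assumed: a
# "Connected clients" line, a '|'-delimited header row, one row per client.
mg_clients_empty() {
  printf '%s\n' "$1" | awk '
    /^Connected clients/                 { in_table = 1; next }
    in_table && /^[|]Administrator[|]/  { next }        # header row, not a client
    in_table && /^[|]/                   { found = 1 }
    END                                  { exit found ? 1 : 0 }'
}

# record_fingerprint FILE
# Print "<crc32> <bytes>" for the export archive, to be noted on A-SMS right
# after migrate export finishes and compared on the receiving side.
record_fingerprint() {
  cksum "$1" | awk '{ print $1, $2 }'
}

# verify_archive FILE EXPECTED_FINGERPRINT
# Return 0 when FILE still starts with the gzip magic bytes (1f 8b) and has
# the recorded CRC and size. A transfer left in ASCII mode rewrites LF as
# CR LF, so size and CRC change: that is the corruption the manual's
# Binary-mode notes guard against, and migrate import would fail on it.
verify_archive() {
  va_magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
  case $va_magic in
    1f8b) ;;
    *) echo "$1: not a gzip archive (leading bytes '$va_magic')" >&2; return 1 ;;
  esac
  va_actual=$(record_fingerprint "$1")
  if [ "$va_actual" != "$2" ]; then
    echo "$1: fingerprint '$va_actual' differs from recorded '$2'" >&2
    return 1
  fi
  return 0
}

# demo
# Exercise both checks on constructed inputs; return 0 when each behaves as
# described above. Nothing here touches a real Security Management Server.
demo() {
  d_dir=$(mktemp -d) || return 1
  # Constructed cpstat mg output with one SmartConsole session still open...
  d_busy='Product name: Security Management
Status: OK
Connected clients:
|Administrator|Host|DB Lock|Application type|
|admin|10.1.1.201|Yes|SmartConsole|'
  # ...and the same output once that session has been closed (last row gone).
  d_idle=$(printf '%s\n' "$d_busy" | sed '$d')
  mg_clients_empty "$d_busy" && return 1   # must flag the open session
  mg_clients_empty "$d_idle" || return 1   # must accept the empty table
  # Constructed archive: gzip magic followed by dummy bytes, then the same
  # file after an ASCII-mode transfer turned every LF into CR LF.
  d_good="$d_dir/A-SMS-from-r7730-to-r8010.tgz"
  d_bad="$d_dir/ascii-mode-copy.tgz"
  printf '\037\213\010\000constructed\npayload\n' >"$d_good"
  printf '\037\213\010\000constructed\r\npayload\r\n' >"$d_bad"
  d_fp=$(record_fingerprint "$d_good")
  verify_archive "$d_good" "$d_fp" || return 1
  verify_archive "$d_bad" "$d_fp" 2>/dev/null && return 1
  rm -rf "$d_dir"
  return 0
}
```

On a live server the fingerprint printed by record_fingerprint on A-SMS is what you pass to verify_archive on the receiving machine before running migrate import.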
Importing the Check Point Database
Use the migrate import command to load the objects, rules, and settings from the previous server into the newly configured R80.10 one.
1. From A-GUI, use the following information to connect to the newly configured Security Management Server via WinSCP:
Host Name: 10.1.1.101
User Name: adminbash
Password: Chkp!234
Figure 68 — WinSCP Login
NOTE In Gaia, the User Name and Password are both case sensitive.
2. Click Login, and WinSCP logs into A-SMS.
3. In the right pane, navigate to the following location: /var/log
4. In the toolbar, click New > Directory.
Figure 69 — Create Folder
NOTE An alternative method to performing the import from the /var/log location would be to move the migrate file into the upgrade_tools folder and perform the import from that location.
5. Name the new folder Migrate.
6. Click OK.
7. In the left pane of WinSCP, verify that the following file is visible: A-SMS-from-r7730-to-r8010.tgz
8. In the right pane of WinSCP, verify that the Migrate folder is visible:
Figure 70 — WinSCP
9. Copy the A-SMS-from-r7730-to-r8010.tgz file, using Binary mode, from its location on A-GUI to the Migrate folder on A-SMS:
Figure 71 — Copy
NOTE When transferring files, make sure you configure the transfer settings to work in Binary mode.
10. Exit WinSCP, after the file transfer is complete.
11. Once the file is copied to the server, log into A-SMS (10.1.1.101).
12. To enter Expert Mode, type the following and press Enter: expert
NOTE The system asks you to set the Expert Mode password because, as a new installation, this value is not currently configured.
13. Execute the following command to set the Expert Mode password: set expert-password
14. Enter and confirm the following as the Expert Mode password: Chkp!234
Figure 72 — set expert-password
15. Next, type the following command and press Enter: expert
16. Confirm the following as the Expert password: Chkp!234
17. Type the following command, and press Enter, to change the directory to the location of the imported file: cd /var/log/Migrate
18. Execute an ls command to verify that the file is present.
Figure 73 — ls
19. Type the following command, and press Enter, to change the directory to the migration tool application: cd $FWDIR/bin/upgrade_tools
Figure 74 — Change Directories
20. Execute an ls command to verify that the migrate function is present.
Figure 75 — ls
21. To import the file into the new Security Management Server, type the following command: ./migrate import /var/log/Migrate/A-SMS-from-r7730-to-r8010.tgz
22. Press Enter, and the system warns you that services must be stopped.
23. Type y, and press Enter. The system unzips the file and imports the configuration. Once complete, it displays the following question:
Figure 76 — Question
24. Press Enter, to restart Check Point services.
25. Wait for the services to start before proceeding to the next section.

Launching SmartConsole and Reconfiguring Existing Security Policies
Launch SmartConsole and connect to the Security Management Server.
1. From the Start menu on A-GUI, click All Programs > Check Point SmartConsole R80.10, and the system displays the login window.
2. Use the following information to configure the Login window:
User Name: newadmin
Password: Chkp!234
IP Address: 10.1.1.101
Figure 77 — Login Window
3. Click the Login button, and the login attempt should fail:
Figure 78 — Check Point SmartConsole
NOTE The login failure confirms that the database import completed successfully, because newadmin was not configured in the imported policy.
4. Use the following information to log in:
User Name: admin
Password: Chkp!234
IP Address: 10.1.1.101
5. Click the Login button, and SmartConsole displays the Gateways & Servers tab:
Figure 79 — Gateways & Servers
6. In the navigation pane, click Security Policies:
Figure 80 — Security Policies
7. Verify that the rules and objects previously configured on the old server are present.
8. Edit the Alpha-Net group object and add an "s" to its name.
9. Edit the A-GW-Cluster object.
10. In the navigation pane of A-GW-Cluster, select Cluster Members.
11. In the object properties of each member gateway, use sic123 as the one-time password to reset SIC.
Figure 81 — Communication
12. Verify that the Version setting on the General Properties page is the following: R80.10
Figure 82 — General Properties Configured
13. In the Network Management page, click the Get Interfaces button.
14. Click OK.
15. Click Publish, to commit the changes to the database:
Figure 83 — SmartConsole
16. Click the Install Policy button in the Alpha Standard Policy Package, and the system displays the Install Policy window:
Figure 84 — Install Policy
NOTE If the Threat Prevention option is selected, clear it before installing the Security Policy.
17. As the policy installation is proceeding, identify the Recent Tasks pop-up window displayed by the system in the bottom left of SmartConsole.
18. For the Policy Installation task, click the Details link. The system displays the following window:
Figure 85 — Install Policy Details
19. Confirm that the Alpha Standard policy was successfully installed on both A-GW-Cluster members.
20. Close the Install Policy Details window.
21. Next, edit the B-GW object.
22. Reset SIC using the one-time password of sic123:
Figure 86 — Trusted Communication
23. Click OK, and the system displays the Get Topology Results window:
Figure 87 — Get Topology Results
24. Click Close.
25. In the General Properties page, verify that the B-GW displays a Version of R77.30:
Figure 88 — General Properties Configured
26. Click OK.
27. In the toolbar, click the Application Menu button.
28. Select Global Properties.
29. Verify that the following settings are defined:
• Accept ICMP First
• Log Implied Rules
Figure 89 — Global Properties
30. Click OK.
31. In the Alpha Security Policy, remove the B-GW object from the Stealth Rule:
Figure 90 — Stealth Rule Modified
32. Next, publish and install the Alpha Security Policy:
Figure 91 — Policy Installation in Progress
33. Click the + tab, to view the recent policies available to view:
Figure 92 — Recent Policies
34. Select Bravo_Standard, and the system displays the following:
Figure 93 — Bravo_Standard Tab
35. In the Bravo_Standard Security Policy page, click the Install Policy button:
Figure 94 — Install Policy
36. Click Install, to install the Bravo_Standard Security Policy.
37. Confirm that the Security Policy for Bravo installed successfully:
Figure 95 — Install Policy Details
38. In the navigation pane, select the Gateways & Servers tab.
39. Confirm that all Check Point modules show a status of OK.
Figure 96 — Gateways & Servers
END OF LAB 1.1

Applying Check Point Hotfixes
In this lab, you will use the CPUSE utility to patch an existing R77.30 gateway.
Tasks:
• Locate the CPUSE Identifier for the necessary upgrade
• Install the hotfix on the Security Gateway
Performance Objectives:
• Perform an on-line jumbo hotfix application to a remote Security Gateway

Locating the CPUSE Identifier
Locate the hotfixes available for an R77.30 Security Gateway.
1. In SmartConsole, define a new Host object with the following information:
Name: A-GUI-NAT
Comment: NATed Alpha SmartConsole
Color: Orange
IP Address: 203.0.113.1
Figure 97 — New Host Configured
2. Click OK, and the system displays the following warning: Multiple objects have the same IP address 203.0.113.1. Do you wish to save the changes anyway?
Figure 98 — SmartConsole
3. Click Yes.
4. In the Bravo Security Policy, add the new Host to the Source field of the Management rule:
Figure 99 — Bravo Security Policy Configured
5. Publish the changes.
6. Install the Bravo Security Policy.
7. From A-GUI, use HTTPS to log into the Gaia Portal on B-GW (203.0.113.100):
Figure 100 — Gaia Portal
8. In the navigation pane, locate the Upgrades (CPUSE) section.
9. In the navigation pane, select Status and Actions. The system displays the following page:
Figure 101 — Status and Actions
10. Identify the hotfix to apply.

Installing the Hotfix on the Security Gateway
Apply the recommended hotfix to update the Bravo Security Gateway.
1. From the filtered list, select the hotfix to apply.
2. In the main toolbar, click the More button.
3. Select the following option, and the system begins the update process: Install update
NOTE When the system finishes the installation of the hotfix, it reboots automatically.
END OF LAB 1.2

Configuring a New Security Gateway Cluster
Install and configure a second cluster member for Bravo. Convert the existing Bravo gateway to be a cluster member and upgrade it to R80.10. Complete the configuration by defining a Bravo Cluster object in SmartConsole.
Tasks:
• Install a second Security Gateway at the Bravo site
• Reconfigure the Primary Gateway for integration into the cluster
• Define the Bravo Security Gateway Cluster
• Upgrade the old Bravo Security Gateway from R77.30 to R80.10
• Verify Bravo Gateway Cluster status of Active/Standby
Performance Objectives:
• Install the remote Security Gateway in a distributed environment and establish SIC
• Configure a new Security Gateway cluster object and verify its status

Installing a Second Security Gateway
In this section you will install and configure the second Bravo Security Gateway, which will be managed by the Alpha Security Management Server.
1. In VMware, create a new Virtual Machine (VM) using the ISO image provided by your instructor. Verify that the VM is defined as follows:
• Name: B-GW-02
• OS: Other
• Version: Other
• Disk Space: 60GB
• Memory: 2GB
• Four interfaces:
  • eth0: Do not power on
  • eth1: Connect at power on, LAN 21
  • eth2: Connect at power on, LAN 20
  • eth3: Connect at power on, vmnet8
NOTE Your classroom configuration may be different.
Check with your instructor before continuing to the next step.
2. Before powering on your VM, verify that it is configured as defined.
3. Power on the B-GW-02 virtual machine, and the Welcome to Check Point Gaia R80.10 screen appears:
Figure 102 — Welcome to Check Point Gaia R80.10
4. Highlight the following option: Install Gaia on this system
5. Press the Enter key, to launch the installation.
6. When the system is prepared for you to begin the system installation, it displays the Welcome screen:
Figure 103 — Welcome
7. Tab to OK, and press Enter. The system displays the Keyboard Selection screen:
Figure 104 — Keyboard Selection
8. Select the keyboard type to suit your region.
9. Tab to OK, and press Enter. The system displays the Partitions Configuration screen.
10. Tab to OK, and press Enter. The system displays the Account Configuration screen:
Figure 106 — Account Configuration
NOTE Again, at this step, you are configuring the password for the admin user, the default OS level administrator.
11. Enter and confirm Chkp!234 as the admin account password.
NOTE Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.
12. Tab to OK, and press Enter. The system displays the Management Port screen.
13. Use the arrow keys to highlight eth3:
Figure 107 — Management Port
NOTE In this classroom environment, all external interfaces are eth3. This Security Gateway is remotely managed by the A-SMS, so the management interface must be the external interface.
14. Tab to OK, and press Enter.
The system displays the Management Interface screen.
15. Use the following information to configure the Management Interface screen:
IP address: 203.0.113.103
Netmask: 255.255.255.0
Default gateway: 203.0.113.254
Figure 108 — Management Interface
16. Tab to OK, and press Enter. The system displays the Confirmation screen:
Figure 109 — Confirmation
17. In the Confirmation screen, tab to OK, and press Enter.
18. After the drive is formatted and the installation is complete, the system displays the following screen:
Figure 110 — Installation Complete
19. Press Enter, to reboot your system.
20. After reboot, the system displays the following prompt:
Figure 111 — Login Prompt

Configuring the Bravo Security Gateway with the First Time Configuration Wizard
Follow these steps to configure the branch office Security Gateway and activate its default trial license.
NOTE Your instructor will provide alternate directions if you use other licenses.
1. From the A-GUI Virtual Machine, launch an Internet browser, such as Firefox or Internet Explorer.
2. In the address field, type the following: https://203.0.113.103
NOTE Be sure that you are using HTTPS.
3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
4. Ignore this warning and continue to the Login screen.
1. Log into B-GW with the following credentials:
Username: admin
Password: Chkp!234
2. Press Enter, and the system displays the following window:
Figure 112 — Gaia First Time Configuration Wizard
3. Click Next, and the system displays the Deployment Options page:
Figure 113 — Deployment Options
4. Verify that the following option is selected: Continue with Gaia R80.10 configuration
5. Click Next, and the system displays the Management Connection page:
Figure 114 — Management Connection
6. Use the information below to verify that the Security Gateway's network connection is configured properly:
Interface: eth3
Configure IPv4: Manually
IPv4 Address: 203.0.113.103
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Configure IPv6: Off
7. Click Next, and the system displays the Connection to UserCenter page:
Figure 115 — Connection to UserCenter
8. Click Next, and the system displays the Device Information page.
9. Use the following information to configure the Device Information page:
Host Name: B-GW-02
Domain Name: Leave Blank
10. Click Next, and the system displays the Date and Time Settings page:
Figure 116 — Date and Time Settings
11. Verify that the time and date are correct for your area.
12. Click Next, and the system displays the Installation Type page:
Figure 117 — Installation Type
13. Select Security Gateway or Security Management, and click Next. The system displays the Products page.
14. On the Products page, uncheck the Security Management option.
15. Use the information below to configure the Products page:
Security Gateway: Selected
Security Management: Deselected
Unit is a part of cluster, type: ClusterXL
Automatically download Blade Contracts and other important data (highly recommended): Selected
Figure 118 — Products
16. Click Next, and the system displays the Dynamically Assigned IP page.
17. Verify that No is selected.
18. Click Next, and the system displays the Secure Internal Communications (SIC) page:
Figure 119 — Secure Internal Communications (SIC)
19. Enter and confirm sic123 as the Activation Key.
20. Click Next, and the system displays the Summary page:
Figure 120 — Summary
21. Click Finish, and the system asks you if you want to start the configuration:
Figure 121 — First Time Configuration Wizard
22. Click Yes.
23. Once the configuration process is complete, the system prompts you with a restart message:
Figure 122 — First Time Configuration Wizard
24. Click OK, and the system displays the Login window after reboot:
Figure 123 — Login Window
1. Log into B-GW-02 with the following credentials:
Username: admin
Password: Chkp!234
2. Click the Log In button, and the Gaia Portal displays the configuration settings of the newly configured Security Gateway.

Using the Gaia Portal to Configure the Security Gateway
Define the interfaces and login message for the second Bravo gateway.
1. Review Gaia Portal's Overview page:
Figure 124 — Overview
2. In the Navigation pane, identify the Network Management section.
3. Click Network Interfaces, and the system displays the Network Interfaces page:
Figure 125 — Network Interfaces
NOTE Notice how only eth3 is configured. This is your management interface. In this lab, this also represents your external network.
4. Select eth1, and click Edit. The system displays the Edit window:
Figure 126 — Edit eth1
5. Use the information below to configure eth1:
Enable: Checked
Comment: Internal
IPv4 Address: 192.168.21.3
Subnet Mask: 255.255.255.0
6. Click OK, and the system saves the new eth1 configuration:
Figure 127 — Network Interfaces
7. Double-click eth3, and the system displays a warning.
8. Click OK, and the system displays the Edit window.
9. Use the information below to configure eth3:
Enable: Checked
Comment: External
IPv4 Address: 203.0.113.103
Subnet Mask: 255.255.255.0
10. Verify that the newly configured eth3 appears as follows:
Figure 128 — Edit eth3
11. Click OK, to return to the Network Interfaces page.
12. Select eth2, and click Edit.
13. Use the information below to configure eth2:
Enable: Checked
Comment: Sync
IPv4 Address: 192.168.20.3
Subnet Mask: 255.255.255.0
14. Click OK.
15. Verify that your interfaces appear as follows:
Figure 129 — Network Interfaces
16. In the Management Interface section of the page, notice that the current Management Interface is set to eth3.
17. In the Navigation pane, under Network Management, click IPv4 Static Routes:
Figure 130 — Network Management - IPv4 Static Routes
18. Verify that the default gateway is 203.0.113.254.
19. Add the following static routes for the following networks:
• Alpha Management (10.1.1.0/24, next hop 203.0.113.1)
• Alpha Internal (192.168.11.0/24, next hop 203.0.113.1)
• Alpha DMZ (192.168.12.0/24, next hop 203.0.113.1)
20. In the Navigation pane, under System Management, click Messages:
Figure 131 — System Management - Messages
21. In the Banner Message field, add the following text:
B-GW-02
Unauthorized access of this server is prohibited and punishable by law.
Figure 132 — System Management -Messages 22, Click the Apply button, 23, From the toolbar, click Sign ut, 160Check Point Security Engincering Re-configuring the Primary Gateway Reconfigure the primary Security Gateway at Bravo to function as part ofa cluster. From A-GUI, use HTTPS to connect to the Gaia Portal on B-GW (203.0.1 13.100): Figure 133 — Gala Portal - Overview In the navigation pane, select Network Management > Hosts and DNS. In the Hosts and DNS page, change the Host Name to the following B-GW-02 161(Check Point Scour Enpincoring 4. Click Apply. Figure 134 — Hosts and DNS Configured 4. In the navigation pane, select Sysiem Management > Messages. 162Check Point Seounty Engmosring 4. Click Apply. Figure 434 — Hosts and DNS Configured 8, In the navigation pane, select System Management > Messages. 162(Check Paint Secustn Engincoring 4. Modify the Banner Message to reflect the new name of this Security Gateway (B-GW-O1): Figure 135 — Messages Configured 7. Log out of the portal on B-GW-O1. 1638, From the virtual syste of the first Security Gateway (B-GW-01),run the epeon£ ig script Seat reer erst eee erent) een Seer cee Figure 136 — cpcontig 9. From the Configuration Options, review the available options. 10, IFoption six reads as follows, type 6 and press Enter 6 Enable Cluster membership for this gateway If option six displays the following, exit epean £4g and skip to step 11 Disable Cluster menbership for this gateway 11, Press Y to confirm that you want to enable the cluster membership: Figure 137 — Cluster Membership Enabled 12, Reboot B-GW-0 to enable the changes. 164Check Paint Security Enygincering 13. At A-GUL open SmartConsole, and remove B-GW from all rules inal! Rule Base: | es Ti Tea] eM oo Meee hee Hm 2 Nugent katt oo ti Ome © ae Bo pantie rere) 1 sen? 2S het ot = oe Boe Cc) me Kamut «ow tm ae © ae a te © Puss 5 eases Bemus # ag ti Oe Ose Be pastes 8 ime ae «ome so i tit @ oe Bes antes Lae : : nT a Figure 138 — Brave Security Polley 14. 
Next, remove all references of B-GW from the IPSec VPN > MyIntranet > Participating Gateways.
15. (step text not legible in the scan)
Figure 139 — Stealth Rule Disabled
16. In the toolbar, click the application Menu button.
17. Select Manage Policies and Layers, and the system displays the following:
Figure 140 — Manage Policies and Layers
19. Select the Bravo_Standard policy and click the Edit icon. The system displays the following:
Figure 141 — Policy - General
20. In the navigation pane, select Installation Targets.
21. Remove the B-GW object from the Specific Gateways list.
22. Select the following option: All Gateways
Figure 142 — Policy Installation Targets Configured
23. Click OK.
24. Perform the above edits on all other policies that have B-GW as an Installation Target:
Figure 143 — Manage Policies and Layers
25. Click Close.
26. Edit the B-INT-NET object.
27. In the NAT page, change the Install On Gateway setting to All:
Figure 144 — Network Configured
28. Edit all remaining objects that reference B-GW.
29. Next, locate the B-GW object in the objects list.
30. Right-click B-GW and select Delete. The system displays the following window:
Are you sure you want to delete object 'B-GW'?
Figure 145 — SmartConsole
31. Click Yes.
32. Publish the changes to the database.
33. From the Clish prompt on B-GW-01, type the following, and press Enter:
set interface eth3 ipv4-address 203.0.113.102 mask-length 24
Figure 146 — set interface
34. Now, run the following command to reconfigure the internal interface:
set interface eth1 ipv4-address 192.168.21.2 mask-length 24
35. Run the following command to reconfigure the sync interface:
set interface eth2 ipv4-address 192.168.20.2 mask-length 24
36. At the prompt, type the following and press Enter:
save config
Figure 147 — Save Config
37. Run cpconfig to reset SIC, using sic123 for the activation key.
38. Exit cpconfig.
39. At the prompt, type the following, and press Enter twice:
exit
40. After the services restart, use HTTPS to log back into the Gaia Portal on B-GW-01 (203.0.113.102):
Figure 148 — Login Window
41. Confirm that the newly configured IP addresses appear as follows:
Figure 149 — Re-configured B-GW-01 Interfaces
42. Enable the Sync interface, if it is not already enabled.
43. Perform the upgrade of B-GW-01 from R77.30 to R80.10.

Configuring the Alpha Security Policy to Manage the Remote Security Gateway Cluster
Define the remote Security Gateway objects and incorporate them into the Alpha and Bravo Security Policies.
1. From SmartConsole on A-GUI, expand the Objects pane from the right sidebar.
2. In the Home page of the Objects pane, click New > More > Network Object > Gateways & Servers.
3. Select Gateway.
4. Use the information below to configure the new Security Gateway object:
Name: B-GW-01
Color: Firebrick
IPv4: 203.0.113.102
Comment: Bravo Security Gateway Cluster Member - One
Version: R80.10
5. Verify that the new object appears as follows:
Figure 150 — Check Point Gateway - General Properties Configured
NOTE: Use the IP address of the management interface to define the cluster member gateways. In the case of the Bravo cluster, that is the external interface.
6. Click OK, and the system displays a message indicating that no interfaces are defined.
NOTE: You will define the interfaces later, after establishing SIC. You are defining this object here to make the Alpha cluster aware of the Bravo members. This will ensure that A-GW-Cluster allows control connections to and from the Bravo gateways.
7. Click Yes, to clear the message.
8. Use the information below to configure the new Security Gateway object:
Name: B-GW-02
Color: Firebrick
IPv4: 203.0.113.103
Comment: Bravo Security Gateway Cluster Member - Two
Version: R80.10
9. Verify that the new object appears as follows:
Figure 151 — Check Point Gateway - General Properties Configured
11. Click Yes, to clear the message.
12. Publish the changes to the database:
Figure 152 — SmartConsole
13. Install the Alpha Security Policy:
Figure 153 — Install Policy
14. From the Home page of the Objects pane, click New > More > Network Object > Gateways & Servers:
Figure 154 — Objects Menu
15. Select Cluster, and the system displays the following window:
Figure 155 — Check Point Security Gateway Cluster Creation
16. Select the following option: Don't show this again.
17. Use the information below to configure the new Security Gateway object:
Name: B-GW-Cluster
IPv4 Address: 203.0.113.100
Comment: Bravo Security Gateway Cluster
Network Security: Firewall, IPSec VPN
Figure 156 — Check Point Gateway - General Properties
18. Verify that the version selected for the Bravo Cluster object is defined as R80.10.
19. In the navigation pane, select Cluster Members:
Figure 157 — Gateway Cluster Properties - Cluster Members
20. In the Cluster Members page, click the Add button.
21. Select Add Existing Gateway, and the system displays the following window:
Figure 158 — Add Gateway to Cluster
22. Select B-GW-01.
23. Click OK, and the system displays a message explaining that adding B-GW-01 to the cluster converts it to a cluster member and which of its settings will remain:
Figure 159 — Check Point SmartConsole
24. Click Yes, and the system adds the gateway to the Member Gateways list:
Figure 160 — Member Gateways - Gateway Added
25. Select the B-GW-01 object and click Edit:
Figure 161 — Cluster Member Properties
26. Click the Communication button.
27. Enter and confirm the following as the one-time password: sic123
28. Click Initialize, to establish trust:
Figure 162 — Communications
29. Click Close.
30. Next, add B-GW-02 to the Member Gateways list:
Figure 163 — Member Gateways - Gateways Added
31. Establish SIC with the second member gateway.
32. In the navigation pane, select Network Management:
Figure 164 — Network Management
33. Click the Get Interfaces button, and the system retrieves and displays the interface information from the cluster members:
Figure 165 — Network Management - Get Interfaces
34. Double-click eth1, to edit the interface.
35. Use the information below to configure eth1:
Name: eth1
Comment: Internal
Network Type: Cluster
Virtual IPv4: 192.168.21.1/24
Figure 166 — Network eth1
36. Confirm that the interface Topology settings are as follows:
Leads To: This Network (Internal)
Security Zone: None
Anti-Spoofing: Prevent and Log
37. Double-click eth2, to edit the interface.
38. Use the information below to configure eth2:
Name: eth2
Comment: Sync
Network Type: Sync
Virtual IPv4 Address: N/A
Figure 167 — Network eth2
39. Confirm that the interface Topology settings are as follows:
Leads To: This Network (Internal)
Security Zone: None
Anti-Spoofing: Prevent and Log
40. Double-click eth3, to edit the interface.
41. Use the information below to configure eth3:
Name: eth3
Comment: External
Network Type: Cluster
Virtual IPv4: 203.0.113.100/24
Figure 168 — Network eth3
42. Confirm that the interface Topology settings are as follows:
Leads To: Internet (External)
Security Zone: None
Anti-Spoofing: Prevent and Log
43. Confirm that the interfaces are configured as follows:
Figure 169 — Network Management Configured
44. Click OK, and verify that the new B-GW-Cluster object appears in the Gateways and Servers section of the Objects pane:
Figure 170 — Security Policies - Access Control
45. Enable the Stealth Rule in the Bravo Security Policy:
Figure 171 — Stealth Rule Enabled
46. Add the B-GW-Cluster to the Destination column of the Stealth Rule:
Figure 172 — Stealth Rule Modified
47. From the Application Menu, select Manage Policies and Layers. The system displays the following window:
Figure 173 — Manage Policies and Layers
48. Select the Bravo_Standard policy.
49. Click the Edit button, and the system displays the Policy window:
Figure 174 — Policy
50. In the navigation pane, select Installation Targets.
51. Select the following option: Specific Gateways
52. Add B-GW-Cluster to the Specific Gateways list:
Figure 175 — Policy Configured
53. Click OK.
54. Click Close.
55. Publish the changes to the database.
56. Install the Bravo Security Policy:
Figure 176 — Install Policy
57. Verify that only the B-GW-Cluster (203.0.113.100) is listed as a policy target.
58. Click the Install button.
59. From the B-Host virtual machine, launch a web browser.
60. Use HTTP to connect to A-DMZ (203.0.113.171).
61. In SmartConsole, select Logs & Monitor from the Navigation bar:
Figure 177 — Logs & Monitor - Logs
62. View the log showing the accepted HTTP traffic from B-Host to A-DMZ:
Figure 178 — Log Details
63. Close the log file.
END OF LAB 1.3

Core CLI Elements of Firewall Administration
Use a selection of common commands and tools to manage the firewall and monitor and capture traffic logs for troubleshooting purposes.
Tasks:
+ ... Security Policy and verify status with fw stat
+ Uninstall the Policy and verify status with fw stat
+ Run cpinfo on a Security Gateway
+ Find information from cpinfo output
+ Open cpinfo from InfoView
+ Run the fw ctl pstat command
+ Run basic fw monitor and tcpdump commands on a Security Gateway
Performance Objectives:
+ Perform basic tasks related to Security Policy management from the Command Line Interface.
+ Use common commands to evaluate the condition of a Security Gateway.

Managing Policy and Verifying Status from the CLI
Policy status for a Gateway is regularly verified in SmartConsole. The fw stat command is also useful to verify Policy status. In circumstances where you cannot log in to SmartConsole, fw unloadlocal can be used to uninstall the Policy.
1. From the A-GW-01 virtual machine, run the following command:
fw stat
Figure 179 — fw stat
2. Run fw unloadlocal from the command line:
Figure 180 — fw unloadlocal
NOTE: Only run the fw unloadlocal command when absolutely necessary. Now that the Security Policy is no longer installed, all interfaces are currently open and passing traffic without inspection.
3. (step text not legible in the scan)
Figure 181 — fw stat
4. Run fw fetch 10.1.1.101 from the command line:
Figure 182 — fw fetch localhost
NOTE: Ignore any error messages for services that have not started.
5. Run the fw stat command to confirm that the Security Gateway was able to fetch the policy from the Security Management Server:
Figure 183 — fw stat

Using cpinfo
In this section, you will view a list of hotfixes applied to the Security Gateway and collect server configuration files.
1. From A-GUI, use PuTTY to log into A-GW-01 (10.1.1.2). Once logged in, enter Expert mode.
2. At the Expert mode prompt for A-GW-01, run the following command:
cpinfo -y all
Figure 184 — cpinfo -y all
3. Review all hotfixes applied to the Security Gateway.
4. Next, run the following command:
cpinfo -l -o A-GW-01-cpinfo.txt
NOTE: In the command above (cpinfo -l), that is a lower case L, not a number 1.
5. Press Enter, and the system asks you for an SR number:
Figure 185 — cpinfo -l -o
6. Type 5, and press Enter. The file collection runs for about a minute. As cpinfo runs, status messages will display:
Figure 186 — cpinfo -l -o
7. Once cpinfo has finished, the output file A-GW-01-cpinfo.txt will be created in the following default directory for the administrator:
/home/admin
8. From A-GUI, use HTTPS to connect to A-GW-01:
Figure 187 — Login Window
9. Use the following credentials to log into the Gaia Portal:
Username: admin
Password: Chkp!234
10. In the navigation pane, select User Management > Users:
Figure 188 — Users
11. In the Users page, click the Add button.
12. Using the information below, configure a new user:
Login Name: gaiaAdmin
Password: Chkp!234
Real Name: Gaiaadmin
Home Directory: /home/gaiaAdmin
Shell: /bin/bash
Assigned Roles: adminRole
Access Mechanisms: Web, Command Line
Figure 189 — Add User Configured
13. Click OK, and the system adds the new user to the Users list:
Figure 190 — Users
14. Log out of the Gaia Portal.
15. From A-GUI, use the following credentials to start a WinSCP session to A-GW-01:
Host Name: 10.1.1.2
User name: gaiaAdmin
Password: Chkp!234
Figure 191 — Login - WinSCP
16. Navigate to and locate the compressed A-GW-01-cpinfo.txt.info.gz file:
Figure 192 — WinSCP Session
17. Transfer the file to A-GUI.
NOTE: If using FTP from the Security Gateway to an FTP server, make sure to use Binary mode.
18. Navigate to the directory to which you transferred the text file, and open it in WordPad:
Figure 193 — CPINFO File
19. Scroll down to view the CP Status section of the file.
20. Using the Edit menu's Find option, identify the following:
» FireWall-1 Version Information
» Version
» CP License
Figure 194 — Find
21. Exit WordPad.

Reconfiguring the Security Policies
Modify both Security Policies to allow FTP traffic between the sites.
1. In the Bravo_Standard policy, add a new rule above the Cleanup rule.
2. Use the information below to configure the new rule:
Name: Incoming
Source: Any
Destination: B-INT-NET
Figure 195 — Incoming Rule
1. In the Alpha_Standard policy, add a new rule above the LDAP rule.
2. Use the information below to configure the new rule:
Name: FTP
Source: Any
Destination: Alpha-Nets
Services & Applications: FTP
Action: Accept
Track: Log
Figure 196 — FTP Rule
3. Publish the changes to the database.
4. Install the Bravo Security Policy.
5. Install the Alpha Security Policy.
6. From A-GUI, log into the Gaia Portal on A-GW-01.
7. Define a new user called scpAdmin with the adminRole and scponly shell access:
Figure 197 — Add User
8. Click OK, to add the user to the Users list:
Figure 198 — Users
9. Log out of Gaia Portal.

Using fw monitor
In this section you will test fw monitor. It is important to remember that in a production environment where a Security Gateway is already under heavy load, the fw monitor command can dramatically affect performance because we have to turn off acceleration. It is always best to test packet captures during off-peak times.
1. In Expert Mode on A-GW-01, navigate to the following directory:
cd /var/log/tmp
NOTE: Check Point recommends that you run the fw monitor command from a directory with plenty of space, such as /var/log, so that you do not fill up the hard drive.
2. At the prompt, type the following, and press Enter:
fwaccel off
Figure 199 — fwaccel off
NOTE: This command turns off SecureXL acceleration and ensures a complete capture in the next step.
3. Type the following at the prompt to start fw monitor:
fw monitor -o monitorfile.pcap
Figure 200 — fw monitor
4. Generate FTP traffic from B-Host (192.168.21.201) to A-GUI (10.1.1.201).
5. From A-GW-01, type CTRL + C to end monitoring.
6. Use WinSCP to transfer the monitorfile.out to A-GUI from A-GW-01.
7. On A-GUI, double-click the transferred pcap file to review the created output in Wireshark:
Figure 201 — monitorfile.pcap in Wireshark
8. Locate the FTP traffic from 192.168.21.201 to 10.1.1.201:
Figure 202 — FTP Traffic Identified
9. Identify additional traffic, from the 10.1.1.1 interface on the gateway to the GUI client (10.1.1.201).
10. Log in to A-GW-01, and type the following in Expert mode:
fw monitor -e "accept src=192.168.21.201 or dst=10.1.1.201;" -ci 20 -o monitorfile2.pcap
Figure 203 — fw monitor 2
NOTE: This monitors traffic to and from specific addresses and only captures twenty inbound events.
11. Generate FTP traffic from A-GUI to B-Host and from B-Host to A-GUI.
12. From A-GW-01, type CTRL + C to end monitoring.
NOTE: When you return to A-GW-01, the fw monitor may have already ended. This happens when it reaches the specified number of records collected, which, in this case, is 20.
13. From A-GUI, use WinSCP to transfer the monitorfile2.pcap off the Security Gateway.
14. Review the created output file to see that only the FTP traffic to and from 192.168.21.201 is shown:
Figure 204 — monitorfile2.pcap in Wireshark

Using tcpdump
Use tcpdump to retrieve Layer 2 information from the Security Gateway.
1. From A-GW-01, run the following command in expert mode:
tcpdump -i eth1 icmp -w dumpfile.pcap
Figure 205 — tcpdump -i eth1 icmp -w dumpfile.out
2. Generate ICMP traffic from A-GUI to the B-Host virtual machine.
3. On A-GW-01, type CTRL + C to end monitoring:
Figure 206 — Ending tcpdump
4. Use WinSCP to transfer the newly created tcpdump file to A-GUI.
5. Use Wireshark to view the contents of the tcpdump file.
6. From A-GW-01, type the following, and press Enter:
fwaccel on
END OF LAB 1.4

Viewing the Chain Modules
One way to help understand how the Security Gateway handles traffic is to review the inbound and outbound chain modules. These modules show how the kernel processes traffic as it enters and exits the gateway.
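What the filter expression of the fw monitor lab above actually keeps, as an added example (my own Python, not code from the lab manual or from Check Point): a reader for the classic libpcap format that tcpdump -w writes, an evaluator for the small filter subset used in that lab (accept, src=, dst=, sport=, dport=, and, or), and the -ci record limit. The packets are constructed; the addresses are the lab's B-Host (192.168.21.201), A-GUI (10.1.1.201) and the gateway's 10.1.1.1 interface, and the expression grammar implemented here is an assumption covering only those terms, with and binding tighter than or.

```python
"""fw monitor style pcap filtering: an added example, not Check Point code.
Supports only accept, src=, dst=, sport=, dport=, and, or; plus a -ci style limit."""
import re
import socket
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1     # classic little-endian pcap
TOKEN = re.compile(r"and|or|[a-z_]+=[0-9.]+")


def tcp_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp


def sample_pcap():
    """Constructed capture: FTP control both ways B-Host<->A-GUI, then SSH A-GW-01<->A-GUI."""
    frames = [tcp_frame("192.168.21.201", "10.1.1.201", 40000, 21),
              tcp_frame("10.1.1.201", "192.168.21.201", 21, 40000),
              tcp_frame("10.1.1.1", "10.1.1.201", 22, 55000),
              tcp_frame("10.1.1.201", "10.1.1.1", 55000, 22)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):      # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1500000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield IPv4 records (src, dst, proto, sport, dport); skip other frames."""
    magic, _v1, _v2, _tz, _sf, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected classic little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        incl, = struct.unpack("<I", data[off + 8:off + 12])    # incl_len field
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # IPv4 only
            continue
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]
        rec = {"src": socket.inet_ntoa(frame[26:30]),
               "dst": socket.inet_ntoa(frame[30:34]), "proto": frame[23]}
        if rec["proto"] in (6, 17) and len(l4) >= 4:           # TCP or UDP ports
            rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        yield rec


def compile_filter(expr):
    """Turn 'accept <expr>;' into a predicate; 'and' binds tighter than 'or' (as in C)."""
    m = re.fullmatch(r"\s*accept\b(.*);\s*", expr, re.S)
    if not m:
        raise ValueError("expected 'accept <expression>;'")
    tokens = TOKEN.findall(m.group(1))
    if "".join(tokens) != "".join(m.group(1).split()):        # reject unknown syntax
        raise ValueError("unsupported syntax in: " + m.group(1).strip())
    pos = 0

    def parse_or():
        nonlocal pos
        terms = [parse_and()]
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            terms.append(parse_and())
        return lambda rec: any(t(rec) for t in terms)

    def parse_and():
        nonlocal pos
        terms = [parse_atom()]
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            terms.append(parse_atom())
        return lambda rec: all(t(rec) for t in terms)

    def parse_atom():
        nonlocal pos
        tok, pos = (tokens[pos] if pos < len(tokens) else ""), pos + 1
        field, _, value = tok.partition("=")
        if field not in ("src", "dst", "sport", "dport"):
            raise ValueError("unsupported or missing term: " + repr(tok))
        want = int(value) if field in ("sport", "dport") else value
        return lambda rec: rec.get(field) == want

    node = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return node


def capture(data, expr, limit):
    """Collect matching records and stop after <limit>, like -ci <limit>."""
    pred, kept = compile_filter(expr), []
    for rec in read_pcap(data):
        if pred(rec):
            kept.append(rec)
            if len(kept) >= limit:
                break
    return kept
```

A reply with source 10.1.1.201 and destination 192.168.21.201 matches neither term of the lab's expression, so a capture of both directions of the session needs both address pairs, for example src=192.168.21.201 and dst=10.1.1.201 or src=10.1.1.201 and dst=192.168.21.201.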
In this lab, you will make changes to the Security Policy and identify how those changes affect the chain modules.
Tasks:
+ Evaluate the Chain Modules.
+ Modify the Security Policy.
+ Review Changes to the Chain Modules.
Performance Objectives:
+ Demonstrate an understanding of how different Check Point software blade deployments can affect traffic inspection on the Security Gateway.
+ Evaluate how changes in the environment affect the Chain Modules.

Review the chain modules in place for kernel level traffic inspection.
1. Connect with SSH and use the following credentials to log into the A-GW-01 virtual machine:
Username: admin
Password: Chkp!234
IP Address: 10.1.1.2
2. Type the following command and press Enter:
fw ctl chain
Figure 207 — fw ctl chain
3. Consider the following questions when evaluating the chain modules:
» Can you see how the traffic flows through the kernel?
» Besides the Firewall, what other modules are engaged?
» Can you tell if IPS is currently deployed?
» Could you tell if this is a cluster by looking at the inspection chain?

Modifying the Security Policy
Make changes to the Security Policy that will be visible in the chain modules.
1. From A-GUI, use the following credentials to log into SmartConsole:
Username: admin
Password: Chkp!234
IP Address: 10.1.1.101
2. In SmartConsole, edit the A-GW-Cluster object.
3. In the Network Security tab, clear the following option: IPSec VPN
4. Verify that the object is configured as follows:
Figure 208 — General Properties Configured
5. Click OK.
6. In the Alpha Security Policy, add the A-SMS to the Source field of the Management rule.
7. Add SSH to the Services & Applications field of the Management rule:
Figure 209 — Management Rule Configured
8. Publish the changes and install the Alpha Security Policy:
Figure 210 — Installation Process

Reviewing Changes to the Chain Modules
Run the fw ctl chain command to view the chain modules.
1. In the Gateways & Servers tab, expand the A-GW-Cluster object.
2. Right-click the A-GW-01 and select Actions:
Figure 211 — Actions Menu
3. Select Open Shell, and the system displays the following window:
Figure 212 — Open Shell
4. Use the following information to log into the shell:
Username: admin
Password: Chkp!234
Remember Password: Selected
5. Click Login, and the system displays the Fingerprint Confirmation window:
This is the first SSH connection to 'A-GW-01'. The fingerprint of 'A-GW-01' is: (fingerprint value not legible in the scan). Do you want to continue?
Figure 213 — Fingerprint Confirmation
6. Click Yes, and the system opens an SSH session with A-GW-01:
Figure 214 — SSH Connection
7. Type the following command and press Enter, to view the chain modules:
fw ctl chain
Figure 215 — fw ctl chain
8. Review the inbound chain and the outbound chain and consider the following questions: What changes do you [...] making modifications to the A
NAT. 7. Confirm that A-DMZ is not included in the Static NAT rules: Figure 224 — Network Address Translation Rules $8. Publish the changes to the database 9, In the objects pane of SmartConsole, create a new Host object. 250Chock Paint Seustn Engineering 10, Use the information below to define the General page of the new Host Name: A-DMZ-NAT Comment: Static NAT address of A-DMZ Color: Dark Blue IP Address: 203.0.113.171 _ A-DMZ-NAT Gent Machine nar Pe ore dec Sees e808 13 Figure 225 — A.DMZ-NAT 1. Click OK. 251(Check Point Security Engincering : oT rr Bo = |S eroe 3 Steam [ew [ome @ no Bue Bicone 3 oer Sere tom cme 2 Smee em seer | on tim a =a EE 7 I 5 o ° Bo |e = [= |e fem om [mm Om G/B soroe Soe ne > es en Tor moot ior 2 [ee [tenner now ee BiB oro Res eensnene a or i Peo or Bi | sore : q : Oem 352Chock Paint Suny Engineering 13. Use the following information to configure the new rule: Name: Incoming Source: Any Destination: A-DMZ-NAT Services & Applications: http Action: Accept Track: Log Install On: A~GW-Cluster ro Beunlse A oo tom Bete oom nee B Anette P Maapene wnat vw © Bee Bes Basson sree a oe ow ay oom Bue B soca | ef te 1 sora oe tm oe Ont Bue 8 scnoate re 3 teu aie 2 me sent Bue + Se * ° + e 5 7 exewe 26 sma or os O he © et Bus Bsc om hm som to i pene tm hme Ons Bee 8 sawn 1 2 synanen ws we apa © eet Bus B sont flee Sensor Se [nm ora] ier} oS om Bie socom oun . . . . oe Figure 227 — Incoming Rule 253Check Paint Secunw Engineering View the NAT Rule Base: me Ota Figure 228 — NAT Rule Base18, 16. 1 18, 19, (Check Pains Security Enincering Add anew rule to the top of the NAT Rule Base: 2 mane + miso tie = orn ion Lee 2 tm se Some aie = hot Ant 7 aise cre BinsraN a ones = Send Aone 7 Seon B oncwm 7 = ym oa Kurs ot oi a top so Soene = cme = cree Reset a oo Acsenunties = cient = Sundial Figure 229 — Default Rule Added to NAT Rule Base In the Original Destination field, add the A-DMZ-N AT object. In the Original Services field, add HTTP. 
In the Translated Destination field, add A-DMZ. In the Install On field, add A-GW-Cluster. 255Cheek Paint Sunn Engneering 20, Verify that the new rule appears as follows: PaRpr spars Figure 230 — Manual NAT Rule Configured 256(Check Point Seourty Enincoring 21, Add a new rule below the first manual NAT rule. 22, In the Original Source column, add A-DMZ., 23. In the Original Services column, add HTTP. 24, In the Translated Source column, add A-DMZ-NAT, 28, In the Install On column, add A-GW-Cluster. 26, Verify that the new reciprocal manual NAT rule appears as follows: wat oy oo we nstinie = Goma B Hrcure aw sano a) some Sue specu 5 aoe a oe Baseman = cen B ewcute « Baw B uecnde Gascmaes + 2 newer sence + a, Some B korovie 2 Aapenr + ay oy hips Lavoe Baar A amet 8 ey Scat Lowcue ze ee eS vo come How ove a awamser —& sannent —§ a ome towne i) Sewn [oa ae, Shes Mtoe Bo Reams Aamo oy = om sora Ween ae so = eam B tow cee Figure 234 — Reciprocal Manual NAT Rule Configured 257Chock Pains Sonny Enmooring 27. Publish the changes to the database: Click ‘Publish’ to make these changes available-te all. Sen noe: (nea Dereatne (tanger ublaad by adn an 28/7 (Cee) (eoree Figure 282 — SmartConsole 28, Install the Alpha Security Policy. 258Check asm cunty Engineering Configuring the ARP Table ‘Configure the ARP table for manual NAT to work suecessfully. 1. Log intothe A-DMZ virtual machine 2. Wiew the details of the Network Connection, 3. Make a notof the MAC Address (Physical Address): awahiCersaten Or [meee Tete Camecionemtc ON Pescetee ea PROM GOT ne cre Pres Atees — DILERTEDETA IHEP Eid te tSaratNek SSIES tana Gtonny — ETEEED sme Se Lrkcea evs ee ebb eTOhSeeteeramesat Gena Sense Figure 233 — Network Communication Detals 259Check Point Secursy Engineering From A-GUI, connect to the Gaia Portal on A-GW-01: Figure 234 — Gala Portal -Ovewiew 260Chock Paint Seustn Engineering 8, In the navigation pane, select Network Management > ARP: Figure 235 — ARP 6. 
In the Static ARP Entries section of the ARP page, click Add.
7. Use the information below to configure the Add Static ARP Entry window:
IPv4 Address: 203.0.113.171
MAC Address: Enter the MAC address you noted earlier.
Figure 236 — Add Static ARP Entry Configured
8. Click OK, and the system adds the Static ARP Entry:
Figure 237 — ARP Configured
9. Next, log into the Gaia Portal of A-GW-02 and add the same Static ARP Entry to the ARP page:
Figure 238 — Add Static ARP Entry Configured
10. Publish the changes and install the Alpha Security Policy.
11. From B-Host, open a Web browser.
12. Use HTTP to connect to the static NAT address of A-DMZ (203.0.113.171).
13. From A-GUI, identify the accepted HTTP traffic.
14. View the log details to see the NAT taking place:
Figure 239 — Log Details
END OF LAB 1.6

Automation & Orchestration
Trusted Application Programming Interfaces (APIs) enable enterprises using network or orchestration systems to securely integrate a security management solution that has automation capabilities into their workflow processes. The Check Point API makes it easy to integrate securely with orchestration, change management and ticketing systems. With the ability to control exactly what that integration can and cannot do, organizations have the confidence to embed security into their IT ecosystem.

Learning Objectives
+ Recognize how Check Point's flexible API architecture supports automation and orchestration of daily operations.
+ Understand how to use the management API command line tools and web services to read information, create objects, work on Security Policies, and send commands to the Check Point Security Management Server.

Check Point Automation & Orchestration
Automation is the process of making tasks normally performed by human intervention be performed by a machine, as a means of providing efficiency and minimizing human error. Orchestration is the choreography of automating the arrangement, coordination and management of processes performed within complex computer systems and services into a logical workflow. It reduces the time and effort for deploying multiple instances of a single task by automatically performing a series of tasks which previously could only be performed by multiple administrators.

How Automation and Orchestration Differ
Automation and Orchestration differ in that automation relates to codifying tasks, whereas orchestration relates to codifying processes. Automation is concerned with executing a single task, such as launching a web server or stopping a service, in a repeatable, consistent manner. Orchestration takes a series of automated tasks developed through automation and puts them all together into a process workflow, which can simplify the complex management of today's network security infrastructures. For example, an organization may use a cloud orchestrator to manage the interconnections and interactions among their cloud-based and on-premises business units. Orchestration also involves the process of coordinating the exchange of information through web service interactions, such as XML and JSON.

APIs
Check Point's R80.10 Security Management platform provides the framework to support both Automation and Orchestration through its flexible API architecture. An API is a set of routines, protocols, and tools for building software applications.
Check Point provides a complete CLI and API interface for security management, which enables the automation of daily operations and full integration with 3rd party and other systems, such as network management systems, ticketing systems, virtualization servers, and cloud orchestrators. Automation and SmartConsole management operations are allowed based on the same privilege profile. Check Point APIs allow system engineers and developers to make changes to their organization's Security Policy with CLI tools and Web Services. An API can be used to:
+ Execute an automated script to perform common tasks
+ Integrate Check Point products with 3rd party solutions
+ Create products that use and enhance the Check Point solution

There are different APIs for various Check Point products:
Management API — Used to read information, create objects, work on Security Policies and send commands to the Check Point Security Management Server. The Management API has a JSON/XML web services option, a CLI window in the R80.10 SmartConsole GUI, the new mgmt_cli tool, and the Gaia Clish.
Threat Prevention API — A cloud-based service used to control Threat Emulation, Antivirus, and Threat Extraction products.
Identity Awareness Web Services API — A web services API used to add, remove, and show the status of identity parameters. For example, using the API, a new user can be added to an Access Role, or a user can be allowed to connect to the internal network from a different IP address.
OPSEC SDK — These APIs are used to open and monitor connections between the Security Management Server and gateways, and other hosts and objects.
During this course, we will focus solely on the Management API.
NOTE
OPSEC SDK contains APIs for commands that were originally used with SecurePlatform.
These commands can also be used on the Gaia operating system.

Check Point API Architecture
The Check Point API Architecture consists of the API server and API interaction mechanisms. The API server communicates with CPM in the same way as SmartConsole. An API automated session will generate audit logs and will display the validation errors and warnings. The API architecture also supports Concurrent Administration. The same permission profiles that control the GUI are enforced when using an automation session. The API server uses JavaScript Object Notation (JSON) for data interchange. JSON is a lightweight data-interchange format which is easy for individuals to read and write, and for machines to parse and generate. Interaction mechanisms are command sources, such as Web Services and Management CLIs. All API clients use the same port as the Gaia Portal: HTTPS/443.
Figure 240 — API Architecture

Command Sources
Command sources allow you to communicate with the API server and perform many tasks using management APIs:
+ The SmartConsole GUI console — From SmartConsole, click the Command button to open a CLI window and enter API commands. For example, you can use the add host command to create a new host and then publish the changes.
+ The mgmt_cli Tool — Runs in Expert mode and lets you enter commands from a Windows or Linux computer. mgmt_cli uses the same authentication (username and password) as the GUI client; however, it does not require a GUI installation.
+ Gaia CLI — Log in to Gaia with an administrator account on the Security Management Server and enter API commands using Clish.
+ Web Services — Send HTTPS Post requests to the Security Management Server.

RESTful API
RESTful APIs allow systems to use web services to access, manipulate, delete, change, and add resources. They use standard HTTP methods sent by script to GET, PUT, POST, and DELETE data.
The management API uses RESTful API to send calls using the POST method. An example of using a RESTful API to call the login would be:
HTTP POST https://
/web_api/login
Content-Type: application/json
The Content-Type header states how the request body sent to the server is composed.

Operational Flow
The chart below diagrams the operational flow of an API session:
Figure 241 — API Operational Flow (login and get a session ID; perform change(s) using the session ID as "proof"; publish to accept the changes or discard them; repeat if there is more to do; logout)

API Server Configuration
The management API server is part of the R80.10 management server installation. To manage security through API and CLI, you must first configure the API server. The API server runs scripts that automate daily tasks on the Security Management Server. It also integrates Check Point products with third party systems. To configure the API server in SmartConsole, go to Manage & Settings > Blades. In the Management API section, click Advanced Settings, and the Management API Settings window will open. Configure the Startup Settings and the Access Settings. Startup Settings start the API server when the Security Management Server starts. The Automatic start setting is selected by default in the following environments:
+ Security Management Servers (without gateway functionality) with at least 4GB of RAM
+ Standalone Security Management Servers (with gateway functionality) with at least 8GB of RAM
NOTE
Verify your installation requirements prior to configuring the API server.
Access Settings configure the IP addresses from which the API server accepts requests. The Management server only option is selected by default. This option instructs the API server to accept scripts and web requests only from the Security Management Server.
To send an API request, open a command line interface on the server and use the mgmt_cli utility.
Figure 242 — Configure API Server
To verify that the API server is running, run the following command in Expert mode: api status
To start the API server, run the following command in Expert mode: api start
To stop the API server, run the following command in Expert mode: api stop

Management API Commands
To type API commands from the SmartConsole GUI, click the command line interface button located in the bottom left corner to open the Command Line Interface window.
Figure 243 — Command Line Interface
Basic API commands include: login, add, set, show, delete, publish, discard, logout.
In the GUI, scripting begins with a login dialog to receive a session token. A login command creates a session. User name and password parameters are always required. Here is the syntax for a login script:
--format json login user [user name]
password [password]
The output for this example is as follows:
{
  "sid" : "97BVpRfN5J6iogN-v2x0G_rHNlDDWlhOSNOOgSPUKDAM",
  "url" : "https://192.0.2.1:443/web_api",
  "uid" : "7a13a360-9b24-40a7-acd3-5b50247b0336",
  "session-timeout" : 600,
  "last-login-was-at" : {
    "posix" : 1430032266851,
    "iso-8601" : "2015-04-26T10:11+0300"
  }
}
NOTE
"--format json" is optional.
The sid string represents the session unique identifier. This identifier is entered in the X-chkp-sid header of each request. The url parameter identifies the URL which was used to reach the API server. The uid string is the session object identifier. It may be used in the discard API to discard changes that were made in the session, when the administrator is working from another session.
API commands can be used to create scripts for key security management components, including:
+ Network Objects — Hosts, Networks, Groups, Access Roles
+ Services and Applications — Service TCP, Service UDP, Application
+ Policy — Install policy, policy package management
+ Access Control and NAT — Access rules, NAT rules
+ VPN — VPN Community Meshed, VPN Community Star
For example, to create a new host, use the following command: add host name
id.txt
mgmt_cli add host name "New Host 1" ip-address "1.1.1.1" -s id.txt
mgmt_cli publish -s id.txt
mgmt_cli logout -s id.txt
In the example above, the output from the login command is redirected to a file called id.txt. By using the -s parameter, the rest of the commands read id.txt and automatically extract the session-id from this file. Users logged in to a management server as root can run mgmt_cli commands without providing their credentials. These are users with Super Administrator permissions. To use this option, add --root true to the end of the mgmt_cli command. All mgmt_cli commands can use CSV files for automation purposes as well. For example, the following command can be used to create multiple host objects from a Microsoft Excel spreadsheet:
# mgmt_cli add host --batch hosts.csv

Gaia CLI (Clish)
To run management API commands in Gaia's shell, you must first log in as an administration user. The syntax is identical to the commands that you run in the SmartConsole GUI; however, all management commands begin with the mgmt command. For example: mgmt add host.

Web Services
Using Web Services to build an application that communicates with the Check Point management server requires the following components for the web request:
+ HTTP Post target — Identifies the management server and port. The default port is 443.
+ HTTP Headers — Consist of the content-type, such as application/json, and the X-chkp-sid header. The X-chkp-sid is the session ID token and is mandatory in all API calls, except login.
+ Request payload — Text containing the different parameters in the specified format (json or xml).

Management API Support
Check Point Management API utilizes the full potential of the R80.XX Security Management Server and can be used within any programming environment. To assist you in building automation tools for your organization, Check Point recommends the following reference tools.
The Management API Reference v1.0 Guide
This online guide provides an introduction to the Check Point Management API. The guide may be accessed via the Check Point User Center and the management server (/api_docs).
Figure 244 — Management API Reference v1.0

The Check Point Exchange Point Community
Join the Check Point Exchange Point Community to browse the latest scripts built by experts in the field, get code samples, network with developers, and access additional API documentation. A direct link to the Exchange Point Community is located on the Check Point website, or enter this URL into your browser: https://community.checkpoint.com/
Figure 245 — Check Point Exchange Point Community

Lab 2.1: Managing Objects Using the Check Point API

Review Questions
1. What are the four command sources which allow you to communicate with the management server using management API?
2. What does the sid command string identify?
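The following is an added illustration of the session flow this chapter describes (login returns a sid, every later call carries it in the X-chkp-sid header, changes are published, the session is logged out); it is not code from Check Point or from this manual. It also replays the objects that Lab 2.1 below creates. Assumptions: the FakeTransport class stands in for an HTTPS client and returns constructed JSON, so nothing touches the network; the hyphenated web-service command names (add-host, add-group, set-host) follow the Management API Reference convention rather than appearing on this page; the credentials and the sid value are placeholders.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed login reply, shaped like the chapter's sample output (sid is a placeholder).
FAKE_LOGIN_RESPONSE = {
    "sid": "EXAMPLE-SESSION-ID-NOT-REAL",
    "url": "https://192.0.2.1:443/web_api",
    "uid": "7a13a360-9b24-40a7-acd3-5b50247b0336",
    "session-timeout": 600,
}


class FakeTransport:
    """Stands in for an HTTPS client: records each POST and returns canned JSON (constructed)."""

    def __init__(self) -> None:
        self.requests: List[Tuple[str, Dict[str, str], dict]] = []

    def post(self, url: str, headers: Dict[str, str], body: str) -> dict:
        self.requests.append((url, dict(headers), json.loads(body)))
        if url.endswith("/web_api/login"):
            return dict(FAKE_LOGIN_RESPONSE)
        return {"status": "ok"}  # constructed reply for every other command


class MgmtApiSession:
    """Follows the operational flow: login, commands carrying X-chkp-sid, publish, logout."""

    def __init__(self, server: str, transport, port: int = 443) -> None:
        self.base = f"https://{server}:{port}/web_api"  # server and port from the chapter
        self.transport = transport
        self.sid: Optional[str] = None

    def _call(self, command: str, payload: dict) -> dict:
        headers = {"Content-Type": "application/json"}
        if command != "login":
            # X-chkp-sid is mandatory on every call except login; refuse to send without it.
            if self.sid is None:
                raise RuntimeError(f"{command}: X-chkp-sid is mandatory; log in first")
            headers["X-chkp-sid"] = self.sid
        return self.transport.post(f"{self.base}/{command}", headers, json.dumps(payload))

    def login(self, user: str, password: str) -> str:
        self.sid = self._call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def add_host(self, name: str, ip_address: str, groups: Optional[List[str]] = None) -> dict:
        payload = {"name": name, "ip-address": ip_address}
        if groups:
            payload["groups"] = groups
        return self._call("add-host", payload)

    def add_network(self, name: str, subnet: str, subnet_mask: str) -> dict:
        return self._call("add-network", {"name": name, "subnet": subnet, "subnet-mask": subnet_mask})

    def add_group(self, name: str, members: List[str]) -> dict:
        return self._call("add-group", {"name": name, "members": members})

    def set_host(self, name: str, **fields) -> dict:
        return self._call("set-host", {"name": name, **fields})

    def publish(self) -> dict:
        return self._call("publish", {})

    def logout(self) -> dict:
        resp = self._call("logout", {})
        self.sid = None  # the token must not be reused after logout
        return resp


def run_lab_flow(transport) -> dict:
    """Replays the Lab 2.1 object set over the web API and returns a summary for checking."""
    s = MgmtApiSession("192.0.2.1", transport)
    sid = s.login("admin", "PLACEHOLDER-PASSWORD")  # constructed credentials
    s.add_host("myHost1", "192.168.0.201")
    s.add_network("myNetwork", "192.168.0.0", "255.255.255.0")
    s.add_group("myGroup", ["myHost1"])
    s.add_host("My Test Host", "192.168.0.111", groups=["myGroup"])
    s.set_host("myHost1", color="blue")
    s.add_group("myGroup1", ["My Test Host", "A-GUI"])
    s.publish()
    s.logout()
    commands = [url.rsplit("/", 1)[1] for url, _, _ in transport.requests]
    sid_ok = ("X-chkp-sid" not in transport.requests[0][1]
              and all(h.get("X-chkp-sid") == sid for _, h, _ in transport.requests[1:]))
    return {"sid": sid, "commands": commands,
            "sid_on_every_call_after_login": sid_ok, "logged_out": s.sid is None}


if __name__ == "__main__":
    print(json.dumps(run_lab_flow(FakeTransport()), indent=2))
```

Against a real management server the FakeTransport would be replaced by an HTTPS client that POSTs the JSON body with the same two headers; the point of the wrapper is that the session token lives in one place, is never sent before login, and is dropped at logout, so a script cannot accidentally run a command with a stale or missing X-chkp-sid.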
Lab 2.1: Managing Objects Using the Check Point API
Check Point's Application Programming Interface (API) allows administrators to quickly and easily perform common tasks through a command line interface.
Tasks:
+ Configure the Check Point API
+ Create and edit objects using the Check Point API
Performance Objectives:
+ Demonstrate how to define new network and group objects using the Check Point API
+ Demonstrate how to modify existing objects using the Check Point API

Configuring the Check Point API
Activate the API software blade.
1. Select the Manage & Settings tab.
2. Select the Blades icon.
3. In the Blades page, identify the Management API section:
Figure 246 — Management API Settings
4. Click the Advanced Settings button, and the system displays the following window:
Figure 247 — Management API Advanced Settings
5. Use the information below to configure the Management API window:
Startup Settings: Automatic Start
Accept API calls from: Management Server Only
6. Launch a Putty session from A-GUI to A-SMS.
7. Log into the server as admin:
Figure 248 — Putty Session
8. At the prompt, type the following command and press Enter: api status
Figure 249 — api status
NOTE
The API should be running by default. If it is not, you can stop and start it using the following commands:
+ api start
+ api stop
Check Point recommends restarting the API with the api restart command after making major changes.
9. Close the Putty session.

Defining and Editing Objects in the API
Create and edit basic objects through the API.
1. In SmartConsole, click the Command Line icon in the lower left of the screen. The system displays the following window:
Figure 250 — Command Line
2. To define a new host from the API, execute the following command:
add host name "myHost1" ip-address 192.168.0.201
Figure 251 — add new host
3.
To define a new network object, execute the following command:
add network name "myNetwork" subnet 192.168.0.0 subnet-mask 255.255.255.0
Figure 252 — add network name
4. In the objects panel, verify that the following new objects are now listed:
+ myHost1
+ myNetwork
Figure 253 — Objects Panel
5. From the API, execute the following command:
add group name "myGroup" members myHost1
Figure 254 — add group name
NOTE
This will create a new group object and will include myHost1 as a member of this group.
6. Execute the following command:
add host name "My Test Host" ip-address 192.168.0.111 groups myGroup
Figure 255 — add host name
NOTE
By defining the new object name with surrounding quotation marks, the system allows the name to include spaces.
7. To edit an existing object, use the set command:
set host "myHost1" color "blue"
Figure 256 — set host
8. To define a group with multiple member objects, execute the following command:
add group name "myGroup1" members.1 "My Test Host" members.2 "A-GUI"
Figure 257 — add group name
9. In SmartConsole, view the myGroup object to view the added member objects:
Figure 258 — myGroup
10. Click OK.
11. View the myGroup1 object to confirm its member objects:
Figure 259 — myGroup1
12. Click OK.
13. Next, discard all the changes without publishing:
Figure 260 — SmartConsole
14. Click Discard.
15. Verify that the objects created in the API are no longer listed in the objects pane:
Figure 261 — Objects Discarded
END OF LAB 2.1

Redundancy
Security Gateways can be configured to provide redundancy to prevent network downtime.
The failure of a Security Gateway or VPN connection can result in the loss of active connections, many of which can be mission critical and result in the loss of critical data. Whether your preferred network redundancy protocol is Check Point ClusterXL technology or the standard Virtual Router Redundancy Protocol (VRRP), it is no longer a platform choice you will have to make with Gaia. Both ClusterXL and VRRP are fully supported by Gaia. The concept of clustering was introduced in the CCSA course. During this chapter we will explore clustering in greater detail.

Learning Objectives
+ Discuss advanced ClusterXL functions and redundancy.
+ Describe VRRP network redundancy and its advantages.

Advanced ClusterXL
ClusterXL supplies an infrastructure that ensures no data is lost in the event of a system failure. This Check Point cluster solution uses unique physical IP and MAC addresses for its cluster members and virtual IP addresses to represent the cluster itself. The virtual IP addresses do not belong to an actual machine interface, and it is recommended that each cluster member have at least three interfaces: one external interface, one internal interface, and one for synchronization. ClusterXL is part of the standard Security Gateway installation and can be configured for Load Sharing or High Availability mode.

Advantages of Using ClusterXL
Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers and virtualized environments. While both platforms provide the ability to monitor the state of their clusters, ClusterXL provides more in-depth operational and monitoring capabilities. For example, when using ClusterXL, System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob list command.
In addition, if an interface goes down, System Administrators can determine if it is fully down or partially down by using the cphaprob -a if command. They can see which firewall is currently active, or in the case of Load Sharing, which gateway is carrying the load and the percentage of the load carried, using the cphaprob stat command.
Advantages of using ClusterXL include:
+ Tight integration with Check Point management and enforcement points
+ Transparent failover
+ Higher performance
+ Easy deployment
+ Cost-effective

Load Sharing
ClusterXL Load Sharing distributes traffic within a cluster so that the total throughput of multiple members is increased. In Load Sharing clusters, all functioning members are active and handle network traffic. This is referred to as an Active/Active configuration. Load Sharing clusters increase linear performance for CPU-intensive applications such as VPNs, security servers, policy servers, and User Directory (LDAP). With Load Sharing, if any member of a cluster becomes unreachable, transparent failover occurs to the remaining operational members in the cluster, thus providing High Availability. All connections are shared between the remaining Security Gateways without interruption. ClusterXL Load Sharing configurations require all machines to be synchronized, which differs from High Availability. Machines in a ClusterXL High Availability configuration do not have to be synchronized; however, connections will be lost upon failover if they are not. ClusterXL offers two different Load Sharing solutions: Multicast and Unicast. These modes differ in the way members receive the packets sent to the cluster.

Multicast Load Sharing
In ClusterXL Multicast Load Sharing mode, every member of the cluster receives all of the packets sent to the cluster IP address.
The Multicast mechanism allows several interfaces to be associated with a single Multicast MAC address. Therefore, when a router or Layer 3 switch forwards packets to all of the cluster members using Multicast mode, a ClusterXL decision algorithm on the cluster members decides which cluster member should perform enforcement processing on the packet. Only that machine processes the packet and sends the packet to its destination. The other machines drop the packet. This decision-making process is the core of the Multicast Load Sharing mechanism. It has to ensure that at least one member will process each packet, so that the traffic is not blocked, and that no two members will handle the same packets, so that traffic is not duplicated. Only routers or Layer 3 switches that accept a Multicast MAC address as a response to an ARP request with a Unicast IP address are supported for Multicast Load Sharing.

Unicast Load Sharing
In ClusterXL Load Sharing Unicast mode, one machine, called the Pivot machine, receives all traffic from a router with a Unicast configuration and redistributes the packets to the other machines in the cluster. The Pivot machine is chosen automatically by ClusterXL. The Pivot is the only machine that communicates with the router. In this scheme, the router uses only the Pivot's Unicast MAC address to communicate with the cluster. The Pivot functions as a cluster router, both from the internal network outwards and vice versa. This functionality also applies to DMZ networks. After the Pivot first receives the packet from the router or switch, the Pivot's Load Sharing decision function decides which cluster member should handle the packet. This decision function is made in a similar fashion to the Multicast Load Sharing decision. The Pivot may also decide to handle the packet itself. In such a case, Pivot Load Sharing will give the packet to the Pivot's Firewall component for processing.
If the Pivot encounters a problem, a regular failover event occurs and another cluster member assumes the role of the new Pivot. The Pivot member is always the active member with the highest priority. Therefore, when the original Pivot recovers, it will resume its previous role. Because the Pivot is busy distributing traffic, the Pivot participates to a lesser extent in the actual Load Sharing function. The other cluster members take on more traffic load. Since the Check Point Pivot Mode feature is based on Unicast addresses only, it can work with all routers and Layer 3 switches. The following diagram and steps outline how a packet travels through a Unicast Load Sharing cluster:
Figure 262 — Unicast Load Sharing Mode Packet Path
When the router sends a packet through the cluster, the following occurs:
1. The router sends an ARP request for the cluster IP address.
2. The Pivot returns an ARP reply, with its own Unicast MAC address, to the router.
3. The router sends the packet to the Pivot. The Pivot decides which cluster member should handle the packet.
4. The Pivot forwards the packet to the designated cluster member without changing the packet. The destination IP address of the packet remains unchanged, and neither decryption nor NAT functionality is performed on the forwarded packet. When sending the packet, the Pivot uses the MAC address of the designated cluster member. The packet is forwarded through the original interface.
5. The receiving cluster member performs inspection and sends the packet to its destination.
6. The return packet first reaches the Pivot. The return packet then goes through the same process, although it may not necessarily be forwarded by the Pivot to the same cluster member.
7. The Pivot assigns the cluster member to handle the packet.
8.
The receiving cluster member performs inspection and sends the packet to its destination.

Proxy ARP
Address Resolution Protocol (ARP) is used to convert system communications from the Layer 3 IP protocol to Layer 2. To allow cluster members to communicate with each other, a static ARP should be configured for each cluster member, stating the MAC address of all other members in the cluster. IP packets sent between members are not altered and no changes are made to the routing table. Cluster synchronization does not rely on ARP. Proxy ARP is useful for environments that have NAT'd Firewalls. It is a Firewall feature that enables a router or switch to reply to any ARP requests with its own MAC address. It is used mainly for networks that do not have a default Security Gateway. The Proxy ARP recognizes the destination of the network traffic and provides its MAC address as the final destination. The traffic is then routed to the intended destination using another interface or via a tunnel. When using static NAT, a cluster can be configured to automatically recognize the hosts hidden behind it and issue ARP replies with the cluster MAC address on their behalf. This process is referred to as Automatic Proxy ARP. If using ClusterXL VMAC mode or different subnets for the cluster IP, the Proxy ARP must be configured manually:
1. Configure Data Link layer to Network layer matching on each cluster member. Match the IP addresses of the relevant hosts on the network where they are located to the MAC address of the Security Gateway on the network where the IP addresses of these hosts should be published.
2. Create the relevant Manual NAT rules and install the policy.
Check Point Security Gateway/cluster member matching is saved in this file:
$FWDIR/conf/local.arp
Each entry in the file contains the host address to be published, the MAC address that needs to be associated with the IP address, and the unique IP of the interface that responds to the ARP request.
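Because a wrong manual Proxy ARP entry answers ARP on behalf of the wrong address, it is worth checking the file before installing policy. The following is an added example of such a sanity check, not Check Point's own code or tooling. It uses the three fields this section names for each local.arp entry; the whitespace-separated three-column layout, the "#" comment handling, the sample entries (built around the lab's static NAT address 203.0.113.171) and the MAC addresses are all constructed assumptions for the demonstration, so adapt the parser to the exact file layout on your own gateways.

```python
import ipaddress
import re
from typing import Dict, List

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample for one cluster member, with deliberate mistakes to be flagged.
# Columns (assumed layout): published-ip  mac-to-answer-with  unique-ip-of-responding-interface
SAMPLE_LOCAL_ARP = """\
# published-ip   mac-to-answer-with   responding-interface-ip
203.0.113.171   00:11:22:aa:bb:01   203.0.113.11
203.0.113.172   00:11:22:aa:bb:01   203.0.113.11
203.0.113.172   00:11:22:aa:bb:09   203.0.113.11
203.0.113.11    00:11:22:aa:bb:01   203.0.113.11
203.0.113.300   00:11:22:aa:bb:01   203.0.113.11
203.0.113.173   00-11-22-aa-bb-01   203.0.113.11
203.0.113.174   00:11:22:aa:bb:01
"""


def parse_local_arp(text: str) -> Dict[str, List]:
    """Parse entries; malformed lines are reported, never silently skipped."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        cols = line.split()
        if len(cols) != 3:
            errors.append(f"line {n}: expected 3 columns, got {len(cols)}")
            continue
        pub, mac, iface = cols
        mac = mac.lower()
        try:
            pub_ip = ipaddress.ip_address(pub)
            iface_ip = ipaddress.ip_address(iface)
        except ValueError as exc:
            errors.append(f"line {n}: bad IP address ({exc})")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {n}: bad MAC format {mac!r} (expected aa:bb:cc:dd:ee:ff)")
            continue
        entries.append({"line": n, "published": pub_ip, "mac": mac, "iface": iface_ip})
    return {"entries": entries, "errors": errors}


def check_local_arp(text: str, expected_published: List[str]) -> Dict[str, List[str]]:
    """Cross-check entries: one MAC per published IP, one MAC per responding
    interface, no entry for an interface's own address, and every NAT address
    that the policy needs (expected_published) actually present."""
    parsed = parse_local_arp(text)
    findings = {"errors": parsed["errors"], "conflicts": [], "warnings": [], "missing": []}
    macs_by_published: Dict[str, set] = {}
    macs_by_iface: Dict[str, set] = {}
    for e in parsed["entries"]:
        macs_by_published.setdefault(str(e["published"]), set()).add(e["mac"])
        macs_by_iface.setdefault(str(e["iface"]), set()).add(e["mac"])
        if e["published"] == e["iface"]:
            findings["warnings"].append(
                f"line {e['line']}: {e['published']} is the responding interface's own "
                "address; it answers ARP for itself and needs no proxy entry")
    for pub, macs in macs_by_published.items():
        if len(macs) > 1:  # two answers for one IP: peers cache whichever arrives last
            findings["conflicts"].append(
                f"{pub} is published with {len(macs)} different MACs: {sorted(macs)}")
    for iface, macs in macs_by_iface.items():
        if len(macs) > 1:  # a single interface has a single MAC
            findings["conflicts"].append(
                f"interface {iface} answers with {len(macs)} different MACs: {sorted(macs)}")
    for ip in expected_published:
        if ip not in macs_by_published:
            findings["missing"].append(f"NAT address {ip} has no local.arp entry")
    return findings


if __name__ == "__main__":
    result = check_local_arp(SAMPLE_LOCAL_ARP, ["203.0.113.171", "203.0.113.175"])
    for kind, items in result.items():
        for item in items:
            print(f"{kind.upper():9} {item}")
```

The expected_published list is the set of translated addresses from the Manual NAT rules; feeding it in catches the common failure where a NAT rule is installed but nobody answers ARP for its public address, which the lab above fixes by hand with a static ARP entry.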
Proxy ARP can cause denial-of-service (DoS) conditions on a network if misconfigured. Where Manual NAT rules are configured as described above, another approach to getting the correct Proxy ARP is to configure aliases (secondary IP addresses), which are added to the relevant external interface for the public IP address that will be used for the Manual NAT rules. When this is done, the Gaia operating system automatically proxy ARPs for those public IP addresses without the need to statically configure them in a local.arp file.

VMAC
Cluster Virtual MAC (VMAC) is a virtual MAC address assigned to a Virtual Router. It is a variation of the High Availability (HA) and Load Sharing Unicast modes. Upon failover in High Availability/Load Sharing Unicast mode, a new Active/Pivot member will send Gratuitous ARP requests (G-ARPs) for the virtual IP with the physical MAC address of the new Active/Pivot. When this occurs, a member with a large number of Static NAT entries can transmit too many G-ARPs, and network components may start to ignore them or refrain from updating their ARP cache table fast enough. As a result, traffic outages may occur. Configuring the cluster to use VMAC mode allows all cluster members to use the same Virtual MAC address and minimizes possible traffic outages during a failover. In addition, G-ARPs for NAT'd IP addresses are no longer needed. The VMAC that is advertised by the cluster members through G-ARP requests keeps the real MAC address of each member and adds another VMAC address on top of it. Keeping the real MAC address of each member is necessary, in that connectivity to the IP address of the member itself is required. VMAC failover time is shorter than a failover that involves a physical MAC address.

Configuring VMAC
VMAC can be configured via SmartConsole or CLI. To configure VMAC via SmartConsole, select the cluster object and navigate to the Gateway Cluster Properties window.
Select the ClusterXL and VRRP menu option, and then enable the Use Virtual MAC option located under the Advanced Settings section.
Figure 263 — Gateway Cluster Properties - Use Virtual MAC
To configure VMAC using the command line, you must first set the value of the global kernel parameter fwha_vmac_global_param_enabled to 1. (The default value is 0. The default value means that VMAC is disabled.) To ensure that VMAC mode is enabled, run the following command on all members:
fw ctl get int fwha_vmac_global_param_enabled
If the value returned is 1, the feature is enabled. If not enabled, use the following command:
fw ctl set int fwha_vmac_global_param_enabled 1
To view the VMAC address of each virtual cluster interface, run the following command:
cphaprob -a if

Cluster Synchronization
To make sure each Gateway cluster member is aware of the connections going through the other members, a mechanism called State Synchronization exists, which allows status information about connections on the Security Gateways to be shared between the members. State Synchronization enables all machines in the cluster to be aware of the connections passing through each of the other machines. It ensures that if there is a failure in a cluster member, connections that were handled by the failed machine will be maintained by the other machines. Since the synchronization network carries the most sensitive Security Policy information in the organization, it is critical that system engineers protect it against malicious and unintentional threats. Check Point recommends using one of the following strategies to secure the synchronization interfaces:
+ Use a dedicated synchronization network.
+ Connect the physical network interfaces of the cluster members directly using a cross cable. In a cluster with three or more members, use a dedicated hub or switch.
Every IP-based service, including TCP and UDP, recognized by the Security Gateway is synchronized.
State Synchronization is used both by ClusterXL and by third-party OPSEC Certified clustering products. State Synchronization works in the following two modes:
+ Full Synchronization — Transfers all Firewall kernel table information from one cluster member to another. Full synchronization is used for initial transfers of state information for thousands of connections. If a cluster member is brought up after failing, it will perform full sync. Once all members are synchronized, only updates are transferred via delta sync. Full synchronization between cluster members is handled by the Firewall kernel using TCP port 256.
+ Delta Synchronization — Transfers changes in the kernel tables between cluster members. Delta sync is much quicker than full sync. It is handled by the Firewall kernel, using UDP Multicast or Broadcast on port 8116.
Running cphastart on a cluster member activates ClusterXL on the member and is the recommended way to start a cluster member. It does not initiate full synchronization. cphastop turns off the cluster process; State Synchronization also stops. It is still possible to open connections directly to the cluster member. These commands should only be run by the Security Gateway, not directly by the user. To monitor the synchronization mechanism on ClusterXL or third-party OPSEC Certified clustering products, run:
fw ctl pstat