Checkpoint

Difference between fwstop/fwstart and cpstop/cpstart? Using fwstop/ fwstart will only restart VPN-1/FireWall-1, and using cpstop/ cpstart will restart all Check Point components, including the SVN foundation.

What do you know about CPD, FWM, and FWD processes ? CPD – It helps to execute many services, such as Secure Internal Communcation (SIC), Licensing and status report. FWM – It is responsible for the execution of the database activities of the SmartCenter server – responsible for Policy installation, Management High Availability(HA) Synchronization, saving the Policy, Database Read/Write action, Log Display, etc. FWD – It is required for logging. It is executed in relation to logging, Security Servers and communication with OPSEC applications.

How to check clustering on checkpoint firewalls which command? Use command cphaprob stat

How to check/capture traffic on checkpoint firewall? Fw monitor is being used for traffic capturing in checkpoint, it is in built. For example, Display all packets from 10.1.0.1 to 10.2.0.1 fw monitor -e ‘accept src=10.1.0.1 and dst=10.2.0.1;’

Smartview tracker also will be useful to see if traffic is allowed on certain ports via certain policies. What is Anti-spoofing? Anti-Spoofing feature ensures that the IP addresses of the packets entering the FireWall are valid. It verifies that packets originate from and are destined to the correct interfaces on the

gateway. It confirms which packets actually come from the specified internal network interface. It also verifies that once a packet is routed, it goes through the proper interface.

A packet coming from an external interface, even if it has a spoofed internal IP address, is blocked because the firewall anti-spoofing feature detects that the packet arrived from the wrong interface.

Configuring Anti-Spoofing: It is important to configure anti-spoofing protection on every interface of every Security Gateway, including internal interfaces.

Configuration on R75, see below, Source: Firewall R75 Administration Guide. (Free available) Configuring Anti-Spoofing: It is important to configure anti-spoofing protection on every interface of every Security Gateway, including internal interfaces.

Configuring Anti-Spoofing for External Interfaces: To define a valid address for external interfaces: 1. 2. 3. 4. 5.

6. 7. 8. 9.

 

In SmartDashboard, select Manage > Network Objects. Select a gateway and click Edit. From the list of pages, click Topology. Click Get > Interfaces to obtain interface information of the gateway machine. Click Accept. (If SmartDashboard cannot retrieve the topology information, check that the gateway General Properties are listed correctly and that the gateway, the Security Management server, and the SmartDashboard all have functioning communications.) In the Topology page, select the interface to the Internet and click Edit. In the Interface Properties window, open the Topology tab. Select External (leads out to the Internet). Under Anti-Spoofing action is set to, select one of the following:

Prevent - to block packets that have been spoofed. Detect - to allow packets that have possibly been spoofed. This option is used for monitoring purposes and should be used in conjunction with one of the tracking options.

It serves as a tool for learning the topology of a network without actually rejecting packets.

1. Under Spoof Tracking, select Log and click OK. 2. Repeat step 1 to step 8 for all internal interfaces. 3. Install the security policy: Policy > Install.

Configuring Anti-Spoofing for Internal Interfaces: To define a valid address for internal interfaces: 1. 2. 3. 4.

In SmartDashboard, select Manage > Network Objects. Select the Check Point gateway and click Edit. In the gateway window, select Topology. In the Topology window, click Get > Interfaces to obtain interface information of the gateway machine. 5. Under the Name column, select the internal interface and click Edit. 6. 6. In the Interface Properties window, click Topology, and then select Internal (leads to the local network). 7. Under IP Addresses behind this interface, do one of the following:  

If there is only one network behind the interface, select Network defined by the interface IP and Net Mask. If there is more than one network behind the interface, define a group network object that consists of all the networks behind the interface by selecting Specific and the group.

1. Select Perform Anti-Spoofing based on interface topology. 2. Under Anti-Spoofing action is set to, select one of the following:  

Prevent - to block packets that have been spoofed. Detect - to allow packets that have possibly been spoofed. This option is used for monitoring purposes and should be used in conjunction with one of the tracking options. It serves as a tool for learning the topology of a network without actually rejecting packets.

1. Under Spoof Tracking, select Log and click OK. 2. Repeat step 1 to step 8 for all internal interfaces. 3. Install the security policy: Policy > Install.

Excluding Specific Internal Addresses In some cases, it may be necessary to allow packets with source addresses that belong to an internal network to enter the gateway through an external interface. This may be useful if an external application assigns internal IP addresses to external clients. In this case, you can specify that anti-spoofing checks are not made on packets from specified internal networks.

I was thinking how to explain this in better way and found following link in my bookmarks. Source: Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide by Dameon D. Welch-Abernathy

Topology and Anti-Spoofing: It is important to understand which hosts are being protected by the firewall. It is also important to know on which interface any given host is supposed to appear. When a host IP address appears on the “wrong” interface, this is a potentially serious problem – a misconfigured host or router, or an intruder! To catch these sorts of issues, we establish anti-spoofing on the firewall, that is, preventing the use of IP addresses on interfaces where the hosts should not appear. When you define anti-spoofing, you assert that only packets with source IPs defined for an interface are allowed to originate traffic on the interface. For example, if a valid address is 192.168.182.0/24 and the interface is le0, the following are true. This is different from FireWall-1 4.1, which also validated that a packet being routed to a specific interface was also valid. This caused all sorts of problems with address translation.    

A packet with source IP address 192.168.182.4 can come into le0. A packet with source IP address 192.168.1.8 cannot come into le0. A packet with destination IP address 192.168.182.4 can come into le0. A packet with destination IP address 10.0.0.4 cannot come into le0.

In FireWall-1 4.1 and earlier, this was defined in the Valid Address setting in the Interface portion of the gateway object. In the NG version, the setting is now called Topology, and we define it in the Topology frame of the gateway object. Unlike the Valid Address setting in FireWall-1 4.1, the Topology setting is also used to define “external” interfaces, which is important for licensing.

Interface Properties, Topology tab The options on the Topology tab include the following. External: All IP addresses not specified on other interfaces are considered valid on this interface. This is similar to the “others” option in FireWall-1 4.1 and earlier. This is also relevant for node-limited licenses in that it indicates no hosts should be counted on this interface for licensing purposes. Internal: Only the IP addresses specified are considered valid on this interface. The next three options allow you to specify which IPs are valid. Not Defined: The IP addresses reachable from this interface are undefined. This option disables anti-spoofing on this interface. In addition, any IPs behind this interface will not be included in your encryption domain, assuming it is defined by topology instead of manually. Network defined by the interface IP and Net Mask: This option specifically means “the logical network this interface is on.” It is defined by the interface’s IP address and netmask per the configuration screen. All other networks are not considered valid. In FireWall-1 4.1 and earlier, this option was titled the more confusing This Net. Specific: This option refers to a defined group of network objects (networks, hosts) that make up the valid addresses for this interface. This is typically used where there are multiple networks reachable from this interface. Perform Anti-Spoofing based on interface topology: If this option is checked, anti-spoofing will be performed on this interface, assuming that Not Defined is not selected. If unchecked, anti-spoofing will not be performed on this interface. Spoof tracking can be set to None (no logging), Log, or Alert. If you enable anti-spoofing, it is highly recommended that you enable logging of this property. All anti-spoofing drops will log as Rule 0. If you want to log IP Options drops, go to the Log and Alert frame of the Global Properties screen and enable IP Options Drop logging. Question 1 – Which of the applications in Check Point technology can be used to configure security objects? Answer: SmartDashboard Question 2 – Which of the applications in Check Point technology can be used to view who and what the administrator do to the security policy? Answer: SmartView Tracker

Question 3 – What are the two types of Check Point NG licenses? Answer: Central and Local licenses Central licenses are the new licensing model for NG and are bound to the SmartCenter server. Local licenses are the legacy licensing model and are bound to the enforcement module. Question 4 – What is the main different between cpstop/cpstart and fwstop/fwstart? Answer: Using cpstop and then cpstart will restart all Check Point components, including the SVN foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1. Question 5 – What are the functions of CPD, FWM, and FWD processes? Answer: CPD – CPD is a high in the hierarchichal chain and helps to execute many services, such as Secure Internal Communcation (SIC), Licensing and status report. FWM – The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is; therefore, responsible for Policy installation, Management High Availability (HA) Synchronization, saving the Policy, Database Read/Write action, Log Display, etc. FWD – The FWD process is responsible for logging. It is executed in relation to logging, Security Servers and communication with OPSEC applications. Question 6 – How to Install Checkpoint Firewall NGX on SecurePlatform? Answer: 1. Insert the Checkpoint CD into the computers CD Drive. 2. You will see a Welcome to Checkpoint SecurePlatform screen. It will prompt you to press any key. Press any key to start the installation,otherwise it will abort the installation. 3.You will now receive a message saying that your hardware was scanned and found suitable for installing secureplatform. Do you wish to proceed with the installation of Checkpoint SecurePlatform. Of the four options given, select OK, to continue. 4.You will be given a choice of these two: SecurePlatform SecurePlatform Pro Select Secureplatform Pro and enter ok to continue. 5.Next it will give you the option to select the keyboard type. Select your Keyboard type (default is US) and enter OK to continue.

6.The next option is the Networking Device. It will give you the interfaces of your machine and you can select the interface of your choice. 7.The next option is the Network Interface Configuration. Enter the IP address, subnet mask and the default gateway. For this tutorial, we will set this IP address as 1.1.1.1 255.255.255.0 and the default gateway as 1.1.1.2 which will be the IP address of your upstream router or Layer 3 device. 8.The next option is the HTTPS Server Configuration. Leave the default and enter OK. 9.Now you will see the Confirmation screen. It will say that the next stage of the installation process will format your hard drives. Press OK to Continue. 10.Sit back and relax as the hard disk is formated and the files are being copied. Once it is done with the formatting and copying of image files, it will prompt you reboot the machine and importantly REMOVE THE INSTALLATION CD. Press Enter to Reboot. Note: Secureplatform disables your Num Lock by over riding System BIOS settings, so you press Num LOck to enable your Num Lock. For the FIRST Time Login, the login name is admin and the password is also admin. 11.Start the firewall in Normal Mode. 12.Configuring Initial Login: Enter the user name and password as admin, admin. It will prompt you for a new password. Chose a password. Enter new password: check$123 Enter new password again: check$123 You may choose a different user name: Enter a user name:fwadmin Now it will prompt you with the [cpmodule]# prompt. 13. The next step is to launch the configuration wizard. To start the configuration wizard, type “sysconfig”. You have to enter n for next and q for Quit. Enter n for next.

14.Configuring Host name: Press 1 to enter a host name. Press 1 again to set the host name. Enter host name: checkpointfw You can either enter an ip address of leave it blank to associate an IP address with this hostname. Leave it blank for now. Press 2 to show host name. It now displays the name of the firewall as checkpointfw. Press e to get out of that section. 15.Configuring the Domain name. Press 2 to enter the config mode for configuring the domain mode. Press 1 to set the domain name. Enter domain name:yourdomain.com Example: Enter domain name: checkpointfw.com You can press 2 to show the domain name. 16. Configuring Domain Name Servers. You can press 1 to add a new domain name server. Enter IP Address of the domain name srever to add: Enter your domain name server IP Address HERE. Press e to exit. Network Connections. 17. Press 4 to enter the Network Connections parameter. Enter 2 to Configure a new connection. Your Choice: 1) eth0 2) eth1 3) eth2 4) eth3

Press 2 to configure eth1. (We will configure this interface as the inside interface with an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0. The default gateway will be configured as 1.1.1.1.) Press 1) Change IP settings. Enter IP address for eth1 (press c to cancel): 192.168.1.1 Enter network Mask for interface eth2 (press c to cancel): 255.255.255.0 Enter broadcast address of the interface eth2 (leave empty for default): Enter Pres Enter to continue…. Similarly configure the eth2 interface, which will be acting as a DMZ in this case with 10.10.10.1 255.255.255.0. Press e to exit the configuration menu. 18.Configuring the Default Gateway Configuration. Enter 5 which is the Routing section to enter information on the default gateway configuration. 1.Set default gateway. 2.Show default gateway. Press 1 to enter the default gateway configuration. Enter default gateway IP address: 1.1.1.2 19. Choose a time and date configuration item. Press n to configure the timezone, date and local time. This part is self explanatory so you can do it yourself. The next prompt is the Import Checkpoint Products Configuration. You can n for next to skip this part as it is not needed for fresh installs. 20. Next is the license agreement.You have the option of V for evaluation product, U for purchased product and N for next. If you enter n for next. Press n for next. Press Y and accept the license agreement. 21.The next section would show you the product Selection and Installation option menu. Select Checkpoint Enterprise/Pro.

Press N to continue. 22. Select New Installation from the menu. Press N to continue. 23. Next menu would show you the products to be installed. Since this is a standalone installation configuration example, select VPN Pro and Smartcenter Press N for next 24.Next menu gives you the option to select the Smartcenter type you would like to install. Select Primary Smartcenter. Press n for next. A validation screen will be seen showing the following products: VPN-1 Pro and Primary Smartcenter. Press n for next to continue. Now the installation of VPN-1 Pro NGX R60 will start. 25. The set of menu is as follows: Do you want to add license (y/n) You can enter Y which is the default and enter your license information. 26. The next prompt will ask you to add an administrator. You can add an administrator. 27.The next prompt will ask you to add a GUI Client. Enter the IP Address of the machine from where you want to manage this firewall. 28. The final process of installation is creation of the ICA. It will promtp you for the creation of the ICA and follow the steps. The ICA will be created. Once the random is configured ( you dont have to do anything), the ICA is initialized.

After the ICA initialized, the fingerprint is displayed. You can save this fingerprint because this will be later used while connecting to the smartcenter through the GUI. The two fingerprints should match. This is a security feature. The next step is reboot. Reboot the firewall. Question 7 – What are the types of NAT and how to configure it in Check Point Firewall? Answer: Static Mode – manually defined

CHECKPOINT

Q.1 Q.2 Q.3 Q.4 Q.5 Q.6 Ans.

What is Checkpoint Architecture? How Checkpoint Component communicate and Syns with each other? What are the major differences between SPLAT and GAIA? What are the different – different Checkpoint Ports and purpose of these ports? How SIC work? What are the different ports of SIC? Checkpoint Packet flow for SNAT and DNAT?

In case of SNAT Antispoofing Session lookup Policy lookup Routing Netting

In case of DNAT Antispoofing Session lookup Policy lookup Netting Routing Q.7 Q.8 Q.9

How to configure perform DNAT before routing via Global Properties? What are the different – different modules of Checkpoint? What is Anti-Boat?

Q.10 Q.11 Q.12 Q.13 Q.14 Q.15 Q.16 Q.17 Q.18

How to block ICMP tunnel in checkpoint? Difference between fwstop and cpstop? What are the services which impacted during cpstop and spstart? What is CPinfo? And why it is used? What are Cluster_XL, Secure_XL and CORE_XL? What is Provider1? What is MDF Database? How to configure SMC HA? How to check License via Smartview Monitor?

CHECKPOINT CLUSTER Q.1 Q.2 Q.3 Q.4 Q.5 Q.6

Which protocol use in Checkpoint for Clustering? How Cluster_XL works? What the ports used by Cluster_XL? What are the New and Legacy Mode in Clustering? What are Delta and Full Mode in Clustering? Step by Step Process of configuring Checkpoint Cluster? How to use VRRP for Checkpoint Clustering?

CHECKPOINT VPN Q.1 Difference between IPSec and SSL VPN? Q.2 Difference between Domain Base and Route Base VPN? Q.3 What are the protocols of IPSec? And what are the Port numbers of various IPSec Protocols.? Q.4 What is NAT traversal? Where it used? Q.5 How use NAT in VPN Tunnel? Q.6 What is Norm in IPSec? Q.7 What the Phases of IPSec VPN? And many messages being exchanged in MAIN and QUICK Mode? What are these messages? Q.8 What is Encryption Domain?