Checkpoint Firewall Interview Questions
In asymmetric encryption two different keys are used to encrypt and decrypt a packet: one key encrypts the packet and the other key decrypts it. The same key cannot both encrypt and decrypt.
Secure Internal Communications (SIC) is the Check Point feature that ensures
components, such as Security Gateways, SmartCenter Server, SmartConsole, etc. can
communicate with each other freely and securely using a simple communication
initialization process.
Order of operations in the case of Source NAT:
Anti-spoofing
Session lookup
Policy lookup
Routing
NAT
Order of operations in the case of Destination NAT:
Anti-spoofing
Session lookup
Policy lookup
NAT
Routing
What is Anti-Spoofing?
The Stealth rule protects the Check Point gateway itself from direct access: it drops all traffic whose destination is the gateway. It should be placed at the top of the Security rule base, below only the rules that must reach the gateway itself (for example the management rule that lets the Security Management server and administrators connect). Rules are matched top-down, so any rule placed under the Stealth rule that targets the gateway would never be reached.
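Added example (not from the original page): a toy first-match rule base that shows why the position of the Stealth rule matters. The interface addresses, networks, service names and rule names are constructed for illustration.

```python
"""Added example (not from the original page): a toy first-match rule base
that shows why the position of the Stealth rule matters. Interface addresses,
networks, services and rule names are constructed for illustration."""
from ipaddress import ip_address, ip_network

# The gateway's own interface addresses (constructed); "Gateway" in a rule means any of these.
GATEWAY_IPS = {ip_address("203.0.113.1"), ip_address("10.0.0.1")}
MGMT_NET = ip_network("10.0.0.0/24")     # Security Management server and admin workstations (constructed)


class Rule:
    def __init__(self, name, src, dst, services, action):
        # src/dst: "Any", "Gateway" or an ip_network; services: "Any" or a set of service names
        self.name, self.src, self.dst, self.services, self.action = name, src, dst, services, action


def _match_addr(obj, ip):
    if obj == "Any":
        return True
    if obj == "Gateway":
        return ip_address(ip) in GATEWAY_IPS
    return ip_address(ip) in obj


def evaluate(rulebase, src, dst, service):
    """First-match evaluation, top to bottom. Anything no explicit rule matches
    hits the implicit cleanup rule and is dropped."""
    for rule in rulebase:
        if (_match_addr(rule.src, src) and _match_addr(rule.dst, dst)
                and (rule.services == "Any" or service in rule.services)):
            return rule.action, rule.name
    return "drop", "implicit cleanup"


STEALTH = Rule("Stealth", "Any", "Gateway", "Any", "drop")
MGMT = Rule("Management", MGMT_NET, "Gateway", {"CPMI", "https", "ssh"}, "accept")
OUTBOUND = Rule("Outbound web", ip_network("10.0.0.0/8"), "Any", {"http", "https"}, "accept")
CLEANUP = Rule("Cleanup", "Any", "Any", "Any", "drop")   # explicit cleanup rule, so drops are logged

# Stealth rule literally first: the management rule below it can never match,
# and administrators lock themselves out of the gateway.
BAD_ORDER = [STEALTH, MGMT, OUTBOUND, CLEANUP]
# Management rule above the Stealth rule: admins get in, anyone else touching the
# gateway itself is dropped, and traffic passing through the gateway is unaffected.
GOOD_ORDER = [MGMT, STEALTH, OUTBOUND, CLEANUP]

if __name__ == "__main__":
    for label, rb in ("bad", BAD_ORDER), ("good", GOOD_ORDER):
        print(label, "admin ssh to gateway ->", evaluate(rb, "10.0.0.50", "10.0.0.1", "ssh"))
        print(label, "internet ssh to gateway ->", evaluate(rb, "198.51.100.7", "203.0.113.1", "ssh"))
        print(label, "internal https out ->", evaluate(rb, "10.1.2.3", "93.184.216.34", "https"))
```

With BAD_ORDER the administrator's SSH to the gateway is dropped by the Stealth rule; with GOOD_ORDER the same packet is accepted by the Management rule while SSH from the Internet to the gateway is still dropped by the Stealth rule, and traffic through the gateway is decided by the rules below it.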
CPD - CPD is high in the hierarchical chain of processes and executes many services, such as Secure Internal Communication (SIC), licensing and status reporting.
FWM - The FWM process is responsible for the database activities of the SmartCenter server. It is therefore responsible for policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.
Central License
Local Licenses
Central licenses are the newer licensing model, introduced with NG, and are bound to the SmartCenter server (its IP address). Local licenses are the legacy licensing model and are bound to the enforcement module (the gateway's IP address).
Gaia is the latest Check Point operating system; it combines SecurePlatform (SPLAT) and IPSO. Some benefits of Gaia compared to SPLAT/IPSO:
Core Technologies: Check Point uses a common set of core technologies, such as
INSPECT for security inspection, across multiple layers of security.
Central Management: All Check Point products can be managed and monitored from
a single administrative console.
Open Architecture: Check Point has built its security architecture to be open
and interoperable in a heterogeneous environment. For example, Check Point products
can interoperate with other network and security equipment from third-party vendors
to enable cooperative enforcement of Security Policies.
The three components of the Check Point three-tier architecture:
SmartConsole.
Security Management.
Security Gateway.
What is NAT?
NAT stands for Network Address Translation. It maps private IP addresses to public IP addresses and public IP addresses back to private ones. It is mainly used to hide the internal network and servers from the Internet, and to let hosts with private IP addresses reach the Internet, because private addresses are not routable on the Internet.
Source NAT is used when traffic is initiated from the internal network towards an external network. In source NAT only the source IP address is translated, to a public IP address.
What is IPSec?
IPSec (IP Security) is a set of protocols that secures communication between two hosts, or between two networks, over a public network such as the Internet. IPSec provides confidentiality, integrity, authenticity and anti-replay protection.
AH (Authentication Header).
What are the protocols of IPSec, and what are their protocol numbers?
IPSec uses two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH uses IP protocol number 51 and ESP uses IP protocol number 50.
What is a VPN (Virtual Private Network)?
A VPN (Virtual Private Network) creates a secure connection between two private networks over the Internet. It uses encryption and authentication to protect data in transit. There are two types of VPN.
ESP - ESP is part of the IPsec suite. It provides confidentiality, integrity and authenticity, and is used in two modes: transport mode and tunnel mode.
AH - AH is also part of the IPsec suite. It provides only authentication and integrity and does not provide encryption. It is likewise used in two modes: transport mode and tunnel mode.
A rule in the rule base that is created manually by the network security administrator is called an explicit rule.
Hide NAT translates multiple private IP addresses, or a whole network, to a single public IP address: a many-to-one translation. It keeps the connections apart by also translating the source port, so it can only be used for source NAT; Hide NAT cannot be used for destination NAT, because an unsolicited inbound packet to the hide address has no unique internal host to map to.
When the destination IP address must be translated so that a connection to a public IP address reaches a host on the internal private network, only static (one-to-one) NAT can be used for destination NAT.
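Added example (not from the original page): a toy model of the order of operations given above (anti-spoofing, session lookup, policy lookup, destination NAT, route lookup, source NAT) with a static NAT entry for an inbound server and a Hide NAT rule for outbound clients. It shows that the route lookup runs on the destination after translation, that Hide NAT allocates a new source port to keep the many-to-one mapping reversible, and that an unsolicited inbound packet to the hide address has nothing to map to. The interfaces, addresses, routes, rules and port numbers are constructed for illustration; the rule base is matched on the packet as it arrived (before NAT), consistent with the order listed above.

```python
"""Added example (not from the original page): a toy model of the order of
operations given above (anti-spoofing, session lookup, policy lookup,
destination NAT, route lookup, source NAT), with a static NAT rule for an
inbound server and a Hide NAT rule for outbound clients. Interfaces,
addresses, routes, rules and port numbers are constructed for illustration."""
from ipaddress import ip_address, ip_network

INTERNAL = {"eth1": ip_network("10.1.0.0/16")}   # internal interface -> its topology
EXTERNAL = "eth0"                                 # external interface: everything not internal
HIDE_IP = ip_address("203.0.113.1")               # gateway's external address, used for Hide NAT
ROUTES = [(ip_network("10.1.0.0/16"), "eth1"), (ip_network("0.0.0.0/0"), "eth0")]

# Static NAT: one public address <-> one private address, usable in both directions.
STATIC_NAT = {ip_address("203.0.113.10"): ip_address("10.1.0.10")}
# Hide NAT: a whole network hidden behind HIDE_IP; only usable for source NAT.
HIDE_SOURCES = ip_network("10.1.0.0/16")

# Rule base, matched on the packet as it arrived (before NAT), per the order above.
POLICY = [
    ("inbound web", ip_network("0.0.0.0/0"), ip_network("203.0.113.10/32"), {443}),
    ("outbound web", HIDE_SOURCES, ip_network("0.0.0.0/0"), {80, 443}),
]


class Gateway:
    def __init__(self):
        self.sessions = {}        # (src, sport, dst, dport) as seen on the wire -> translated tuple + out_if
        self.next_hide_port = 10000

    def anti_spoofing(self, iface, src):
        # An internal interface accepts only sources in its own topology; the
        # external interface accepts anything that is not an internal address.
        if iface == EXTERNAL:
            return not any(src in net for net in INTERNAL.values())
        return src in INTERNAL[iface]

    def policy_lookup(self, src, dst, dport):
        for name, s, d, ports in POLICY:
            if src in s and dst in d and dport in ports:
                return name
        return None

    def route_lookup(self, dst):
        # Longest-prefix match on the destination *after* destination NAT.
        hits = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
        return max(hits)[1] if hits else None

    def process(self, iface, src, sport, dst, dport):
        src, dst = ip_address(src), ip_address(dst)
        if not self.anti_spoofing(iface, src):                      # 1. anti-spoofing
            return {"verdict": "drop", "stage": "anti-spoofing"}
        key = (src, sport, dst, dport)
        if key in self.sessions:                                    # 2. session lookup
            t_src, t_sport, t_dst, t_dport, out_if = self.sessions[key]
            return {"verdict": "accept", "stage": "session", "src": str(t_src), "sport": t_sport,
                    "dst": str(t_dst), "dport": t_dport, "out_if": out_if}
        rule = self.policy_lookup(src, dst, dport)                  # 3. policy lookup
        if rule is None:
            return {"verdict": "drop", "stage": "policy"}
        # 4. destination NAT: only a static (one-to-one) entry can map an inbound
        #    packet; the hide address has no fixed internal host behind it.
        new_dst = STATIC_NAT.get(dst, dst)
        # 5. route lookup on the translated destination, so the real server is reached
        out_if = self.route_lookup(new_dst)
        # 6. source NAT: hide internal clients behind HIDE_IP with a fresh source port,
        #    which is what makes the many-to-one mapping reversible for replies.
        new_src, new_sport = src, sport
        if src in HIDE_SOURCES and out_if == EXTERNAL:
            new_src, new_sport = HIDE_IP, self.next_hide_port
            self.next_hide_port += 1
        # Record both directions so the reply is handled by session lookup and un-translated.
        self.sessions[key] = (new_src, new_sport, new_dst, dport, out_if)
        self.sessions[(new_dst, dport, new_src, new_sport)] = (dst, dport, src, sport, iface)
        return {"verdict": "accept", "stage": "policy", "rule": rule, "src": str(new_src),
                "sport": new_sport, "dst": str(new_dst), "dport": dport, "out_if": out_if}


if __name__ == "__main__":
    gw = Gateway()
    print(gw.process("eth0", "198.51.100.7", 40000, "203.0.113.10", 443))   # static DNAT, routed to eth1
    print(gw.process("eth1", "10.1.0.10", 443, "198.51.100.7", 40000))      # reply: session lookup undoes NAT
    print(gw.process("eth1", "10.1.0.50", 51000, "93.184.216.34", 80))      # Hide NAT after route lookup
    print(gw.process("eth0", "10.1.0.77", 1234, "203.0.113.10", 443))       # internal source on eth0: spoofed
    print(gw.process("eth0", "198.51.100.7", 5000, "203.0.113.1", 80))      # unsolicited packet to hide address
```

Each call returns the stage at which the packet was decided and, for accepted packets, the addresses and ports as they leave the gateway. The reply to a hidden client is recognised by the session lookup alone and mapped back to the original client by its translated source port; no policy or NAT rule is consulted for it.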
What is SIC?
SIC - SIC stands for Secure Internal Communication. It is a Check Point firewall feature that secures communication between Check Point components. It is used when the Security Gateway and the Security Management server are installed in a distributed deployment. It provides authentication and encryption for that communication.
Secure Internal Communication (SIC) lets Check Point platforms and products
authenticate with each other. The SIC procedure creates a trusted status between
gateways, management servers and other Check Point components. SIC is required to
install policies on gateways and to send logs between gateways and management
servers.
The ICA is created during the Security Management server installation process. The
ICA is responsible for issuing certificates for authentication. For example, ICA
issues certificates such as SIC certificates for authentication purposes to
administrators and VPN certificates to users and gateways.
Note - For SIC to succeed, the clocks of the gateways and servers must be
synchronized.
The Internal Certificate Authority (ICA) is created when the Security Management
server is installed. The ICA issues and delivers a certificate to the Security
Management server.
To initialize SIC:
In the Communication window of the object, enter the Activation Key that you
created in step 2.
Click Initialize.
The ICA signs and issues a certificate to the gateway. The trust state is "Initialized but not trusted": the certificate has been issued for the gateway but not yet delivered.
SSL negotiation takes place. The two communicating peers authenticate each other with their Activation Key.
The certificate is downloaded securely and stored on the gateway.
After successful Initialization, the gateway can communicate with any Check Point
node that possesses a SIC certificate, signed by the same ICA. The Activation Key
is deleted. The SIC process no longer requires the Activation Key, only the SIC
certificates.
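Added example (not from the original page): a simulation of the SIC initialization steps above, written with the Python standard library only. The ICA's certificate signature is modelled as an HMAC under a key that only the ICA holds, standing in for the X.509 certificates and asymmetric signatures real SIC uses; the component names, activation keys, nonces and timestamps are constructed. It shows the one-time use of the Activation Key, its deletion after trust is established, the requirement that peers hold certificates from the same ICA, and why the note about synchronized clocks matters (a certificate not yet valid at the verifier's clock is rejected).

```python
"""Added example (not from the original page): a simulation of the SIC
initialization steps above, written with the standard library only. The ICA's
certificate signature is modelled as an HMAC under a key only the ICA holds;
real SIC uses X.509 certificates and asymmetric signatures. Component names,
activation keys, nonces and timestamps are constructed for illustration."""
import hashlib
import hmac
import json

CERT_FIELDS = ("subject", "not_before", "not_after")


def _mac(key, message):
    """Keyed hash standing in for a signature, or for proof of the activation key."""
    if isinstance(key, str):
        key = key.encode()
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def _body(cert):
    return json.dumps({k: cert[k] for k in CERT_FIELDS}, sort_keys=True)


class ICA:
    """Internal Certificate Authority, created with the Security Management server."""

    def __init__(self, signing_key, now):
        self.signing_key = signing_key       # stand-in for the ICA's private key (constructed)
        self.clock = now                     # the management server's clock
        self.pending = {}                    # gateway name -> one-time activation key

    def set_activation_key(self, gateway, activation_key):
        # The key entered for the gateway object in SmartConsole (and on the gateway).
        self.pending[gateway] = activation_key

    def issue(self, gateway):
        # "The ICA signs and issues a certificate to the gateway" (not yet delivered).
        cert = {"subject": gateway, "not_before": self.clock,
                "not_after": self.clock + 5 * 365 * 86400}
        cert["sig"] = _mac(self.signing_key, _body(cert))
        return cert

    def deliver(self, gateway, nonce, proof):
        # "The two communicating peers are authenticated with their Activation Key":
        # the gateway proves knowledge of the key over a nonce without sending the key.
        activation_key = self.pending.get(gateway)
        if activation_key is None or not hmac.compare_digest(proof, _mac(activation_key, nonce)):
            return None
        del self.pending[gateway]            # the activation key is one-time
        return self.issue(gateway)

    def verify(self, cert, now):
        """Peers accept a certificate only if it was signed by this ICA and is
        valid at the verifier's clock; a skewed clock makes a fresh cert fail."""
        return (hmac.compare_digest(cert["sig"], _mac(self.signing_key, _body(cert)))
                and cert["not_before"] <= now <= cert["not_after"])


class Gateway:
    def __init__(self, name, activation_key):
        self.name = name
        self.activation_key = activation_key
        self.cert = None

    def initialize_sic(self, ica, nonce):
        proof = _mac(self.activation_key, nonce)
        cert = ica.deliver(self.name, nonce, proof)
        if cert is None:
            return "Uninitialized"
        self.cert = cert                     # "downloaded securely and stored on the gateway"
        self.activation_key = None           # "The Activation Key is deleted"
        return "Trust established"


if __name__ == "__main__":
    NOW = 1_700_000_000
    ica = ICA(b"constructed-ica-signing-key", NOW)
    ica.set_activation_key("gw-branch1", "s3cret-activation")
    gw = Gateway("gw-branch1", "s3cret-activation")
    print(gw.initialize_sic(ica, "nonce-1"), gw.activation_key)       # Trust established None
    print(ica.verify(gw.cert, NOW + 60), ica.verify(gw.cert, NOW - 3600))   # True False (clock skew)
    print(ica.verify(ICA(b"a-different-ica", NOW).issue("rogue"), NOW))   # False: not the same ICA
```

After a successful initialization the gateway holds only the certificate; the Activation Key is gone on both sides, so a later peer that knows the key but has no certificate gains nothing, and a certificate issued by a different ICA is not trusted.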
IPSec works at the IP layer (network layer) and provides security services for the network layer and above.
SAM Database.
Address Spoofing.
Session Lookup.
Policy Lookup.
Destination NAT.
Route Lookup.
Source NAT.
Layer 7 Inspection.
VPN.
Routing.
Avoid Routing.
Overlapping Network.