SECURITY ENGINEERING
Student & Lab Manual R80.10
CHECK POINT INFINITY

© 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.

Document #: DOC-Manual-CCSE-R80.10
Content: Vanessa Johnson, Whitney Bentley
Graphics: Chunming Jia, Vanessa Johnson, Angela Abendan
Contributors: Beta Testing, Content Contribution, or Technical Review
Special Thanks
Certification Exam Development
Check Point Technical Publications Team

Table of Contents

Preface: Security Engineering
  Check Point Security Engineering Course
  Prerequisites
  Course Chapters and Learning Objectives
  Lab Topology
  Related Certification

Chapter 1: System Management
  Advanced Gaia
    Gaia Features and Benefits
    Upgrades
    Hotfixes
    CLI Commands
  Advanced Firewall
    Check Point Firewall Infrastructure
    The Firewall Kernel
    Packet Flow
    Chain Modules
    Stateful Inspection
    Security Servers
    Kernel Tables
    Policy Installation
    Network Address Translation
    Firewall Administration
  Review Questions
  Tasks
  Performance Objectives
  Lab 1.1: Upgrading to R80.10
    Migrating Management Server Data
    Installing the Security Management Server
    Configuring Security Management Server Using the Gaia Portal
    Installing SmartConsole
    Importing the Check Point Database
    Launching SmartConsole and Reconfiguring Existing Security Policies
  Lab 1.2: Applying Check Point Hotfixes
    Locating the CPUSE Identifier
    Installing the Hotfix on the Security Gateway
  Lab 1.3: Configuring a New Security Gateway Cluster
    Installing a Second Security Gateway
    Configuring the Bravo Security Gateway with the First Time Configuration Wizard
    Using the Gaia Portal to Configure the Security Gateway
    Re-configuring the Primary Gateway
    Configuring the Alpha Security Policy to Manage the Remote Security Gateway Cluster
  Lab 1.4: Core CLI Elements of Firewall Administration
    Managing Policy and Verifying Status from the CLI
    Reconfiguring the Security Policies
    Using fw monitor
    Using tcpdump
  Lab 1.5: Viewing the Chain Modules
    Evaluating the Chain Modules
    Modifying the Security Policy

Chapter 2: Automation & Orchestration
  Automation & Orchestration
    Check Point APIs
    Check Point API Architecture
    Management API Commands
    Management API Support
  Review Questions
  Tasks
  Performance Objectives
  Lab 2.1: Managing Objects Using the Check Point API
    Configuring the Check Point API
    Defining and Editing Objects in the API

Chapter 3: Redundancy
  Advanced ClusterXL
    Load Sharing
    Proxy ARP
    vMAC
    Cluster Synchronization
    Cluster Connectivity Upgrade
    Add a Member to an Existing Cluster
    Sticky Connections
    Management High Availability
    OPSEC Certified Clustering Products
  VRRP Clusters
    VRRP Types
  Review Questions
  Tasks
  Performance Objectives
  Lab 3.1: Deploying a Secondary Security Management Server
    Installing the Secondary Management Server
    Configuring Management High Availability
    Testing Management High Availability
  Lab 3.2: Enabling Check Point VRRP
    Viewing ClusterXL Failover
    Defining a Virtual Router for VRRP
    Configuring the Security Policy for VRRP

Chapter 4: Acceleration
  SecureXL: Security Acceleration
    Using SecureXL
    Packet Acceleration
    Session Rate Acceleration
    SecureXL Connection Templates
    Packet Flow
    VPN Capabilities
  CoreXL: Multicore Acceleration
    Using CoreXL
    Processing Core Allocation
    Dynamic Dispatcher
    Packet Flow with CoreXL and SecureXL Enabled
  Multiple Traffic Queues
    Using Multi-Queue
  Review Questions
  Tasks
  Performance Objectives
  Lab 4.1: Working with SecureXL
    Identifying Status of Current Connections
  Lab 4.2: Working with CoreXL
    Enabling CoreXL
    Reviewing CoreXL Settings

Chapter 5: SmartEvent
  The SmartEvent Solution
    SmartEvent Components
    SmartEvent Clients
    SmartEvent Workflow
    SmartEvent Deployment
    Defining the Internal Network
  Identifying an Event
  Monitoring the Network
    Event Queries
    Investigating Security Events
    Ticketing
    Importing Offline Log Files
  Remediating Security Events
    Configuring Event Policy
    Configuring IPS Policy
  Reporting Security Events
    Using Predefined Reports
    Defining Custom Reports
  Preventative Measures
    Creating a New Event Definition
    Reporting an Event to Check Point
    Eliminating False Positives
  SmartEvent Example
  High Availability Environment
  Security CheckUp
  Review Questions
  Tasks
  Performance Objectives
  Lab 5.1: Evaluating Threats with SmartEvent
    Configure the Network Object in SmartConsole
    Monitoring Events with SmartEvent

Chapter 6: Remote and Mobile Access
  Mobile Access Software Blade
    Mobile Access Wizard
    Mobile Access Workflow
    Gateway Security Features
  Mobile Access Deployment
    Choosing Remote Access Solutions
    Installation Types
    Secure Connectivity and Endpoint Security
    SSL VPN versus IPSec (Layer 3) VPN
  Clients
    Mobile Access Portal
    SSL Network Extender
    Check Point Mobile
    Check Point Capsule Workspace
    SecuRemote
  Additional Remote Access Options
  Check Point Capsule
    Capsule Workspace
    Capsule Docs
    Capsule Cloud
  Mobile Access Policy
    Mobile Access Rule Base
    Best Practices
  Review Questions
  Tasks
  Performance Objectives
  Lab 6.1: Managing Mobile Access
    Enable Mobile Access Blade
    Configure the Check Point Capsule Policy
    Testing Check Point Capsule

Chapter 7: Threat Prevention
  The Threat Landscape
    Zero-Day Attacks
    Advanced Persistent Threats
  Intrusion Prevention System
    IPS Profile Settings and Protections
    IPS Tuning and Maintenance
    Geo-Protection
  Antivirus
  Anti-Bot
  Sandboxing
    Operating System-Level Sandboxing
    CPU-Level Sandboxing
  Check Point SandBlast Zero-Day Protection
    SandBlast Components
    SandBlast Appliances
    SandBlast Cloud
    SandBlast Agent
  SandBlast Deployment
    Public Cloud Service
    Private Cloud
    Hybrid Solution (SandBlast Appliance and Cloud)
  Mobile Threat Prevention
    MTP Components
    Mobile Threat Prevention Workflow
  Review Questions
  Tasks
  Performance Objectives
  Lab 7.1: Understanding IPS Protections
    Configuring the Protection Profile
    Configuring the IPS Demonstration Tool
    Testing the Default Protections
    Modifying the Protection Profile Settings
    Working with Logs & Monitor to Investigate Threats
    Modifying an Existing Protection Profile
  Lab 7.2: Deploying IPS Geo Protection
    Modifying Anti-Spoofing Settings
    Configuring IPS Geo Protection
  Lab 7.3: Reviewing Threat Prevention Settings and Protections
    Review Threat Prevention Settings and Protections
    Testing EICAR Access
  Lab 7.4: Deploying Threat Emulation and Threat Extraction
    Use ThreatCloud to Verify File Safety
    Configure Threat Emulation to Inspect Incoming Traffic

Appendix A: Questions and Answers
  Chapter 1: System Management
  Chapter 2: Automation and Orchestration
  Chapter 3: Redundancy
  Chapter 4: Acceleration
  Chapter 5: SmartEvent
  Chapter 6: Remote and Mobile Access
  Chapter 7: Threat Prevention

Preface: Security Engineering

Welcome to the Check Point Cyber Security Engineering course.
This course provides an advanced and in-depth explanation of Check Point technology. It includes advanced upgrading, key techniques for building, deploying and enhancing network performance, and management and troubleshooting features to mitigate security risks. The course is intended to provide you with an understanding of the skills necessary to effectively design, maintain and protect your enterprise network.

Preface Outline
+ Prerequisites
+ Course Chapters and Learning Objectives
+ Lab Topology
+ Related Certification

Check Point Security Engineering Course
This course is designed for security experts and Check Point resellers who need to perform advanced deployment configurations of a Security Gateway and are working towards their Check Point Certified Security Engineering (CCSE) certification. The following professionals benefit most from this course:
+ System Administrators
+ Support Analysts
+ Network Engineers

Prerequisites
Successful completion of this course depends on knowledge of multiple disciplines related to network-security activities, including:
+ UNIX and Windows operating systems
+ Certificate management
+ System administration
+ CCSA training/certification
+ Networking (TCP/IP)

Course Chapters and Learning Objectives

Chapter 1: System Management
+ Understand system management procedures, including how to perform system upgrades and apply hotfixes.
+ Identify advanced CLI commands.
+ Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Chapter 2: Automation and Orchestration
+ Recognize how Check Point's flexible API architecture supports automation and orchestration of daily operations.
+ Understand how to use the management API, command line tools, and web services to read information, create objects, work on Security Policies, and send commands to the Check Point Security Management Server.

Chapter 3: Redundancy
+ Discuss advanced ClusterXL functions and redundancy.
+ Describe VRRP network redundancy and its advantages.

Chapter 4: Acceleration
+ Understand how SecureXL acceleration technology enhances and optimizes Security Gateway performance.
+ Understand how CoreXL acceleration technology enhances and improves Security Gateway performance.

Chapter 5: SmartEvent
+ Identify SmartEvent components used to store network activity logs and identify events.
+ Discuss the SmartEvent process that determines which network activities may lead to critical security issues.
+ Understand how SmartEvent can assist in detecting, remediating, and preventing security threats targeting organizations.

Chapter 6: Mobile Access
+ Discuss the Mobile Access Software Blade and how it secures communication and data exchange during remote connections.
+ Understand Mobile Access deployment options.
+ Recognize Check Point Remote Access solutions and how they differ.
+ Discuss Check Point Capsule components and how they work to protect mobile devices and business documents.

Chapter 7: Threat Prevention
+ Discuss different Check Point Threat Prevention solutions for dangerous attacks such as zero-day and Advanced Persistent Threats.
+ Understand how SandBlast, Threat Emulation, and Threat Extraction help to prevent security incidents.
+ Identify how Check Point Mobile Threat Prevention helps protect an organization from threats targeting company-issued smartphones and tablets.

Lab Topology
Labs for this course were developed using VMware Workstation. Your instructor will have information for the specific settings and configuration requirements of each virtual machine. Most lab exercises will require you to manipulate machines in the virtual network.
Review the starting lab topology pictured below. Note the location of each server in relation to the Security Gateways and how they are routed. Make sure you understand the purpose of each machine, and the credentials and applications used throughout the course.

Figure 1 — CCSE Lab Topology (Check Point R80.10 CCSE Lab Topology diagram)

Related Certification
The Check Point Certified Cyber Security Engineer (CCSE) certification is designed for partners and customers seeking to validate their expert-level knowledge of Check Point's software products and security solutions. Students must have a valid CCSA certification before challenging the CCSE exam.

Chapter 1: System Management

Cyber Security experts are expected to acquire and apply in-depth knowledge of systems used to securely manage the organization's network infrastructure. This course begins with a deep dive into the Check Point Gaia operating system, covering how to use essential CLI commands, perform upgrades, and apply hotfixes. We will also take a closer look at the Check Point Firewall infrastructure, chain modules, kernel tables, packet flow, and many more advanced Firewall processes and procedures.

Learning Objectives
+ Understand system management procedures, including how to perform system upgrades and apply hotfixes.
+ Identify advanced CLI commands.
+ Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Advanced Gaia
Check Point Gaia is the unified, revolutionary, secure operating system for all Check Point appliances, open servers, and virtualized gateways. The cutting-edge technology combines the best features of IPSO and Check Point's original secure operating system, SecurePlatform, into a single, harmonious operating system to provide greater operational efficiency and robust performance.

The Makings of Gaia
Gaia was derived from IPSO and SecurePlatform. The IPSO operating system was developed by Ipsilon Networks, a computer networking company specializing in IP switching during the 1990s. Nokia purchased Ipsilon Networks in 1997 and incorporated IPSO into their secure network appliances. Check Point acquired Nokia's Security business unit in April 2009. As a stripped-down operating system, IPSO provided enough functionality to run Check Point Firewalls, along with the incorporation of some standard Unix commands, such as top, ps, and df. It also provided great visibility into kernel statistics, such as network counters, interrupts, and more.

Check Point's SecurePlatform operating system is based on a kernel from Red Hat Software. SecurePlatform's hardened and optimized operating system eliminated software package components that were unnecessary for a network security device and modified or removed components that could present security risks. An easy-to-use command shell provided the set of commands required for configuration, administration, and system diagnostics, including network settings, backup and restore utilities, upgrading, and system log viewing. Routine management and maintenance of SecurePlatform was performed through a restricted shell called Standard mode. Standard mode enhanced the security of SecurePlatform by restricting access to utilities that, if used improperly, would damage system stability. SecurePlatform also consisted of a Web Graphical User Interface (WebUI), which enabled users to easily configure settings and perform first-time installations. SecurePlatform allowed all system resources to be dedicated to the operating system and the installed Check Point products.
With SecurePlatform, resources were no longer consumed by software such as GUIs, office applications, and network file systems.

Gaia Features and Benefits
Gaia supports the full suite of Check Point technologies, giving you improved connection capacity and the full power of Check Point security. Check Point Gaia offers these key values:
+ Combines the best features of IPSO and SecurePlatform.
+ Increases operational efficiency with a wide range of features.
+ Provides a secure platform for the most demanding environments.

Gaia simplifies and strengthens management with the segregation of duties by enabling role-based administrative access. Additionally, Gaia greatly increases operational efficiency with an advanced and intuitive software update agent, commonly referred to as the Check Point Update Service Engine (CPUSE). Gaia management is made simple with the intuitive and feature-rich WebUI, and instant search options for all commands and properties. The same powerful CLI commands from IPSO and SecurePlatform have been seamlessly integrated into Gaia, along with new commands and capabilities.

Figure 2 — Gaia Portal

Key Features
Key features of Gaia include:
+ Web-based User Interface with search navigation — This interface integrates all Gaia operating system management functions into a dashboard that is accessible via the most popular Web browsers, such as Internet Explorer, Chrome, Firefox, Opera, and Safari. The built-in search navigation tool delivers instant results, and for CLI-inclined users, a Shell Emulator pop-up window is only a single click away.
+ Full Software Blade support — Gaia provides support for comprehensive Security Gateway and Security Management Software Blade solutions deployed on Check Point appliances and open servers.
+ High connection capacity — Gaia is capable of boosting the connection capacity of existing Check Point appliances.
+ Role-based administrative access — Segregation of duties is part of a good Security Policy because it improves operational efficiency and auditing of administrative events. Role-based administrative access gives Gaia customers the ability and granularity to customize their security management policies to meet their business needs. User authentication and authorization is based on the industry-standard RADIUS and TACACS+ protocols. Specific levels of access can be granted based on each individual's role and responsibility.
+ Intelligent software updates — With Gaia, software update times are shortened and post-update testing is performed automatically. New releases and patches can be scheduled for automatic download and installed during off-peak hours for minimal business impact. Notification emails are sent about recommended updates and update statuses.
+ Native IPv4 and IPv6 support — Check Point Gaia allows easy interoperability with both networking protocols.
+ Clustering protocol support — Gaia fully supports ClusterXL, Check Point's proprietary network redundancy protocol, and standard VRRP on all Check Point appliances, open servers, and virtualized environments.
+ Manageable dynamic routing suite — Multiple dynamic routing and multicasting protocols are supported by Gaia, providing flexible and uninterrupted network connectivity. All can be managed from both the Gaia Portal or the CLI.

Supported Protocols

Dynamic Routing Protocols                      | Multicasting Protocols
RIP (RFC 1058)                                 | IGMPv2 (RFC 2236)
RIPv2 with authentication (RFC 1723)           | IGMPv3 (RFC 3376)
OSPFv2 (RFC 2328)                              | PIM-SM (RFC 4601)
OSPFv3 (RFC 5340)                              | PIM-SSM (RFC 4601)
OSPF NSSA (RFC 3101)                           | PIM-DM (RFC 3973)
BGP4 (RFCs 1771, 1963, 1966, 1997, 2918)       | PIM-DM state refresh (draft-ietf-pim-refresh-02.txt)

Table 1 — Gaia Supported Dynamic and Multicasting Protocols

Upgrades
As a Cyber Security Engineer, it is important to evaluate the overall health, compliance, and performance of your network. This often entails the task of deciding whether to install new hardware to fit business needs or to upgrade to newer software versions to ensure the efficiency of the existing environment. Check Point recommends installing the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements, and protections against new and evolving attacks. Upgrades provide added enhancements over an earlier version and eliminate the complexities of re-creating product configurations, Security Policies, and objects. Before upgrading appliances or open servers, verify the interoperability and upgrade path of your existing environment and make use of the appropriate Check Point upgrade tools. To upgrade from R77.XX to R80.10, an advanced upgrade with database migration process must be performed. Upgrades from R80 to R80.10 are performed through the software update agent, CPUSE.

NOTE: Upgrades to R80 and above are not supported from IPSO and SecurePlatform. For more information, refer to Check Point's Upgrade Map.
Upgrade Tools
Upgrade tools back up Check Point configurations, independent of hardware, operating system, and Check Point security management platform version. Use the upgrade tools to back up Check Point configuration settings on disk partitions of Check Point appliances and open servers. Disk space requirements for upgrades vary based on the upgrade version. Before starting an upgrade, refer to the release notes of the desired platform version to verify the space requirements for each disk partition, such as the /var/log/ and root partitions.

There is a different package of upgrade tools for each platform. Download the latest version of the upgrade tools from the Check Point support site. Before upgrading, a valid service contract that includes software upgrades and major releases must be registered to your organization's Check Point User Center account. The upgrade tools package consists of several files, including the files noted in the table below.

Package File          | Description
migrate.conf          | Holds configuration settings for Advanced Upgrade with Database Migration.
migrate               | Runs Advanced Upgrade with migration.
pre_upgrade_verifier  | Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.

Table 2 — Upgrade Tools Package Files

Advanced Upgrade with Database Migration
As in all upgrade procedures, it is best practice to upgrade the Security Management Server or Multi-Domain Server before upgrading the Security Gateways. To upgrade from an earlier software version, such as R77.30, to Check Point's R80.10 security management platform, use the Advanced Upgrade with Database Migration method to migrate the database and install the software. With this method of upgrading, the current environment must meet these requirements for database migration:
+ Available disk space of at least five times the size of the exported database on the target machine.
+ The size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine.
+ Source and target servers must be connected to a network, and the connected network interface must have an IP address.
+ If the source environment uses only IPv4 or only IPv6, the target must use the same IP address configuration. For example, you cannot migrate to an IPv6 configuration if the source environment uses only IPv4.
+ The target must have the same or higher version and the same set of installed products.
+ The appropriate package of upgrade tools must be downloaded for each source platform.
+ The correct ports for SmartConsole must be open in order for SmartConsole to communicate with the Security Management Server.

After the requirements for database migration have been met, create a backup copy of the existing system from the Gaia WebUI. Gaia operating system settings are not backed up by the migration and must be configured manually if the database is restored later due to issues with the upgrade. Take note of operating system settings (interfaces, servers, routes, system settings, etc.) before upgrading.

It is important to use the correct migration tool package to perform the upgrade. Use the upgrade tools package for the software version you are upgrading to. For example, if upgrading from R77.30 to R80.10, use the migration tools package for R80.10. Download and extract the tools to the old server (R77.30). Use the migrate utility of the upgrade tools package to export the source Security Management Server database (R77.30) to a file, and then import the file to the new server (R80.10).

NOTE: SmartEvent databases are not migrated during an advanced upgrade because the databases can be very large. Migration of these databases must be performed separately. Refer to sk110173 for information on how to migrate the SmartEvent database.
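The migration requirements above are easy to get wrong by eye on two servers, so an engineer would script the check before running migrate export. The following is an added example, not code from the manual or from Check Point's upgrade tools package: it parses constructed df -Pm style output for the source and target servers (the figures are invented), then applies the page's rules for free space (five times the exported database), /var/log size (at least 25% of the source's, using partition sizes as the measure), version ordering, matching installed products, and the single-IP-family rule. The mount-point names, product labels and the import directory are assumptions for the example.

```python
import re

# Constructed sample `df -Pm` output (sizes in MB) for the source (R77.30) and
# target (R80.10) management servers; the numbers are invented for this example.
SOURCE_DF = """\
Filesystem                      1048576-blocks  Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current          20000  9000     11000      45% /
/dev/mapper/vg_splat-lv_log              40000 15000     25000      38% /var/log
"""
TARGET_DF = """\
Filesystem                      1048576-blocks  Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current          30000  6000     24000      20% /
/dev/mapper/vg_splat-lv_log              12000  1000     11000       9% /var/log
"""


def parse_df(text):
    """Map mount point -> (size_mb, available_mb) from `df -P` style output."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        table[parts[5]] = (int(parts[1]), int(parts[3]))
    return table


def version_tuple(version):
    """'R77.30' -> (77, 30); 'R80' -> (80, 0), so releases compare numerically."""
    m = re.fullmatch(r"R(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unexpected version string: %r" % version)
    return (int(m.group(1)), int(m.group(2) or 0))


def mount_for(path, table):
    """Longest mount point that contains path, e.g. /var/log/upload -> /var/log."""
    best = "/"
    for mount in table:
        if path == mount or path.startswith(mount.rstrip("/") + "/"):
            if len(mount) > len(best):
                best = mount
    return best


def check_migration_prereqs(source_df, target_df, exported_db_mb, import_dir,
                            source_version, target_version,
                            source_products, target_products,
                            source_ip_families, target_ip_families):
    """Apply the database-migration requirements; returns a list of (code, message)."""
    src, tgt = parse_df(source_df), parse_df(target_df)
    findings = []

    # Free space on the target partition receiving the import: >= 5x the export.
    mount = mount_for(import_dir, tgt)
    needed = 5 * exported_db_mb
    if tgt[mount][1] < needed:
        findings.append(("disk", "%s has %d MB free; need %d MB (5 x %d MB export)"
                         % (mount, tgt[mount][1], needed, exported_db_mb)))

    # Target /var/log must be at least 25% of the source /var/log (partition sizes used).
    if tgt["/var/log"][0] < 0.25 * src["/var/log"][0]:
        findings.append(("varlog", "target /var/log is %d MB; need >= %d MB"
                         % (tgt["/var/log"][0], src["/var/log"][0] // 4)))

    # Target version must be the same or higher than the source.
    if version_tuple(target_version) < version_tuple(source_version):
        findings.append(("version", "target %s is older than source %s"
                         % (target_version, source_version)))

    # Same set of installed products on both sides.
    if set(source_products) != set(target_products):
        findings.append(("products", "installed products differ: %s vs %s"
                         % (sorted(source_products), sorted(target_products))))

    # An IPv4-only or IPv6-only source requires the same family on the target.
    src_fam, tgt_fam = set(source_ip_families), set(target_ip_families)
    if len(src_fam) == 1 and tgt_fam != src_fam:
        findings.append(("ip", "source is %s-only but target uses %s"
                         % (next(iter(src_fam)), sorted(tgt_fam))))
    return findings


if __name__ == "__main__":
    result = check_migration_prereqs(SOURCE_DF, TARGET_DF, 1000, "/home/admin",
                                     "R77.30", "R80.10",
                                     ["management"], ["management"],
                                     ["IPv4"], ["IPv4"])
    for code, message in result or [("ok", "all migration requirements met")]:
        print(code, message)
```

Run it on the constructed data and it reports that a 1000 MB export into /home/admin on the target passes every rule; raising the export to 3000 MB and importing under /var/log (11000 MB free, 15000 MB needed) trips the disk check, and pointing an IPv4-only source at an IPv6-only target trips the address-family rule.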
The Upgrade Verification Service
Check Point's Upgrade Verification Service is an upgrade verification and environment simulation service created to help customers transition to R80.XX as seamlessly as possible. The service will use configuration files from your current platform to simulate the environment and verify that the upgrade can be successfully applied across the key features of the software. The simulation will also ensure that the database is not corrupted during the upgrade process. Upon completion, a status update of the simulation results along with advice on how best to proceed will be provided. For more detailed information on the Upgrade Verification Service, refer to sk110267.

Lab 1.1: Upgrading to R80.10

Hotfixes
Hotfixes are updates that are released to correct an issue discovered within the operating system or software. They can be released to address security vulnerabilities and inconsistencies or to provide enhancements and improvements. A Hotfix Accumulator (HFA) is a collection of stability and quality fixes that resolve multiple issues in different products. When installed, HFAs will overwrite the current hotfixes installed on the system. The name of a hotfix identifies the version it is compatible with. For example, R80_JUMBO_HF_1_Bundle_190 is a very large bundle of hotfixes for R80. In addition to hotfixes, some versions may have new features which require the installation of an Add-on. Check Point recommends installing the add-on only if the features it enables are required.

When providing a fix to customers, Check Point supplies the updated file and installation package, which will interactively install the fix. Gaia automatically provides a list of update packages available for download that are relevant to the operating system version installed. The Status and Actions page of CPUSE displays hotfixes that are available for download and hotfixes that have previously been downloaded, imported, and installed.

Figure 3 — CPUSE

The CPUSE Agent
CPUSE is an advanced and intuitive tool used to update the Gaia operating system and Check Point software products. It supports the deployment of major and minor software releases, single hotfixes, and HFAs. A major release introduces new functionalities and technologies. Examples of a major release would be R77 and R80. Minor releases include the latest fixes released to customers. R77.30 is an example of a minor release. The CPUSE tool automatically locates and displays software update packages and full images relevant to the Gaia operating system version installed on the computer. It also considers the role of the computer (management server, gateway, or Gaia standalone) and other properties. The CPUSE agent is installed on every Gaia-based machine and is responsible for all software deployment on that machine. The machine must be connected to the Internet to obtain software updates from the Check Point Cloud. Prior to every installation, CPUSE runs several verification tests to ensure that the package is compatible and can be installed on the machine without conflicts.

To view available packages in the Gaia Portal, navigate to the Upgrades (CPUSE) section and select Status and Actions. All hotfix and minor version packages are displayed in categories and are filtered to show recommended packages only by default. Check Point recommends downloading the latest build of the CPUSE agent prior to applying a hotfix. In most cases, the latest build is downloaded automatically. To check the current build of the agent, click the Hotfixes link next to the CPUSE version number, near the top of the Status and Actions page. A pop-up window will appear displaying hotfix information. The installed build of the deployment agent is displayed at the bottom of the window. The current build can also be checked by using Clish and running the following command:

    HostName:0> show installer status build

Figure 4 — CPUSE > Status and Actions > Hotfixes Link

NOTE: The latest build of CPUSE is gradually released to all customers; therefore, all machines may not receive the latest build at the same time.

Hotfixes can be scheduled to download automatically, manually, or periodically; however, full installation and upgrade packages must be installed manually.

Download and Install Hotfixes
Hotfixes are applied by first downloading or importing the CPUSE package and then installing the package on the machine. In the Gaia Portal, click the lock icon to obtain the lock over the configuration database before applying a hotfix, and then navigate to the Status and Actions page. Every hotfix displayed as available for download may or may not be allowed or needed for installation onto your machine. Check Point recommends verifying the package to determine if it can be installed without conflicts. To verify a package, perform one of the following actions:
+ Select the package and click the More button on the toolbar. From the list of options, click Verifier. Or,
+ Right-click the package and click Verifier.
The Verifier Results window will display, indicating whether or not installation is allowed. If installation is allowed, proceed to download the package. The download progress is displayed in the Status column of the hotfix. The download may be paused at any time. When paused, the status of the package will change to Pausing Download and then to Partially Downloaded, and may be resumed at any time. Install the package after it has been successfully downloaded.
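Two facts from the Hotfixes section are worth encoding before a package is handed to CPUSE: the package name identifies the release it is built for, and an HFA overwrites whatever hotfixes are currently installed. The following is an added example, not code from the manual or from CPUSE itself. The naming pattern is an assumption generalized from the one name on the page (R80_JUMBO_HF_1_Bundle_190: a release token, a descriptive middle, and a trailing build number); real CPUSE identifiers may differ. It decides whether a candidate name matches the installed release exactly (an R80 bundle is not an R80.10 bundle) and whether its build is newer than the one already installed, and defers the final answer to the CPUSE Verifier, which performs the real conflict checks.

```python
import re

# Assumed package-name convention, generalized from the single example on the page.
PACKAGE_RE = re.compile(r"^(?P<version>R\d+(?:\.\d+)?)_(?P<kind>.+?)_(?P<take>\d+)$")


def parse_package_name(name):
    """Split a hotfix package name into its release token, kind and build number."""
    m = PACKAGE_RE.match(name)
    if not m:
        raise ValueError("unrecognised package name: %s" % name)
    return {"version": m.group("version"),
            "kind": m.group("kind"),
            "take": int(m.group("take"))}


def is_compatible(name, installed_version):
    """A package is meant only for the release its name starts with (R80 is not R80.10)."""
    return parse_package_name(name)["version"] == installed_version


def assess_package(name, installed_version, installed_take=None):
    """Return (decision, reason) for a candidate HFA on a machine running installed_version.

    installed_take is the build number of the HFA already on the machine, if any.
    Because an HFA replaces the current hotfixes, a build that is not newer is skipped.
    """
    pkg = parse_package_name(name)
    if pkg["version"] != installed_version:
        return ("reject", "package is for %s but this machine runs %s"
                % (pkg["version"], installed_version))
    if installed_take is not None and pkg["take"] <= installed_take:
        return ("skip", "take %d is not newer than installed take %d; an HFA would "
                "replace the current hotfixes" % (pkg["take"], installed_take))
    return ("verify", "release matches; run the CPUSE Verifier before downloading")


if __name__ == "__main__":
    candidate = "R80_JUMBO_HF_1_Bundle_190"          # the page's example name
    for version, take in (("R80", 150), ("R80", 190), ("R80.10", None)):
        print(version, take, assess_package(candidate, version, take))
```

The decisions are deliberately conservative: the script never says "install", only "reject", "skip" or "verify", because the manual makes the Verifier the authority on whether installation is allowed.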
To install a downloaded package, select the package and click the Install Update button, or right-click the package and select Install Update. Hotfixes can also be downloaded and installed all at once, by simply clicking the Install Update button.

Most Jumbo Hotfix packages and private hotfix packages are posted to the Check Point Cloud. Click the Add Hotfixes from the cloud button to search, or enter a package identifier posted to the cloud. Contact Check Point Support to get the package's CPUSE Identifier, or copy and paste the file name from the Check Point Download Center. Use the CPUSE Identifier search string to add the relevant CPUSE package from the Check Point Cloud. Once the package is added, its status will display as Available for Download.

To import a package, click the More button located on the toolbar of the Status and Actions page, and select Import Package. In the Import Package window, browse to the package file, and click Upload.

CPUSE Software Updates Policy
The WebUI offers different methods for downloading hotfixes via CPUSE:
+ Manually — This is the default method. Downloads can also be manually deployed in Clish.
+ Scheduled — The CPUSE agent can check for and download hotfixes at a specified time, such as daily, weekly, monthly, or on a selected date.
+ Automatic — The CPUSE agent will check for updates every three hours and automatically download hotfixes as they become available.

The CPUSE agent can also send email notifications to administrators, which can inform them of update events, such as when new packages are available for download, and the success or failure of a package installation. To define the CPUSE update policy and configure email notifications, under the Upgrades (CPUSE) section, select Software Updates Policy.

Figure 5 — Software Updates Policy

Software update packages can be imported and installed offline if:
+ the Gaia machine has no access to the Check Point Cloud.
+ the desired CPUSE package is not available in the Check Point Cloud.
+ the administrator prefers to manually import the CPUSE package.

The Central Deployment Tool
System Administrators can automatically install CPUSE offline packages on multiple Security Gateways and cluster members at the same time using the Central Deployment Tool (CDT). The CDT is a utility that runs on Gaia operating system Security Management Servers and Multi-Domain Servers using software versions R77.30 and higher. The tool communicates with gateways and cluster members over SIC via TCP port 18209. Automatic installation on multiple managed gateways and cluster members is supported for the following package types:
+ Upgrades to R77.30
+ Minor version upgrades
+ Hotfixes
+ Jumbo Hotfixes (bundles) or HFAs

Prior to using the CDT, all Security Gateways and cluster members must already be installed and configured, with SIC established and Security Policies installed. There are also several file requirements that must be met before the utility can be run. These include the CDT executable and configuration files as well as several optional shell script files. The latest build of the CPUSE agent is also required.

CDT uses CPUSE agents to perform package installation on remotely managed gateways and cluster members. The entire process is monitored and managed by the management server. To begin using the CDT, connect to the command line on the management server, log into Expert mode, and then access the directory that contains the CDT files.

Do not use CDT for clean installations of a major version. Also, CDT does not support upgrades or installs of ClusterXL in Load Sharing mode. For more detailed information regarding the CDT utility, refer to the Check Point Central Deployment Tool Administration Guide.

Lab 1.2 Applying Check Point Hotfixes
Lab 1.3 Configuring a New Security Gateway Cluster

CLI Commands
Check Point Gaia's powerful CLI commands and Clish shell are designed for users who prefer to interact with the system by executing commands or scripts. The most common operations are:
+ add
+ set
+ show
+ delete

CLI commands can be entered in two modes: Standard mode and Expert mode. Standard mode is the default Check Point shell (Clish) and provides commands for easy configuration and routine administration, such as cpstart and cpstop. However, most system commands are not supported. The prompt for Standard mode commands is:

[hostname] >

Expert mode allows advanced Check Point access to the Gaia operating system and the underlying Linux system. To enter Expert mode, use the expert command in Clish. This command opens the Bash shell. The prompt for Expert mode is:

[Expert@hostname] #

An Expert mode user can run Linux commands such as ls, cd and pwd as they would on any Linux system to directly manipulate the Gaia operating system file system. Basic Check Point commands such as fw ver and cpconfig can also be run from the Expert mode CLI, similar to Gaia Clish.

CLI-inclined users can also use CLI commands and tools in Expert mode to create automation scripts. These tools include:
+ dbedit — creates and configures objects and rules in the database for the Security Policy.
+ fwm load — installs the specified Security Policy on Security Gateways.
+ send_command — runs functions which are not included with standard Check Point CLI commands and tools.

CLI commands and multiple shells are available for all Check Point Gaia-based operating systems, software blades and features. Several useful commands are noted in this section; however, many other commands are discussed in greater detail throughout this course.

Environment Commands
Use these commands to set the CLI environment for a user.
The syntax to set the client environment is:

set clienv <parameter>

To save the client environment permanently:

save clienv

To acquire the configuration lock from another administrator:

lock database override

To set the inactivity timeout when working with CLI:

set inactivity-timeout <value>

With this command, <value> is the timeout in minutes.

Parameter                         Description
config-lock [on|off]              Default value of the Clish configuration lock parameter. If set to on,
                                  Clish will lock the configuration and no configuration changes can be
                                  made in the WebUI.
debug [0-6]                       Debug level. Zero is the default level: do not debug, display error
                                  messages only. Level 6 will show handler invocation parameters and
                                  results.
echo-cmd [on|off]                 When set to on, echoes all commands before executing them. The
                                  default is off.
on-failure [continue|stop]        When the system encounters an error, commands from a file or script
                                  will either continue to run or stop running. The default is stop.
output [pretty|structured|xml]    Determines the command line output format. The default is pretty.
prompt <value>                    Command prompt string. Defines the appearance of the command prompt.
                                  Can consist of any printable characters and a combination of
                                  variables.
rows <integer>                    Number of rows to display in the terminal window.
syntax-check [on|off]             When set to on, puts the shell into syntax-check mode. Commands are
                                  checked syntactically and are not executed, but values are validated.
                                  The default is off.

Table 3: Environment Command Parameters

System Configuration Commands
Gaia system configuration settings can be saved as a ready-to-run CLI script.
To save the system configuration to a CLI script:

save configuration

To restore configuration settings:

load configuration

To see the latest configuration settings:

show configuration

This example shows part of the configuration settings as last saved to a CLI script:

mem103> show configuration
#
# Configuration of mem103
# Language version: 10.0v1
# Exported by admin on Mon Mar 19 15:06:22 2016
#
set hostname mem103
set timezone London / Europe
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set ntp active off
set router-id 6.6.6.103
set ipv6-state off
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable

System Management Commands
There are a multitude of system management tasks that can be performed and configured using CLI, such as managing users, synchronizing system clocks, configuring SNMP, banner messages, core dumps, and more. Examples of several of these tasks are noted below.

To add a user account:

add user <username> uid 200 homedir <path>

To modify user accounts:

set user <username>

To set a user password:

set user <username> password

To show the current system date and time:

show clock

This displays the current system day, date, and time, for example:

Thu Aug 25 15:25:00 2016 CET

A banner message can be configured to show users when they log in. To set a banner message:

set message banner <on|off> msgvalue <text>

Example of a banner message:

set message banner on msgvalue "This system is private and confidential"

To enable SNMP:

set snmp agent on

To enable or disable core dumps:

set core-dump [enable|disable]

To enable or disable IPv6 support:

set ipv6-state [on|off]
show ipv6-state

Network Administration Commands
The syntax to configure physical interfaces is:

set interface <name>
    ipv4-address <ip> mask-length <mask>
    subnet-mask <mask>
    ipv6-address <ip> mask-length <mask>
    ipv6-autoconfig [on|off]
    comments <text>
    mac-addr <mac>
    mtu <value>
    state [on|off]
    link-speed <speed>
    auto-negotiation [on|off]

Parameter                    Description
interface <name>             Configures a physical or virtual interface with an interface name.
ipv4-address <ip>            Assigns the IPv4 or IPv6 address.
ipv6-address <ip>
ipv6-autoconfig [on|off]     If on, automatically gets the IPv6 address from DHCP.
mask-length <mask>           Configures the IPv4 or IPv6 subnet mask length using CIDR (/xx) notation.
subnet-mask <mask>           Configures the IPv4 subnet mask using dotted decimal notation.
comments <text>              Adds free text comments to an interface definition.
mac-addr <mac>               Configures the interface hardware MAC address.
mtu <value>                  Configures the Maximum Transmission Unit (MTU) size for an interface
                             with an integer greater than or equal to 68. The default is 1500.
state [on|off]               Sets the interface status to enabled or disabled.
link-speed <speed>           Configures the interface link speed in Mbps and duplex status values,
                             such as 10M/half or 10M/full.
auto-negotiation [on|off]    Configures automatic negotiation of interface link speed and duplex
                             settings to enabled or disabled.

Table 4: Network Administration Command Parameters

Examples:
set interface eth2 ipv4-address 40.40.40.1 subnet-mask 255.255.255.0
set interface eth2 mtu 1500
set interface eth2 state on
set interface eth2 link-speed 1000M/full

To delete an interface setting:

delete interface eth2 ipv4-address

Gaia automatically identifies physical interfaces, such as NICs, installed on a computer. Therefore, they cannot be added or deleted using the WebUI or the CLI.

Gaia devices can also be configured to be a Dynamic Host Configuration Protocol (DHCP) server. DHCP servers allocate IP addresses and other network parameters to network hosts, thus eliminating the necessity of configuring each host manually. DHCP server subnets can be configured on the Gaia device interfaces to allocate network parameters, such as IPv4 addresses and DNS parameters, to hosts behind the Gaia interface. Use DHCP commands to configure the Gaia device as a DHCP server for network hosts.

To create DHCP server subnets:

add dhcp server subnet <subnet> netmask <value> include-ip-pool start <ip> end <ip> exclude-ip-pool start <ip> end <ip>

To change the DHCP server subnet configuration:

set dhcp server subnet <subnet> <parameter>

Parameter                          Description
start / end                        The IPv4 address that starts or ends the allocated IP pool range.
include-ip-pool                    The range of IPv4 addresses to include in the IP pool. For example,
                                   192.0.2.20-192.0.2.90
exclude-ip-pool                    The range of IPv4 addresses to exclude from the IP pool.
enable / disable                   Enable or disable the DHCP server subnet, or the DHCP server process
                                   (depending on the context).
default-gateway                    The IPv4 address of the default gateway for the network hosts.
domain                             The domain name of the network hosts. For example, testdomain.com
dns                                The Domain Name Service (DNS) servers that the network hosts will use
                                   to resolve host names. Optionally, specify a primary, secondary and
                                   tertiary server in the order of precedence.
all                                All DHCP server configuration settings.
subnet                             DHCP server subnet configuration settings.
subnet ip-pools                    The IP pools in the DHCP server subnet, and their status: enabled or
                                   disabled.
status [enabled|disabled]          The status of the DHCP server process: enabled or disabled.

Table 5: DHCP Command Parameters

Gaia uses the Domain Name Service (DNS) to translate host names into IP addresses. To enable DNS lookups, the primary DNS server must be entered for your system. The system will consult the primary DNS server to resolve host names. A DNS suffix, which is a search suffix for host-name lookup, can also be defined.

To configure the DNS server:

set dns primary <value>

To configure the DNS suffix:

set dns suffix <value>

The value parameter for both examples is an IPv4 or IPv6 address.

Additional CLI Commands
There are many more CLI commands available, such as commands which allow you to define static routes and configure system logging. To view a list of all possible CLI commands, log into Clish and press the Esc key on your keyboard twice. For operation-specific commands, press the Tab key twice.

Lab 1.4 Core CLI Elements of Firewall Administration

CPinfo
CPinfo is a Check Point utility that collects diagnostic data on a machine at the time of execution. The CPinfo output file allows Check Point's support engineers to analyze customer setups remotely. The support engineer opens the CPinfo file in demo mode, while viewing actual customer Security Policies and objects. This process allows for a more in-depth analysis of all of the customer's configuration options and environment settings. CPinfo collects the entire gateway installation directory, including $FWDIR/log/* files. Some of the other viewable information includes routing tables, system message logs, and the output of various commands, such as ifconfig and fw ctl pstat. CPinfo files are sent to Check Point Technical Support via email or FTP. To use CPinfo, make sure that the platform's current version of cpinfo is installed to extract the CPinfo file.
Run the cpinfo command with the relevant flags in Clish or in Expert mode:
+ -l — This flag collects log records.
+ -f <file> — This flag uploads additional files to the Check Point server. It should be used in combination with -n and -s. If the file to be uploaded is not compressed, CPinfo will first compress it and then upload it.
+ -o <filename> — This flag directs the output to a file and to the screen. It also specifies a filename.
+ A further flag instructs the utility to display all installed hotfixes.
+ The flag for non-interactive mode instructs the utility not to check for updates.
+ A further flag forces the update check. By default, the update check of the CPinfo utility runs once a week.
+ -u — This flag connects to the User Center with username and password.
+ -e — Specifies a single email or multiple emails of people that should be notified about upload status. Multiple emails must be enclosed in double quotation marks and separated by semicolons. For example: "<email #1>;<email #2>"
+ -s — Specifies the Service Request number opened with Check Point Support. For example, -s 26-123456785
+ -t <timeout> — Specifies the timeout in seconds for the commands executed by the utility. This does not apply to collection of the CPinfo output file itself. The default timeout is 600 seconds (10 minutes).
+ -h — This flag displays the built-in help.

Advanced Firewall
The Check Point Firewall Software Blade builds on the award-winning technology first offered in Check Point's Firewall solution and provides the industry's best cyber security. Check Point has demonstrated industry leadership and continued innovation since the introduction of FireWall-1 in 1994. Check Point Firewalls are trusted by 100% of the Fortune 100 companies.

Check Point Firewall Infrastructure
As a security expert considering the needs of your organization, in-depth knowledge of Security Gateways must be applied as you implement them beyond a simple distributed deployment.
To establish a framework for assessing gateway performance in a complex network topology, you must understand the infrastructure. You should recall from the CCSA that, fundamentally, Check Point security components are divided into the following components:
+ GUI Client
+ Security Management
+ Security Gateway

GUI Client
GUI applications for object manipulation, log monitoring and SmartEvent are all unified into one console (SmartConsole). These GUI applications offer you the ability to configure, manage and monitor security solutions, perform maintenance tasks, generate reports and enforce corporate policy in real time. Check Point periodically releases new executables that include updates for SmartConsole applications. These updates are not always related to or aligned with Security Gateway hotfixes and are considered a separate, unrelated release track.

Security Management
The management component is responsible for all management operations in the system. It contains several elements, such as the management server, reporting suite, log server, etc. All of the functionality of the Management server is implemented in User Mode processes, where each process is responsible for several operations.

Check Point Management (cpm) is the main management process. It provides the architecture for a unified security environment. CPM allows the GUI client and management server to communicate via web services using TCP port 19009. It enables the migration from legacy client-side logic to server-side logic. The cpm process performs database tasks, such as creating, deleting, and modifying objects, and compiling policy. Processes controlled by CPM include:
+ web_services — Transfers requests to the dle_server.
+ dle_server — Contains all the logic of the server and validates information before it is written into the database.
+ object_store — Translates and writes data to the database.

CPM saves all data in the Postgres SQL database and stores most of the data in Solr, a standalone search server powered by the Lucene Java search library. The Postgres SQL database contains objects, policies, users, administrators, licenses, and management data. The data is segmented into multiple database domains. Solr generates indexes of the data to be used for full text searching capabilities.

Figure 6 — CPM Architecture

Additional significant management processes include:

fwm — Firewall Management (fwm) is on all management products, including Multi-Domain Security Management, and on products that require direct GUI access, such as SmartEvent. The fwm process is used mainly for backward compatibility of gateways. It provides GUI client communication, database manipulation, policy compilation, and Management High Availability synchronization.

fwd — Check Point Firewall Daemon (fwd) allows other processes, including the kernel, to forward logs to external Log servers, as well as to the Security Management Server. It communicates with the kernel using command line tools, such as the fw commands, kernel variables, and kernel control commands.

fwssd — A child process of fwd. It is responsible for managing Firewall Security Servers, which provide a higher level of protocol enforcement.

cpd — Check Point Daemon (cpd) is a core process on every Check Point product. It allows Secure Internal Communication (SIC) functionality, pulls application monitoring status, transfers messages between Firewall processes, fetches and installs policy, and more.

cpwd — Check Point WatchDog (cpwd) invokes and monitors critical processes, such as Check Point daemons on the local machine, and attempts to restart them if they fail.
Among the processes monitored by cpwd are cpd, fwd, and fwm. The cpwd_admin utility shows the status of processes and configures cpwd.

Security Gateway
The Security Gateway, sometimes referred to simply as the Firewall, is the component in the system responsible for security enforcement, encryption/decryption, authentication, and accounting.

The functionality of the Security Gateway is implemented both in User Mode and in the kernel. The Security Gateway is a network device running an operating system, which makes it vulnerable to possible Network layer attacks. To mitigate this vulnerability, some of the Firewall functionality is implemented in kernel mode. This allows the traffic to be inspected before it even reaches the operating system IP stack.

Figure 7 — Security Gateway: Operating System Kernel

The Firewall Kernel
The Firewall kernel is responsible for the majority of the Security Gateway's operations, such as security enforcement, encryption/decryption, NAT, etc. In order to detect which part of the kernel might be responsible for a specific issue, start by considering the inner structure of the Firewall kernel and its interaction with the operating system kernel (Gaia), the hardware, and other kernel components, such as acceleration. There are certain processes that operate at the operating system level in the User Mode space and others that operate in kernel mode space.

User and Kernel Mode Processes
The Kernel Mode resides in the Data Link layer of the OSI model. The Firewall kernel inspects packets between the Data Link layer and the Network layer. Every packet that goes through the Firewall is inspected. In the Network layers, you would not see all those packets. User Mode is not mandatory; however, it allows the Firewall to function more efficiently in the Application layer.
The Firewall employs services of the operating system and allows easier inspection of files on open connections. It is possible and, in some cases, required for user and kernel processes to communicate. To allow this, there are two mechanisms: Input/Output Controls (IOctl) and traps. When a kernel process wishes to signal a User Mode process, it sets a trap by changing a value in a registry key. The User Mode process monitoring that flag stumbles on the trap and performs the requested operation. When a User Mode entity needs to write information to a kernel process, it uses IOctl, which is an infrastructure allowing the entity to call a function in the kernel and supply the required parameters.

Figure 8 — User Mode and Kernel Mode Processes

As administrators trying to debug the Firewall, the first observation to make is to decide which Firewall functionality is implemented in the user space and which is implemented in the kernel. Once that distinction is made, decide the best approach to use in addressing the problem, including which tool is the most appropriate to use.

Packet Flow
To understand how packets are inspected, consider the Firewall kernel more closely.

Inbound and Outbound Packet Flow
Traffic first arrives into the Firewall through one of the Firewall Network Interface Cards (NICs). The Check Point Firewall kernel is installed on each Firewall NIC that is enabled in the operating system. The Firewall kernel consists of two completely separate, logical parts called the Inbound and Outbound, which represent the process of packets coming in and out of the Firewall. These processes work on each packet through another process called inspection. Each part acts independently and does not assume that a packet was inspected or processed by the other.
Therefore, some functionality is implemented both on the Inbound and on the Outbound. Some key points include:
+ Each direction has its own ordered chain of modules, or packet processing handlers.
+ Handlers decide whether to continue, terminate or hold the processing of a packet.
+ Inspection is performed on virtually defragmented packets.

The inspection process does expect that a packet in the Outbound that has not entered the Inbound first originated from the Security Gateway itself. It is also assumed that a packet not originating from the gateway was Inbound.

Figure 9 — Check Point Firewall Kernel Inspection Points

Packet Inspection Flow
The following diagram describes a packet flow through the Firewall kernel and how the User Mode processes work to control the traffic.

Figure 10 — Packet Inspection Flow

1. The packet arrives at the Security Gateway and is intercepted by the NIC on the Inbound.
2. The Firewall kernel Inbound chain begins inspecting the packet.
3. The packet is matched against the Rule Base. A log is generated and sent from the kernel to the User Mode process, fwd, located on the Security Gateway.
4. The fwd process on the Security Gateway sends the log to the fwd process on the Management server, where it is forwarded to cpm via cpd.
5. cpm sends the log to the relevant SmartConsole GUI application, such as SmartView Monitor.
6. At the same time, depending on routing decisions made by the operating system and excluding specific scenarios such as VPN routing, the packet is routed to a selected NIC. The packet must go through the Firewall kernel again, only this time through the Outbound chain, to the appropriate NIC and on to the network.

Chain Modules
Chain Modules are packet processing handlers.
Handlers decide which modules will inspect the packet and, based on the inspection, may then modify, pass, or drop the packets. Each module in the chain has a unique job. The number of chains on a Security Gateway is based on the number of blades and features enabled for that gateway. Inbound and outbound packets are inspected in both directions by chain modules. Familiarity with the elements of a chain module is an important step in understanding how traffic moves through the firewall, and will likely be of great assistance when debugging is required.

Consider the following chain module example. The location of the module in the chain is a relative, serial number for this particular gateway configuration. For example, above, the fw VM outbound is the 6th chain module. It may be in a different location in other gateway scenarios. The chain position, by contrast, is an absolute number that never changes. In the Firewall kernel, each chain module is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, and for Stateful Mode, the chain modules marked with 2 will not apply. Chain modules marked ffffffff, such as IP Options Strip/Restore, and those marked 3 will apply to all traffic.

Figure 11 — Chain Module Example

To take a look at an actual chain, use the fw ctl chain command. This will show you the chain modules actually loaded on your machine and their order.

Inbound fw ctl Chain Modules
View the chain modules displayed below. In this figure and in different configurations, some chain modules will not appear and others may be added. Between different releases, chain modules are added or removed, depending on the version-specific design decisions.

Figure 12 — Inbound Chain

Outbound Chain Modules
View the chain modules displayed below. Shown in this figure, the Outbound chain shows roughly the same chain modules as seen on the Inbound.
The most significant difference is that in the Inbound, the vpn decrypt and vpn decrypt verify chain modules are present. This makes sense because it is expected that a packet would be decrypted on the Inbound. In addition, the Outbound chain also has the vpn encrypt chain module, in case the packet needs to be encrypted on the Outbound.

Figure 13 — Outbound Chain

Wire Mode
Wire Mode enables VPN connections to successfully maintain a private and secure VPN session without employing Stateful Inspection. Using Wire Mode, the Firewall can be bypassed for VPN connections by defining internal interfaces and communities as "trusted". This improves the performance of the VPN tunnel and reduces downtime. With Stateful Inspection no longer taking place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. Wire Mode is based on a trusted source and destination and uses internal interfaces, such as the Security Gateway and VPN Communities.

Lab 1.5 Viewing the Chain Modules

Stateful Inspection
Stateful Inspection was invented by Check Point to provide accurate and highly efficient traffic inspection. Apart from checking the IP header of a packet, Stateful Inspection also implements checks on other characteristics of a packet, such as TCP stream, sequence numbers, UDP communication and port numbers, to monitor the state of a packet, operating primarily at the Transport layer of the operating system. The Inspection Engine examines every packet as it is intercepted at the Network layer. The connection state and context information are stored and updated dynamically in the kernel tables. Kernel tables are also known as State tables. To see the process flow of the Inspection Engine, review the flow chart below.
Figure 14 — Inspection Process Flowchart

1. Packets pass through the Network Interface Card (NIC) to the Inspection Module, which inspects the packets and their data.
2. Packets are matched to the policy Rule Base one rule at a time. Packets that do not match any rule are dropped.
3. Logs and/or alerts that have been defined are started.
4. Packets that pass inspection are moved through the TCP/IP stack to their destination.
5. For packets that do not pass inspection and are rejected by the rule definition, a negative acknowledgment (NACK) is sent (i.e. an RST packet on TCP and ICMP unreachable on UDP).
6. Packets that do not pass inspection and do not apply to any of the rules are dropped without sending a NACK.

Security Servers
Security servers are a necessary and crucial element of Firewall functionality. Some Firewall features require a higher level of protocol enforcement and RFC compliance, such as in the Application Layer. Security servers are the individual processes within the Firewall system that are responsible for the detailed protocol-specific security inspection, such as FTP, HTTP, or SIP, and other inspection services like DLP.

NOTE: When Identity Awareness is deployed, this process operates differently.

How a Security Server Works
Essentially, when a client initiates a connection to a server, the Firewall kernel signals the fwd process using a trap. fwd spawns the fwssd child service, which runs the Security server. Then, the Security server binds to a socket. fwd waits for connections on the ports of other servers (daemons) and starts the corresponding server when the connection is made. fwd also talks to its child processes on other servers using a pipe and signals. The $FWDIR/conf/fwauthd.conf file contains the structure of the security servers, showing the port numbers, corresponding protocol name, and status.
If the real port is 0, then a higher random port is assigned.

Figure 15 — Example of $FWDIR/conf/fwauthd.conf

Kernel Tables
There are dozens of kernel tables, each storing information relevant to a specific Firewall function. Using the information saved in the kernel tables, very elaborate and precise protections can be implemented. To view all existing kernel tables, type the command fw tab -t at the command prompt. To view only the table names and get a perspective on the number of kernel tables available, use the fw tab -s command. Most traffic-related information is saved in the kernel tables. Information is also stored in htabs, ghtabs, arrays, kbufs, and other devices. Tables may be created, deleted, modified, and read. In particular, consider the Connections table.

Connections Table
The Connections table is essentially an approved list of connections. The Firewall, as a network security device, inspects every packet coming in and out of each interface. After the first packet is matched against the Rule Base, we assume that the returning packet might not be accepted in the Rule Base. For example, we allow 74.100.100.1 to connect with 212.150.141.5 using Telnet on port 23 in the Rule Base and drop everything else. The SYN packet will match the Rule Base and pass, but the SYN-ACK packet comes back with the reversed tuple (source IP 212.150.141.5, destination IP 74.100.100.1) and source port 23 with a random destination port. (Reference the Connections Table figure in the following section.) To mitigate this, for every recorded connection, a matching, reversed-tuple entry is also added to the list of approved connections. Some scenarios, such as NAT, data connections and elaborate protocols such as Voice over IP (VoIP), introduce more complexity to the logic behind maintaining the Connections table. The Connections table provides enhanced performance.
As we saw in the Inspection Process Flowchart, the action of matching a packet against the Rule Base may be very costly (especially if there is a very large Rule Base with dynamic objects and logical servers that need to be resolved). By maintaining the list of approved connections in the Connections table, the gateway can enforce an intelligent analysis for assumed rule-matching, thus saving valuable time and computing power.

The Connections table also allows server replies. We noted earlier that sometimes Server to Client (S2C) packets might not match the Rule Base. In these cases, they would be handled by the Connections table. To view the Connections table, use the following command:

fw tab -t connections -f

NOTE: Using the fw tab -t connections -f command could impact performance.

The following Stateful features are provided with the Connections table:

• Streaming based applications
• Sequence verification and translation
• Hide NAT (Explicit entries to the Connections table may need to be added when the S2C packets returning to the Firewall may not match the Rule Base.)
• Logging, accounting, monitoring, etc.
• Client and server identification
• Data connections

Connections Table Format

Each new packet is recorded in the table in all available entries. In FireWall-1 version 4.1, only one entry was made for each new connection. Each packet had to go through the Connections table several times to verify all available types of connection. Today, each packet goes through a single lookup as all available entries are already recorded in the table.
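The stateful logic described here, as an added example that is not part of the original manual or of Check Point's code: a small model of the Connections table with one Real Entry per accepted connection plus the reversed-tuple and reverse-direction entries (the Symbolic Links that the Connections Table Format section goes on to describe), driven by the Telnet policy from the text. The 6-tuple layout, the direction values 0/1, the client port and the rule numbering are assumptions made for the example.

```python
"""Model of the Connections table: a Real Entry plus three Symbolic Links, so
that the same connection and its reversed-tuple reply are found with a single
lookup in either direction. Added illustration, not Check Point code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple, Union

INBOUND, OUTBOUND = 0, 1          # direction values assumed for the 6-tuple
TCP = 6

# (source IP, source port, destination IP, destination port, protocol, direction)
SixTuple = Tuple[str, int, str, int, int, int]


@dataclass
class RealEntry:
    """State that only the Real Entry carries (state, matching rule, seq)."""
    state: str
    rule: int
    seq: int = 0


class ConnectionsTable:
    def __init__(self) -> None:
        # A value is either a RealEntry or the key of the Real Entry it links to.
        self._entries: Dict[SixTuple, Union[RealEntry, SixTuple]] = {}

    def record(self, src: str, sport: int, dst: str, dport: int,
               proto: int, rule: int) -> SixTuple:
        """Add the Real Entry (C2S inbound) and the three Symbolic Links:
        C2S outbound, S2C inbound and S2C outbound (the reversed tuple)."""
        real = (src, sport, dst, dport, proto, INBOUND)
        self._entries[real] = RealEntry(state="SYN_SENT", rule=rule)
        for link in ((src, sport, dst, dport, proto, OUTBOUND),
                     (dst, dport, src, sport, proto, INBOUND),
                     (dst, dport, src, sport, proto, OUTBOUND)):
            self._entries[link] = real
        return real

    def lookup(self, src: str, sport: int, dst: str, dport: int,
               proto: int, direction: int) -> Optional[RealEntry]:
        """Single lookup: follow a Symbolic Link to its Real Entry if needed."""
        value = self._entries.get((src, sport, dst, dport, proto, direction))
        if isinstance(value, tuple):          # Symbolic Link -> Real Entry
            value = self._entries.get(value)
        return value if isinstance(value, RealEntry) else None

    def __len__(self) -> int:
        return len(self._entries)


# A Rule Base here is simply "number of the first matching rule, or None".
RuleBase = Callable[[str, int, str, int, int], Optional[int]]


def telnet_only_rulebase(src, sport, dst, dport, proto) -> Optional[int]:
    """Constructed policy from the text: allow 74.100.100.1 -> 212.150.141.5
    Telnet (TCP/23) as rule 1, drop everything else."""
    if (src, dst, dport, proto) == ("74.100.100.1", "212.150.141.5", 23, TCP):
        return 1
    return None


def inspect(table: ConnectionsTable, rulebase: RuleBase, src, sport, dst,
            dport, proto, direction) -> str:
    """Stateful inspection: packets of a known connection pass on the table
    alone; only a connection's first packet is matched against the Rule Base."""
    if table.lookup(src, sport, dst, dport, proto, direction) is not None:
        return "accept (connections table)"
    rule = rulebase(src, sport, dst, dport, proto)
    if rule is None:
        return "drop"
    table.record(src, sport, dst, dport, proto, rule)
    return f"accept (rule {rule})"


def demo() -> list:
    """Walk the Telnet handshake from the text through the table."""
    table = ConnectionsTable()
    client, server, cport = "74.100.100.1", "212.150.141.5", 40321  # constructed port
    return [
        inspect(table, telnet_only_rulebase, client, cport, server, 23, TCP, INBOUND),
        inspect(table, telnet_only_rulebase, client, cport, server, 23, TCP, OUTBOUND),
        # SYN-ACK: the reversed tuple, which on its own would not match rule 1
        inspect(table, telnet_only_rulebase, server, 23, client, cport, TCP, INBOUND),
        inspect(table, telnet_only_rulebase, server, 23, client, cport, TCP, OUTBOUND),
        # A reply for a connection never recorded is dropped
        inspect(table, telnet_only_rulebase, server, 23, "74.100.100.2", 5555, TCP, INBOUND),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last call shows the point of the table: the SYN-ACK is accepted only because its reversed tuple was recorded when the SYN matched rule 1, while a look-alike reply for a connection that was never opened is dropped.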
Figure 16 — Connections Table

The Symbolic Link format provides the 6-tuple of the connection we want to pass. The arrow is a pointer to the tuple of the Real Entry in the Connections table. The first six attributes in every entry in the Connections table state the connection's 6-tuple. The 6-tuple is a unique identification of the connection within the system. The direction can be either 0 for Inbound or 1 for Outbound.

In the Connections Table figure, we see a simple connection representation in the Connections table. The first entry is called the Real Entry and holds all of the relevant information for that traffic, such as state, sequence numbers and matching rule. The Real Entry allows the Client to Server (C2S) packet to enter the Firewall on the Inbound. The second entry is a Symbolic Link, allowing the same C2S packets to enter the Firewall on the Outbound. The third entry is another Symbolic Link that allows the S2C traffic to enter the Firewall on the Inbound. The last entry is also a Symbolic Link and allows the S2C packet to enter the Firewall on the Outbound.

Policy Installation

The policy installation process is divided into three main stages: Verification & Compilation, Transfer (CPTA), and Commit.

Figure 17 — Policy Installation Process

Verification & Compilation

The Verification & Compilation stage of policy installation occurs on the management side.
It involves the following steps:

1. Initiation — Policy installation is initiated either from SmartConsole or from the command line. Information required for the policy installation, such as the list of gateways on which the policy is to be installed, is provided. User permissions for policy installation are also checked prior to continuing to the next step in the process.
2. Database Dump — A database dump from postgres to the old file formats for CPMI tables occurs only if changes occurred. A dump for non-CPMI data will occur every time.
3. Verification — Information in the database is verified to comply with a number of rules, specific to the application and package for which policy installation is requested. If this verification fails, the process ends here, and an error message is passed to the initiator. The system can also issue warnings in addition to fail/success messages.
4. Conversion — The information in the database is converted from its initial format to the format understandable by later participants in the flow, such as code generation and the gateway.
5. fwm re-exec — The fwm loader takes a lot of memory. To release memory after verification and conversion, fwm state is saved to a file located in the $FWDIR/tmp/ directory. fwm is then re-executed as a fwm load command to push the files for code generation and compilation.
6. Code Generation and Compilation — The policy is translated to the INSPECT language and compiled with the INSPECT compiler. Also, some additional data transformations are compiled. After verifying and converting the database, the fwm process compiles the relevant files, such as objects_5_0.C and AccessCTRRules_0.C, into several compiled files (local.fc, local.set, etc.).
The compiled policy will be copied to the $FWDIR/state/ directory on the management server.

Transfer (CPTA)

The Transfer stage occurs between the management server and the gateway. Once the policy is successfully compiled and moved to $FWDIR/state/ on the management server, the Check Point Policy Transfer Agent (CPTA) transfers the compiled policy to the gateway using SIC. Using SIC ensures that the management server is trusted to install policy on the gateway. It also encrypts the connection via SSL so that the policy data transferred to the gateway is trusted. Once SIC is initialized, SIC authentication will occur for every policy installation.

Commit

During the Commit stage, the Firewall is instructed to load the new policy it has just received from the management server. The following steps will occur:

• The cpd process on the gateway will execute the following command to load the policy which was just transferred to the gateway: fw fetchlocal -d $FWDIR/state/_tmp/FW1
• The policy will then be loaded into the kernel.
• If successful, the new policy will be copied to the $FWDIR/state/FW1 folder on the gateway.
• If the fetchlocal process fails, cpd will get a notification regarding the failed process and will inform the fwm process that loading the policy has failed.

Policy Installation Flow

The graphic below displays a general process flow for policy installation. Differences are version specific, so $FWDIR is replaced with the compatibility package when other products or versions are used.

Figure 18 — Policy Installation Flow

1. The policy is defined in SmartConsole.
2. After the policy is published, it is saved in the postgres database. At a push, verification of user permission is performed.
3. A database dump from postgres to the old file formats (objects_5_0.C and others) for CPMI tables occurs only if changes occurred, and a dump for non-CPMI data will occur. All *.W files are stored in rulebases_5_0.fws.
4. After the policy is saved, files are created under $FWDIR/conf/*.W.
5. fwm_gen compiles the new $FWDIR/conf/*.W into a machine language, creating a new file called $FWDIR/conf/*.pf. The $FWDIR/conf/*.pf is actually the input from the $FWDIR/conf/*.W and the $FWDIR/conf/objects.C files. The $FWDIR/conf/*.W file is the exact same information defined in the GUI, just in a text format instead of a graphic one.
6. The C preprocessor compiles the *.pf and lib/*.def files, creating a new file called *.cpp.
7. All newly generated files are stored under $FWDIR/state/ on the management server. The *.cpp is compiled and translated to a machine language and transferred to the gateway.
8. The $FWDIR/state/ directory is pushed to the enforcement module (gateway).
9. cpd and the kernel on the enforcement module perform an automatic load.

Policy Installation by User Mode

Now we will examine how policy installation is handled by User Mode processes.

Figure 19 — Policy Installation Process Flow

1. Assuming the initiation was made by a SmartConsole application, as opposed to using command line options such as fwm load or fw fetch, the Check Point Management Interface (cpmi) policy installation command is sent to fwm on the Management server, where verification and compilation take place.
2. fwm forwards the command to cpd for code generation and compilation.
3. cpd invokes the cpta command, which sends the policy to all applicable Security Gateways.
4. cpd on the Security Gateway receives the policy and verifies its integrity.
5. cpd on the Gateway updates all of the User Mode processes responsible for enforcement aspects. These include vpnd for VPN issues, fwssd processes for Security server issues and so on. Once complete, cpd then initiates the kernel replacement.
6. The new policy is prepared and the kernel halts the traffic and starts queuing all incoming traffic.
7. The Atomic load takes place. This process should take a fraction of a second.
8. The queue is released and all of the packets are handled by the new policy.

NOTE: Additional steps may be included for debugging purposes.

Network Address Translation

Network Address Translation (NAT) and Network Address Port Translation (NAPT) are the two primary technologies traditionally used as methods to hide networks so that actual IP addresses are not revealed or required to be publicly routable. This reduces the need for more publicly routable IPs, and allows access to internal (sometimes non-routable) resources from an external network.

How NAT Works

NAT is regarded as an infrastructure of services used, for example, to create clustering solutions, security servers, office mode connections, etc.

Table 6: NAT Infrastructure Features

• INSPECT rules and tables
• NAT Rule Base is efficient
• Performed on the first packet
• Dual NAT (automatic rules)
• Rule priorities

When NAT is defined on a network object, NAT rules are automatically added to the NAT Rule Base. Those rules are called Automatic NAT rules. NAT is translated during policy installation to tables and performed on the first packet of the connection. The NAT Rule Base is very efficient and can match two NAT rules on the same connection. This is called bi-directional NAT and only applies for Automatic NAT rules.

NOTE: Even though NAT merges two Automatic NAT rules into one, this feature may be disabled and NAT rules may be manually defined for additional options.

NAT rules are prioritized according to the list below:

1. Manual/Pre-Automatic NAT
2. Automatic Static NAT
3. Automatic Hide NAT
4. Post-Automatic/Manual NAT rules

Hide NAT Process

Consider first the original packet. When the packet arrives at the Inbound interface, it is inspected by the Security Policy. If accepted, the packet is entered into the Connections table.
The first packet of the connection is matched against the NAT rules. The packet is translated if a match is found. Then the packet arrives at the TCP/IP stack of the Firewall Module machine and is routed to the Outbound interface.

Figure 20 — Hide NAT

During the NAT Rule Base traversal, both NAT source and destination are decided. However, they are actually performed at the following locations:

• src nat on the server side
• dst nat depending on the relevant GUI property

The reply packet arrives at the Inbound interface of the Firewall machine. The packet is passed by the Security Policy since it is found in the Connections table. The packet's destination, which is the source of the original packet, is translated according to the NAT information. This takes place because the packet was translated in the initial connection. The packet arrives at the TCP/IP stack of the Firewall machine and is routed to the Outbound interface. The packet goes through the Outbound interface and its source, the destination of the original packet, is translated according to the information in the NAT tables. The packet then leaves the Firewall machine.

Manual NAT

Many organizations prefer to define their own NAT rules rather than relying on the system generated rules. There are also certain situations when manual NAT rules must be used, such as when:

• Rules exist that are restricted to specified destination IP addresses and to specified source IP addresses.
• Both source and destination IP addresses translate in the same packet.
• Static NAT occurs in only one direction.
• Rules exist that only use specified services (ports).
• IP addresses translate for dynamic objects.

The NAT Rule Base is processed one rule at a time from top to bottom, similarly to the Firewall Rule Base.
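The rule priorities, the first-packet decision, bi-directional (Automatic-only) NAT and the Hide NAT reply handling described above, as one added example that is not part of the original manual or of Check Point's code. It models a NAT Rule Base as a sorted, top-down list and a Hide NAT port pool; the addresses, the pool starting port and the rule set are constructed for the example, and the mapping of reply destinations back to the original client is kept per translated source rather than per connection, a simplification.

```python
"""Toy NAT Rule Base: rules are tried top-down in priority order, the decision
is taken on a connection's first packet, two Automatic rules can be combined
on one connection (bi-directional NAT), and Hide NAT allocates a source port
so the reply can be mapped back. Added illustration, not Check Point code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Priority order from the text; sorted() is stable, so Manual rules keep the
# order the administrator gave them within their group.
PRIORITY = {"manual_pre": 0, "auto_static": 1, "auto_hide": 2, "manual_post": 3}

Packet = Tuple[str, int, str, int]   # src IP, src port, dst IP, dst port


@dataclass
class NatRule:
    kind: str                        # key of PRIORITY
    orig_src: str                    # CIDR matched against the Original Packet
    orig_dst: str
    xlate_src: Optional[str] = None  # None = leave unchanged (a "no NAT" rule)
    xlate_dst: Optional[str] = None
    service: Optional[int] = None    # destination port, None = any
    hide: bool = False               # many-to-one: also rewrites the source port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.orig_src)
                and ip_address(dst) in ip_network(self.orig_dst)
                and (self.service is None or self.service == dport))


class NatGateway:
    HIDE_PORT_START = 10000          # constructed start of the hide-port pool

    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = sorted(rules, key=lambda r: PRIORITY[r.kind])
        self.next_port = self.HIDE_PORT_START
        # (translated src IP, translated src port) -> (original src IP, port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def decide(self, src: str, dst: str, dport: int
               ) -> Tuple[Optional[NatRule], Optional[NatRule]]:
        """One traversal decides both the source and destination translation.
        A Manual rule ends the traversal; Automatic rules may be paired."""
        src_rule = dst_rule = None
        for rule in self.rules:
            if not rule.matches(src, dst, dport):
                continue
            if rule.kind.startswith("manual"):
                return rule, rule
            if rule.xlate_src and src_rule is None:
                src_rule = rule
            if rule.xlate_dst and dst_rule is None:
                dst_rule = rule
            if src_rule and dst_rule:
                break
        return src_rule, dst_rule

    def translate_first_packet(self, pkt: Packet) -> Packet:
        """Apply the decision to the connection's first packet and remember
        how to undo the source translation for replies."""
        src, sport, dst, dport = pkt
        src_rule, dst_rule = self.decide(src, dst, dport)
        if dst_rule and dst_rule.xlate_dst:
            dst = dst_rule.xlate_dst
        if src_rule and src_rule.xlate_src:
            new_src, new_sport = src_rule.xlate_src, sport
            if src_rule.hide:
                new_sport, self.next_port = self.next_port, self.next_port + 1
            self.reverse[(new_src, new_sport)] = (src, sport)
            src, sport = new_src, new_sport
        return src, sport, dst, dport

    def translate_reply(self, pkt: Packet) -> Packet:
        """The reply's destination is the original packet's translated source;
        map it back from the table instead of re-matching the rule base."""
        src, sport, dst, dport = pkt
        dst, dport = self.reverse.get((dst, dport), (dst, dport))
        return src, sport, dst, dport


def example_gateway() -> NatGateway:
    """Constructed rule base, deliberately listed out of order: a Manual no-NAT
    rule between two internal networks, an Automatic Static NAT for one
    server (one rule per direction) and an Automatic Hide NAT for the network."""
    return NatGateway([
        NatRule("auto_hide", "10.1.1.0/24", "0.0.0.0/0",
                xlate_src="203.0.113.1", hide=True),
        NatRule("auto_static", "10.1.1.50/32", "0.0.0.0/0", xlate_src="203.0.113.50"),
        NatRule("auto_static", "0.0.0.0/0", "203.0.113.50/32", xlate_dst="10.1.1.50"),
        NatRule("manual_pre", "10.1.1.0/24", "10.2.2.0/24"),   # no translation
    ])


if __name__ == "__main__":
    gw = example_gateway()
    print(gw.translate_first_packet(("10.1.1.5", 40000, "10.2.2.9", 80)))
    print(gw.translate_first_packet(("10.1.1.5", 40000, "198.51.100.7", 80)))
    print(gw.translate_reply(("198.51.100.7", 80, "203.0.113.1", 10000)))
```

A packet from 10.1.1.5 to the Static NAT address 203.0.113.50 shows the bi-directional case: the Automatic Hide rule rewrites its source and the Automatic Static rule rewrites its destination on the same connection, whereas the Manual no-NAT rule, placed first by priority, stops the traversal for internal-to-internal traffic.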
Therefore, Manual NAT rules must be placed in the right order to be applied correctly. Manual NAT rules are added to the NAT Rule Base either above or below any already existing Automatic NAT rules. For example, in the figure below, the first NAT rule was manually created and the other NAT rules were automatically generated based on the NAT settings applied to the respective network objects. The Manual NAT rule is placed at the top of the NAT Rule Base so that it is the first rule to be matched. The Automatic NAT rules can be identified by the comments section, where the automatic comment "Automatic rule (see the network object data)" is applied to each one.

Figure 21 — Manual NAT Example

The NAT Rule Base consists of two main section headings: one for the Original Packet before NAT is applied by the Firewall and the other for the Translated Packet after the Firewall has applied NAT. The processing order for the overall inspection and routing of packets by the Security Gateway is as follows:

1. Firewall — Inspection of the Original Packet.
2. NAT — Translate the IP and/or port number as required.
3. Routing — Forward the resulting packet.

When configuring Manual NAT in Global Properties, check the Translate destination on client side checkbox in the Manual NAT rules section.

Figure 22 — Global Properties for NAT Rules

Proxy ARP for Manual NAT

For Manual NAT rules, it is necessary to configure proxy ARPs to associate the translated IP address. A proxy ARP allows the Security Gateway to answer ARP queries for a network address that is located on that same network.
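A consistency check for the proxy ARP requirement introduced here, added as an example and not part of the original manual or of Check Point's code. It takes the translated (public) addresses used by Manual NAT rules and reports which of them the gateway would not answer ARP for: neither listed in the $FWDIR/conf/local.arp file that the following steps describe, nor configured as an interface alias. The local.arp line layout "<IP> <MAC>" and all sample data below are assumptions made for the example.

```python
"""Report translated NAT addresses that have no proxy ARP source on the
gateway. Added illustration, not Check Point code; the local.arp layout
'<IP> <MAC>' per line and the sample data are assumptions."""
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Set

# Constructed local.arp content: translated IP and the MAC of the gateway's
# external interface, one pair per line, '#' starts a comment.
SAMPLE_LOCAL_ARP = """\
# translated IP        MAC of external interface
203.0.113.50   00:50:56:AA:BB:01
203.0.113.51   00:50:56:aa:bb:01
198.51.100.9   00:50:56:aa:bb:01
"""

# Constructed interface configuration: primary address plus one alias
# (an alias is what 'add interface eth0 alias ...' in Clish creates).
SAMPLE_INTERFACES = {"eth0": ["203.0.113.1/24", "203.0.113.60/24"]}

# Constructed translated destination addresses taken from Manual NAT rules.
SAMPLE_TRANSLATED_IPS = ["203.0.113.50", "203.0.113.51", "203.0.113.52",
                         "203.0.113.60", "198.51.100.9"]


def parse_local_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac}; a malformed line raises so that a typo does not
    silently leave an address unanswered."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"local.arp line {lineno}: expected '<IP> <MAC>'")
        ip, mac = parts
        ip_address(ip)                       # raises on an invalid address
        entries[ip] = mac.lower()
    return entries


def alias_addresses(interfaces: Dict[str, List[str]]) -> Set[str]:
    """Addresses the OS answers ARP for by itself: primary and alias IPs."""
    return {str(ip_interface(a).ip) for addrs in interfaces.values() for a in addrs}


def missing_proxy_arp(translated_ips: List[str], local_arp_text: str,
                      interfaces: Dict[str, List[str]]) -> List[str]:
    """Translated IPs with no proxy ARP source, plus covered IPs that lie
    outside every external subnet (proxy ARP only helps on a network the
    gateway is attached to). Sorted so the report is stable."""
    covered = set(parse_local_arp(local_arp_text)) | alias_addresses(interfaces)
    nets = [ip_interface(a).network for addrs in interfaces.values() for a in addrs]
    problems = []
    for ip in translated_ips:
        if ip not in covered:
            problems.append(f"{ip}: no local.arp entry and no interface alias")
        elif not any(ip_address(ip) in net for net in nets):
            problems.append(f"{ip}: not on any external subnet")
    return sorted(problems)


if __name__ == "__main__":
    for line in missing_proxy_arp(SAMPLE_TRANSLATED_IPS, SAMPLE_LOCAL_ARP, SAMPLE_INTERFACES):
        print(line)
```

Run against the sample data it flags 203.0.113.52, which appears in a NAT rule but nowhere else, and 198.51.100.9, which has a local.arp entry but is not on the gateway's external subnet; the addresses covered by local.arp or by the alias pass.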
The ARP proxy is aware of the location of the traffic's destination, offering its own MAC address as the destination. When the data is received from the external network, the Security Gateway forwards the data to the relevant host on the internal network.

The configuration of proxy ARPs is necessary for situations such as when a manual Static NAT rule has been created and the Security Gateway does not answer the ARP requests for the Static NAT'd IP address in the Manual NAT rule. Another situation would be when a Security Gateway replies to ARP requests with an incorrect MAC address, mostly for the NAT traffic.

In situations where incoming connections are required to a specific internal host, additional public IP addresses which are necessary for use with Manual NAT rules can be added as Secondary IP addresses (or aliases). The IP addresses are added on the external interface of the Gaia operating system through either the Gaia WebUI or through Clish using the following command:

add interface eth0 alias

This will create the automatic proxy ARP in the Gaia operating system, which is needed to accept the connections for the required public IP addresses used as objects in the NAT Rule Base configuration.

To configure a proxy ARP:

1. Match the IP addresses of the relevant hosts on the internal network to the MAC address of the Security Gateway on the external network. This is saved in the $FWDIR/conf/local.arp file.
2. Create the relevant Manual NAT rules.
3. Install the Security Policy.

Lab 1.6 Configuring Manual NAT

Firewall Administration

In addition to understanding the Firewall kernel structure, it is important to familiarize yourself with the configuration file structure and the commands typically used for troubleshooting problems. To begin with, let's consider how the Firewall configuration files are broken down. The main sub-groupings of configuration files are divided into directories located under /opt.
• CPsuite-R80 — Manages Firewall modules (R75.20 - R80). CPsuite is the generic installation.
• CPshrd-R80 — Stores what used to be called SVN foundation, including the cpd database, licenses, registry and generic low level Check Point infrastructure (not version related).
• CPEdgecmp-R80 — Manages Edge devices.

The /lib and /conf directories store definition files that are important to take into consideration. For instance, the $FWDIR/lib/*.def files include Rule Base and protocol definitions. User definitions are stored in $FWDIR/conf/fwauth.NDB and Security server configuration settings are stored in $FWDIR/conf/fwauthd.conf. $FWDIR/conf/classes.C defines fields for each object used in the objects_5_0.C file, such as color, num/string and default value.

Though the $FWDIR/database/ directory on the Management server has no relevancy, this directory is particularly noteworthy on the gateway itself, where specific object entries are stored for that particular gateway. There are different ways to view and edit database files such as these.

• dbedit — A command line utility on the Management server itself.
• GuiDBedit.exe — An executable tool on the Windows-based GUI client machine under: C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM

NOTE: The objects_5_0.C file is still used for legacy gateways on R77.20 and older. The database for R80.10 is located in PostgreSQL. x86 was added to the path because most computers now run in 64-bit mode.

Common Commands

• cpconfig — This command is used to run a command line version of the Check Point Configuration tool and configure or reconfigure a Security Gateway/Management installation.
• cplic print — Located in $CPDIR/bin, this command prints details of Check Point licenses on the local machine. cplic print -s prints the licenses with signatures and cplic del deletes a license.
• cpstart — This command is used to start all Check Point processes and applications running on a machine.
• cpstop — This command is used to terminate all Check Point processes and applications running on a machine.

The commands cpstop and cpstart actually call the fwstop and fwstart scripts for all Check Point products, including the Firewall stop/start scripts located in $FWDIR/bin. These are scripts that run when you perform cpstop, cpstart and cprestart with different flags. cprestart is an internal command used for Dynamically Assigned IP (DAIP) devices, such as Edge devices. Not all Check Point processes are brought down when cprestart is used; therefore, cpstop and cpstart should always be used.

FW Monitor

The Check Point tool fw monitor is a packet analyzer tool which is on every Check Point Security Gateway and is essential for packet capture and Firewall traffic analysis. It provides kernel level inspection, but will not run in promiscuous mode. fw monitor works for layers 3 and above in the OSI network layer stack. The syntax is the same regardless of the platform and supports the .cap output format used in the Ethereal and Wireshark packet analyzer tools.

Figure 23 — fw monitor

The easiest way to use fw monitor is to invoke it without any parameters. However, in a busy system, running fw monitor without any filters can create a great deal of output and makes the analysis difficult. Filter expressions are used to specify packets to be captured and limit the amount of output. The general syntax is:

fw monitor -e "accept <expression>;" -o <filename>

Filter expressions include:

• host(<IP address>)
• net(<network>, <netmask>)
• port(<port>)

NOTE: Check Point recommends turning off SecureXL (fwaccel off) when using fw monitor to avoid misleading traffic captures. If SecureXL is on, the tool will only show non-accelerated packets. SecureXL is discussed in a later chapter.
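An offline reader for fw monitor text output, added here as an example that is not part of the original manual or of Check Point's code. It groups the lines of one packet by IP id, orders them through the four inspection points i, I, o and O that the "C2S Connections and S2C Packets" section below explains, and reports where the addresses change: a destination rewritten between i and I is Static NAT, a source rewritten between o and O is Hide NAT, and a packet that never reaches all four points was dropped or not captured. The capture below is constructed, and the one-line-per-inspection-point layout "<iface>:<point>[<len>]: <src> -> <dst> (<proto>) ... id=<n>" that the parser expects is an assumption of this example; check it against a real capture before relying on it.

```python
"""Group fw monitor text output by IP id and name the translation seen on
each packet's path through i, I, o, O. Added illustration, not Check Point
code; the line layout and the sample capture are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

POINT_ORDER = {"i": 0, "I": 1, "o": 2, "O": 3}   # pre/post Inbound, pre/post Outbound

# Assumed layout: "<iface>:<point>[<len>]: <src> -> <dst> (<proto>) ... id=<n>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\).*?\bid=(?P<id>\d+)"
)

# Constructed capture: packet 1001 is a C2S packet hidden behind 203.0.113.1
# (Hide NAT), packet 2002 is an inbound packet to a Static NAT'd web server,
# packet 3003 is seen only at i and never leaves the Inbound chain.
SAMPLE_CAPTURE = """\
eth1:i[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=1001
eth1:I[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=1001
eth0:o[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=1001
eth0:O[60]: 203.0.113.1 -> 198.51.100.7 (TCP) len=60 id=1001
eth0:i[60]: 198.51.100.9 -> 203.0.113.50 (TCP) len=60 id=2002
eth0:I[60]: 198.51.100.9 -> 10.1.1.50 (TCP) len=60 id=2002
eth1:o[60]: 198.51.100.9 -> 10.1.1.50 (TCP) len=60 id=2002
eth1:O[60]: 198.51.100.9 -> 10.1.1.50 (TCP) len=60 id=2002
eth0:i[60]: 198.51.100.9 -> 203.0.113.51 (TCP) len=60 id=3003
"""

Hop = Tuple[str, str, str, str]   # inspection point, interface, src, dst


def parse_capture(text: str) -> Dict[str, List[Hop]]:
    """Group hops by IP id and sort each packet's hops in i, I, o, O order;
    lines that do not match (TCP/UDP detail lines, blanks) are skipped."""
    hops: Dict[str, List[Hop]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hops[m["id"]].append((m["point"], m["iface"], m["src"], m["dst"]))
    return {pid: sorted(h, key=lambda x: POINT_ORDER[x[0]]) for pid, h in hops.items()}


def classify(hops: List[Hop]) -> str:
    """Name the translation seen on one packet's path through the kernel."""
    seen = {p for p, *_ in hops}
    if seen != set(POINT_ORDER):
        missing = "".join(p for p in "iIoO" if p not in seen)
        return f"incomplete path (missing {missing}); dropped or not captured"
    by_point = {p: (s, d) for p, _, s, d in hops}
    if by_point["i"][1] != by_point["I"][1]:
        return "destination rewritten at I (Static NAT)"
    if by_point["o"][0] != by_point["O"][0]:
        return "source rewritten at O (Hide NAT)"
    return "no translation"


def report(text: str) -> Dict[str, str]:
    """Verdict per IP id for a whole capture."""
    return {pid: classify(h) for pid, h in parse_capture(text).items()}


if __name__ == "__main__":
    for pid, verdict in report(SAMPLE_CAPTURE).items():
        print(pid, verdict)
```

Capturing with SecureXL still on would make accelerated connections look like packet 3003 (present at some points, absent at others), which is the "misleading capture" the note above warns about; the incomplete-path verdict is the cue to check fwaccel state before reading anything into the gap.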
For example, to capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

For more fw monitor capture examples, refer to sk30583.

C2S Connections and S2C Packets

fw monitor captures packets as they enter and leave the Firewall kernel and when the packet enters and leaves the Inbound and Outbound chains. In the case of Client-to-Server (C2S) communication, a client designated as Host1, according to the policy, sends traffic destined for a web server located behind the Firewall. Since the traffic is permitted passage through the Firewall based on the policy Rule Base, the packet must traverse and be inspected by both chains of the Firewall.

The command fw monitor works by loading a special filter that is applied to suspicious packets. This filter is different from the INSPECT filter used to implement a Rule Base. Where the Rule Base determines which packet is accepted, rejected or dropped, the INSPECT filter generated by fw monitor simply captures kernel packet flows. You can capture everything through the kernel using fw monitor, or even a particular type of traffic or source.

Once fw monitor is executed, the specified INSPECT filter is compiled and loaded to the kernel. Any parameters following accept in the fw monitor command will be displayed by fw monitor. The same filter is executed on all interfaces in all directions. The fw monitor output uses specific expressions to explain the location of the packet as it moves
through the Firewall.

Figure 24 — C2S and S2C Connections

There are four inspection points as a packet passes through the kernel:

• i — Before the virtual machine, in the Inbound direction (pre-Inbound)
• I — After the virtual machine, in the Inbound direction (post-Inbound)
• o — Before the virtual machine, in the Outbound direction (pre-Outbound)
• O — After the virtual machine, in the Outbound direction (post-Outbound)

In our C2S scenario, i represents the packet as it left the client. The I represents the packet already checked against the tables and Rule Base. In the case of Static NAT, the destination IP address will be changed. The o means the packet is before the Outbound kernel (same as I) and O means the packet is in the Outbound kernel chain, as it will appear at the web server. In the case of Hide NAT, the source IP address will be different here.

For packets traveling from Server-to-Client (S2C), the inspection points are the reverse. I could be the NAT'd packet on its way out of the Inbound chain in the Firewall in the case of Static NAT. At this point, the packet has already been checked by the tables and Rule Base. The O is the packet as it will appear to the client.

Review Questions

1. What is CPUSE and what is it used for?
2. Name at least three Stateful features provided with the Connections table.

Lab 1.1: Upgrading to R80.10

This lab illustrates how to perform an upgrade of a Security Management Server from R77.30 to R80.10. You will export the configuration of your old server to a Windows machine before installing a new R80.10 server. Once the fresh installation of the new OS is complete, you can then import the rules, objects, and settings of the previous server into the database of the new, upgraded server. Once the upgrade of the Security Management Server is complete, use CPUSE to upgrade a Security Gateway.

Tasks:

• Save the database information.
• Access the migrate file and transfer via SSH/SCP.
• Perform a clean installation of R80.10 Security Management Server.
• Configure the Security Management Server.
• Install R80.10 SmartConsole.
• Import the database.
• Upgrade the Security Gateway.

Performance Objectives:

• Use the migrate export command to prepare to upgrade a Security Management Server.
• Perform an installation of a Security Management Server.
• Use the migrate import command to populate the database of a Security Management Server.
• Perform an upgrade of Security Gateways in a clustered environment.

Migrating Management Server Data

Export the rules and objects off of the existing Security Management Server so that they can be imported into the new server.

1. From A-GUI, open a Web browser and use HTTPS to connect to A-SMS (10.1.1.101):

Figure 25 — Gaia Portal

2. Use the following credentials to log into the Gaia Portal on A-SMS:
   Username: admin
   Password: Chkp!234
3. In the navigation pane, click User Management > Users.
4. Use the information below to create a new user:
   Real Name: scpadmin
   Password: Chkp!234
   Home Directory: /home/scpadmin
   Shell: /bin/bash
   Assigned Roles: adminRole
   Access Mechanisms: Web, Command Line
5. Click OK.
6. Close the web browser.
7. From A-GUI, use the following credentials to log into WinSCP and connect to the A-SMS:
   Host Name: 10.1.1.101
   User Name: scpadmin
   Password: Chkp!234

Figure 26 — WinSCP Login

8. In WinSCP, confirm that the left pane displays the local directory and the right pane displays the remote directory.
9. In the right pane, navigate to the /var/tmp directory of the old R77.30 Security Management Server:

Figure 27 — WinSCP Directories Displayed
10. In the left pane (local directory), browse to the location of the Upgrade Tools.

NOTE: Ask your instructor for the location and name of the upgrade tools file. By default, the upgrade tools are called: pi_upgrade_tools.tgz

11. Move the file from A-GUI to the /var/tmp directory on A-SMS, and the system displays the following window:

Figure 28 — Upload

12. Click the Transfer Settings button, and configure the transfer to be in Binary mode:

Figure 29 — Binary Mode

13. Click OK.
14. Click OK, to continue the file transfer.
15. Highlight the copied file in the right pane of WinSCP and right-click.
16. From the Context Menu, select Custom Commands > UnTar/GZip.

Figure 30 — Special Commands - UnTar/GZip

17. Click OK, to extract the directory to the following location: /var/tmp
18. After the extraction completes, verify that the following folder now appears in /var/tmp: migrate_tool

Figure 31 — migrate_tool Folder

19. From the WinSCP window, click the PuTTY Login button.
20. PuTTY logs into the A-SMS server (10.1.1.101) at the /home/scpadmin directory.

Figure 32 — PuTTY Session

NOTE: If you are asked to enter the password for scpadmin, enter the following: Chkp!234

21. Verify that all consoles are closed by issuing the following command: cpstat mg

Figure 33 — cpstat mg

NOTE: The Connected Clients list should be empty. If it is not, execute the cpstop command to force close all open clients.
22. Change to the following directory by executing the following command: cd /var/tmp/migrate_tool
23. Type the following command and press Enter, to view the contents of the folder: ls

Figure 34 — migrate_tool Folder

24. Type the following command: ./migrate export A-SMS-from-r7730-to-r8010.tgz
25. Press Enter, to run the script. The system asks the following question:

Figure 35 — Warning

26. Type y, and press Enter. The system exports the data, creates the export file, and identifies its location on the server.

Figure 36 — Export Complete

NOTE: The time it takes for this process to complete may vary depending on the size of your Security Policy, the number of objects in the database, and database revisions. Once complete, the system provides the location of the exported file and returns to the Expert mode command prompt.

27. Minimize the PuTTY window.
28. While still in the PuTTY session on A-SMS, initiate an FTP session back to A-GUI (10.1.1.201).
29. Type the following commands and press Enter, to prepare to transfer the file:
   bin
   hash
30. Type the following command, and press Enter: put A-SMS-from-r7730-to-r8010.tgz

NOTE: You may want to transfer the file using WinSCP instead of FTP. Just be sure to use Binary Mode for the transfer.

31. Verify that the A-SMS-from-r7730-to-r8010.tgz file has been transferred to A-GUI.
32. In the PuTTY session to A-SMS, issue the following command: shutdown now -h

Figure 37 — shutdown now -h

33. Exit PuTTY.
34. Verify that the A-SMS virtual machine is powered down.

Installing the Security Management Server

Install the R80.10 Management Server. It will manage the Security Gateway cluster for this site.
1. In VMware, verify that the settings for the new A-SMS Virtual Machine are defined as follows:
   • Name: A-SMS
   • Memory: 10GB
   • Processors: 4
   • Hard Disk: 80GB
   • CD/DVD (SATA): Points to the R80.10 ISO
   • Network Adapter: One Interface
     - Connected
     - Connect at power on
     - LAN Segment: LAN 1

NOTE: Your classroom configuration may be different. Check with your instructor before continuing to the next step.

2. Power on the A-SMS virtual machine, and the Welcome to Check Point Gaia R80.10 screen appears:

Figure 38 — Welcome to Check Point Gaia R80.10

3. Within 60 seconds, highlight the option Install Gaia on this system.
4. Press the Enter key.

Figure 39 — Welcome

5. At the Welcome screen, highlight OK, and press Enter.
6. Select the keyboard to suit your region.
7. At the Partitions Configuration screen, modify the Logs partition to be 30GB.

Figure 40 — Partitions Configuration

8. At the Account Configuration screen, enter and confirm Chkp!234 as the password for the OS level admin account.

NOTE: Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.

9. Tab to OK, and press Enter.
10. Use the following information to configure the Management Interface (eth0) screen:
   IP Address: 10.1.1.101
   Netmask: 255.255.255.0
   Default Gateway (IP): 10.1.1.1

Figure 41 — Management Interface (eth0) Configured

11. Select OK, and press Enter. The system displays the Confirmation screen.
12. In the Confirmation screen, select OK, and press Enter to proceed. After the drive is formatted and the installation is complete, the system displays the Installation Complete screen:

Figure 42 — Installation Complete
13. Press Enter to reboot A-SMS.

Configuring the Security Management Server Using the Gaia Portal

Follow these steps to configure the primary Security Management Server for your configuration.

1. From the A-GUI virtual machine, launch an Internet browser.
2. In the address field, type the following: https://10.1.1.101

NOTE: Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before you are able to connect. Both the GUI client machine (A-GUI) and the Security Management Server (A-SMS) reside on LAN 2, if you are following the recommended classroom topology. Consult your instructor if you are using a different configuration.

3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.

NOTE: Ignore this warning and continue to the site.

4. Log into A-SMS with the following credentials:
   Login: admin
   Password: Chkp!234
5. Press Enter, and the system displays the following message:

Figure 43 — R80.10 First Time Configuration

6. Click Next, and the system displays the Deployment Options page.
7. Verify that the following option is selected: Continue with Gaia R80.10 configuration
8. Click Next, and the system displays the Management Connection window:

Figure 44 — Network Connection

9. Use the information below to verify that the Security Management Server's network connection is configured properly:
   Interface: eth0
   Configure IPv4: Manually
   IPv4 Address: 10.1.1.101
   Subnet Mask: 255.255.255.0
   Default Gateway: 10.1.1.1
   Configure IPv6: Off
10. Click Next, and the system displays the Device Information window.
11. Use the following information to configure the Device Information window:
Host Name: A-SMS
Domain Name: alpha.cp
Primary DNS Server: 192.168.11.101
Figure 45 — Device Information Configured

NOTE
Check Point prohibits the use of underscores in object names.

12. Click Next, and the system displays the Date and Time Settings window.
13. Select the option Use Network Time Protocol (NTP).
14. In the Primary NTP server field, type 192.168.11.101.
15. Select the correct Time Zone for your location:
Figure 46 — Date and Time Settings Configured
16. Click Next, and the system displays the Installation Type window:
Figure 47 — Network Configuration-Host Name Options
17. Select Security Gateway or Security Management, and click Next. The system displays the Products window.
18. In the Products window, clear the Security Gateway option.
19. Use the information below to configure the Products window:
Products: Security Management
Advanced: Define Security Management as Primary

NOTE
Clear the Security Gateway option before continuing. This option must NOT be selected.

20. Verify that the Products window is configured as follows:
Figure 48 — Products Configured
21. Click Next, and enter newadmin for the Administrator name.
22. Enter and confirm Chkp!234 as the password:
Figure 49 — Security Management Administrator
23. Click Next, and confirm that the option Any IP Address is selected in the Security Management GUI Clients window.
24. Click Next, and the system displays the Summary page:
Figure 50 — Summary
25. Clear the following option:
Improve product experience by sending data to Check Point

NOTE
Though this option is recommended, it is not necessary in our lab. We are not in a production environment and only have a limited connection to the Internet.

26. Click Finish, and the system prompts you for a response to the following question:
Figure 51 — First Time Configuration Wizard Message
27. Click Yes, and the system proceeds with the configuration:
Figure 52 — Summary (Progress)
28. Once complete, a message displays indicating that the configuration was successful:
Figure 53 — Message
29. Click OK, and the Gaia Portal displays the configuration settings of the newly configured Security Management Server:
Figure 54 — Check Point Gaia Portal-Security Management Server Configured
30. In the System Maintenance section, click Messages.
31. Enter the following for the Banner Message:
A-SMS
Unauthorized access of this server is prohibited and punishable by law.
Figure 55 — Messages Configured
32. Click Apply.
Figure 56 — Users
34.
Click the Add button, and the system displays the Add User window:
Figure 57 — Add User
35. Use the following information to configure the new user:
Login Name: adminbash
Password: Chkp!234
Real Name: Adminbash
Home Directory: /home/adminbash
Shell: /bin/bash
Access Mechanisms: Web, Command Line
Assigned Roles: adminRole
Figure 58 — Add User Configured

NOTE
When you log into the Security Management Server as adminbash, the correct shell is now available for adminbash to connect and transfer files. There is no longer a need to specifically define the shell in the command line. Since this is an OS level user, you must perform this action on every module on which you want the adminbash user defined.

36. Click OK, and the system adds the new user to the Users page:
Figure 59 — Users

Installing SmartConsole
In this section, you will install SmartConsole on the A-GUI virtual machine.
1. In the navigation pane of Gaia Portal, click Overview.
2. On the Overview page, click the Download Now button to download the SmartConsole installer file:
Figure 60 — Web Portal-Overview

NOTE
You may need to reacquire the configuration lock before downloading the application. The system will prompt you, if this is necessary.

3. Save the installer file to the Downloads folder of A-GUI.
4. Browse the Downloads folder and locate the SmartConsole.exe file:
Figure 61 — Downloads Folder
5. Double-click the SmartConsole.exe file. The Welcome screen displays.
Figure 62 — Welcome
6. Select the option confirming you agree to the Check Point End User License Agreement.
7. Click Install, to begin the installation process. The system displays installation progress information:
Figure 63 — Installation
8. Verify that the system displays the Thank You window once the installation completes.
9. Click the Finish button, to complete the SmartConsole installation.
10. Log into A-SMS with the following credentials:
Login: newadmin
Password: Chkp!234
IP Address: 10.1.1.101
11. Click Login, and the system displays the Fingerprint for verification:
Figure 64 — Fingerprint
12. Click Proceed, and the system displays the Welcome to SmartConsole R80.10 page:
Figure 65 — Welcome to SmartConsole
13. Close the What's New window.
14. In the Gateways & Servers tab of SmartConsole, identify that there are no Security Gateways managed by this Security Management Server:
Figure 66 — Gateways & Servers
15. In the navigation pane, click Security Policies:
Figure 67 — Security Policies
16. Verify that no rules are present in the Rule Base and that only the A-SMS object is present, as is typical in a default installation before the Security Policy is configured.
17. Close SmartConsole.
Importing the Check Point Database
Use the migrate import command to load the objects, rules, and settings from the previous server into the newly configured R80.10 one.
1. From A-GUI, use the following information to connect to the newly configured Security Management Server via WinSCP:
Host Name: 10.1.1.101
User Name: adminbash
Password: Chkp!234
Figure 68 — WinSCP Login

NOTE
In Gaia, the User Name and Password are both case sensitive.

2. Click Login, and WinSCP logs into A-SMS.
3. In the right pane, navigate to the following location:
/var/log
4. In the toolbar, click New > Directory:
Figure 69 — Create Folder

NOTE
An alternative method to performing the import from the /var/log location would be to move the migrate file into the upgrade_tools folder and perform the import from that location.

5. Name the new folder Migrate.
6. Click OK.
7. In the left pane of WinSCP, verify that the following file is visible:
A-SMS-from-r7730-to-r8010.tgz
8. In the right pane of WinSCP, verify that the Migrate folder is visible:
Figure 70 — WinSCP
9. Using Binary mode, copy the A-SMS-from-r7730-to-r8010.tgz file from its location on A-GUI to the Migrate folder on A-SMS:
Figure 71 — Copy

NOTE
When transferring files, make sure you configure the transfer settings to work in Binary mode.

10. Exit WinSCP after the file transfer is complete.
11. Once the file is copied to the server, log into A-SMS (10.1.1.101).
12. To enter Expert Mode, type the following and press Enter:
expert

NOTE
The system asks you to set the Expert Mode password because, as a new installation, this value is not currently configured.

13. Execute the following command to set the Expert Mode password:
set expert-password
14. Enter and confirm the following as the Expert Mode password:
Chkp!234
Figure 72 — set expert-password
15. Next, type the following command and press Enter:
expert
16. Enter and confirm the following as the Expert password:
Chkp!234
17. Type the following command, and press Enter, to change the directory to the location of the imported file:
cd /var/log/Migrate
18. Execute an ls command to verify that the file is present:
Figure 73 — ls
19. Type the following command, and press Enter, to change the directory to the migration tool application:
cd $FWDIR/bin/upgrade_tools
Figure 74 — Change Directories
20. Execute an ls command to verify that the migrate file function is present:
Figure 75
21. To import the file into the new Security Management Server, type the following command:
./migrate import /var/log/Migrate/A-SMS-from-r7730-to-r8010.tgz
22. Press Enter, and the system warns you that services must be stopped.
23. Type y, and press Enter. The system unzips the file and imports the configuration. Once complete, it displays the following question:
Figure 76 — Question
24. Press Enter, to restart Check Point services.
25. Wait for the services to start before proceeding to the next section.

Launching SmartConsole and Reconfiguring Existing Security Policies
Launch SmartConsole and connect to the Security Management Server.
1. From the Start menu on A-GUI, click All Programs > Check Point SmartConsole R80.10, and the system displays the login window.
2.
Use the following information to configure the Login window:
User Name: newadmin
Password: Chkp!234
IP Address: 10.1.1.101
Figure 77 — Login Window
3. Click the Login button, and the login attempt should fail:
Authentication to server failed.
Figure 78 — Check Point SmartConsole

NOTE
The login failure confirms that the database import completed successfully, because newadmin was not configured in the imported policy.

4. Use the following information to log in:
User Name: admin
Password: Chkp!234
IP Address: 10.1.1.101
5. Click the Login button, and SmartConsole displays the Gateways & Servers tab:
Figure 79 — Gateways & Servers
6. In the navigation pane, click Security Policies:
Figure 80 — Security Policies
7. Verify that the rules and objects previously configured on the old server are present.
8. Edit the Alpha-Net group object and add an "s" to its name.
9. Edit the A-GW-Cluster object.
10. In the navigation pane of A-GW-Cluster, select Cluster Members.
11. In the object properties of each member gateway, use sic123 as the one-time password to reset SIC:
Figure 81 — Communication
12. Verify that the Version setting on the General Properties page is the following:
R80.10
Figure 82 — General Properties Configured
13. In the Network Management page, click the Get Interfaces button.
14. Click OK.
15. Click Publish, to commit the changes to the database:
Figure 83 — SmartConsole
16. Click the Install Policy button in the Alpha Standard Policy Package, and the system displays the Install Policy window:
Figure 84 — Install Policy

NOTE
If the Threat Prevention option is selected, clear it before installing the Security Policy.

17. As the policy installation is proceeding, identify the Recent Tasks pop-up window displayed by the system in the bottom left of SmartConsole.
18. For the Policy Installation task, click the Details link. The system displays the following window:
Figure 85 — Install Policy Details
19. Confirm that the Alpha Standard policy was successfully installed on both A-GW-Cluster members.
20. Close the Install Policy Details window.
21. Next, edit the B-GW object.
22. Reset SIC using the one-time password of sic123:
Figure 86 — Trusted Communication
23. Click OK, and the system displays the Get Topology Results window:
Figure 87 — Get Topology Results
24. Click Close.
25. In the General Properties page, verify that the B-GW displays a Version of R77.30:
Figure 88 — General Properties Configured
26. Click OK.
27. In the toolbar, click the Application Menu button.
28. Select Global Properties.
29. Verify that the following settings are defined:
• Accept ICMP First
• Log Implied Rules
Figure 89 — Global Properties
30. Click OK.
31. In the Alpha Security Policy, remove the B-GW object from the Stealth Rule:
Figure 90 — Stealth Rule Modified
32. Next, publish and install the Alpha Security Policy:
Figure 91 — Policy Installation in Progress
33. Click the + tab, to view the recent policies available to view:
Figure 92 — Recent Policies
34. Select Bravo_Standard, and the system displays the following:
Figure 93 — Bravo_Standard Tab
35. In the Bravo_Standard Security Policy page, click the Install Policy button:
Figure 94 — Install Policy
36. Click Install, to install the Bravo_Standard Security Policy.
37.
Confirm that the Security Policy for Bravo installed successfully:
Figure 95 — Install Policy Details
38. In the navigation pane, select the Gateways & Servers tab.
39. Confirm that all Check Point modules show a status of OK:
Figure 96 — Gateways & Servers

END OF LAB 1.1

Lab 1.2: Applying Check Point Hotfixes
In this lab, you will use the CPUSE utility to patch an existing R77.30 gateway.
Tasks:
• Locate the CPUSE Identifier for the necessary upgrade
• Install the hotfix on the Security Gateway
Performance Objectives:
• Perform an on-line jumbo hotfix application to a remote Security Gateway

Locating the CPUSE Identifier
Locate the hotfixes available for an R77.30 Security Gateway.
1. In SmartConsole, define a new Host object with the following information:
Name: A-GUI-NAT
Comment: NATed Alpha SmartConsole
Color: Orange
IP Address: 203.0.113.1
Figure 97 — New Host Configured
2. Click OK, and the system displays the following warning:
Multiple objects have the same IP address 203.0.113.1. Do you wish to save the changes anyway?
Figure 98 — SmartConsole
3. Click Yes.
4. In the Bravo Security Policy, add the new Host to the Source field of the Management rule:
Figure 99 — Bravo Security Policy Configured
5. Publish the changes.
6. Install the Bravo Security Policy.
7. From A-GUI, use HTTPS to log into the Gaia Portal on B-GW (203.0.113.100):
Figure 100 — Gaia Portal
8. In the navigation pane, locate the Upgrades (CPUSE) section.
9.
In the navigation pane, select Status and Actions. The system displays the following page:
Figure 101 — Status and Actions
10. Identify the hotfix to apply.

Installing the Hotfix on the Security Gateway
Apply the recommended hotfix to update the Bravo Security Gateway.
1. From the filtered list, select the hotfix to apply.
2. In the main toolbar, click the More button.
3. Select the following option, and the system begins the update process:
Install update

NOTE
When the system finishes the installation of the hotfix, it reboots automatically.

END OF LAB 1.2
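The import procedure in Lab 1.1 warns that the export archive must be copied to /var/log/Migrate in Binary mode, and the ./migrate import command (step 21) only reports a damaged archive after it has already stopped Check Point services. The POSIX shell script below is an added example, not code from the manual or from Check Point: it checks the copied archive with gzip and tar before the import is started, so an ASCII-mode or interrupted transfer is caught while the server is still running. The function names check_migrate_archive, make_sample_archive and simulate_bad_transfer are this example's own, and the tiny archive it builds is a constructed stand-in for a real migrate export.

```shell
#!/bin/sh
# Added example (not part of the Check Point manual): sanity-check a migrate
# export archive after it has been copied with WinSCP and before
# "./migrate import" is run from $FWDIR/bin/upgrade_tools.
# A transfer in text/ASCII mode, or one that was cut short, damages the gzip
# stream; "migrate import" would only fail after services were already stopped.

# check_migrate_archive FILE
# Returns 0 when FILE is a readable gzip-compressed tar archive with the
# expected extension, 1 (with a reason on stderr) otherwise.
check_migrate_archive() {
    f="$1"
    # migrate export produces a .tgz, e.g. A-SMS-from-r7730-to-r8010.tgz
    case "$(basename "$f")" in
        *.tgz|*.tar.gz) ;;
        *) echo "refusing: $f does not look like a migrate .tgz archive" >&2; return 1 ;;
    esac
    [ -s "$f" ] || { echo "refusing: $f is missing or empty" >&2; return 1; }
    # gzip -t walks the whole compressed stream and verifies its CRC, which is
    # exactly what an ASCII-mode (CR/LF-rewriting) or partial transfer breaks.
    gzip -t "$f" 2>/dev/null || {
        echo "refusing: gzip integrity check failed for $f (re-copy in Binary mode)" >&2
        return 1
    }
    # The tar index must also be listable; a gzip-valid non-tar file is still useless.
    tar -tzf "$f" >/dev/null 2>&1 || { echo "refusing: $f is not a tar archive" >&2; return 1; }
    return 0
}

# make_sample_archive OUTFILE
# Builds a tiny constructed stand-in for a migrate export so the check can be
# exercised offline. The member file name is only illustrative.
make_sample_archive() {
    d="$(mktemp -d)"
    printf 'constructed sample, not a real export\n' > "$d/sample.C"
    tar -czf "$1" -C "$d" sample.C
    rm -rf "$d"
}

# simulate_bad_transfer GOODFILE OUTFILE
# Mimics an interrupted copy by keeping only the first 12 bytes: the gzip
# header survives, the compressed payload and its CRC do not.
simulate_bad_transfer() {
    dd if="$1" of="$2" bs=1 count=12 2>/dev/null
}

# Stand-alone usage on the management server, from the upgrade_tools directory:
#   sh check_migrate.sh /var/log/Migrate/A-SMS-from-r7730-to-r8010.tgz \
#       && ./migrate import /var/log/Migrate/A-SMS-from-r7730-to-r8010.tgz
if [ "$#" -eq 1 ]; then
    check_migrate_archive "$1" && echo "OK: $1 passed integrity checks"
fi
```

Chaining the check with && in front of ./migrate import means the import never starts on an archive that would fail to unpack, which keeps the server's services up and lets you simply re-copy the file in Binary mode and try again.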
