2. VPN-1/FireWall-1 NG
Management I
Course Description
Objectives
Identify the basic components of VPN-1/FireWall-1
NG
Successfully configure VPN-1/FireWall-1 NG (NT
and/or Solaris)
Identify the VPN-1/FireWall-1 NG elements that you
will need to manage
Successfully create and manage management
objects
Demonstrate how to use the: Security Policy, Log
Viewer, and System Status
Successfully apply NAT rules
Successfully demonstrate the ability to authenticate
users
3. VPN-1/FireWall-1 NG
Management I
Course Layout
Course Requirements
Prerequisites
Check Point Certified Security
Administrator (CCSA)
4. Course Requirements
The course is geared towards
System administators
Support analysts
Network engineers
5. Pre-requisites
Each delegate should have :
General knowledge of tcp/ip
Working knowledge of Windows and/or
Unix
Working knowledge of network
technology
Working knowledge of the Internet
6. Checkpoint Certified Security
Administator (CCSA)
The exam is wide ranging and covers
all aspects of Checkpoint Firewall 1
NG. Some of the topics can be found
on pages 2-3, however all
documentation covered on the course
CD should be reviewed including
PDFs
7. VPN-1/FireWall-1 NG
Management I
Course Map
Module 1: VPN-1/FireWall-1 NG
Architecture
Module 2: Security Policy Rule Base and
Properties Setup
Module 3: Advanced Security Policy
Module 4: Log Management
Module 5: Authentication Parameters:
User, Client, and Session Authentication
11. VPN-1/FireWall-1 NG
Management I
VPN-1/FireWall-1 NG System
Requirements
Management Client
Platform : Windows 9x, ME, NT 4.0,
Windows 2000 Pro.
Disk Space : 40 Mbytes
Memory : 128 Mbytes
Network I/f : All interfaces supported
: by Operating System
12. VPN-1/FireWall-1 NG
Management I
VPN-1/FireWall-1 NG System
Requirements
Firewall-1 NG FP2 Modules on Windows
Platform
OS : Windows NT and
Windows 2000
Processor : Intel Pentium II 300+ MHz
or equivalent
Disk Space : 40 Mbytes
Memory : 128 Mbytes
Network I/F : All interfaces supported
: by Operating System
13. VPN-1/FireWall-1 NG
Management I
VPN-1/FireWall-1 NG System Requirements
Management Server or Firewall-1 Module on
Solaris
OS : Solaris 7 (SunOS 5.7)
Solaris 8 (SunOS 5.8)
CPU Architecture Solaris 7 - 32 Bit mode
Solaris 8 – 32 Bit & 64 Bit
mode
Disk Space : 40Mbytes (software
installation only)
Memory : 128 Mbytes
CPU : 360 MHz
Required OS : Check latest release notes
Patches for requd. patches
14. VPN-1/FireWall-1 NG
Management I
VPN-1/FireWall-1 NG System
Requirements
Management Server or Firewall-1 Module
on a Linux Platform
OS : Red Hat Linux 6.2 and 7.0
CPU Architecture 32 bit and 64 bit
Disk Space : 40 Mbytes
Memory : 128 Mbytes
CPU : Intel Pentium II 300+ MHz
16. Module 1:
Introduction
Objectives
Describe the purpose of a firewall
Describe and compare firewall architectures
Identify the different components of
VPN-1/FireWall-1 NG
18. Module 1:
Check Point Product Overview
Securing the Internet
An emerging requirement
Securing Networks, Systems, Application and
Users
19. Module 1
Secure Virtual Network (SVN) is a true
security architecture
Integrates multiple capabilities, including
firewall security, VPNs, IP address
management etc, all within a common
management framework
enables security to be defined and
enforced in a single policy incorporating
all aspects of network security
20. Module 1
Emerging requirements
To enjoy benefits of an eBusiness model
a robust security infrastructure needs to
be deployed
Integrating the security infrastructure
with application environment
providing full security for eBusiness
allowing easily established and maintained
trusted relationships
21. Module 1
SVN Architecture designed to meet
the challenges of eBusiness
connects the four elements common to
any enterprise network
Networks
Systems
Applications
Use
25. Module 1:
Internet Firewall Technologies
A firewall is a system designed to
prevent unauthorised access to or from a
secured network
act as a locked security door between internal
and external networks
data meeting certain criteria will be allowed
through
However, note that a firewall can only
protect a network from traffic filtered
through it
26. Module 1
Stateful Inspection Technology
invented by CheckPoint Software
Technologies
utilises the INSPECT Engine
Programmable using the INSPECT language
Provides for system extensibility
Dynamically loaded into the OS kernel
Intercepts and inspects all inbound and
outbound packets on all interfaces
Verifies that packets comply with the security
policy
27. Module 1:
Firewall Technologies
Packet Filters
Application-Layer Gateway
Stateful Inspection
VPN-1/FireWall-1 NG Enforcement Module
INSPECT Language
VPN-1/FireWall-1 NG Advantages
28. Module 1:
Packet Filtering Path in the OSI Model
31. Module 1:
VPN-1/FireWall-1 NG Enforcement Module
32. Module 1:
How VPN-1/FireWall-1 NG FP-1 Works
INSPECT Allowing Packets
if a packet passes inspection,the Firewall
Module passes packets through the TCP/IP
stack to their destination
if packets are destined for the OS local
processes, are inspected then passed through
the TCP/IP stack
if packets do not pass inspection, they are
rejected, or dropped and logged.
36. Module 1
Management Module
security policy is defined using the policy
editor on the Management client
it is then saved to the Management
module
Management Module maintains FW-1 NG
databases including
network object definitions
user definitions
security policy
log files
37. Module 1
VPN-1/Firewall-1 NG Enforcement
Module
deployed on the Internet gateway
an Inspection script written in INSPECT is
generated from the security policy
inspection code is compiled from the
script and downloaded to the
enforcement module
38. Module 1
SVN Foundation
CheckPoint SVN Foundation NG (CPShared) is
the Operating System integrated with every
CheckPoint product
All CheckPoint products use the CPOS services
via CPShared
The SVN Foundation includes :
Secure Internal Communications (SIC)
CheckPoint registry
CPShared daemon
Watch Dog for critical services
Cpconfig
License utilities
SNMP daemon
39. Module 1:
Secure Internal Communication (SIC)
Communication Components
Security Benefits
SIC Certificates
Communication Between Management
Modules and Components
Communication Between Management
Modules and Management Clients
40. Module 1
Communication Components
SIC secures communication between
CheckPoint SVN components such as
management modules
management clients
VPN-1/Firewall 1 NG modules
customer log modules
SecureConnect modules
policy servers
OPSEC applications
41. Module 1
Security Benefits of SIC
confirms a management client
connecting to a management modules is
authorised
verifies that a security policy loaded on a
firewall module came from an authorised
management module
SIC ensures that data privacy and
integrity is maintained
42. Module 1
SIC Certificates
SIC for CheckPoint VPN uses certificates
for authentication and standards-based
SSL for encryption
enables each CheckPoint enabled
machine to be uniquely identified
certificates are generated by the Internal
Certificate of Authority (ICA) on the
Management module
a unique certificate is generated for each
physical machine
43. Module 1
Communication between Management
Modules and Components
the ICA automatically creates a certificate
for the Management module during
installation
certificates for other modules are created
via a simple initialisation from the
Management Client
upon initialisation, the ICA creates, signs
and delivers a certificate to the
communication component
44. Module 1
Communication between Management
Modules and Management Clients
the management client must be defined as
authorised
when invoking the Policy Editor on the
Management client, the user is asked :
to identify themselves
specify the IP address of the Management Module
the Management Client then initiates an SSL
based connection
the Management Module verifies the Client’s IP
address
Management Module sends back it’s certificate
45. Module 1:
Distributed VPN-1/FireWall-1 NG
configuration showing the components
with certificates
48. Module 1:
Review Question #1:
What is Stateful Inspection?
Class Discussion
49. Module 1:
Review Question #2:
Why is Stateful Inspection more reliable
than packet filtering and application layer
gateways for protecting networks?
Class Discussion
50. Module 1:
Review Question #3:
What process does VPN-1/FireWall-1 NG
use to accept, drop, or reject packets?
The NG Enforcement Module
51. Module 1:
Review Question #4:
What three components make up
VPN-1/FireWall-1 NG?
The Policy Editor
The Management Server
The Enforcement Point
52. Module 1a
Installation of VPN-1/Firewall-1
module
Installation of Management Module
Installation of Management Client
53. Module 1a:
Pre-installation Configuration
Network Configuration
ensure network is properly configured
(especially, routing)
on WinNT & Solaris enable IP
routing/forwarding
for WinNT, disable the NetBUI protocol (not an
IP protocol so not intercepted by Firewall-1)
environment variables are set automatically
(via the installation wrapper) on WinNT,
Win2000 & Solaris
54. Module 1a:
VPN-1/FireWall-1 NG Client-Server
Configuration
a distributed installation is supported
55. Module 1a:
Installing VPN-1/FireWall-1 NG
Enforcement Module and
Management Module on Windows NT
Server
62. Module 2:
Introduction
Objectives
Explain the function and operation of a
Security Policy.
Demonstrate the creation of network objects
and groups, using the Management Client.
Demonstrate the setup of anti-spoofing on the
firewall.
Demonstrate the setup and operation of an
active Security Policy.
63. Module 2
Key Terms
Security Policy
Rule Base
Rule Base Elements
spoofing
anti-spoofing
implicit rules
explicit rules
implicit-drop rule
64. Module 2:
Security Policy Defined
What is a Security Policy?
a set of rules that defines network security
Considerations
what kind of services, including customised
services and sessions are allowed across the
network
what users’ permissions and authentication
schemes are needed
what objects are in the network e.g. gateways,
hosts, networks, routers and domains
65. Module 2:
Check Point Policy Editor
enables administrators to define security
policy
66. Module 2:
Access Control for Administrators
Concurrent Sessions
only one administrator with read/write
permissions can be logged in at any one time
Management Module Fingerprint
at the first log-on to a management server, the
management client will receive the
management server’s fingerprint
this can be checked against a copy of the
fingerprint for verification
67. Module 2:
Rule Base Defined
Rule Base Elements
the individual components that make up a rule
No.
Source
Destination
If/Via
Services
Action
Track
Install on
Time
Comment
68. Module 2
Rule Base Defined Ctd.
Rule Base Element Options
to customise the element options in
the rule base
71. Module 2:
VPN-1/FireWall-1 NG Licensing
License Types
central – the license is linked to the IP number
of the management server
local – tied to the IP number to which the
license will be applied
Obtaining Licenses
locate certificate key on the CD cover of the
CP CD
contact www.checkpoint.com - selecting User
Center to obtain eval or permanent license
Check Point User Center
72. Module 2:
SecureUpdate
Made up of two components – Installation
Manager and License Manager
allows tracking of currently installed versions
of CP and OPSEC products
updating of installed CP and OPSEC software
remotely from a centralised location
centrally managing licenses
75. Module 2:
Detecting Spoofing
Spoofing is a technique used by intruders
attempting to gain unauthorised access
a packet’s source IP address is altered to
appear to come from a part of the network with
higher privileges
Anti-spoofing verifies that packets are
coming from, and going to, the correct
interfaces on the gateway
i.e. packets claiming to originate in the internal
network, actually DO come from that network
76. Module 2
Detecting Spoofing
Configuring Anti-Spoofing
networks reachable from an interface need to
be defined appropriately
should be configured on all interfaces
spoof tracking is recommended
anti-spoofing rules are enforced before any
rule in the Security Policy rule base
78. Module 2:
Creating the Rule Base
Basic Rule Base Concepts
each rule in a rule base defines the packets
that match the rule based on Source,
Destination, Service and the Time the packet is
inspected
the first rule that matches a packet is applied
79. Module 2
The default rule
added when you add a rule to the Rule
Base
80. Module 2:
The Basic Rules
Cleanup Rule
CP follows the principle “that which is not
expressly permitted, is prohibited”
all communication attempts not matching a
rule will be dropped
the cleanup rule drops all the communication
but allows specific logging
81. Module 2
The Basic Rules
The Stealth Rule
prevents users from connecting directly to the
firewall
83. Module 2:
Implicit and Explicit Rules
Completing the Rule Base
Firewall-1 NG creates implicit rules derived
from the policy properties and includes
explicit rules created by the user in the Policy
Editor
Understanding Rule Base Order
viewing implied rules will show both sets of
rules merged in the correct sequence
86. Module 2:
Command Line Options for the
Security Policy
Basic Options
cpstart/cpstop starts and stops all CP
applications running on the machine
cplic print displays the details of the Firewall
licenses
fwstart/fwstop starts and stops the Firewall
NG module, firewall daemon (fwd),
management module (fwm), SNMP daemon
(snmpd) and authentication deamons
88. Module 2:
Review Question #1:
What are the steps for creating and
enforcing a Security Policy?
Name your policy, add rules with objects,
install the policy
89. Module 2:
Review Question #2:
What is the difference between implicit
and explicit rules?
Implicit (or pseudo) rules are created by
VPN-1/FireWall-1 NG, and are derived
from the security properties.
Explicit rules are created by the user.
90. Module 2:
Review Question #3:
What order are policies and rules
matched?
Policies and rules are matched in order
on the Rule Base, one rule at a time.
92. Module 3:
Introduction
Objectives
Demonstrate how to perform the following:
Hide and unhide rules
View hidden rules
Define a rule mask
Apply rule masks
Show how to install and uninstall a Security
Policy
93. Module 3:
Introduction
Objectives (continued)
List the guidelines for improving
VPN-1/FireWall-1 NG performance, using a
Security Policy
Key Term
masking rules
94. Module 3:
Masking Rules
Overview
rules in a rule base can be hidden to allow
easier reading of a complex rulebase (masking
rules)
all other rules will be visible however their
numbers wont change
hidden rules are still enforced on the gateway
95. Module 3
Masking Rules
Viewing Hidden Rules
if View Hidden in the Rules>Hide menu is
checked, all rules set as hidden are displayed
Unhiding Hidden Rules
select Unhide All from the Rules>hide menu
96. Module 3:
Disabling Rules
Disabling Rules
a disabled rule will only take effect after the
security policy is reinstalled
the rule will still be displayed in the policy
editor rulebase
Enabling a Disabled Rule
select the disabled rule and right click
select Disable Rule to deselect
remember to reinstall the policy
97. Module 3:
Uninstalling a Security Policy
Steps for Uninstalling a Security Policy
select Policy>Uninstall from the Security
Policy Editor main screen
click Select All to select all items on the
screen (specific items may be deselected)
click OK
98. Module 3:
Guidelines for Improving
VPN-1/FireWall-1 NG Performance via
a Security Policy
Management Module
listing machine names and IP addresses in a
hosts file will decrease installation time for
created network objects
/etc/hosts (Solaris)
winntsystem32drivershosts (Windows)
99. Module 3
Guidelines for Improving
VPN-1/FireWall-1 NG Performance via
a Security Policy
Enforcement Module
keep the rulebase simple
position the most frequently used rules at the
top of the rulebase
don’t log unnecessary connections
use a network object in place of many
workstation objects
use IP address ranges in rules instead of a set
of workstations
101. Module 3:
Review Question #1:
If a rule is masked or hidden, is it
disabled and no longer part of the Rule
Base?
No, masked or hidden rules are still part of
the Rule Base, and are installed when a
Security Policy is installed.
102. Module 3:
Review Question #2:
When you select a rule, and then select
“Disable Rule(s)” from the menu, what
must you also do before the rule is
actually disabled?
Install the Security Policy
103. Module 3:
Review Question #3:
How does masking help you maintain a
Rule Base?
Discussion
104. Module 3:
Review Question #4:
Define some guidelines for improving
VPN-1/FireWall-1 NG’s performance via a
Security Policy.
Discussion
106. Module 4:
Introduction
Objectives
Identify the three display modes of the Log
Viewer
Identify and define Status Manager icons
Assign network objects to display in Status
Manager
Enable automatic updating of Status Manager
107. Module 4:
Introduction
Objectives (continued)
Specify selection criteria and save log files
Describe the steps needed to block an intruder
List the three blocking scope options and their
uses
Describe how block request is used
109. Module 4:
Log Viewer
provides visual tracking, monitoring and
accounting information
provides control over the log files display
allows quick access to information
any event which causes an alert is
logged, including some system events
such as an install of a policy
111. Module 4
Log Viewer
Kernel Side
FWD merges log fragments producted the
FW-1 Kernel components into one log record
each log record is stamped with a Log
Unificiation Unique ID (LUUID)
Server Side
FWD transfers the log record to the log
database (fw.log) on the log
server/management module
a single connection is represented by one
entry in the log viewer
112. Module 4
Log Viewer
Log Viewer Logon
Select Window>Log Viewer from the security
policy main menu
Data (Column) Fields
the administrator can specify which of the
available data fields (columns) to display
Column Menu
right clicking anywhere in the column of the
log viewer will invoke the column menu
114. Module 4
Log Viewer
Log Types
there are seven types of log which can be
displayed from the toolbar
general predefined selection
firewall-1 predefined selection
account predefined selection
FloodGate-1 predefined selection
SecureClient predefined selection
UA Webaccess predefined selection
115. Module 4
Log Viewer
Log Viewer Mode
there are three different predefined selection
views
log mode
active mode
audit mode
116. Module 4:
Log Viewer (continued)
Log File Management
the File menu allows the administrator to
perform the following tasks :
Log Switch
Open
Save as
Purge
Print
Export
117. Module 4:
Configuring the Security Policy for
Logging
System-wide logging and alerting
Global Properties window allows an
administrator to define system-wide logging
and alert parameters for options such as
VPN successful key exchange
VPN packet handling errors
VPN configuration and key exchange
errors etc.
118. Module 4:
Blocking Connections
Terminating a Connection with Block
Intruder
it is possible to block an active connection
using the source IP address
the scope of the blocked connection can be
block only this connection
block access from this source
block access to this destination
120. Module 4:
Status Manager
Status Manager Logon
Working with the Status Manager
Interface
Modules View
Module Status
Product Details Windows
Critical Notifications
123. Module 4:
Review Question #1:
What are the three display modes of Log
Viewer?
Log
Audit
Active
124. Module 4:
Review Question #2:
What are the three blocking scope
options and their uses?
Block only this connection
Block access from this source IP
Block access to this destination
125. Module 4:
Review Question #3:
What option could you use to block an
intruder whose connection ID is known?
Block request
127. Module 5:
Introduction
Objectives
Demonstrate how to implement authentication.
Demonstrate the process of creating users
and groups.
Demonstrate the setup of authentication
parameters.
128. Module 5:
Introduction
Objectives (continued)
Demonstrate how to implement user authentication,
using various authentication schemes.
List types of services supported by
VPN-1/FireWall-1 NG requiring user name and
password.
Demonstrate how to implement client
authentication.
Demonstrate how to implement session
authentication.
130. Module 5:
Understanding Authentication
User Authentication
grants access on a per user basis
can be used for Telnet, FTP, RLOGIN, HTTP
requires separate authentication for each
connection
131. Module 5:
Understanding Authentication
Session Authentication
requires authentication for each connection
can be used with any service
requires a Session Authentication Agent
132. Module 5
Understanding Authentication
Client Authentication
grants access on a per host basis
allows connections for a specific IP address
after successful authentication
can be used for any number of connections
can be used for any service
most commonly used authentication method
134. Module 5:
User Authentication Overview
user authentication provided by the
security servers on the gateway
when a rule specifies user authentication
the corresponding security server is
invoked (TELNET, FTP, HTTP and
RLOGIN
if authentication is successful the
security server opens a separate
connection to target server
138. Module 5:
HTTP User Authentication with a
VPN-1 & FireWall-1 Password
139. Module 5:
Telnet User Authentication with a
VPN-1 & FireWall-1 Password
(Optional)
140. Module 5:
FTP User Authentication with a
VPN-1 & FireWall-1 Password
(Optional)
141. Module 5:
Client Authentication
How Client Authentication Works
enables administrators to grant access
privileges to a specific IP address
authentication is by username and password,
but access is granted to the host machine (IP)
can be used for any number of connections,
for any service, for any length of time
143. Module 5:
Sign On Methods
Source Field
sources field in the User Properties window
may specify that the user is not allowed
access from the source address – but the rule
allows access. This field specifies how to
resolve the problem
Destination Field
destination field in the User Properties window
may specify that that the user is now allowed
access to the destination address. This field
specifies how to resolve that problem
144. Module 5
Sign On Methods
Required Sign On
Standard Sign On – user is allowed to use all
the services permitted by the rule for the
authorisation period
Specific Sign On
only connections that match the original
connection are allowed without additional
authentication
145. Module 5
Sign on Methods
Sign On Method
Manual – the user has to initiate Client
Authentication by
telnet to port 259
http to port 900
Partially Automatic Client Authentication
Fully Automatic Client Authentication
Agent Automatic Sign On
Single sign on
146. Module 5
Sign on Methods
Successful Authentication Tracking
logging option for Client Authentication
attempts for the session
148. Module 5:
Additional Features of Single Sign On
Single Sign On For Multiple Users
privileged user can sign on and off on behalf
of other users
User Authority SecureAgent
extends UA capabilities to the LAN by having
the SecureAgent on the desktop
149. Module 5:
Single Sign On Example Network
User on Localnet would normally TELNET to port 259 on London and
authenticate then request access to BigBen. With the single sign on system
extension anther user can open the connection to BigBen in advance on behalf
of a user on Localnet
150. Module 5:
Additional Features of Client
Authentication
Redirection of HTTP Requests According
to Host Header
it is possible to configure Firewall-1 to
complete the connection according to the
destination specified in the HTTP host header
used when several http hosts share the
same virtual IP address
151. Module 5
Additional Features of Client
Authentication
Authorizing All Standard Sign on Rules
Firewall-1 will automatically open all standard
rules after successful authentication through
partial or fully automatic sign on
if user successfully authenticates according to
an automatic sign on rule all standard sign on
rules which specify that user and source are
opened.
152. Module 5:
Session Authentication Overview
How Session Authentication Works
based on a pre-session authentication method
can be integrated with any application
CP Session Agent must be loaded on the
client machine
authentication performed by the daemon
module
153. Module 5:
Session Authentication
1. User initiates a
connection directly to
the server
2. Firewall-1 Inspection
module intercepts the
connection and
connects to
Session Authentication
agent
3. Session agent prompts
for authentication data
and returns this to the
inspection module
4. if successful, Firewall-1
module allows the
connection to pass
through the gateway
156. Module 5:
Review Question #1:
What are the three types of
VPN-1/FireWall-1 NG authentication?
User Authentication
Client Authentication
Session Authentication
157. Module 5:
Review Question #2:
When you want a user to authenticate
once, and then be able to use any service
until logging off, which authentication
type would you use?
Client Authentication
158. Module 5:
Review Question #3:
When defining user authentication, where
do you add the authentication rule-above
or below the stealth rule?
Below the stealth rule
159. Module 5:
Review Question #4:
What is the advantage of using session
authentication, over client authentication
and user authentication?
The advantage session authentication has over
user authentication is that session authentication
can be used with any service.
The advantage session authentication has over
client authentication is that the user is prompted
automatically with session authentication, where
client authentication encompasses a manual
process the user has to remember.
160. Module 5:
Review Question #5:
Why would the client authentication rule
need to be placed above the stealth rule?
Client authentication requires a connection made
to the firewall, that the stealth rule prevents, so
either the client rule must be above the stealth
rule to allow the connection, or a rule must be
placed above the client authentication rule that
allows connections to port 259/900 on the
firewall.
162. Module 6:
Introduction
Objectives
List the reasons and methods for Network
Address Translation
Demonstrate how to set up Static NAT
Demonstrate how to set up Dynamic (Hide)
NAT
Describe basic network configurations using
NAT
164. Module 6
Network Address Translation
NAT conceals internal computers from
outside networks
as a component of VPN-1/Firewall-1 it is
used for three things :
to make use of private IP addresses on the
internal network
to limit external network access for security
reasons
to give ease and flexibility to network
administration
165. Module 6:
NAT
IP Addressing
RFC 1918 details the reserved address groups
Class A network numbers
– 10.0.0.0 – 10.255.255.255
Class B network numbers
– 172.16.0.0 – 172.31.255.255
Class C network numbers
– 192.168.0.0 – 192.168.255.255
166. Module 6
Network Security
additional benefit of NAT is increased network
security
internal host can connect both inside and
outside intranet
external unknown host outside the
network cannot connect to internal host
external connections with a spoofed
internal address will be recognised and
prevented from gaining access
internal public servers are made available
with inbound mapping of well know TCP
ports to specific internal addresses
167. Module 6
Network Administration
VPN-1/Firewall-1 supports two types of NAT
Static NAT
Dynamic (Hide) NAT
Static NAT
translates each private address to a
corresponding public address
two modes, static source and static
destination
168. Module 6
Static Source NAT
translates private internal source IP addresses
to a public external source IP address
initiated by internal clients with private IP
address
170. Module 6:
Address Translation Using Static Source
Mode
171. Module 6
Static Destination NAT
translates public addresses to private
addresses
initiated by external clients
172. Module 6:
Address Translation Using Static
Destination Mode
173. Module 6:
Address Translation Using Static
Destination Mode
174. Module 6
Dynamic (Hide) NAT
used for connections initiated by hosts in
an internal network where the hosts’ IP
addresses are private
private internal addresses are hidden
behind a single public external address
uses dynamically assigned port numbers
to distinguish between them
176. Module 6
Dynamic (Hide) NAT Ctd.
hide mode packets’ source port numbers are
modified
destination of a packet is determined by the port
number
port numbers are dynamically assigned from two
pools of numbers :
from 600 to 1023
from 10,000 to 60,000
hide mode cannot be used for protocols where
the port number cannot be changed or where the
destination IP address is required
178. Module 6
Hiding behind 0.0.0.0
if the administrator specifies 0.0.0.0 as the
hide address, all clients will be hidden behind
the firewall’s server side interface
180. Module 6:
Automatic and Manual NAT Rules
NAT Rules
NAT rules consist of two elements
the conditions that specify when the rule is
to be applied
the action to be taken when the rule is
applied
each section in the NAT Rule Base Editor is
divided into Source, Destination and Service
181. Module 6
Automatic and Manual NAT Rules
NAT Rules
the action is always the same
translate source under original packet to
source under translated packet
translate destination under original packet
to destination under translated packet
translate service under original packet to
service under translated packet
182. Module 6
Network Address Translation Properties
several properties can be applied to
automatically generated NAT rules
these are enabled by default in new
installations however disabled by default when
upgrading from previous versions
these properties can be configured in the
network address translation page of the Global
Properties window
IP Pools
IP Pool NAT Track
Address Translation and Routing
183. Module 6
Network Address Translation Properties
(Ctd)
Allow Bi-directional NAT
the firewall will check all of the rules to see
if a source in one rule and destination in
another rule match
firewall will take the first source rule and
the first destination rule that are found to
match, applying both rules concurrently
184. Module 6
Network Address Translation Properties
(Ctd)
Translate destination on client side
prior versions of Firewall performed NAT
on the server side, requiring special anti
spoofing and internal routing
Automatic ARP configuration
ARP tables on the gateway are
automatically configured, enabling ARP
requests for a NATed machines, network
or address range are answered by the
gateway
185. Module 6
IP Pools
a range of IP addresses routable to a gateway
encrypted connections opened to a host will
have a substituted IP address from the IP Pool
for the source IP address
must be routable back to the gateway
186. Module 6:
Address Translation Example-
Gateway with Two Interfaces
Routing
the router routes IP addresses in the network
199.203.73.0 to the gateway
the gateway routes IP address 192.203.73.3 to
the internal interface (10.0.0.1)
the gateway routes IP addresses 199.203.73.64
through 199.203.73.80 to the internal interface
(10.0.0.1)
188. Module 6:
Address Translation Example-
Gateway with Three Interfaces
Routing
ensure router routes IP address in the network
192.45.125.0 to the gateway
the gateway should be able to route IP address
172.45.125.209 to the internal interface
(195.9.200.1)
192. Module 6:
Address Translation and
Anti-Spoofing
anti spoofing is performed correctly for
automatically generated NAT rules
(provided it is allowed in the Global
Properties)
there will be a conflict between anti-
spoofing and NAT if NAT takes place at
the server side
to correct the problem, add the translated
(i.e the Valid address) is added to the
public addresses on the Internal Interface
196. Module 6:
Review Question #1:
What is NAT?
Replacing one IP address in a packet with
a different IP address.
197. Module 6:
Review Question #2:
What is the reason for using NAT, as
related to IP addressing?
To conceal the network’s internal IP
addresses from the Internet
To translate private addresses to public
addresses, and back
198. Module 6:
Review Question #3:
What is the NAT Rule Base?
Automatically generated and manually
entered NAT rules
