©2020 Check Point Software Technologies Ltd.
CHECK POINT CERTIFIED
SECURITY ADMINISTRATOR
R80.40 CCSA
Check Point: The Largest Global Cyber Security Company
Global Leader – 100,000+ Customers, 88+ Countries, 6,200+ Partners
Over 25 years of cutting edge technologies, Industry’s most visionary player
Traded on Nasdaq since 1996 - CHKP
5000+ Employees worldwide, top talent
Innovation leadership - more than twice the developers of closest competitor
TRUSTED BY FORTUNE 500 COMPANIES
Mission Statement
BUILDING SECURITY FOR THE FUTURE
SECURE ANY ENVIRONMENT WE OPERATE IN
DO IT EFFICIENTLY KEEPING THE ATTACKS OUTSIDE
Check Point Strategy
• Infinity architecture: Consolidated security platform providing full threat prevention across the organization
• New technology: Assist customers to securely innovate and grow by deploying new security technologies
• Broader reach: Provide more companies with the ability to prevent attacks
Best Threat Prevention Across Entire Enterprise
[Diagram: Consolidated Security Management and Shared Threat Intelligence spanning four domains: NETWORK (Perimeter & Data centers), CLOUD (Hybrid Cloud), ENDPOINT, and MOBILE.]
PREFACE
CCSA R80.40
Check Point CHECKMATES
CHECKMATES is a community of people passionate about cyber security!
It is an interactive platform with a large crowd of users where they can discuss various topics, talk about challenges they face, develop and share API tools and scripts, discuss benefits of products and solutions, exchange ideas, ask questions related to all Check Point products and services, and interconnect through local CheckMates Live (local user group) events.
To boost your professional career with Check Point, become a member of the CheckMates community and share your thoughts and experiences, follow technology trends, learn about the most recent products and features, and participate in your local CheckMates community. Use your UserCenter account to sign in and get started: https://community.checkpoint.com/
CCSA is recommended for the following professionals:
• System Administrators
• Support Analysts
• Network Engineers
CCSA Course Chapters
• Chapter 1: Introduction to Check Point Technology
• Chapter 2: Introduction to Check Point Deployment
• Chapter 3: Check Point Management Operations
• Chapter 4: Licensing
• Chapter 5: Security Policy Management
• Chapter 6: Policy Layers
• Chapter 7: Managing User Access
• Chapter 8: Working with NAT
• Chapter 9: Traffic Visibility
• Chapter 10: Monitoring System States
• Chapter 11: Security Events
• Chapter 12: Basic Concepts of VPN
• Chapter 13: Working with ClusterXL
• Chapter 14: Compliance Tasks
Check Point R80.40 CCSA Lab Topology
Site Alpha
• A-GW-01 (cluster member): Mgmt 10.1.1.2/24, Int 192.168.11.2/24, Sync 192.168.10.2/24, Ext 203.0.113.2/24, DMZ 192.168.12.2/24, Default GW 203.0.113.254
• A-GW-02 (cluster member): Mgmt 10.1.1.3/24, Int 192.168.11.3/24, Sync 192.168.10.3/24, Ext 203.0.113.3/24, DMZ 192.168.12.3/24, Default GW 203.0.113.254
• A-GW-Cluster (virtual IPs): Mgmt VIP 10.1.1.1/24, Int VIP 192.168.11.1/24, Ext VIP 203.0.113.1/24, DMZ VIP 192.168.12.1/24
• A-GUI (Management network): 10.1.1.201/24, Default GW 10.1.1.1
• A-SMS (Management network): 10.1.1.101/24, Default GW 10.1.1.1
• A-Host (Internal network): 192.168.11.201/24, Default GW 192.168.11.1
• A-LDAP (Internal network): 192.168.11.101/24, Default GW 192.168.11.1
• A-DMZ (DMZ network): 192.168.12.101/24, Default GW 192.168.12.1
Site Bravo
• B-GW: Mgmt interface disabled, Int 192.168.21.1/24, Sync interface disabled, Ext 203.0.113.100/24, Default GW 203.0.113.254
• B-Host (Internal network): 192.168.21.201/24, Default GW 192.168.21.1
Internet
• Router: 203.0.113.254/24, connecting the EXT segments of both sites
The diagram also labels the SYNC link between the two cluster members, the Management, Internal, DMZ and EXT segments, NAT on the external side, and gateway interfaces eth0 to eth4 without their network assignments.
THE ROLE OF THE SECURITY ADMINISTRATOR
Security administrators fill one of the most important roles in the information technology (IT) industry. They oversee issues related to IT security and ensure that organizations’ computer networks and systems remain protected from all types of cyber threats. This includes configuring policy and adding passwords to servers, setting up firewalls and anti-virus protection, and restricting what users can and cannot do on the network.
INTRODUCTION TO CHECK POINT TECHNOLOGY
Chapter One
Learning Objectives
• Describe the key elements of Check Point’s unified security management architecture.
• Learn how Check Point firewalls are managed and network traffic is monitored.
• Gain insight on how Check Point security features are enabled and policies applied.
Security Architecture
When connecting to the Internet, protecting the network against intrusion is of critical importance. The most effective way to secure the Internet link is to put a Firewall system between the local network and the Internet. The Check Point architecture has three main components:
• Security Management Server
• SmartConsole
• Security Gateway
Controlling Network Traffic
The Firewall, or the Security Gateway with a Firewall enabled, will deny or permit traffic based on rules defined in the Security Policy. The following technologies are used to deny or permit network traffic:
• Packet Filtering
• Stateful Inspection
• Application Layer Firewall
Packet Filtering
Handling individual packets, the packet filter firewall applies rules to determine whether a packet can be allowed or disallowed. The firewall examines each packet based on the following criteria:
• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port
Controlling Network Traffic
PACKET FILTERING
The most basic form of a Firewall. Packets include the following elements:
• Source address
• Destination address
• Source port
• Destination port
• Protocol
Controlling Network Traffic
STATEFUL INSPECTION
Technology developed and patented by Check Point.
• Examines the context of a packet.
• Monitors the state of the connection.
• Uses Check Point’s INSPECT Engine to extract state related information from the packet.
Controlling Network Traffic
How do Stateful Inspection and Packet Filtering differ?
Packet Filtering
• Examines the packet header
• Requires two rules for each connection
Stateful Inspection
• Examines the packet header and contents
• Only one rule required for each connection
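The difference between the two models is easiest to see by running the same packets through each. The following is an added example written for this page, not code from the Check Point course: a toy stateless packet filter and a toy stateful inspector with a state table keyed by the connection 5-tuple. The rule values are constructed for the demo; the addresses reuse the course lab networks, and the hosts 203.0.113.50 and 203.0.113.66 are invented.

```python
"""Added example (not from the Check Point course material): a toy packet
filter and a toy stateful inspector, side by side, to show why a stateless
filter needs a second rule for the reply half of every connection while a
stateful inspector needs only the rule that admits the first packet.
Rule and packet values are constructed for the demo; the addresses reuse the
course lab networks, and 203.0.113.50 / 203.0.113.66 are invented hosts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # a TCP SYN marks the first packet of a connection


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR of allowed sources
    dst: str                 # CIDR of allowed destinations
    proto: str
    dport: Optional[int]     # None matches any destination port
    action: str              # "accept" or "drop"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Compare only the header fields a packet filter can see."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def packet_filter(rules: list, pkt: Packet) -> str:
    """Stateless: every packet, replies included, is judged on its own header.
    First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


class StatefulInspector:
    """Stateful: only the first packet of a connection is checked against the
    rule base. An accepted connection is recorded in a state table keyed by its
    5-tuple, and later packets in either direction are matched against that
    table, so no separate rule for the reply direction is needed."""

    def __init__(self, rules: list):
        self.rules = rules
        self.state_table = set()

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def inspect(self, pkt: Packet) -> str:
        if self._key(pkt) in self.state_table or self._reverse_key(pkt) in self.state_table:
            return "accept"                      # part of an established connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"                        # mid-stream TCP with no known connection
        action = packet_filter(self.rules, pkt)  # new connection: consult the rule base
        if action == "accept":
            self.state_table.add(self._key(pkt))
        return action


# Constructed policy: the internal LAN may browse web servers on the external net.
OUTBOUND_WEB = Rule("192.168.11.0/24", "203.0.113.0/24", "tcp", 80, "accept")
# The stateless filter needs this second rule just to let replies back in, and
# it cannot tell a real reply from any other packet that uses source port 80.
RETURN_TRAFFIC = Rule("203.0.113.0/24", "192.168.11.0/24", "tcp", None, "accept")

CLIENT_SYN = Packet("192.168.11.201", "203.0.113.50", "tcp", 40000, 80, syn=True)
SERVER_REPLY = Packet("203.0.113.50", "192.168.11.201", "tcp", 80, 40000)
UNSOLICITED = Packet("203.0.113.66", "192.168.11.201", "tcp", 80, 445)  # never requested


def compare() -> dict:
    """Run the same packets through both firewall models."""
    inspector = StatefulInspector([OUTBOUND_WEB])
    return {
        "filter_reply_one_rule": packet_filter([OUTBOUND_WEB], SERVER_REPLY),
        "filter_reply_two_rules": packet_filter([OUTBOUND_WEB, RETURN_TRAFFIC], SERVER_REPLY),
        "filter_unsolicited": packet_filter([OUTBOUND_WEB, RETURN_TRAFFIC], UNSOLICITED),
        "stateful_syn": inspector.inspect(CLIENT_SYN),
        "stateful_reply": inspector.inspect(SERVER_REPLY),
        "stateful_unsolicited": inspector.inspect(UNSOLICITED),
        "state_table_entries": len(inspector.state_table),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

With a single rule the packet filter drops the server's reply; adding the return-traffic rule fixes that but also admits the unsolicited packet, because a stateless filter cannot know whether a packet with source port 80 answers anything. The stateful inspector needs only the outbound rule, accepts the reply because the connection is in its state table, and drops the unsolicited packet because no connection matches. That is the role of the state table the review question below asks about.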
Controlling Network Traffic
APPLICATION FIREWALL
Includes the traditional functions of Packet Filtering and Stateful Inspection.
• Provides granular level filtering, antivirus scanning, and access control.
• Inspects traffic through the lower layers of the TCP/IP model and up to and including the application layer.
Review Questions
1. What are the three main components of the Check Point Architecture?
2. Why are State tables key components of the Stateful Inspection technology?
3. What is the main purpose for Security Gateways?
INTRODUCTION TO
CHECK POINT
DEPLOYMENT
Chapter Two
Learning Objectives
• Understand Check Point deployment options.
• Describe the basic functions of the Gaia operating system.
Deployment Options
Check Point appliances and open servers are the two main options for deploying Check Point technology. Deployment covers the steps typically involved in bringing new software or hardware into a production environment. Options include the following:
• Check Point Appliances
• Open Servers
• Cloud Computing
• Scalable Platforms (Maestro Hyperscale Orchestrator)
Check Point Appliances
Strong and proven, Check Point security appliances provide reliable services for thousands of businesses worldwide.
• Small Business and Branch Office
• Enterprise Network Security
• Data Center Security Systems
• Chassis Systems
• Rugged Appliances
• And more
Deployment Considerations
Each component in the network topology is distinguished by its IP address and netmask. The combination of components and their respective IP information make up the network topology.
Standalone Deployment
In a Standalone deployment, the Security Management Server and Security Gateway are installed on the same computer or appliance.
1. Security Management Server
2. Standalone Server
3. Security Gateway Component
Distributed Deployment
In a Distributed deployment, the Security Gateway and the Security Management Server are installed on different computers or appliances.
1. Security Management Server
2. Network Connection
3. Security Gateway
Bridge Mode Deployment
A Bridge Mode deployment adds a Security Gateway to an existing environment without changing IP routing.
1. Switch
2. Router
3. Security Gateway: Firewall bridging Layer-2 traffic over the one IP address, with a subnet on each side using the same address.
Introduction to the Gaia Operating System
Gaia is Check Point’s operating system for all Check Point appliances
and open servers. It supports the full portfolio of Check Point Software
Blades, gateways, and security management products. It also supports:
• IPv4 and IPv6 network protocols
• High connection and virtual systems capacity (64 bits)
• Load sharing
• High availability
• Dynamic and multi-cast routing
Gaia Portal
The Gaia Portal (also known as WebUI) is an advanced, web-based interface used to configure Gaia platforms. A majority of system configuration tasks can be done through the Gaia Portal.
Gaia Portal Users Page
The Gaia Portal and CLI can be used to manage user accounts
and perform the following actions:
• Add users to your Gaia system
• Edit the home directory of the user
• Edit the default shell for a user
• Assign a password to a user
• Assign privileges to users
Gaia Pre-Defined Roles
Gaia includes these pre-defined roles:
• AdminRole: Gives the user read/write access to all features.
• MonitorRole: Gives the user read-only access to all features.
Gaia Portal Add Role Window
Roles are defined on the “Add Role” page of the WebUI. To add a new role or change an existing role, select User Management > Roles in the WebUI navigation tree.
Check Point Upgrade Service Engine
• Gaia provides the ability to directly receive updates for licensed Check Point products.
• With the Check Point Upgrade Service Engine (CPUSE), you can automatically update Check Point products.
Assigning Users to Roles in Gaia Portal
1. Select User Management > Roles in the WebUI navigation tree.
2. Click Assign Members.
3. In the Assign Members to Role window:
• Double-click on user in the Available Users list to add that user to the role.
• Double-click on user in the Users with Role list to remove that user from the role.
Gaia Commands
Commands have the following syntax: operation feature parameter
• To view all commands that the user has permissions to run:
show commands
• To view a list of all features:
show commands feature <TAB>
• To show all possible operations:
show commands op <SPACE> <TAB>
• To show the full system version information:
show version all
Review Questions
1. What’s the difference between a Distributed Deployment and a Standalone Deployment?
2. What are the two main options for deploying Check Point technology?
3. What is a private package?
Lab 2.1- Installation of Primary Management Server
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
Lab 2.1: Installation of Primary Management Server
Performance Objectives:
• Configure the Security Management Server
• Use the WebUI to run the First Time Wizard
• Install SmartConsole
Tasks:
• Install the Gaia OS
• Configure the system as a Security Management Server
Lab 2.2- Configuration of a Security Gateway
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
Lab 2.2: Configuration of a Security Gateway
Performance Objectives:
• Install the Alpha Cluster using the network detailed in the course topology
Tasks:
• Install Gaia on A-GW-01 and A-GW-02
• Configure the Security Gateway with the First Time Configuration Wizard
CHECK POINT
MANAGEMENT
OPERATIONS
Chapter Three
Learning Objectives
• Receive an introduction to Secure Internal Communication (SIC).
• Recognize SmartConsole features, functions, and tools.
• Understand how SmartConsole is used by administrators to grant permissions and user access.
Network Communication: Secure Internal Communication (SIC)
• Creates trusted connections.
• Required for policy installation and to send logs.
• SIC methods include:
  • Certificates
  • Standards-based SSL for the creation of secure channels
  • 3DES or AES128 for encryption
Administrative Tasks in SmartConsole
• Manage Security Policies
• Monitor Events
• Install Updates
• Add New Devices and Appliances
• Manage Multi-Domain Environments
The SmartConsole
SmartConsole is a Graphical User
Interface (GUI) used to manage the
objects that represent network
elements, servers, and gateways.
These administrative activities are
organized into the following tabs:
• Gateways & Servers
• Security Policies
• Logs & Monitor
• Manage & Settings
Logs & Monitor View
The Logs & Monitor tab allows you to view graphs and pivot tables in an organized dashboard, search through logs, and schedule customizable reports.
Review Questions
1. Name one task that takes place in the Gateways & Servers tab:
2. When does a session occur?
Lab 3.1- Establishing Secure Internal Communication
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
Lab 3.1: Establishing Secure Internal Communication
Performance Objectives:
• Demonstrate how the Security Management Server and Gateways communicate
• Test SIC status
Tasks:
• Create the Cluster and Gateway objects in SmartConsole
• Establish SIC
Lab 3.2- Administrator Access
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
Lab 3.2: Administrator Access
Performance Objectives:
• Create multiple administrators and apply different roles and permissions for current administration
Tasks:
• Create new administrators with varying permission profiles
• Configure IPS
• Test administrator access based on assigned profiles
• View concurrent administrator activities
• Disconnect an administrator session
LICENSING
Chapter Four
Learning Objectives
• Learn how Check Point security solutions and products work and how they protect networks.
• Understand licensing and contract requirements for Check Point security products.
Licensing Overview
Components of a License:
• Features and functionality of purchased product
• Specifies its terms of use
• Maximum number of users, devices and/or IP addresses allotted for
the product
• Signature key
• Certification key
• Service contract data
Central & Local Licenses
• Central licenses require an administrator to designate a gateway for attachment.
• Local licenses are automatically attached to their respective Security Gateways.
License Activation
Using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts.
Automatic Licensing
The automatic licensing feature performs the following operations:
• Verifies Licenses
• Activates New Licenses
• Automatically Adds New Blades
Using SmartUpdate
SmartUpdate tabs are divided into a tree structure that displays the
packages installed and the licenses attached to each managed
Security Gateway. The tree has the following three levels:
• Root
• Second
• Third
Add & Install Licenses
To install a license, you must first add it to the License & Contract Repository:
1. Launch SmartDistributer.
2. Navigate to the Licenses & Contracts tab.
3. From the Launch menu, choose Licenses & Contracts > Add License.
Steps to Export a License
1. In SmartUpdate, select a license from the License Repository and right-click.
2. From the menu, select Export License to File.
3. In the Choose File to Export License(s) To window, name the file or select an existing file and browse to the desired location.
License Status
SmartConsole allows you to quickly reference the license status for each Software Blade per gateway.
Saving & Exporting License Status
You may also save the status information as a PDF report or export the information to a file.
License Reports
To generate a report of all licenses allocated for your full network environment:
1. Launch SmartConsole.
2. In the License Repository, right-click the object.
3. From the menu bar, select Action and then License Report.
4. Select the desired report format to be generated.
Service Contracts
The Service Contract file enables compliance with current Check Point licensing standards.
Updating Contracts
Contracts can be updated in SmartUpdate by using the Licenses & Contracts option provided under the Licenses & Contract tab menu.
Review Questions
1. Name the three types of Software Containers:
2. What are Subscription Blades?
3. Name one reason for generating and installing a new license?
Lab 4.1- Managing Licensing & Contracts in SmartUpdate
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
Lab 4.1: Managing Licensing & Contracts in SmartUpdate
Performance Objective:
• Validate existing licenses for products installed on the network.
Tasks:
• Verify the status of existing licenses in SmartConsole
• Import Licenses
• Attach Licenses
• Verify the status of existing licenses in Gaia portal
SECURITY POLICY
MANAGEMENT
Chapter Five
Learning Objectives
• Describe the essential elements of a Security Policy.
• Understand how traffic inspection takes place in a unified Security Policy.
• Summarize how administration roles and permissions assist in managing policy.
• Recall how to implement Check Point backup techniques.
Rules
A Security Policy consists of a set of rules that define network security using a Rule Base. Once a Rule Base is defined, the Security Policy can be distributed to all Security Gateways across a network. Rules are composed of network objects such as gateways, hosts, networks, routers, and domains, and specify the source, destination, service, and action to be taken for each session.
Default Rule
A default rule is added when you add a rule to the Rule Base. These rules are configured using all objects, services and users installed on your database.
Object Management
• Administrators can add, edit, delete, and clone objects.
• The Object Explorer window in SmartConsole allows you to create new objects and edit existing objects.
Configuring Anti-Spoofing
The Topology tab of the Interface Properties window allows you to configure Anti-Spoofing properties of a gateway.
Cleanup and Stealth Rules
• Cleanup Rule — A Cleanup rule is recommended to determine how to handle connections not matched by the rules above it in the Rule Base.
• Stealth Rule — A stealth rule is a rule that should be located as early in your policy as possible, typically immediately after any Management rules.
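To tie together the Rules, Anti-Spoofing, and Cleanup and Stealth rule slides above, here is an added example written for this page, not code from the Check Point course: a toy gateway that first checks each packet against the interface topology (anti-spoofing) and then walks an ordered rule base in which a Management rule precedes the Stealth rule and an explicit Cleanup rule closes the list. The addresses follow the course lab topology (A-GW-Cluster); the interface names, rules, service names and the hosts 198.51.100.10 and 192.168.11.50 are constructed for the demo.

```python
"""Added example (not from the Check Point course material): a toy gateway
that applies interface anti-spoofing and then an ordered rule base with a
Management rule, a Stealth rule and an explicit Cleanup rule.
Addresses follow the course lab topology (A-GW-Cluster); interface names,
rules, service names and the hosts 198.51.100.10 / 192.168.11.50 are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Per-interface topology, as configured on the Topology tab of Interface
# Properties: the networks that legitimately sit behind each interface.
# "external" means "every address not claimed by another interface".
TOPOLOGY = {
    "Mgmt": ["10.1.1.0/24"],
    "Internal": ["192.168.11.0/24"],
    "DMZ": ["192.168.12.0/24"],
    "External": "external",
}
# The gateway's own addresses (cluster VIPs); the Stealth rule protects these.
GATEWAY_ADDRESSES = {"10.1.1.1", "192.168.11.1", "192.168.12.1", "203.0.113.1"}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    service: str   # e.g. "http", "ssh"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR or "any"
    dst: str       # CIDR, "gateway" or "any"
    service: str   # service name or "any"
    action: str    # "accept" or "drop"


def anti_spoofing_ok(pkt: Packet) -> bool:
    """A packet may enter an interface only if its source lies in that
    interface's topology; on the external interface that means the source is
    not an address defined behind one of the internal interfaces."""
    src = ipaddress.ip_address(pkt.src)
    internal_nets = [ipaddress.ip_network(n) for nets in TOPOLOGY.values()
                     if nets != "external" for n in nets]
    spec = TOPOLOGY[pkt.ingress]
    if spec == "external":
        return not any(src in net for net in internal_nets)
    return any(src in ipaddress.ip_network(n) for n in spec)


def _addr_matches(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    if spec == "gateway":
        return addr in GATEWAY_ADDRESSES
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(pkt.src, rule.src) and _addr_matches(pkt.dst, rule.dst)
            and rule.service in ("any", pkt.service))


# Ordered rule base: first match wins, so the order of the rules is the policy.
RULE_BASE: List[Rule] = [
    Rule("Management", "10.1.1.0/24", "gateway", "ssh", "accept"),  # admins reach the gateway
    Rule("Stealth", "any", "gateway", "any", "drop"),               # nobody else may talk to it
    Rule("Web out", "192.168.11.0/24", "any", "http", "accept"),
    Rule("DMZ web", "any", "192.168.12.0/24", "http", "accept"),
    Rule("Cleanup", "any", "any", "any", "drop"),                   # explicit, logged drop for the rest
]


def enforce(pkt: Packet, rules: List[Rule] = RULE_BASE) -> Tuple[str, str]:
    """Return (verdict, reason). Anti-spoofing is checked before the rule base."""
    if not anti_spoofing_ok(pkt):
        return "drop", "anti-spoofing"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implied cleanup"   # only reached without an explicit Cleanup rule


def demo() -> dict:
    """Constructed packets that each hit a different decision point."""
    return {
        "spoofed_internal_src_on_ext": enforce(Packet("External", "192.168.11.50", "192.168.12.101", "http")),
        "admin_ssh_to_gateway": enforce(Packet("Mgmt", "10.1.1.201", "10.1.1.1", "ssh")),
        "host_ssh_to_gateway": enforce(Packet("Internal", "192.168.11.201", "192.168.11.1", "ssh")),
        "host_web_out": enforce(Packet("Internal", "192.168.11.201", "198.51.100.10", "http")),
        "internet_to_dmz_web": enforce(Packet("External", "198.51.100.10", "192.168.12.101", "http")),
        "internet_to_host_smb": enforce(Packet("External", "198.51.100.10", "192.168.11.201", "smb")),
        "no_cleanup_rule": enforce(Packet("External", "198.51.100.10", "192.168.11.201", "smb"), RULE_BASE[:-1]),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:30s} {verdict:6s} ({reason})")
```

Two points the output makes visible: the packet claiming an internal source on the external interface never reaches the rule base at all, which is what anti-spoofing buys you; and the administrator's SSH is accepted only because the Management rule sits above the Stealth rule, whereas the same service from an internal host hits Stealth and is dropped. The last entry shows why the course recommends an explicit Cleanup rule: with it the unmatched connection is dropped by a named rule you can log and report on, rather than by the implied drop at the end of the rule base.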
Global Properties
The Security Policy includes numerous
settings that are configured as Global
Properties. These settings apply to:
• The Firewall
• VPN
• Reporting Tools
• Check Point Products
• Check Point Services & Functions
Sections
When managing a large network, it can be helpful to divide the
policy into smaller sections. Use section titles to more easily
navigate between large rule bases.
Publish Policy
Publishing updates the policy on the management server and/or Log Server and makes the changes visible in SmartConsole.
Policy Types
There are four policy types
available for each policy
package:
• Access Control
• QoS
• Desktop Security
• Threat Prevention
Shared Policies
The Shared Policies section in a policy package provides access to these granular Software Blades and features:
• Mobile Access
• Data Loss Prevention
• HTTPS Inspection
• Geo Policy
Additional Policy Management Tools
Access Control Tools include:
• VPN Communities
• Client Certificates
• Application Wiki
• Installation History
Install Policy
There are two types of installation modes:
• Installs the policy on each target gateway independently.
• Installs the policy on all target gateways.
Review Questions
1. Name one thing that a basic rule consists of?
2. What are the building blocks of Security Policy rules?
3. What is the purpose of the UserCheck?
Lab 5.1- Creating Security Policy – Creating Objects
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
Lab 5.1: Creating Security Policy – Creating Objects
Performance Objective:
• Create and configure host, network and group objects
Task:
• Create new host, network and group objects
Lab 5.2- Creating Security Policy – Creating Rules
[Figure: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo (the same diagram as the lab topology shown after the course chapter list).]
89
©2020 Check Point Software Technologies Ltd.
Lab 5.2: Creating Security Policy – Creating Rules
Performance Objective:
• Use SmartConsole to create the network policy
Tasks:
• Create rules using the objects created in the previous lab
• Create Check Point recommended rules
Lab 5.3 – Monitoring Policy Status
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 5.3: Monitoring Policy Status
Performance Objectives:
• Install the Security Policy
• Monitor and review the status
Tasks:
• Install policy
• Monitor and review the policy install status
• Review an Audit log for the policy install
POLICY LAYERS
Chapter Six
Learning Objectives
• Understand the Check Point policy layer concept.
• Understand how policy layers affect traffic inspection.
• Understand how to enable the Application Control and URL Filtering software blades to block access to various applications.
Policy Layer Concept
A policy package's Access Control policy is built from one or more layers, each with its own Rule Base. Ordered layers are inspected one after another, and a connection must be accepted by every ordered layer to pass. An inline layer is a sub-Rule Base attached to a parent rule and is inspected only when that parent rule matches; if none of its sub-rules match, the inline layer's own implicit cleanup rule applies and the parent layer's later rules are not consulted.
When working with Policy Layers, the Manage Layers window is used. To open the Manage Layers window, select Menu > Manage Policies and Layers in SmartConsole.
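The matching behaviour described above, as an added example that is not part of the original course material or Check Point code: a small model of ordered and inline layers. Rule fields, object names and the sample packets are constructed (addresses follow the lab topology), and the inline layer deliberately has no catch-all sub-rule so that its implicit cleanup is visible.

```python
"""Model of how ordered and inline Access Control layers decide a packet's fate.
Added illustration, not Check Point code: the rule fields, object names and
sample packets below are constructed (addresses taken from the lab topology)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    service: str          # e.g. "http", "ssh"


@dataclass
class Rule:
    name: str
    src: str = "Any"      # CIDR or "Any"
    dst: str = "Any"
    service: str = "Any"
    action: str = "Accept"          # "Accept", "Drop" or "Inline" (Apply Layer)
    inline: Optional["Layer"] = None


@dataclass
class Layer:
    name: str
    rules: List[Rule] = field(default_factory=list)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "Any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.service in ("Any", pkt.service))


def evaluate_layer(layer: Layer, pkt: Packet, trail: list) -> str:
    """First-match evaluation of one layer. An inline layer is consulted only when
    its parent rule matches, and if none of its sub-rules match, the inline layer's
    implicit cleanup rule drops the packet: it never falls back to the parent
    layer's later rules."""
    for rule in layer.rules:
        if not rule_matches(rule, pkt):
            continue
        trail.append(f"{layer.name}/{rule.name}")
        if rule.action == "Inline":
            return evaluate_layer(rule.inline, pkt, trail)
        return rule.action
    trail.append(f"{layer.name}/implicit-cleanup")
    return "Drop"


def evaluate_policy(layers: List[Layer], pkt: Packet) -> Tuple[str, list]:
    """Ordered layers: a packet must be accepted by every layer in turn; the first
    layer that does not accept it ends inspection. Returns the verdict and the
    list of rules matched on the way."""
    trail: list = []
    for layer in layers:
        if evaluate_layer(layer, pkt, trail) != "Accept":
            return "Drop", trail
    return "Accept", trail


# Constructed policy: an inline layer under the "Internal to DMZ web" rule allows
# only A-LDAP to reach the DMZ over HTTP; a second ordered layer blocks SSH.
DMZ_WEB = Layer("DMZ-web", [
    Rule("LDAP to DMZ", src="192.168.11.101/32", action="Accept"),
])
NETWORK = Layer("Network", [
    Rule("Internal to DMZ web", src="192.168.11.0/24", dst="192.168.12.0/24",
         service="http", action="Inline", inline=DMZ_WEB),
    Rule("Internal out", src="192.168.11.0/24", action="Accept"),
])
APPLICATION = Layer("Application", [
    Rule("Block ssh", service="ssh", action="Drop"),
    Rule("Allow rest", action="Accept"),
])
POLICY = [NETWORK, APPLICATION]

if __name__ == "__main__":
    for pkt in (Packet("192.168.11.101", "192.168.12.101", "http"),
                Packet("192.168.11.201", "192.168.12.101", "http"),
                Packet("192.168.11.201", "203.0.113.100", "ssh")):
        print(pkt, *evaluate_policy(POLICY, pkt))
```

The trail returned for A-Host's HTTP request to A-DMZ shows the point the slides make: the parent rule matches, the inline layer has no matching sub-rule, and the packet is dropped by the inline cleanup even though the later "Internal out" rule in the parent layer would have accepted it.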
Manage Policies and Layers
The Manage Policies and Layers window serves as a dashboard for policies and layers. Its columns are:
• Layer - the name of the layer
• Number of Rules - the number of rules in the layer
• Modifier - the last user who modified the layer
• Last Modified - the date and time of the last modification
• Blades - the Software Blades enabled on the layer
• Used in policies - the policy packages that use the layer
• Mode - whether the layer is an ordered layer or an inline layer
Manage Policies and Layers
When possible, it is a best practice to share policy layers with other policy packages. To enable this, check the "Multiple policies and rules can use this layer" checkbox in the layer's properties. A shared layer is a single object: a rule change made in it takes effect in every policy package that uses it, once each of those packages is installed again.
Review Questions
1. How does a Rule Base work with a Security Policy?
2. Which blades can be enabled on a layer?
3. What are the two layer options?
Lab 6.1 – Ordered Layers
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 6.1: Ordered Layers
Performance Objectives:
• Demonstrate how to share a layer between Security Policies
Tasks:
• Add a Data Awareness layer to the Standard policy
• Configure the Application Control and URL Filtering Rule Base
• Share the new Data Awareness layer
Lab 6.2 – Inline Layers
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 6.2: Inline Layers
Performance Objectives:
• Demonstrate how to create an inline layer and share this layer between policies
Task:
• Create an Inline layer
MANAGING USER ACCESS
Chapter Seven
Learning Objectives
• Recognize how to define users and user groups.
• Understand how to manage user access for internal and external users.
• Describe Identity Awareness components and configurations.
Overview of User Management Components
Users are created for use as network objects in Security Policies and to define the different terms under which users can operate, such as:
• Services allowed
• Locations allowed to access the network
• Allowed network destinations
• Time frame to connect
• Time frame to access the network
• Authentication process
• Working remotely process
User Directory
• Leverages LDAP servers to obtain user identities
• Eliminates the risk of manually maintaining and synchronizing user data
• Enables centralized user management
• Used to query user information, retrieve CRLs and authenticate users
• Recommended for a large number of users
• Requires a special license, which is included in the Mobile Access Software Blade
Identity Awareness
Identity Awareness lets you easily configure network access and auditing based on one or more of the following items:
• Network location
• The identity of a user
• The identity of a machine
Active Directory (AD) Query
The Active Directory Query is a clientless identity acquisition method that allows the Security Gateway to seamlessly identify Active Directory users and computers. It works by reading logon events from the domain controllers' Security Event Log over WMI, so it needs a domain account with permission to read that log, and it only learns an identity when it sees a logon event for that user or computer.
Captive Portal for Guest Access
When users try to access a resource, they are directed to a web page requiring them to enter login credentials for verification.
Adding a User from LDAP
Managing users internally differs when incorporating LDAP:
• User management in User Directory is handled externally and not locally.
• User Directory server templates, unlike internal user templates, can be modified and applied to users dynamically.
Access Roles
Access roles are objects that allow you to configure network access according to:
• Networks
• Users and user groups
• Computers and computer groups
• Remote access clients
Access Policy Rules
After Identity Awareness has been activated, you can create access role objects and use them in the Source and Destination columns of Access Control policy rules.
Rule Base
Using Identity Awareness, you can define a policy rule for specified users who send traffic from specified computers or from any computer. The slide shows an example of a rule that redirects a not-yet-identified user to the Captive Portal so that the user can authenticate and then be matched against the access role.
Review Questions
1. What purpose does the User Directory serve?
2. Name one of the items on which Identity Awareness lets you base network access and auditing.
3. Name one authentication scheme that Check Point supports.
Lab 7.1 – Provide User Access
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 7.1: Provide User Access
Performance Objectives:
• Enable Identity Awareness
• Deploy user access roles for more granular control of the Security policy
Tasks:
• Configure the Security Policy for Identity Awareness
• Define the user access role
• Test the Identity Awareness connection
WORKING WITH NAT
Chapter Eight
Learning Objectives
• Articulate how Network Address Translation (NAT) affects traffic.
• Describe how to configure manual and automatic NAT.
NAT Rules
NAT rules modify the IP address information of packets as they pass through the Security Gateway. The expected behavior of the gateway is based on the type of NAT rule configured and how the rule is applied within the flow of traffic. NAT can be configured on Check Point hosts, nodes, networks, address ranges and dynamic objects.
Manual and Automatic NAT
• Automatic NAT
  • Configured through the Network Object, the Host Object, and the Address Range Object; the NAT rules are generated for you
  • Supports Hide and Static NAT
• Manual NAT
  • Offers more flexibility
  • Can translate both the source and the destination of the packet
  • Supports Hide and Static NAT
Hide NAT is many-to-one: a network or address range is hidden behind a single address (the gateway's own address or one you specify), only the source is translated, and connections can be initiated only from the hidden side. Static NAT is one-to-one and works in both directions, so a server behind the gateway can be reached from outside at its translated address.
NAT Configuration
NAT can be configured by manually creating rules in the NAT policy, or by enabling NAT on the desired network object, in which case the rules are created automatically.
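The Hide versus Static behaviour described in this chapter, as an added example that is not part of the course material or Check Point code. It models Lab 8.1 on the lab topology: the internal network 192.168.11.0/24 is hidden behind the cluster's external VIP 203.0.113.1 and A-DMZ gets a Static NAT. The public address 203.0.113.50 for A-DMZ and the translated-port pool are assumptions of the model; the RFC 1918 check answers the chapter's second review question.

```python
"""Hide NAT versus Static NAT, modelled on the lab topology. Added illustration,
not Check Point code; the port pool and the public address chosen for A-DMZ
are assumptions of this model."""
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional, Tuple

# The three RFC 1918 blocks. ipaddress's is_private is deliberately not used: it
# also flags 203.0.113.0/24 (the lab's documentation range) and other special blocks.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = Tuple[str, int, str, int]      # (src, sport, dst, dport)


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


class NatTable:
    def __init__(self, hide_ip: str):
        self.hide_ip = hide_ip           # address the hidden networks appear as
        self.hide_nets = []              # many-to-one: networks hidden behind hide_ip
        self.static = {}                 # one-to-one: private -> public
        self._ports = count(10000)       # assumed translated-port pool
        self._fwd = {}                   # (src, sport) -> translated port
        self._rev = {}                   # translated port -> (src, sport)

    def add_hide(self, cidr: str) -> None:
        self.hide_nets.append(ip_network(cidr))

    def add_static(self, private_ip: str, public_ip: str) -> None:
        self.static[private_ip] = public_ip

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Flow:
        """Packet leaving the internal side."""
        if src in self.static:                           # Static NAT: fixed 1:1 source
            return self.static[src], sport, dst, dport
        if any(ip_address(src) in n for n in self.hide_nets):
            key = (src, sport)
            if key not in self._fwd:                     # one pool port per flow
                port = next(self._ports)
                self._fwd[key] = port
                self._rev[port] = key
            return self.hide_ip, self._fwd[key], dst, dport
        return src, sport, dst, dport                    # no NAT rule: unchanged

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Packet arriving from the external side. None means no translation
        exists, i.e. a hidden host cannot be reached from outside."""
        for private_ip, public_ip in self.static.items():   # Static NAT works both ways
            if dst == public_ip:
                return src, sport, private_ip, dport
        if dst == self.hide_ip and dport in self._rev:       # reply to a hidden flow
            orig_src, orig_sport = self._rev[dport]
            return src, sport, orig_src, orig_sport
        return None


def build_lab_nat() -> NatTable:
    """Lab 8.1: Hide NAT for the internal network behind the cluster's external
    VIP, Static NAT for the DMZ server (public address 203.0.113.50 is assumed)."""
    nat = NatTable(hide_ip="203.0.113.1")
    nat.add_hide("192.168.11.0/24")
    nat.add_static("192.168.12.101", "203.0.113.50")
    return nat


if __name__ == "__main__":
    nat = build_lab_nat()
    out = nat.outbound("192.168.11.201", 51000, "203.0.113.100", 80)
    print("A-Host out :", out)
    print("reply back :", nat.inbound("203.0.113.100", 80, out[0], out[1]))
    print("to A-DMZ   :", nat.inbound("203.0.113.100", 40000, "203.0.113.50", 443))
    print("to A-Host  :", nat.inbound("203.0.113.100", 40000, "203.0.113.1", 22))
```

The last call returns None: an unsolicited packet to the hide address with no matching flow in the table has nowhere to go, which is exactly why a server that must be reachable from the Internet needs Static rather than Hide NAT.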
Review Questions
1. What is the difference between Hide NAT and Static NAT?
2. What are the three ranges of IP addresses that are designated by RFC
1918 as private and non-routable on the Internet?
Lab 8.1 – Automatic NAT Configuration
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 8.1: Automatic NAT Configuration
Performance Objectives:
• Configure Network Address Translation for server and network objects
Tasks:
• Configure Hide NAT on network objects
• Configure Static NAT on the servers
TRAFFIC VISIBILITY
Chapter Nine
Learning Objectives
• Identify tools designed to monitor data, determine threats, and recognize opportunities for performance improvements.
• Identify tools designed to respond quickly and efficiently to changes in gateways, tunnels, remote users, traffic flow patterns, and other security activities.
Analyzing Logs
Collecting logs helps with analyzing network traffic patterns and meeting
compliance requirements.
Deploy Logging
The following steps detail the workflow for deploying logging:
1. Install one or more standalone Log Servers.
2. In SmartConsole, enable logging on the management server.
3. Configure the Security Gateways to send logs to the Log Server.
SmartConsole Logs View
Using the Logs view, administrators can examine audit logs of administrator activities and run custom queries using pre-defined search filters.
Track Options & Settings
The Track Settings window displays these two advanced tracking options if one or more of the Application & URL Filtering, Content Awareness, or Mobile Access Software Blades are enabled on the layer:
• Detailed Log
• Extended Log
Log Details
• Log details include log information, policy and traffic flow details.
• Details can be viewed by double-clicking on the log.
Custom Queries
• Custom queries can also be created and saved for future use. The Favorites list stores saved custom queries.
• Additional folders can be created to organize the customized queries.
Field Keywords
Use pre-defined fields, followed by a colon, as keywords in filter criteria (for example src:192.168.11.201 or action:Drop). A table in the slide lists the pre-defined fields and the keyword aliases that can be used as alternatives.
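The query syntax described in the Custom Queries and Field Keywords slides, and the Boolean operators asked about in the review questions, as an added example that is not part of the course material or Check Point's own query engine. It parses field:value keywords (with a small alias table), quoted values, free text, NOT, AND, OR and parentheses into a predicate and runs it over constructed records shaped like Access Control logs from the lab network; the records and the alias table are constructed for the example.

```python
"""Evaluator for the Logs view query syntax: field:value keywords (with aliases),
quoted values, free text, NOT / AND / OR and parentheses, run over constructed
records shaped like Access Control logs. Added illustration of the syntax, not
Check Point's own query engine; the records and the alias table are constructed."""
import re
from typing import Callable, Dict, List

Record = Dict[str, str]
Pred = Callable[[Record], bool]

LOGS: List[Record] = [   # constructed sample logs from the lab network
    {"time": "10:01:02", "src": "192.168.11.201", "dst": "203.0.113.100",
     "service": "https", "action": "Accept", "blade": "Firewall", "rule": "Internal out"},
    {"time": "10:01:05", "src": "192.168.11.201", "dst": "192.168.12.101",
     "service": "ssh", "action": "Drop", "blade": "Firewall", "rule": "Cleanup rule"},
    {"time": "10:01:09", "src": "192.168.21.201", "dst": "192.168.12.101",
     "service": "http", "action": "Accept", "blade": "Firewall", "rule": "DMZ web"},
    {"time": "10:02:11", "src": "192.168.11.101", "dst": "203.0.113.100",
     "service": "https", "action": "Block", "blade": "Application Control",
     "rule": "Block file sharing"},
]

ALIASES = {"source": "src", "destination": "dst", "svc": "service"}

# A token is "(", ")", an optional field: prefix followed by a quoted value, or a bare word.
_TOKEN = re.compile(r'\(|\)|(?:[^\s()":]+:)?"[^"]*"|[^\s()"]+')


class Query:
    """Recursive-descent parser producing a predicate; precedence NOT > AND > OR,
    and two terms written side by side are combined with AND."""

    def __init__(self, text: str):
        self.toks = _TOKEN.findall(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> Pred:
        pred = self._or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def _or(self) -> Pred:
        left = self._and()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, self._and())
        return left

    def _and(self) -> Pred:
        left = self._not()
        while self.peek() and self.peek() != ")" and self.peek().upper() != "OR":
            if self.peek().upper() == "AND":
                self.take()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, self._not())
        return left

    def _not(self) -> Pred:
        if self.peek() and self.peek().upper() == "NOT":
            self.take()
            inner = self._not()
            return lambda rec: not inner(rec)
        return self._term()

    def _term(self) -> Pred:
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            inner = self._or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        field, sep, value = tok.partition(":")
        if sep and not field.startswith('"'):                 # field keyword
            name = ALIASES.get(field.lower(), field.lower())
            want = value.strip('"').lower()
            return lambda rec: rec.get(name, "").lower() == want
        text = tok.strip('"').lower()                         # free text: any field
        return lambda rec: any(text in v.lower() for v in rec.values())


def search(query: str, logs: List[Record] = LOGS) -> List[str]:
    """Return the timestamps of the records matching the query."""
    pred = Query(query).parse()
    return [rec["time"] for rec in logs if pred(rec)]


if __name__ == "__main__":
    for q in ("src:192.168.11.201 AND action:Drop",
              'blade:"Application Control" OR service:ssh',
              "(source:192.168.11.201 OR source:192.168.11.101) NOT action:Accept"):
        print(q, "->", search(q))
```

Values containing spaces must be quoted, as in blade:"Application Control"; an unquoted multi-word value would be read as two terms joined by AND, which is the usual reason a query silently returns nothing.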
Review Questions
1. What is the purpose of collecting logs?
2. Name at least one search filter that can be used when creating log queries.
3. What are Boolean operators?
Lab 9.1 – Generate and View Traffic
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 9.1: Generate and View Traffic
Performance Objective:
• Generate network traffic and use traffic visibility tools to monitor the data
Task:
• View live logs and perform searches to gather historic data
MONITORING SYSTEM STATES
Chapter Ten
Learning Objectives
• Articulate how Security Management Servers and Security Gateways work together to monitor the state of the Security Enforcement System.
Monitor Gateway Status
To see gateway status in SmartConsole, open the Gateways & Servers tab, select a gateway, right-click, and select Monitor.
Users View
The Users view of SmartView Monitor shows users that have a current VPN connection to the Security Gateways. It displays the following:
• Open Sessions
• Overlapping Sessions
• Route Traffic
• Connection Time
• And more
System Counters View
The System Counters view in SmartConsole shows collected information on the status and activities of Check Point products.
Tunnels View
• The SmartView Monitor Tunnels view shows the status of gateway-to-gateway VPN tunnels.
• Use this view to identify VPN tunnel malfunctions and connectivity problems.
Traffic View
SmartConsole Traffic Monitoring provides in-depth details on network traffic and activity.
Review Questions
1. The monitoring views of SmartConsole and SmartView Monitor show real-time and
historical graphical views of:
2. What does SAM stand for and what does it monitor?
3. Where can alerts be seen?
Lab 10.1 – Monitoring System States
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 10.1: Monitoring System States
Performance Objective:
• Use SmartView Monitor to view status and alerts and to block suspicious traffic
Tasks:
• Monitor the status of the systems
• Configure alerts
• Configure Suspicious Activity Rules
SECURITY EVENTS
Chapter 11
Learning Objectives
• Understand how SmartEvent functions to identify critical security issues.
• Identify SmartEvent components used to store network activity logs and identify events.
• Explain how SmartEvent eliminates security threats targeting organizations.
• Understand how SmartEvent can assist in reporting security threats targeting organizations.
Threat Detection
Increasingly, Security Administrators have to know how to prevent, detect and mitigate a range of sophisticated cyber security attacks. Check Point's SmartEvent Software Blade correlates logs to identify critical security events such as intrusions, bot incidents and potential data loss, so that they can be stopped before they cause damage.
The SmartEvent Solution
SmartEvent correlates logs and detects real security threats. SmartEvent is a licensed Software Blade and can be installed on a single server or across multiple correlation units to reduce the network load.
SmartEvent Management
To enable SmartEvent on the Security Management Server, take the following steps:
• Open SmartConsole.
• Open the Security Management Server network object.
• On the Management tab, enable the Logging & Status, SmartEvent Server and SmartEvent Correlation Unit Software Blades.
• In the SmartConsole main toolbar, click Publish.
Event Analysis
SmartConsole, the SmartView Web Application, and the SmartEvent GUI client consolidate very large numbers of logs and show them as prioritized security events, so you can immediately respond to security incidents and take the necessary actions to prevent further attacks.
Reporting Security Events
Pre-defined and customized reports can be generated to provide security information on a schedule (daily, weekly, or monthly), or as needed.
Using Pre-Defined Reports
To open the catalog of pre-defined and customized reports, click the [+] tab.
Security CheckUp
With Check Point Security Checkup tools, administrators can
generate a comprehensive security analysis report that summarizes:
• Security Events
• Security Risks
• Remediation
Lab 11.1 – Evaluating Threats with SmartEvent
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Review Questions
1. What is a Certificate Sharing Event?
2. Name one component in the SmartEvent architecture?
3. Why does the SmartEvent Server communicate with the Security Management Server?
Lab 11.1: Evaluating Threats with SmartEvent
Performance Objectives:
• Configure a SmartEvent Server to monitor relevant patterns and events.
• Demonstrate how to configure event Alerts in SmartEvent.
• Demonstrate how to run specific SmartEvent reports.
Tasks:
• Configure the SmartEvent Suite.
• Generate Reports based on available data.
BASIC CONCEPTS OF VPN
Chapter Twelve
Learning Objectives
• Understand Site-to-Site and Remote Access VPN deployments and communities.
• Understand how to analyze and interpret VPN tunnel traffic.
VPN Components
The following components are used to construct VPN communication in the network:
• VPN Domain
• VPN Gateway
• VPN Community
• VPN Trust Entities
• VPN Management Tools
Site-to-Site VPN Deployment
A Site-to-Site VPN deployment handles secure communication between offices that are connected by the Internet.
Remote Access VPN Deployment
A Remote Access VPN deployment handles secure communication
between internal corporate resources and remote users using VPN
tunnels.
VPN Communities
When configuring a VPN gateway in SmartConsole, decide which IP address objects are included in the VPN domain. System Administrators then combine multiple VPN domains into a VPN community.
Meshed VPN Community
A Meshed VPN community consists of VPN gateways that create VPN tunnels with all the other VPN gateways in the community.
Star VPN Community
In a Star VPN community, satellite gateways create VPN tunnels only with the central gateway(s), not with each other. It is typically used when a company must share information with external partners or companies, because each partner gets a tunnel to the hub without gaining connectivity to the other partners.
VPN Routing
VPN Routing is a way of directing communication through a specific tunnel in order to enhance existing connectivity or security.
Combination VPN Communities
Combination VPN Communities are more complex VPN deployment scenarios. A combination VPN community can be defined by using, for example, two Star VPN communities and one Meshed VPN community.
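The Meshed, Star and combination communities described in the preceding slides, as an added example that is not part of the course material or Check Point code. It derives which gateway pairs get a tunnel from each community type and then decides, from the VPN domains, whether a given flow is encrypted at all. The VPN domains follow the lab topology; the partner gateway C-GW, its domain 10.30.0.0/16 and the community names are assumptions made for the example.

```python
"""Which gateway pairs get tunnels in Meshed, Star and combined communities, and
whether a given flow is encrypted. Added illustration, not Check Point code; the
VPN domains follow the lab topology, while the partner gateway C-GW, its domain
10.30.0.0/16 and the community names are assumptions."""
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

Tunnel = FrozenSet[str]

VPN_DOMAINS: Dict[str, List[str]] = {   # gateway -> networks in its VPN domain
    "A-GW-Cluster": ["192.168.11.0/24", "192.168.12.0/24"],
    "B-GW": ["192.168.21.0/24"],
    "C-GW": ["10.30.0.0/16"],            # assumed external partner
}


def meshed(members: Iterable[str]) -> Set[Tunnel]:
    """Meshed community: every member tunnels to every other member."""
    return {frozenset(pair) for pair in combinations(members, 2)}


def star(center: Iterable[str], satellites: Iterable[str],
         mesh_center: bool = False) -> Set[Tunnel]:
    """Star community: satellites tunnel only to the center gateway(s), never to
    each other. mesh_center mirrors the 'Mesh center gateways' option."""
    center, satellites = list(center), list(satellites)
    tunnels = {frozenset((c, s)) for c in center for s in satellites}
    if mesh_center:
        tunnels |= meshed(center)
    return tunnels


def gateway_for(ip: str) -> Optional[str]:
    """The gateway whose VPN domain contains ip, or None if no gateway does."""
    addr = ip_address(ip)
    for gw, nets in VPN_DOMAINS.items():
        if any(addr in ip_network(n) for n in nets):
            return gw
    return None


def is_encrypted(src: str, dst: str, tunnels: Set[Tunnel]) -> bool:
    """A flow is sent through a VPN tunnel only when src and dst sit in the VPN
    domains of two different gateways that share a tunnel in some community."""
    s, d = gateway_for(src), gateway_for(dst)
    if s is None or d is None or s == d:
        return False
    return frozenset((s, d)) in tunnels


# Constructed combination: a mesh between the two lab sites plus a star in which
# Site Alpha is the hub for Site Bravo and the partner.
COMMUNITIES: Dict[str, Set[Tunnel]] = {
    "Alpha-Bravo": meshed(["A-GW-Cluster", "B-GW"]),
    "Partners": star(center=["A-GW-Cluster"], satellites=["B-GW", "C-GW"]),
}
ALL_TUNNELS: Set[Tunnel] = set().union(*COMMUNITIES.values())

if __name__ == "__main__":
    for name, tunnels in COMMUNITIES.items():
        print(name, sorted(sorted(t) for t in tunnels))
    print(is_encrypted("192.168.11.201", "192.168.21.201", ALL_TUNNELS))
    print(is_encrypted("192.168.21.201", "10.30.1.1", ALL_TUNNELS))
```

Two results worth noticing: B-Host cannot reach the partner's 10.30.0.0/16 through the VPN because satellites of a Star community have no tunnel to each other, and traffic between A-Host and A-DMZ is never VPN traffic because both sit behind the same gateway.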
Access Control for VPN Connections
Configure rules in the Access Control policy to allow the connections between the VPN gateways. The VPN column in the Access Control policy is used to configure how VPN connections are matched to the rules.
Access Control for VPN Connections
The VPN column of a rule offers three choices:
• Allow All Connections - the rule matches connections whether or not they pass through a VPN tunnel
• Allow All Site-to-Site VPN Connections - the rule matches only connections that arrive through a Site-to-Site VPN tunnel
• Allow Specific VPN Communities - the rule matches only connections inside the tunnels of the selected communities
Site-to-Site Communities — Allow All Encrypted Traffic
A Site-to-Site VPN community can be configured to automatically allow all encrypted connections. The Accept all encrypted traffic option in the community's properties adds implied rules that accept all VPN traffic between the community members' VPN domains, bypassing the granular rules you would otherwise write. Use it only when every site in the community is fully trusted; otherwise leave it off and write explicit rules with the community in the VPN column.
Permanent VPN Tunnels
Permanent Tunnels can only be established between Check Point VPN gateways. Permanent VPN Tunnels can be set on the following:
• On all tunnels in the community
• On all tunnels for specific gateways
• On specific tunnels in the community
Monitoring VPN Tunnels
The SmartView Monitor GUI displays the status of the VPN tunnels in the network.
Review Questions
1. How does a VPN provide privacy and security?
2. Why are Permanent VPN tunnels constantly kept active?
3. What is Tunnel Testing?
Lab 12.1 – Basic VPN Establishment
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; the same diagram as shown for Lab 5.1.]
Lab 12.1: Basic VPN Establishment
Performance Objectives:
• Configure and deploy a site-to-site VPN
• Test the VPN connection and analyze the tunnel traffic
Tasks:
• Define the VPN domain
• Define the VPN community
• Create the VPN rule and modify the Rule Base
• Test the VPN connection
WORKING WITH CLUSTERXL
Chapter Thirteen
Learning Objectives
• Understand the basic concepts of ClusterXL technology and its advantages.
Overview of ClusterXL
• Provides Security Gateway redundancy and load sharing.
• Uses State Synchronization to keep active connections alive and prevent data loss when a member fails.
• Two or more Security Gateways configured to act as one unit.
ClusterXL Topology
ClusterXL uses unique physical IP and MAC addresses for the cluster members and virtual IP addresses to represent the cluster itself. Each cluster member has at least three interfaces:
• One External Interface
• One Internal Interface
• One for Synchronization
Configuring Member Priority
Gateway cluster members are listed in SmartConsole by priority. The highest priority member is the active cluster member by default.
Configuring High Availability
There are two High Availability modes available: ClusterXL and VRRP. ClusterXL High Availability mode designates one of the cluster members as the Active machine, while the rest of the members are in a Standby mode.
Perform Manual Failover
Use SmartView Monitor to stop ClusterXL on a Security Gateway and cause a failover. In SmartView Monitor, right-click the cluster member, and select Cluster Member > Stop Member.
Monitoring a Cluster
In order to ensure that clusters and cluster members are operating correctly, the cphaprob state command from the CLI is used to monitor cluster members and critical devices.
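To make the cphaprob state check repeatable, for instance from a monitoring script that collects the command output over SSH and raises an alert when the pair is not healthy, here is an added Python example; it is not part of the course material or of Check Point's own tooling. The two sample outputs it parses are constructed to resemble the R80.x cphaprob state layout (a Cluster Mode line, a member table, an Active PNOTEs line) using the lab's sync addresses; the column layout encoded in MEMBER_RE is an assumption and should be verified against the live output of your own cluster before relying on it.

```python
"""Parse `cphaprob state` output and flag an unhealthy ClusterXL HA pair.

Added example, not part of the course or of Check Point's tooling. The two
sample outputs are CONSTRUCTED to resemble the R80.x layout; verify the column
layout against your own cluster before trusting MEMBER_RE.
"""
import re
from dataclasses import dataclass

# Constructed sample: healthy pair, using the lab's A-GW-Cluster sync addresses.
SAMPLE_HEALTHY = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.10.2    100%            ACTIVE         A-GW-01
2          192.168.10.3    0%              STANDBY        A-GW-02

Active PNOTEs: None
"""

# Constructed sample: after a failover, member 1 is DOWN and reports a pnote.
SAMPLE_DEGRADED = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.10.2    0%              DOWN           A-GW-01
2          192.168.10.3    100%            ACTIVE         A-GW-02

Active PNOTEs: IAC
"""

# One member row: id, optional "(local)", sync address, load %, state, name.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)(?P<local>\s+\(local\))?\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<load>\d+)%\s+"
    r"(?P<state>[A-Z]+)\s+"
    r"(?P<name>\S+)\s*$"
)


@dataclass
class Member:
    member_id: int
    address: str
    load: int
    state: str
    name: str
    local: bool


def parse_state(output):
    """Return (cluster_mode, [Member, ...], active_pnotes) from cphaprob state text."""
    mode, pnotes, members = None, None, []
    for line in output.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(int(m["id"]), m["addr"], int(m["load"]),
                                  m["state"], m["name"], m["local"] is not None))
        elif line.startswith("Cluster Mode:"):
            mode = line.split(":", 1)[1].strip()
        elif line.startswith("Active PNOTEs:"):
            pnotes = line.split(":", 1)[1].strip()
    return mode, members, pnotes


def check_ha(output):
    """Return a list of findings; an empty list means the HA pair looks healthy."""
    mode, members, pnotes = parse_state(output)
    findings = []
    if not members:
        return ["no cluster members parsed"]
    if mode is None or "High Availability" not in mode:
        findings.append(f"unexpected cluster mode: {mode}")
    # In HA mode exactly one member carries the load; all others are STANDBY.
    active = [m for m in members if m.state == "ACTIVE"]
    if len(active) != 1:
        findings.append(f"expected exactly one ACTIVE member, found {len(active)}")
    for m in members:
        if m.state not in ("ACTIVE", "STANDBY"):
            findings.append(f"{m.name} is {m.state}")
    # A critical device problem shows up as an active pnote on the member.
    if pnotes and pnotes != "None":
        findings.append(f"active PNOTEs: {pnotes}")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(label, check_ha(sample) or "OK")
```

A healthy High Availability pair yields an empty findings list: exactly one ACTIVE member, the rest STANDBY, no active PNOTEs. The second sample models the state after a failover in which the former Active member is DOWN because a critical device reported a problem, which is the condition an administrator wants to be paged about rather than discover during the next incident.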
Review Questions
1. What is the Cluster Control Protocol (CCP)?
2. Which command is used to monitor cluster members?
3. Describe a situation that causes a failover to take place on the active cluster member.
Lab 13.1 – Working with ClusterXL
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; same diagram and addresses as shown for Lab 12.1]
Performance Objective:
• Test ClusterXL High Availability
Tasks:
• Review High Availability settings
• Test High Availability
Lab 13.1: Working with ClusterXL
COMPLIANCE TASKS
Chapter Fourteen
Learning Objectives
• Knowledge about how to perform periodic administrator tasks.
• Introduction to the Compliance Software Blade.
• Understand how to use CPView to gather basic gateway status information.
Administrator Task Implementation
Understand how to perform periodic administrator tasks as specified in administrator job descriptions.
Compliance Software Blade
The Compliance Software Blade is used to continuously scan the Security Policy and configuration settings defined within the following:
• Check Point Software Blades
• Security Gateways
• Security Management Server
Best Practices
The Compliance Software Blade compares policy and configuration changes against best practices before any changes are installed.
Compliance Best Practice Test
A best practice test details compliance status and recommends corrective action. There are two types of tests: Global and Object-Based.
• Global tests examine configuration settings for the entire organization.
• Object-Based tests examine the configuration settings for particular objects, such as gateways and profiles.
Alerts & Actions
When a best practice test detects a degradation of the compliance status, such as when a rule is changed, an alert is displayed with details of the issue and the affected devices.
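As an added illustration of the two test scopes from the Compliance Best Practice Test slide (Global tests over the whole organization, Object-Based tests over one gateway at a time) and of the alert with recommended corrective action described above, the Python below runs a miniature compliance check over a constructed rule base and two constructed gateway objects. It is not Check Point's Compliance Blade code: the five checks are generic firewall hygiene checks chosen for the example, not the blade's real best-practice catalogue, and the percentage score is a constructed simplification.

```python
"""Miniature model of Compliance Blade best-practice tests (Global vs Object-Based).

Added example, not Check Point's own code. POLICY, GATEWAYS and the five checks
are CONSTRUCTED for illustration; the score formula is a simplification.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str   # "Accept" or "Drop"
    track: str    # "Log" or "None"


@dataclass
class Gateway:
    name: str
    anti_spoofing: bool
    blades: set


@dataclass
class Finding:
    test: str
    scope: str       # "Global" (whole organization) or "Object-Based" (one object)
    passed: bool
    affected: list   # rule or object names that degrade the compliance status
    action: str      # recommended corrective action shown with the alert


# Constructed rule base; object names echo the course lab topology.
POLICY = [
    Rule("Mgmt access", "A-GUI", "A-SMS", "CPMI", "Accept", "Log"),
    Rule("Internal to Internet", "Internal_Net", "Any", "http", "Accept", "Log"),
    Rule("Lab catch-all", "Any", "Any", "Any", "Accept", "None"),
    Rule("Cleanup", "Any", "Any", "Any", "Drop", "Log"),
]

# Constructed gateway objects.
GATEWAYS = [
    Gateway("A-GW-Cluster", anti_spoofing=True, blades={"fw", "vpn", "ips"}),
    Gateway("B-GW", anti_spoofing=False, blades={"fw", "vpn"}),
]


def _is_any_any_any(rule):
    return (rule.src, rule.dst, rule.service) == ("Any", "Any", "Any")


# Global tests examine the whole rule base.
def check_no_open_accept(policy):
    bad = [r.name for r in policy if _is_any_any_any(r) and r.action == "Accept"]
    return Finding("No Any/Any/Any Accept rule", "Global", not bad, bad,
                   "Restrict the source, destination or service, or change the action")


def check_all_rules_logged(policy):
    bad = [r.name for r in policy if r.track == "None"]
    return Finding("All rules generate logs", "Global", not bad, bad,
                   "Set Track to Log on the listed rules")


def check_cleanup_rule_last(policy):
    last = policy[-1] if policy else None
    ok = last is not None and _is_any_any_any(last) and last.action == "Drop"
    return Finding("Explicit cleanup rule", "Global", ok, [] if ok else ["rule base"],
                   "Add an Any/Any/Any Drop rule as the last rule")


# Object-Based tests examine one object at a time.
def check_anti_spoofing(gw):
    ok = gw.anti_spoofing
    return Finding("Anti-spoofing enabled", "Object-Based", ok, [] if ok else [gw.name],
                   "Enable anti-spoofing on every interface of the gateway")


def check_ips_enabled(gw):
    ok = "ips" in gw.blades
    return Finding("IPS blade enabled", "Object-Based", ok, [] if ok else [gw.name],
                   "Enable the IPS Software Blade on the gateway")


def run_compliance(policy, gateways):
    """Run every Global test once and every Object-Based test once per gateway."""
    results = [check(policy) for check in
               (check_no_open_accept, check_all_rules_logged, check_cleanup_rule_last)]
    for gw in gateways:
        results.append(check_anti_spoofing(gw))
        results.append(check_ips_enabled(gw))
    return results


def compliance_score(results):
    """Constructed simplification: percentage of passing tests."""
    return round(100 * sum(f.passed for f in results) / len(results), 1)


def alerts(results):
    """Findings that degrade compliance, each with its recommended corrective action."""
    return [(f.scope, f.test, f.affected, f.action) for f in results if not f.passed]


if __name__ == "__main__":
    res = run_compliance(POLICY, GATEWAYS)
    for scope, test, affected, action in alerts(res):
        print(f"[{scope}] {test}: {', '.join(affected)} -> {action}")
    print(f"Compliance score: {compliance_score(res)}%")
```

Running it shows the behaviour the slides describe: the Global tests flag the "Lab catch-all" rule twice (open Accept, no logging), the Object-Based tests pass for A-GW-Cluster and fail twice for B-GW, and each alert carries the corrective action an administrator would apply before installing policy.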
CPView
Use CPView to quickly view general system information.
Basic syntax is: cpview [-c <file>] [history {on | off | stat}] [-t]
Overview View
The Overview view is the main view of CPView. It displays a summary of the main performance components in the system, such as memory and network bits per second.
SysInfo
The SysInfo view shows general information about the system such as system uptime, version, and hardware information.
Network View
There are three sub-views which provide additional traffic information broken down by network interface:
• Interfaces
• Top-Protocols
• Top-Connections
CPU View
The CPU view displays an overview of the current status of each CPU. There are two sub-views:
• Top-Protocols
• Top-Connections
Software-blades View
The Software-blades view shows statistics related to specific blades, including VPN, IDA (Identity Awareness), DLP, Threat Extraction, and Data Awareness.
Advanced View
The Advanced View provides detailed utilization and counter statistics for
advanced diagnosis. The main view displays CPU_Profiler information.
Sub-views include:
• Memory
• Network
• SecureXL
• ClusterXL
• CoreXL
• PrioQ
• Streaming
• RAD
• UP
• HTTP-Parser
Review Questions
1. How are best practice scores determined and displayed?
2. What key is used to save the current CPView page to a file?
Lab 14.1 – Policy Tuning
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; same diagram and addresses as shown for Lab 12.1]
Performance Objective:
• Enable the compliance software blade
Task:
• Activate the compliance software blade
Lab 14.1: Policy Tuning
Lab 14.2 – CPView
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; same diagram and addresses as shown for Lab 12.1]
Performance Objectives:
• Perform periodic tasks as specified in administrator job descriptions
• Understand how to use CPView to gather basic gateway status information
Tasks:
• Review statistics in CPView
• Change the refresh rate of CPView
• View historical data
• Save CPView statistics to a file
Lab 14.2: CPView
Lab 14.3 – Backups
[Lab topology diagram: Check Point R80.40 CCSA Lab Topology, Site Alpha and Site Bravo; same diagram and addresses as shown for Lab 12.1]
Performance Objective:
• Prepare and schedule backups for the gateway.
Tasks:
• Schedule a Security Management Server backup to take place every day at midnight
• Back up the Security Gateway cluster members from SmartConsole
• Perform a backup via CLI
Lab 14.3: Backups
Student Satisfaction Survey
Thank you for participating in this course! Please take a few minutes to complete the Student Satisfaction Survey. The survey will measure your satisfaction with the training course delivery, the instructor, training materials, and ATC facilities.
https://www.surveymonkey.com/r/CheckPointATC
THANK YOU!

Contenu connexe

Tendances

Fortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptxFortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptx
ArianeSpano
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
Castleforce
 
SD WAN Overview | What is SD WAN | Benefits of SD WAN
SD WAN Overview | What is SD WAN | Benefits of SD WAN SD WAN Overview | What is SD WAN | Benefits of SD WAN
SD WAN Overview | What is SD WAN | Benefits of SD WAN
Ashutosh Kaushik
 

Tendances (20)

Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
ClearPass Overview
ClearPass OverviewClearPass Overview
ClearPass Overview
 
Fortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptxFortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptx
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1
 
Chapter 9 PowerPoint
Chapter 9 PowerPointChapter 9 PowerPoint
Chapter 9 PowerPoint
 
Transform your enterprise branch with secure sd-wan
Transform your enterprise branch with secure sd-wanTransform your enterprise branch with secure sd-wan
Transform your enterprise branch with secure sd-wan
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
 
SD WAN Overview | What is SD WAN | Benefits of SD WAN
SD WAN Overview | What is SD WAN | Benefits of SD WAN SD WAN Overview | What is SD WAN | Benefits of SD WAN
SD WAN Overview | What is SD WAN | Benefits of SD WAN
 
Aryaka Bringing SASE to Life with a Zero Trust WAN.pdf
Aryaka Bringing SASE to Life with a Zero Trust WAN.pdfAryaka Bringing SASE to Life with a Zero Trust WAN.pdf
Aryaka Bringing SASE to Life with a Zero Trust WAN.pdf
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
What is zero trust model of information security?
What is zero trust model of information security?What is zero trust model of information security?
What is zero trust model of information security?
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
 

Similaire à CCSA Treinamento_CheckPoint.pptx

Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
Kai Wähner
 
End to End Security - Check Point
End to End Security - Check PointEnd to End Security - Check Point
End to End Security - Check Point
Harry Gunns
 
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docxAuthentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
rock73
 

Similaire à CCSA Treinamento_CheckPoint.pptx (20)

Security as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud AdoptionSecurity as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud Adoption
 
TENDENCIAS DE SEGURIDAD PARA AMBIENTES EN LA NUBE
TENDENCIAS DE SEGURIDAD PARA AMBIENTES EN LA NUBETENDENCIAS DE SEGURIDAD PARA AMBIENTES EN LA NUBE
TENDENCIAS DE SEGURIDAD PARA AMBIENTES EN LA NUBE
 
Infinity_Architecture_June_Webinar__Final_Wiki.pptx
Infinity_Architecture_June_Webinar__Final_Wiki.pptxInfinity_Architecture_June_Webinar__Final_Wiki.pptx
Infinity_Architecture_June_Webinar__Final_Wiki.pptx
 
Security architecture proposal template
Security architecture proposal templateSecurity architecture proposal template
Security architecture proposal template
 
Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových ...
Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových ...Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových ...
Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových ...
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
Check Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private CloudCheck Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private Cloud
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust Principles
 
Didiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - English
 
vSEC pro VMware NSX
vSEC pro VMware NSXvSEC pro VMware NSX
vSEC pro VMware NSX
 
Zabezpečení softwarově definovaných datových center prostřednictvím Check Poi...
Zabezpečení softwarově definovaných datových center prostřednictvím Check Poi...Zabezpečení softwarově definovaných datových center prostřednictvím Check Poi...
Zabezpečení softwarově definovaných datových center prostřednictvím Check Poi...
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski	- Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski	- Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
 
5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of Vulnerability5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of Vulnerability
 
VPCs, Metrics Framework, Back pressure : MuleSoft Virtual Muleys Meetups
VPCs, Metrics Framework, Back pressure  : MuleSoft Virtual Muleys MeetupsVPCs, Metrics Framework, Back pressure  : MuleSoft Virtual Muleys Meetups
VPCs, Metrics Framework, Back pressure : MuleSoft Virtual Muleys Meetups
 
Learn how to make your IoT pilot projects and POCs successful
Learn how to make your IoT pilot projects and POCs successfulLearn how to make your IoT pilot projects and POCs successful
Learn how to make your IoT pilot projects and POCs successful
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
 
End to End Security - Check Point
End to End Security - Check PointEnd to End Security - Check Point
End to End Security - Check Point
 
Iot in-production
Iot in-productionIot in-production
Iot in-production
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docxAuthentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 

CCSA Treinamento_CheckPoint.pptx

  • 1. 1 ©2020 Check Point Software Technologies Ltd. CHECK POINT CERTIFIED SECURITY ADMINISTRATOR R80.40 CCSA
  • 2. 2 ©2020 Check Point Software Technologies Ltd. Check Point: The Largest Global Cyber Security Company Global Leader – 100,000+ Customers, 88+ Countries, 6,200+ Partners Over 25 years of cutting edge technologies, Industry’s most visionary player Traded on Nasdaq since 1996 - CHKP 5000+ Employees worldwide, top talent Innovation leadership - more than twice the developers of closest competitor TRUSTED BY FORTUNE 500 COMPANIES
  • 3. 3 ©2020 Check Point Software Technologies Ltd. Mission Statement BUILDING SECURITY FOR THE FUTURE SECURE ANY ENVIRONMENT WE OPERATE IN DO IT EFFICIENTLY KEEPING THE ATTACKS OUTSIDE
  • 4. 4 ©2020 Check Point Software Technologies Ltd. • Infinity architecture: Consolidated security platform providing full threat prevention across the organization • New technology: Assist customers to securely innovate and grow by deploying new security technologies • Broader reach: Provide more companies with the ability to prevent attacks Check Point Strategy
  • 5. 5 ©2020 Check Point Software Technologies Ltd. Best Threat Prevention Across Entire Enterprise MOBILE Shared Threat Intelligence Consolidated Security Management ENDPOINT Hybrid Cloud NETWORK Perimeter & Data centers CLOUD
  • 6. 6 ©2020 Check Point Software Technologies Ltd. PREFACE CCSA R80.40
  • 7. 7 ©2020 Check Point Software Technologies Ltd. Check Point CHECKMATES CHECKMATES is a community of people passionate about cyber security! It is an interactive platform with a large crowd of users where they can discuss various topics, talk about challenges they face, develop and share API tools and scripts, discuss benefits of products and solutions, exchange ideas, ask questions related to all Check Point products and services, and interconnect through local CheckMates Live (local user group) events. To boost your professional career with Check Point, become a member of the CheckMates community and share your thoughts and experiences, follow technology trends, learn about the most recent products and features, and participant in your local CheckMates community. Use your UserCenter account to sign in and get started: https://community.checkpoint.com/
  • 8. 8 ©2020 Check Point Software Technologies Ltd. CCSA is recommended for the following professionals:  System Administrators  Support Analysis  Network Engineers
  • 9. 9 ©2020 Check Point Software Technologies Ltd. CCSA Course Chapters • Chapter 1: Introduction to Check Point Technology • Chapter 2: Introduction to Check Point Deployment • Chapter 3: Check Point Management Operations • Chapter 4: Licensing • Chapter 5: Security Policy Management • Chapter 6: Policy Layers • Chapter 7: Managing User Access • Chapter 8: Working with NAT • Chapter 9: Traffic Visibility • Chapter 10: Monitoring System States • Chapter 11: Security Events • Chapter 12: Basic Concepts of VPN • Chapter 13: Working with ClusterXL • Chapter 14: Compliance Tasks
  • 10. 10 ©2020 Check Point Software Technologies Ltd. Internal DMZ EXT Internet Name: A-GW-01 Mgmt Address: 10.1.1.2/24 Int Address: 192.168.11.2/24 Sync Address: 192.168.10.2/24 Ext Address: 203.0.113.2/24 DMZ Address: 192.168.12.2/24 Default GW: 203.0.113.254 SYNC Name: A-GW-02 Mgmt Address: 10.1.1.3/24 Int Address: 192.168.11.3/24 Sync Address: 192.168.10.3/24 Ext Address: 203.0.113.3/24 DMZ Address: 192.168.12.3/24 Default GW: 203.0.113.254 EXT NAT Management Internal Name: A-GW-Cluster Mgmt VIP: 10.1.1.1/24 Int VIP: 192.168.11.1/24 Ext VIP: 203.0.113.1/24 DMZ VIP: 192.168.12.1/24 IP Address: 10.1.1.201/24 Default GW: 10.1.1.1 IP Address: 10.1.1.101/24 Default GW: 10.1.1.1 Name: A-Host IP Address: 192.168.11.201/24 Default GW: 192.168.11.1 Name: A-LDAP IP Address: 192.168.11.101/24 Default GW: 192.168.11.1 Name: A-DMZ IP Address: 192.168.12.101/24 Default GW: 192.168.12.1 Name: B-GW Mgmt Address: Interface Disabled Int Address: 192.168.21.1/24 Sync Address: interface Disabled Ext Address: 203.0.113.100/24 Default GW: 203.0.113.254 Name: B-Host IP Address: 192.168.21.201/24 Default GW: 192.168.21.1 eth0 eth1 eth2 eth3 eth4 eth3 eth1 Name: Router IP Address: 203.0.113.254/24
• 11. THE ROLE OF THE SECURITY ADMINISTRATOR. Security administrators fill one of the most important roles in the information technology (IT) industry. They oversee issues related to IT security and safety and ensure that organizations’ computer networks and systems remain protected from all types of cyber threats. This includes configuring policy and adding passwords to servers, setting up firewalls and anti-virus protection, and restricting what users can and cannot do on the network.
• 12. Chapter One: INTRODUCTION TO CHECK POINT TECHNOLOGY
• 13. Learning Objectives:
  • Describe the key elements of Check Point’s unified security management architecture.
  • Learn how Check Point firewalls are managed and network traffic is monitored.
  • Gain insight into how Check Point security features are enabled and policies applied.
• 14. Security Architecture. When connecting to the Internet, protecting the network against intrusion is of critical importance. The most effective way to secure the Internet link is to put a Firewall system between the local network and the Internet. Its components are:
  • Security Management Server
  • SmartConsole
  • Security Gateway
• 15. Controlling Network Traffic. The Firewall, or the Security Gateway with a Firewall enabled, will deny or permit traffic based on rules defined in the Security Policy. The following technologies are used to deny or permit network traffic:
  • Packet Filtering
  • Stateful Inspection
  • Application Layer Firewall
• 16. Packet Filtering. Handling individual packets, the packet filter firewall applies rules to determine whether a packet is allowed or disallowed. The firewall examines each packet based on the following criteria:
  • Source IP address
  • Destination IP address
  • TCP/UDP source port
  • TCP/UDP destination port
• 17. Controlling Network Traffic: PACKET FILTERING. The most basic form of a Firewall. Packets include the following elements:
  • Source address
  • Destination address
  • Source port
  • Destination port
  • Protocol
• 18. Controlling Network Traffic: STATEFUL INSPECTION. Technology developed and patented by Check Point.
  • Examines the context of a packet.
  • Monitors the state of the connection.
  • Uses Check Point’s INSPECT Engine to extract state-related information from the packet.
• 19. Controlling Network Traffic: How do Stateful Inspection and Packet Filtering differ?
  • Packet Filtering: examines the packet header; requires two rules for each connection.
  • Stateful Inspection: examines the packet header and contents; only one rule is required for each connection.
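The difference stated on slide 19, shown as an added example that is not part of the course material: a stateless packet filter beside a stateful inspector with a connection table, both applied to a web request from A-Host to A-DMZ. The addresses come from the lab topology; the ports, rule names and SYN handling are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True only for the TCP SYN that starts a connection

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # a single address or "any"
    dst: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.proto == pkt.proto
                and self.dport in (None, pkt.dport))

def first_match(rules, pkt: Packet) -> str:
    """Top-down first-match evaluation; an unmatched packet is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

class PacketFilter:
    """Stateless: every packet is judged on its own header fields."""

    def __init__(self, rules):
        self.rules = list(rules)

    def inspect(self, pkt: Packet) -> str:
        return first_match(self.rules, pkt)

class StatefulInspector:
    """Keeps a state table of accepted connections (5-tuples), so the reply
    direction is recognised as part of a known connection and needs no rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "accept"  # either direction of an established connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"    # out-of-state TCP segment, not a connection start
        action = first_match(self.rules, pkt)
        if action == "accept":
            self.state.add(forward)
        return action

# Constructed sample traffic using lab topology addresses: A-Host browses to
# the A-DMZ web server, the server replies, then the server sends an
# unsolicited segment to a port A-Host never opened.
HOST, DMZ = "192.168.11.201", "192.168.12.101"
REQUEST = Packet(HOST, DMZ, "tcp", 51000, 80, syn=True)
REPLY = Packet(DMZ, HOST, "tcp", 80, 51000)
UNSOLICITED = Packet(DMZ, HOST, "tcp", 80, 51001)

def packet_filter_demo() -> Dict[str, Tuple[str, ...]]:
    one_rule = PacketFilter([Rule("host-to-dmz-http", HOST, DMZ, "tcp", 80, "accept")])
    # The reply direction needs its own rule, and that rule cannot tell a
    # genuine reply from any other segment the DMZ server sends to A-Host.
    two_rules = PacketFilter([
        Rule("host-to-dmz-http", HOST, DMZ, "tcp", 80, "accept"),
        Rule("dmz-http-replies", DMZ, HOST, "tcp", None, "accept"),
    ])
    return {
        "one_rule": (one_rule.inspect(REQUEST), one_rule.inspect(REPLY)),
        "two_rules": (two_rules.inspect(REQUEST), two_rules.inspect(REPLY),
                      two_rules.inspect(UNSOLICITED)),
    }

def stateful_demo() -> Tuple[str, str, str]:
    fw = StatefulInspector([Rule("host-to-dmz-http", HOST, DMZ, "tcp", 80, "accept")])
    return (fw.inspect(REQUEST), fw.inspect(REPLY), fw.inspect(UNSOLICITED))

if __name__ == "__main__":
    print("packet filter:", packet_filter_demo())  # one_rule drops the reply
    print("stateful:", stateful_demo())            # ('accept', 'accept', 'drop')
```

With one rule the stateless filter drops the legitimate reply; with the second rule it also admits the unsolicited segment, which the state table rejects.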
• 20. Controlling Network Traffic: APPLICATION FIREWALL. Includes the traditional functions of Packet Filtering and Stateful Inspection.
  • Provides granular-level filtering, antivirus scanning, and access control.
  • Inspects traffic through the lower layers of the TCP/IP model and up to and including the application layer.
• 21. Review Questions:
  1. What are the three main components of the Check Point Architecture?
  2. Why are State tables key components of the Stateful Inspection technology?
  3. What is the main purpose of Security Gateways?
• 22. Chapter Two: INTRODUCTION TO CHECK POINT DEPLOYMENT
• 23. Learning Objectives:
  • Understand Check Point deployment options.
  • Describe the basic functions of the Gaia operating system.
• 24. Deployment Options. Check Point appliances and open servers are the two main options for deploying Check Point technology. These deployment options cover the processes typically involved in bringing new software or hardware into a properly running environment. Examples include the following:
  • Check Point Appliances
  • Open Servers
  • Cloud Computing
  • Scalable Platforms (Maestro Hyperscale Orchestrator)
• 25. Check Point Appliances. Strong and proven, Check Point security appliances provide reliable services for thousands of businesses worldwide.
  • Small Business and Branch Office
  • Enterprise Network Security
  • Data Center Security Systems
  • Chassis Systems
  • Rugged Appliances
  • And More
  (Image: Rugged Appliance)
• 26. Deployment Considerations. Each component in the network topology is distinguished by its IP address and netmask. The combination of components and their respective IP information makes up the network topology.
• 27. Standalone Deployment. In a Standalone deployment, the Security Management Server and Security Gateway are installed on the same computer or appliance. Diagram legend: 1 Security Management Server, 2 Standalone Server, 3 Security Gateway Component.
• 28. Distributed Deployment. In a Distributed deployment, the Security Gateway and the Security Management Server are installed on different computers or appliances. Diagram legend: 1 Security Management Server, 2 Network Connection, 3 Security Gateway.
• 29. Bridge Mode Deployment. A Bridge Mode deployment adds a Security Gateway to an existing environment without changing IP routing. Diagram legend: 1 Switch, 2 Router, 3 Security Gateway. The Firewall bridges Layer-2 traffic using a single IP address, with the subnet on each side using the same address.
• 30. Introduction to the Gaia Operating System. Gaia is Check Point’s operating system for all Check Point appliances and open servers. It supports the full portfolio of Check Point Software Blades, gateways, and security management products. It also supports:
  • IPv4 and IPv6 network protocols
  • High connection and virtual systems capacity (64 bits)
  • Load sharing
  • High availability
  • Dynamic and multicast routing
• 31. Gaia Portal. The Gaia Portal (also known as WebUI) is an advanced, web-based interface used to configure Gaia platforms. A majority of system configuration tasks can be done through the Gaia Portal.
• 32. Gaia Portal Users Page. The Gaia Portal and CLI can be used to manage user accounts and perform the following actions:
  • Add users to your Gaia system
  • Edit the home directory of a user
  • Edit the default shell for a user
  • Assign a password to a user
  • Assign privileges to users
• 33. Gaia Pre-Defined Roles. Gaia includes these pre-defined roles:
  • AdminRole: gives the user read/write access to all features.
  • MonitorRole: gives the user read-only access to all features.
• 34. Gaia Portal Add Role Window. Roles are defined on the “Add Role” page of the WebUI. To add a new role or change an existing role, select User Management > Roles in the WebUI navigation tree.
• 35. Check Point Upgrade Service Engine.
  • Gaia provides the ability to directly receive updates for licensed Check Point products.
  • With the Check Point Upgrade Service Engine (CPUSE), you can automatically update Check Point products.
• 36. Assigning Users to Roles in Gaia Portal:
  1. Select User Management > Roles in the WebUI navigation tree.
  2. Click Assign Members.
  3. In the Assign Members to Role window:
    • Double-click a user in the Available Users list to add that user to the role.
    • Double-click a user in the Users with Role list to remove that user from the role.
• 37. Gaia Commands. Commands have the following syntax: operation feature parameter
  • To view all commands that the user has permissions to run: show commands
  • To view a list of all features: show commands feature <TAB>
  • To show all possible operations: show commands op <SPACE> <TAB>
  • To show the full system version information: show version all
• 38. Review Questions:
  1. What is the difference between a Distributed Deployment and a Standalone Deployment?
  2. What are the two main options for deploying Check Point technology?
  3. What is a private package?
• 39. Lab 2.1: Installation of Primary Management Server (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 40. Lab 2.1: Installation of Primary Management Server. Performance Objectives:
  • Configure the Security Management Server
  • Use the WebUI to run the First Time Wizard
  • Install SmartConsole
  Tasks:
  • Install the Gaia OS
  • Configure the system as a Security Management Server
• 41. Lab 2.2: Configuration of a Security Gateway (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 42. Lab 2.2: Configuration of a Security Gateway. Performance Objectives:
  • Install the Alpha Cluster using the network detailed in the course topology
  Tasks:
  • Install Gaia on A-GW-01 and A-GW-02
  • Configure the Security Gateway with the First Time Configuration Wizard
• 43. Chapter Three: CHECK POINT MANAGEMENT OPERATIONS
• 44. Learning Objectives:
  • Receive an introduction to Secure Internal Communication (SIC).
  • Recognize SmartConsole features, functions, and tools.
  • Understand how SmartConsole is used by administrators to grant permissions and user access.
• 45. Network Communication: Secure Internal Communication (SIC).
  • Creates trusted connections.
  • Required for policy installation and to send logs.
  • SIC methods include: certificates; standards-based SSL for the creation of secure channels; 3DES or AES128 for encryption.
• 46. Administrative Tasks in SmartConsole:
  • Manage Security Policies
  • Monitor Events
  • Install Updates
  • Add New Devices and Appliances
  • Manage Multi-Domain Environments
• 47. The SmartConsole. SmartConsole is a Graphical User Interface (GUI) used to manage the objects that represent network elements, servers, and gateways. These administrative activities are organized into the following tabs:
  • Gateways & Servers
  • Security Policies
  • Logs & Monitor
  • Manage & Settings
• 48. Logs & Monitor View. The Logs & Monitor tab allows you to view graphs and pivot tables in an organized dashboard, search through logs, and schedule customizable reports.
• 49. Review Questions:
  1. Name one task that takes place in the Gateways & Servers tab.
  2. When does a session occur?
• 50. Lab 3.1: Establishing Secure Internal Communication (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 51. Lab 3.1: Establishing Secure Internal Communication. Performance Objectives:
  • Demonstrate how the Security Management Server and Gateways communicate
  • Test SIC status
  Tasks:
  • Create the Cluster and Gateway objects in SmartConsole
  • Establish SIC
• 52. Lab 3.2: Administrator Access (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 53. Lab 3.2: Administrator Access. Performance Objectives:
  • Create multiple administrators and apply different roles and permissions for concurrent administration
  Tasks:
  • Create new administrators with varying permission profiles
  • Configure IPS
  • Test administrator access based on assigned profiles
  • View concurrent administrator activities
  • Disconnect an administrator session
• 54. Chapter Four: LICENSING
• 55. Learning Objectives:
  • Learn how Check Point security solutions and products work and how they protect networks.
  • Understand licensing and contract requirements for Check Point security products.
• 56. Licensing Overview. Components of a License:
  • Features and functionality of the purchased product
  • Its terms of use
  • Maximum number of users, devices and/or IP addresses allotted for the product
  • Signature key
  • Certification key
  • Service contract data
• 57. Central & Local Licenses.
  • Central licenses require an administrator to designate a gateway for attachment.
  • Local licenses are automatically attached to their respective Security Gateways.
• 58. License Activation. Using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts.
• 59. Automatic Licensing. The automatic licensing feature performs the following operations:
  • Verifies licenses
  • Activates new licenses
  • Automatically adds new Blades
• 60. Using SmartUpdate. SmartUpdate tabs are divided into a tree structure that displays the packages installed and the licenses attached to each managed Security Gateway. The tree has the following three levels:
  • Root
  • Second
  • Third
• 61. Add & Install Licenses. To install a license, you must first add it to the License & Contract Repository:
  1. Launch SmartDistributer.
  2. Navigate to the Licenses & Contracts tab.
  3. From the Launch menu, choose Licenses & Contracts > Add License.
• 62. Steps to Export a License:
  1. In SmartUpdate, select a license from the License Repository and right-click.
  2. From the menu, select Export License to File.
  3. In the Choose File to Export License(s) To window, name the file or select an existing file and browse to the desired location.
• 63. License Status. SmartConsole allows you to quickly reference the license status for each Software Blade per gateway.
• 64. Saving & Exporting License Status. You may also save the status information as a PDF report or export the information to a file.
• 65. License Reports. To generate a report of all licenses allocated for your full network environment:
  1. Launch SmartConsole.
  2. In the License Repository, right-click the object.
  3. From the menu bar, select Action and then License Report.
  4. Select the desired report format to be generated.
• 66. Service Contracts. The Service Contract file enables compliance with current Check Point licensing standards.
• 67. Updating Contracts. Contracts can be updated in SmartUpdate by using the Licenses & Contracts option provided under the Licenses & Contracts tab menu.
• 68. Review Questions:
  1. Name the three types of Software Containers.
  2. What are Subscription Blades?
  3. Name one reason for generating and installing a new license.
• 69. Lab 4.1: Managing Licensing & Contracts in SmartUpdate (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 70. Lab 4.1: Managing Licensing & Contracts in SmartUpdate. Performance Objective:
  • Validate existing licenses for products installed on the network.
  Tasks:
  • Verify the status of existing licenses in SmartConsole
  • Import licenses
  • Attach licenses
  • Verify the status of existing licenses in the Gaia Portal
• 71. Chapter Five: SECURITY POLICY MANAGEMENT
• 72. Learning Objectives:
  • Describe the essential elements of a Security Policy.
  • Understand how traffic inspection takes place in a unified Security Policy.
  • Summarize how administration roles and permissions assist in managing policy.
  • Recall how to implement Check Point backup techniques.
• 73. Rules. A Security Policy consists of a set of rules that define network security using a Rule Base. Once a Rule Base is defined, the Security Policy can be distributed to all Security Gateways across a network. Rules are composed of network objects such as gateways, hosts, networks, routers, and domains, and specify the source, destination, service, and action to be taken for each session.
• 74. Default Rule. A default rule is added when you add a rule to the Rule Base. These rules are configured using all objects, services and users installed in your database.
• 75. Object Management.
  • Administrators can add, edit, delete, and clone objects.
  • The Object Explorer window in SmartConsole allows you to create new objects and edit existing objects.
• 76. Configuring Anti-Spoofing. The Topology tab of the Interface Properties window allows you to configure the Anti-Spoofing properties of a gateway.
• 77. Cleanup and Stealth Rules.
  • Cleanup Rule — A Cleanup rule is recommended to determine how to handle connections not matched by the rules above it in the Rule Base.
  • Stealth Rule — A Stealth rule is a rule that should be located as early in your policy as possible, typically immediately after any Management rules.
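An added example, not from the course, that ties the Anti-Spoofing check of slide 76 to the Stealth and Cleanup rules of slide 77: each packet is first checked against the interface topology of A-GW-Cluster (networks and VIPs from the lab diagram), then evaluated top-down against a rule base that places a Management rule first, the Stealth rule right after it and a Cleanup rule last. The rule base, the Management hosts and ports, and the sample packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    iface: str  # gateway interface the packet arrived on
    src: str
    dst: str
    dport: int

# Interface topology of A-GW-Cluster as drawn in the course lab topology.
# Internal-side interfaces list the networks that legitimately sit behind
# them; None marks the External interface, which leads out to the Internet.
TOPOLOGY = {
    "Mgmt": [ip_network("10.1.1.0/24")],
    "Internal": [ip_network("192.168.11.0/24")],
    "DMZ": [ip_network("192.168.12.0/24")],
    "Sync": [ip_network("192.168.10.0/24")],
    "External": None,
}

# The cluster's own addresses (the VIPs from the lab topology), which the
# Stealth rule protects.
GATEWAY = ["10.1.1.1", "192.168.11.1", "203.0.113.1", "192.168.12.1"]

def anti_spoofing(pkt: Packet) -> Optional[str]:
    """Return a reason if the source address is not legitimate for the
    interface it arrived on, or None if the packet passes the check."""
    src = ip_address(pkt.src)
    behind = TOPOLOGY[pkt.iface]
    if behind is None:
        # External: a source that belongs to any protected network is spoofed.
        protected = [n for nets in TOPOLOGY.values() if nets for n in nets]
        if any(src in n for n in protected):
            return f"spoofed: internal address {pkt.src} arrived on External"
        return None
    if not any(src in n for n in behind):
        return f"spoofed: {pkt.src} is not behind {pkt.iface}"
    return None

class Rule(NamedTuple):
    name: str
    src: object     # list of addresses/networks, or "any"
    dst: object
    dports: object  # set of destination ports, or "any"
    action: str

def _addr_match(spec, addr: str) -> bool:
    if spec == "any":
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in spec)

# Constructed rule base in the order the course recommends: Management rule,
# Stealth rule immediately after it, ordinary rules, Cleanup rule last.
# A-GUI and A-SMS are allowed SSH and Gaia Portal (HTTPS) access to the cluster.
RULE_BASE = [
    Rule("Management", ["10.1.1.201", "10.1.1.101"], GATEWAY, {22, 443}, "accept"),
    Rule("Stealth", "any", GATEWAY, "any", "drop"),
    Rule("Internal to DMZ web", ["192.168.11.0/24"], ["192.168.12.101"], {80, 443}, "accept"),
    Rule("Cleanup", "any", "any", "any", "drop"),
]

def evaluate(pkt: Packet, rules=RULE_BASE) -> Tuple[str, str]:
    """Anti-spoofing first, then top-down first match; returns (action, reason)."""
    reason = anti_spoofing(pkt)
    if reason:
        return ("drop", reason)
    for rule in rules:
        if (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
                and (rule.dports == "any" or pkt.dport in rule.dports)):
            return (rule.action, rule.name)
    return ("drop", "implicit drop")  # only reached without a Cleanup rule

# Constructed sample packets using lab topology addresses.
SAMPLES = [
    Packet("Mgmt", "10.1.1.201", "10.1.1.1", 443),               # A-GUI to the cluster's Gaia Portal
    Packet("Internal", "192.168.11.201", "192.168.11.1", 22),    # A-Host tries SSH to the gateway
    Packet("Internal", "192.168.11.201", "192.168.12.101", 80),  # A-Host to the A-DMZ web server
    Packet("External", "192.168.11.201", "192.168.12.101", 80),  # A-Host's address seen from the Internet
    Packet("Internal", "192.168.11.201", "203.0.113.254", 80),   # A-Host to the Router, no rule allows it
]

def run_samples():
    return [evaluate(p) for p in SAMPLES]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLES, run_samples()):
        print(pkt, "->", result)
```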
• 78. Global Properties. The Security Policy includes numerous settings that are configured as Global Properties. These settings apply to:
  • The Firewall
  • VPN
  • Reporting Tools
  • Check Point Products
  • Check Point Services & Functions
• 79. Sections. When managing a large network, it can be helpful to divide the policy into smaller sections. Use section titles to navigate large rule bases more easily.
• 80. Publish Policy. Publishing updates the policy on the management server and/or Log Server and makes the changes visible in SmartConsole.
• 81. Policy Types. There are four policy types available for each policy package:
  • Access Control
  • QoS
  • Desktop Security
  • Threat Prevention
• 82. Shared Policies. The Shared Policies section in a policy package provides access to these granular Software Blades and features:
  • Mobile Access
  • Data Loss Prevention
  • HTTPS Inspection
  • Geo Policy
• 83. Additional Policy Management Tools. Access Control tools include:
  • VPN Communities
  • Client Certificates
  • Application Wiki
  • Installation History
• 84. Install Policy. There are two types of installation modes:
  • Installs the policy on each target gateway independently.
  • Installs the policy on all target gateways.
• 85. Review Questions:
  1. Name one thing that a basic rule consists of.
  2. What are the building blocks of Security Policy rules?
  3. What is the purpose of UserCheck?
• 86. Lab 5.1: Creating Security Policy – Creating Objects (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 87. Lab 5.1: Creating Security Policy – Creating Objects. Performance Objective:
  • Create and configure host, network and group objects
  Task:
  • Create new host, network and group objects
• 88. Lab 5.2: Creating Security Policy – Creating Rules (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 89. Lab 5.2: Creating Security Policy – Creating Rules. Performance Objective:
  • Use SmartConsole to create the network policy
  Tasks:
  • Create rules using the objects created in the previous lab
  • Create Check Point recommended rules
• 90. Lab 5.3: Monitoring Policy Status (slide shows the Check Point R80.40 CCSA Lab Topology diagram, Site Alpha and Site Bravo, with the device addresses listed on slide 10).
• 91. Lab 5.3: Monitoring Policy Status. Performance Objectives:
  • Install the Security Policy
  • Monitor and review the status
  Tasks:
  • Install policy
  • Monitor and review the policy install status
  • Review an Audit log for the policy install
  • 92. 92 ©2020 Check Point Software Technologies Ltd. POLICY LAYERS Chapter Six
  • 93. 93 ©2020 Check Point Software Technologies Ltd. • Understand the Check Point policy layer concept. • Understand how policy layers affect traffic inspection. • Understand how to enable the Application Control and URL Filtering software blades to block access to various applications. Learning Objectives
  • 94. 94 ©2020 Check Point Software Technologies Ltd. Policy Layer Concept When working with Policy Layers, the Manage Layers window is used. To open the Manage Layers window, select Menu > Manage Policies and Layers in SmartConsole.
  • 95. 95 ©2020 Check Point Software Technologies Ltd. Manage Policies and Layers The window below serves as a dashboard for policies and layers. The specific columns on the dashboard are identified with a corresponding number and definition in the list below: • Layer - Shows the name of the layer • Number of Rules - Shows the number • of rules • Modifier - Shows the last user • Last Modified - Shows the date and time • Blades - Shows the Blades • Used in policies - Specifies the • policy package • Mode - Shows ordered or inline layer
  • 96. 96 ©2020 Check Point Software Technologies Ltd. Manage Policies and Layers When possible, it is a best practice to share policy layers with other policy packages. To enable this, check the “Multiple policies and rules can use this layer” checkbox.
  • 97. 97 ©2020 Check Point Software Technologies Ltd. Review Questions 1. How does a Rule Base work with a Security Policy? 2. Which blades can be enabled on a layer? 3. What are the two layer options?
• 98. Lab 6.1 – Ordered Layers
  Check Point R80.40 CCSA Lab Topology (the same diagram is used by every lab in this course):
  Site Alpha
  • A-GW-01: Mgmt 10.1.1.2/24, Int 192.168.11.2/24, Sync 192.168.10.2/24, Ext 203.0.113.2/24, DMZ 192.168.12.2/24, Default GW 203.0.113.254
  • A-GW-02: Mgmt 10.1.1.3/24, Int 192.168.11.3/24, Sync 192.168.10.3/24, Ext 203.0.113.3/24, DMZ 192.168.12.3/24, Default GW 203.0.113.254
  • A-GW-Cluster (virtual IPs): Mgmt VIP 10.1.1.1/24, Int VIP 192.168.11.1/24, Ext VIP 203.0.113.1/24, DMZ VIP 192.168.12.1/24
  • A-GUI: 10.1.1.201/24, Default GW 10.1.1.1
  • A-SMS: 10.1.1.101/24, Default GW 10.1.1.1
  • A-Host: 192.168.11.201/24, Default GW 192.168.11.1
  • A-LDAP: 192.168.11.101/24, Default GW 192.168.11.1
  • A-DMZ: 192.168.12.101/24, Default GW 192.168.12.1
  Site Bravo
  • B-GW: Mgmt interface disabled, Int 192.168.21.1/24, Sync interface disabled, Ext 203.0.113.100/24, Default GW 203.0.113.254
  • B-Host: 192.168.21.201/24, Default GW 192.168.21.1
  Internet
  • Router: 203.0.113.254/24
  Zones shown in the diagram: Management, Internal, DMZ, SYNC and EXT (NAT). Gateway interfaces are labelled eth0 to eth4 in the diagram only.
• 99. Lab 6.1: Ordered Layers
  Performance Objectives:
  • Demonstrate how to share a layer between Security Policies
  Tasks:
  • Add a Data Awareness layer to the Standard policy
  • Configure the Application Control and URL Filtering Rule Base
  • Share the new Data Awareness layer
• 100. Lab 6.2 – Inline Layers (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 101. Lab 6.2: Inline Layers
  Performance Objectives:
  • Demonstrate how to create an inline layer and share this layer between policies
  Task:
  • Create an Inline layer
• 102. Chapter Seven: MANAGING USER ACCESS
• 103. Learning Objectives
  • Recognize how to define users and user groups.
  • Understand how to manage user access for internal and external users.
  • Describe Identity Awareness components and configurations.
• 104. Overview of User Management Components
  Users are created for use as network objects in Security Policies and to define the terms under which each user may operate, such as:
  • Services allowed
  • Locations allowed to access the network
  • Allowed network destinations
  • Time frame in which the user may connect
  • Time frame in which the user may access the network
  • Authentication process
  • Remote working process
• 105. User Directory
  • Leverages LDAP servers to obtain user identification
  • Eliminates the risk of manually maintaining and synchronizing user data
  • Enables centralized user management
  • Queries user information, retrieves CRLs and authenticates users
  • Recommended for large user counts
  • Requires a separate license, which is included in the Mobile Access Software Blade
• 106. Identity Awareness
  Identity Awareness lets you configure network access and auditing based on one or more of the following:
  • Network location
  • The identity of a user
  • The identity of a machine
• 107. Active Directory (AD) Query
  AD Query is a clientless identity acquisition method: it lets the Security Gateway identify Active Directory users and computers without installing any agent on the endpoint.
• 108. Captive Portal for Guest Access
  When users try to access a resource, they are redirected to a web page that requires them to enter login credentials for verification.
• 109. Adding a User from LDAP
  Managing users differs when LDAP is incorporated:
  • User management in User Directory is handled externally on the LDAP server, not locally on the Security Management Server.
  • User Directory server templates, unlike internal user templates, can be modified and applied to users dynamically.
• 110. Access Roles
  Access Roles are objects that allow you to configure network access according to:
  • Networks
  • Users and user groups
  • Computers and computer groups
  • Remote Access clients
• 111. Access Policy Rules
  After Identity Awareness has been activated, you can create Access Role objects and use them in the Source and Destination columns of Access Control policy rules.
• 112. Rule Base
  Using Identity Awareness, you can define a policy rule for specified users who send traffic from specified computers or from any computer. The slide shows an example of a rule that redirects the user to the Captive Portal.
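As an added example (not code from the course or from Check Point), the following Python model ties together the layer concepts of slides 95 to 101 and the Access Role concepts of slides 110 to 112. It evaluates a connection against two ordered layers, one of which contains an inline layer, and uses an Access Role as the source of a rule. The addresses are the lab topology's; the user names, rule contents, layer names and the destination host are assumptions made for the example.

```python
"""Toy evaluator for Access Control layers and Access Role objects.

Added illustration for the course material, not Check Point code: ordered
layers (every layer must accept; first match wins inside a layer), inline
layers (sub-rules run only when the parent matches, and an unmatched
connection hits the inline layer's implicit cleanup rule rather than the
rules below) and Access Roles (network and user criteria must all match).
Addresses are from the lab topology; users and rule contents are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # "Any" in a rule column

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    user: Optional[str] = None  # identity learned by Identity Awareness

@dataclass(frozen=True)
class AccessRole:
    """Every criterion that is set must match; an empty one means Any."""
    name: str
    networks: tuple = ()  # CIDR strings
    users: tuple = ()

    def matches(self, conn):
        in_net = not self.networks or any(
            ip_address(conn.src) in ip_network(n) for n in self.networks)
        return in_net and (not self.users or conn.user in self.users)

def src_matches(src, conn):
    """Source column holds Any, an AccessRole or a CIDR string."""
    if src is ANY:
        return True
    if isinstance(src, AccessRole):
        return src.matches(conn)
    return ip_address(conn.src) in ip_network(src)

@dataclass
class Rule:
    src: object = ANY
    dst: object = ANY                 # CIDR string or Any
    services: Optional[tuple] = ANY
    action: str = "Drop"              # "Accept", "Drop" or "Inline"
    inline: Optional["Layer"] = None  # sub-rules when action == "Inline"

    def matches(self, conn):
        return (src_matches(self.src, conn)
                and (self.dst is ANY or ip_address(conn.dst) in ip_network(self.dst))
                and (self.services is ANY or conn.service in self.services))

@dataclass
class Layer:
    name: str
    rules: list
    implicit_cleanup: str = "Drop"  # action when no rule in the layer matches

    def evaluate(self, conn, prefix=""):
        """Return (action, 'Layer:rule') naming the rule that decided."""
        for number, rule in enumerate(self.rules, start=1):
            if not rule.matches(conn):
                continue
            rule_id = f"{prefix}{number}"
            if rule.action == "Inline":
                # Matching the parent commits the connection to the inline
                # layer; it never falls through to the rules below it.
                return rule.inline.evaluate(conn, prefix=f"{rule_id}.")
            return rule.action, f"{self.name}:{rule_id}"
        return self.implicit_cleanup, f"{self.name}:{prefix}implicit-cleanup"

@dataclass
class Policy:
    ordered_layers: list

    def evaluate(self, conn):
        """Accepted only if every ordered layer accepts it, else dropped."""
        trace = []
        for layer in self.ordered_layers:
            action, where = layer.evaluate(conn)
            trace.append(where)
            if action != "Accept":
                return "Drop", trace
        return "Accept", trace

# Example policy with assumed rule contents over the lab topology's addresses.
INTERNAL = "192.168.11.0/24"
ALICE_FROM_INTERNAL = AccessRole("Alice_From_Internal", (INTERNAL,), ("alice",))
NETWORK_LAYER = Layer("Network", [
    Rule(src=ALICE_FROM_INTERNAL, services=("http", "https"), action="Accept"),
    Rule(action="Drop"),  # explicit cleanup rule
])
APPLICATION_LAYER = Layer("Application", [
    Rule(src=INTERNAL, action="Inline", inline=Layer("Application", [
        Rule(services=("https",), action="Accept"),
    ])),                    # the inline layer's implicit cleanup stays at Drop
    Rule(action="Accept"),  # never reached for INTERNAL sources
])
POLICY = Policy([NETWORK_LAYER, APPLICATION_LAYER])

def decide(src, service, user=None, dst="198.51.100.10"):
    """Evaluate one connection; dst defaults to a constructed Internet host."""
    return POLICY.evaluate(Connection(src, dst, service, user=user))
```

The trace returned with each verdict shows which rule decided in each layer. Note the second case: alice's HTTP connection is accepted by the Network layer but dropped by the inline layer's implicit cleanup, because once the parent rule matches, the Accept rule below it in the Application layer is never consulted.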
• 113. Review Questions
  1. What purpose does the User Directory serve?
  2. Name one of the items on which Identity Awareness lets you base network access and auditing.
  3. Name one authentication scheme that Check Point supports.
• 114. Lab 7.1 – Provide User Access (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 115. Lab 7.1: Provide User Access
  Performance Objectives:
  • Enable Identity Awareness
  • Deploy user access roles for more granular control of the Security Policy
  Tasks:
  • Configure the Security Policy for Identity Awareness
  • Define the user access role
  • Test the Identity Awareness connection
• 116. Chapter Eight: WORKING WITH NAT
• 117. Learning Objectives
  • Articulate how Network Address Translation (NAT) affects traffic.
  • Describe how to configure manual and automatic NAT.
• 118. NAT Rules
  NAT rules modify the IP address information in packets as they pass through the Security Gateway. The gateway's behavior depends on the type of NAT rule configured and on where the rule applies within the flow of traffic. NAT can be configured on Check Point hosts, nodes, networks, address ranges and dynamic objects.
• 119. Manual and Automatic NAT
  Automatic NAT
  • Configured on the NAT page of the Network, Host and Address Range objects
  • Supports Hide NAT (many-to-one: source address and source port are rewritten) and Static NAT (one-to-one)
  • The NAT rules are generated and ordered by the management server
  Manual NAT
  • Offers more flexibility
  • Can translate both the source and the destination of the packet
  • Supports Hide and Static NAT
• 120. NAT Configuration
  NAT can be configured either by manually creating rules in the NAT policy or by enabling NAT on the desired network object, in which case the rules are created automatically. Manual NAT rules sit above the automatic rules in the NAT Rule Base, and the gateway matches NAT rules top down.
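As an added example (not code from the course or from Check Point), the simulation below answers the first review question in code: it keeps a Hide NAT connection table and a Static NAT mapping and shows which inbound packets each can translate. The internal addresses and the cluster's external VIP are the lab topology's; the public address used for A-DMZ, the Internet peer and the port pool are assumptions made for the example.

```python
"""Hide NAT versus Static NAT as a small connection-table simulation.

Added illustration for the course material, not Check Point code. Hide NAT
(many-to-one) rewrites the source address and source port of outbound
connections and can translate an inbound packet only if it belongs to a
connection already in the table; Static NAT (one-to-one) translates in both
directions, so the Internet can reach the host. Internal addresses and the
cluster's external VIP are from the lab topology; the public address for
A-DMZ, the external peer and the port pool are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class NatGateway:
    def __init__(self, hide_rules, static_rules, port_pool=range(10000, 60000)):
        # hide_rules: {network: hide address}; static_rules: {internal: public}
        self.hide_rules = {ip_network(n): ip for n, ip in hide_rules.items()}
        self.static_out = dict(static_rules)
        self.static_in = {pub: priv for priv, pub in static_rules.items()}
        self._ports = iter(port_pool)  # a real gateway reuses expired ports
        # Hide NAT state: (hide address, hide port, proto) -> (orig src, orig sport)
        self.hide_table = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal side (Static before Hide)."""
        if pkt.src in self.static_out:
            return replace(pkt, src=self.static_out[pkt.src])
        for net, hide_ip in self.hide_rules.items():
            if ip_address(pkt.src) in net:
                port = next(self._ports)
                self.hide_table[(hide_ip, port, pkt.proto)] = (pkt.src, pkt.sport)
                return replace(pkt, src=hide_ip, sport=port)
        return pkt  # no NAT rule matched: forwarded unchanged

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; None means no translation."""
        if pkt.dst in self.static_in:
            return replace(pkt, dst=self.static_in[pkt.dst])
        key = (pkt.dst, pkt.dport, pkt.proto)
        if key in self.hide_table:
            src, sport = self.hide_table[key]
            return replace(pkt, dst=src, dport=sport)
        return None  # a hidden host cannot be reached without an existing connection

def build_lab_gateway():
    return NatGateway(
        hide_rules={"192.168.11.0/24": "203.0.113.1"},    # hide behind the Ext VIP
        static_rules={"192.168.12.101": "203.0.113.50"},  # assumed public IP for A-DMZ
    )

def demo():
    """Return (outbound, reply, unsolicited-to-hidden-net, inbound-to-static)."""
    gw = build_lab_gateway()
    peer = "198.51.100.10"  # constructed Internet host
    out = gw.outbound(Packet("192.168.11.201", 51000, peer, 443))
    reply = gw.inbound(Packet(peer, 443, out.src, out.sport))
    unsolicited = gw.inbound(Packet(peer, 40000, "203.0.113.1", 22))
    to_dmz = gw.inbound(Packet(peer, 40000, "203.0.113.50", 80))
    return out, reply, unsolicited, to_dmz
```

The unsolicited SSH packet to the hide address has no entry in the table and is not translated, which is why a server that must accept inbound connections needs Static NAT (or a manual destination NAT rule), while a network of clients is fine behind Hide NAT.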
• 121. Review Questions
  1. What is the difference between Hide NAT and Static NAT?
  2. What are the three ranges of IP addresses that RFC 1918 designates as private and non-routable on the Internet?
• 122. Lab 8.1 – Automatic NAT Configuration (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 123. Lab 8.1: Automatic NAT Configuration
  Performance Objectives:
  • Configure Network Address Translation for server and network objects
  Tasks:
  • Configure Hide NAT on network objects
  • Configure Static NAT on the servers
• 124. Chapter Nine: TRAFFIC VISIBILITY
• 125. Learning Objectives
  • Identify tools designed to monitor data, determine threats and recognize opportunities for performance improvements.
  • Identify tools designed to respond quickly and efficiently to changes in gateways, tunnels, remote users, traffic flow patterns and other security activities.
• 126. Analyzing Logs
  Collecting logs helps with analyzing network traffic patterns and meeting compliance requirements.
• 127. Deploy Logging
  The workflow for deploying logging:
  1. Install one or more standalone Log Servers.
  2. In SmartConsole, enable logging on the Security Management Server.
  3. Configure the Security Gateways (the Logs page of each gateway object) to send their logs to the Log Server.
• 128. SmartConsole Logs View
  Using the Logs view, administrators can examine traffic logs and the audit logs of administrator activities, and run custom queries using pre-defined search filters.
• 129. Track Options & Settings
  The Track Settings window offers two advanced tracking options when one or more of the Application & URL Filtering, Content Awareness or Mobile Access Software Blades are enabled on the layer:
  • Detailed Log: also records the matched application, site or data type
  • Extended Log: additionally records every URL, file and data pattern seen in the session
• 130. Log Details
  • Log details include log information, policy and traffic flow details.
  • Open them by double-clicking a log entry.
• 131. Custom Queries
  • Custom queries can be created and saved for future use. The Favorites list stores saved custom queries.
  • Additional folders can be created to organize the customized queries.
• 132. Field Keywords
  Use pre-defined fields, followed by a colon, as keywords in filter criteria (for example src:192.168.11.201 or action:Drop). A table on the slide lists the pre-defined fields and the keyword aliases that can be used as alternatives.
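As an added example (not code from the course or from Check Point), the following Python evaluator implements the field:value query syntax of slides 128 to 133, including the Boolean operators the review questions ask about, and runs queries over a handful of constructed log records. The records, and the field names used in them, are assumptions for the example; the real Logs view supports more fields and keyword aliases than are shown here.

```python
"""Minimal evaluator for the field:value query syntax of the Logs view.

Added illustration for the course material, not Check Point code. It parses
queries such as `src:192.168.11.201 AND action:Drop` with AND, OR, NOT,
parentheses, an implicit AND between adjacent terms, `*` wildcards and bare
terms that match any field, then runs them over constructed log records.
The records and the field names in them are assumptions for the example;
the real Logs view supports more fields and keyword aliases.
"""
import re
from fnmatch import fnmatchcase

TOKEN = re.compile(
    r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<op>AND|OR|NOT)\b'
    r'|(?P<field>[A-Za-z_][\w.]*):(?P<fval>"[^"]*"|[^\s()]+)'
    r'|(?P<bare>"[^"]*"|[^\s()]+))', re.IGNORECASE)

def tokenize(query):
    """Yield ('(', None), (')', None), ('AND', None), ('term', (field, value))..."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query near {query[pos:]!r}")
        pos = m.end()
        if m["lp"] or m["rp"]:
            tokens.append((m[0].strip(), None))
        elif m["op"]:
            tokens.append((m["op"].upper(), None))
        elif m["field"]:
            tokens.append(("term", (m["field"].lower(), m["fval"].strip('"'))))
        else:
            tokens.append(("term", (None, m["bare"].strip('"'))))  # any field
    return tokens

class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor ([AND] factor)*."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected {self.toks[self.i]!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() in ("AND", "NOT", "(", "term"):  # adjacency is AND
            if self.peek() == "AND":
                self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind = self.peek()
        if kind == "NOT":
            self.take()
            return ("not", self.factor())
        if kind == "(":
            self.take()
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.take()
            return node
        if kind == "term":
            return ("term",) + self.take()[1]
        raise ValueError(f"unexpected {kind!r}")

def evaluate(node, record):
    """Case-insensitive match; `*` and `?` wildcards via fnmatch."""
    kind = node[0]
    if kind == "term":
        _, field, pattern = node
        values = record.values() if field is None else (
            [record[field]] if field in record else [])
        return any(fnmatchcase(str(v).lower(), pattern.lower()) for v in values)
    if kind == "not":
        return not evaluate(node[1], record)
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if kind == "and" else (left or right)

def search(query, records):
    tree = Parser(tokenize(query)).parse()
    return [r for r in records if evaluate(tree, r)]

# Constructed log records (a subset of the fields a real gateway log carries).
LOGS = [
    {"id": 1, "blade": "Firewall", "src": "192.168.11.201", "dst": "198.51.100.10",
     "service": "https", "action": "Accept", "rule": "Internal to Internet"},
    {"id": 2, "blade": "Firewall", "src": "192.168.21.201", "dst": "192.168.12.101",
     "service": "ssh", "action": "Drop", "rule": "Cleanup rule"},
    {"id": 3, "blade": "Application Control", "src": "192.168.11.201",
     "dst": "198.51.100.7", "service": "http", "action": "Drop", "application": "BitTorrent"},
    {"id": 4, "blade": "Identity Awareness", "src": "192.168.11.201", "user": "alice",
     "action": "Accept"},
    {"id": 5, "blade": "Firewall", "src": "10.1.1.201", "dst": "10.1.1.101",
     "service": "CPMI", "action": "Accept", "rule": "GUI to SMS"},
]

def matching_ids(query, records=LOGS):
    return [r["id"] for r in search(query, records)]
```

A bare term such as alice is matched against every field, which is what makes a quick free-text search work; a field term such as src:192.168.11.* is narrower and faster, and combining them with NOT and parentheses is how you carve an investigation query out of a busy log stream.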
• 133. Review Questions
  1. What is the purpose of collecting logs?
  2. Name at least one single search filter that can be used when creating log queries.
  3. What are Boolean operators?
• 134. Lab 9.1 – Generate and View Traffic (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 135. Lab 9.1: Generate and View Traffic
  Performance Objective:
  • Generate network traffic and use traffic visibility tools to monitor the data
  Task:
  • View live logs and perform searches to gather historical data
• 136. Chapter Ten: MONITORING SYSTEM STATES
• 137. Learning Objectives
  • Articulate how Security Management Servers and Security Gateways work together to monitor the state of the security enforcement system.
• 138. Monitor Gateway Status
  To see gateway status in SmartConsole, open the Gateways & Servers view, select a gateway, right-click and select Monitor.
• 139. Users View
  The Users view of SmartView Monitor shows users that currently have a VPN connection to the Security Gateways. It displays:
  • Open sessions
  • Overlapping sessions
  • Route traffic
  • Connection time
  • And more
• 140. System Counters View
  The System Counters view shows collected information on the status and activities of Check Point products.
• 141. Tunnels View
  • The SmartView Monitor Tunnels view shows the status of gateway-to-gateway VPN tunnels.
  • Use this view to identify VPN tunnel malfunctions and connectivity problems.
• 142. Traffic View
  SmartConsole Traffic Monitoring provides in-depth details on network traffic and activity.
• 143. Review Questions
  1. The monitoring views of SmartConsole and SmartView Monitor show real-time and historical graphical views of what?
  2. What does SAM stand for and what does it monitor?
  3. Where can alerts be seen?
• 144. Lab 10.1 – Monitoring System States (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 145. Lab 10.1: Monitoring System States
  Performance Objective:
  • Use SmartView Monitor to view status and alerts, and to block suspicious traffic
  Tasks:
  • Monitor the status of the systems
  • Configure alerts
  • Configure Suspicious Activity Rules
• 146. Chapter 11: SECURITY EVENTS
• 147. Learning Objectives
  • Understand how SmartEvent functions to identify critical security issues.
  • Identify the SmartEvent components used to store network activity logs and identify events.
  • Explain how SmartEvent helps eliminate security threats targeting organizations.
  • Understand how SmartEvent can assist in reporting security threats targeting organizations.
• 148. Threat Detection
  Increasingly, Security Administrators have to know how to prevent, detect and mitigate a range of sophisticated cyber security attacks. Check Point's SmartEvent Software Blade identifies critical security events such as intrusions, bot incidents and potential data loss, so that they can be stopped before damage is done.
• 149. The SmartEvent Solution
  SmartEvent correlates logs and detects real security threats. SmartEvent is a licensed Software Blade; it can be installed on a single server or split across multiple Correlation Units to reduce the load on any one machine.
• 150. SmartEvent Management
  To enable SmartEvent on the Security Management Server:
  • Open SmartConsole.
  • Open the Security Management Server network object.
  • On the Management tab, enable the SmartEvent Server and SmartEvent Correlation Unit Software Blades.
  • In the SmartConsole main toolbar, click Publish.
• 151. Event Analysis
  SmartConsole, the SmartView Web Application and the SmartEvent GUI client consolidate billions of logs and present them as prioritized security events, so you can respond to security incidents immediately and take the actions needed to prevent further attacks.
• 152. Reporting Security Events
  Pre-defined and customized reports can be generated on a schedule (daily, weekly or monthly) or on demand.
• 153. Using Pre-Defined Reports
  To open the catalog of pre-defined and customized reports, click the [+] tab.
• 154. Security CheckUp
  With the Check Point Security CheckUp tools, administrators can generate a comprehensive security analysis report that summarizes:
  • Security events
  • Security risks
  • Remediation
• 155. Lab 11.1 – Evaluating Threats with SmartEvent (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 156. Review Questions
  1. What is a Certificate Sharing Event?
  2. Name one component in the SmartEvent architecture.
  3. Why does the SmartEvent Server communicate with the Security Management Server?
• 157. Lab 11.1: Evaluating Threats with SmartEvent
  Performance Objectives:
  • Configure a SmartEvent Server to monitor relevant patterns and events.
  • Demonstrate how to configure event alerts in SmartEvent.
  • Demonstrate how to run specific SmartEvent reports.
  Tasks:
  • Configure the SmartEvent suite.
  • Generate reports based on available data.
• 158. Chapter Twelve: BASIC CONCEPTS OF VPN
• 159. Learning Objectives
  • Understand Site-to-Site and Remote Access VPN deployments and communities.
  • Understand how to analyze and interpret VPN tunnel traffic.
• 160. VPN Components
  The following components are used to construct VPN communication in the network:
  • VPN Domain: the hosts and networks behind a gateway that are reachable through the VPN
  • VPN Gateway
  • VPN Community
  • VPN Trust Entities: the certificates or pre-shared secrets used to authenticate peers
  • VPN Management Tools
• 161. Site-to-Site VPN Deployment
  Handles secure communication between offices that are connected over the Internet.
• 162. Remote Access VPN Deployment
  A Remote Access VPN deployment handles secure communication between internal corporate resources and remote users over VPN tunnels.
• 163. VPN Communities
  When configuring a VPN gateway in SmartConsole, decide which IP address objects are included in its VPN domain. The administrator then combines multiple VPN gateways, each with its own VPN domain, into a VPN community.
• 164. Meshed VPN Community
  A Meshed VPN community consists of VPN gateways that create VPN tunnels with every other VPN gateway in the community.
• 165. Star VPN Community
  In a Star VPN community, satellite gateways create tunnels only with the central gateway(s). It is typically used when a company must share information with external partners or companies.
• 166. VPN Routing
  VPN Routing directs communication through a specific tunnel in order to enhance existing connectivity or security.
• 167. Combination VPN Communities
  Combination VPN communities are more complex VPN deployment scenarios. For example, a combination VPN community can be defined by using two Star VPN communities and one Meshed VPN community.
• 168. Access Control for VPN Connections
  Configure rules in the Access Control policy to allow the connections between the VPN gateways. The VPN column of the Access Control policy determines how VPN connections are matched to the rules.
• 169. Access Control for VPN Connections
  The VPN column offers three ways to match:
  • Allow All Connections: the rule matches encrypted and clear traffic alike
  • Allow All Site-to-Site VPN Connections: the rule matches only traffic that arrives through a Site-to-Site VPN community
  • Allow Specific VPN Communities: the rule matches only traffic from the communities listed in the column
• 170. Site-to-Site Communities: Allow All Encrypted Traffic
  A Site-to-Site VPN community can be configured to automatically allow all encrypted connections. Use the "Accept all encrypted traffic" option to configure the Firewall to allow all VPN traffic to the internal networks of the community's VPN domains.
• 171. Permanent VPN Tunnels
  Permanent tunnels can only be established between Check Point VPN gateways. Permanent VPN tunnels can be set:
  • On all tunnels in the community
  • On all tunnels for specific gateways
  • On specific tunnels in the community
• 172. Monitoring VPN Tunnels
  The SmartView Monitor GUI displays the status of the VPN tunnels in the network.
• 173. Review Questions
  1. How does a VPN provide privacy and security?
  2. Why are Permanent VPN tunnels constantly kept active?
  3. What is Tunnel Testing?
• 174. Lab 12.1 – Basic VPN Establishment (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 175. Lab 12.1: Basic VPN Establishment
  Performance Objectives:
  • Configure and deploy a Site-to-Site VPN
  • Test the VPN connection and analyze the tunnel traffic
  Tasks:
  • Define the VPN domain
  • Define the VPN community
  • Create the VPN rule and modify the Rule Base
  • Test the VPN connection
• 176. Chapter Thirteen: WORKING WITH CLUSTERXL
• 177. Learning Objectives
  • Understand the basic concepts of ClusterXL technology and its advantages.
• 178. Overview of ClusterXL
  • Two or more Security Gateways configured to act as one unit.
  • Provides Security Gateway redundancy and load sharing.
  • Uses State Synchronization to keep active connections alive and prevent data loss when a member fails.
• 179. ClusterXL Topology
  ClusterXL uses unique physical IP and MAC addresses for the cluster members and virtual IP addresses (VIPs) to represent the cluster itself; in the lab topology, A-GW-01 and A-GW-02 are the members and A-GW-Cluster holds the VIPs. Each cluster member has at least three interfaces:
  • One external interface
  • One internal interface
  • One synchronization interface
• 180. Configuring Member Priority
  Gateway cluster members are listed in SmartConsole by priority. By default, the highest-priority member is the Active cluster member.
• 181. Configuring High Availability
  Two High Availability modes are available: ClusterXL and VRRP. ClusterXL High Availability mode designates one cluster member as the Active machine; the remaining members are in Standby and take over when the Active member fails.
• 182. Perform Manual Failover
  Use SmartView Monitor to stop ClusterXL on a Security Gateway and cause a failover: right-click the cluster member and select Cluster Member > Stop Member.
• 183. Monitoring a Cluster
  To confirm that clusters and cluster members are operating correctly, run cphaprob state from the CLI. It reports the cluster mode, the state of each member and the critical devices (pnotes) that currently report a problem.
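As an added example (not code from the course or from Check Point), the following Python parses cphaprob state output for the lab cluster and turns it into a pass/fail health check of the kind you would run from a monitoring job. The two sample outputs are constructed to approximate the R80.40 layout, with member names and Sync addresses from the lab topology; column spacing and the wording of the Active PNOTEs line can differ between versions, so verify the regexes against a real gateway before relying on them. The pnote names in the degraded sample are also assumed for the example.

```python
"""Parse `cphaprob state` output and check High Availability cluster health.

Added illustration for the course material, not Check Point code. The sample
output is constructed to approximate the R80.40 layout for the lab cluster;
verify the regexes against a real gateway before relying on them.
"""
import re
from collections import Counter

SAMPLE_HEALTHY = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.10.2    100%            ACTIVE         A-GW-01
2          192.168.10.3    0%              STANDBY        A-GW-02


Active PNOTEs: None
"""

SAMPLE_DEGRADED = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.10.2    0%              DOWN           A-GW-01
2          192.168.10.3    100%            ACTIVE         A-GW-02


Active PNOTEs: IAC, admin_down
"""

# One member row: id, optional "(local)", sync address, load, state, name.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s*(?P<local>\(local\))?\s+(?P<addr>\S+)\s+"
    r"(?P<load>\d+)%\s+(?P<state>[A-Z_-]+)\s+(?P<name>\S+)\s*$", re.M)

def parse_state(text):
    """Return {'mode': str, 'members': [dict, ...], 'pnotes': [str, ...]}."""
    members = [dict(id=int(m["id"]), local=bool(m["local"]), address=m["addr"],
                    load=int(m["load"]), state=m["state"], name=m["name"])
               for m in MEMBER_RE.finditer(text)]
    mode = re.search(r"^Cluster Mode:\s*(.+)$", text, re.M)
    pnotes = re.search(r"^Active PNOTEs:\s*(.+)$", text, re.M)
    pnote_list = ([] if pnotes is None or pnotes[1].strip() == "None"
                  else [p.strip() for p in pnotes[1].split(",")])
    return {"mode": mode[1].strip() if mode else None,
            "members": members, "pnotes": pnote_list}

def health_problems(text):
    """List what is wrong; an empty list means the HA cluster looks healthy.

    The single-ACTIVE check applies to High Availability mode; in Load
    Sharing mode every member is expected to be ACTIVE.
    """
    info = parse_state(text)
    states = Counter(m["state"] for m in info["members"])
    problems = []
    if states["ACTIVE"] != 1:
        problems.append(f"expected exactly one ACTIVE member, found {states['ACTIVE']}")
    for member in info["members"]:
        if member["state"] not in ("ACTIVE", "STANDBY"):
            problems.append(f"{member['name']} is {member['state']}")
    if info["pnotes"]:
        problems.append("active PNOTEs: " + ", ".join(info["pnotes"]))
    return problems
```

In the degraded sample the cluster still has exactly one ACTIVE member, so a check that only counts ACTIVE members would report it healthy; the DOWN state and the active pnotes are what reveal that a failover has happened and redundancy is gone.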
• 184. Review Questions
  1. What is the Cluster Control Protocol (CCP)?
  2. Which command is used to monitor cluster members?
  3. Describe a situation that causes a failover to take place on the active cluster member.
• 185. Lab 13.1 – Working with ClusterXL (lab topology diagram: identical to the one shown for Lab 6.1 on slide 98)
• 186. Lab 13.1: Working with ClusterXL
  Performance Objective:
  • Test ClusterXL High Availability
  Tasks:
  • Review High Availability settings
  • Test High Availability
  • 187. 187 ©2020 Check Point Software Technologies Ltd. COMPLIANCE TASKS Chapter Fourteen
  • 188. 188 ©2020 Check Point Software Technologies Ltd. • Knowledge about how to perform periodic administrator tasks. • Introduction to the Compliance Software Blade. • Understand how to use CPView to gather basic gateway status information. Learning Objectives
  • 189. 189 ©2020 Check Point Software Technologies Ltd. Understand how to perform periodic administrator tasks as specified in administrator job descriptions. Administrator Task Implementation
  • 190. 190 ©2020 Check Point Software Technologies Ltd. Compliance Software Blade The Compliance Software Blade is used to continuously scan the Security Policy and configuration settings defined within the following: • Check Point Software Blades • Security Gateways • Security Management Server
  • 191. 191 ©2020 Check Point Software Technologies Ltd. Best Practices The Compliance Software Blade compares policy and configuration changes against best practices before any changes are installed.
  • 192. 192 ©2020 Check Point Software Technologies Ltd. Compliance Best Practice Test A best practice test details compliance status and recommends corrective action. There are two types of tests - Global and Object-Based. • Global tests examine configuration settings for the entire organization. • Object-Based tests examine the configuration settings for particular objects, such as gateways and profiles.
  • 193. Alerts & Actions
    When a best practice test detects a degradation of the compliance status, for example after a rule is changed, an alert is displayed with details of the issue and the affected devices.
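    The slides above describe best practice tests (Global and Object-Based), evaluation of changes before they are installed, and alerts when the compliance status degrades. As an added illustration that is not the Compliance Software Blade's own logic or test catalogue, the following Python model runs a constructed set of tests over a constructed lab-style configuration and raises an alert for each test that a proposed change would turn from pass to fail. The configuration fields, the four tests, and the scoring rule (percentage of passing tests) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str   # "Accept" or "Drop"
    track: str    # "Log" or "None"


@dataclass
class Gateway:
    name: str
    blades: Set[str]
    anti_spoofing: bool


@dataclass
class Config:
    rules: List[Rule]
    gateways: List[Gateway]


@dataclass
class BestPracticeTest:
    name: str
    scope: str          # "global": check(config)   "object": check(gateway)
    check: Callable
    remediation: str


# Constructed tests for the example; the real blade ships its own catalogue.
TESTS = [
    BestPracticeTest(
        "Cleanup rule drops and logs unmatched traffic", "global",
        lambda cfg: bool(cfg.rules) and cfg.rules[-1].action == "Drop"
        and cfg.rules[-1].track == "Log",
        "Keep a final Any/Any/Any Drop rule with Track set to Log"),
    BestPracticeTest(
        "No Accept rule permits Any service to Any destination", "global",
        lambda cfg: not any(r.action == "Accept" and r.destination == "Any"
                            and r.service == "Any" for r in cfg.rules),
        "Restrict the destination or service of the rule"),
    BestPracticeTest(
        "Anti-spoofing enabled", "object",
        lambda gw: gw.anti_spoofing,
        "Enable anti-spoofing on every interface of the gateway"),
    BestPracticeTest(
        "IPS blade enabled", "object",
        lambda gw: "ips" in gw.blades,
        "Enable the IPS Software Blade on the gateway"),
]


def run_tests(cfg):
    """Evaluate every test; Object-Based tests run once per gateway.
    Returns (test name, target, passed, remediation) tuples."""
    results = []
    for t in TESTS:
        if t.scope == "global":
            results.append((t.name, "organization", bool(t.check(cfg)), t.remediation))
        else:
            for gw in cfg.gateways:
                results.append((t.name, gw.name, bool(t.check(gw)), t.remediation))
    return results


def score(results):
    """Percentage of passing tests (a constructed scoring rule, not the blade's)."""
    if not results:
        return 100
    return round(100 * sum(1 for r in results if r[2]) / len(results))


def alerts_for_change(installed, proposed):
    """Compare the installed configuration with a proposed one, as a pre-install
    check would, and list every test that passed before but fails afterwards."""
    passed_before = {(n, target) for n, target, ok, _ in run_tests(installed) if ok}
    after = run_tests(proposed)
    degraded = [(n, target, fix) for n, target, ok, fix in after
                if not ok and (n, target) in passed_before]
    return score(run_tests(installed)), score(after), degraded


# Constructed lab-style configuration using the course's object names.
GATEWAYS = [Gateway("A-GW-01", {"fw", "ips"}, True),
            Gateway("A-GW-02", {"fw", "ips"}, True)]
INSTALLED = Config([
    Rule("Mgmt access", "A-GUI", "A-SMS", "https", "Accept", "Log"),
    Rule("Cleanup", "Any", "Any", "Any", "Drop", "Log"),
], GATEWAYS)
# A proposed change: an administrator switches the Cleanup rule's Track to None.
PROPOSED = Config(INSTALLED.rules[:-1] +
                  [Rule("Cleanup", "Any", "Any", "Any", "Drop", "None")], GATEWAYS)

if __name__ == "__main__":
    before, after, degraded = alerts_for_change(INSTALLED, PROPOSED)
    print(f"compliance {before}% -> {after}%")
    for name, target, fix in degraded:
        print(f"ALERT {target}: '{name}' now fails. Action: {fix}")
```

    The point of the model is the ordering: tests run against the proposed policy while the installed one is still in force, so a change that silences logging on the cleanup rule produces an alert with a corrective action before it is ever installed, rather than being discovered in the next audit.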
  • 194. CPView
    Use CPView to quickly view general system information. Basic syntax is:
    cpview [-c <file>] [history {on | off | stat}] [-t]
  • 195. Overview View
    The Overview view is the main view of CPView. It displays a summary of the main performance components in the system, such as memory and network bits per second.
  • 196. SysInfo
    The SysInfo view shows general information about the system such as system uptime, version, and hardware information.
  • 197. Network View
    There are three sub-views which provide additional traffic information broken down by network interface:
    • Interfaces
    • Top-Protocols
    • Top-Connections
  • 198. CPU View
    The CPU view displays an overview of the current status of each CPU. There are two sub-views:
    • Top-Protocols
    • Top-Connections
  • 199. Software-blades View
    The Software-blades view shows statistics related to specific blades, including VPN, IDA (Identity Awareness), DLP, Threat Extraction, and Data Awareness.
  • 200. Advanced View
    The Advanced view provides detailed utilization and counter statistics for advanced diagnosis. The main view displays CPU_Profiler information. Sub-views include:
    • Memory
    • Network
    • SecureXL
    • ClusterXL
    • CoreXL
    • PrioQ
    • Streaming
    • RAD
    • UP
    • HTTP-Parser
  • 201. Review Questions
    1. How are best practice scores determined and displayed?
    2. What key is used to save the current CPView page to a file?
  • 202. Lab 14.1 – Policy Tuning
    [Lab topology diagram: Check Point R80.40 CCSA Lab Topology, identical to the Lab 13.1 topology]
  • 203. Lab 14.1: Policy Tuning
    Performance Objective:
    • Enable the Compliance Software Blade
    Task:
    • Activate the Compliance Software Blade
  • 204. Lab 14.2 – CPView
    [Lab topology diagram: Check Point R80.40 CCSA Lab Topology, identical to the Lab 13.1 topology]
  • 205. Lab 14.2: CPView
    Performance Objectives:
    • Perform periodic tasks as specified in administrator job descriptions
    • Understand how to use CPView to gather basic gateway status information
    Tasks:
    • Review statistics in CPView
    • Change the refresh rate of CPView
    • View historical data
    • Save CPView statistics to a file
  • 206. Lab 14.3 – Backups
    [Lab topology diagram: Check Point R80.40 CCSA Lab Topology, identical to the Lab 13.1 topology]
  • 207. Lab 14.3: Backups
    Performance Objective:
    • Prepare and schedule backups for the gateway.
    Tasks:
    • Schedule a Security Management Server backup to take place every day at midnight
    • Back up the Security Gateway cluster members from SmartConsole
    • Perform a backup via CLI
  • 208. Student Satisfaction Survey
    Thank you for participating in this course! Please take a few minutes to complete the Student Satisfaction Survey. The survey will measure your satisfaction with the training course delivery, the instructor, training materials, and ATC facilities.
    https://www.surveymonkey.com/r/CheckPointATC
  • 209. THANK YOU!