TO REGISTER
Email: mtc_register@mtechpro.com
Tel: (65) 6822 8708
Fax: (65) 6822 8709
CPX-002 Check Point Security Administration NGX II (CCSE NGX)

Duration: 3 days (9:00 am to 5:00 pm)

Course Description
Check Point Security Administration NGX II offers advanced training on VPN-1/FireWall-1, and
delivers in-depth information on VPN and encryption technologies. This course is designed for
Security Administrators and resellers, who require in-depth knowledge of VPN-1/FireWall-1 that
goes beyond basic installation, setup, and methodologies. Designed for more experienced security
professionals, CCSE NGX certification is one of the most highly recognized and respected
vendor-specific security certifications available. CCSE NGX is an advanced Core security certification
built on CCSA NGX, confirming in-depth skills and expertise in managing and supporting Check
Point products. Proficiencies include configuring and managing VPN-1/FireWall-1 as an Internet
security solution and virtual private network (VPN), using encryption technologies to implement
site-to-site and remote access VPNs, and configuring content security by enabling Java blocking
and anti-virus checking.
You will learn:
Use NGX tools to install NGX on Windows Server 2003 and SecurePlatform
Use NGX tools to upgrade to NGX, from VPN-1/FireWall-1 NG or VPN-1 NG with Application Intelligence
Use advanced NGX features to minimize the information-security management burden, when working with objects and rules
Determine whether Database Revision Control or Policy Package Management is the appropriate solution, given a variety of scenarios
Identify the features and limitations of Management High Availability
Use fw monitor to capture and view packets
Use fw ctl pstat to verify the health of the NGX Security Gateway and SmartCenter Server
Review VPN-1 debugging and troubleshooting commands, including cpinfo
Given a variety of Check Point QoS configurations, determine how bandwidth will be allocated
Identify situations where Low Latency Queueing and Differentiated Services are an appropriate part of a QoS solution
Configure NGX to allow VoIP traffic to pass through a corporate Security Gateway
Identify different modes in ClusterXL configuration, and configure ClusterXL VPN
Configure a Policy Server and SecureClient Rule Base
Configure route-based VPN and dynamic VPN routing







Lab Exercises:
Installing VPN-1/FireWall-1
Setting up SecuRemote and SecureClient for remote-access VPNs
Configuring logical servers for load balancing
Using content security to enable Java blocking, URL filtering and anti-virus checking
Configuring two-gateway IKE encryption

Target Audience

Systems administrators, security managers, or network engineers implementing VPN-1/FireWall-1 for VPN deployments.
Individuals seeking the Check Point Security Expert (CCSE) NGX certification.

Course Objectives
Use NGX tools to install NGX on Windows Server 2003 and SecurePlatform
Use NGX tools to upgrade to NGX, from VPN-1/FireWall-1 NG or VPN-1 NG with Application Intelligence
Use advanced NGX features to minimize the information-security management burden, when working with objects and rules
Use the commands fw monitor, fw ctl pstat and cpinfo to debug and troubleshoot NGX issues
Given a variety of Check Point QoS configurations, determine how to allocate bandwidth
Configure NGX to allow VoIP traffic to pass through a corporate Security Gateway
Identify different modes in ClusterXL configuration, and configure ClusterXL VPN
Configure a Policy Server and SecureClient Rule Base, a route-based VPN, and dynamic VPN routing

Course Outline

Chapter 1: Check Point Security Administration NGX II
Course Objectives
Course Layout
Prerequisites
Check Point Certified Security Expert (CCSE)
Recommended Setup for Labs







Chapter 2: Installing VPN-1 NGX and Upgrading
Objectives
Key Terms
Preinstallation Configuration
Distributed Installation
Upgrading To NGX
Upgrade Guidelines
Upgrade Order
Upgrade Export / Import
Upgrading via SmartUpdate
NGX Backward Compatibility
Supported Versions
Licensing NGX
Obtaining Licenses
Deploying Licenses
Upgrading Licenses to NGX
Licensing and Troubleshooting
Viewing Licenses in User Center
Viewing Licenses in SmartView Monitor
Lab 1: NGX Distributed Installation
Lab 2: Installing VPN-1 Pro Gateway on SecurePlatform Pro
Lab 3: Upgrading NG with AI R55 to NGX
SmartCenter Server Pre-Upgrade Overview
Pre-Upgrade Verification-Tool Syntax
SmartCenter Server Upgrade
SmartCenter High Availability Upgrade
SecurePlatform Upgrade
Advanced Upgrade
Upgrading on Windows
Security Gateway Upgrade
Clustered Deployment Upgrade
SmartUpdate Upgrade
SmartUpdate Upgrade
SecurePlatform R54, R55, and Later Upgrade
SecurePlatform NG FP2, FP3, or FP3 Edition 2 Upgrade
Upgrading Gateway on Windows
Lab 4: Upgrading NG with AI Security Gateway via SmartUpdate
Review
Review Questions
Review Answers







Chapter 3: Advanced NGX Management Concepts
Objectives
Key Terms
Advanced Rule Base Functions
Object Cloning
Lab 5: Creating Objects Using Object Cloning
Rule Base Management
Database-Revision Control and Policy Package Management
Database Revision Control
Policy Package Management
Lab 6: Using Database Revision Control
Management High Availability
Primary vs. Secondary
Active vs. Standby
Restrictions
Synchronization
Lab 7: Deploying Management HA
Review
Review Questions
Review Answers

Chapter 4: Administrative Utilities
Objectives
Key Terms
Protocol Analyzers Overview
NGX fw monitor
Lab 8: Capturing Information with fw monitor
NGX Debug Commands
fw ctl pstat
fw ctl debug
Using the fw tab command
Debug Mode with fwd
Debugging cpd Process
OPSEC Related Issues
General cpd Issues
Redirecting Output
The cpinfo File
VPN Debugging Tools
SecureClient Debugging Tools
Debugging Logging
Lab 9: Using fw ctl pstat
Lab 10: Using cpinfo
Review
Review Questions
Review Answers

Chapter 5: Check Point QoS
Objectives
Key Terms
Check Point QoS Overview
Check Point QoS Architecture
Check Point QoS Deployment Considerations
Check Point QoS Policy
Check Point QoS Rule Base
QoS Action Properties
Bandwidth Allocation and Rules
Differentiated Services
DiffServ Markings for IPSec Packets
Interaction Between DiffServ Rules and Other Rules
Low Latency Queuing
Low Latency Classes
Low Latency Class Priorities
When to Use Low Latency Queueing
Advanced Features
Authenticated QoS
Citrix MetaFrame Support
Load Sharing
Monitoring QoS Policy
SmartView Tracker
SmartView Monitor
Eventia Reporter
Optimizing Check Point QoS
Lab 11: Configuring Check Point QoS Policy
Review
Review Questions
Review Answers







Chapter 6: Enabling Voice Over IP Traffic
Objectives
Key Terms
Voice Over IP Basics
Supported Protocols
Configuring NGX for H.323-based VoIP Traffic
Enabling VoIP Traffic in an H.323 Environment
Gatekeeper Object Configuration
Configuring Gatekeeper Routing Mode
Gateway Object Creation (Optional)
Configuring Gateway Routing Mode
Configuring Global Properties
Configuring the Rule Base for H.323 Traffic
Enabling VoIP Traffic in a SIP Environment
Defining the VoIP SIP Domain
Configuring Global Properties
Configuring the Rule Base for SIP Traffic
SIP Services
Lab 12: Configuring Security Policy for VoIP Communications
Review
Review Questions
Review Answers

Chapter 7: ClusterXL
Objectives
Key Terms
High Availability
Load Sharing
State Synchronization
CPHA Commands
cphastart
cphastop
cphaprob
fw hastat
Debugging ClusterXL Issues
ClusterXL Configuration Issues
Lab 13: Deploying New Mode High Availability
Lab 14: Manual Failover (Optional)
Lab 15: Configuring Load Sharing Unicast (Pivot) Mode
Lab 16: Configuring Load Sharing Multicast Mode (Optional)
Review
Review Questions
Review Answers

Chapter 8: Advanced VPN
Objectives
Key Terms
SecureClient
Network Configuration
Licensing
SecureClient Policy
Installing Desktop Policies
Lab 17: Configuring the Policy Server
VPN Routing
VPN Routing with DAIP
Remote-Access Clients and VPN Routing
Security and Connectivity
Remote Client to Remote Client
DAIP Environment
Hub / Satellite Environment
SecuRemote / SecureClient Environment
Lab 18: Configuring VPN Routing
Route-Based VPN
Example
VPN Tunnel Interface
Numbered / Unnumbered VTIs
Configuring VTIs
Directional VPN Rule Match
Dynamic VPN Routing
Configuring Dynamic VPN Routing Using OSPF
Wire Mode in Route-Based VPN
How Wire Mode Works
Wire Mode in Route-Based VPN
Lab 19: Route-Based VPN Using Static Routes
Lab 20: Dynamic VPN Routing Using OSPF
Review
Review Answers