Beruflich Dokumente
Kultur Dokumente
Check Poinf
Version 2
3e
SECURITY
Check Poinf
DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties,
either express or implied by or with respect to anything in this document, and shall
not be liable for any implied warranties of merchantability or fitness for a panicular
purpose or for any indirect special or consequential damages.
COPYRIGHT NOTICE
No pan of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise. without
prior written consent of Check Point Software Technologies Ltd. No patent liability
is assumed with respect to the use of the information contained herein. while every
precaution has been taken in the preparation of this publication, Check Point Soft~
ware Technologies Ltd. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change withou t notice.
Copyright (:I Check Point Software Technologies Ltd. All rights reserved.
TRADEMARKS
0 2003-2012 Check Point Software Technologies Ltd. All rights reserved. Check
Point, AlertAdvisor, Application Intelligence, Check Point 2200, Check Point 4000
Appliances, Check Point 4200, Cheek Point 4600, Check Point 4800, C heck Point
12000 Appliances, Check Point 12200 , Check Point 12400, Check Point 12600,
Check Point 2 1400, Check Point 6100 Security System, Chcck Point Anti-Bot Software Blade, Check Point Application Control Software Blade, Check Point Data
Loss Prevention, Check Point DLP, C heck Point DLP-l, Check Point Endpoint
Security, Check Point Endpoint Security On Demand, the Check Point logo, Check
Point Full Disk Encryption, Check Point GO, Check Point Horizon Manager, Check
Point Identity Awareness, Check Point IPS, Check Point IPSec VPN, Check Point
Media Encryption, Check Point Mobile, Check Point Mobile Access, Check Point
NAC, Check Point Nctwork Voyagcr, Check Point OneCheck, Check Point R75,
Check Point Security Gateway, Check Point Update Service, Check Point WebCheck. ClusterXL, Confidence inde)(ing, ConneetControl, Connectra, Conneetra
Accelerator Card, Cooperative Enforcement, Cooperative Seeurity Alliance, CoreXL, DefcnseNet. DynamiclD, Endpoint Conncct VPN Client, Endpoint Security,
International Headquaners:
Document # :
DOC-Manual-CCSE-R75
Revision :
R75. 2
Content:
Graphics :
Contributors
Contents
. .46
.. . 51
Table or Contents
Appendix A: User Mode Debug . . . ... .. .. ... . .... .. .... ... .. ...... 157
Running User-Mode Debug ... . ....... .. ..... ...... .. ..... ........ . . ..... 158
Appendix B: Chapter Questions and Answers ... . .... .... ... ... 173
Chapter I - Advanced Upgrading . . . . . . . . . . . . . . . .
. . ...... . . . .. .... ... 174
Chapter 2 - Advanced Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . .. 175
Chapter 3 - Clustcring and Acceleration ..... . ... . .... ... .. , .. . . . . ... . . J76
Chapter 4 - Advanced User Management. . . . . . . . . . . . . . . . . . . . .
. ......... \ 77
Chapter 5 Advanced IPsec VPN and Remote Access ..... .... .... .. ..... . . 178
Chapter 6 Auditing and Reporting ....... .... .. . ..... . .. . . . . .. . . . . .. . .... 179
Preface
Introduction
Welcome to the Check Point Certified Security Expert (CCSE) course.
This course is intended to provide you with an understanding of key concepts and
skills necessary to effectively build, modify, deploy and troubleshoot a network
using the Check Point Security Firewall .
The CCSE course provides you with the following key clements:
e Advanced and in-depth explanation of FireWall- l technology
This course provides hands-on training for bui lding and co nfiguring a network
using the Check Point Security Gateway Software Blade using Windows &
SecurePlatfonn. You will configure a Security Gateway in standalo ne and
clustered deployments while imp[ememing certificate-based and re mote access
VPNs using SmartConsole clients. You will also leam how to pcrfonn advanced
troubleshooting tasks on the firewall.
Course Design
This course is designcd for expert users and resellers who need to perfonn
advanced deployment configurations of a Security Gateway.
The following professionals benefit best from this course:
System administrators
e Support analysts
Network engineers
Introduction
System administration
CCSA certification
Networking (TCP!IP)
10
Introduction
We begin our course with a study of firewall processes and procedures for
Security Management Servers and Gateways. We will take a close look at user
and kemel process, stateful inspection, and kernel tables, and note important
troubleshooling guidelines. Take note of issues you have encountered in your
experiences, and how they might have been addressed differently in your
infrastructure.
Review the course topology. Note the location of each server in relation to the
Gateway, and how they are routed. Make sure you understand the purpose fo r
each server, and the credentials used for accessing each scrver and the
applications used.
Finally, read through the chapter objectives. These guide you in understanding
the purpose for the lectures and lab exercises.
Lab Setup
The following is the sctup of your lab:
The city sites arc configured expressly for the purposes of exercises in this
course.
Unless otherwise noted by your inslluctor, the root password to all systems is:
vpn123
Lab Topology
This CCSE course was developed using VMware Workstation and as such all
systems in the lab topology are vinual machines running on a single host
machine.
Your instructor will have information as to the specific settings and configuration
requirements ofcach vinual machine configuration, if you nccd them.
..---.... ...
--_
-.-- -.-------~- ~
'---'='--'- ----------Figure 1 -
The topology changes throughout the course of the labs. The fina l lopology is:
Final Topology
--,
--,---.... .....--....--------_
. .. ...
._-.-.0_....
Figure 2 -
Atlantis_ GUI
GUI_Atlantis
cthO
10.1.1.201124
AT_MGMT_ I
AT_MGMT_ I
,thO
10.1.1.10 1/24
AT_MGMT_ 2
AT_MGMT_2
ethO
10.1.1.102/24
AT_GWY_I
AT_GWY_I
,thO
10.1.1.1 /24
ethl
eth2
172.21.101.1 /8
\92.168.10.1 /24
elhO
eth2
10.1.1.3/24
\72.21 . 101.318
\92.168. 10. 3/24
ADServer
elhO
10.1.1.125/24
UK GWY
elhO
eth l
AT_GWY_2
AT_GWY_2
,thl
ADServer
UK_GUI
UK GWY
Security is a Process
What sets apart expert network administrators is the understanding that nothing
in a network is ever 100% secure. New vulnerabilities in software become
apparent daily, and security products must rush to keep pace with the ever
growing threats to our data. Though product patches, upgrades, and new product
releases provide some level of protection. there is a need to apply strict processes
that recognize this inherent insecurity in products. Regular maintenance cycles
must be implemented. Constant monitoring of evol ving eyber-attacks has
become almost mandatory so that attack signatures arc updated.
In order to be compliant according to the highest IT security standards today, a
company's IT security policies must be transparent. Transparency in information
security and information technology is all about having good processes, knowing
how and why they work, documenting them thoroughly, and reponing on the
result.
The challenges to IT involve security, deployment, management, and fina lly
compl iance. Sccurity is the number one concern, but though security can never
be perfect, risk to your organization is still manageable.
A common way of thinking about security products is that they prevent threats to
resource data. A better way to look at them is as tools to avoid risk. Threats will
always eltist, and more will evolve that were never considered by the code
developers, simply because the potential for threats is enonnous and impossible
to predict. Some amount of risk is acceptable. however, and some amount is not.
depending on the needs of an organization. Avoiding risk is a continuous process,
or to put it another way, security processes define how an organization
minimizes risk.
In the same way banking institutions conduct double audits, and prov ide
monitoring of your ATM card. organizations can implement safeguards on
network traffic by creating strategic policies and automating IT processes. By
automating monitoring, enforcement, and reporting of these policies,
organizations learn employee and partner behavior regarding IT assets and
intellectual property. In learning how the data is used, processes can be fine-tuned
to mitigate risks even further. For eltample. despite malware protections, an
endpoint is found to be infected by a key logger trojan. Unless a process is put in
place that isolates that endpoint from infecting an entire enterprise network.
much of the corporate data is at a high risk of being stolen.
The followin g summarizes some guidelines to incorporating IT sC(;urity best
practices, which directly apply to a typica l task list fo r a network administrator:
1. Perform a risk assessment, Know where your risks lie. Identify areas that
show any potential for problems and assess the likelihood and level of impact
accordingly.
2. Develop and enforce a policy. Use best practices and implement them
heaviest at your most weakest point in your network. Consider the strictest
enforcement at first, then apply eltceptions carefully based on needs
assessments and role specific guidelines in order to minimize impact to
productivity.
3. Address known vulnerabilities. Most common vulnerabilities exist in
operating systems, popular applications. Web browsers, and virtual platfonns.
4. Control and Monitor devices. It is necessary to control what is moved on
and off these devices. Monitor the devices for malicious software and provide
sufficient controls to minimize impact to the corporate network in the event
that safeguards don'c succeed. Also, decide what personnel or processes must
be involved for the control to be implemented successfully.
5. Conduct audits. Periodic audits provide usefu l insight into the effectiveness
of the policies and enforcement measures. Adjustments to the policies are
made more effective by this insight, and should be part of the necessary
maintenance process.
Deployment Scenario
For this course, assume you are a network administrator for a company called,
Atlantis Corp. which provides out-sourccd customer contact management
solutions for a wide range of call center services. The company employs about
2,000 employees worldwide, maintaining key departmcnts in finance, human
resources, MIS, products, sales and corporate development.
All of the major dcpartments are located at headquarters, and somc sales staff,
technical support, MIS and data center personnel are located at the branch offices
in the UK. A corporate firewall is already implemented. You have a dedicated
server installed for the management, and SmartConsole clients running on a
separate endpoint.
In addition, you have remote users employed by Atlantis Corp., i.e., sales staff
and technical services personnel that need to connect via VPN to headquarters:
,-.,..,
,.
~.
"--
10
CHAPTER 1
Advanced Upgrading
Advanced Upgrading
Upgrades are used to save Cheek Point product configurations, Security Policies,
and objects, so that Security Administrators do not need to re create Gateway and
Security Management Server configurations.
Chapter Objectives:
12
Upgrade_export I Export
Each of these methods backs up certain parameters and has relative advantages
and disadvantages (i.e., file size, speed, and portability).
anapshot_
13
Advanced Upgrading
When the Snapshot command is run, the system displays a serics o f options, as
shown below:
Figure 1 - Snapshot
Initiating Snapshot without any flags will put the file in the default location :
.
- --"---'- -.. - _-_._-"-.-._-_ - .--.-
~--
~~~.~
.,-- ....., ~::'!,".--.."-------------------------------------~
.
..-.--.-.
--
-r-
...
Figure 2 - Snapshot
15
Advanced Upgrading
Figure 3 - Restore
/var/CPbackup /backups
On the UTM I and Power I appliances, the default location for storing
backups is:
It is possible to backup from the WebUI interface. This is typically the method
used on UTM-l and Power-I Appliances. However, restore is not possible via thc
WebUI in these instances.
Upgrade Tools
The upgrade tools backs up all Cheek Point configurations, independent of
hardware, operating system and Check Point version. Usc this utility to backup
Check Point configuration settings on the management station. The migrate
utility is intended for upgrades or migration of database information to new
systems with hardware changes, and will not work when downgrading to an
earlier Check Point version. The fil e size is smaller and depends on the size of
your policy. Assuming the CPU on the machine is not over-loaded, it can be
initiated on a live system without interrupting services.
Run the migrate utility on SecurePlatfonn and Unux machines via the expert
command line only, and via the command prompt in Windows.
The upgrade tools can be found in the following R75direetory:
$FWDIR/bin/upgrade_ tools.
The upgrade tools can also be downloaded from the Check Point Support site:
http://supportcenter.checkpoint.com
17
Advanced Upgrading
...
'.
Windows
Windows
SecurePlatform
SecurePlatfonn
copy /etc/syseonfig/
netowrk.C <location>
~,--..",
-.~-
.~
Test your backups with either the backup, upgrade_export, or migrate export
files.
18
Performing Upgrades
Before upgrading a gateway or Security Managemenr server (SMS) to R75, you
need to have a valid suppon contract that includes the software upgrade and
major releases registered to your Check Point User Center account. The contract
file is stored on Set:urity Management server and downloaded to security
gateways during the upgrade process.
Always upgrade your SMS before upgrading any gateways. As you proceed
through the upgrade process, note that the process verifies a contract file is
already present on the server. If not, you have the option of either downloading a
file from the User Center, or importing a local contract file. You can e lect to
continue without contract infonnation at a later date, but note that your licensing
agreement with Check Point will remain in violation until you obtain the contract
file.
For addilional infonnation, refer to the R75 Installation and Upgrade Guide.
The target computer must have the same set of products (or more) than the set
of products installed on the source computer.
The SMS version on the new computer must be the same or greater than the
version installed on the original.
,n
Workflow
Typically, the procedure is as follows:
Expon the archive backup file to the new machine using SCP or some secure
method of transfer.
Workflow
R7~
T,."i"i"., Matuml
21
Advanced Upgnllding
Zero Downtime
Zero Downtime
This method asswnes there is no network downtime pennitted, and all cluster
members apan from one are upgraded first. To do this, you must enable broadcast
mode on all the cluster members before beginning in order to avoid switching
problems around the cluster. The command cphaconf set _ ccp
broadcast must be applied to all the members. This action survives reboot
and must be set back to multicast mode manually after aUthe members have been
upgraded.
Ensure upgraded licenses arc assigned to each cluster member using
SmanUpdate. The upgrades on each member can be accomplished either in-place
or by using SmanUpdate.
Do not change the cluster mode on any of the cluster members prior to
completing the upgrade. For example, if you arc running Load Sharing on the
corporate cluster, do not change it to High Availability (HA) mode. Changes to
the cluster mode should be appl ied after the upgrade.
Push policy to the standby members after the secondary members have been
upgraded. When you've done this. the primary member pol icy installation will
fail. Run the cphaprob stat command to verifY the Ready status on the
upgraded members, and a down status on the primary. Run cphastop on the
primary member, and proceed with the final upgrade on this member. Traffic will
be routed to the other members as you perfonn this upgrade.
22
You must rcmember to run cphaconf set ccp mul ticast (assuming
you don 't want to continue running in broadcast mode) and cphastart on all the
clustcr members aftcr the primary has been upgraded.
fw ctl conn
If your cluster has two members, you can treat the upgrade similarly to
perfonning a Zero Downtime procedure, but before running cphastop on the final
member, you must run the command fw fcu </P address o/the nOli-upgraded
member on the synch network> on the upgraded mcmber, then continue with thc
proccss.
Ifpcrfonning FeU on a clustcr with three or more mcmbers, you can either
upgrade two members first using the Zero Downtime procedure, or upgrade only
one member using the Zero Downtime procedure. In either cnse, you must run
the command fw feu </P address o/the synch network> on the upgraded
members bcfore continuing. For more than Ihree cluster members, you can divide
the upgrade equally to ensure Ihe remaining members can handle the traffi c load
during the upgrade proccss.
The cphaprob feustat provides statislieal information regarding the
upgrade process. You can run this command on any of the upgraded members.
23
Advanc.cl Upgrading
Review Questions
1. How long can it take to pcrfonn a snapshot?
Advanced Firewall
25
Advanced Firewall
Chapter Objectives:
26
GUI Clients
SmanConsole applications, such as SmartView Tracker, SmartEvent,
SmartReponer and SmanDashboard are ell:ecutable files available for Windows
operating systems and most versions of Solaris. These GUJ applications offer the
administrator the ability to configure, manage and monitor security solutions,
perform maintenance tasks. generate reports and enforce corporate policy in realtime.
Check Point periodically releases new ell:ecutables that include updates for these
applications, also known as "GUI HFAs". These, however, are not re lated or
aligned with Security Gateway HFAs and are considered a separate, unrelated
release track.
Management
The management component is responsible for all management operations in the
system. It contains several different components, such as the management,
reporting suite, log server, etc. All ofthc functionality of the management server
is implemented in User-Mode processes, where each process is responsible for
several operations. The most significant processes are:
FWM
FWD
CPD
fWSSD
CPWD (Check Point WatchDog)
27
Advanced Firewall
Security Gateway
The Security Gateway, usually referred to simply as the "Firewall," is the
component in the system responsible for security enforcement,
encryption/decryption, authentication and accounting.
The fun ctionality of the security gateway is implemented both in User Mode and
in the Kernel. As the security gateway is first and foremos t a network device
running an OS, it is inherently vulnerable to various network layer attacks. To
mitigate this risk and others, some of the firewall functionality is implemented in
the OS kernel. This allows the traffic to be inspected before even getting to the
OS IP stack.
Security Gateway
Figure 4 -
28
... ...-
as Kernel
Security Gateway
Security Gateway
_-
.... ...
Figure 5 - Processes
The Firewall- I kernel is responsible for the majority oflhe security gateway's
operations, such as security enforcement, encryption/decryption NAT. etc. In
order to detect which part of the kernel might be responsible for a specific issue,
sian by considering the inner structure of the FW kernel and it's interaction with
the OS kernel, the hardware, and other kernel components, such as acceleration.
The Kernel mode resides in the lowest possible location. Every packet that goes
through the FW is inspected. Whereas in the Network layers, you would not sec
all those packets.
29
Advanced FirrNall
The User Mode is actually not mandatory, but it allows the FW to function more
efficiently in the application layer. The FW employs scrvices that the OS
provides and allows easier inspection of files on open connections .
It is possible and, in some cases, required for user and kernel processes to
communicate. To allow Ihis, there are two mechanisms: IOctl (Input/Output
Controls) and traps. When a kernel process wishes to signal to a user mode
process it sets a "trap", i.e., changes a value in a registry key. The user mode
process monitoring that flag "stumbles" on the trap and performs the requested
operation. When a user mode entity needs to write information to a kernel
process, it uses 10cti, which is an infrastructure allowing the entity to call a
function in the kernel and supply the required parameters.
FWM
FWM is available on any management product, including Multi-Domain Security
Management, and on products Ihal require direct GUI access, such as
SmartEvent:
aUIClient communication - This is communication between the Management
Server and the GUJclient.
DB manipulation - This includes all actions that arc pcrfonned on the MGMT,
such as object crcalion, rules, and users.
Policy compilation - FWM handlcs the policy compilation that is later
applied to network tramc during the inspection process.
Management HA sync - The sync management is handled in Management
High Avai lability as well as UTM-I hybrid deployments.
30
Security Gateway
FWD
FWD allows other processes incl uding the kernel to forward logs to external log
servers as well as the Management Server. It is related to policy installation and
also used to communicate with the kernel using command line tools such as the
fW commands; for example, when sening kernel variables or using kernel control
commands
FWSSD
FWSSD is a child process of FWD responsible for maintaining the Security
Servers. Each Security Server will be invoked according to activated features,
such as DLP, and corresponding rules with URI resource, SMTP resource, and
authentication. The processes that actually run as the security servers are
"in.xxxx".
Security Gateway
Figure 6 -
R 75 Training Manllal
....
_...
Firewall Kemel
31
Advanced Firewall
Each part of the kernel acts independent and docs not assume that a packet was
inspected or processed by the other. So, some functionality is implemented both
on the inbound and on the outbound. Some key points include:
Each direction has its own ordered chain of modules (packet processing
handlers).
The inspection process does expect that a packet in the outbound that hasn't
visited the inbound first originated from the gateway itself. It is also assumed that
a packet not originating from the gateway was inbound.
Figure 7 -
Inbound Chain
In this figure, we sec the inbound chain, though this is just one example and in
different configurations some chain modules will not appear and others might be
added.
Between different releases, we sometimes add or completely remo ve chain
modules, depending on the version specific design decisions.
32
Security Gateway
FlgtJre 8 -
Outbound Chain
Shown in this figure. the outbound chain shows roughly the same chain modules
as seen on the inbound. The most significant difference is that in the inbound, the
vpn decrypt and vpn decrypt verify chain modules are seen. This makes sense
because you would expect a packet to be decrypted on the inbound. In addition,
the outbound chain also has the vpn encrypt chain module in case the packet
needs to be encrypted on the outbound.
33
Advanced Flntwall
Columns in a Chain
Consider the following chain example:
ModulI' l oorion in th e Ch~1n
] -All Padeu
fff - All Packets lidenlk .,1 to 3)
The location of the module in the chain is a relative, serial number to the location
of this chain module for this panicular gateway configuration. For example, as in
the above the "fw VM outbound" is the 6th chain module. It might be in a
different location in other gateway scenarios.
The chain position is an absolute number that never changes.
In the VPN chapter. we wi ll learn that in wire mode wc do not want the fi rewall
to enforce stateful features on a packet. To address conccrns such as this, in the
firewall kernel each kernel chain is associated with a key. This key spccifies the
type of traffic appl icable to this chain module. For wi re-mode configuration ,
chain modules marked with "\" will not apply and for statcful mode, the chain
modules marked with "2" will not apply. Chain modules marked with "fR"... " ( IP
options miplrcstore) and "3" will apply to all traffic.
Security Gateway
To try this on a firewall in your lab, run the following command:
fw ctl chain
Stateful Inspection
Statefullnspection was invented by Check Point, providing accurate and highly
efficient traffic inspection. It implements all necessary firewa ll capabilities
between the Data and Network layers (layers 2 and 3), but is capable of
processing data from layers 4-7 for improved security.
Application
Preseotallon
Application
Presentalloo
5ession
PresentatJon
Transport
Sessioo
Networlc
Transport
Transport
I NS P E
N GIN E
PROS
Good 5erurity
FueAppIIca1ioo-layer
High p-.n:.nce
ExtEnsibility
Transparency
Figure 10 - Statelul lnspection
The inspection engine examines every packet as they are intercepted at the
Network layer. The connection state and context infonnalion arc stored and
updated dynamically in the kernel tables.
35
Advanced Firewall
To review the process flow of the inspectio n engine, review the flow c hart below:
---
Inspection
Module
4. Packets that pass inspection are moved through the TCPIIP stack to their des-
tination.
5. For packets that do not pass inspection and are rejected by the rule definition,
6. The packets that do not pass inspection and do not apply to any of the rules,
are dropped without sending a negative acknowledgement.
36
Kernel Tabte.
Kernel Tables
There are dozens of Kernel tables, eaeh storing information relevant to a specific
firewall function. Using the information saved in the Kernel tables, very
elaborate and precise protections can be implemented. To view all the existing
Kernel tables, type the command fw tab -t at the command prompt. To
view only the table names and get a perspectivc on the number of Kemel tables
available, on SmartPlatform, usc the following command:
fw tab -t
grep -ve
~ ____ H
more
-i #eore number
Most of the traffic relatcd information is saved in the Kernel tables. (There are is
also information stored in htabs, ghtabs, arrays, kbufs , and other
devices.) Tables, however, may be created, delcted, modified and read. In
particular, consider the Connections table.
The connections table is essentially an approved-connections list. The firewall, as
a network security device, inspects every packet coming in and out of each
interface. After the first packet is matched against the rule base, we need to
assume that the returning packet might not be accepted in the rule base.
Let's discuss this scenario. Say that we allow 10.10.10.10 to browse to
10.10.10.20 via HTTP in the rule base and drop everything else. The syn packet
will match the rule base and pass, but as the Syn-Ack packet comes back with the
reversed tuple (source IP 10.10.10.20, Destination lP 10. 10. 10.10) and source
port 80 with a "random" destination pon.
To mitigate this, for every recorded connection, a matching, reversed - tuple entry
is also added to the list of approved connections. Some scenarios such as NAT,
data connections and elaborate protocols, such as Vo[P, introduce more
complexity to the logic behind maintaining the connections table.
37
Connections Table
To understand more about how the connections table works, let's consider its
important features:
Enhanced perfonnance
As we saw in the INSPECT module flowchart, the action of matching
a packet against the rule base may be very costly (especially if there is
a very large rule base w ith dynamic objects and logical servers that
need to be resolved). By maintaining the li st of approved connections
in the connections table, not every packet is matched against the rule
base, thus saving valuable time and computing power.
Allow server replies
We noted earlier that sometimes Server to Client packets might not
match the rulebase. In these cases, they would be handled by the
connections table.
Stateful Features
Streaming based applications (Web security, etc.)
Sequence verification and translation
Hide NAT (when the Server to Client packets returning to the
firewall might not match the rulebase, need to add explicit
entries to the connections table).
Logging, accounting, monitoring, etc .
.. Client and server identification
Data connections
38
KemtITabl
'
,~_.
__
~,
__ . _ _ _
<0 , 212.150.141.5. 23, 192.168." .1 5. 30235, 6" <0, 192.168.4.15, 30235, 212.150. 14 1.5. 23. 6>
Allow ou tbound packets from the server 10 the client.
-~.
&
-_.
, . -
- - -
<1, 212.150. 141 .5. 23, 192.168.4.15. 30235, 6> <0. 192.168.4 .15, 30235. 212. 150.141 .5. 23. 6 >
Figure 12 -
Connections
Table
Thc symbolic link format provides the "6-tuplc" of the connection we want to
pass, and the arrow is a pointer to the tuple of the real entry in the connection
table. The first 6 attributes in every entry in thc connections table state the
connection 's " 6 tuplc". The 6-tuple is a unique identification of the connection
within the system. The direction can be either "0 " for Inbound or " I" for
Outbound.
In the above slide, we see a simple connection representation in the connections
table. The first entry is the "Real Entry", this entry holds all of the rele vant
information for that traffic, such as state, sequencc numbers, matching rule and
so on. The entry allows the Client to Server (C2S) packet to enter the firewall on
the inbound, The second entry is a symbolic link, allowing for the same packets
(C2S) to enter the firewall on the outbound. The third entry is another symbolic
link, allowing for the Server to Client (S2C) traffic to enter the firewall on the
inbound. The last entry is also a symbolic link, allowing for the S2C packet to
enter the firewall on the outbound.
39
Advanced Firewall
Policy Installation
Figure 13 -
40
Packellnspection
----
1. The packet arrives at the Security Gateway, intercepted by the NIC on the
inbound.
2. The firewall kernel inbound chain begins inspecting the packet.
3. Once the packet is matched against the rule base, a log is generated and sent
from the kernel to the user-mode process, FWD, located in the Security
Gateway.
<t. The FWD process on the Security Gateway, sends the log to FWD on the
Management Server, where it is forwarded to FWM via CPO.
Figure 14 -
-. _...
Policy Installation
41
Advanced Firewall
1. The policy is defined in the SmartDashboard QUI, Le., in the Fi ...ewall tab.
2. When the policy is saved, a new file is created called $FWDIR/ eonf/
.... w.
All the'" W files are stored in the rulebases _ 5 _ 0 fwa location.
0
3. fwm _ gen compiles the $PWDIRI eonf /'" W into a machine language
creating a new fil e called $P'WDIR/ eonf/'" pf.
0
The $FWDIR/eonf / '" opf is actually the input from the $FWDIR/
eonf/ .... Wand the $FWDIR/eonf/objeets . C file.
The $PWDIR/eonf/'" W file is actually the exact same infonnation
defined in the aUI, just in a text fonnat instead ofa graphic one.
0
42
Policy Installation
Figure 15 -
--~
43
Advanced FIl'flwaU
Figure 16 -
44
-_.-
3. CPO invokes the Check Point Policy Transfer Agent (CPTA) command which
" _.... . ,
45
Advanced FIJlIwall
NAT
Network Address Translation (NAT) and Network Address Port Tr anslation
(NAPT) arc the two primary technologies traditionally used as methods to:
Features
Rule Priorities
When NAT is defined on a network object, NAT rules are automatically added to
the NAT Rule Base. Those are called Automatic NAT rules. NAT is translated
during policy installation to tables and performed on the first packet of the
connection. The NAT rule base is very efficient and can match two NAT rules on
samc connection; this is called bi-directional NAT and only applies for
Automatic rules.
NAT
outbound interface.
to-M'
ConnKtICn T~
10.0.0.1
3105
180.14.16.1
80
194.32. 1.254
10023
180. 14 .16.1
80
180.14.16.1
80
0023
180.14.16.1
80
10.0.0.1
105
0
I
twx_aloc
Next Port Entry
Hide NAT
During the NAT rule base traversal, both NAT source and destination arc
decided. However, they arc actually performed at the appropriate locations:
D 7~
47
Advanced Firewall
Security Servers
Another important feature ofFirewall.J, Security Servers are a necessary and
crucial clement to firewall functionality. Some Firewall! features require a
higher layer protocol enforcement such as the application layer. In addition,
authentication schemes such as User, Client and Session authentication requires
that the firewall maintain the connection during the user session, so that
processes must be maintained and monilOred. To accomplish this, the firewall
acts as a proxy, and the user mode processes are employed to manage this
activity.
48
NAT
Point\SmartConsole\R75\Program.
49
Advanced Firewall
Common Commands
Note the following commonly used commands in troubleshooting gateways:
cpstart This command is used 10 start all Check Point processes and
applications nmning on a machine.
cpstop - This command is used to tenninatc all Check Point processes and
applications. running on a machinc.
Cpstop and cps tart are actually calling fwstop and fwst a rt scripts
for all Check Point product, including the firewall stop/start scripts located in
$PWDIR/ bin. These are scripts that actually run when you perform cps top,
cpstart and cprestart with different flags. Cpresta rt is an
"internal" command used for DAIP (Dynamically Assigned IP devices) such as
Edge devices. Not all CP processes are actually brought down when you use
c prestart, so always use cps top and c psta rt, and nOI cpres t a rt.
50
FWMonitor
FW Monitor
As an aid to understanding the Firewall " undcr-thehood" and developing good
debugging skills, the Cheek Point tool, FW Monitor is key and essentia l in packet
capture and firewall traffic analysis.
Traffic Flow
.-
~-. ':"
,-
Internet
Figure 18 -
VPN-l
Web
Firewall
Server
FW Monitor
51
Advln ~d
Firewall
Packet Flow
Operatfnc
system
Kemel
Figure 19 -
52
FW Monitor
The fw monitor output uses specific expressions to explain the locatio n of the
packet as it moves through the firewall. There are four inspection points as a
packct passes through the kernel (or vinual machine):
i -Befo re the vinual machine, in the inbound direction
(PRE INBOUND)
1 - Aftcr the vin ual machine, in the inbound direction
(POST. INBOUND)
0-
fw monitor
In a busy system, running fw monitor without any filtcrs can create a great detail
of output, and makes the analysis difficult. Filter expressions are available used
to specify packets to be captured and limit the amount of output. The general
syntax is:
fw monitor -e
R75
Trainin~
Manllal
~accept
<express!on>;n
53
Advanced Firewall
Review Questions
1. The core process CPO provides what main functions?
2. The firewall's kernel consists of two completely separate logical parts representing the process of a packet coming into and out from the firewall, these
are referred to as .. .
3. If a heavily loaded machine makes using the FW Tab command d ifficult, what
is the alternative?
4. What table stores information about pon allocations for hide translation connections?
54
CHAPTER 3
Clustering and
Acceleration
Objectives
Build, test and troubleshoot a ClusterXL Load Sharing deployment on an
enterprise network.
Build, test and troubleshoot a ClustcrXL High Availability deployment on an
enterprise network.
57
Clustering Terms
Check Point uses the following tenns when discussing clustering:
Active Up -When the High Availability machine that was Ac tive and
suffered a failure becomes available again, il returns 10 the cluster, nOI as the
Active machine but as one of lhe standby machines in the cluster.
C ritical Device - A device that the Administrator has defined to be critical
to thc operation of the cluster member. A critical device is a lso known as a
Problem Notification (pnote). Critical devices are constantly m o nitored. If a
critical device stops functioning, this is defined as a failure . A device can be
hardware or a process. The fwd and cpbad processes, as well as the
Security Policy itself are predefined by default as critical devices. The
Administrator can add to the list of critical devices using the cpbaprob
command.
a fai lure by having another machine in the cluster take over the connection,
without any loss of connectivity. As opposed to Load Sharing, in this case,
only the Active machine filters packets. One of the machines in the cluster is
configured as the Active machine. Ira failure occurs on the Active machine,
one of the other machines in the cluster assumes its responsibilities
ClusterXL
As a network and security professional, you are often required to cons ider the
needs of an organization and weigh them against available resources, to provide
the most cost effcctive solution . Often this requires addressing risk management
without significantly increasing cost. A direct result from risk assessments is
often the concern for hardware backups and resource utilization due to increasing
network tmffic. To address this, we will look at the clustering and acceleratio n
solutions provided by C heek Point, how they should be implementcd into the
working network, and how to troubleshoot issues whencver they occur.
Ensuring that Security Gateways and VPN connections arc kept alive in a
corpomle network is critical to maintain "business as usual". The failure of a
Security Gateway or VPN connection can result in the loss of active connections
and access to critical data. As a network security expcn, it is your job to maintain
the dependability of these business-critieal deviccs.
ClustcrXL supplies an infrastruc ture that ensures that no data is lost in case of a
system failure. Essentially. a cluster is a group of identical security gateways
connected in such a way that if one fails, another immediately takes its place.
Check Point ClustcrXL provides both Load Sharing as well as High Availability
solutions.
High Availability ensures gateway and VPN redundancy for transparent
failover betwecn machines.
Load Sharing provides reliability and enhances perfonnancc because a ll
cluster members are active.
ClusterXL must be installed in a distributed configuration in which the Security
Management server and the cluster members arc on different machines.
ClusterXL is part of the standard Security Gateway installation.
Both the plug-and.play and the evaluation licenses include the option to work
with up to three ClusterXL Load Sharing clusters managed by the same Security
Management server.
ClusterXL supponed platforms are listed in the platform support matrix, which is
available online at:
http://support.checkpoint.com
ClusterXL uses unique physicallP and MAC addresses for the cluster members
and vinual lP addresses to represent the cluster itself. VirtuallP addresses do not
belong to an actual machine interface.
.. ....._,
59
When using ClusterXL, ensure that you synchronize the c locks of all of the
cluster members. You can synchronize the clocks manually or using NTP.
Features such as VPN function properly only once the clocks of all of the cluster
members arc synchronized.
Cluster Synchronization
In order to make sure each gateway cluster member is aware of the connections
going through the other members, a mechanism called State Synchronization
exists which allows status information about connections on the Security
Gateways to be shared between the members.
State Synchronization enables all machines in the cluster to be aware of the
connections passing through each of the other machines. It ensures that if there is
a failure in a cluster member, connections that were handled by the failed
machine will be maintained by the other machines.
Every IP based service, including TCP and UDP, recognized by the Security
Gateway is synchronized.
State Synchronization is used both by ClusterXL and by third-party OPSECcertified clustering products.
State Synchronization works in two modes:
Full synchronization is used for initial transfers of state information, for many
thousands of connections. If a cluster member is bro ught up after failing down, it
will perform full sync. Once all members are synchronized, only updates are
transferred via delta sync. Delta sync is much quicker than full sync.
Synchronized.Cluster Restrictions
The following restrictions apply to synchronizing cluster members:
Only cluster members running on the same platfonn can be synchronized. For
example, it is nOI possible to synchronize a Windows 2000 cluster member
with a Solaris 8 cluster member.
The cluster members must be of the same software version. For example, it is
not possible to synchronize an NG FP3 cluster member with an NOX R65
cluster member.
,,-~
or
, __,_._
'~ _.
__ . _ I
61
For all TCP services whose protocol type is HTTPorNone, you can configure
the Security Gateway to delay a connection so that it will only be synchronized if
it still exists after the connection is initiated for x seconds. This capability is only
avai lable if a SccureXL-enabled devices is installed on the gateway to which the
packet passes. (SccureXL will be covered later in this chapter.)
Unieas!
Machines in a C lusterXL Load Sharing configuration must be synchronized.
Machines in a ClusterXL High Availability configuration do not have to be
synchronized. though if they arc nOI, connections will be lost upon failover.
63
After the Pivot firs t receives the packet from the router or switch, the Pivot's
Load Sharing decision function decides which cluster member should handle the
packet. This decision function is made in a similar fashion to the regular
multicast Load Sharing decision. The Pivot may also decide to handle the packet
itself. In such a case, Pivot Load Sharing will hand the packet to the Pivot's
Firewall component for processing.
Because the Pivot is busy distributing traffic, the Pivot panicipates to a lesser
ell-lent in the actual load sharing function. The other cluster members lake on
more traffic load. Since the Check Point Pivot Mode feature is based on unicast
addresses only, it can work: with all routers and Layer 3 switches.
o~ l l~~
..
.
/" ll"M'"
___________
Router
OeibMtion
64
Sticky Connections
A connection is sticky when all of its packets arc handled, in either direction. by a
single cluster member. This is the case in High Availability mode, where all
connections are routed through the same cluster member.
In Load Sharing mode, there are cases where it is necessary to ensure that a
connection that starts on a specific cluster member will continue to be processed
by the same cluster member in both directions. To that end, cenain connections
can be made sticky by enabling the Sticky Decision Function.
65
66
67
68
Management HA
Management HA
The Security Management server consists of sevcral databases with information
on different aspects of the system, such as objects, users and policy information.
This data changes each time the system administrator makes modifications to the
system. It is important to maintain a backup for this data, so that crucial
information is not pcrmanently lost in the event of Security Managcment Server
failure.
Moreover, if the Security Management server fails or is down for administrative
purposes, a backup server needs to be in place in order to take over its activities.
In the absence of the Security Management Server, essential operations
performed by the gateways, such as the fetching of the Security Policy and the
retrieval of the CRL. cannot take place.
In Management HA, the Active Security Management servcr (Active SM5)
always has one or more backup Standby Security Management servers (Standby
SMS) which are ready to take over from the Active SMS. These 5MS must all be
of the same Operating System and version. The existence of the Standby SMS
allows for crucial backups to be in place:
In a Management HA deployment, the first installcd SMS is specified as the
Primary Security Management server. This is a regular SMS used by the system
administrator to manage the Security Policy. When any subsequent SMS is
installed, these must be specified as Secondary SMS. Once the Secondary SMS
has been installed and manually synchronized. the distinctions between Primary
versus Secondary is no longer significant since either SMS an function as the
Active SMS.
69
Certificate information such as Certificate Authority data and the CRL which
is available to be fetched by the Check Point Security Gateways
The latest installed Security Policy. The installed Security Policy is the
appl ied Security Policy. The Security Gateways must be able to fetch the
latest Security Policy from either the Active or thc Standby SMS.
Synchronization Modes
There are two ways to perform synchronization:
Security Policy
70
Management HA
Synchronization Status
The synchronization starus indicates the status of the peer SMSs in re lation to
that of the selected 5MS. This slarus can be viewed in the Management High
Availability Servers window or in SmartView Monitor, depending on whether
you are connected to the Active or Standby SMS.
Lagging - the peer SMS has not been synchronized since the Active SMS
had changes applied to it.
Advanced -
Collision - the Active SMS and its peer have different installed policies and
databases. The administrator must perfonn manual synchronization and
decide which of the SMSs to overwrite. For e)l;ample, when SMS A fails
before a synchronization takes place, the changes made (to databases or to the
Security Policy) cannot be synchronized with SMS B. When SMS B takes
over from SMS A, the system administrator may decide to modify the
Security Policy.
71
Packet Acceleration
Packets attempting to establish a ncw TCP conncction, or a comparable UDP
conncction table entry in the firewall, are handled in the "slowpath". Once the
first packet is seen by the firewall and suitable conncctions/flows infonnation is
off-loaded to an appliance OS, for example, further packets are handled at the
OS's intcrrupt-Ievel codc.
The round-trip processing-interrupt drivcr to application and back to drivcr-Icvel
code, is vcry lime consuming and, compared to the minimal processing necessary
for later packets that can be done entirely at the driver Icvel. Those later packets,
determincd to be pan of an cxisting, already validated flow, are forwarded
directly from the driver level without the addcd overhead of firewal l application
involvement.
SccurcXL improved non-encrypted fi rewall traffic throughput, and encryptcd
VPN traffic throughput, by nearly an order-of-magnitude particularly for small
packets flowing in long duration conncctions.
Packct acceleration is also rcferred to as throughput acceleration as it matches
on the familiar 5-tuple of sourcc addrcss, destination address, source pon,
destination pon, and protocol. However, only packets during the specific TePI
UDP connection can be accelerated.
72
-=
.,A'
--
~~
~,
"
.""...........
' m~
-.,
rE:
To examine how pons are used in establishing TCP connections, consider the
following scenario:
73
In all cases between a Web Client and a Web Server, TCP connection
establishment is initiated by the Web Client, which then sends an HITP request.
The Web server responds by sending the HTTP component
HTTP Request (- - Each of the packets from the Web elient that requests an
HTTP component from the Web Server has the same source address,
destination address, destination port (80), and protocol (HTTP). Only the
source port, assigned by the Web clicnt's operation system, one per
connection, differs in order to creatc unique socket addresses at the Client for
each HITP request/component (via separate I CP connections for each
component).
HTIP Component -) - Going the othcr direction, each ofthc packets from
the Web server that build the Web page components on the Web elien! has the
same source addrcss, destination address, source pan (80), and protocol
(HITP). Only the destination pon differs (it's been assigned by the client
operating system to that connection).
74
HTTP 1.1
HTTPversion 1.0 operates as described above, and SecureXL increases the
connection establishment rate of the firewall fo r tracking these connections. This
is because HTTP 1.0 creales a separale connection for each HTTP component.
The newer HTTP version 1. 1 improves the protocol's pcrfonnance by pennitting
not only parallel, but also persistent and pipclined server connections. The server
may keep the connection alive after sending the end ofa component, which
avoids the need to create a new connection to send the next componenl. HTTP
1.1 is supported by most Web servers and the current generation of browsers
as well.
High connection-rale network environments involve primarily HTTPtraffic.
While HITP 1. 1 is significantly less connection-intensive, HTTP likel y remains
the protocol that generales most of the new connection requests in enterprise and
Internet traffic . At the same time, while overall traffic levels continue to g row,
connection rates grow less quickly as network environments usc primarily
HITP 1. 1.
SecureXL conncction templates create the opponunity 10 generate extremely
impressive conncction rate pcrfonnance. Given the benefit of connection
templates in heavy HITP environments, the significant perfonnance increase
can, in facl, be renected in real-world traffic environments, particularly Web
server fanns and in enterprises where there is a great deal o f Web traffic 10 a
small, concentrated sct of servers.
75
Other layer protocols such as UDP create many short lived connect ions in an
HTTPpagetransfer,orextendedstreaming infonnation can all be accelerated on
a session basis and can greatly reduce resource overhead on a busy firewall. FTP
and many types of VOIP have handlers which preclude acceleration.
Multicast packets
76
Packet Flow
The figure shows the decision logic for packets flowing thro ugh an SecureXL
accelerated IP Security Appliances.
---
-_--. _- - -_
.....
~-
c - ___ ..
_., I .
.......
_
A new packet arrives at the inbound imerfacc. The packet is checked against
IPSO's connection table, which mirrors the Security Gateway 's connection table.
If there is a 5-tuple match (src, dst, sport, dpon, proto), then the new packet is
pan of an existing flow and is forwarded to the outbound interface for handling
(forward, drop, or reject). This path involves the least amount of forwa rding
overhead and accelerates throughput for packets that are part of an existing flow.
Jf the new packet docs not match an entry in IPSO's connection table, then the
new packct represents a new flow and requires a ncw connection table entry.
However, if the packet matches an existing connection template, thcn the new
connect ion table entry can be created; (based on infonnation in the connectiontemplate table entry) without a round trip to the Firewall appl ication. The packct
is then forwarded to the outbound interface for handling. This path reduces the
over-head involved in creating a new connection table emry and aceelemtes
connection rate for new connect ions that match existing connection templates.
77
If the new packet does not match an existing connection template, t hen a round
trip to the Firewall applicalion is required to apply the Security Policy (rules).
This path involves the greatest overhead.
SecureXL API
The Firewall application communicates with IPSO software through the
SccureXL API. The API suppons the exchange ofinfonnation between the
Firewall and IPSO relating to packets and packet streams, enabling IPSO to take
over validation of subsequent traffic only initially validated by the Firewall
application itself. The type of information exchanged via the API includes
initialization, configuration, flow, security association and connection handling,
and statistics. The figure illustrates the relationship between the Firewall
application software and IPSO operating system software running on Intel x86
hardware and the network processor hardware.
Connections
Templates
IPSO
Connections
Flows
Figure 2 -
SecureXL API
The API improves connection rates by delegating hand ling of the connection
setup packets (except the very fi rst one - the SYN packet) to IPSO. That means
when the firewall omoads a connection, it supplies the connection's initial TCP
stat..: so IPSO can pick up from thaI state and continue handling the connection
from that point on.
78
The connection rate is increased with the concept of connection templates which
look at fou r attributes for a match. The anributes are SrcAddr, SrcPon, Proto,
DestAddr, and DestPort (the SrcPort is masked out). When the very first packet
comes into the ingress pon of the Security Appliance, it goes up to the fire wall
for processing since no connections have been validated. Afte r the firewall
processes and validates the packet, it stores the connections in the connection
table, and offloads the connections to IPSO via SecureXL API. At the same time,
the firewall also creates a template containing four attributes for a match through
the SecureXL API.
The template stays within IPSO. When an inbound packet arrives and there is no
match in the SecureXL connection table, a template match can now be attempted
to avoid a round-trip to the firewall appl ication for connection validation.
There are further enhancements to connection rates and security by:
AUowing IPSO to delete connections without getting delete requests from the
firewall (auto-expire).
Allowing IPSO to handle certain shon connections completely on its own
(delayed notifications). This feature is particularly beneficial fo r systems
processing many shon-lived connections because it syncs less often (as
opposed to syncing on every connection) requires less CPU cycle.
Allowing IPSO to implemcnt an enhanced method of tracking the TCP state
ofTCP connections, including examining the TCP sequence and ACK
numbers in addition to the TCP flags (TCP sequence validation).
rcp sequence validation by default is disabled in IPSO. To use this feature, users
should enable it in both SmartDashboard and in IPSO using Voyager. The auto
expiry and delayed notification features can also be enabled or disabled using
Voyager. They arc enabled by default. After enabling/disabling any of these
features, the policy needs to be pushed for the change to take effect.
R75
Trainin~
Manllal
79
VPN Capabilities
SecureXL also adds VPN routing capabilitics and enhances connectivity to
support VPN in dynamic routing environment, configured in Smart Dashboard:
80
Route-based VPN
IP Pool NAT
IPv6
Overlapping NAT
SMTP resource
Default Configuration
Upon installation of Core XL, the number ofkemel instances is derived from the
total number of cores in the system as described in the following table:
81
f'
NumberOi"'c:o....
CoreXL is disabled
More than 8
82
The default affinity setting for all interfaccs is Automatic. Automatic affinity
mcans that if Perfonnance Pack is running, the affinity for each interface is
automatically reset every 60 seconds, and balanced between available cores. If
Perfonnance Pack is not running, the default affinities of all interfaces are with
one available core. In both cases, any processing core running a kernel instance,
or defined as the affinity for another process, is considered unavailable and will
not be set as the affinity for any interfacc.
In some instances, SND cores can be overloaded due to high traffic on multiple
interfaces assigned to the same SND core. Manual sim affinity can alleviate this
symptom. Use aim affinity -1 and the /proc/interrupta file
to see affinity distribution. Each busy interface should be assigned its own IRQ
and distributed among SNO corcs. Refer to sk33250 on how to edit sim affinity.
In some cases, which arc discussed in the following sections, it may be advisable
to change the distribution of kernel instances, the SNO, and other processes,
among the processing cores. This is done by changing the affinities o f different
NICs (interfaces) and/or proccsses. However, to ensure CoreXL's efficiency, all
interface traffic must be directed to cores not running kernel instances . Therefore,
if you change affinities of interfaces or othcr processes, you will need to
accordingly sct the number of kernel instances and ensure that the instances run
on other processing cores.
Under normal circumstances. il is not recommended for the SND and an instance
10 share a core. However, it is necessary for the SND and an instance to share a
core when using a machine with exactly two cores.
83
Reinstalling the gateway will change the number of kernel instances if you havc
upgraded the hardware to an increased number of processing cores . or if the
number of processing cores stays the same but the number of kcrnel instances
was manually changed from the default. Use cpconfig to reconfigure the number
of kernel instances.
In a clustered deployment, changing thc number of kernel instances, such as by
reinstalling CoreXL, should be treated as a version upgrade. Follow the
instructions in the Upgrade Guide, in the "Upgrading ClustcrXL Deployments"
chapter, and pcrfonn either a Minimal ElTon Upgrade using networ k downtime
or a Zero Downtime Upgrade (no downtime, but active connections may be lost),
substituting the instance number change for the version upgrade in the procedure.
A Full Connectivity Upgrade cannot be perfonned when changing t he number of
kernel instances in a clustered cnvironmcnl.
84
'-.-
..
I
I
I I
...
At..Jtn~
I I
l- .I. I
Cf-i-;;;;::-U
._._- _._.
~11I:
, - - - - - ... -
'
,,, ,,,
, ,
,, ,,
I
I
",
L ____ J-t_---------a
,, ''
I
a --: ."::<..-al!
j'ac I:....... ---'
... _----_ ..
------------D
85
Review Questions
1. What does ClusterXL use to represent the cluster itself?
86
-:CCH-:-:A-:CpT=E=-R-:-4- -
Advanced User
Management
87
Chapter Objectives:
Using an external user database such as LDAP, configure SmartDirectory to
incorporatc user information for authentication services on the network.
Manage internal and e",ternal user access to resources for Remotc Access or
across a VPN.
Troubleshoot user access issues found when implementing Identity
Awareness.
88
U.er Management
User Management
Aside from knowing how to create intcrnal users, organizing them into groups,
and creating uscr objects to sct up in a policy, it is important to administrate users
authorized from a local or external database. This requires some knowledge
about those databases, and then how to integrate their use with Check Point.
Active Directory
au Structure
Active Directory is a database technology based on Lightweight Directory
Access Protocol (LDAP) created by Microsoft, and is primarily used as a
management tool for organizational structures in Windows environments. Active
Directory is based on objects and containers set up in a hierarc hical
organizational structure. Each tier of the hierarchy is comprised of containers
which contain objects, or a container that contain other containers and objects.
Each object or entry in the directory is made up ofa set of attributes. An
attribute has a name, such as an attribute type or attribute description, and one or
more values. The set of rules which governs the types of objects in the directory
and their associated anributes is called the schem a. Each obje<:t has a unique
identificr, its Distinguished Name (ON). This is its Relative Distinguished
Name (RON) constructed from some auribute(s) in the object, followed by the
parent entry's DN.
The container in this structure is called an Organizational Unit or OU. OU's are
tiers in the hierarchy and contain objects, which can be defined in three
categories:
e resources - commonly defined as device objects such as printers, user PC 's,
and servers.
e services - any service that may be used within the company network, i.c.
e-mail, chat, file server access.
e users -
89
Advanced UH r Management
Much like DNS domains, AD hierarchies are nested within each other, stemming
from a root or "enterprise" leveL For example, the OU atlantiscorp.cp.local will
have sub-OU's such as prodllcls.atlamiscorp.cp.local,
sales.allantiscorp.cp.local,jinance.otiontiscorp.cp./ocal, and
mis.atlanliscorp.cp.local. Each of these arc distinct containers at th e ir own level,
but they are all part of the enterprise container, atlamiscorp.cp.local. This
extends down to the specific device objcct level , so that a uscr in M IS could have
an Active Directory designation of:
~
--
Figure 1 -
90
U.. r Management
Authenticate users
91
Default port numbers are TCP 389 for standard connections, and TCP 636 for
Secure Sockets Layer (SSL) connections (LOAPS or LDAP over SSL).
92
User Management
Quick setup of AD
Schemas
An LDAP schema defines the typcs of objects and objcct attributes in the
directory. A default schema ex ists which incl udes user definitions for that
proprietary LDAP server. When all users use the same authentication scheme and
are defincd according to a dcfault template, the default schema is sati sfactory. But
for cases whcre users are must be defined differently, a Check Point schema can
be employed. The Check Point schema complements the structure of the
information in the LDAP Server, but includes Security Management Server and
Security Gateway specific information as well. It can be used to enhance objcct
definitions in the directory for more granular user authentication.
For more infonnation about the object classes defined in the Check Point schema,
reFer to thc R75 Security Management Admin Guide.
93
94
"""
95
NClseapc_DS -
Microsoft_AD -
96
www . opsec.com/solutions/
sec authentication . html.
4. Check the AU object is configured correctly, i.e., profile, correct branches and
administrator ON.
5. Check the LOAP group objects configuration. How did you configure the
LOAP groups? If you selected the option:
All AccountUnit's Users or Only Sub Tree the groups defined on the
LDAP server are irrelevant
Only Group in branch the group must point to a group on the LDAP
server. Is it a dynamic group?
6. Where do you usc authentication? The relevant LOAP groups should be used
in the authorizations of the product that uses authentication. For example,
when using Endpoint Connect, the user groups should be defined on the
RemoteAccess object.
Once all the above are configured correctly and you have all the answers you
need, obtain the following debugging information:
A capture ofa successful and unsuccessful login will help you in investigating
the problem, but be sure yo ur AU object is configured not to work with SSL
so that you have a clear connection. When you have the capture, try 10 see
whieh attributes are being used to query for group membership.
97
The AUs are assigned to the Sa, but the AU is not selected.
The LOAP schema is not extended and the AU is not assigned with an
authentication scheme. Even if the schema is extended, the authentication
schema on the user record could still be undefined. It will remain undefined
even though the AU defines a scheme.
ldapsearch
For example: Idapsearch -D cn::ad:ministrator,cn_users,dc . boaz,dc_cam -w zuburll -b
cn_users,dc=boaz,dc_cam -h 20 . 20 . 20 . 100
' (&(objectclass _user) (sAMAccountName=zaza)
mobile otherMobile
) '
98
RADIUS
SecurlD
TACACS
OS password
cpldapcl, ldap
ace5sdk
In addition, when examining log entries, search for the following infonnation
help with the debugging:
Usemame
10
99
Identity Awareness
This section devotes attention to troubleshooting Identity Awareness to address a
typical network security expert's job task requirements. Advanced User
Management must take into account this product because of its importance in
controlling corporate resources and increased visibi lity of user activities.
Identity Awareness includes these key features:
Configurable access roles - Use the Identity Awareness software blade to
easily add users, user-groups and machine identity intelligence to your
security defenses. This information is obtained from the corporate directory
services.
Multiple user identification methods - Provides multiple me thods to
obtain a user's identity; Clientless, Captive Portal or Light Agent. Identity
information can be utilized by relevant software blades to apply and enforce
user-based policies.
Deployment wizard for fast & simple deploymenl - Adding identity
intelligence via the Identity Awareness Software Blade is fast and easy with
the built in deployment wizard. In a few steps user, user-group, and machine
information can be made available to utilize in policies throughout the
security infrastructure.
100
Identity Awarene
Once you enable an identity source on the gateway, the gateway will map IP
addrcsses in your network to the respective user active for each IP. When traffic
arrives from/to the IPs, the gateway will include the user and computer name in
the logs.
The following infonnation provides somc tips for troubleshooting cases when
Identity Awareness cannot identify users in your network, and when traffic logs
do not contain user infonnation.
The troubleshooting procedure includes:
1. Verifying AD Query Sctup
2. Identifying users behind an HTTP proxy
3. Verifying there's a logged on AD user in the source IP
4. Checking the source computer OS and activating captive panal
5. Using SmanView Tracker for further troubleshooting
Enabling AD Query
Once you enable AD Query on a gateway, the gateway will register to the
configured domain controllers in order to receive security event logs. By
analyzing these logs, the gateway will map IPs on your network to their
respective users and computers.
AD Query does not detect all users and computers immediately. Depending on
the activity in your network, AD Query may take up to a few hours to complete
the mapping of users and computers to IPs.
To quickly identity a user, lock the user computer, wait a few seconds and then
unlock it. This will generate a security event log and mapping of the user name to
the IP will take place.
101
AD Query Setup
In addition to enabling AD Query in your policy, verify that the following
conditions are met:
Active Directory event logging is setup.
Verify that domain controllers are configured to audit authentication success
events. This is the default behavior in AD but may have been cha nged in your
organization. In the domain controller Event Viewer, look for the following
event numbers:
Windows 2003: events 672, 673 and 674.
Windows 2008: events 4624, 4768, 4769 and 4770.
The LDAP Account Unit is setup.
Verify that all domain controllers to which users authenticate are configured
in the LDAP Account Unit Servers list. The Security Event log is not synchronized between domain controllers.
The gateway successfully connects to all domain controllers.
Use SmanView Monitor to see the status of connections to domain controllers or run "adlog a de" in expen mode on the gateway to see connection status from the gateway to domain controllers. Typical reasons for Jack of
connectivity to domain controller:
A fircwalVIPS device en route 10 the domain controller is blocking DCOM
(pon 135 or high port used by DCOM).
Check Point Firewall or IPS may be blocking DCOM. See SK 58881 for
resolution.
Non-English user names: To suppon non-English user names, you must set an
anribute using dbedit or GuiDBEdit. Set the SupportUnicode attribute
to true on the LOAP Account Unit object. The LOAP Account Unit object is
found in the Servers table.
That users reach the gateway and domain controller with the same
endpoim IP.
Users will reach the gateway with a different IP in the follow ing cases:
When there's a NAT device between the users and the AD domain controller
or gateway.
When users connect through a Citrix or Tenninal Server.
When many users authenticate to one server such as Outlook Web access
server.
102
Identity Awareness
Users connecting behind NAT or via Citrix or Terminal Servers arc not
supported. When AD Query detects 7 or more users on the same IP, Ihis IP is
disregarded.
check " For Application Control blade, detect users located behind HTTP
proxy using X-forwarded-For header".
3. Install the
policy.
103
as
If you cannot connect to the source IP C$ share or with WMJ Expl o rer, it is
likely that this IP is a computer that is not a member of the domain _ II is also
possible but less likely, that thi s IP is a domain computer but RPC and WMI
traffic is blocked in your network or on the target computer.
To help detennine the OS at the JP, use remote endpoint profiling to ols such as
nmap to detect the as. For example run "nmap -A 10.0.0 . 1." to detect
the OS on this IP:
FIgure 3 -
nmap Example
If this is not a Windows computer, turn on the captive portal on the gateway so
that Web traffic will be intercepted and the user will have to authenticate. (The
AD Query identifies computers logged on the domain.)
104
Identity Awarene
105
Review Questions
1. What objects make up an Organizational Unit container?
3. What long does it take for an AD Query to map users and computers to IPs?
4. If you cannot connect to the souree IP C$ share or with WMI Explorer, what
is the likely cause?
106
-CH-AP-T-ER-S- -
107
Objectives
Using your knowledge of fundamental VPN tunnel concepts, troubleshoot a
site-to--site or certificate-based VPN on a corporate gateway using IKEView,
VPN log files and command-line debug tools.
108
Manage and test corporate VPN tunnels to allow for greater monitoring and
scalability with multiple tunnels defined in a community incl uding other VPN
providers.
IPsec
IPsec is an open standard protocol suite for secure IP communications using
authentication and encryption techniques on IP packets. The following are used
to perform various functions:
109
110
Example
The IKE exchange uses six packets for Phase I (Main mode) and three packets
fo r Phase 2 (Quick mode):
For Main mode packet I, the initiator 172.24.1 04.1 provides the following
information:
.. _ _ - . _ ..... _
B _ _
a _. . . . . .
.. _-_ _ 0
:O<ZlIQ
1I _
. )(" .12IQ
,-
-o
.-- ""'....."
,,-
Figure 1 - IKEVIew
111
1. Packet 2 is from the responder to agree on one encryption and hash algorithm:
. . . 1&1
11
: .~;-~;;.~~":.-~
1I .... _ .n ~Z>~
. ....o<i. . n Z>~
, _
Figure 2 - Packet 2
2. Packets 3 and 4 perform key exchanges and include a large number never
used before, called a nonce. A nonce is a set of random numbers sem to the
other pany. signed and returned to prove the pany's identity. These two packets are not generally used in troubleshooting a key exchange with IKEvicw.
5 """' _ _ "'...... .
1I "'_~ lI"121Q
Ij "'--' I"~
. ......... In Z>~
........... "..,2l1li
-..
" "....
............................. '"
...........................
. , . . . . . . . . . . . . . . . . . . . . . . . . . M
.............................
.............
_.......... .
"' . . . . . . d . . . . . . U . . . . . . . . . . .
.. n ........................ ..
u .. ., . . . . . .
Figure 3 -
112
1-1
Packets J and 4
3. Packcts 5 and 6 perform authentication bctwcen the pcers of the tunnel. The
peer's lP address shows in the 10 field undcr MM packet 5:
... 1lIt _
'!Ui!I
. ..
~. ':!:llJ
"
z>lD ' ~
' n:
H.
'~. "'IDI
._....
. _
-.....M,'.UOOI>"'''''''' _F_ 'U' IlI,. "UIII
..... -...In u lDI
n u",
~
", _ _ , n'
-__-.... .
...
lUI
........
- _ .... ;1
.. '" .. III
,,'1.... I.Q.1.)
11" _
,,..
..... '
___
Figure 4 -
"".~
Packets 5 and 6
4. Packet 6 shows the peer has agreed to the proposal and has authenticated the
initiator:
--- _
li e.( ~ ",
........._- , "'.,.,,"'.
":'!!i!"-
. ........
n.ZI.
__ 'n
'''''''...
_."",u,., __ , _
-_.....M
li4'> _
Figure 5 -
Packet 6
11 3
In Phase 2, the IPsec Security Associatio ns (SAs) are negotiated, the s hared-secret
key material used fo r security algorithms is determined, and an additional DH
exchange occurs. Phase 2 failures are frequently due to a misconfigurcd VPN
Domain, which could include omitted objects, duplicated objects or choosing all lP
addresses behind the Security Gateway. Typically, Check Point recommends a
manually defined VPN Domain, which includes all network objects that will
participate in the VPN communication.
Phase 2 Stages
Phase 2 can be broken into the following general stages:
Peers exchange more key matcrial, and agree on encryption and integrity
methods for IPSec.
The DH key is combined with the key material to produce the symmetrical
IPSec key.
e
_--
.-
,.,
Ll....
.. Ia<
1. . nu
. Ia<_ l ...., .
114
.
---_.-
~ ~ '''''''~~=~::-
In the ID field, the initiator 's VPN Domain confi guration displays. In the fol
lowing figure, the VPN Domain for the inilialor is the 10.2.4.0124 network :
....'"
_
_ _ ' ' ' ' _ _ .l>o<._1It1>1IIi
" .9 .... .....
_ _ _ ..... <IO<_.I>IIIi "O<
-_._.a.."RJ.......
._,-
,-..
........
-_......
.. 10
.It,
.,d,
MIll.......
FIg ure 7 -
VPN Domain
.._-
_ , PfIOl 0. ~c...(SI'
. ..' 1....... '
Figure 8 -
-...
.10
II ..
-..---
. . II... . . .
' .......
-__
_ "
...
,,, II.
,1,
tII"~ot l
"'.1.1.1 .........".(
VPN Domain
liS
3. Packet 2 from the responder agrees to its own subnet or host 10 . and encryption and hash algorithm:
1110 , _
8 .. 0 ......, .
>_. . .
:ro; ' _
.-"~
e
"5 ""
__ 11ot!1,06i
""",",010. 1PI[(..[Sf'
. ...1[ SP""'S
Figure 9 -
m ~H
Ii
T~ot "
OIi
""oz.",.,
Packet 2
Figure 10 -
Packet 3
Pre-Shared Secrets
Hybrid Mode
One-Time Password
Security Gateway Password
OS Password
- RADIUS
TACACS
-SAA
Once authentication is successful, the final IKE negotiation is attempted (phase
2), and the VPN tunnel is established.
However, in order for encrypted connections to exist for SecuRemotel
SecureClient remo te users, the organization 's internal network (topology) must
be known. The Security Gateway downloads this information which includes IP
addresses of network resources and host addrcsses of other Security Gateways
that are part of the YPN domain. This topology information, along with client
configuration properties, is downloaded to the client over a secured connection
using SSL over IKE.
11 7
The connection type in which a client connects with the gateway is called the
Connect Mode. The initial connection is made directly to the gateway, but all
subsequent connections to internal resources will be made through transparently
initiated VPN links. Recall that there are five connection methods w hich can be
used seperatcly, or together:
Office Mode - Where a Gateway assigns a remote client an IP address after
connection and authentication takes place.
Visitor Mode - When the client needs to have a tunnclto the gateway site
through a TCP connection on port 443.
Hub Mode -
Link Selection
There arc times when having more control over VPN traffic is useful, particularly
when high-traffic demands are applied to the gateway and its performance is
impaired. Link Selection provides the means to specifY which interfaces arc to be
used for incoming and outgoing VPN traffic. The Administrator can also choose
the IP addresses used for VPN traffic on each Security Gateway.
Among the configuration options, the administrator can choose to:
Probe links for availability
11 8
If the link is set to the wrong IF address, VPN connectivity configured for a
remote site can be damaged, unless it is configured to "auto-probe". For example,
assume a client creates a site with the extemallP address of the gateway. During
the creation process, the topology is downloaded, including the link selection IP,
which was set to the internal interface of the gateway_ From that point, the client
will attempt to establish a tunnel with the IP address set in the Link Selection
settings (the internal IP address), instead of the pre-configured external lP
selected during site creation. In this case, the connection to the site will most
likely fail.
11 9
Explicit MEP
Only Star VPN Communities using more than one central Security Gateway can
be defined expl icitly as MEP VPNs. This is the recommended method. Explicit
MEP VPNs can be configured to have the entry-point Security Gateway chosen
eithcr by:
Sclecting the closest gateway to the source (First to respond)
Selecting the closest gateway to the destination (By VPN domain)
Sclecting randomly (for Load distribution)
Selecting from a priority list (MEP rulcs)
120
Implicit MEP
If fully or panially overlapping encryption domains exist, or where primary or
backup gateways are configured, then the MEP VPNs can be implicitly defined.
Implicit MEP VPNs can be configured to have the entry-point Security Gateway
selected either by:
Load Distribution - If all the Security Gateways share equal priority and
the same VPN domain, the traffic load can be distributed so that the
connections are shared evenly between all the gateways.
For remote access MEP VPNs. each c1icnt must usc Office mode and assigncd its
own pool of addresses. lf the clients arc connected via a routing backbone, then
each pool must be routed to the appropriate site. If the client is connected via siteto-site, then il needs to be included in the encryption domain of each gateway.
R 75 Trainine Manllal
12 1
Tunnel Management
There are two types ofVPN tunnel management:
Permanent Tunnels - This feature keeps VPN tunnels active, allowing realtime monitoring capabilities.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to
other sites, uninterrupted connectivity has become more crucial than ever before.
It is essential to make sure VPN tunnels are kept up and running. Permanent
Tunnels are constantly kept active, and as a result, make it easier to recognize
malfunctions and connectivity problems. Security Administrators can monitor
the two sides of a VPN tunnel, and identify problems without delay. Each VPN
tunnel in a Community may be set to be a Permanent Tunnel .
Since Pennanent Tunnels are constantly monitored, if a VPN tunnel fails for
some reason, a log, alen, or user-defined action can be issued. A VPN tunnel is
monitored by periodically sending tunnel-tcst packets. As long as responses to
the packets are received, the VPN tunnel is considered "up". Ifno response is
received within a given time period, the VPN tunnel is considered " down".
Permanent Tunnels can only be established between Check Point Gateways. The
configuration of Permanent Tunnels takes place on Community objects. There
arc three options to configure a Permanent Tunnel :
122
For a single VPN tunnel - this feature allows con figuring specific tunnels
between specific Gateways as permanent.
Tunnel Management
Tunnel Testing
Tunnel Test is a proprietary Check Point protocol that is used to test w hether
VPN tunnels arc active. A tunnel-test packet has an arbitrary length, w ith only
the first byte containing meaningful data - the type fiel d.
The type field can take any of the following values:
e
I - Test
2 - Reply
e 3 - Connect
4 - Connected
Tunnel testing requires two Gateways, one configured as a " Pinger" and one as a
"responder". The Pinger Gateway uses the YPN daemon (vpnd) to send
encrypted tunnel-testing packets to the responder Gateway. The responde r
Gateway is configured to listen on port 18234 for special tunnel-testing packcts.
The Pinger sends type I or 3. The responder sends a packet of identical length,
with type 2 or 4 respectively. During the connect phase, tunnel testing is used in
two ways:
e A connect message is sent to the Gateway. Receipt ofa connect message is
the indication that the connection succeeded. Connect messages are
retransmined for up to 10 seconds after the IKE negotiation is over, ifno
response is received.
123
TunnelManagement Configuration
Tunnel management is configured in the community object:
r.o.. ..
_~
.... _
rDlo .. _,. . . . ~
r: 0. _ _ _ _ .... - . .
r_._
r;
~ _ _ _ _ "".,,=.;;===~
1P..c.-::J
T........... - .
ILog
::::J
...".t.t.oI
r........."'"""'
....-otJPM _ _ _ _ G_
rr.Ont
Ont~
I*""""
_ ........
__
_...
...oI_
r Ont _ _
I*~_r*
..
Figure 11 -
124
Tunnel Management
Tunnel Management
Permanent-Tunnel Configuration
To set VPN tunnels as pennanent, select Set Permanent Tunnels. The following
Permanent Tunnel modes are then made available:
Tracking options
Several types of alerts can be configured to keep Administrators up-lo-date on
the status ofVPN tunnels. Tracking settings can bc configured on the Tunnel
Management screen of the Community Properties window for all VPN tunnels,
or they can be sct individua lly when configuring the permanent tunnels
themselves. The different options arc Log, Popup Alert, Mail Alert, SNMP Trap
Alert, and User Defined Alcrt. Choosing one of these alert types will enable
immediate identification of the problem and the ability to respond to these issues
more effectively.
125
One VPN tunnel per subnet pair; Once a VPN tunnel has been opened
betwecn two subnets, subsequent sessions betwecn the same subnets will
sharc the same VPN tunnel. This is the default setting, and is compliant with
the IPSec industry standard.
One VPN tunnel per Gateway pair; One VPN tunnel is created between peer
Gateways and shared by all hosts behind each pecr Gateway.
126
Troubleshooting
Troubleshooting
The first step in troubleshooting a VPN tunnel and lKE negotiation is to ensure
packets destined for the VPN tunnel from the peer arrive at the Securi ty Gateway,
and vice versa. The SmartView Tracker log is a good way to confinn that IKE
packets arrive at the Gateway.lftherc are no messages in SmanView Tracker,
fw moni tor is helpful for confinning if IKE packets arrive and leave the
Gateway.
Once you verify IKE packets arrive at both sides, run a debug for IKE traffic with
the vpn debug on command. Generate some traffic from your VPN Domain
to the peer's VPN Domain. If the ike . elg file does not contain useful
information, an invalid runnel may have been initiated previously, and it is
necessary to remove related SA keys from the table.
Use the vpn tu command to remove site-to-site IKE and/or IPSec keys and
initiate traffic across the tunneL This should place useful information into
ike . elg. In the new ike. elg file, if you can identify on which packet the
IKE negotiation fails. you can check relevant configuration parameters and
correct accord ingly. Also, look al the vpnd. elg file. This file contains useful
information about other crrors that might have occured on the VPN tunnel
establishment process.
127
VPNDebug
128
VPN Debug
129
Windows -
Unix -
setVPN DEBUG=l
IS
vpn Command
The vpn command displays and controls various aspects ofa Gateway. The
following table lists other options for the vpn command that can be useful when
troubleshooting/debugging a VPN related issue:
command ;-:-_
:>- .,,-
DescrIption
'0' _
vpn crt_zap
"pn crlview
vpn runncltuil
Displays a list of options to manage a VPN tunnel session; vpn tu can be used to stop all VPN or individual runnels.
vpn ru
vpn drY <on ] off ] stat>
vpn compstat
vpn compreset
vpn export....r 12
130
VPN Debug
vpn tu
The command vpn tu is short for vpn tunnel uti 1, and is useful for
deleting IPSec or IKE SAs to a specific peer or user without interrupting other
VPN activities.
Comparing SAs
The following is a quick process to verify that you and a potcntial VPN partner
are configured correctly:
1. Enable VPN debugging on both your site and your partner's site w ith vpn
debug on trunc.
2. Use vpn tunne1uti1 (vpn tu) to remove all SAs for either the peer
with whicn you are about to create the tunnel, or all tunnels.
3. Have your peer initiate the tunnel from its site to yours.
4. Use vpn tunneluti1 (vpn tu) to remove all SAs for either the peer
with which you arc about to create the tunnel, or all tunnels.
5. Initiate the tunnel from your site to your pecr.
s. Disable debugging on both sites.
7. Examine ike. elg and vpnd. elg, as they will now contain records of
the SA sent by your gateway, as well as what was received from your
partner site.
13 1
Examples
You have several site-Io-site VPN tunncls among Gateways.
You want to rcmove the IKE SAs for a particular peer, without interrupting the
other VPNs. How do you do that?
Run vpn tu from the Gateway Command Line Interface, and select delete all
IPSec and IKE SAs for a given Peer (GW) option.
Check the Shared Tunnel settings in the Tunnel Management section ofthe
VPN community. Make sure both sides agree on either host based or subnet
based.
Interoperable devices do not support the Gateway to Gateway option.
Check for multiple network objects in the VPN domain that overlap. For
example, I0.I.l.1I24 and 10.0.0.018 arc both in the VPN domain. It is
possible that a packet sourced from 10.I.x.x will usc 255.0.0.0 for the subnel
in phase 2 instead of255.255.255.0.
In some cases, particularly when network ovcrlaps exist in the VPN domain,
it is still required to modify the user. def file. See SecureKnowledgc
solution skl9243 and sk30919 on Check Point's Web site:
https://usercenter.checkpoint.com/support
132
VPN Debug
Example 1
Assume you have a site to-site VPN between two Check Point Security
Gateways. They are managed by their own Management Servers. You see a lot of
IKE Phase 1 failures in Smart View Tracker. You run IKE debug on one Gateway
and discover only one packet in Main mode is transferred. There is no packet in
Main mode after packet I. What might have caused this problem?
First, check VPN settings (including Encryption Algorithm, key length, and Hash
method) in the Community object. Make sure Phase I settings arc identical on
both sides. Also check Phase I settings in the Advanced settings in the
Community object, such as group I or group 2, aggressive mode. etc. They must
be defined idenlically on both sides.
Example 2
You are confi guring a site to-site VPN from a Check Point Security Gateway to a
Cisco device. You see that traffic initiated from the VPN Domain inside the
Security Gateway is dropped with the error, " Packet is dropped as there is no
val id SA". The C isco side is sending " Delete SA" to the Security Gateway. The
IKE debug indicates a Phase 2 (Quick mode) failure. What is causing the
misconfiguration?
A Quick mode failure usually indicates the VPN Domain is not configured
exactly the same for one or both peers. For example, if the Security Gateway's
VPN Domain is a Class 8 network. but the same network is defined with a Class
C subnet mask on the Cisco VPN configuration. then Ihis type of error occurs.
I II
Review Questions
1. What arc the stages ofa Phase 2 IKE exchange?
4. Quick mode packet I fails with error "No Proposal Chosen" from the peer.
What is likely the cause?
134
CHAPTER 6
\35
Objectives
136
Account logon
Logon
Account Management
Poliey Change
Process Traeking
Object Access
Privilege Use
System Events
137
Implementing these audit policies produces detailed records for the following IT
security aspects according to the Sarbanes-Oxley Act.
Password changes
All internal system activity including logins, file accesses and security
incidents.
13R
$martEvent
SmarlEvenl
SmartEvent is a management Software Blade that uses netWork security
information with real-time security event correlation and management for Cheek
Point Security Gateways and third-party devices. SmartEvent's unified event
analysis identifies critical security evcnts from thc cluttcr of data, while
correlating events across all security systems. Its automated aggregation and
correlation of data minimizes the time spent analyzing log data, and a lso isolates
and prioritizes thc real security threats .
._... _....._-_.-
-..
~
~ ---~
~
- ,.p . -
"
"..
~, ..
"' _,,"
__ . ..., _ _ "N
"
....
j. : ; : : ; __ ."u
... .. "
~
........
4'
- . -- .~
0_
_. ___ o
_-
__
-~ -
Figure 1 - SmartEvent
Thc full SmartEvcnt Softwarc Blade ean monitor events for all Cheek Point
products and third party dcvices. It includes pre-defined queries and event
dcfin itions for firewall, VPN , Endpoint Seeuriry, IPS, DLP, Identity Awareness
and Application Control.
139
As pan of the Software Blade architecture, the original Eventia Analyzer product
name was changed to Event Correlation Software Blade. The Eventia Correlation
Software Blade is renamed to SmartEvent Software Blade to better represent the
product's unique value proposition.
SmartEvent Intro
The SmartEvent lntro Software Blade provides centralized, real-time, security
event correlation and management for a single Check Point Security Software
Blade. For example, you could purchase the Smart Event Intro Software Blade for
either IPS or DLP event management.
The full reporting capabilities are a part of the SmartReporter Software Blade
(which is bundled with the full SmartEvent Software Blade). It is possible to
upgrade to the full SmartEvent version for full reporting. However, it is on ly
possible to install one SmanEvent Intro Software Blade per device. To obtain
monitoring and correlating firewall events, you would need the full SmartEvent
Software Blade.
140
Sm.rtEvent Architecture
SmartEvent Architecture
Three main components arc responsible for producing the log consolidation,
correlation and analysis resuhs:
Analyzer Server - Receives events from the CU and assigns a severity level
to the event. It invokes any defined automatic reactions, and adds the event to
the Events Database, which resides here. The severity level and a utomatic
reaction arc based on the Events Poticy. In addition, it impons certain objects
from the managemcm server to define the intemal network. Changes made to
the objects on the management server are reflected in the client. The Analyzer
Server defines automatic responses and manages the database.
e Analyzer Client - The Windows GUt that displays the received events, and
manages them for filtering and status (i.e., closed events). It provides tinetuning and installation of the Events Policy.
141
Un,
eranc"OI'II~11
....
OPSEC
oesEC
AM'"
""",C
A,pplcabon Monolonn9
"'"
C<PSEC
CPl OG
Irlemal
FWM Comll'lM>d
'"-
Iream81
IYTA
,-,
E"I!IIIIOk~
(',,""
Irt""'81
Uses CPMI
.......
.....
o"",c
RA
Figure 3 -
14'
"..
SmartEvenl Processes
"".
1"",aWon
SmartEvent Architecture
Referring to the ne",t graphic, notc that the Analyzer Server provides the event
definitions by way of the Evcnt Policy to the CU, which in turn. pulls the logs
originating from the log sources, i.e., third party log servers. The CU perfonns its
analysis based on the Event Policy and delivers the results to thc Server. The
Server communicates this infonnation to the client.
.- - -cu
Log
5_
,Milcline
'
,-------,
Figure 4 - Analyzer SeNer
143
iii
" ..........
[j [...-.I poky
'o"
"""'rIt......
~ ::-..:::::::::':
Figure 5 -
SmartEvenl Policy
This opens the main Edit Event Definition window. There are five tabs used to
configure the event.
We'll be paying close attention to the Filter tab.
,-
~_..e_<i
i4
Cfj
..
_t""'"
(", . . . octO> . . . _
... _
.._
0..:. .... . . -.. ........
_ _._
... _
--
'gAg
. . ... _
-~
.,
......
_ _ _... .....
J
Figure 6 -
144
SmartEvent~ch~~ure
The filter tab settings determine whether a log is considered for an event or not.
Events that don't match the defined filters are discarded.
10lil I ...
fl' ...."......
J:
160' _1
1 ____ 1
--
__J
----.-
145
In the Count Logs tab, you define the number of logs collccted over a period of
time that determines a new event.
--_ ...
Figure 8 -
When clicking on the Advanced bunon from here, you can decide to keep an
event open (i.e., Time to live), which means that after an event is generated, more
logs arc accumulated 10 the event until the event falls below the threshold time.
Q!<
Figure 9 -
II
111M>
SmartEvent Architecture
The Updated time means an event is updated a fter the designated length of time.
Actually, the event is repon ed several times:
When created
Up to five updates
When it is closed
The Event Format tab pcnnits mapping Event data to log fields so that the actual
Event is viewed with the corresponding (preferential) data.
---
,-
-~-
Figure 10 -
~
~
;I
~
Finally, the GUI representation tab allows the administrator to define which
fields (and how wide the field) will display in the exception and exclusion
sections of the pan icular event policy.
--
---'--
._- ........,-.......-
~-
Figure 11 -
R7~
Defining Events
147
When creating a new event, from the Event Definition Wizard, you can select an
event as the basis for the new event, or create a new event from scratch. If you
used the Save As option from the drop-down menu you saw earlier, you can
clone an existing event and then modify it for a new event.
(-..,.,
-. n
0 .... _
.~
.... _ _
.~
fi~
.'.
....",
;:! - ... i::l ~_
14.
SmartE....nt Architecture
The wizard will guide you through sening up the basics of the event, s uch as
name and description. In addition, you can decide if an event will be generated by
a single log that matches the event definition, or multiple logs. When making this
choice, ask yourself, " Is the receipt of a single log, enough 10 imply an event?"
';" -'r
,...
en
.
"':~ ~' - r""'
_"\~
'J dplll_~
SlepJd 6
{ <1iIO:k
Figure 13 -
II
HM .
I[
c-.I
OJ
149
The next step in the wizard guides you in building the filtcr. You stan by
designating the source product, then choosing among the available log fields as a
condition for the match. For example:
--- -_
..... _ _ _ _ a.do. _ _ .~
...----~--- .....
-~-
- . ..
'-
[;.:1::
:
::
----_._--
.......
'-
=
=
110 _ _ ... _ _
~.
1- - --1
Ftgure 14 -
Finally, you specify the threshold. timc, distinct values and unique values:
----so.',fi
_._
--_. .__.............. . _-... ...__...,",_-_c-.
_.._
....,----",-.--",-.
-_..._..-----....-
....'-'-_
_. _ _
.... - . r: _ _ _ _ _ _:;t_
.--- ...
Smartevent Architecture
Clicking Finish will save the new event under the list of User Defined Events.
In order for it 10 take effect however, you must remember to install the event
policy from the Actions menu, option Inslall Event policy.
avstart
Labels parameters
151
SmartReporter
The purpose ofSmanReporter is to provide an understanding of important events
(traffic) occurring on the network, and the overall security impact of those
events. It provides:
...-........----_-- ,.","--,.---"
,-,.-..
-.,--1......>,-----.,---..... --'1 " -
r .. _ _
-~
- --,~ -
,--
Figure 16 -
SmartReporter
'h _"~_
SmartReporter
A Consolidation Policy is similar to a Security Policy in tcnns of its structure and
management. For example, both Rule Bases arc defined through the
SmartDashboard's Rules menu and usc the same network objects. In a ddition,
just as Security Rules detennine whether to allow or deny the connections that
match them, Consolidation Rules detennine whether to store or ignore the logs
that match them. The ke y difference is that a Consolidation Policy is based on
logs, as opposed to connections, and has no bearing on security issues.
The Log Consolidation Solution diagram illustrates the Consolidation process,
defined by the Consolidation Pol icy.
I-
19"""
No record of this
log will be saved .
I-
As Is
After the Security Gateways send their logs to the Security Management server,
the Log Consolidator Engine collects them, scans them, filters out fields defined
as irrelevant. merges records defined as similar and saves them to the
SmartReporter Database.
The Figure illustrates how the Consolidation Policy processes logs: when a log
matches a Consol idation Rule, it is either ignored or stored. If it is ignored, no
record of this log is saved in the SmartReportcr system, so its data is not available
for report generation. Ifit is stored, it is either saved as is (so all log fields can
later be represented in reports), or consolidated to the level specified by the Rule.
153
The consolidation is perfonned on two levels: the interval at which the log was
created and the log fields whose original values should be retained. When several
logs matching a specific Rule are recorded within a predefined interval, the
values of their relevant fields arc saved "as is", while the values of t heir
irrelevant fiel ds are merged (for example, "consolidated") together.
The SmartReponer server can thcn extract the consolidated records matching a
specific report defini tion from the SmanReponer Database and prcsent them in a
rcpon layout.
Report Types
Two types ofrepons can be created:
SmartReporter Client -
154
Review Questions
1. What docs the Smart Reporter Consolidation Policy do?
2. What is the difference between a Consolidation Policy, and a Secu rity Policy?
'n~
T ..ninin" Mnmm/
155
Appendix A
R7~
T.."i"ino Mnnlm/
157
OPSEC
TDERROR
HERROR
OPSEC
OPSEC debugging infraslructure is " flat", meaning you can tum the debug on or
off for a specific process at a particular debug level (1-9), but can not isolate a
specific functionality! application within that process. Thus. setting the debug
using OPSEC_ DEBUG_LEVEl on FWD will debug all of the operations
handled by FWD.
Debug
Infra~truduHI
I.
OPSEC
.. CPsharec! libraries (Le .
.. TDERROR
commands)
.. HERRQR
'-9
Figure 1 - QPSEC
OPSEC_ DEBUG_LEVEL wiH provide debug for CPsharcd functions, which is
also known as OPSEC libraries (as the name of the debugging flag suggests).
Therefore, use the OPSEC_DEB UG_LEVEL infrastructure whenever debugging
an issue with one of the OPSEC-related features:
T? 7 ~
Logging infrastructure
159
TDERROR
The TOERROR debugging infrastructure is the newest of the three discussed and
is the recommended choice for debugging user-mode processes. It a llows the
Administrator to choose the process and within that process, the application and
topic which is of interest; that helps isolate the relevant infonnation within the
debug output.
.. OPSEC
TDERROR_ <Application>_
IWERRO. I
.. HERROR
Figure 2 -
<Topic>
TDERROR
HERROR
HERROR is an internal debug infrastructure and it is not usually invoked directly
(unlike OPSEC_DEBUG_LEVEL or TO ERROR). This debugging
infrastructure is usually invoked when a process is started with the "-d" flag (i.e.,
fwm -d, fwd -d, cpd -d .... ), which registers a runtime global variable
called dodebugprt. When TDERROR is turned-on, HERROR is also turnedon automatically.
. QPSEC
~
~'9ure
3-
HER ROR
fwdebug
The fw debug command is reserved for user-mode debugging, and can signal
any process to enter debug mode. It is also used to set system variables for the
debug.
The debugging infrastructures are not fully documented and there is no list of all
available nags and an explanation for the diffe rence in detail between the various
debug levels. Usually, for specifi c problems, SKs will detail whieh debug you
should use in specific cases, or Check Point support may be contacted. In general
however, simply run the debug in it's most verbose mode:
16 1
This provides the advantage of viewing only the new messages of the problem as
it is being reproduced, and written into the file just created.
While viewing the last few lines of the file (i.e., using the command tail, if
running a UNIX-based OS), reproduce the scenario which caused the problem.
Then, stop the debug and review the file to examine the entries.
In case turning the debug off is not successful, keep tailing the file to verify that
new messages are not being written to it. Tfthcy are, issue cps top; cps tart
to stop the debug from running.
Here are more examples of debugs:
WF on VSX:
>::"",, .. ih ,
163
Now, open the file and scarch for the keyword, "failed".
[I'\'VM 2)00 19930165281@splal_RI0_t~GI.li(13!.1.ty 12.51231 "_5efVIe(..,9tCK_tYpe 20
UC Lrty type ~ tpn~
[FIMI2306 19830785281>'t~al R70 tAGltHI 13 !.lay 12:5n3j poky_ query: 1ft
el'l::tp]ngITlI.o::!;)I3I_ 0_ r.fGMItiS c~ckpcmltom pp6:i list CN=Gui J:I:en
[F'M.l 2306 1983078528].msplal_R70_tAGLli( 131.1 ay 12 51231 'ilui_tonntCnon_Sle.J)lugil'l gl/l
clerll SIC name on connecnon 20
n.
Figure 4 -
elg File
In this case, the output of the debug as shown above shows that searching for the
word "failed" displays the relevant line showing that the IP address being used
docs not allow remote login and as a consequence, the attcmpt to login was
rejccted.
The function which failed reported: " Unauthorized client", and can be verified by
running cpconfig on the Management Server, and checking the GU I client list.
The GUlclient list confirms that the problem was indeed that the IP address fro m
which the connection was being made ( 192.168. 12 1. 1), was not defined in the
GUI client list of the Management Server.
By the way, a good hint to the root cause of the problem is in the line before the
failure, where the function is called to check the li st of the GU I clients.
The ex.ample was fairly simple and can usually be resolved without even having
to debug the system. But what happens if the Administrator fails to login, and it
is confinned by running cpwd_ admin list that a service failed to start?
You could simply run cps top; cpstart to restart all firewall processes, and
hope that the problem goes away, but that doesn't address why the problem
occurred in the first place and is not really a solution. Instead, attempt to run the
process while in dcbug mode and try to understand the root cause of lhc failure.
164
The debug file shows that before the failure, FWM was trying to open the file: /
opt/CPshrd-R70/conf/a!c.....p0licy .conf. After reviewing that
file , you confirm that for some reason the file got renamed and the "r' is missing
from the file extension ".conP'. Renaming the file and running fwm or cps top;
cpstart should solve the problem.
Sometimes things like fil e permissions or even changed file names cause simplc
lookup functions to fail, causing processes to fail to stan. By identifying thc
problematic file and checking it, the root cause of the problcm can be detected,
and solved immediately.
unlimited
In practice , other kcy pieces ofa program's status are usually dumpcd at the same
time, such as the processor registcrs, which may include the program countcr and
stack pointer, memory management information, and other processor and
operating system flags and information.
You sho uld be aware of the performance implications whcn enabling core dumps
and on ly usc it on a system which suffers from frequent process crashes. In
SecurePlatform, you can use the command, ulimi t -a fortesting ifthc core
file size is set to unlimited.
In SecurcPlatfonn, the core files arc saved in /var / log/dUJDp/
usermode. Usc a free utility for viewing the core fil e. Gdb is a free utility
(executable) that you may download from the internet. By running the process
from Gdb, you control the process flow and can trace thc failure . Import thc Gdb
utility into the core fil e path, and make sure the Gdb utility has execute
permissions (i.e., Is - Ia).
To open the core file, type. /gdb <process execution> <core
file>.
For example: ./gdb fwm fWIn. 983. core
RH Trnillin9 MWII/ol
165
(gdb) bt
#0 Ox08 I eb9aO in CNesStatusMgr:: RemoveClient(void
(*)(E GeneralState,
char const*, bool, void*), void*) 0
# 1 Ox082952b9 in CStatusAgentRequest::-CStatusAgentRequestO 0
#2 Ox082a12b4 in CStatusAgentRequest::ReleaseO 0
#20 Ox00857745 in T_event_ mainloop 0 from lopt/CPshrdR6S/lib/libComUtils.so
#2 1 Ox08lOedcd in fwm cmain 0
#22 Ox080ed2f9 in fwmbin_cmain 0
#23 Ox080eedd6 in main 0
(gdb)
Kernel Debug
Unlike the user space debug, where we need to explicitly tum the debug on or
off, the kernel always writes debug messages according to preset definitions.
In different operating systems, these debug messages arc handled differently.
These debug messages are referred to as "console messages", because in most
supported operating systems the messages are printed to the console and copied
to /var/log/messages or /var/adm/messages.
When no buffer is defined in the kernel, messages are sent directly to the OS.
When generated in debugging context, error messages are not directed to the
console, but to the debug buffer together with all other messages. In Windows,
"console messages" are viewed in the Event Viewer. Consequently, before
enabling kernel debugging, you must enable the debug buffer, othelWise all
messages will be directed to the console.
It is possible to run fw ctl debug - x, which completely turns off the kernel debug,
even Ihe default flags. You should never use the "x"-switch, beeause the default
flags should always be left on.
To run the debug, use the following commands:
To definc the buffer size, usc the command, fw etl debug -buf
[buffer size] .
To turn on rclevant debug flags, use the command fonnat, fw ctl debug
[-m <module
[+
1-]
<options
1 all> .
To run the user space process that collects the messages from the buffer, run
the command, fw ctl kdebug -f >& filename_out .
zdabug + dtop.
R 75 Trainillf! Mallllal
167
Oebugging Flags
You can check which debug flags are cnabled to each module by simply running,
fw ctl debug. Don't forget to tum debugging off, using fw ctl
debug O. Especially on production systems, it's important not to leave debug
flags set, as this might cause a dramatic decrease in performance and produce
unexpected messages.
This command de-allocates the buffer and automatically kills the "fw ctl kdebug"
process. Alternately, you can completely tum off the debug and dc-allocate the
buffer using, fw ctl debug -x. But note the earlier comments on this
command.
The slide depicts a description of the fw etl debug command with a list of the
associated flag options. For your reference, the most common flags used for
general troubleshooting and enforcement issues are used in the command, fw
ctl debug +conn drop vm (ld) .
The following detail the purpose for commonly used flags:
vm - Very useful for tracking decisions taken by the virtual machine chain
module
It is important to emphasize that the debugging mechanism docs not report errors
or warnings when you misspell a module name or flag , and it will only specify
" updated kernel attributes". Therefore, it is very important to run fw ctl
debug -m <module_name> after every time you make a change during
your debug to ensure that the change was indeed implemented.
169
Examples
The debug output in the next slide resulted from using the following commands
during a simple telnet session:
1. fwaccel off
2. fw ctl debut -buf 32000
3. fw ctl debug + vm conn drop nat
<t. fw ctl kdebug -f -T >&kdbg.out
As we said in the beginning of the chapter, each packet has to go through both the
inbound and outbound chains of the firewall kernel. Most chains arc identical but
perform different actions when running in the inbound and outbound.
Wc can see the connection's tuple starting with the "dir" where "0" means
inbound and " I" means outbound. The Arrow (. indicates thc direction (client
to server (C2S) or server to client (S2C)) depending on the IP addrcss. Every
connection starts with a " lookup" in thc connections table, and the function
responsible for this is fwconn _ lookup. Notice the outbound inspection
enny. "found in connections table dir-l ". because it was already processed and
applied to the connections table on the inbound chain. If the entry should read
"not found in the connections tablc", then the packet will have to go through
rulebasc inspection for the first time. In this case, it would likely be a SYN
packet.
Upon entering the inbound firewall chain, tenncd "Stateful VM inbound:
Entering ....., the rulebase lookup lakes place and the packet is marke d. "first
seen".
The debug may contain various errors and warnings. Some indicate a failure and
require investigation while others may be safely ignored.
Other than rulebase, the policy includes stateful checks (Le., ACK numbers. TCP
flags), antispoofing, IPS protections, etc. A "Final switch, action:::ACCEPT;"
referencc means a policy decision was made to accept the packet. The phrase,
"VM inbound Completed" means the kerncl inbound chain has completed its
inspection of the packet, and indicates that thc packet is forwarded to the OS IP
stack.
As the packet cntcrs the outbound kernel chain, thc first action is again 10
perform the fwconnJookup. The connection is matchcd on thc symbolic link
crcated in the inbound inspection. In this casc, no rulebasc lookup is nccessary.
170
The kernel debug shows the interface name as the firewall kernel sees it. To
associate the i fn (interface number) with the interface name in the OS, run the
command fw ctl iflist. Here is an example of the output:
0: ethO
1: ethl
2: elh2
In this case, the reference, ifn=1 refers to a packet arriving from e thl.
In these entries:
; 8Jun2009
10:46:3S . 425120;fwconn_chain_ update_anti_ spoof
ing_ cache: updating anti-spoofing interface
info. [cin. O, cout=-1, sin=1, sout=1] , dir=1 ,
cdir=2, new ifn=O, spoof offset=1 , previous
1fn=-1;
1 8Jun2009 10 : 46 : 35 . 425122,fw_ coDD_inspect :
Packet accepted (fast path) ;
; 8Jun2009
10:46 : 35.425124;fw_CODD-post_ inspect : Packet
accepted (fast path);
171
; 8Jun2009 10:46:35.420207;
----- Stateful VM outbound Completed ----... the connection is accepted, thc outbound chain inspection is completed, and the
SYN packet is sent out 10 the network .
."
APPENDIX B
Chapter Questions
andAnswers
173
On a clean instali, a snapshot can take about five minutes. When taking
a snapshot ofa Security Gateway ora Security Management Server in
a "real world" production environment can take two or m ore hours.
2. Is it possible to backup from the WebUI interface?
UTM~ I
and Power-I
174
representing the process of a packet coming into and OUI from the firewall,
these are referred to as ..
is the alternative?
Run debug on the gateway and set a kernel attribute that will cause the
firewall
10 print
fw monitor.
An example would be:
fw etl zdebug -e
4. What table stores infonnation about pan allocations for hide translation
connections?
fwx alloe
175
Virtual IP addresses
2. What two modes does State Synchronization work it?
first time.
176
177
Peers exchange more key material. and agree Of! encryption and
integrity methods for JPSec.
The DH key is combined with the key material to produce the
symmetricallPSec key.
Symmetric IPSec keys are generated.
2. What is the advantage of Link Seleclion for VPN traffic?
Only Star VPN Communities using more lhan one central Security
Gateway can be defined explicitly as MEP VPNs.
4. Quick mode packet I fails with error "No Proposal Chosen" from the peer.
What is likely the cause?
This failure is IIslially callsed when a peer does not agree to the proposal
fields. sllch as encryption strength or hash.
178
Th e Consolidation Policy goes over your orig inal, "raw" log file,
compressing similar events and writing the compressed list of events
into a relational databrue.
2. What is the difference between a Consolidation Policy, and a Security Policy?
When created
Up to five updates
When it is closed
179
180
CONTINUING
EDUCATION
CREDITS
Check Point
Certified
Professional
www.checkpoint.com
ISBN-13: 978-1-935862 13-0
PI N: 704575