
Check Point

SOFTWARE TECHNOLOGIES LTD.

Student Manual
R76 Edition
FEATURING

GAiA
Check Point Education Series

Security Administration
Student Manual
R76 Edition
P/N: 705320

Check Point
SOFTWARE TECHNOLOGIES INC.
© 2013 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
International Headquarters: 5 Ha'Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555

U.S. Headquarters: 959 Skyway Road, Suite 300
San Carlos, CA 94070
Tel: 650-628-2000
Fax: 650-654-4233

Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120
Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913

E-mail any comments or questions about our courseware to courseware@us.checkpoint.com.
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.

Document #: DOC-Manual-CCSA-R76
Revision: R76.2013
Content: Mark Hoefle, Joey Witt
Graphics: Chunming Jia
Contributors, Beta Testing and Technical Review:
Chris Alblas - Arrow ECS - UK
Robin Bay - Arrow ECS - Czech Republic
Kishin Fatnani - K-Secure - India
Patrick Feistier - Arrow ECS - Austria
Tim Hall - Shadow Peak - USA
Thomas Norbeck - Glasspaper - Norway
Alejandro Diez Rodriguez - Afina - Spain
Imrich Tarhanic - INTAS - Slovakia
Erik Wagemans - JCA - Belgium
Test Development:
Ken Finley - Check Point
Check Point Technical Publications Team:
Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkah Albinder, Shira Rosenfield, Yaakov Simon
Contents

Preface: Security Administration ................................... 1

Security Administration Overview ...................................... 2
Course Layout ......................................................... 2
Prerequisites ......................................................... 2
Certification Title ................................................... 2
Course Chapters ....................................................... 3
Sample Setup for Labs ................................................. 4

Chapter 1: Introduction to Check Point Technology .................... 7

Check Point Technology Overview ....................................... 8
Learning Objectives ................................................... 8
The Check Point Security Management Architecture (SMART) .............. 9
SmartConsole ......................................................... 10
Security Management Server ........................................... 10
Security Gateway ..................................................... 10
The Check Point Firewall ............................................. 11
Mechanisms for Controlling Network Traffic ........................... 12
Packet Filtering ..................................................... 13
Stateful Inspection .................................................. 14
Application Intelligence ............................................. 15
Security Gateway Stateful Inspection Architecture .................... 16
INSPECT Engine Packet Flow ........................................... 16
Deployment Considerations ............................................ 18
Check Point SmartConsole Clients ..................................... 21
SmartDashboard ....................................................... 21
SmartView Tracker .................................................... 23
SmartLog ............................................................. 24

Check Point Security Administration i

Table of Contents

SmartEvent ........................................................... 24
SmartView Monitor .................................................... 26
SmartReporter ........................................................ 27
SmartUpdate .......................................................... 28
SmartProvisioning .................................................... 29
SmartEndpoint ........................................................ 31
Security Management Server ........................................... 32
Managing Users in SmartDashboard ..................................... 32
Users Database ....................................................... 33
Securing Channels of Communication ................................... 34
Secure Internal Communications ....................................... 34
Testing the SIC Status ............................................... 35
Resetting the Trust State ............................................ 36
Practice and Review .................................................. 38
Practice Labs ........................................................ 38
Review ............................................................... 38

Chapter 2: Deployment Platforms ..................................... 39

Deployment Platforms ................................................. 40
Learning Objectives .................................................. 40
Check Point Deployment Platforms ..................................... 41
Security Appliances .................................................. 41
Security Software Blades ............................................. 46
Remote Access Solutions .............................................. 48
Check Point Gaia ..................................................... 50
History - Power of Two ............................................... 50
Gaia ................................................................. 52
Benefits of Gaia ..................................................... 52
Gaia Architecture .................................................... 53
Gaia System Information .............................................. 58
Practice and Review .................................................. 60
Practice Labs ........................................................ 60
Review ............................................................... 60



Chapter 3: Introduction to the Security Policy ...................... 61

Introduction to the Security Policy .................................. 62
Learning Objectives .................................................. 62
Security Policy Basics ............................................... 63
The Rule Base ........................................................ 63
Managing Objects in SmartDashboard ................................... 63
SmartDashboard and Objects ........................................... 64
Object-Tree Pane ..................................................... 64
Objects-List Pane .................................................... 65
Object Types ......................................................... 65
Rule Base Pane ....................................................... 65
Managing Objects ..................................................... 66
Classic View of the Objects Tree ..................................... 67
Group View of the Objects Tree ....................................... 67
Creating the Rule Base ............................................... 68
Basic Rule Base Concepts ............................................. 68
Default Rule ......................................................... 69
Basic Rules .......................................................... 70
Implicit/Explicit Rules .............................................. 71
Control Connections .................................................. 71
Detecting IP Spoofing ................................................ 72
Configuring Anti-Spoofing ............................................ 73
Rule Base Management ................................................. 74
Understanding Rule Base Order ........................................ 75
Completing the Rule Base ............................................. 76
Policy Management and Revision Control ............................... 77
Policy Package Management ............................................ 77
Database Revision Control ............................................ 78
Multicasting ......................................................... 80
Practice and Review .................................................. 82
Practice Labs ........................................................ 82
Review ............................................................... 82


Chapter 4: Monitoring Traffic and Connections ....................... 83

Monitoring Traffic and Connections ................................... 84
Learning Objectives .................................................. 84
SmartView Tracker .................................................... 85
Log Types ............................................................ 85
SmartView Tracker Tabs ............................................... 87
Action Icons ......................................................... 88
Working with SmartView Tracker ....................................... 89
Log-File Management .................................................. 89
Administrator Auditing ............................................... 89
Global Logging and Alerting .......................................... 90
Time Settings ........................................................ 91
Blocking Connections ................................................. 92
SmartView Monitor .................................................... 94
Customized Views ..................................................... 95
Gateway Status View .................................................. 95
Traffic View ......................................................... 95
Tunnels View ......................................................... 96
Remote Users View .................................................... 97
Cooperative Enforcement View ......................................... 98
Monitoring Suspicious Activity Rules ................................. 99
Monitoring Alerts ................................................... 100
Gateway Status ...................................................... 102
Overall Status ...................................................... 103
Software Blade Status ............................................... 104
Displaying Gateway Information ...................................... 104
SmartView Tracker vs. SmartView Monitor ............................. 105
Practice and Review ................................................. 106
Practice Lab ........................................................ 106
Review .............................................................. 106

Chapter 5: Network Address Translation ............................. 107

Network Address Translation ......................................... 108
Learning Objectives ................................................. 108
Introduction to NAT ................................................. 109
IP Addressing ....................................................... 110



Hide NAT ............................................................ 110
Choosing the Hide Address in Hide NAT ............................... 111
Static NAT .......................................................... 111
Original Packet ..................................................... 112
Reply Packet ........................................................ 112
NAT - Global Properties ............................................. 113
Object Configuration - Hide NAT ..................................... 114
Hide NAT Using Another Interface IP Address ......................... 116
Static NAT .......................................................... 117
Manual NAT .......................................................... 118
Configuring Manual NAT .............................................. 118
Special Considerations .............................................. 119
ARP ................................................................. 119
Practice and Review ................................................. 120
Practice Labs ....................................................... 120
Review .............................................................. 120

Chapter 6: Using SmartUpdate ....................................... 121

Using SmartUpdate ................................................... 122
Learning Objectives ................................................. 122
SmartUpdate and Managing Licenses ................................... 123
SmartUpdate Architecture ............................................ 124
SmartUpdate Introduction ............................................ 126
Overview of Managing Licenses ....................................... 128
Licensing Terminology ............................................... 129
Upgrading Licenses .................................................. 131
Retrieving License Data from Security Gateways ...................... 131
Adding New Licenses to the License & Contract Repository ............ 131
Importing License Files ............................................. 132
Adding License Details Manually ..................................... 132
Attaching Licenses .................................................. 133
Detaching Licenses .................................................. 133
Deleting Licenses From License & Contract Repository ................ 133
Installation Process ................................................ 133
Viewing License Properties .......................................... 134
Checking for Expired Licenses ....................................... 134


To Export a License to a File ....................................... 134
Service Contracts ................................................... 135
Managing Contracts .................................................. 135
Updating Contracts .................................................. 136
Practice and Review ................................................. 137
Review .............................................................. 137

Chapter 7: User Management and Authentication ...................... 139

User Management and Authentication .................................. 140
Learning Objectives ................................................. 140
Creating Users and Groups ........................................... 141
User Types .......................................................... 141
Security Gateway Authentication ..................................... 142
Types of Legacy Authentication ...................................... 142
Authentication Schemes .............................................. 143
Remote User Authentication .......................................... 145
Authentication Methods .............................................. 147
User Authentication (Legacy) ........................................ 148
User Authentication Rule Base Considerations ........................ 148
Session Authentication (Legacy) ..................................... 149
Configuring Session Authentication .................................. 151
Client Authentication (Legacy) ...................................... 152
Client Authentication and Sign-On Overview .......................... 152
Sign-On Methods ..................................................... 153
Wait Mode ........................................................... 153
Configuring Authentication Tracking ................................. 154
LDAP User Management with UserDirectory ............................. 156
LDAP Features ....................................................... 156
Distinguished Name .................................................. 157
Multiple LDAP Servers ............................................... 158
Using an Existing LDAP Server ....................................... 158
Configuring Entities to Work with the Gateway ....................... 159
Defining an Account Unit ............................................ 160
Managing Users ...................................................... 161
UserDirectory Groups ................................................ 162
Practice and Review ................................................. 163



Practice Lab ........................................................ 163
Review .............................................................. 163

Chapter 8: Identity Awareness ...................................... 165

Identity Awareness .................................................. 166
Learning Objectives ................................................. 166
Introduction to Identity Awareness .................................. 167
AD Query ............................................................ 168
Browser-Based Authentication ........................................ 173
Identity Agents ..................................................... 180
Deployment .......................................................... 186
Practice and Review ................................................. 188
Practice Labs ....................................................... 188
Review .............................................................. 188

Chapter 9: Introduction to Check Point VPNs ........................ 189

Introduction to VPNs ................................................ 190
Learning Objectives ................................................. 190
The Check Point VPN ................................................. 191
VPN Deployments ..................................................... 192
Site-to-Site VPNs ................................................... 192
Remote-Access VPNs .................................................. 193
VPN Implementation .................................................. 194
VPN Setup ........................................................... 195
Understanding VPN Deployment ........................................ 195
VPN Communities ..................................................... 195
Remote Access Community ............................................. 196
VPN Topologies ...................................................... 197
Meshed VPN Community ................................................ 197
Star VPN Community .................................................. 198
Choosing a Topology ................................................. 198
Combination VPNs .................................................... 199
Topology and Encryption Issues ...................................... 200
Special VPN Gateway Conditions ...................................... 201
Authentication Between Community Members ............................ 202
Domain and Route-Based VPNs ......................................... 203


Domain-Based VPN .................................................... 203
Route-Based VPN ..................................................... 203
Access Control and VPN Communities .................................. 204
Accepting All Encrypted Traffic ..................................... 205
Excluded Services ................................................... 206
Special Considerations for Planning a VPN Topology .................. 206
Integrating VPNs into a Rule Base ................................... 207
Simplified vs. Traditional Mode VPNs ................................ 208
VPN Tunnel Management ............................................... 208
Permanent Tunnels ................................................... 208
Tunnel Testing for Permanent Tunnels ................................ 209
VPN Tunnel Sharing .................................................. 210
Remote Access VPNs .................................................. 212
Multiple Remote Access VPN Connectivity Modes ....................... 213
Establishing a Connection Between a Remote User and a Gateway ....... 213
Practice and Review ................................................. 215
Practice Labs ....................................................... 215
Review .............................................................. 215

Appendix: Chapter Questions and Answers ............................ 217

Chapter 1 - Technology Overview ..................................... 218
Chapter 2 - Deployment Platforms .................................... 219
Chapter 3 - Introduction to the Security Policy ..................... 220
Chapter 4 - Monitoring Traffic and Connections ...................... 221
Chapter 5 - Network Address Translation ............................. 222
Chapter 6 - Using SmartUpdate ....................................... 223
Chapter 7 - User Management and Authentication ...................... 224
Chapter 8 - Identity Awareness ...................................... 225
Chapter 9 - Introduction to VPNs .................................... 226

viii Check Point Securit y Administration


PREFACE Security Administration


Security Administration Overview


Welcome to the Security Administration course. This course provides an
understanding of basic concepts and skills necessary to configure Check Point
Security Gateway and Management Software Blades. During this course, you
will configure a Security Policy, and learn about managing and monitoring a
secure network. In addition, you will upgrade and configure a Security Gateway
to implement a virtual private network for both internal and external, remote
users. (See "Course Objectives" in this course book for a list of objectives.)
Follow along as the class progresses, and take notes for future reference.

Course Layout

This course is designed for Security Administrators and Check Point resellers,
and for those who are working towards their CCSA (Check Point Certified
Security Administrator) certification. The following professionals benefit best
from this course:
System administrators
Support analysts
Network engineers

Prerequisites

Before taking this course, we strongly suggest you have the following knowledge
base:
General knowledge of TCP/IP
Working knowledge of Windows and/or UNIX
Working knowledge of network technology
Working knowledge of the Internet

Certification Title

The current Check Point Certified Security Administrator (CCSA) certification is
designed for partners and customers seeking to validate their knowledge of
Check Point's Software Blade products.


Course Chapters

Chapter 1: Introduction to Check Point Technology

Chapter 2: Deployment Platforms

Chapter 3: Introduction to the Security Policy

Chapter 4: Monitoring Traffic and Connections

Chapter 5: Network Address Translation

Chapter 6: Using SmartUpdate

Chapter 7: User Management and Authentication

Chapter 8: Identity Awareness

Chapter 9: Introduction to Check Point VPNs

Student Manual 3


Sample Setup for Labs

Most lab exercises will require you to manipulate machines in your network and
other labs will require interaction with the instructor's machines.

Security Administration Lab Topology


[Figure: lab topology diagram. Site Alpha: A-GW (external address 172.21.101.1/8,
internal address 10.1.1.1/24, DMZ address 192.0.2.1/24, sync address 192.168.1.1/24);
A-MGMT (IP address 10.1.1.101/24, default gateway 10.1.1.1); A-WIN (default
gateway 10.1.1.1); A-DMZ (address 192.0.2.100/24, default gateway 192.0.2.1). The
A-WIN and A-DMZ machines must be in the alpha.cp domain, controlled by the local
Active Directory server. Site Bravo: B-GW (external address 172.29.109.1/8, LAN
address 10.1.9.1/24); B-GUI (IP address 10.1.9.201/24, default gateway 10.1.9.1).]

Topology Conventions
172.0.0.0 addresses represent all external interfaces.
10.0.0.0 addresses represent all internal interfaces.
192.0.0.0 addresses represent all server communication interfaces (sync and DMZ).
All addresses ending in the .200 range are Windows clients.
All addresses ending in the .100 range are servers (Management or DMZ).

Figure 1 - CCSA Lab Topology

Computer / VM/Object Name    Description
A-WIN                        Administrator client machine used to connect to the
                             Security Management Server; Active Directory server
                             for the corporate office.
A-MGMT                       Security Management Server at the corporate office
A-GW                         Security Gateway at the corporate office
A-DMZ                        Multi-purpose server in the DMZ of the corporate office
B-GW                         Security Gateway at the branch office
B-GUI                        PC at the branch office



CHAPTER 1 Introduction to
Check Point Technology


Check Point Technology Overview


Check Point technology is designed to address network exploitation,
administrative flexibility and critical accessibility. This chapter introduces the
basic concepts of network security and management based on Check Point's
three-tier structure, and provides the foundation for technologies involved in the
Check Point Software Blade Architecture, as discussed in the introduction. This
course is lab-intensive, and in this chapter, you will begin your hands-on
approach with a first-time installation using standalone and distributed
topologies.

Learning Objectives:
Describe Check Point's unified approach to network management, and the key
elements of this architecture.
Design a distributed environment using the network detailed in the course
topology.
Install the Security Gateway in a distributed environment using the network
detailed in the course topology.


The Check Point Security Management Architecture (SMART)


The Check Point Security Management Architecture (SMART) is a core
component of our unified security architecture. This object-oriented architecture
maps real-world entities, such as networks and users, to graphical representations
that can be manipulated in a database.

The SMART architecture enables a rich set of sophisticated management
capabilities in Check Point solutions. Starting with core components such as an
Integrated Digital Certificate Authority and advanced state table synchronization
capabilities, SMART technologies allow Check Point to offer management tools
to meet the needs of all organizations, from small businesses to larger distributed
enterprises to global service providers.

With SMART, security administrators can centrally configure, manage, monitor
and report on all security devices, including endpoints, from a single console,
the SmartDashboard. It also helps administrators update and implement the latest
threat defenses from a central control point. Integrated log analysis and reporting
delivers real-time and historical information on the state of network and security
systems.

The Check Point core system consists of three inter-connected components:
SmartConsole
Security Management Server
Security Gateway

[Figure: diagram of the three components, SmartConsole, Security Management
Server and Security Gateway, connected to one another]

Figure 2 - Check Point's Three-Tier System


SmartConsole
SmartConsole, the SmartCenter GUI, is comprised of several clients used to
manage the Check Point security environment.

One of these SmartConsole clients is SmartDashboard, which provides a single
GUI interface for defining and managing multiple elements of a Secure Virtual
Network: firewall security, VPNs, Network Address Translation, Quality of
Service, and VPN client security. All object definitions (users, hosts, networks,
services, and so on) are shared among all applications, for efficient Policy
creation and security management.

Security Management Server

The Security Management Server stores and distributes Security Policies to
multiple Security Gateways. Policies are defined using SmartDashboard, and
saved on the Security Management Server. The Security Management Server
maintains the Check Point databases, which include network-object definitions,
user definitions, Security Policies, and log files for firewalled gateways.

Once policies are created or modified, they are distributed to Security Gateways.
Centralized Policy management increases efficiency, when compared to solutions
that require either multiple management interfaces or per-device policy
installation. Security is strengthened, because the Security Policy is always up-
to-date on all networked Security Gateways.

Security Gateway
The Security Gateway is the firewalled machine on which the firewall software is
installed, and is based on Stateful Inspection. SmartConsole and Security
Management Server may be deployed on the same or separate machines, in a
client/server configuration.
The Security Gateway is deployed on an Internet gateway and other network-
access points. Security Policies are defined using SmartDashboard, and saved to
a Security Management Server. An Inspection Script is generated from Policies.
Inspection Code is compiled from the Inspection Script, and is installed on the
Security Gateway, which protects the network.


The Check Point Firewall


To understand the capabilities of the basic firewall, it is useful to examine the
aspects of the Open Systems Interconnection (OSI) model. It is meant to represent
network communication between computer systems and network devices.

Layer 7 - Application

Layer 6 - Presentation

Layer 5 - Session

Layer 4 - Transport

Layer 3 - Network

Layer 2 - Data Link

Layer 1 - Physical

Figure 3 - OSI Model Example

Layer 1: Represents physical-communication hardware or media required,
such as Ethernet cards, cables and hubs.
Layer 2: Represents where network traffic is delivered to the local area
network (LAN); this is where identification of a single specific machine
takes place. Media Access Control (MAC) addresses are assigned to network
interfaces by the manufacturers. An Ethernet address belonging to an Ethernet
card is a layer 2 MAC address. An example of a physical device performing
in this layer would be a switch.
Layer 3: Represents where delivery of network traffic on Wide Area
Networks (WANs) or, more commonly, the Internet takes place; addressing in
this layer is referred to as Internet Protocol (IP) addressing, and creates
unique addresses, except when Network Address Translation (NAT) is
employed. Network Address Translation makes it possible to address multiple
physical systems by a single layer 3 IP address. An example of a physical
device performing in this layer would be a router.


Layer 4: Represents where specific network applications and communication
sessions are identified; multiple layer 4 sessions may occur simultaneously on
any given system with other systems on the same network. This layer
introduces the concept of ports, or endpoints, for sessions. The session on an
originating system is identified by the source-port number, and similarly for
the destination system.
Layers 5, 6 and 7: Represent end-user applications and systems; the
application layer is not the actual end-user software application, but a set of
services that allow the software application to communicate through the
network. Distinctions among layers 5, 6, and 7 are not always clear, and some
competing models combine these layers, as does this handbook.

The more layers a firewall is capable of covering, the more thorough and
effective the firewall. Advanced applications and protocols can be
accommodated more efficiently with additional layer coverage. In addition, more
advanced firewalls, such as Check Point's Security Gateways, can provide
services that are specifically oriented to the user, such as authentication
techniques and logging events to specific users.

Mechanisms for Controlling Network Traffic

Any firewall must deny or permit traffic based on explicitly defined rules. Check
Point utilizes the following technologies to grant or deny network traffic:
Packet filtering
Stateful Inspection
Application Intelligence


Packet Filtering
Fundamentally, messages are divided into packets that include the destination
address and data. Packets are transmitted individually and often by different
routes. Once the packets reach their destination, they are recompiled into the
original message.

[Figure: a packet filter on a router examines only the network and data link
layers of traffic passing between two hosts. Pros: application independence,
high performance, scalability. Cons: low security, no screening above the
network layer (no state or application-context information).]

Figure 4 - Packet Filtering


Packet filtering is a firewall in its most basic form. Primarily, the purpose is to
control access to specific network segments as directed by a preconfigured set of
rules, or rule base, which defines the traffic permitted access. Packet filters
usually function at layers 3 (network) and 4 (transport) of the OSI model.

In general, a typical rule base will include the following elements:
Source address
Destination address
Source port
Destination port
Protocol

Packet-filter firewalls are the least secure type of firewall, because they cannot
understand the context of a given communication, making them easier for
intruders to attack.


Stateful Inspection

Stateful Inspection, a technology developed and patented by Check Point,
incorporates layer 4 awareness into the standard packet-filter firewall
architecture. Stateful Inspection differs from static packet filtering, in that it
examines a packet not only in its header, but also the contents of the packet up
through the application layer, to determine more about the packet than just
information about its source and destination. The state of the connection is
monitored and a state table is created to compile the information. As a result,
filtering includes context that has been established by previous packets passed
through the firewall.

For example, stateful-inspection firewalls provide a security measure against port
scanning, by closing all ports until the specific port is requested.

[Figure: the INSPECT Engine sits between the data link and network layers of
the gateway and consults a state table while inspecting traffic between two
hosts. Pros: good security, full application-layer awareness, high performance,
extensibility, transparency.]

Figure 5 - Stateful Inspection

There are many state tables that hold useful information in regards to monitoring
performance through a Security Gateway. State tables are used to keep state
information needed to correctly inspect packets. The tables are key components
of Check Point Stateful Inspection technology.

Check Point's INSPECT Engine is the mechanism used for extracting the state-
related information from all application layers, and maintains this information in
these dynamic state tables needed for evaluating subsequent connections. The
INSPECT Engine enforces Security Policies on the Security Gateway on which
they reside.

Application Intelligence

A growing number of attacks attempt to exploit vulnerabilities in network
applications, rather than targeting firewalls directly. Application Intelligence is a
set of advanced capabilities, integrated into the firewall and IPS, which detect
and prevent application-level attacks.

Application Intelligence works primarily with application-layer defenses. In
practice however, many attacks aimed at network applications actually target the
network and transport layers.

[Figure: OSI layers with sample protocols. Layers 5 to 7 (Session, Presentation,
Application): HTTP, FTP, RPC, SMTP. Layer 4 (Transport): TCP, UDP. Layer 3
(Network): IP. Layer 2 (Data Link): Ethernet. Layer 1 (Physical).]

Figure 6 - Protocol Examples

The Application Control software blade implements Application Intelligence,
enabling IT teams to easily create granular policies, based on users or groups,
to identify, block or limit usage of over 4,800 Web 2.0 applications and 300,000
widgets.


Security Gateway Stateful Inspection Architecture


The Security Gateway integrates both network-level and application level
protection by combining Stateful Inspection and Application Intelligence. All
inbound traffic is routed through the Security Gateway, as this is the logical place
for active defenses to reside.

System resources and processing time are saved by processing packets in an
operating system's kernel. Applications and processes in the kernel layer suffer
little, if any, performance degradation, and can support data throughput rates
ranging in the multi gigabits. The Security Gateway kernel is placed between
NICs and the TCP/IP stack, solving the problem of protecting the TCP/IP stack
itself.

INSPECT Engine Packet Flow


If packets pass inspection, the Security Gateway passes the packets through the
TCP/IP stack and to their destination. Packets pass through the NIC, to the
Inspection Module, and up through the network stack. Some packets are destined
for an operating system's local processes. In this case, the Inspection Module
inspects the packets and passes them through the TCP/IP stack. If packets do not
pass inspection, they are rejected or dropped and logged, according to rules set in
the Check Point Rule Base.
Packets are not processed by higher protocol-stack layers, unless the Security
Gateway verifies that they comply with Security Policies.


The diagram presents a sample flow of a new inbound packet initiating a TCP/IP
session through the Inspection Module, at the kernel level:

[Figure: flow chart. A new connection arrives at the NIC and enters the
Inspection Module. "Packet matches rule?" If yes: log/alert, then either pass
the packet to the TCP/IP stack or, if the packet is rejected by the rule, send a
NACK and drop the packet. If no: "Is there another rule?" If yes, check the
next rule; if no, drop the packet.]

Figure 7 - Inspection and Packet Flow
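The packet flow of Figure 7, and the difference between the static packet filter of Figure 4 and the Stateful Inspection of Figure 5, as an added example in Python; this is not Check Point code, and the rule layout, the actions, the state-table key and the addresses (the lab's 10.1.1.0/24 internal range plus documentation ranges) are assumptions. The same rule base is run once as a stateless filter and once with a state table, showing why the stateless filter needs a "replies from port 80" rule that also lets an unsolicited packet in, while the stateful module passes the genuine reply on connection state and drops the out-of-state one.

```python
# Toy model of the Figure 7 packet flow and of packet filter vs. Stateful
# Inspection.  Added example, not Check Point code; layout is an assumption.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the packet that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    """One row of a rule base: the five packet-filter elements plus an action."""
    name: str
    src: Optional[str] = None     # CIDR network; None means Any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    action: str = "drop"          # "accept", "drop" or "reject"

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))


class InspectionModule:
    """Walks the rule base top down; the first matching rule decides, and a
    packet that matches no rule is dropped (the implicit cleanup drop)."""

    def __init__(self, rules: List[Rule], stateful: bool = True):
        self.rules = list(rules)
        self.stateful = stateful
        self.state_table = set()   # 5-tuples of accepted connections
        self.log = []              # (rule name, action, packet) per decision

    def inspect(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful:
            # A packet of a known connection, in either direction, passes on
            # the context established by the earlier packets.
            if key in self.state_table or reply_key in self.state_table:
                return "pass"
            # A TCP packet that is not a SYN and has no state entry belongs to
            # no connection: dropped before any rule is consulted.
            if p.proto == "tcp" and not p.syn:
                self.log.append(("out-of-state", "drop", p))
                return "drop"
        for rule in self.rules:                # "Is there another rule?"
            if not rule.matches(p):
                continue
            self.log.append((rule.name, rule.action, p))   # "Log/Alert"
            if rule.action == "accept":
                if self.stateful:
                    self.state_table.add(key)  # later packets pass on state
                return "pass"                  # on to the TCP/IP stack
            # "reject" sends a NACK (TCP RST / ICMP unreachable) then drops;
            # "drop" discards silently.
            return rule.action
        self.log.append(("cleanup", "drop", p))    # no rule matched
        return "drop"


# Constructed rule base.  "web-replies" is what a stateless filter needs to
# let return traffic in; a stateful gateway does not need it.
RULE_BASE = [
    Rule("web-out", src="10.1.1.0/24", dport=80, proto="tcp", action="accept"),
    Rule("web-replies", dst="10.1.1.0/24", sport=80, proto="tcp", action="accept"),
    Rule("no-telnet", dport=23, proto="tcp", action="reject"),
]

# Constructed packet sequence (external addresses from documentation ranges).
SCENARIO = [
    Packet("tcp", "10.1.1.201", 40000, "203.0.113.10", 80, syn=True),  # client opens HTTP
    Packet("tcp", "203.0.113.10", 80, "10.1.1.201", 40000),            # genuine reply
    Packet("tcp", "198.51.100.7", 80, "10.1.1.201", 40001),            # unsolicited, source port 80
    Packet("tcp", "198.51.100.7", 51000, "10.1.1.201", 22, syn=True),  # matches no rule
    Packet("tcp", "10.1.1.202", 41000, "10.1.1.201", 23, syn=True),    # hits the reject rule
]


def run_scenario(stateful: bool) -> List[str]:
    """Verdict per packet of SCENARIO for a stateless filter or a stateful module."""
    fw = InspectionModule(RULE_BASE, stateful=stateful)
    return [fw.inspect(p) for p in SCENARIO]


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", run_scenario(mode))
```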


Deployment Considerations
As a brief introduction to Gateway deployments, consider the network topology.
The network topology represents the internal network (both the local access
network (LAN) and the demilitarized zone (DMZ)) protected by the Gateway.
The Gateway must be aware of the layout of the network topology to:
Correctly enforce the Security Policy.
Ensure the validity of IP addresses for inbound and outbound traffic.
Configure a special domain for Virtual Private Networks.

Figure 8 - Secure Network

Each component in the network topology is distinguished on the network by its
IP address and netmask. The combination of objects and their respective IP
information make up the topology. It is important to take into consideration your
existing corporate network when deciding the best deployment strategy for your
Security Gateway. Installing a new Gateway in an existing network often requires
reconfiguration of the routing scheme. In more complex deployments, however,
you may find that the reconfiguration necessary to enable a new routing scheme
is prohibitive. In this case, Bridge mode may be your best option.

It may also be necessary to consider adding a cluster to your security network. A
cluster environment provides reliability through high availability, and enhanced
reliability and performance through load sharing. Clustering is discussed in more
detail in the Check Point Security Expert course.

Standalone Deployment
In a standalone deployment, the Security Management Server and Security
Gateway are installed on the same computer or appliance.

[Figure legend: one standalone computer carrying both the Security Gateway
component and the Security Management Server component.]
Figure 9 - Standalone Deployment

Distributed Deployment
In a distributed deployment, the Security Gateway and the Security Management
Server are installed on different computers or appliances.


Item Description

Security Management Server



2 Network connection

3 Security Gateway

a
Security Gateway component

0
:,..
Security Management Server component

Figure 10 Distributed Deployment


Standalone Full HA
In a standalone full high availability deployment, the Security Management
server and Security Gateway are each installed on one appliance, and two
appliances work in High Availability mode.

[Figure legend: 1 primary appliance; 2 direct appliance-to-appliance
connection; 3 backup appliance. Each appliance carries both the Security
Gateway component and the Security Management Server component.]

Figure 11 - Standalone Full HA

Bridge Mode
A bridge mode deployment adds a Security Gateway to an existing environment
without changing IP Routing.

Item       Description
1 and 2    Switches
           Security Gateway: firewall bridging Layer-2 traffic over the one IP
           address, with a subnet on each side using the same address.

Figure 12 - Bridge Mode


Check Point SmartConsole Clients


SmartConsole is comprised of several clients, used to manage the Check Point
security environment.

SmartDashboard

SmartDashboard is the SmartConsole client that lets you manage security
policies and network objects.

In SmartDashboard, you can manage all aspects of your network security. The
settings defined in the various tabs are applied to gateways and/or endpoints to
enforce the security that you choose to implement.

Figure 13 - SmartDashboard

The tabs that you see in SmartDashboard may depend on the Software Blades
that you have deployed:
Firewall - In this window you can see the important current data for the
Firewall Software Blade and its Security Gateways.
Application Control & URL Filtering - In the Application and URL
Filtering Overview pane, you can quickly see the status of computers and
incidents. Use the windows for the most urgent or commonly-used
management actions.
Data Loss Prevention (DLP) - In this window you can quickly see the
status of DLP Security Gateways and Exchange Security Agents. You can
also see incidents and access the windows for the most urgent or commonly-
used management actions.
IPS (Intrusion Prevention System) - In this window you can quickly view
and handle urgent security issues that deal with IPS management.
Anti-Bot & Anti-Virus - In the Anti-Bot and Anti-Virus Overview pane,
you can quickly see the gateways in your organization that are enforcing Anti-
Bot and Anti-Virus, and malware details. Use the windows for the most urgent
or commonly-used management actions.
Anti-Spam and Mail - In this window you can configure enforcing
gateways, enable database updates, and review and adjust your messaging
security settings.
Mobile Access - In this window you see the important current data for the
Mobile Access Software Blade. Mobile Access gives remote users secure
connectivity to read emails and to access web applications.
IPSec VPN - In this window you can easily see status and quickly access
data for your VPNs.
QoS (Quality of Service) - In this window you can view and manage the
QoS policy.
Desktop - In this window you can view and modify the Desktop policy Rule
Base.

From SmartDashboard, you can also access some of Check Point's other
SmartConsole components. These are a group of software modules including:
SmartView Tracker
SmartLog
SmartEvent Intro
SmartEvent
SmartView Monitor
SmartReporter
SmartUpdate
SmartProvisioning
SmartEndpoint


SmartView Tracker

SmartView Tracker is used for managing and tracking logs and alerts. It provides
real-time historical and visual tracking, monitoring, and accounting information
for all logged connections. Additionally, SmartView Tracker logs administrator
actions, such as changes to object definitions or rules, which can dramatically
reduce the time needed to troubleshoot configuration errors. Security
Administrators can filter or perform searches on log records, to quickly locate
and track events of interest. In the case of an attack or otherwise suspicious
network activity, Security Administrators can use SmartView Tracker to
temporarily or permanently terminate connections from specific IP addresses.


Figure 14 - SmartView Tracker

1. Network & Endpoint tab - Network and Endpoint mode is the default view
for SmartView Tracker. Network and Endpoint mode displays entries for
security-related events for different Check Point products as well as Check
Point's OPSEC partners.
2. Active tab - In the Active mode you can view connections that are currently
open through the Security Gateways that are logging to the active Log file.
3. Management tab - In the Management mode you can show audit entries in
SmartView Tracker. The Management All Records Query is displayed.


SmartLog

SmartLog, part of the Logging and Status Software Blade and unified security
management console, enables enterprises to centrally track log records and
security activity across all Software Blades with split-second Google-like search
results that provide instant visibility over billions of log records. The intuitive
search box delivers real-time search results from any log field, displaying top-
down results and saving security administrators valuable time. Administrators can
search multiple log files, time periods, gateways and domains, or search by
action, user, time or geography for powerful granular security investigation. The
Logging and Status Software Blade transforms data into security intelligence
with real-time visibility over billions of log records from a single, integrated
security management console.

Figure 15 - SmartLog

SmartEvent
SmartEvent provides centralized, real-time event correlation of log data from
Check Point perimeter, internal, and Web security gateways, as well as third-party
security devices, automatically prioritizing security events for action. By
automating the aggregation and correlation of raw log data, SmartEvent
minimizes the amount of data that needs to be reviewed and collates and
prioritizes security threats.

Figure 16 - SmartEvent

With SmartEvent, security teams no longer need to comb through the massive
amount of data generated by the devices in their environment. Instead, they can
focus on deploying resources on the threats that pose the greatest risk to their
business.

SmartEvent is capable of managing millions of logs per day per correlation unit
in large enterprise networks. Through its distributed architecture, SmartEvent can
be installed on a single server but has the flexibility to spread processing load
across multiple correlation units and reduce network load.

What's New in SmartEvent

Enhanced Reporting - Easily configure and schedule reports to be sent
automatically to your email, or view them on the Reports tab.

Overview Customization - One-stop view, easily changed to show the security
information that you need to see.

User Privacy - User identity can be hidden by default or shown by request
from authorized administrators.

Group By - Create groups of events by name, source, destination, or other
fields, to focus on what is important to you.

Data Visualization - See real-time information, trends, anomalies, and statistics
at a glance, with events displayed graphically by timelines, charts, pies, or on a
world map.

Forensics - Drill down to event information by double-clicking on timelines,
charts or maps. For applicable events, retrieve raw logs and associated packet
captures.

Ticketing - Assign events to administrators with ticketing workflow.

SmartView Monitor
Managing network and security performance today can be a difficult juggling act.
Security teams have to deal with many networks and VPN gateways, large
numbers of users with different needs, and a fast-growing array of security
threats that can quickly congest networks. SmartView Monitor shows the
complete picture of network and security performance, enabling fast response to
changes in traffic patterns or security activities.
SmartView Monitor centrally monitors Check Point and OPSEC devices,
presenting a complete visual picture of changes to gateways, tunnels, remote
users and security activities. This enables administrators to immediately identify
changes in network traffic flow patterns that may signify malicious activity.

Benefits

- Maintains high network availability
- Improves efficiency of bandwidth use
- Tracks SLA compliance
- Increases security ROI
- Responds quickly to network and security changes

Figure 17 - SmartView Monitor

SmartReporter
The Check Point SmartReporter Software Blade increases the visibility of
security threats by centralizing network security reporting of network, security
and user activity into concise predefined or custom-built reports. Easy report
generation and automatic distribution save time and money and allow
organizations to maximize security investments.

Figure 18 - SmartReporter (Blocked Traffic Report)

- Centralizes access to security data for easy analysis, trending and compliance
  - Centralized reporting of network, security and user activity
  - Custom reports can be tailored for unique information requirements
  - Provides reporting for regulatory compliance
- Maximizes operational efficiency, saving time and cost
  - Predefined report template options
  - Automatic reporting and report distribution
  - Streamlines security and network activity trend reporting
- Integrated into Check Point Software Blade Architecture
  - Activate SmartReporter on any Check Point management server
  - Save time and reduce costs by leveraging existing security infrastructure

SmartUpdate

SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed security gateways from a single management console.

SmartUpdate ensures that security deployments are always up-to-date by enforcing the most current security software. This provides greater control and efficiency while dramatically decreasing the maintenance costs of managing global security installations.

By turning time-consuming tasks that could otherwise be performed only by experts into simple point-and-click operations, SmartUpdate enables remote upgrade, installation and license management to be performed securely and easily. A system administrator can monitor and manage remote gateways from a central location, and decide whether there is a need for software upgrades, new installations or license modifications.

Figure 19 - SmartUpdate

SmartProvisioning

SmartProvisioning provides centralized administration and provisioning of Check Point security devices via a single management console.

Figure 20 - SmartProvisioning

Check Point SmartProvisioning enables you to manage thousands of Gateways from a single Security Management Server or Multi-Domain Security Management Server, with features to define, manage, and provision large-scale deployments of Check Point Gateways.

The SmartProvisioning management concept is based on profiles: a definitive set of Gateway properties and, when relevant, a Check Point Security Policy. Each profile may be assigned to multiple Gateways and defines most of the Gateway properties per profile object instead of per physical Gateway, reducing the administrative overhead.

- Maximizes operational efficiency, enables consistent policy management
  - Automated device management reduces errors and improves security
  - Reduced administrative overhead and rapid deployment of devices
  - Scalable to manage thousands of devices across multiple, disparate networks
- Centralizes visibility and management of company-wide security posture
  - Configure and manage all Check Point security devices via a single console
  - Centralized control over appliance deployment, maintenance and recovery
  - Easy management via an intuitive Graphical User Interface (GUI)
- Integrated into Check Point Software Blade Architecture
  - Activate SmartProvisioning on any Check Point Security Management system


SmartEndpoint
Endpoint Security is a Software Blade in a Check Point Security Management
server. SmartEndpoint is the management console for endpoint clients and their
features.

Figure 21 - SmartEndpoint

Endpoint Security Features:

- One management console for endpoint security management.
- Monitor your security status with a customizable, at-a-glance dashboard.
- Quickly deploy the required protection for users using software-blade deployment rules.
- Use pre-configured and customizable policies.
- Easily change and report security policy changes at all levels of the organization.
- Drill down to users and all their associated machines to investigate security status.
- Enforce and resolve endpoint compliance issues before permitting access to the corporate network.

Security Management Server

The Security Management Server is used by the Administrator to manage the Security Policy. The organization's databases and Security Policies are stored on the Security Management Server and downloaded to the Gateway(s). The Security Management Server also maintains the Security Gateway databases, including object definitions, Security Policies, and log files for all Gateways. Policies are defined using SmartDashboard, and saved on the Security Management Server. To make the most of Check Point products and to best use their capabilities and features, it is helpful to review some basic concepts and components.

Managing Users in SmartDashboard

Your network can be accessed and managed by multiple users and administrators.
A secure network is efficiently managed by centrally controlled user and
administrator accounts. SmartDashboard - Desktop Tab manages users,
administrators and their groups as objects using the standard object
administration tools; i.e., the Objects Tree pane and the Users and Administrators
window.

Figure 22 - Objects Tree and the Users and Administrators window

The user's definition includes access permissions to and from specific machines
at specific times of the day. The user definition can be used in the Rule Base's
Authentication Rules and in Remote Access VPN.

SmartDashboard further facilitates user management by allowing you to define user and administrator templates. Templates serve as prototypes of standard user account properties that are common to many users. Any user you create based on a template inherits all of the template's properties, including membership in groups.

Users Database

The users defined in SmartDashboard - Desktop Tab (as well as their authentication schemes and encryption keys) are saved to the proprietary Check Point Internal Users Database on the Security Management Server.

The Users Database is automatically downloaded to Check Point hosts with installed Management Software Blades as part of the Policy installation process. Alternatively, you can manually install the Users Database by selecting Policy > Install Database... from the menu. Security Gateways that do not include a Management Software Blade do not receive the Users Database.

Securing Channels of Communication

The Security Management Server must be able to communicate with all components and partner OPSEC applications that it manages, even though they may be installed on different machines. The interaction must take place to ensure that the components receive all necessary information from the Security Management Server (such as the Security Policy). While information must be allowed to pass freely, it also has to pass securely. This means that:

- The communication must be encrypted so that an impostor cannot send, receive or intercept communication meant for someone else.
- The communication must be authenticated; there can be no doubt as to the identity of the communicating peers.
- The transmitted communication should have data integrity; that is, the communication must not be altered or distorted in any form.
- The SIC setup process allowing the intercommunication to take place must be user-friendly.

If these criteria are met, secure channels of communication between intercommunicating components of the system can be set up and enforced, to protect the free and secure flow of information.

Secure Internal Communications

Secure Internal Communication (SIC) lets Check Point platforms and products authenticate with each other. The SIC procedure creates a trusted status between gateways, management servers and other Check Point components. SIC is required to install policies on gateways and to send logs between gateways and management servers.

These security measures ensure the security of SIC:

- Certificates for authentication
- Standards-based SSL for the creation of the secure channel
- 3DES for encryption

The Internal Certificate Authority (ICA)

The ICA is created during the Security Management Server installation process. The ICA is responsible for issuing certificates for authentication. For example, the ICA issues SIC certificates for authentication purposes to administrators, and VPN certificates to users and gateways.

Initializing the Trust Establishment Process

Communication Initialization establishes a trust between the Security Management Server and the Check Point gateways. This trust lets Check Point components communicate securely. Trust can only be established when the gateways and the server have SIC certificates.

Note: For SIC to succeed, the clocks of the gateways and servers must be synchronized.

The Internal Certificate Authority (ICA) is created when the Security Management Server is installed. The ICA issues and delivers a certificate to the Security Management Server.

Administrative Login Using SIC

The login process, in which Administrators connect to the Security Management Server, is common to all Check Point SmartConsole components (SmartDashboard, SmartUpdate, etc.). This process consists of a bidirectional operation, in which the Administrator and the Security Management Server authenticate each other and create a secure channel of communication between them using SIC. Once both the Administrator and the Security Management Server have been successfully authenticated, Security Management launches the selected SmartConsole.

Testing the SIC Status

The SIC status reflects the state of the Gateway after it has received the certificate issued by the ICA. This status conveys whether or not the Security Management Server is able to communicate securely with the gateway. The most typical status is Communicating. Any other status indicates that the SIC communication is problematic. For example, if the SIC status is Unknown, there is no connection between the Gateway and the Security Management Server. If the SIC status is Not Communicating, the Security Management Server is able to contact the gateway, but SIC communication cannot be established. In this case an error message will appear, which may contain specific instructions on how to remedy the situation.

Resetting the Trust State

Resetting the Trust State revokes the gateway's SIC certificate. This must be done if the security of the gateway has been breached, or if for any other reason the gateway functionality must be stopped. When the gateway is reset, the Certificate Revocation List (CRL) is updated to include the name of the revoked certificate. The CRL is signed by the ICA and issued to all the gateways in this system the next time a SIC connection is made. If there is a discrepancy between the CRLs of two communicating components, the newest CRL is always used. The gateways refer to the latest CRL and deny a connection from an impostor posing as a gateway and using a SIC certificate that has already been revoked.

Important - The SIC reset must be performed on the gateway's object using SmartDashboard, and from a command prompt on the gateway using the cpconfig tool. Performing the SIC reset on the gateway will cause an outage until SIC is reestablished and the policy reinstalled. The fw stat command can be used to verify a Gateway's Policy installed status.

SIC Between Security Management Servers and Components

The following is an example of the SIC process:

Figure 23 - SIC Among Security Management Servers and Components (the ICA on the Security Management Server delivers certificates to the Check Point modules)

The graphic illustrates the SIC process in a distributed environment:

1. The ICA creates a Certificate for the Security Management Server during the Security Management Server installation. The ICA is created automatically during the installation procedure.
2. Certificates for the Security Gateways, and any other communicating components, are created via a simple initialization from the SmartConsole. Upon initialization, the ICA creates, signs, and delivers a Certificate to the communication component. Every component can then verify the Certificate for authenticity.

Communication between a Security Management Server and its components depends on a Security Policy specified in a Policy file on each machine. Communication using Certificates will take place, provided that the communicating components are of the appropriate version, and agree on the authentication and encryption methods. The Security Management Server and its components are identified by their SIC name, also known as the Distinguished Name.
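The certificate and CRL handling described in steps 1 and 2 and under "Resetting the Trust State", as an added model written for this section (not Check Point's own code): the ICA issues signed certificates, a trust reset revokes one by publishing a new CRL, peers apply the newest-CRL rule, and a revoked certificate is denied. It uses an HMAC as a stand-in for the ICA's X.509 signature, leaves out the SSL channel, and all names and keys are constructed.

```python
"""Model of the SIC trust lifecycle described above (added for this section,
not Check Point code): the ICA issues one certificate per component, a trust
reset publishes a new CRL, peers adopt the newest validly signed CRL, and a
revoked certificate is denied. An HMAC stands in for the ICA's X.509 signature;
the SSL channel itself is left out. All names and keys are constructed."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


def _sign(key: bytes, fields: dict) -> str:
    # Canonical JSON so issuer and verifier hash identical bytes.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verified(key: bytes, obj) -> bool:
    """True if the signature covers the object's current fields (forgery/tamper check)."""
    fields = {k: v for k, v in asdict(obj).items() if k != "signature"}
    return hmac.compare_digest(obj.signature, _sign(key, fields))


@dataclass(frozen=True)
class Cert:
    sic_name: str   # the component's SIC name (Distinguished Name)
    serial: int
    signature: str


@dataclass(frozen=True)
class Crl:
    version: int
    revoked: tuple  # serials of revoked certificates
    signature: str


class Ica:
    """Internal Certificate Authority: issues every SIC certificate and signs every CRL."""
    def __init__(self, key: bytes):
        self._key = key
        self.verify_key = key  # HMAC stand-in: a real ICA publishes a public key instead
        self._next_serial = 1
        self.crl = Crl(1, (), _sign(key, {"version": 1, "revoked": ()}))

    def issue(self, sic_name: str) -> Cert:
        fields = {"sic_name": sic_name, "serial": self._next_serial}
        self._next_serial += 1
        return Cert(**fields, signature=_sign(self._key, fields))

    def revoke(self, cert: Cert) -> Crl:
        """Trust reset: the certificate's serial goes onto a new, higher-numbered CRL."""
        fields = {"version": self.crl.version + 1,
                  "revoked": tuple(sorted(set(self.crl.revoked) | {cert.serial}))}
        self.crl = Crl(**fields, signature=_sign(self._key, fields))
        return self.crl


def newest_crl(key: bytes, local: Crl, received: Crl) -> Crl:
    """Of two differing CRLs the newest is used, but only one carrying a valid
    ICA signature may replace the local copy."""
    if received.version > local.version and verified(key, received):
        return received
    return local


def authenticate_peer(key: bytes, crl: Crl, peer: Cert) -> tuple:
    """Accept a peer only if its certificate is ICA-issued and not on the CRL in use."""
    if not verified(key, peer):
        return False, "certificate not issued by this ICA"
    if peer.serial in crl.revoked:
        return False, f"certificate serial {peer.serial} revoked in CRL v{crl.version}"
    return True, "Communicating"


def demo() -> dict:
    """Issue -> communicate -> reset trust -> deny reuse -> re-initialize."""
    ica = Ica(b"constructed-ica-key-for-illustration")
    key = ica.verify_key
    ica.issue("CN=cp_mgmt,O=mgmt.example")             # step 1: management server certificate
    gw = ica.issue("CN=gw-branch,O=mgmt.example")      # step 2: gateway certificate at initialization
    mgmt_crl = gw_crl = ica.crl
    result = {"initial": authenticate_peer(key, mgmt_crl, gw)}

    mgmt_crl = ica.revoke(gw)                           # trust reset on the gateway object
    # The stale CRL v1 presented with the reused certificate cannot downgrade the server's copy.
    mgmt_crl = newest_crl(key, mgmt_crl, gw_crl)
    result["reused_cert"] = authenticate_peer(key, mgmt_crl, gw)

    gw_crl = newest_crl(key, gw_crl, mgmt_crl)          # a peer still on v1 learns v2 at its next SIC connection
    result["gateway_crl_version"] = gw_crl.version
    unsigned = Crl(99, (), "0" * 64)                    # higher version but no valid ICA signature
    result["unsigned_crl_ignored"] = newest_crl(key, mgmt_crl, unsigned) is mgmt_crl

    gw_new = ica.issue("CN=gw-branch,O=mgmt.example")  # re-initialize: fresh certificate, new serial
    result["after_reinit"] = authenticate_peer(key, mgmt_crl, gw_new)
    return result
```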


Practice and Review

Practice Labs
Lab 1: Distributed Installation

Lab 2: Branch Office Security Gateway Installation

Review
1. What is the strength of Check Point's Stateful Inspection technology?

2. What are the advantages of Check Point's Secure Management Architecture (SMART)? In what way does it benefit an enterprise network and its administrators?

3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?


CHAPTER 2 Deployment Platforms


Deployment Platforms
Before delving into the intricacies of creating and managing Security Policies, it
is beneficial to know about Check Point's different deployment platforms, and
understand the basic workings of Check Point's Linux operating systems such as
Gaia, that support many Check Point products - and what those products are.

Learning Objectives:
- Given network specifications, perform a backup and restore the current Gateway installation from the command line.
- Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.
- Deploy Gateways from the Gateway command line.


Check Point Deployment Platforms

Security Appliances
Check Point Security Appliances are integrated hardware devices that are pre-
installed with essential software blades to produce a comprehensive, turnkey
security gateway solution.

Data Center:
- 61000 Security System - The Check Point 61000 Security System is the industry's fastest security appliance, offering scalable performance for data centers and telecommunication companies. Its robust multi-bladed hardware architecture delivers up to 200 Gbps of firewall throughput today and up to 1 Tbps in the future. Furthermore, its ability to support 70 million concurrent connections and 600,000 sessions per second brings unparalleled performance to multi-transaction environments.
- 21000 Appliance - The 21000 Appliances deliver the industry's best security performance in their class and offer unmatched scalability, serviceability and port density. Benefiting from Check Point's advanced SecureXL, CoreXL and SecurityCore technologies, the 21000 Appliances are capable of delivering stunning performance while maintaining a compact 2 rack-unit physical footprint. With the support of the Software Blade Architecture, up to 110 Gbps firewall throughput and sub-5-microsecond latency, the 21000 Appliances are designed to secure the most demanding network environments.
- IAS Bladed Hardware - Check Point Integrated Appliance Solutions (IAS) Bladed Hardware provides organizations with the ultimate choice in carrier-grade chassis. IAS Bladed Hardware delivers integrated software and hardware solutions that are customized to your exact security needs, all while maintaining the network performance you require.

Large Enterprise
- 12000 Appliance - The 12000 Appliances, featuring multi-core security technology and high port density, are ideally suited for perimeter security of large network environments as well as business-critical internal network segments. High business continuity and serviceability are delivered through features such as hot-swappable redundant power supplies/disk drives, a Lights-Out-Management card, and High-Availability features such as Check Point ClusterXL and Load-Sharing.
- IP Appliance - Proven for years in complex networking and high performance environments, Check Point IP Appliances offer turnkey and modular security functionality. With integrated firewall, VPN, IPS, Application Control, Identity Awareness and more, IP Appliances deliver unmatched extensibility, broad deployment options and lower total cost of ownership.
- IAS-D, M, and R Appliance - Powered by HP, the IAS-Series of appliances provide integrated software and hardware bundles and direct support that are customized to organizations' exact specifications, enabling the provisioning of security services based on exact corporate needs.

Medium-Sized Business
- 4000 Appliance - Check Point 4000 Appliances offer complete and integrated security solutions in a compact 1U form factor. Delivering firewall throughput up to 11 Gbps and IPS throughput up to 6 Gbps, these enterprise-grade appliances deliver superior performance for their class.

Small Business & Branch Office
- 2200 Appliance - The Check Point 2200 Appliance offers enterprise-grade security with leading performance in a compact desktop form factor. With its multi-core technology and six 1-gigabit Ethernet ports, the 2200 Appliance is easily capable of securing any branch office or small office.
- Series 80 Appliance - The Check Point Series 80 Appliance raises the bar on branch office security by extending Software Blades to the edge of the network. Series 80 Appliances deliver the same enterprise-grade security used by 100% of the Global 100, all in an industry-leading small desktop form factor, at the best price/performance and with simple, hassle-free deployment.
- UTM-1 Edge - Check Point UTM-1 Edge N appliances deliver proven, best-in-class security right out of the box. These simple, all-in-one appliances allow branch offices to deploy comprehensive security quickly and easily. These appliances offer robust performance, powerful central management and advanced wireless options.
- Safe@Office Appliances - The Check Point Safe@Office UTM appliances deliver proven, cost-effective and best-in-class security right out of the box. These simple, all-in-one appliances allow the deployment of comprehensive security quickly and easily. Safe@Office appliances integrate firewall, IPS, anti-malware, URL Filtering and more.
- Cloud-Managed Security Service - Check Point Cloud-Managed Security Service offers you proven and cost-effective security in a simple all-in-one solution. Let us help you manage your security, so you can focus on growing your business.

Virtualized
- Virtual Systems - Check Point Virtual Systems taps the power of virtualization to consolidate and simplify security for private clouds while delivering a lower total cost of ownership. It enables customized security against evolving network threats with the extensible Software Blade Architecture. Virtual Systems is supported on Check Point Appliances, including the 61000 Security System, as well as open servers.
- Security Gateway Virtual Edition - The Check Point Security Gateway Virtual Edition (VE) protects dynamic virtualized environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades.
- Virtual Appliance for Amazon Web Services - Check Point Virtual Appliance for Amazon Web Services enables customers to extend their security to the cloud with the full range of protections using Check Point Software Blades. This easy-to-deploy virtual appliance, a security gateway for virtual environments in the Amazon Cloud, prevents network attacks and data breaches while enabling secure connectivity in dynamic cloud computing environments.

Dedicated Appliance
- Secure Web Gateway Appliance - Embracing the current paradigm shift from simple URL filtering to comprehensive malware protection, the Check Point Secure Web Gateway provides an intuitive solution that enables secure use of Web 2.0 with real-time multi-layered protection against web-borne malware, the largest application coverage in the industry, advanced granular control, intuitive centralized management, and essential end-user education functionality.

- Threat Prevention Appliance - Unified solution that prevents advanced threats and malware attacks.
- DDoS Protector - The Check Point DDoS Protector Appliances block Denial of Service attacks within seconds with multi-layered protection and up to 12 Gbps of performance.

Security Power - Choosing a Security Appliance

Check Point's SecurityPower is a new benchmark metric that allows customers to select security appliances by their capacity to handle real-world network traffic, multiple advanced security functions and a typical security policy. SecurityPower helps customers to accurately size and determine the appropriate appliances that can best meet their network security needs today, as well as support anticipated future traffic increases and additional security functions.

Leveraging the new Check Point Appliance Selection Tool, the Check Point account team or Check Point partners can take criteria of the customer's network, including the required throughput performance and desired security functions, as inputs, and produce a SecurityPower requirement value. That value is then compared against the SecurityPower capacities of the range of Check Point appliances to determine and present candidates that can best meet the customer's network security and performance requirements.

Figure 24 - Security Power

Security Software Blades

Threat Prevention
- ThreatCloud - Feeds security gateway software blades with real-time security intelligence.

Security Gateway Software Blades
- Firewall - The Check Point Firewall Software Blade builds on the award-winning technology first offered in Check Point's FireWall-1 solution to provide the industry's strongest level of gateway security and identity awareness. Check Point's firewalls are trusted by 100% of the Fortune 100 and deployed by over 170,000 customers, and have demonstrated industry leadership and continued innovation since the introduction of FireWall-1 in 1994.
- IPSec VPN - The Check Point IPSec VPN Software Blade provides secure connectivity to corporate networks for remote and mobile users, branch offices and business partners. The Software Blade integrates access control, authentication and encryption to guarantee the security of network connections over the public Internet.
- Application Control - The Check Point Application Control Software Blade provides the industry's strongest application security and identity control to organizations of all sizes. It enables IT teams to easily create granular policies based on users or groups to identify, block or limit usage of over 240,000 Web 2.0 applications and widgets. The Application Control Software Blade is a key component of the Secure Web Gateway Appliance.
- URL Filtering - The Check Point URL Filtering Software Blade provides optimized web security through full integration in the gateway to prevent bypass through external proxies. Integration of policy enforcement with Application Control means full Web and Web 2.0 protection, and UserCheck technology empowers and educates users on web usage policy in real time. The URL Filtering Software Blade is a key component of the Secure Web Gateway Appliance.

- Anti-Bot - The Check Point Anti-Bot Software Blade detects bot-infected machines, prevents bot damages by blocking bot C&C communications, and is continually updated from ThreatCloud, the first collaborative network to fight cybercrime.
- Antivirus - The enhanced Check Point Antivirus Software Blade uses real-time virus signatures and anomaly-based protections from ThreatCloud, the first collaborative network to fight cybercrime, to detect and block malware at the gateway before users are affected. The Antivirus Software Blade is a key component of the Secure Web Gateway Appliance.
- Identity Awareness - Check Point Identity Awareness Software Blade provides granular visibility of users, groups and machines, providing unmatched application and access control through the creation of accurate, identity-based policies. Centralized management and monitoring allows for policies to be managed from a single, unified console.
- DLP - The Check Point DLP Software Blade combines technology and processes to revolutionize Data Loss Prevention (DLP), helping businesses to pre-emptively protect sensitive information from unintentional loss, educating users on proper data handling policies and empowering them to remediate incidents in real time.
- Web Security - The Check Point Web Security Software Blade provides a set of advanced capabilities that detect and prevent attacks launched against the Web infrastructure. The Web Security Software Blade delivers comprehensive protection when using the Web for business and communication.
- Anti-Spam & Email Security - The Check Point Anti-Spam & Email Security Software Blade provides comprehensive protection for messaging infrastructure. A multidimensional approach protects email infrastructure, provides highly accurate anti-spam coverage and defends organizations from a wide variety of virus and malware threats delivered within email.

- Advanced Networking & Clustering - The Check Point Advanced Networking and Clustering Software Blade simplifies network security deployment and management within complex and highly utilized networks, while maximizing network performance and security in multi-Gbps environments. This combination is ideal for high-end enterprise and datacenter environments where performance and availability are critical.
- Voice over IP (VoIP) - The Check Point VoIP Blade enables you to deploy VoIP applications such as telephony or video conferencing without introducing new security threats or needing to redesign your network. Because worms and VoIP-specific Denial of Service attacks can take IP phone services down, the Check Point family delivers an evolving solution that understands and protects against existing and new threats that may disrupt business continuity. Check Point solutions also reduce the complexity of VoIP deployment by eliminating such common pain points as incompatibility between VoIP and Network Address Translation.
- Security Gateway Virtual Edition - The Check Point Security Gateway Virtual Edition (VE) protects dynamic virtualized environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades.

Remote Access Solutions
- Mobile Access Software Blade - Check Point Mobile Access Software Blade is the safe and easy solution to connect to corporate applications over the Internet with your smartphone, tablet or PC. The solution provides enterprise-grade remote access via both Layer-3 VPN and SSL VPN, allowing you simple, safe and secure connectivity to your email, calendar, contacts and corporate applications.
- Endpoint Security with Remote Access - The Check Point Remote Access VPN Software Blade provides users with secure, seamless access to corporate networks and resources when traveling or working remotely. Privacy and integrity of sensitive information is ensured through multi-factor authentication, endpoint system compliance scanning and encryption of all transmitted data.

- Check Point GO - Check Point GO instantly turns any PC into your corporate desktop, allowing users to access files and applications anywhere, anytime. Its plug-and-play USB form factor allows users to easily launch a secure virtual workspace that keeps mobile data secure by segregating the virtual workspace from the host PC. Users can work offline from the encrypted USB drive or online using the Check Point GO integrated VPN client.

Check Point Gaia

Check Point Gaia is the unified cutting-edge secure operating system for all Check Point Appliances, open servers and virtualized gateways. Gaia was derived from IPSO and SecurePlatform.

History - Power of Two

Ipso

Ipsilon Networks, the developers of IPSO, was a computer networking company


specializing in IP switching. The company was a key player in the introduction of
label switching, and published early proposals on the subject. Label switching, or
tag switching (Cisco Systems), was a technology that eventually became
standardized as MPLS (Multiprotocol Label Switching). Nokia purchased
Ipsilon Networks in 1997, and incorporated the IPSO operating system into their
network appliances. Check Point bought Nokia's Security business unit in April
2009.

IPSO 3.x and 4.x were based on FreeBSD 2.x. IPSO 6.x is based on FreeBSD
6.x. As a stripped down operating system, IPSO provided enough functionality to
run Check Point firewalls, along with the incorporation of some standard Unix
commands, such as top, ps, df. It also provided a hardened, secure operating
system (no compilers included). IPSO also provided great visibility into kernel
statistics, such as network counters, interrupts, and more.

IPSO contained many key differentiators from mainline FreeBSD, as well as from SecurePlatform:
ipsctl: comparable to sysctl (BSD) and /proc (Linux)
ipsrd: comparable to GateD or Quagga
xpand and configuration database: single system configuration repository
Voyager: Web-based management GUI for the operating system
clish: command line shell supporting the same features as Voyager
iclid: ipsrd command line interface daemon
VRRP and IP Clustering: High Availability solutions
ADP: Accelerated Data Path
Boot Manager: similar to OpenBoot on Sun boxes
CST: Configuration Summary Tool


SecurePlatform

Check Point's secure operating system, SecurePlatform, is based on a kernel from Red Hat Software, which allows SecurePlatform to benefit from the compatibility and stability testing performed by Red Hat Software. SecurePlatform has been hardened to eliminate any components that are not necessary for a network security device. Components that could present security exposure were removed or modified. The hardening of SecurePlatform components was audited by both Check Point staff and an independent security consulting organization.

Any software package not needed by network security services was removed from SecurePlatform. Required services that might present security risks were modified as necessary. Where the existing software could not be made secure, it was replaced. For example, the Web server used by the Web interface for system administration was developed internally at Check Point. The Web server is a small server, designed to perform only the functions required to allow Web-based system administration.

Routine management and maintenance of SecurePlatform is performed through a restricted shell, called Standard Mode. Most utilities needed to manage SecurePlatform and other installed Check Point products are accessed in Standard Mode. Many Standard Mode commands are 'wrapped' in custom scripts to disable unnecessary options and make the utility easier to use. Standard Mode enhances the security of SecurePlatform by restricting access to utilities that, if used improperly, could damage system stability. Because of the usability enhancements in Standard Mode, extensive Linux knowledge is not required to perform routine management of SecurePlatform.

Because SecurePlatform does not include unnecessary software, superior performance is achieved. Resources are not consumed by software such as graphical user interfaces, office applications, and network file systems. All system resources are dedicated to the operating system and the installed Check Point products. SecurePlatform fully supports Check Point SecureXL, which can boost throughput rates for SecurePlatform installations to speeds up to three times faster than the throughput realized on similar hardware, with other operating systems, without SecureXL.



Gaia
Check Point Gaia is the next generation Secure Operating System for all Check Point appliances and open servers. Gaia combines the best features from IPSO and SecurePlatform (SPLAT) into a single unified OS providing greater efficiency and robust performance. With the support of the full suite of Software Blades, customers will benefit from improved connection capacity and the full breadth and power of Check Point security technologies by adopting Gaia.

Check Point Gaia, announced on April 17th, 2012, offers 3 key value propositions:
Combining the best features of IPSO and SecurePlatform
Increasing operational efficiency with a wide range of features
A secure platform for the most demanding environments

As a 64-bit operating system, Gaia increases the connection capacity of select appliances.

Customers migrating from IPv4 to IPv6 networks are secured with Gaia utilizing the Check Point Acceleration & Clustering technology. Gaia fits into the most complex networks by supporting dynamic routing, bridge mode and 802.3ad link aggregation.

Benefits of Gaia

Gaia simplifies and strengthens management with segregation of duties by enabling role-based administrative access. Furthermore, Gaia greatly increases operational efficiency by offering Intelligent Software Updates. Security management is made simple with the intuitive and feature-rich Web-based user interface and instant search for all commands and properties. Gaia is fully compatible with IPSO and SPLAT command line interface (CLI) commands, making it an easy transition from existing Check Point operating platforms.


Existing IPSO Users
  Ease of Use
    Configuration wizards
    One-step install
    One-click registration
  Full Software Blade support
  Higher connection capacity
    64 Bit OS
  IPv6
    Supports Dual stack and Tunneling
  SecureXL and CoreXL acceleration
  Clustering options
    ClusterXL and CoreXL acceleration
  Enhanced device management
    Image snapshot
    Device replication
    Automated software update

Existing SecurePlatform Users
  Powerful Management
    WebUI and CLI
    Role-based administration
    Multiple configuration sets
    Manageable dynamic routing
  Higher connection capacity
    64 Bit OS
  IPv6
    Supports Dual stack and Tunneling
  SecureXL and CoreXL acceleration
  Clustering options
    ClusterXL and CoreXL acceleration
  Enhanced device management
    Image snapshot
    Device replication
    Automated software update

Table 2-1: Benefits of Gaia for SecurePlatform and IPSO Users

Gaia Architecture

Full compatibility with IPSO and SPLAT CLI commands

Transitioning to Gaia is a breeze for security administrators. The same powerful command line interface (CLI) commands from IPSO and SPLAT are seamlessly integrated into Gaia. Additional new commands and capabilities are also added to the Gaia CLI, making a powerful CLI interface even more intuitive to use.


Web-Based User Interface with Search Navigation


The intuitive WebUI delivers a refreshing user experience for security administrators. This interface integrates all management functions into a Web-based dashboard that is accessible via the most popular Web browsers - Internet Explorer, Chrome, Firefox and Safari. The built-in search navigation delivers instant results on commands and properties. For CLI-inclined users, a Shell-Emulator pop-up window is only a single click away.

Role-Based Administrative Access


Segregation of duties is part of a good security policy and it improves operating
efficiency and auditing of administrative events. The role-based administrative
access gives Gaia customers the ability and granularity to customize their
security management policies that are particular to their business needs. Specific
levels of access can be granted based on each individual's role and responsibility
- building a stronger security environment.

Support for Industry Standard Authentication


The AAA component of Gaia manages user access to the appliance. Generally, AAA includes Authentication (identifying a user), Authorization (determining what a user is permitted to do), and Accounting (tracking some aspects of a user's activity). Gaia implements Pluggable Authentication Modules (PAM), an industry-standard framework for authenticating and authorizing users. Using PAM, authentication, account management, and session management algorithms are contained in shared modules that you configure on your appliance.

Support for Industry Standard Monitoring


Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM, described in RFC 3414, access to the SNMP service is controlled on the basis of user identities. Each user has a name, an authentication pass phrase to identify the user, and an optional privacy pass phrase for protection against disclosure of SNMP message payloads. Managed devices use trap messages to report events to the Network Management Station (NMS). SNMP traps may be sent to the NMS in the event of a hardware or product change.

Intelligent Software Updates


Software updates are an important process to maintain robust security performance and high network integrity. It is also a process that can sometimes cause disruptions to the network services or to your business. With the intelligent software updates offered by Gaia, new releases and patches can be pre-scheduled for automatic download and deployment at a time with minimum business impact. Update times have been reduced to only a few seconds, and post-update checks automatically roll back to the previous configuration if a problem is found. Notification emails are sent about new and recommended updates and update statuses.

Automate Security Gateway Deployments


Gaia simplifies the deployment process with a couple of new tools. Create a First-Time Installation Wizard answer file template, and then use it during the deployment process to automatically configure the gateway:

config_system --createtemplate <path>

To facilitate IPSO migrations, upgrade one IPSO gateway and create a customized IPSO to Gaia upgrade package. This upgrade package can be used to quickly upgrade multiple gateways without having to repeat the configuration details in the original upgrade. This upgrade package can also be used as a SmartUpdate upgrade package.

Manageable Dynamic Routing Suite


Eleven dynamic routing and multicasting protocols are supported by Gaia, providing flexible and uninterrupted network connectivity. All can be managed according to your preference from the WebUI or from the CLI.

Dynamic Routing Protocols
  RIP - RFC 1058
  RIPv2 (with authentication) - RFC 1723
  OSPFv2 - RFC 2328
  OSPF NSSA - RFC 3101
  BGP4 - RFCs 1771, 1963, 1966, 1997, 2918

Multicast Protocols
  IGMP - RFC 2236
  IGMPv3 - RFC 3376
  PIM-SM - RFC 4601
  PIM-SSM - RFC 4601
  PIM-DM - RFC 3973
  PIM-DM state refresh - draft-ietf-pim-refresh-02.txt

Table 2-2: Routing & Multicast Protocols


Native IPv4 and IPv6 Support


With the support of both IPv4 and IPv6 networking protocols, Gaia is designed to provide effective and comprehensive security for all modern networks, including the next generation of IP networks. Acceleration and Clustering Blade support for IPv6 is included. Customers migrating to IPv6 will benefit from the Dual Stack and Tunneling transition methods in Gaia.

Dual Stack is the concept of running IPv4 and IPv6 at the same time in parallel. That is, IPv4 and IPv6 packets flow over the same wire and are transmitted and received on the same interface. It is still the best transition strategy for most enterprise networks. Security policies can be implemented for IPv6 that match the security policies implemented for IPv4. Internal services can be made available on IPv6 in a gradual manner. Clients that are not able to run IPv6 will still be able to access services via IPv4.

Tunneling is the concept of running one protocol over another, for example carrying an IPv6 packet as the data portion of an IPv4 packet. A common use case is a home or small remote office that wants access to IPv6, but the ISP does not yet provide support for IPv6. With Gaia, IPv6 packets can be tunneled inside of IPv4 packets in order to reach the part of the Internet that supports IPv6. An enterprise use case of IPv6 over IPv4 tunnels is to bridge the parts of the Enterprise network that are IPv4 only. Gaia supports configured tunnels "IPv6 in IPv4" (RFC 4213), which is the main approach to tunnel IPv6 in IPv4. Similarly, "Generic Packet Tunneling in IPv6" is the main approach to tunnel IPv4 in IPv6. These may be host to host, host to router, or router to router. These tunnels are very similar to VPNs except they do not secure or authenticate the traffic. IPSEC VPN technology can also be used to create secure and/or authenticated tunnels. Unencrypted tunnels are appropriate inside an Enterprise, but using VPN technology is preferred for creating tunnels between the main Enterprise network and remote sites.
RFC 2460: IPv6 Basic specification
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
RFC 1981: Path Maximum Transmission Unit Discovery for IPv6
RFC 4862: IPv6 Stateless Address Auto-configuration
RFC 4007: IPv6 Scoped Address Architecture
RFC 4193: Unique Local IPv6 Unicast Addresses
RFC 4291: IPv6 Addressing Architecture
RFC 4443: ICMPv6
RFC 4861: Neighbor Discovery
RFC 3596: DNS Extensions to Support IP Version 6
RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers - 6in4 tunnel is supported.

Link Aggregation

Link Aggregation is a technology that joins multiple physical interfaces into one virtual interface known as a bond interface. The bond interface gives fault tolerance and increases throughput by sharing the load among many interfaces.

ClusterXL or VRRP Clusters

Whether your preferred network redundancy protocol is Check Point ClusterXL technology or the standard VRRP protocol (RFC 3768), it is no longer a "platform choice" you will have to make with Gaia. Both ClusterXL and VRRP are fully supported by Gaia, and Gaia is available for all Check Point Appliances, open servers and virtualized environments.

High Connection Capacity

Utilizing the efficiency of a 64-bit operating system, Gaia is capable of boosting the connection capacity of existing Check Point Appliances. Boosting connection capacity to 10M concurrent connections on 2012 Appliances, and to 70M concurrent connections on the 61000 Security System, makes it an ideal solution for all network environments, including the most demanding, high-performance networks. All supported appliances with a minimum of 6 GB of memory will benefit from the increased connection capacity of the 64-bit operating system.

Full Software Blade Support


Comprehensive security and multi-layered protection is enabled by Gaia and the full suite of Check Point Software Blades it supports. Full Software Blade support is provided for both Security Gateway and Security Management, including Multi-Domain Management.


Gaia System Information

Gaia system information is accessible through the WebUI and some CLI commands. In the WebUI, the Overview page contains a collection of configurable status display widgets.

Figure 25 - Gaia Overview Page


Widget - Description
System Overview - Shows system information, including:
  Installed product
  Product version number
  Kernel build
  Product build
  Edition (32 bit or 64 bit)
  Platform installed on
  Hardware serial number (if applicable)
Network Configuration - Shows interfaces, interface status, IP addresses
Memory Monitor - Graphical display of memory usage
CPU Monitor - Graphical display of CPU usage
Security Configuration - Lets you download the SmartConsole applications (Security Management Server installations only)

Table 2-3: Gaia Overview Page Widgets

You can use the CLI command: show uptime to show how long the system has
been running. The command show version all shows the full system version
information.


Practice and Review

Practice Labs

Lab 3: CLI Tools

Review
1. What are some of the advantages in deploying UTM-1 Edge Appliances?

2. How do you manage the Gaia Appliance?

3. How would you get Gaia system information?

CHAPTER 3 Introduction to the
Security Policy


Introduction to the Security Policy


The Security Policy is essential in administering security for your organization's network. This chapter examines how to create rules based on network objects, and modify a Security Policy's properties. In addition, this chapter will teach you how to apply Database Revision Control and Policy Package management to decrease the burden of management when working with rules and objects.

Learning Objectives:
Given the network topology, create and configure network, host and gateway
objects.
Verify SIC establishment between the Security Management Server and the
Gateway using SmartDashboard.
Create a basic Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use.
Evaluate existing policies and optimize the rules based on current corporate
requirements.
Maintain the Security Management Server with scheduled backups and policy
versions to ensure seamless upgrades and minimal downtime.


Security Policy Basics


The Security Policy is a set of rules that defines your network security using a Rule Base, whose rules are comprised of network objects such as gateways, hosts, networks, routers, and domains. Once a Rule Base is defined, the Policy is distributed to all Security Gateways across a network.

The Rule Base


Each rule in a Rule Base specifies the source, destination, service, and action to be taken for each session. A rule also specifies how a communication is tracked. Events can be logged, and then trigger an alert message. The figure is an example of a Rule Base:

Figure 26 - Rule Base

Managing Objects in SmartDashboard


Objects are created by the System Administrator to represent actual hosts and devices, as well as intangible components, such as services (for example, HTTP and TELNET) and resources (for example, URI and FTP). Each component of an organization has a corresponding object that represents it. Once these objects are created, they can be used in the rules of the Security Policy. Objects are the building blocks of Security Policy rules and are stored in the Objects database on the Security Management Server.

Objects in SmartDashboard are divided into several categories, which can be viewed in the different tabs of the Objects Tree. For instance, the Network Objects tab represents the physical machines and logical components, such as dynamic objects and address ranges, that make up your organization.

When creating objects, the System Administrator must consider the needs of the
organization:
What are the physical and logical components that make up the organization?
Each component that accesses the Security Gateway most likely needs to be
defined.
Who are the users and Administrators, and how should they be divided into
different groups?

Figure 27 - SmartDashboard

SmartDashboard and Objects

SmartDashboard is comprised of three principal areas, known as panes. From these panes, objects are created, manipulated, and accessed. The following section describes the functions and characteristics of each pane.

Object-Tree Pane
The Objects tree is the main view for managing and displaying objects. Objects are distributed among logical categories (called tabs), such as Network Objects and Services. Each tab orders its objects logically. For example, the Services tab locates all services using ICMP in the folder called ICMP.


Objects-List Pane

The Objects tree works with the Objects list. The Objects list displays current
information for a selected object category. For example, when a Logical Server
network object is selected in the Objects tree, the Objects list displays a list of
Logical Servers, with certain details displayed.

Object Types
The objects lists are divided into the following categories:
Network
Services
Resources
Servers and OPSEC Applications
Users and Administrators
VPN Communities

Rule Base Pane

Objects are implemented across various Rule Bases, where they are used in the
rules of various Policies. For example, network objects are generally used in the
Source, Destination or Install On columns, while time objects can be applied in
any Rule Base within the Time column.


Managing Objects
The Objects Tree is the main view for adding, editing, and deleting objects,
although these operations can also be performed from the menus, toolbars and
other views, such as in Rule Bases. You create objects to represent actual hosts
and devices, intangible components (such as HTTP and TELNET services) and
resources (for example, URI and FTP). Make an object for each component in
your organization. Then you can use the objects in the rules of the Security
Policy. Objects are stored in the Objects database on the Security Management
server.

[Figure 28 - Object Tree: the Network Objects tree context menu, with the entries Check Point, Nodes, Networks, Groups, Address..., Dynamic..., Query Objects..., Import... and Sort Tree]

Figure 28 - Object Tree

When you create your objects, consider the needs of your organization:
What are the physical components in your network?
What are the logical components - services, resources, and applications?
What components will access the firewall?
Who are the users, and how should they be grouped?
Who are the administrators, and what are their roles?
Will you use VPN, and if so, will it allow remote users?


Creating an Object with the Objects Tree


To add a new object, right-click the object type you would like to add. For
example, in the Network Objects tab, right-click Networks and select Network
from the displayed menu, or click the Action button on the Object List menu bar.

Editing an Object with the Objects Tree


To edit an existing object, right-click the desired object in the Objects tree and
select Edit from the displayed menu. Or double-click the object you would like to
modify.

Deleting an Object with the Objects Tree


To delete an existing object, right-click the object in the Objects tree and click
Delete from the displayed menu.

Classic View of the Objects Tree


In Classic view, network objects are displayed beneath their object type. For
example, a corporate mail server would appear under the Node category.

Check Point management stations and Security Gateways appear under the
category Check Point, DAIP servers appear in the category Dynamic Objects,
etc. Organizing objects by category is preferred for small-to-medium-sized
deployments. SmartDashboard opens to classic view by default, unless set to
Group view.

Group View of the Objects Tree


In Group view, network objects are organized by the group objects to which they
belong. For instance, group GW-group could include all of the gateway objects in
an organization. You can switch to Group view by right-clicking Network
Objects, and selecting Arrange by groups. As changing views can at first be
disorienting, a warning appears.


Creating the Rule Base


Each rule in a Rule Base defines the packets that match the rule based on
source, destination, service, and the time the packet is inspected. The first rule
that matches a packet is applied, and the specified Action is taken. The
communication may be logged and/or an alert may be issued, depending on what
has been entered in the Track field.

Figure 29 - Adding a Rule

Basic Rule Base Concepts


The SmartDashboard allows you to create a Rule Base, which builds your Security Policy from a collection of individual rules. Choose from the following options:

Add Rule - The position where the rule is to be placed: Bottom, Top, After, Before.

Delete Rule - Deletes the currently selected rule from the Rule Base.

Disable Rule - Disables a rule when testing a Security Policy; disabling a rule can also allow access to a previously restricted source or destination.

Hide - Hides, unhides, views, and manages hidden rules; hidden rules still apply, they are just not visible in the SmartDashboard. This feature is normally used to temporarily move groups of rules out of view, to minimize confusion when an Administrator is working on a complex Rule Base.

Rule Expiration - Allows a rule to be set with an activation date and time, and an expiration date and time, or a rule can be restricted to specific hours and days.


Default Rule
The Default Rule is added when you add a rule to the Rule Base. You can
configure this rule with all objects, services, and users installed on your database.

[Figure 30 - Default Rule: No. 1, Hits 0, Name blank, Source Any, Destination Any, VPN Any Traffic, Service Any, Action drop, Track None, Install On Policy Targets]

Figure 30 - Default Rule

The Default Rule is defined with the following information:

No. - Defines the number order of each rule; the first rule in the Rule Base is No. 1.

Hits - Tracks the number of connections each rule matches on this gateway.

Name - Gives Administrators a space to name the rule, helping to annotate the Rule Base; by default, it is blank.

Source - Displays the Object Manager screen, from which you can select network objects or a group of users, to add to the Rule Base; the default is Any.

Destination - Displays the Object Manager screen, from which you can select resource objects to add to the rule; the default is Any.

VPN - Displays the Add Objects VPN Communities screen, from which you can select a VPN Community to add to the rule; the default is Any Traffic.

Service - Displays the Service Manager screen, from which you can select services to add to the rule; the default is Any.

Action - Accepts, drops, or rejects the session, or provides authentication and encryption; the default is drop.

Track - Defines logging or alerting for this rule; the default is None. The options are: Account, Alert, Log, Mail, None, SnmpTrap, and UserDefined.

Install On - Specifies which firewalled objects will enforce the rule; the default is Policy Targets, which means all internal firewalled objects. (Throughout this handbook, all labs and examples assume this default, and the Install On column is not shown.)

Time - Specifies the time period for the rule; the default is Any. (Throughout this handbook, all labs and examples assume this default and the Time column is not shown.)

Comment - Allows Administrators to add notes about this rule; the default is a blank comment field.

Basic Rules
There are two basic rules used by nearly all Security Gateway Administrators:
the Cleanup Rule and the Stealth Rule.

[Figure 31 - Basic Rules, columns No., Hits, Name, Source, Destination, VPN, Service, Action, Track:
Rule 1, Stealth: Source Any, Destination Corporate-gw, VPN Any Traffic, Service Any, Action drop, Track Log
Rule 2, Cleanup: Source Any, Destination Any, VPN Any Traffic, Service Any, Action drop, Track Log]

Figure 31 - Basic Rules

Both the Cleanup and Stealth Rules are important for creating basic security measures, and tracking important information in SmartView Tracker.

Cleanup Rule - The Security Gateway follows the principle, "That which is not expressly permitted is prohibited". Security Gateways drop all communication attempts that do not match a rule. The only way to monitor the dropped packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup Rule, also known as the "None of the Above" rule, drops all communication not described by any other rules, and allows you to specify logging for everything being dropped by this rule.

Stealth Rule - To prevent any users from connecting directly to the Gateway, you should add a Stealth Rule to your Rule Base. Protecting the Gateway in this manner makes the Gateway transparent to the network. The Gateway becomes invisible to users on the network. The figure above displays a sample Stealth Rule.

In most cases, the Stealth Rule should be placed above all other rules. Placing the Stealth Rule at the top of the Rule Base protects your Gateway from port scanning, spoofing, and other types of direct attacks. Connections that need to be made directly to the Gateway, such as Client Authentication, encryption and Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.


Implicit/Explicit Rules
The Security Gateway creates a Rule Base by translating the Security Policy into a collection of individual rules. The Security Gateway creates implicit rules, derived from Global Properties, and explicit rules, created by the Administrator in the SmartDashboard.

Figure 32 - Implicit/Explicit Rules

An explicit rule is a rule that you create in the Rule Base. Explicit rules are
displayed together with implicit rules in the correct sequence, when you select to
view implied rules. To see how properties and rules interact, select Implied
Rules from the View menu. Implicit rules appear without numbering, and
explicit rules appear with numbering.

Implicit rules are defined by the Security Gateway to allow certain connections to
and from the Gateway, with a variety of different services. The Gateway enforces
two types of implicit rules that enable the following:
Control Connections
Outgoing packets

Control Connections

The Security Gateway creates a group of implicit rules that it places first, last, or before last in the explicitly defined Rule Base. These first implicit rules are based on the Accept control connections setting on the Global Properties window. The Gateway anticipates other possible connections relating to Gateway communication, and also creates implicit rules for those scenarios.

There are three types of Control Connections, defined by default rules:
Gateway specific traffic that facilitates functionality, such as logging, management, and key exchange
Acceptance of IKE and RDP traffic for communication and encryption purposes
Communication with various types of servers, such as RADIUS, CVP, UFP, TACACS, LDAP, and Logical Servers, even if these servers are not specifically defined resources in your Security Policy

Implied rules are generated in the Rule Base through Global Properties. Check the properties enforced in the FireWall Implied Rules screen, then choose a position in the Rule Base for the implied rule:
First - first in the Rule Base
Before Last - before the last rule in the Rule Base
Last - last rule in the Rule Base
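The following Python model is added here as an illustration and is not course material or Check Point code. It walks a small Rule Base top to bottom the way the text describes: implied First and Before Last rules are slotted around the explicit rules, the first matching rule wins, and a Stealth Rule placed below a permissive outbound rule lets LAN hosts reach the gateway itself. The addresses, rule names and sample connections are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass
class Rule:
    name: str
    source: object        # ANY, or a list of CIDR strings (a host is a /32)
    destination: object   # same form as source
    service: object       # ANY, or a list of services such as ["tcp/80"]
    action: str           # "accept", "drop" or "reject"
    track: str = "None"   # "Log", "Alert" or "None"


def _addr_matches(column, ip):
    return column == ANY or any(ip_address(ip) in ip_network(n) for n in column)


def _service_matches(column, service):
    return column == ANY or service in column


def build_rule_base(explicit, first=(), before_last=(), last=()):
    """Assemble the effective Rule Base in enforcement order.

    Implied rules marked First go above every explicit rule, Before Last
    rules go directly above the final explicit rule (normally the Cleanup
    Rule), and Last rules go after everything else.
    """
    if not explicit:
        return list(first) + list(before_last) + list(last)
    return (list(first) + list(explicit[:-1]) + list(before_last)
            + list(explicit[-1:]) + list(last))


def match(rule_base, src, dst, service):
    """Return (position, rule) for the first rule matching the connection.

    Evaluation stops at the first match. A connection matching no rule is
    dropped without a log entry, which is why an explicit Cleanup Rule with
    Track=Log is added at the bottom.
    """
    for position, rule in enumerate(rule_base, start=1):
        if (_addr_matches(rule.source, src)
                and _addr_matches(rule.destination, dst)
                and _service_matches(rule.service, service)):
            return position, rule
    return None, None


def decide(rule_base, src, dst, service):
    """(rule name, action) applied to the connection, for quick inspection."""
    _, rule = match(rule_base, src, dst, service)
    return (rule.name, rule.action) if rule else ("<no match>", "drop")


# Constructed topology for the example (assumed addresses, not from the course).
GATEWAY = ["192.168.1.1/32"]    # the Corporate-gw object
INTERNAL = ["10.1.1.0/24"]      # LAN behind the gateway

# Implied rule from Global Properties "Accept control connections", placed
# First: management traffic to the gateway is accepted above the Stealth Rule.
# tcp/18190 (CPMI) and tcp/18191 (CPD) are Check Point management ports.
CONTROL = Rule("Accept control connections", ANY, GATEWAY,
               ["tcp/18190", "tcp/18191"], "accept")

# Explicit rules as an Administrator would create them in SmartDashboard.
STEALTH = Rule("Stealth", ANY, GATEWAY, ANY, "drop", "Log")
WEB_OUT = Rule("LAN web access", INTERNAL, ANY, ["tcp/80", "tcp/443"], "accept", "Log")
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, "drop", "Log")


def recommended():
    """Stealth Rule on top, as the text recommends."""
    return build_rule_base([STEALTH, WEB_OUT, CLEANUP], first=[CONTROL])


def stealth_too_low():
    """Same rules with the Stealth Rule placed below the outbound web rule."""
    return build_rule_base([WEB_OUT, STEALTH, CLEANUP], first=[CONTROL])


if __name__ == "__main__":
    connections = [  # constructed sample connections: (source, destination, service)
        ("10.1.1.25", "192.168.1.1", "tcp/18190"),   # SmartDashboard to gateway
        ("10.1.1.25", "192.168.1.1", "tcp/80"),      # LAN host talking to the gateway
        ("10.1.1.25", "203.0.113.10", "tcp/80"),     # LAN host browsing the web
        ("203.0.113.99", "10.1.1.25", "tcp/22"),     # inbound from the Internet
    ]
    for label, rb in (("recommended", recommended()),
                      ("stealth too low", stealth_too_low())):
        print(f"== {label} ==")
        for src, dst, svc in connections:
            print(f"  {src} -> {dst} {svc}: {decide(rb, src, dst, svc)}")
```

With the Stealth Rule on top, the LAN host's connection to the gateway on tcp/80 is dropped and logged; with it below the web rule, the same connection is accepted because the web rule's destination Any includes the gateway.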

Detecting IP Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address. This alteration makes it appear as though the packet originated in the part of a network with higher access privileges. The Security Gateway has a sophisticated anti-spoofing feature that detects such packets, by requiring that the interface on which a packet enters a gateway corresponds to its IP address.

Figure 33 - Anti-Spoofing


Anti-spoofing verifies that packets are coming from, and going to, the correct
interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from
the internal network are actually coming from the internal-network interface. It
also verifies that, once a packet is routed, it is going through the proper interface.

Configuring Anti-Spoofing

To properly configure anti-spoofing, networks that are reachable from an
interface need to be defined appropriately. For anti-spoofing to be most effective,
it should be configured on all gateway interfaces. If anti-spoofing is implemented
on a specific interface, spoof tracking for that interface should also be defined.
This will help with both intrusion detection and troubleshooting.

To activate anti-spoofing, configure the firewalled-interface properties. The
Topology tab of the Interface Properties window allows you to configure anti-
spoofing properties of a gateway.


Rule Base Management


As a network infrastructure grows, so will the Rule Base created to manage the
network's traffic. If not managed properly, Rule Base order can affect Security
Gateway performance and negatively impact traffic on the protected networks.
Here are some general guidelines to help you manage your Rule Base effectively.

Before creating a Rule Base for your system, answer the following questions:
1. Which objects are in the network? Examples include gateways, hosts,
networks, routers, and domains.
2. Which user permissions and authentication schemes are needed?
3. Which services, including customized services and sessions, are allowed
across the network?

As you formulate the Rule Base for your Policy, these tips are useful to consider:

The Policy is enforced from top to bottom. Place the most restrictive rules at
the top of the Policy, then proceed with the generalized rules further down the
Rule Base. If more permissive rules are located at the top, the restrictive rule
may not be used properly. This allows misuse or unintended use of access, or an
intrusion, due to improper rule configuration.
Keep it simple. Grouping objects or combining rules makes for visual clarity
and simplifies debugging. If more than 50 rules are used, the Security Policy
becomes hard to manage. Security Administrators may have difficulty
determining how rules interact.
Add a Stealth Rule and Cleanup Rule first to each new Policy Package. A
Stealth Rule blocks access to the Gateway. Using an Explicit Drop Rule is
recommended for logging purposes.
Limit the use of the Reject action in rules. If a rule is configured to reject, a
message is returned to the source address, informing that the connection is not
permitted.
Use section titles to group similar rules according to their function. For
example, rules controlling access to a DMZ should be placed together. Rules
allowing an internal network access to the Internet should be placed together,
and so on. This allows easier modification of the Rule Base, as it is easier to
locate the appropriate rules.


Comment each rule! Documentation eases troubleshooting, and explains why
rules exist. This assists when reviewing the Security Policy for errors and
modifications. This is particularly important when the Policy is managed by
multiple Administrators. In addition, this Comment option is available when
saving database versions. See the Database Revision Control section in this
chapter.
For efficiency, the most frequently used rules are placed above less-frequently
used rules. This must be done carefully, to ensure a general-accept rule is not
placed before a specific-drop rule.

Understanding Rule Base Order


Before you can define Security Policy properties, you must consider Rule Base
order. The Security Gateway inspects packets by comparing them to the Security
Policy, one rule at a time. For this reason, it is important to define each rule in the
Security Policy in the appropriate order. Firewall implied rules are placed first,
last, or before last in the Rule Base and can be logged. Rules are processed in the
following order:

IP spoofing/IP options:
1. First: This rule cannot be modified or overwritten in the Rule Base because
the first rule that matches is always applied to the packet and no rules can be
placed before it. Implied rules are processed before administrator explicitly-
defined rules.
2. Explicit: These are the administrator-defined rules, which may be located
between the first and the before-last rules.
3. Before Last: These are more specific implied rules that are enforced before
the last rule is applied.
4. Last: A rule that is enforced after the last rule in the Rule Base, which
normally rejects all packets, usually referred to as the Cleanup Rule.
5. Implicit Drop Rule: No logging occurs.
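The following Python model is an added illustration, not code from the Check Point manual or product. It applies the enforcement order just described to constructed packets: the anti-spoofing check from the Detecting IP Spoofing section first, then implied First rules, the explicit rules, implied Before Last rules, the last explicit rule, implied Last rules, and finally the unlogged implicit drop. It also includes a small shadowing check for the ordering mistake the Rule Base Management tips warn about (a permissive rule placed above a specific drop). The interface topology, the gateway address 203.0.113.1, the rule set and the port used for the implied control-connection rule are all assumptions made for this example.

```python
# Added example (not from the Check Point manual): a first-match model of the
# enforcement order described above. Topology, addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed interface topology: networks defined as reachable behind each interface.
TOPOLOGY = {
    "eth1": [ipaddress.ip_network("10.1.1.0/24")],      # internal LAN
    "eth2": [ipaddress.ip_network("172.16.10.0/24")],   # DMZ
}
EXTERNAL_IFACE = "eth0"        # external: everything not behind an internal interface
GATEWAY_IP = "203.0.113.1"     # constructed gateway address (documentation range)


@dataclass
class Rule:
    name: str
    src: str        # IPv4 network in CIDR form, or "Any"
    dst: str
    service: str    # e.g. "tcp/80", or "Any"
    action: str     # "Accept", "Drop" or "Reject"
    log: bool = True


@dataclass
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    service: str


def anti_spoofing_ok(iface: str, src: str) -> bool:
    """The source address must belong to a network defined behind the arrival
    interface; on the external interface it must not belong to any internal one."""
    addr = ipaddress.ip_address(src)
    internal = [net for nets in TOPOLOGY.values() for net in nets]
    if iface == EXTERNAL_IFACE:
        return not any(addr in net for net in internal)
    return any(addr in net for net in TOPOLOGY.get(iface, []))


def _match(selector: str, value: str) -> bool:
    return selector == "Any" or ipaddress.ip_address(value) in ipaddress.ip_network(selector)


# Implied rules as generated from Global Properties (constructed; port 18190 for
# the control connection is an assumption of this example).
IMPLIED_FIRST = [Rule("Implied: accept control connections", "Any", f"{GATEWAY_IP}/32",
                      "tcp/18190", "Accept", log=False)]
IMPLIED_BEFORE_LAST = [Rule("Implied: outgoing packets from gateway", f"{GATEWAY_IP}/32",
                            "Any", "Any", "Accept", log=False)]
IMPLIED_LAST = []

# Administrator-defined rules: Stealth first, specific rules, Cleanup last.
EXPLICIT = [
    Rule("Stealth", "Any", f"{GATEWAY_IP}/32", "Any", "Drop"),
    Rule("LAN to web", "10.1.1.0/24", "Any", "tcp/80", "Accept"),
    Rule("Public to DMZ web server", "Any", "172.16.10.10/32", "tcp/80", "Accept"),
    Rule("Cleanup", "Any", "Any", "Any", "Drop"),
]


def enforcement_order(explicit):
    """First -> explicit rules (all but the last) -> Before Last -> last explicit rule -> Last."""
    return IMPLIED_FIRST + explicit[:-1] + IMPLIED_BEFORE_LAST + explicit[-1:] + IMPLIED_LAST


def inspect(pkt: Packet, explicit=EXPLICIT):
    """Return (action, name of the matching rule, logged). Anti-spoofing runs before
    any rule; the implicit drop at the very end generates no log entry."""
    if not anti_spoofing_ok(pkt.iface, pkt.src):
        return ("Drop", "Anti-spoofing", True)
    for rule in enforcement_order(explicit):
        if (_match(rule.src, pkt.src) and _match(rule.dst, pkt.dst)
                and rule.service in ("Any", pkt.service)):
            return (rule.action, rule.name, rule.log)
    return ("Drop", "Implicit drop", False)


def _covers(a: str, b: str) -> bool:
    if a == "Any":
        return True
    if b == "Any":
        return False
    return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))


def shadowed_rules(explicit):
    """Names of explicit rules that can never match because an earlier, broader
    rule already matches every packet they would (a permissive rule above a
    specific drop)."""
    names = []
    for i, later in enumerate(explicit):
        for earlier in explicit[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.service in ("Any", later.service)):
                names.append(later.name)
                break
    return names


if __name__ == "__main__":
    for p in (Packet("eth1", "10.1.1.5", "198.51.100.7", "tcp/80"),
              Packet("eth0", "10.1.1.5", "198.51.100.7", "tcp/80"),     # spoofed internal source
              Packet("eth0", "198.51.100.9", GATEWAY_IP, "tcp/18190"),  # control connection
              Packet("eth0", "198.51.100.9", GATEWAY_IP, "tcp/22")):    # stopped by Stealth
        print(p.iface, p.src, "->", p.dst, p.service, inspect(p))
```

Two things the model makes visible that the prose only states: a control connection to the gateway is accepted by the implied First rule even though the Stealth rule would drop it, because implied First rules are enforced before any explicit rule; and without a Cleanup rule a non-matching packet is still dropped, but silently, by the implicit drop.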


Completing the Rule Base


When you have defined the desired rules, you must install the Security Policy.
The installation process specifies the network object on which the Security
Policy is installed. Only managed objects are available for Policy installation. In
contrast, the Install On element in the Rule Base specifies the network object that
is to enforce a specific rule.

There are times when verifying a Security Policy is useful to System
Administrators. By verifying a Security Policy, you check that rules are
consistent, and that there are no redundant rules before Security Policy
installation.


Policy Management and Revision Control

Policies are created by the system administrator and managed via the Security
Management server. Different versions of these policies can be saved. Each
version includes backups of the various databases (objects, users, Certificate
Authority data, etc.). This information is zipped and saved.

The existing versions are recorded in a "Version" table. This table can be viewed
and the versions which are displayed can be modified. It is possible to:
Create a Version
Export and Import a Version
View a Version
Revert to a Previous Version
Delete a Version

Versions can be created manually by the system administrator, or the system can
be set to automatically create a new version every time Security Policy
installation takes place. It is recommended to create a version before upgrading
the system. This enables the administrator to back out to a functioning
environment in case of problems during the upgrade operation.

Important - The Revision Control feature is not supported when the Security
Management database contains VSX objects. You must not select the Create
database version option in SmartDashboard when you install a policy.

Policy Package Management

Some circumstances require multiple versions of a Security Policy, but the object
database needs to stay the same. Often this will be when adding or consolidating
rules in an existing Rule Base, or creating a new set of rules on a Gateway. In
these circumstances, using Policy Package management is better than creating
multiple versions of the system database.
These two points are worth consideration when saving your Policies:
The new Policy Package includes Firewall, Address Translation, Application
& URL Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security policies.
It is an ideal management utility for a distributed installation with multiple
Security Gateways; specific Policies are created for specific Security
Gateways.


The Security Management Server provides a wide range of tools that address
various Policy management tasks, both at the definition stage and at the
maintenance stage:
Policy Packages - Allow you to easily group different types of Policies, to
be installed together on the same installation target(s).
Predefined Installation Targets - Allow you to associate each Policy
Package with the appropriate set of Gateways; this feature frees you of the
need to repeat the Gateway selection process every time you install (or uninstall)
the Package, with the option to easily modify the list at any given time. In
addition, it minimizes the risk of installing Policies on inappropriate targets.
Section Titles - Allow you to visually break your Rule Base into subjects,
thereby instantly improving your orientation and ability to locate rules and
objects of interest.
Queries - Provide versatile search capabilities for both objects and the rules
in which they are used.
Sorting - Using the Objects tree and Objects list pane is a simple and quick
way to locate objects; this feature is greatly facilitated by consistent use of
naming and coloring conventions.

Database Revision Control


Database Revision Control gives the Administrator freedom to create fallback
configurations when implementing new objects and rules, or adjusting rules and
objects as networks change. This can help the Administrator test new Rule Base
and object configurations, or can be used to revert to an earlier configuration for
troubleshooting.

Consider these points when saving your Policies:

The database version consists of all Policies on a single Gateway, and objects
and users configured, including settings in SmartDefense and Global
Properties.
It is an ideal management utility for a stand-alone or distributed deployment
with a single Gateway.
It is configurable to automatically create new database versions on Policy
installation.


This table compares the advantages of using Database Revision Control and
Policy Package Management:

Policy or Database Management Utility    Considerations

Database Revision Control                Database version consists of all Policies,
                                         objects and users configured, including
                                         settings in SmartDefense and Global
                                         Properties.
                                         Ideal management utility for a stand-alone
                                         deployment, or distributed with a single
                                         Gateway deployment.
                                         Configurable to automatically create new
                                         database versions on Policy installation.

Policy Package Management                Policy Package including only Security and
                                         NAT, QoS, and Desktop Security settings.
                                         Ideal management utility for a distributed
                                         installation with multiple Security
                                         Gateways; specific Policies created for
                                         specific Security Gateways.



Multicasting
Multicasting transmits a single message to a select group of recipients. A typical
use of multicasting is to distribute real-time audio and video to a set of hosts that
have joined a distributed conference. IP multicasting applications send one copy
of each IP packet, and address it to a group of computers that want to receive it.
This technique addresses datagrams to a group of receivers at a multicast address,
rather than to a single receiver at a unicast address. Network routers forward the
datagrams to only those routers and hosts that need to receive them.

Figure 34 - Multicast Address Range Properties

The Multicast Restrictions tab in the Interface Properties window drops multicast
packets according to configured conditions. Security Administrators can
configure a list of address ranges to drop or accept.

Figure 35 - Interface Properties


To configure multicast access control:

1. In the Topology window of the Gateway's General Properties, edit the
appropriate interface.
2. In the Interface Properties window's Multicast Restrictions tab, select Drop
Multicast packets by the following conditions.
3. After selecting your drop option and clicking Add, you are prompted to select
a Multicast Address Range in the Add Object window. Click Add, and in the
Multicast Address Range Properties window, define either an IP address
range or a single IP address that is in the range 224.0.0.0-239.255.255.255.
4. In the Rule Base, add a rule to allow the required multicast groups. In the
destination of the rule, specify the multicast groups defined in step 3.
5. Save and install the Policy.
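The following Python model is an added example, not code from the manual or the product. It walks constructed multicast destinations through the two checks the procedure above sets up: the interface's Multicast Restrictions list (step 2 and 3) and the Rule Base rule that must still allow the group (step 4). The 224.0.0.0-239.255.255.255 validation comes from the text; the configured ranges, group addresses and option names in the code are assumptions.

```python
# Added example (not from the manual or the product): the two checks a multicast
# packet passes, per the procedure above. Ranges and group addresses are constructed.
import ipaddress

MULTICAST_BLOCK = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255


def multicast_range(first: str, last: str = None):
    """A Multicast Address Range object: a single address or a range that lies
    entirely inside 224.0.0.0-239.255.255.255. Returns (low, high)."""
    low = ipaddress.ip_address(first)
    high = ipaddress.ip_address(last if last else first)
    if low > high or low not in MULTICAST_BLOCK or high not in MULTICAST_BLOCK:
        raise ValueError(f"{first}-{last or first} is not a valid multicast range")
    return low, high


def is_valid_multicast_range(first: str, last: str = None) -> bool:
    """True when the properties window would accept the range."""
    try:
        multicast_range(first, last)
        return True
    except ValueError:
        return False


def interface_restriction(dst: str, ranges, drop_listed: bool = True) -> str:
    """Multicast Restrictions tab. drop_listed=True drops multicast packets whose
    destination is in one of the configured ranges and passes all others on to the
    Rule Base; drop_listed=False passes only the listed ranges and drops the rest.
    Unicast destinations are not affected by this tab."""
    addr = ipaddress.ip_address(dst)
    if addr not in MULTICAST_BLOCK:
        return "pass"
    listed = any(low <= addr <= high for low, high in ranges)
    return "drop" if listed == drop_listed else "pass"


def rule_base_allows(dst: str, allowed_groups) -> bool:
    """Step 4: a group that survives the interface restriction still needs a rule
    whose destination contains the group."""
    addr = ipaddress.ip_address(dst)
    return any(low <= addr <= high for low, high in allowed_groups)


def multicast_decision(dst: str, restricted, allowed, drop_listed: bool = True) -> str:
    """Outcome for one destination address under a constructed configuration."""
    if ipaddress.ip_address(dst) not in MULTICAST_BLOCK:
        return "not multicast (ordinary Rule Base inspection)"
    if interface_restriction(dst, restricted, drop_listed) == "drop":
        return "dropped by Multicast Restrictions"
    if not rule_base_allows(dst, allowed):
        return "dropped by Rule Base (no rule for this group)"
    return "accepted"


if __name__ == "__main__":
    # Constructed configuration: drop one administratively scoped block, allow one group.
    restricted = [multicast_range("239.255.0.0", "239.255.255.255")]
    allowed = [multicast_range("232.1.1.1")]
    for group in ("232.1.1.1", "239.255.1.1", "224.0.0.251"):
        print(group, "->", multicast_decision(group, restricted, allowed))
```

The third sample address shows the point of step 4: a group that is not on the drop list is still dropped unless an explicit rule names it as a destination.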


Practice and Review

Practice Labs
Lab 4: Building a Security Policy

Lab 5: Configuring the DMZ

Review
1. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
Security Policy. What should the Administrator consider before creating
objects?

2. What are some important considerations when formulating or updating a Rule
Base?



CHAPTER 4 Monitoring Traffic and Connections




Monitoring Traffic and Connections


To manage your network effectively and to make informed decisions, you need to
gather information on the network's traffic patterns.

Learning Objectives
Use Queries in SmartView Tracker to monitor IPS and common network
traffic and troubleshoot events using packet data.
Using packet data on a given corporate network, generate reports,
troubleshoot system and security issues, and ensure network functionality.
Using SmartView Monitor, configure alerts and traffic counters, view a
Gateway's status, monitor suspicious activity rules, analyze tunnel activity
and monitor remote user access based on corporate requirements.


SmartView Tracker
Check Point's SmartView Tracker provides visual tracking, monitoring, and
accounting information for all connections logged by Check Point components.
Online viewing features enable real-time monitoring of network activity.
SmartView Tracker provides control over every event, including those causing
alerts, as well as certain important system events, such as Security Policy
installation or uninstallation.

To log in to SmartView Tracker, select SmartConsole > SmartView Tracker
from the SmartDashboard main menu, or click Start > Programs > Check Point
SmartConsole R76 > SmartView Tracker:

Figure 36 - SmartView Tracker

Log Types
The format of log entries requested by a rule is determined by the log type
specified in the rule. You can select the log entries and data fields to display.
SmartView Tracker also allows you to navigate the log file. You can display one
of several log types from the Network & Endpoint Queries tree, as shown.

Log types are defined as either predefined or custom. The predefined types
include log details specific to that type. For instance, UA WebAccess displays
UserAuthority Web access log data for SecureClient entries, and the Account
type displays changes made to fields over time.


Figure 37 - Log Types

SmartView Tracker toolbar buttons also enable Administrators to define custom
log queries that can be saved for recurring use. The custom query allows the
column widths to be modified, and also allows selection of various log
information to display.


SmartView Tracker Tabs


SmartView Tracker has three predefined, optional views. These views can be
modified and saved. Select views with tabs located above the main log-viewing
area, as shown below:
Network & Endpoint tab - Displays the default view for SmartView
Tracker, and shows all security-related events.

Active tab - Shows currently open, active connections in SmartView
Tracker. The Active Connections screen displays as shown in Figure 5-3, and
also includes the Elapsed or duration of the connection, the Bytes or amount
of data passed on the connection, and any additional information about the
connection.

Management tab - Displays only audit entries in SmartView Tracker; this
enables you to track changes made to objects in the Rule Base, and tracks
general SmartDashboard use.

Figure 38 - SmartView Tracker Tabs


Action Icons
Each tab displays log fields regarding both the product that generated the log, and
the type of operation performed. Action icons provide a visual representation of
the log's operation. The following table gives a description of some of the
different types of actions recorded by SmartView Tracker:

Action
Accept - The connection was allowed to proceed.
Reject - The connection was blocked.
Drop - The connection was dropped without notifying the source.
Encrypt - The connection was encrypted.
Decrypt - The connection was decrypted.
Key Install - The encryption keys were created.


Working with SmartView Tracker

Log-File Management

The SmartView Tracker toolbar allows you to perform the following tasks:
1. Open Log File - When you select Open, you can open other log files.
2. Save Log File As - When saving a log file, the current log entries will be
written to file. Only the records that match the selection criteria will be saved
to the file; both entries that are visible in the screen, and those that are not
visible.
3. Switch Log File - In this window, you can select the default log file or
specify a particular log file name. This operation actually performs a log file
switch.
4. Remote Files Management - In this window, you can transfer log files
from a remote machine to the machine to which the SmartView Tracker is
currently connected.
5. Show or hide Fetch Progress - After clicking Get File List from the
Remote Files Management window, you can click Fetch Files and toggle the
display of the Files Fetch Progress window. The file transfer operation will
continue even if the Files Fetch Progress window is closed. It is interrupted
only if you click the Abort button.
6. Query Options - These buttons allow you to toggle the display of the query
tree pane, open an existing query, save a custom query, or save a custom
query under a new name.

Administrator Auditing

SmartView Tracker logs Security Administrator activities, including:
Administrator login and logout.
Object creation, deletion, and editing.
Rule Base changes.

Administrator auditing simplifies the process of tracking and troubleshooting
Security Policy changes, especially in environments with more than one
Administrator. Via the Management tab, it is possible to see the changes made by
a particular Administrator, or see who modified an object and what changes were
made.

Figure 39 - Auditing

Logging provides a historical record of logged connections. Logs are essential for
security management, so properly configuring Security Gateway to log
connections of interest is important.

Global Logging and Alerting

The Global Properties Log and Alert window, accessed by clicking Policy>
Global Properties> Log and Alert, allows you to define global log-and-alert
parameters.

VPN successful key exchange - Specifies the action to be taken when VPN keys
are successfully exchanged.

VPN packet handling errors - Specifies the action to be taken when
encryption or decryption errors occur.

VPN configuration and key exchange errors - Specifies the action to be taken
when logging configuration or key-exchange errors occur; for example, when
attempting to establish encrypted communication with a network object inside
the same VPN Domain.

IP Options drop - Specifies the action to take when a packet with IP options is
encountered; the Security Gateway always drops these packets, but you can log
them or issue an alert.

Administrative notifications - Specifies the action to be taken when an
administrative event occurs, for example, when a Certificate is about to expire.

SLA violation - Specifies the action to be taken when an SLA violation occurs,
as defined in the Virtual Links window.

Connection matched by SAM - Specifies the action to be taken when a
connection is blocked by Suspicious Activities Monitoring (SAM); for
information about SAM, see http://www.opsec.com.

Dynamic object resolution failure - Specifies the action to be taken when a
dynamic object cannot be resolved.

Log every authenticated HTTP connection - Specifies that a log entry should
be generated for every authenticated HTTP connection.

Log VoIP connection - Generates additional log entries for every VoIP
connection; additional log entries for SIP contain information about the user (SIP
URL, for example, fred@bloggs.com). Additional log entries for H.323 contain
information about phone numbers.

Time Settings

The Time Settings window allows you to configure time settings associated with
system-wide logging-and-alert parameters.
Excessive log grace period - Specifies the minimum amount of time
between consecutive logs of similar packets: two packets are considered
similar, if they have the same source address, source port, destination address
and destination port, and the same protocol was used. After the first packet,
similar packets encountered within the grace period will be acted upon
according to the Security Policy, but only the first packet generates a log entry
or an alert.

SmartView Tracker resolving - After a specified amount of time, displays
a log page, without resolving names and showing only IP addresses.

Virtual Link statistics logging interval - Specifies the frequency with
which Virtual Link statistics will be logged; this parameter is relevant only for
Virtual Links defined with Log SLA values enabled in the SLA Parameters
tab of the Virtual Link window. Virtual Links are defined by clicking Manage
> SmartView Monitor > Virtual Links from the main menu.

Status fetching interval - Specifies the frequency at which the Security
Management Server queries the Security Gateway, Check Point QoS, and
other software it manages for status information; any value from 30 to 900
seconds can be entered in this field.
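As an added illustration (not the product's code), the following Python class reproduces the Excessive log grace period behaviour described above on a constructed burst of similar packets: every packet is still handed to the Security Policy, but only the first packet per five-tuple inside the grace period produces a log entry. The 60-second grace value and the sample packets are assumptions made for this example; the real value is whatever is set in the Time Settings window.

```python
# Added example (not the product's code): how the Excessive log grace period
# collapses repeated similar packets into one log entry. Sample packets are constructed.


class LogGracePeriod:
    """Packets are 'similar' when source address, source port, destination
    address, destination port and protocol all match. Every packet is still
    enforced; only the first similar packet inside the grace period is logged."""

    def __init__(self, grace_seconds: float):
        self.grace = grace_seconds          # constructed value; set in Time Settings
        self._last_log = {}                 # 5-tuple -> time of its last log entry
        self.enforced = 0                   # packets handed to the Security Policy
        self.logged = 0                     # log entries actually generated

    @staticmethod
    def key(pkt: dict) -> tuple:
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    def handle(self, pkt: dict, now: float) -> bool:
        """Apply the policy to pkt (counted as enforced) and return True only if
        a log entry is generated for it."""
        self.enforced += 1
        k = self.key(pkt)
        last = self._last_log.get(k)
        if last is not None and now - last < self.grace:
            return False                    # similar packet inside the grace period
        self._last_log[k] = now
        self.logged += 1
        return True

    def expire(self, now: float) -> None:
        """Forget tuples whose grace period has already elapsed, so the table
        does not grow without bound on a busy gateway."""
        self._last_log = {k: t for k, t in self._last_log.items() if now - t < self.grace}


def simulate(grace_seconds: float = 60.0):
    """Constructed burst: one host retries the same blocked connection every
    5 seconds for two minutes, plus one unrelated connection at t=30.
    Returns (packets enforced, log entries generated)."""
    tracker = LogGracePeriod(grace_seconds)
    retry = {"src": "10.1.1.5", "sport": 40000, "dst": "172.16.10.10", "dport": 23, "proto": "tcp"}
    other = {"src": "10.1.1.6", "sport": 40001, "dst": "172.16.10.10", "dport": 23, "proto": "tcp"}
    for t in range(0, 120, 5):              # 24 retries at t = 0, 5, ..., 115
        tracker.handle(retry, float(t))
    tracker.handle(other, 30.0)
    tracker.expire(130.0)
    return tracker.enforced, tracker.logged


if __name__ == "__main__":
    print(simulate())   # all 25 packets enforced, only 3 log entries written
```

With a 60-second grace period the 24 retries produce log entries only at t=0 and t=60; setting the grace period to 0 logs every packet, which is what a troubleshooting session sometimes needs and what makes the setting a trade-off between log volume and visibility.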

Blocking Connections
You can terminate an active connection and block further connections from and
to specific IP addresses, using the SmartView Tracker Block Intruder function.
To block an active connection with Block Intruder, select the connection you
want to block, then select Tools > Block Intruder from the menu.

Figure 40 - Block Intruder

The Block Intruder window displays. In the Blocking Scope fields, select one of
the options:
Block all connections with the same source, destination and service -
Block the connection or any other connection with the same service, source or
destination.



Block access from this source - The connection is terminated, and all
further attempts to establish connections from this source IP address will be
denied.

Block access to this destination - The connection is terminated, and all
further attempts to establish connections to this destination IP address will be
denied.

In the Blocking Timeout field, select one of the options: Indefinite - Block
all further access. For... minutes - Block all further access attempts for the
specified number of minutes.

In the Force this blocking field, select one of the options:

Only on... - Block access attempts through the indicated Security Gateway.
On any Security Gateway - Block access attempts through Security
Gateways defined as gateways or hosts on the log server. The connection will
remain blocked, until you choose Tools > Clear Blocking from the main
menu.
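The following Python model is an added example, not part of the manual, that represents the Block Intruder options above as a small block table: the three Blocking Scope choices, the Indefinite or For... minutes timeout, and whether the block is enforced only on the named gateway or on any Security Gateway. Gateway names, addresses and times are constructed.

```python
# Added example (not part of the manual): Block Intruder's scope, timeout and
# enforcement options as a small block table. All names and addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional

SAME, SOURCE, DESTINATION = "same", "source", "destination"   # the three Blocking Scope options


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str


@dataclass
class Block:
    scope: str                  # SAME, SOURCE or DESTINATION
    conn: Connection            # the connection selected in SmartView Tracker
    gateway: Optional[str]      # "Only on..." this gateway; None = "On any Security Gateway"
    expires: Optional[float]    # absolute time the block lapses; None = Indefinite

    def applies(self, conn: Connection, gateway: str, now: float) -> bool:
        if self.expires is not None and now >= self.expires:
            return False                      # the "For... minutes" period has elapsed
        if self.gateway is not None and gateway != self.gateway:
            return False                      # enforced only on the named gateway
        if self.scope == SOURCE:
            return conn.src == self.conn.src
        if self.scope == DESTINATION:
            return conn.dst == self.conn.dst
        return conn == self.conn              # same source, destination and service


class BlockTable:
    def __init__(self):
        self.blocks: List[Block] = []

    def block_intruder(self, conn: Connection, scope: str, now: float,
                       minutes: Optional[int] = None, gateway: Optional[str] = None) -> None:
        """Tools > Block Intruder: the selected connection is terminated and a
        block with the chosen scope, timeout and enforcement target is recorded."""
        expires = None if minutes is None else now + minutes * 60
        self.blocks.append(Block(scope, conn, gateway, expires))

    def is_blocked(self, conn: Connection, gateway: str, now: float) -> bool:
        """Would a new connection attempt through `gateway` at time `now` be denied?"""
        return any(b.applies(conn, gateway, now) for b in self.blocks)

    def clear_blocking(self) -> None:
        """Tools > Clear Blocking."""
        self.blocks.clear()


def demo() -> dict:
    """Constructed scenario: block the source of a telnet probe for 10 minutes,
    only on the DMZ gateway, then check what else the block catches."""
    table = BlockTable()
    probe = Connection("198.51.100.9", "172.16.10.10", "tcp/23")
    table.block_intruder(probe, SOURCE, now=0.0, minutes=10, gateway="gw-dmz")
    other_target = Connection("198.51.100.9", "172.16.10.20", "tcp/80")
    return {
        "same source, DMZ gateway, 1 min later": table.is_blocked(other_target, "gw-dmz", 60.0),
        "same source, LAN gateway": table.is_blocked(other_target, "gw-lan", 60.0),
        "same source, after the 10 minutes": table.is_blocked(other_target, "gw-dmz", 601.0),
        "different source": table.is_blocked(Connection("198.51.100.10", "172.16.10.10", "tcp/23"),
                                             "gw-dmz", 60.0),
    }


if __name__ == "__main__":
    for check, blocked in demo().items():
        print(f"{check}: {'blocked' if blocked else 'allowed'}")
```

The scenario makes the scope and enforcement choices concrete: a source-scoped block stops the same host reaching a different server and service, but only on the gateway it was forced on, and it lapses on its own when a timeout was chosen, whereas an Indefinite block stays until Clear Blocking.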


SmartView Monitor


SmartView Monitor is a high-performance network and security analysis system
that helps you easily administer your network, by establishing work habits based
on learned system-resource patterns. SmartView Monitor provides a single,
central interface for monitoring network activity and performance of Check Point
applications. SmartView Monitor allows Administrators to easily configure and
monitor different aspects of network activities. Graphical views can easily be
viewed from an integrated, intuitive GUI.

Figure 41 - SmartView Monitor

Predefined views include the most frequently used traffic, counter, tunnel,
gateway, and remote-user information. For example, Check Point system
counters collect information on the status and activities of Check Point Blades
(for example, Firewall). Using custom or predefined views, Administrators can
drill down on the status of a specific gateway and/or segment of traffic to identify
top bandwidth hosts that may be affecting network performance. If suspicious
activity is detected, Administrators can immediately apply a security rule to the
appropriate Security Gateway to block that activity. These security rules can then
be created dynamically via the graphical interface, and can be set to expire within
a certain time period.

Real-time and historical reports of monitored events can be generated to provide
a comprehensive view of gateways, tunnels, remote users, network, security, and
Security Gateway performance over time. To log in to SmartView Monitor, select
Window > SmartView Monitor from the SmartDashboard main menu. Or, click
Start > Programs > Check Point SmartConsole R76 > SmartView Monitor.



Customized Views
SmartView Monitor enables graphical views depicting data for several types of
measurements, including bandwidth, round-trip time, packet rate, CPU use, etc.
The most efficient way to yield helpful information is to create a view based on
your specific needs. It is possible to create customized views for view types (for
example, status, traffic, system statistics, and tunnels). The customization
provides the ability to filter specific data and how the data is to be displayed.

Figure 42 - Customized Views

Gateway Status View

SmartView Monitor enables information about the status of all Gateways in a
network. The data in the results pane (upper right) provides information about all
Gateways in the organization, as well as pertinent information about the Gateway
(such as its IP addresses, the last time it was updated, and its status). This
information is directly linked to the view selected in the tree pane (left). Each row
in the table represents a Gateway.

Traffic View

SmartView Monitor makes Administrators aware of traffic associated with
specific network activities, servers, clients, etc., as well as activities, hardware,
and software use of different Check Point products in real time. Among other
things, this knowledge enables Administrators to:
Block specific traffic when a threat is imposed.


Assume instant control of traffic flow on a Gateway.
Learn about how many tunnels are currently open, or about the rate of new
connections passing through the Security Gateway.

You can generate fully detailed or summarized graphs and charts for all
connections and for numerous rates and figures when calculating network use.
System Counters provides in-depth details on Gateway use and activity. As a
Security Administrator, you can generate system status information about:
Resource use for the variety of components associated with the Security
Gateway.
Gateway performance statistics for a variety of firewalled components.
Detect and monitor suspicious activity.

Tunnels View
VPN tunnels are secure links between Security Gateways, and ensure secure
connections between an organization's gateways and its remote-access clients.
Once tunnels are created and put to use, Administrators can keep track of their
normal functions, so possible malfunctions and connectivity problems can be
accessed and solved as soon as possible.

Figure 43 - Tunnels

To ensure this security level, SmartView Monitor can recognize malfunctions and
connectivity problems by constantly monitoring and analyzing the status of
organizations' tunnels. With the use of tunnel queries, Administrators can
generate fully detailed reports that include information about all tunnels that
fulfill specific tunnel-query conditions. With this information, it is possible to
monitor tunnel status, the VPN Community with which a tunnel is associated, the
Gateways to which a tunnel is connected, etc.

Check Point Security Administration 96

Customized Views

Remote Users View

The Remote Users view allows you to keep track of VPN remote users currently
logged in (i.e., SecuRemote, SecureClient and SSL Network Extender, and in
general any IPSec client connecting to the Security Gateway). It provides you
with filtering capabilities, making it easier to navigate through the entries.

Figure 44 - Remote Users


The Remote Users view provides detailed real-time information about remote
users' connectivity, using data collected from sources such as current open
sessions, overlapping sessions, route traffic, and connection time.

Cooperative Enforcement View

Cooperative Enforcement is a feature that works in conjunction with the
Endpoint Server. The Cooperative Enforcement view utilizes the Endpoint Server
compliance capability to verify connections arriving from various hosts across
the internal network. Easily deployed and managed, the Endpoint Server
mitigates the risk of hackers, worms, spyware, and other security threats.

Figure 45 - Cooperative Enforcement

Using Cooperative Enforcement, any host initiating a connection through a
Gateway is tested for compliance. (The Gateway generates logs for unauthorized
hosts. The logs generated for both authorized and unauthorized hosts can be
viewed in SmartView Monitor.) This increases the integrity of the network,
because it prevents hosts with malicious software components from accessing the
network.

This feature acts as a middleman between hosts managed by an Endpoint Server
and the Endpoint Server itself. It relies on the Endpoint Server compliance
feature, which defines whether a host is secure and can block connections that do
not meet the defined prerequisites of software components.
Monitoring Suspicious Activity Rules
The fast-changing network environment demands the ability to immediately react
to a security problem, without having to change the entire network's Rule Base
(for example, to instantly block a specific user). All inbound and outbound
network activity should be inspected and identified as suspicious when necessary
(for instance, when network or system activity indicates that someone is
attempting to break in).

Figure 46 - External Suspicious Activity Rules

SmartView Monitor enables the integration of a suspicious-activity monitoring
program that is used to modify access privileges, upon detection of any
suspicious network activity. This detection is based on the creation of Suspicious
Activity rules. Suspicious Activity rules are security rules that enable the
Administrator to instantly block suspicious connections that are not restricted by
the currently enforced Security Policy. These rules can be applied immediately,
without the need to install the Security Policy.

Monitoring Alerts
Alerts provide real-time information about vulnerabilities to computing systems
and how they can be eliminated.
Check Point alerts users to potential threats to the security of their systems, and
provides information about how to avoid, minimize, or recover from the damage.
Alerts are sent by the Security Gateways to the Security Management Server. The
Security Management Server then forwards these alerts to the SmartView
Monitor SmartConsole, which is actively connected to the Security Management
Server. Alerts are sent to draw the Administrator's attention to problematic
Gateways, and are displayed in SmartView Monitor. These alerts are sent:
If certain rules or attributes, which are set to be tracked as alerts, are matched
by a passing connection.
If system events, also called System Alerts, are configured to trigger an alert
when various thresholds are surpassed.

The Administrator can define alerts to be sent for different Gateways. These
alerts are sent under certain conditions, such as if they have been defined for
certain Policies, or if they have been set for different properties. By default, an
alert is sent as a message to the Administrator's desktop when a new alert arrives
in SmartView Monitor. Alerts can also be sent for certain system events. If
certain conditions are set, you can receive System Alerts for critical situation
updates; for example, if free disk space is less than 10 percent, or if the Security
Policy has been changed. System Alerts are characterized as follows:
They are defined per product. For instance, you may define certain System
Alerts for Check Point QoS that would not apply to Connectra.
They may be global or per Gateway. You can set global alert parameters for
all Gateways in the system, or you can specify a particular alert for a
particular Gateway.
They are displayed and viewed via the same user-friendly window. The
information SmartView Monitor gathers also includes status information
about OPSEC gateways and network objects.

After reviewing the status of certain clients in SmartView Monitor, you may
decide to take decisive action for a particular client or cluster member, for
instance:

Disconnect Client - If you have the correct permissions, you can choose to
disconnect one or more of the connected SmartConsole clients. Click the
Disconnect Client button on the Results pane toolbar.
Start/Stop Cluster Member - All cluster members of a given gateway
cluster can be viewed via SmartView Monitor. You can start or stop a selected
cluster member. To do this, right-click the cluster member. From the pull-
down menu, select Start Member or Stop Member.

To configure an alert in SmartView Monitor from SmartDashboard, select Policy
> Global Properties > Log and Alert > Alerts. To view the active alerts from
SmartView Monitor, select the Alerts icon from the toolbar.


Gateway Status
Check Point enables information about the status of all gateways in the system to
be collected by the Security Management server and viewed in SmartView
Monitor. The information gathered includes status information about:
Check Point gateways
OPSEC gateways
Check Point Software Blades

A Gateways Status view displays a snapshot of all Check Point Software Blades,
such as VPN and ClusterXL, as well as third party products (for example,
OPSEC-partner gateways). Gateways Status is very similar in operation to the
SNMP daemon that also provides a mechanism to ascertain information about
gateways in the system.

Figure 47 - Gateway Status Example



The Security Management server acts as an AMON (Application Monitoring)
client. It collects information about specific Check Point Software Blades
installed, using the AMON protocol. Each Check Point gateway, or any other
OPSEC gateway which runs an AMON server, acts as the AMON server itself.
Each gateway makes a status update request, via APIs, from various other
components such as:
The "kernel"
Security Servers

An alternate source for status collection may be any AMON client, such as an
OPSEC partner, which uses the AMON protocol.

The information is fetched at a subscribed interval which is defined by the system
administrator. The AMON protocol is SIC-based, so information can be retrieved
once SIC has been initialized.

Note: There are general statuses which occur for both the gateway or
machine on which the Check Point Software Blade is
installed, and the Software Blade which represents the
components installed on the gateway.

Overall Status
An Overall status is the result of the Software Blade statuses: the most serious
Software Blade status determines the Overall status. For example, if all the
Software Blade statuses are OK except for the SmartReporter blade, which has a
Problem status, then the Overall status will be Problem.

OK - indicates that the gateway is working properly.
Attention - at least one of the Software Blades indicates that there is a
minor problem but it can still continue to work. Attention can also indicate
that, although a Software Blade is not installed, it is selected in the General
Properties > Check Point Products associated with a specific gateway.
Problem - indicates that one of the Software Blades reported a specific
malfunction. To see details of this malfunction, open the gateway's status
window by double-clicking it in the Gateways view. Problem can also
indicate a situation in which the Firewall, VPN and ClusterXL Software
Blades are selected in the General Properties Software Blades but are not
installed.
Waiting - from the time that the view starts to run until the time that the first
status message is received. This takes no more than thirty seconds.
Disconnected - the Security Gateway cannot be reached.

Untrusted - Secure Internal Communication failed. The gateway is
connected, but the Security Management server is not the master of the
gateway.

Software Blade Status

Software Blades include components such as VPN, SmartReporter, Endpoint
Security, and QoS.
OK - indicates that the blade (for example, SmartReporter, VPN, Firewall,
etc.) is working properly.
Attention - the blade indicates that there is a minor problem but it can still
continue to work.
Problem - indicates that the blade reported a specific malfunction. To see
details of this malfunction, open the gateway's status window associated with
the blade by double-clicking it in the Gateways Status view.
Waiting - displayed from the time that the view starts to run until the time
that the first status message is received. This takes no more than thirty
seconds.
Disconnected - the gateway cannot be reached.
Untrusted - Secure Internal Communication failed. The gateway is
connected, but the Security Management server is not the master of the
gateway.
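As an added illustration (not code from the manual or from Check Point) of how the Overall status is derived from the Software Blade statuses described above, the following Python model encodes the rules just listed: the most serious blade status wins, a blade that is selected in General Properties but not installed counts as Attention, and a missing Firewall, VPN or ClusterXL blade counts as Problem. The blade names and sample data are constructed; the severity order OK < Attention < Problem, and the treatment of Waiting, Disconnected and Untrusted as gateway-level states that override the blade statuses, are assumptions made for this example.

```python
"""Added example (not Check Point code): deriving a gateway's Overall status from
its Software Blade statuses as described in the Gateway Status section. Status
names and the two 'selected but not installed' rules come from the manual; the
severity order and the gateway-level override are modelling assumptions."""
from typing import Dict, Optional, Tuple

SEVERITY = {"OK": 0, "Attention": 1, "Problem": 2}   # assumed order, least to most serious
CORE_BLADES = {"Firewall", "VPN", "ClusterXL"}        # selected but not installed -> Problem
GATEWAY_STATES = ("Waiting", "Disconnected", "Untrusted")  # assumed to override blade states


def blade_status(name: str, selected: bool, installed: bool,
                 reported: Optional[str]) -> Optional[str]:
    """Status of one blade: what it reported if installed; otherwise the manual's rule
    for a blade that is selected in General Properties but missing; None if it is
    neither selected nor installed and so plays no part in the Overall status."""
    if installed:
        return reported or "OK"
    if selected:
        return "Problem" if name in CORE_BLADES else "Attention"
    return None


def overall_status(gateway_state: Optional[str],
                   blades: Dict[str, Tuple[bool, bool, Optional[str]]]) -> str:
    """blades maps blade name -> (selected, installed, reported status).
    gateway_state is one of GATEWAY_STATES, or None once status messages arrive."""
    if gateway_state in GATEWAY_STATES:
        return gateway_state  # no blade status received, or SIC / reachability failed
    statuses = [s for s in (blade_status(n, *v) for n, v in blades.items()) if s]
    return max(statuses, key=SEVERITY.__getitem__) if statuses else "OK"


# constructed sample: the manual's own case, every blade OK except SmartReporter
SAMPLE = {"Firewall": (True, True, "OK"), "VPN": (True, True, "OK"),
          "SmartReporter": (True, True, "Problem")}

if __name__ == "__main__":
    print(overall_status(None, SAMPLE))
    print(overall_status(None, {"Firewall": (True, True, "OK"), "QoS": (True, False, None)}))
```

Extending the model with the other blades listed in the text is a matter of adding entries to the dictionary; the aggregation itself does not change.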

Displaying Gateway Information

Gateways Status information is displayed per Check Point or OPSEC gateway.

To display information about the gateway, click the specific gateway in the
Gateway Results view. Details about the gateway will be displayed in the
Gateway Details pane.

This information includes general information such as the name, IP Address,
version, operating system, and the status of the specified gateway, as well as a
myriad of gateway-specific information.


SmartView Tracker vs. SmartView Monitor


Here are some key points when considering which product addresses your needs
better:
SmartView Tracker Benefits - Administrators can use SmartView Tracker to:
Ensure network components are operating properly.
Troubleshoot system and security issues.
Gather information for legal or audit purposes.
Generate reports to analyze network-traffic patterns.
Temporarily or permanently terminate connections from specific IP
addresses, in case of an attack or other suspicious network activity.

SmartView Monitor Benefits - Administrators can use SmartView Monitor to:
Centrally monitor Check Point and OPSEC devices.
Present a complete picture of changes to Gateways, tunnels, remote users, and
security activities. Immediately identify changes in network-traffic flow
patterns that may signify malicious activity.
Maintain high network availability.
Improve efficiency of bandwidth use.
Track SLA compliance.


Practice and Review

Practice Lab

Lab 6: Monitoring with SmartView Tracker

Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView
Tracker in monitoring network activity.

2. Why is there a warning message when switching to Active mode in SmartView
Tracker?


CHAPTER 5 Network Address Translation


Network Address Translation


In computer networking, network address translation (NAT) is the process of
modifying IP address information in IP packet headers while in transit across a
traffic routing device.

Learning Objectives:
Configure NAT rules on Web and Gateway servers


Introduction to NAT


Network Address Translation (NAT) allows Security Administrators to overcome
IP addressing limitations, allowing private IP-address allocation and unregistered
internal-addressing schemes.

Enterprises employ NAT for a variety of reasons, including:
Private IP addresses used in internal networks.
Limiting external network access.
Ease and flexibility of network administration.

Network Address Translation (NAT) can be used to translate either IP address in


a connection. When translating the IP of the machine initiating the connection
(typically the "client" of the connection) this is referred to as Source NAT. When
translating the IP address of the machine receiving the connection this is referred
to as Destination NAT.

The Security Gateway supports two types of NAT where the source and/or the
destination are translated:
Hide NAT - Hide NAT is a many-to-one relationship, where multiple
computers on the internal network are represented by a single unique address.
This enhances security because connections can only be initiated from the
protected side of the Security Gateway. This type of NAT is also referred to as
Dynamic NAT.
Static NAT - Static NAT is a one-to-one relationship, where each host is
translated to a unique address. This allows connections to be initiated
internally and externally. An example would be a Web server or a mail server
that needs to allow connections initiated externally.

NAT can be configured on Check Point hosts, nodes, networks, address ranges
and dynamic objects. NAT can be configured automatically or by creating
manual NAT rules. Manual NAT rules offer flexibility because they allow the
translation of both the source and destination of the packet and allow the
translation of services.


IP Addressing

In an IP network, each computer is assigned a unique IP address. Because public
IP addresses are scarce and expensive, many enterprises choose to use private
addresses for their internal networks. The following blocks of IP addresses were
set aside for internal-network use in RFC 1918, "Address Allocation for Private
Networks":
Class A network numbers: 10.0.0.0-10.255.255.255
Class B network numbers: 172.16.0.0-172.31.255.255
Class C network numbers: 192.168.0.0-192.168.255.255

Best practices recommend using only these address ranges for intranets. RFC
1918 addresses cannot traverse public networks.

Hide NAT

In Hide NAT, the source is translated, the source port is modified and translation
occurs on the server side. As shown in the illustration below, notice the source
packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the
interface on pre-in, 'i', it is processed by the firewall kernel and forwarded to
post-in, 'I', where it is then routed to the external interface. It arrives at pre-out, 'o',
and is then processed by the NAT Rule Base. The firewall modifies the source port
and adds the port information to a state table. The packet is translated on post-out,
'O', as it leaves the Gateway. For protocols where the port number cannot be
changed, Hide NAT cannot be used.

Figure 48 - Hide NAT


Choosing the Hide Address in Hide NAT

The Hide Address is the address behind which the network, address range, or
node is hidden. It is possible to hide behind either the interface of the Gateway or
a specified IP address.

Choosing a fixed public IP address is a good option if you want to hide the
address of the Security Gateway. However, it means you have to use an extra
publicly routable IP address. Choosing to hide behind the address of the Gateway
is a good option for administrative purposes. For example, if the external IP
address of the Gateway changes, there is no need to change the NAT settings.

Static NAT
A static translation is assigned to a server that needs to be accessed directly from
outside the Security Gateway. So, the packet is typically initiated from a host
outside the firewall. When the client initiates traffic to the static NAT address, the
destination of the packet is translated.

Figure 49 - Static NAT



In the past, all destination NAT occurred at the "server side" of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, a host route is required on the Security Gateway to route to the
destination server. As of VPN-1 NGX, the default method for Destination NAT is
"client side", where NAT occurs on the inbound interface closest to the client.
Assume the client is outside the Gateway, and the server is inside the Gateway
with automatic Static NAT configured. When the client starts a connection to
access the server's NAT IP address, the following happens to the original packet
in a client-side NAT:

Original Packet

1. The packet from outside the Gateway arrives at the inbound interface, 'i',
destined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the
destination is translated on the post-in side of the interface, 'I', before it is
routed.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the Web
server.

Reply Packet
1. The Web server replies and hits the inbound interface, 'i', of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table,
and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet goes through the outbound interface and is translated to the static
NAT IP address as it leaves the Security Gateway, 'O'. The source port does
not change.

When the external server must distinguish between clients based on their IP
addresses, Hide NAT cannot be used, because all clients share the same IP
address under Hide NAT.

To allow connections from the external network to the internal network, only
Static NAT can be used.

NAT - Global Properties

Several Global Properties influence how NAT is handled by a Security Gateway.
The figure shows the default Global Properties for NAT.

Figure 50 - NAT Settings

In most cases, the Security Gateway automatically creates NAT rules, based on
information derived from object properties. The following three Global
Properties can be modified to adjust the behavior of Automatic NAT rules on a
global level:
Allow bi-directional NAT - If more than one Automatic NAT rule matches
a connection, both rules are matched. If Allow bi-directional NAT is selected,
the Gateway will check all NAT rules to see if there is a source match in one
rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
Translate destination on client side - For packets from an external host
that are to be translated according to Static NAT rules, select this option to
translate destination IP addresses in the kernel nearest the client.


Automatic ARP configuration - Select this option to automatically update
ARP tables on Security Gateways. For NAT to function properly, a Gateway
must accept packets whose destination addresses differ from the addresses
configured on its interfaces. Automatic ARP configuration adds the ARP
entries needed to accomplish this task. This property applies to automatically
created NAT rules only.
Merge manual proxy ARP - Select this option to merge automatic and
manual ARP configurations. Manual proxy ARP configuration is required for
manual Static NAT rules. If a manual ARP configuration is defined in the
local.arp file and automatic ARP configuration is enabled, both definitions are
maintained. If there is a conflict between the definitions (the same NAT IP
address appears in both), the manual configuration is used. If this option is not
enabled and automatic ARP configuration is enabled, the Gateway ignores the
entries in the local.arp file.

Object Configuration - Hide NAT

Hide NAT can be configured to hide networks using a Security Gateway IP
address or another, externally accessible IP address. The figure illustrates how to
configure the NAT properties for a network using a Security Gateway's IP
address when dynamically translated. To configure Hide NAT with automatic
NAT rule creation, select the appropriate options and click OK, which
automatically creates the necessary NAT rules for the object.

Figure 51 - NAT Configured Object



Address-translation rules are divided into two elements: Original Packet and
Translated Packet. The elements of the Original Packet section inform a Security
Gateway which packets match the rule. The Translated Packet elements define
how the Security Gateway should modify the packet. Configuring the network
object as described above creates two rules in the Address Translation Policy.
The first rule prevents translation of packets traveling from the translated object
to itself. The second rule instructs the Security Gateway to translate packets
whose source IP address is part of the Corporate-finance-net's network. This rule
translates packets from private addresses to the IP address of the exiting interface
of the Security Gateway.

Figure 52 - NAT Rules

Because Hide NAT also modifies source ports, there is no need to add another
rule for reply packets. Information recorded in a Security Gateway's state tables
will be used to modify the destination IP address and destination port of reply
packets.


Hide NAT Using Another Interface IP Address

Hiding internal addresses behind a Security Gateway's IP address is not the most
secure way to configure Hide NAT. Using another externally accessible IP
address for Hide NAT is considered best practice. The figure illustrates how to
configure the NAT properties for a network that will use another externally
accessible IP address when dynamically translated.

Figure 53 - Hide NAT Configured Object

For Automatic NAT rule creation, the Security Gateway makes all necessary
route and ARP table entries on the Security Gateway. In the example above, the
Security Gateway will process packets destined for the HR Server, even though
that IP address is not bound to its interface. For routing to work properly, the
address selected to hide internal networks should be on the same subnet as the IP
address of the interface where packets will arrive.

Like Hide NAT behind a Security Gateway's IP address, configuration for Hide
NAT using another externally accessible IP address also creates two rules. The
first rule instructs the Security Gateway not to translate traffic whose source and
destination is the object for which Hide NAT is configured. The second rule
translates the source address of packets not destined for the object for which Hide
NAT is configured.



Static NAT

Configuring a Security Gateway to perform Static NAT for a host is similar to
configuring a Security Gateway to perform Hide NAT using another externally
accessible IP address.

Figure 54 - Static NAT Configured Object

The figure illustrates how to configure the NAT properties used to translate a
host's IP address.

For routing to work properly, the Translate to IP Address must be on the same
subnet as the Security Gateway's IP address. When Automatic NAT rule creation
is used, it makes the necessary adjustments to the ARP configuration.

Configuring an object for automatic creation of Static NAT rules adds two rules
to the Address Translation Policy. For Static NAT, both rules are translating rules.
In the example above, the Security Gateway changes the source address from a
private address to the public address (172.22.102.112).
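The following Python model is an added example, not code from the manual or from Check Point, that ties together the NAT behaviour this chapter describes: the RFC 1918 check, the two rules generated for an automatic Hide NAT object (no translation from the object to itself, then hide everything else) and for an automatic Static NAT object (both rules translating), first-match rule order, the Hide NAT source-port rewrite recorded in the connections table so that reply packets need no second rule, the unchanged source port of a Static NAT reply, and the effect of the Allow bi-directional NAT global property. The topology, addresses and port numbers are constructed; the class and function names, and the ordering of Static rules before Hide rules in the rule base, are assumptions of the model.

```python
"""Toy model of a Security Gateway's Address Translation Policy and connections table.
Added example, not Check Point code: it reproduces the automatic Hide/Static NAT rules
described in this chapter, first-match order (Static rules before Hide rules, an assumed
ordering), the Hide NAT source-port rewrite kept in the connections table, reply
translation from that table without a second rule, and "Allow bi-directional NAT".
All addresses are constructed samples."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    """True if ip is in an RFC 1918 block and therefore cannot traverse public networks."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    """One Address Translation row; None in a Translated field means '= Original'."""
    orig_src: ipaddress.IPv4Network
    orig_dst: ipaddress.IPv4Network
    xlate_src: Optional[str] = None
    xlate_dst: Optional[str] = None
    hide: bool = False  # Hide (many-to-one, port rewritten) rather than Static (one-to-one)

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.orig_src
                and ipaddress.ip_address(pkt.dst) in self.orig_dst)

def automatic_hide_rules(net: str, hide_addr: str) -> List[NatRule]:
    """Rules a Hide NAT object generates: object-to-itself untranslated, the rest hidden."""
    n = ipaddress.ip_network(net)
    return [NatRule(n, n), NatRule(n, ANY, xlate_src=hide_addr, hide=True)]

def automatic_static_rules(host: str, public: str) -> List[NatRule]:
    """Static NAT generates two translating rules: outbound source, inbound destination."""
    h, p = ipaddress.ip_network(host), ipaddress.ip_network(public)
    return [NatRule(h, ANY, xlate_src=public), NatRule(ANY, p, xlate_dst=host)]

class Gateway:
    def __init__(self, rules: List[NatRule], bidirectional: bool = False):
        self.rules = rules
        self.bidirectional = bidirectional  # Global Properties > NAT > Allow bi-directional NAT
        # connections table: translated 4-tuple -> original (src, sport) of a hidden connection
        self.connections: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self._next_port = 10000  # constructed starting point for rewritten hide ports

    def translate(self, pkt: Packet) -> Packet:
        """Restore a reply to a hidden connection from the connections table; otherwise
        apply the first matching rule (plus a second rule when bi-directional NAT is on)."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:  # reply packet: no extra rule is needed
            src, sport = self.connections[key]
            return replace(pkt, dst=src, dport=sport)
        first = next((r for r in self.rules if r.matches(pkt)), None)
        if first is None or (first.xlate_src is None and first.xlate_dst is None):
            return pkt  # no rule matched, or an explicit 'do not translate' rule matched
        applied = [first]
        if self.bidirectional:  # find a second rule translating the address 'first' left alone
            for r in self.rules:
                if r is not first and r.matches(pkt) and (
                        (first.xlate_src is None and r.xlate_src)
                        or (first.xlate_dst is None and r.xlate_dst)):
                    applied.append(r)
                    break
        out = pkt
        for r in applied:  # destination first, so a hidden connection is keyed on the real server
            if r.xlate_dst and out.dst == pkt.dst:
                out = replace(out, dst=r.xlate_dst)
        for r in applied:
            if r.xlate_src and out.src == pkt.src:
                sport = pkt.sport  # Static NAT keeps the source port
                if r.hide:  # Hide NAT: rewrite the source port and remember the mapping
                    sport, self._next_port = self._next_port, self._next_port + 1
                    self.connections[(r.xlate_src, sport, out.dst, out.dport)] = (pkt.src, pkt.sport)
                out = replace(out, src=r.xlate_src, sport=sport)
        return out

def build_lab_gateway(bidirectional: bool = False) -> Gateway:
    """Constructed topology: 10.1.1.0/24 hidden behind the gateway's external address
    198.51.100.1; DMZ host 172.16.5.10 statically translated to 198.51.100.10."""
    rules = automatic_static_rules("172.16.5.10", "198.51.100.10")
    return Gateway(rules + automatic_hide_rules("10.1.1.0/24", "198.51.100.1"), bidirectional)

if __name__ == "__main__":
    gw = build_lab_gateway()
    out = gw.translate(Packet("10.1.1.101", 40000, "203.0.113.5", 443))
    print("hide  :", out)
    print("reply :", gw.translate(Packet("203.0.113.5", 443, out.src, out.sport)))
    print("static:", gw.translate(Packet("203.0.113.5", 51000, "198.51.100.10", 80)))
    print("bidir :", build_lab_gateway(True).translate(Packet("10.1.1.50", 40000, "198.51.100.10", 80)))
```

Run stand-alone, the block prints the hidden outbound packet, its reply restored from the connections table, an inbound Static NAT packet, and the same internal-to-public-address packet with bi-directional NAT on (source hidden as well as destination translated). Reordering the rule list is an easy way to explore the rule-order situations the Manual NAT section lists.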


Manual NAT
The Security Gateway allows Security Administrators to create Manual NAT
rules. Manual NAT involves more configuration than automatic NAT rule
creation, but provides additional flexibility in Rule Base design.

Automatic NAT rule creation is appropriate for most installations. Properly
configured objects, well-planned networks, and Global Properties settings make
Manual NAT rule creation unnecessary for most enterprises. For Security
Administrators faced with legacy networks where design issues prevent the use
of automatic NAT rules, Manual NAT rules may provide solutions.

Some of the situations where Manual NAT rule creation may be warranted
include:
Instances where remote networks only allow specific IP addresses.
Situations where translation is desired for some services, and not for others.
Environments where more granular control of address translation in VPN
tunnels is needed.
Enterprises where Address Translation Rule Base order must be manipulated.
When port address translation is required (port forwarding).
Environments where granular control of address translation between internal
networks is required.
When a range of IP addresses, rather than a network, will be translated.

Configuring Manual NAT

Manual NAT requires configuration of objects and rules. The amount of
configuration varies between Hide NAT and Static NAT.

Global Properties for Manual NAT Rules

On the NAT window of Global Properties, only one global property can be set
for manually created NAT rules. The Translate destination on client side property
performs the same function for Manual NAT rules as it does for automatic NAT
rules.

Translate destination on client side - For packets from an external host
undergoing Static NAT, translate destination IP addresses in the kernel nearest the
client.

Enable IP Pool NAT - If IP pools are used on a Gateway, SecuRemote/
SecureClient connections are modified, so a target host sends reply packets to the
appropriate Gateway.


Special Considerations
When Automatic NAT rule creation is used, it makes all necessary adjustments to
the Security Gateway's ARP and routing tables. Using Automatic NAT rule
creation also eliminates potential anti-spooling issues. If Manual NAT rule
creation is used, special consideration must be paid to ARP and routing-table
entries, and anti-spooling issues.

ARP
When Automatic NAT rule creation is used, the Security Gateway makes all
necessary adjustments to the Security Gateway's ARP table. If Manual NAT rule
creation is used, the Security Administrator must edit the Security Gateway's
ARP table (local.arp), as follows:
Hide NAT, Security Gateway in Translated Packet, Source field - No
additional ARP table entries are required.
Hide NAT, hiding behind an IP address not assigned to the Security
Gateway - Add an ARP table entry to the Security Gateway for the hiding
address.
Static NAT - Add ARP table entries to the Security Gateway for all hiding
addresses.

For information on creating persistent ARP table entries, consult your OS
documentation and sk30197.
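As an added illustration of the manual proxy ARP entries the list above calls for (a constructed sample, not a file from the manual or from sk30197), here is a local.arp fragment for the two cases that need entries: a Static NAT address and a Hide NAT address that is not bound to any gateway interface. The file holds one entry per line, the NAT IP address followed by the MAC address of the gateway interface on which ARP requests for that address arrive (normally the external interface); 203.0.113.10, 203.0.113.20 and the MAC address are placeholders, and $FWDIR/conf/local.arp is the location assumed here.

```text
203.0.113.10 00:50:56:aa:bb:01
203.0.113.20 00:50:56:aa:bb:01
```

The first line answers ARP for a manually configured Static NAT address, the second for a manual Hide NAT address, both using the external interface's MAC. As the Global Properties section states, if Automatic ARP configuration is also enabled the Merge manual proxy ARP option must be selected, or these entries are ignored; after installing the policy, the gateway's proxy ARP table can be listed with fw ctl arp to confirm the entries are in effect.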

Practice and Review

Practice Labs

Lab 7: Configuring NAT

Review
1. What are some reasons for employing NAT in a network when requiring pri-
vate IP addresses in internal networks, to limit external-network access, or to
ease network administration?

2. When would an Administrator favor using Manual NAT over automatic NAT?


CHAPTER 6 Using SmartUpdate

Using SmartUpdate
SmartUpdate extends your organization's ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways from a single management console.

Learning Objectives:
Monitor remote Gateways using SmartUpdate to evaluate the need for
upgrades, new installations, and license modifications.
Use SmartUpdate to apply upgrade packages to single or multiple VPN-1
Gateways.
Upgrade and attach product licenses using SmartUpdate.

SmartUpdate and Managing Licenses

SmartUpdate automatically distributes applications and updates for Check Point


and OPSEC Certified products, and manages product licenses.
SmartUpdate ensures security deployments are always up-to-date by enforcing
the most current security software. This provides greater control and
efficiency while decreasing the maintenance cost of managing global security
installations.

Figure 54 - Managing Licenses

SmartUpdate enables remote upgrade, installation and license management to be
performed securely and easily. It is possible to remotely upgrade:
- Check Point Security Gateways
- Hotfixes, Hotfix Accumulators (HFAs) and patches
- Third-party OPSEC applications
- UTM-1 Edge Gateways
- Operating System

SmartUpdate Architecture


SmartUpdate installs two repositories on the Security Management Server:

1. License & Contract Repository, which is stored on all platforms in the
   directory $FWDIR/conf/.
2. Package Repository, which is stored on:
   - Windows machines in C:\SUroot.
   - UNIX machines in /var/suroot.

Figure 55 - SmartUpdate Architecture

Packages and licenses are loaded into these repositories from several sources:
- Download Center Web site (packages)
- Check Point DVD (packages)
- User Center (licenses)
- Running cplic from the command line

Of the many processes that run on Gateways distributed across the corporate
network, two in particular are used by SmartUpdate. Upgrade operations require
the cprid daemon, and license operations use the cpd daemon. These processes
listen and wait for the information to be summoned by the Security Management
Server.

From a remote location, an Administrator logged into the Security Management
Server initiates operations using the SmartUpdate tool. The Security
Management Server makes contact with the Security Gateways via the processes
that are running on these components to execute the operations initiated by the
System Administrator (e.g., attach a license or upload an upgrade). Information is
taken from the repositories on the Security Management Server. For instance, if a
new installation is being initiated, the information is retrieved from the Package
Repository; if a new license is being attached to a remote Gateway, information is
retrieved from the License & Contract Repository.

This entire process runs over SIC (Secure Internal Communication), so the
management-to-gateway channel is authenticated and encrypted.


SmartUpdate Introduction


SmartUpdate has two tabs:
- The Packages tab shows the packages and Operating Systems installed on
  the Check Point Security Gateways managed by the Security Management
  Server. Operations that relate to packages can only be performed in the
  Packages tab.
- The Licenses & Contracts tab shows the licenses on the managed Check
  Point Security Gateways. Operations that relate to licenses can only be
  performed here.

These tabs are divided into a tree structure that displays the packages installed
and the licenses attached to each managed Security Gateway. The tree has three
levels:
- The root level shows the name of the Security Management Server to which
  the GUI is connected.
- The second level shows the names of the Check Point Security Gateways
  configured in SmartDashboard.
- The third level shows the Check Point packages or installed licenses on the
  Check Point Security Gateway.

Figure 56 - SmartUpdate



Additionally, the following panes can be displayed:
- The Package Repository shows all the packages available for installation. To
  view this pane, select Packages > View Repository.
- The License & Contract Repository shows all licenses (attached or
  unattached). To view this pane, select Licenses & Contracts > View
  Repository.
- The Operation Status shows past and current SmartUpdate operations. To
  view this pane, select Operations > View Status. It displays:
  - The operations performed (e.g., Installing package <X> on Gateway <Y>, or
    Attaching license <L> to Gateway <Y>).
  - The status of the operation being performed, throughout all the stages of
    its progress (e.g., operation started, or a warning).
  - A progress indicator.
  - The time that the operation takes to complete.

Overview of Managing Licenses


With SmartUpdate, you can manage all licenses for Check Point packages
throughout the organization from the Security Management Server. SmartUpdate
provides a global view of all available and installed licenses, allowing you to
perform such operations as adding new licenses, attaching licenses and upgrading
licenses to Check Point Security Gateways, and deleting expired licenses. Check
Point licenses come in two forms, Central and Local.
Figure 57 - SmartUpdate - Licenses

The Central license is the preferred method of licensing. A Central license ties
the package license to the IP address of the Security Management Server. That
means that there is one IP address for all licenses; that the license remains valid if
you change the IP address of the gateway; and that a license can be taken from
one Check Point Security Gateway and given to another with ease.
The Local license is an older method of licensing, however it is still supported by
SmartUpdate. A Local license ties the package license to the IP address of the
specific Check Point Security Gateway, and cannot be transferred to a Gateway
with a different IP address.

When you add a license to the system using SmartUpdate, it is stored in the
License & Contract Repository. Once there, it must be installed to the Gateway
and registered with the Security Management Server. Installing and registering a
license is accomplished through an operation known as attaching a license.
Central licenses require an administrator to designate a Gateway for attachment,
while Local licenses are automatically attached to their respective Check Point
Security Gateways.

Licensing Terminology
Common terms used with respect to licensing include the following:
- Add: Licenses received from the User Center should first be added to the
  SmartUpdate License & Contract Repository. Adding a local license to the
  License & Contract Repository also attaches it to the gateway.
- Attach: Licenses are attached to a Gateway via SmartUpdate. Attaching a
  license to a Gateway involves installing the license on the remote Gateway,
  and associating the license with the specific Gateway in the License &
  Contract Repository.
- Central License: A Central License is a license attached to the Security
  Management Server IP address, rather than the gateway IP address. The
  benefits of a Central License are:
  - Only one IP address is needed for all licenses.
  - A license can be taken from one gateway and given to another.
  - The license remains valid when changing the gateway IP address. There is
    no need to create and install a new license.
- Certificate Key: The Certificate Key is a string of 12 alphanumeric
  characters. The number is unique to each package. For an evaluation license,
  your Certificate Key can be found inside the mini pack. For a permanent
  license, you should receive your Certificate Key from your reseller.
- CPLIC: A command-line tool for managing local licenses and local license
  operations. For additional information, refer to the R76 Command Line
  Interface Reference Guide.
- Detach: Detaching a license from a Gateway involves uninstalling the
  license from the remote Gateway, and making the license in the License &
  Contract Repository available to any Gateway.
- State: Licenses can be in one of the following states: Requires Upgrade, No
  License, Obsolete or Assigned. The license state depends on whether the
  license is associated with the Gateway in the License & Contract Repository,
  and whether the license is installed on the remote Gateway. The license state
  definitions are as follows:
  - Attached: indicates that the license is associated with the Gateway
    in the License & Contract Repository, and is installed on the remote
    Gateway.
  - Unattached: indicates that the license is not associated with the
    Gateway in the License & Contract Repository, and is not installed on
    any Gateway.
  - Assigned: a license that is associated with the Gateway in the
    License & Contract Repository, but has not yet been installed on the
    Gateway as a replacement for an existing NG license.
  - Upgrade Status: a field in the License & Contract Repository
    that contains an error message from the User Center if the upgrade process
    fails.

- Get: Locally installed licenses can be placed in the License & Contract
  Repository, to update the repository with all licenses across the installation.
  The Get operation is a two-way process that places all locally installed
  licenses in the License & Contract Repository and removes all locally deleted
  licenses from the License & Contract Repository.
- License Expiration: Licenses expire on a particular date, or never. After a
  license has expired, the functionality of the Check Point package may be
  impaired.
- Local License: A Local License is tied to the IP address of the specific
  gateway and can only be used with a gateway or a Security Management
  Server with the same address.
- Multi-License File: Licenses can be conveniently added to a Gateway or
  Security Management Server via a file, rather than by typing long text strings.
  Multi-license files contain more than one license, and can be downloaded
  from the User Center. Multi-license files are supported by the cplic put and
  cplic add command-line commands.
- Features: A character string that identifies the features of a package.

Upgrading Licenses

When a Central license is placed in the License & Contract Repository,
SmartUpdate allows you to attach it to Check Point packages. Attaching a license
installs it to the remote Gateway and registers it with the Security Management
Server.

New licenses need to be attached when:
- An existing license expires.
- An existing license is upgraded to a newer license.
- A local license is replaced with a central license.
- The IP address of the Security Management Server changes.

Attaching a license is a three-step process:
1. Get real-time license data from the remote Gateway.
2. Add the appropriate license to the License & Contract Repository.
3. Attach the license to the device.

Retrieving License Data from Security Gateways

To know exactly what type of license is on each remote Gateway, you can
retrieve that data directly from the Gateway.
To retrieve license data from a single remote Gateway, right-click the gateway
object in the License Management window, and select Get Licenses.
To retrieve license data from multiple Check Point Security Gateways, select
Get All Licenses from the Licenses menu.

Adding New Licenses to the License & Contract Repository

To install a license, you must first add it to the License & Contract Repository.
You can add licenses to the License & Contract Repository in the following
ways:
Downloading from the User Center
1. Select Licenses & Contracts > Add License > From User Center.
2. Enter your credentials.

3. Perform one of the following:
   - Generate a new license. If there are no identical licenses, the
     license is added to the License & Contract Repository.
   - Change the IP address of an existing license (Move IP).
   - Change the license from Local to Central.
   - Upgrade the license.

Importing License Files

1. Select Licenses & Contracts > Add License > From File.
2. Browse to the location of the license file, select it, and click Open.

A license file can contain multiple licenses. Unattached Central licenses appear
in the License & Contract Repository, and Local licenses are automatically
attached to their Security Gateway. All licenses are assigned a default name in the
format SKU@time date, which you can modify at a later time.

Adding License Details Manually

You may add licenses that you have received from the Licensing Center by
e-mail. The e-mail contains the license-installation instructions.
1. Locate the license. If you have received a license by e-mail, copy the
   license to the clipboard. Copy the string that starts with cplic putlic... and ends
   with the last SKU/feature. For example:

   cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NBgPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890

2. Select the Licenses & Contracts tab in SmartUpdate.
3. Select Licenses & Contracts > Add License > Manually. The Add License
   window appears.
4. Enter the license details. If you copied the license to the clipboard, click Paste
   License. The fields will be populated with the license details.
   Alternatively, enter the license details from a printout.
5. Click Calculate, and make sure the result matches the validation code
   received from the User Center.
6. You may assign a name to the license, if desired. If you leave the Name field
   empty, the license is assigned a name in the format SKU@time date.
7. Click OK to complete the operation.

Attaching Licenses

After licenses have been added to the License & Contract Repository, select one
or more licenses to attach to a Security Gateway.
1. Select the license(s).
2. Select Licenses & Contracts > Attach.
3. From the Attach Licenses window, select the desired device.
If the attach operation fails, the local licenses are deleted from the Repository.

Detaching Licenses

Detaching a license involves deleting a single Central license from a remote
Check Point Security Gateway and marking it as unattached in the License &
Contract Repository. This license is then available to be used by any Check Point
Security Gateway. To detach a license, select Licenses & Contracts > Detach and
select the licenses to be detached from the displayed window.

Deleting Licenses From the License & Contract Repository

Licenses that are not attached to any Check Point Security Gateway and are no
longer needed can be deleted from the License & Contract Repository. To delete
a license:
1. Right-click anywhere in the License & Contract Repository and select View
   Unattached Licenses.
2. Select the unattached license(s) to be deleted, and click Delete.

Installation Process

The following operations are performed during the installation process:
- The Check Point Remote Installation Daemon (cprid) connects to the Check
  Point gateway.
- Verification of sufficient disk space.
- Verification of the package dependencies.
- The package is transferred to the gateway if it is not already there.
- The package is installed on the gateway.
- Enforcement policies are compiled for the new version.
- The gateway is rebooted if the Allow Reboot option was selected and the
  package requires it.
- The gateway version is updated in SmartDashboard.
- The installed packages are updated in SmartUpdate.

Viewing License Properties


The overall view of the License & Contract Repository displays general
information on each license such as the name of the license and the IP address of
the machine to which it is attached. You can view other properties as well, such
as expiration date, SKU, license type, certificate key and signature key. To view
license properties, double-click on the license in the Licenses & Contracts tab.

Checking for Expired Licenses


After a license has expired, the functionality of the Check Point package will be
impaired; therefore, it is advisable to be aware of the pending expiration dates of
all licenses. To check for expired licenses, select Licenses & Contracts > Show
Expired Licenses. To check for licenses nearing their dates of expiration:
1. In the License Expiration window, set the Search for licenses expiring within
   the next x days property.
2. Click Apply to run the search.

To delete expired licenses from the License Expiration window, select the
detached license(s) and click Delete.
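The license string pasted in step 1 of "Adding License Details Manually" carries everything the expiry search above works from: the host IP, the expiration date (or never), the signature, the SKU/feature tokens and the Certificate Key. The following script is an added example, not Check Point code: it parses such strings and reports which licenses are expired or expire within the next N days, against a fixed reference date so the result is reproducible. The first sample line is the page's own example; the other two are constructed, with made-up signatures and Certificate Keys. The validation code produced by the Calculate button is not reproduced, since its algorithm is not on the page.

```python
"""Parse 'cplic putlic' license strings and flag expiry (added example)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Tuple

SAMPLE_LINES = [
    # The page's own example.
    "cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NBgPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890",
    # Constructed samples: never-expiring, and one expiring soon.
    "cplic putlic 192.0.2.10 never aB3dEf12-GhIjKl45-MnOpQr67 CPSB-FW CK-0000000001",
    "cplic putlic 192.0.2.10 15Feb2013 zZ9yYx8w-VvUuTt7s-RrQqPp6o CPSB-VPN CPSB-IA CK-0000000002",
]
TODAY = date(2013, 2, 1)  # fixed reference date so results are reproducible


@dataclass(frozen=True)
class License:
    host: str                       # IP the license is tied to (management IP if Central)
    expires: Optional[date]         # None means the license never expires
    signature: str
    features: Tuple[str, ...]       # SKU / feature tokens
    certificate_key: Optional[str]  # trailing CK-... token, if present


def parse_putlic(line: str) -> License:
    """Split 'cplic putlic <host> <expiry> <signature> <features...> [CK-...]'."""
    tokens = line.split()
    if tokens[:2] != ["cplic", "putlic"]:
        raise ValueError("not a 'cplic putlic' line")
    if len(tokens) < 6:
        raise ValueError("expected host, expiration, signature and at least one feature")
    host, exp_text, signature, *features = tokens[2:]
    if exp_text.lower() == "never":
        expires = None
    else:
        expires = datetime.strptime(exp_text, "%d%b%Y").date()  # e.g. 06Dec2002
    certificate_key = features.pop() if features[-1].startswith("CK-") else None
    if not features:
        raise ValueError("license has no SKU/feature")
    return License(host, expires, signature, tuple(features), certificate_key)


def expiry_status(lic: License, today: date, within_days: int) -> str:
    """'never', 'expired', 'expiring' (within the next N days) or 'ok'."""
    if lic.expires is None:
        return "never"
    if lic.expires < today:
        return "expired"
    if lic.expires <= today + timedelta(days=within_days):
        return "expiring"
    return "ok"


def report(lines, today=TODAY, within_days=30):
    """[(host, 'SKU1 SKU2', 'YYYY-MM-DD' or 'never', status), ...], one per line."""
    rows = []
    for line in lines:
        lic = parse_putlic(line)
        when = lic.expires.isoformat() if lic.expires else "never"
        rows.append((lic.host, " ".join(lic.features), when,
                     expiry_status(lic, today, within_days)))
    return rows


if __name__ == "__main__":
    for host, sku, when, status in report(SAMPLE_LINES):
        print(f"{host:<12} {sku:<24} {when:<12} {status}")
```

Feeding it the lines of a multi-license file exported from the repository gives the same "expiring within the next x days" view as the License Expiration window, which is useful when that check has to run from a script rather than from the GUI.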

To Export a License to a File


1. In the Licenses Repository select one or more license, right-click, and from
the menu select Export to File.
2. In the Choose File to Export License(s) To window, name the file (or select an
existing file), and browse to the desired location. Click Save.

All selected licenses are exported. If the file already exists, the new licenses are
added to the file.


Service Contracts
Before upgrading a Gateway or Security Management Server, you need to have a
valid support contract that includes software upgrade and major releases
registered to your Check Point User Center account. The contract file is stored on
Security Management Server and downloaded to Check Point Security Gateways
during the upgrade process. By verifying your status with the User Center, the
contract file enables you to easily remain compliant with current Check Point
licensing standards.

Figure 58 - Service Contracts


As in all upgrade procedures, first upgrade your Security Management Server or
Multi-Domain Management before upgrading the Gateways. Once the
management has been successfully upgraded and contains a contract file, the
contract file is transferred to a Gateway when the Gateway is upgraded (the
contract file is retrieved from the management).

Managing Contracts

Once you have successfully upgraded the Security Management Server, you can
use SmartUpdate to display and manage your contracts. From the License
Management window, it is possible to see whether a particular license is
associated with one or more contracts. The License Repository window in
SmartUpdate displays contracts as well as licenses.

Updating Contracts

The Licenses & Contracts menu on the menu bar has enhanced functionality for
handling contracts:
- Licenses & Contracts > Update Contracts: installs contract information
  on the Security Management Server. Each time you obtain a new contract,
  you can use this option to make sure the new contract is displayed in the
  license repository.
- Licenses & Contracts > Get all Licenses: collects licenses of all
  Gateways managed by the Security Management Server, and updates the
  contract file on the Server if the file on the Gateway is newer.

Figure 59 - Updating Contracts


Practice and Review

Review
1. What can be upgraded remotely using SmartUpdate?

2. What two repositories does SmartUpdate install on the Security Management
   Server?

3. What does the Pre-Install Verifier check?


CHAPTER 7  User Management and Authentication

User Management and Authentication


If you do not have a user-management infrastructure in place, you can make a
choice between managing the internal-user database or choosing to implement an
LDAP server. If you have a large user count, Check Point recommends opting for
an external user-management database, such as LDAP.

Check Point authentication features enable you to verify the identity of users
logging in to the Security Gateway, and also allow you to control security by
allowing some users access and disallowing others. Users authenticate by
proving their identities, according to the scheme specified under a Gateway
authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.

Learning Objectives:
- Centrally manage users to ensure only authenticated users securely access the
  corporate network either locally or remotely.
- Manage user access to the corporate LAN by using external databases.

Creating Users and Groups


Authentication rules are defined by user groups rather than individual users.
Therefore, you must first define users and then add them to groups to define
authentication rules. You can define users using the Security Gateway proprietary
user database or using an LDAP, RADIUS or ACE server.

For the procedure describing how to create Security Gateway users using a
template, create a group, adding users to the group and installing user
information in the database, refer to the lab "Creating Users and Groups" in this
chapter.

User Types
SmartDashboard allows you to manage a variety of user types:

External User Profiles - Externally defined users who are not defined in the
internal users database or on an LDAP server. External user profiles are used to
avoid the burden of maintaining multiple user databases, by defining a single,
generic profile for all external users. External users are authenticated based on
either their name or their domain.

LDAP Groups - An LDAP group specifies certain LDAP user characteristics.
All LDAP users defined on the LDAP server that match these characteristics are
included in the LDAP group. LDAP groups are required for performing a variety
of operations, such as defining LDAP user access rules or LDAP remote access
communities. For detailed information on LDAP groups, see the chapter "User
Management and Authentication".

Templates - User templates facilitate the user definition process and prevent
mistakes, by allowing you to create a new user based on the appropriate template
and change only a few relevant properties as needed.

User Groups - User groups consist of users and of user sub-groups. Including
users in groups is required for performing a variety of operations, such as
defining user access rules or remote access communities.

Users - These are either local clients or remote clients, who access your
network and its resources.

Security Gateway Authentication


The Security Gateway authenticates individual users using credentials, and
manages them using different authentication schemes. All authentication
schemes require a username and password.

Types of Legacy Authentication

There are three ways to access a network resource and authenticate using the
Legacy Authentication in the Security Gateway:

User Authentication - Grants access on a per-user basis. This method can
only be used for Telnet, FTP, HTTP, rlogin and HTTPS services. User
Authentication is secure, because the authentication is valid only for one
connection, but intrusive, because each connection requires another
authentication. For example, accessing a single Web page could display
several dozen User Authentication windows, as different components are
loaded.

Session Authentication - Provides an authentication mechanism for any
service, and requires users to supply their credentials for each authentication
session; a Session Authentication Agent must be installed on every
authenticating client. Therefore, this method is not suitable for authenticating
HTTP services, as they open multiple connections per session. Session
Authentication can be used to authenticate any service on a per-session basis.
After the user initiates a connection directly to the server, the Security
Gateway located between the user and the destination intercepts the
connection. The Gateway recognizes that user-level authentication is
required, and initiates a connection with the Session Authentication Agent.
Similar to Client Authentication, Session Authentication is best used on
single-user machines, where only one user can authenticate from a given IP at
any one time.

Client Authentication - Permits multiple users and connections from the
authorized IP address or host; authorization is performed per machine. For
example, if finger is authorized for a client machine, all users on the client are
authorized to use finger and are not asked to supply a password during the
authorization process. Client Authentication is slightly less secure than User
Authentication, because it allows any user access from the IP address or host,
but is also less intrusive than Session Authentication. Client Authentication is
best used when the client is a single-user machine, such as a desktop
computer. The main advantage of this method is that it can be used on any
number of connections for any service, and authentication can be validated
for a specified time period.


This table presents a comparison of the three Security Gateway authentication
methods:

                           User                     Session                    Client
Services                   Telnet, FTP, rlogin,     All services               All services
                           HTTP, HTTPS
Authentication is          Connection               Session                    IP address
performed once per
Authenticates when...      Each time a user uses    Each time a user uses      Only once, and uses any
                           one of the supported     any service (requires a    service until signing out
                           services                 Session Authentication
                                                    Agent on the client)

Authentication is required for remote-access communication such as SSL VPN,
IPSec VPN and Endpoint clients. However, these authentication methods are not
often employed in such environments. For more information about user access
and VPNs, see the chapters "Encryption and VPNs" and "Introduction to VPNs" in
this manual.

Authentication Schemes

Authentication schemes employ usernames and passwords to identify valid users.
Some schemes are maintained locally and store usernames and passwords on the
Security Gateway, while others are maintained externally and store User
Authentication information on an external authentication server. Certain
schemes, such as SecurID, are based on providing a one-time password. All of
the schemes can be used with users defined on an LDAP server. For additional
information on configuring the Security Gateway to integrate with an LDAP
server, refer to the "UserDirectory and User Management" section in this chapter.

Check Point Password - The Security Gateway can store a static password in
the local user database of each user configured on the Security Management
Server. No additional software is required. Alternatively, to permit alteration of
this credential, store the Check Point password in UserDirectory.

Operating System Password - The Security Gateway can authenticate using
the username and password that is stored on the operating system of the machine
on which the Security Gateway is installed. You can also use passwords that are
stored in a Windows domain. No additional software is required.

RADIUS - RADIUS is an external authentication scheme that provides security
and scalability by separating the authentication function from the access server.
Using RADIUS, the Gateway forwards authentication requests by remote users
to the RADIUS server. The RADIUS server, which stores user account
information, authenticates the users.

The RADIUS protocol uses UDP to communicate with the Gateway. RADIUS
servers and RADIUS server-group objects are defined in SmartDashboard.
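What "forwards authentication requests to the RADIUS server" means on the wire is an Access-Request carrying the user name and a hidden User-Password, answered by an Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared secret. The following is an added example, not Check Point code: a minimal RFC 2865 client in the role the Security Gateway plays, plus a simulated server, so the password hiding and the reply verification can be followed end to end. Packets are built and parsed in memory rather than sent over UDP; the shared secret, user store, NAS address and packet identifier are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange, both sides (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"constructed-shared-secret"          # known to gateway and RADIUS server
USER_DB = {"alice": b"correct horse battery"}  # constructed server-side store
NAS_IP = bytes([192, 0, 2, 1])                 # constructed gateway address
IDENT = 0x2A                                   # constructed packet identifier


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR block i with MD5(secret + c[i-1])."""
    length = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(length, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, length, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: the chain runs over the hidden blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(user, password, secret, ident=IDENT, req_auth=None):
    """Client side. Returns (packet, request_authenticator)."""
    req_auth = req_auth or os.urandom(16)  # fresh, unpredictable per request
    body = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, NAS_IP),
    ])
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return head + req_auth + body, req_auth


def server_respond(request, secret, user_db):
    """Simulated server: recover the password, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = user in user_db and hmac.compare_digest(password, user_db[user])
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_response(response, req_auth, secret, ident):
    """Client side. Returns the reply code only if the reply is authentic, else None."""
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if resp_ident != ident or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # wrong secret or a spoofed reply: treat as no answer
    return code


def authenticate(user, password, secret=SECRET, user_db=USER_DB, server_secret=None):
    """Full round trip; True only on an Access-Accept that verifies."""
    request, req_auth = build_access_request(user, password, secret)
    response = server_respond(request, server_secret or secret, user_db)
    return verify_response(response, req_auth, secret, IDENT) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice/correct:", authenticate("alice", b"correct horse battery"))
    print("alice/wrong:  ", authenticate("alice", b"wrong"))
    print("secret mismatch:", authenticate("alice", b"correct horse battery",
                                           server_secret=b"other"))
```

Two points the code makes that the prose does not: the User-Password hiding is an MD5 keystream, not encryption in any modern sense, so the shared secret and the UDP path between gateway and server deserve the same protection as a password store; and a client that skips the Response Authenticator check will accept a spoofed Access-Accept from anyone who can reach it on the RADIUS port, which is why a secret mismatch in the last case yields a refusal rather than a reject.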

SecurID - SecurID requires users to both possess a token authenticator and to
supply a PIN or password. Token authenticators generate one-time passwords
that are synchronized to an RSA ACE/Server, and may come in the form of
hardware or software. Hardware tokens are key-ring or credit card-sized devices,
while software tokens reside on the computer or device from which the user
wants to authenticate. All tokens generate a random, one-time-use access code
that changes approximately every minute. When a user attempts to authenticate
to a protected resource, the one-time-use code must be validated by the ACE/
Server.

Using SecurID, the Security Gateway forwards authentication requests by remote
users to the ACE/Server. ACE manages the database of RSA users and their
assigned hard or soft tokens. The Security Gateway acts as ACE/Agent 5.0, and
directs all access requests to the RSA ACE/Server for authentication. For
additional information on agent configuration, refer to your ACE/Server
documentation.

There are no specific parameters required for the SecurID authentication scheme.

TACACS - TACACS is an external-authentication scheme that provides
verification services. TACACS provides access control for routers, network
access servers and other networked devices through one or more centralized
servers. Using TACACS, the Gateway forwards authentication requests by
remote users to a TACACS server. The TACACS server, which stores user-
account information, authenticates users. The system supports card-key devices
or token cards and Kerberos secret-key authentication. TACACS encrypts the
username, password, authentication services, and accounting information of all
authentication requests to ensure secure communication.

Undefined - The authentication scheme for a user can be undefined. If a user
with an undefined authentication scheme is matched to a rule with some form of
authentication, access is always denied.

Remote User Authentication

Configure the authentication method that all users will use to authenticate to the
Mobile Access portal or to IPsec VPN clients.
You can configure one authentication method for Mobile Access on the
Authentication for Mobile Access page and a different method for IPsec VPN
clients on the Authentication for IPsec VPN page. You can configure different
authentication methods for the different blades, even if they are on the same
gateway.
For Mobile Access, you can also configure whether the settings for Two Factor
Authentication with DynamicID are Global or specific to the gateway.
If you do not configure authentication settings on this page, the gateway takes
authentication settings from Gateway object Properties > Legacy
Authentication.

Figure 60 - Remote User Authentication

Authentication Types
Defined on user record - Takes the authentication method from Gateway
object Properties > Legacy Authentication.

Username and Password - Uses a username and password defined for the user
on the gateway.

RADIUS - Users are challenged for a response, as defined by the RADIUS
server.

SecurID - Users are challenged to enter the number displayed on the Security
Dynamics SecurID card.

Personal certificate - Digital Certificates are issued by the Internal Certificate
Authority or by a third-party OPSEC certified Certificate Authority.

For Mobile Access: Two Factor Authentication with DynamicID
- Global Settings - The gateway takes the global settings from the
  Authentication to Gateway page of the Mobile Access tab.
- Custom Settings for this Gateway - This gateway has its own two-
  factor authentication settings. Click Configure to change the settings
  for this gateway.

Figure 61 - Authentication for Mobile Access




Authentication Methods

Each method can be configured to connect and authenticate clients to the
Security Gateway before the connection is passed to the desired resource (a
process known as nontransparent authentication). Alternatively, each method can
be configured to connect clients directly to the target server (a process known as
transparent authentication).

This section describes how users authenticate using each authentication method,
along with guidelines for configuring each method.



User Authentication (Legacy)


User Authentication provides authentication for the Telnet, FTP, HTTP, and
rlogin services. By default, User Authentication is transparent. The user does not
connect directly to the Security Gateway, but initiates a connection to the target
server.

Figure 62 - Rule Base with User Authentication Defined

User Authentication Rule Base Considerations

Although it is true that the Gateway processes rules in order, an exception to this
is when User Authentication is employed. In this case, the most permissive rule
in the Rule Base is used by the Gateway. If a User Authentication rule matches a
packet, all rules are evaluated before authentication occurs, and the least
restrictive rule is applied.




Session Authentication (Legacy)


In the Session Authentication Action Properties, you can define the session
authentication behavior for a connection that is matched on a Session
Authentication rule.
You can also define how to treat the user when the allowed location of the user is
different than the location allowed to the user in the Rule.

Figure 63 - Session Authentication

Session Authentication can be used for any service, but requires either a Session
Authentication agent to get the user identity, or UserAuthority. Like User
Authentication, it requires an authentication procedure for each connection.

UserAuthority can be used to get the user identity. It can do this in one of three
ways:
1. From a SecureAgent.
2. From SecureClient, if the user authenticated via SecureClient connected to
the Check Point Security Gateway.
3. From the Check Point Security Gateway, if the user authenticated via an
HTTP connection to port 900 or Telnet to port 259 on the gateway.

A Session Authentication agent can also be used to get the user identity. The
Session Authentication agent is normally installed on the authenticating client, in
which case the person who wants the connection to the destination host supplies
the authentication credentials. However, the Session Authentication agent can
also be installed on the destination machine, or on some other machine in the
network. In that case, the person at the machine on which the Agent is installed is
asked to supply the username and a password.

Source and Destination both have the following possible settings:

Intersect with User Database - Means that if a user who successfully
authenticates is at a source or trying to reach a destination which is allowed to
the user according to the rule, but the User Properties for that user do not
allow this location, the user will be denied.

Ignore User Database - Users who would otherwise be denied as a result of the
allowed source or destination defined in the User Properties are allowed
anyway.

Contact Agent At - Tells the Check Point Security Gateway which host to
attempt to contact. An Agent can be a SecureAgent installed on the client
machine, a SecureClient installed on the client machine, or a Session
Authentication Agent installed on the client machine or another host. The
possibilities are:
Src - Specifies that the Agent on the rule's Source object will authenticate the
session.
Other - Specifies that the Session Authentication Agent on the specified object
will authenticate the session. This allows authentication credentials to be
provided by someone other than the person requesting access.

Accept only SecuRemote/SecureClient encrypted connections - Applies the rule
only if the connection is encrypted (that is, only if the source is a SecureClient
machine).

Single Sign On - Means that when a user opens a connection that matches this
rule, the Check Point Security Gateway queries UserAuthority for the user
identity. If UserAuthority replies with the username (and the user belongs to
groups, if defined), the connection is allowed. Otherwise, it is dropped.
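The Intersect with User Database / Ignore User Database decision described above, as an added Python example that is not Check Point code: the rule networks, the user record and the addresses are constructed, and the rule and user record are modelled as plain dataclasses.

```python
"""Decision logic for the Source and Destination settings of a Session
Authentication rule (Intersect with User Database vs. Ignore User Database).
Added example, not Check Point code: the rule, user record and addresses
below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


def _in_any(addr: str, nets: Iterable[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in nets)


@dataclass
class SessionAuthRule:
    src_nets: List[str]   # locations the rule's Source column allows
    dst_nets: List[str]   # locations the rule's Destination column allows
    src_mode: str         # "intersect" = Intersect with User Database, "ignore" = Ignore User Database
    dst_mode: str


@dataclass
class UserRecord:
    name: str
    allowed_src: List[str]   # Location restrictions in the User Properties
    allowed_dst: List[str]


def _location_ok(addr: str, rule_nets, user_nets, mode: str) -> Tuple[bool, str]:
    # The rule's own Source/Destination must match first; otherwise the
    # rule simply does not apply to the connection.
    if not _in_any(addr, rule_nets):
        return False, "not allowed by the rule"
    # Intersect: the User Properties must also allow this location.
    if mode == "intersect" and not _in_any(addr, user_nets):
        return False, "allowed by the rule, but not by the User Properties"
    # Ignore: a user the User Properties would deny is allowed anyway.
    return True, "allowed"


def decide(rule: SessionAuthRule, user: UserRecord, authenticated: bool,
           src: str, dst: str) -> Tuple[bool, str]:
    """Return (accept, reason) for a connection src -> dst that matched the rule."""
    if not authenticated:
        return False, f"{user.name}: authentication failed"
    ok, why = _location_ok(src, rule.src_nets, user.allowed_src, rule.src_mode)
    if not ok:
        return False, f"source {src}: {why}"
    ok, why = _location_ok(dst, rule.dst_nets, user.allowed_dst, rule.dst_mode)
    if not ok:
        return False, f"destination {dst}: {why}"
    return True, f"{user.name} accepted from {src} to {dst}"


# Constructed sample: the rule admits the whole 10.1.0.0/16 user LAN, but the
# user record only permits this user from the 10.1.5.0/24 subnet.
RULE_INTERSECT = SessionAuthRule(["10.1.0.0/16"], ["172.16.10.0/24"], "intersect", "intersect")
RULE_IGNORE = SessionAuthRule(["10.1.0.0/16"], ["172.16.10.0/24"], "ignore", "ignore")
USER = UserRecord("jbrown", allowed_src=["10.1.5.0/24"], allowed_dst=["0.0.0.0/0"])

if __name__ == "__main__":
    for rule in (RULE_INTERSECT, RULE_IGNORE):
        print(rule.src_mode, decide(rule, USER, True, "10.1.9.7", "172.16.10.20"))
```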

Figure 64 - Session Authentication Action Properties




Configuring Session Authentication


To configure Session Authentication:
1. If using the Session Authentication Agent, install and configure it for all
machine desktops with Session Authentication enabled.
2. Configure the required users and groups for authentication, and install the
user database.
3. In the Authentication window from the Gateway object's General Properties,
enable the required authentication schemes. The Gateway must support all
user-defined authentication schemes. For example, if some users must provide
a Check Point password and others RADIUS authentication, select both
schemes.
4. Define a Session Authentication access rule by following the same
instructions as those under "Configuring User Authentication", except select
Session Auth in the Action column of the Rule Base.
5. If required, adjust the Failed Authentication Attempts settings for Session
Authentication in the Authentication window of the Global Properties:

Figure 65 - Session Authentication


Client Authentication (Legacy)


Client Authentication can be used to authenticate any service. It enables access
from a specific IP address for an unlimited number of connections. The client
user performs the authentication process, but it is the client machine that is
granted access. Client Authentication is less secure than User Authentication,
because it permits access for multiple users and connections from authorized IP
addresses or hosts. Authorization is performed on a per-machine basis for
services that do not have an initial login procedure. The advantages of Client
Authentication are that it can be used for an unlimited number of connections, for
any service, and is valid for any length of time.

Client Authentication and Sign-On Overview


Client Authentication works with all sign-on methods. The table below shows
how different sign-on methods provide a choice when selecting an authentication
method for authenticated services and others. For sign-on methods other than
Manual Client Authentication, the Security Gateway is transparent to users who
authenticate directly to the destination host.

Client Authentication    Authentication Method for           Authentication Method for
Sign-On Method           Authenticated Services              Other Services
                         (Telnet, FTP, HTTP, rlogin)
-----------------------------------------------------------------------------------------
Manual                   Telnet to port 259 on Gateway, or   Telnet to port 259 on Gateway, or
                         HTTP to port 900 on Gateway         HTTP to port 900 on Gateway
Partially automatic      User Authentication                 Not available
Fully automatic          User Authentication                 Session Authentication
Agent automatic          Session Authentication              Session Authentication
Single Sign On           UserAuthority                       UserAuthority




The following are the two Client Authentication sign-on options:

Standard Sign-on - Enables users to access all services permitted by the
rule, without authenticating for each service.
Specific Sign-on - Enables users to access only the services that they
specify when they authenticate, even if the rule allows more than one service;
if users want to use another service, they must reauthenticate for that specific
service.

At the end of an authentication session, users can sign off. When users sign off,
they are disconnected from all services and the remote host.

Sign-On Methods

Manual Sign On - Available for any service that is specified in the Client
Authentication rule; the user must first connect to the Gateway and
authenticate in one of the following two ways:
Through a Telnet session to the Gateway on port 259.
Through an HTTP connection to the Gateway on port 900 and a Web browser;
the requested URL must include the Gateway name and port number, for
example, http://Gateway:900.

Wait Mode

Wait Mode is a Client Authentication feature for Manual Sign On, when the user
initiates a Client Authenticated connection with a Telnet session on port 259 on
the Gateway. Wait Mode eliminates the need to open a new Telnet session to sign
off and withdraw Client Authentication privileges. In Wait Mode, the initial
Telnet session connection remains open, as long as Client Authentication
privileges remain valid. Client Authentication privileges are withdrawn when the
Telnet session is closed.

The Security Gateway keeps the Telnet session open by pinging the
authenticating client. If for some reason the client machine stops running, the
Gateway closes the Telnet session, and Client Authentication privileges from the
connected IP address are withdrawn.

Partially Automatic Sign On - Partially Automatic Sign On is available for
authenticated services (Telnet, FTP, HTTP, and rlogin), only if they are
specified in the Client Authentication rule. If users attempt to connect to a
remote host using one of the authenticated services, they must authenticate
with User Authentication. When using partially automatic Client
Authentication, ensure that port 80 is accessible on the Gateway.




Fully Automatic Sign On - Fully Automatic Sign On is available for any
service, only if the required service is specified in the Client Authentication
rule. If users attempt to connect to a remote host using an authenticated
service (Telnet, FTP, HTTP, and rlogin), they must authenticate with User
Authentication. If users attempt to connect to a remote host using any other
service, they must authenticate through a properly installed Session
Authentication Agent. When using fully automatic Client Authentication,
ensure that port 80 is accessible on the Gateway.

Agent Automatic Sign On - Agent Automatic Sign On is available only if
the required service is specified in the Client Authentication rule, and the
Session Authentication Agent is properly installed. If users attempt to connect
to a remote host using any service, they must authenticate through a Session
Authentication Agent.

Single Sign On - Single Sign On is available for any service, only if the
required service is specified in the Client Authentication rule and
UserAuthority is installed. Single Sign On is a Check Point address-
management feature that provides transparent network access. The Gateway
consults the user IP address records to determine which users are logged in to
any given IP address. When a connection matches a Single Sign On enabled
rule, the Gateway queries UserAuthority with the packet's source IP.
UserAuthority returns the name of the user who is registered to the IP. If the
user's name is authenticated, the packet is accepted. If not, it is dropped.

Configuring Authentication Tracking


Successful and unsuccessful authentication attempts can be monitored in
SmartView Tracker or using other tracking options, for example, e-mail and
alerts. Authentication tracking can be configured for the following types of
authentication attempts:

Failed authentication attempts - Can be tracked for all forms of
authentication; to track failed authentication attempts, in the Authentication
window of a gateway object, set the Authentication Failure Track property
to define the tracking option when authentication failures occur.

Successful authentication attempts - Can only be tracked for Client
Authentication; in the Client Authentication Action Properties window, set
the Successful Authentication Tracking property to define the tracking
option for all successful Client Authentication attempts. These options
include None, Log, and Alert. The default setting is Log.

All Authentication attempts - Can be tracked for all forms of
authentication; select an option in the Track column of any rule that uses
some form of authentication. Some tracking options may not take effect if the
gateway object is set to log all failed authentication attempts. For example,
setting a rule to None has no effect, and failed authentication attempts are still
logged in SmartView Tracker. However, setting the rule to Alert causes an
alert to be sent for each failed authentication attempt.


LDAP User Management with UserDirectory


Lightweight Directory Access Protocol (LDAP) is an open industry standard
that is used by multiple vendors. It is used to maintain information about users
and items within an organization. LDAP is widely accepted as the directory-
access method of the Internet. One of the reasons that it is the obvious choice for
so many vendors is because of its cross-platform compliancy. LDAP is
automatically installed on different operating systems (e.g., the Microsoft Active
Directory) and servers (such as Novell, Netscape, etc.).

When integrated with Security Management, LDAP is referred to as
UserDirectory (LDAP).

LDAP Features
Features of LDAP are as follows:
LDAP is based on a client/server model, in which an LDAP client makes a
TCP connection to an LDAP server.
Each entry has a unique Distinguished Name (DN).
Default port numbers are 389 for standard connections, and 636 for Secure
Sockets Layer (SSL) connections.
Each LDAP server is called an Account Unit.




Distinguished Name


A Distinguished Name (DN) is a globally unique name for an entity, constructed
by appending the sequence of DN from the lowest level of a hierarchical
structure, to the root. The root becomes the relative DN. This structure becomes
apparent when setting up SmartDashboard user management.

Figure 66 - Distinguished Name

For example, if searching for the name John Brown, the search path would start
with John Brown's Common Name (CN). You would then narrow the search to
the organization he works for, then to the country. If John Brown works for ABC
Company, one possible DN is shown below:

cn=John Brown, ou=Marketing, o=ABC Company, c=US

This can be read as: "John Brown, in Marketing, of ABC Company, in the United
States". A different John Brown, who works at the XYZ Company, might have a
DN as follows:

cn=John Brown,o=XYZ Company,c=US

The two CNs "John Brown" belong to two different organizations with different
DNs. This can be outlined as an inverted tree, as in the figure.
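Parsing the two DNs above and laying them out as the inverted tree just described, as an added Python example that is not part of the manual; it also handles the backslash-escaped comma inside a value, a case the text does not show.

```python
"""Parse LDAP Distinguished Names and lay them out as the inverted tree the
text describes.  Added example, not Check Point code; the two sample DNs are
the John Brown entries from the text."""
from typing import Dict, List, Tuple

DN_ABC = "cn=John Brown, ou=Marketing, o=ABC Company, c=US"
DN_XYZ = "cn=John Brown,o=XYZ Company,c=US"


def _split_rdn(rdn: str) -> Tuple[str, str]:
    if "=" not in rdn:
        raise ValueError(f"malformed RDN: {rdn!r}")
    attr, value = rdn.split("=", 1)
    # Attribute types are case-insensitive; whitespace around an RDN is not significant.
    return attr.strip().lower(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, entry first, root last.

    A backslash escapes the next character, so "o=ABC\\, Inc" stays one RDN."""
    rdns: List[Tuple[str, str]] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(current)))
    return rdns


def describe(dn: str) -> str:
    """Read a DN the way the text does: 'John Brown, in Marketing, of ABC Company, in US'."""
    prefix = {"cn": "", "ou": "in ", "o": "of ", "c": "in "}
    return ", ".join(prefix.get(attr, attr + " ") + value for attr, value in parse_dn(dn))


def build_tree(dns: List[str]) -> Dict[str, dict]:
    """Nest the RDNs root-first (c -> o -> ou -> cn): the inverted tree of Figure 66."""
    tree: Dict[str, dict] = {}
    for dn in dns:
        node = tree
        for attr, value in reversed(parse_dn(dn)):
            node = node.setdefault(f"{attr}={value}", {})
    return tree


def render(tree: Dict[str, dict], depth: int = 0) -> List[str]:
    """Flatten the tree into indented lines for display."""
    lines: List[str] = []
    for name, child in tree.items():
        lines.append("  " * depth + name)
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    print(describe(DN_ABC))
    print("\n".join(render(build_tree([DN_ABC, DN_XYZ]))))
```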


Multiple LDAP Servers


There are several advantages to using more than one LDAP server, including the
following:
Compartmentalization, by allowing a large number of users to be distributed
across several servers
High Availability, by replicating the same information on several servers
Faster access time, by placing LDAP servers containing the database at
remote sites
Figure 67 - Multiple LDAP Servers

If the Security Gateway includes the appropriate license, account management is
allowed for an unlimited number of LDAP servers. Therefore, as many LDAP
servers as needed may be managed through SmartDashboard, as shown in the
figure.

Using an Existing LDAP Server


If there is an existing LDAP user database, integration with the Security Gateway
is relatively simple. The LDAP server maintains all user information, including
login name and password. Addition and deletion of users is performed on the
LDAP server through the LDAP user interface or SmartDashboard.




Configuring Entities to Work with the Gateway


The predominant reasons for integrating the Security Gateway and UserDirectory
(LDAP) are:
To query user information.
To enable Certificate Revocation List (CRL) retrieval.
To enable user management.
To authenticate users.

The first step is to enable the option Use UserDirectory (LDAP) in Global
Properties. Then, it is necessary to define an Account Unit. If you are
implementing UserDirectory user management, you will need to know which
entities to define, and how to manage the users defined by the UserDirectory
Account Unit. UserDirectory user management requires a special license.

Figure 68 - Configuring Entities to Work with the Gateway

The graphic shows the global settings for UserDirectory (LDAP):


Defining an Account Unit


Create a new UserDirectory Account unit via the Servers tab of the Objects tree,
as shown.

Figure 69 - LDAP Account Unit Properties

The LDAP Account Unit Properties window consists of several tabs:

General tab - Defines the general settings of the LDAP Account Unit;
decide whether this Account Unit is to be used for CRL retrieval, user
management, or both.
Profile - Select a profile to be applied to the new Account Unit. Four
profiles are defined by default, each corresponding to a specific LDAP server:
OPSEC_DS - The default profile for a standard OPSEC certified
UserDirectory server.
NetscapeDS - The profile for a Netscape Directory Server.
Novell DS - The profile for a Novell Directory Server.
Microsoft AD - The profile for Microsoft Active Directory.

Servers tab - Displays the LDAP servers to be used by the Account Unit;
the order in which they are displayed is the default query order.


Objects Management tab - Allows you to select the LDAP server on
which objects are managed; the branches for the selected LDAP server can be
retrieved by selecting Fetch branches, or they can be added manually. Some
versions of LDAP do not support automatic branch retrieval using Fetch
branches. These branches will be searched when this LDAP server is
queried. The Administrator can add or modify the branches.
Authentication tab - Allows you to define an authentication scheme for
the LDAP account.

Note: For enhanced security, this Account Unit object can be locked
with a password that must be entered when this Account Unit
is accessed from SmartDashboard for managing users.

Managing Users
Users defined in the Account Unit are managed in the Users tab of the Objects
tree. This intuitive tree structure enables users to be managed as if all the users
were actually sitting on the internal Security Gateway database. For instance, you
can add, edit or delete users by right-clicking them in the Objects tree, and by
selecting the option of your choice.

Figure 70 - Managing Users


UserDirectory Groups
UserDirectory groups are created to classify users within certain group types.
These UserDirectory groups are then applied in Policy rules. Define a
UserDirectory group in the LDAP Group Properties window in the Users and
Administrators tab of the Objects tree:

Figure 71 - LDAP Group Properties

Once UserDirectory groups are created, they can be applied in various Policy
rules, such as the Security Policy. In this window, you can select the Account
Unit on which the UserDirectory group is defined, and apply an advanced filter to
increase the granularity of a group definition. Only those users who match the
defined criteria will be included as members of the UserDirectory group. For
instance, you can include all users defined in the selected Account Unit as part of
the UserDirectory group, or only members of a specified branch, or only
members of a specified group on the branch.




Practice and Review

Practice Lab

Lab 8: Configuring User Directory

Review

1. User Auth can be only used for what services?

2. When using Session Authentication, what is needed to retrieve a user's
identity?

3. What are the advantages of using multiple LDAP servers?

4. Why integrate the Security Gateway and UserDirectory?




CHAPTER 8 Identity Awareness


Identity Awareness
Check Point Identity Awareness Software Blade provides granular visibility of
users, groups and machines, providing unmatched application and access control
through the creation of accurate, identity-based policies. Centralized
management and monitoring allows for policies to be managed from a single,
unified console.

Learning Objectives:
Use Identity Awareness to provide granular level access to network resources.
Acquire user information used by the Security Gateway to control access.
Define Access Roles for use in an Identity Awareness rule.
Implement Identity Awareness in the Firewall Rule Base.




Introduction to Identity Awareness


Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the
user and machine identities behind those IP addresses. Identity Awareness
removes this notion of anonymity since it maps users and machine identities.
This lets you enforce access and audit data based on identity.

Identity Awareness is an easy to deploy and scalable solution. It is applicable for
both Active Directory and non-Active Directory based networks as well as for
employees and guest users. It is currently available on the Firewall blade and
Application Control blade and will operate with other blades in the future.

Identity Awareness lets you easily configure network access and auditing based
on network location and:
The identity of a user
The identity of a machine

When Identity Awareness identifies a source or destination, it shows the IP
address of the user or machine with a name. For example, this lets you create
firewall rules with any of these properties. You can define a firewall rule for
specific users when they send traffic from specific machines or a firewall rule for
a specific user regardless of which machine they send traffic from.

In SmartDashboard, you use Access Role objects to define users, machines, and
network locations as one object.

Figure 72


Identity Awareness also lets you see user activity in SmartView Tracker and
SmartEvent based on user and machine name and not just IP addresses.

Figure 73 - Record Details

Identity Awareness gets identities from these acquisition sources:


AD Query
Browser-Based Authentication
Endpoint Identity Agent
Terminal Servers Identity Agent
Remote Access

AD Query

AD Query gets identity data seamlessly from Microsoft Active Directory (AD).
AD Query for Identity Awareness is recommended for:
Identity based auditing and logging
Leveraging identity in Internet application control
Basic identity enforcement in the internal network

AD Query is an easy to deploy, clientless identity acquisition method. It is based
on Active Directory integration and it is completely transparent to the user.




The AD Query option operates when:

An identified asset (user or machine) tries to access an Intranet resource that
creates an authentication request. For example, when a user logs in, unlocks a
screen, shares a network drive, reads emails through Exchange, or accesses an
Intranet portal.
AD Query is selected as a way to acquire identities.

The technology is based on querying the Active Directory Security Event Logs
and extracting the user and machine mapping to the network address from them.
It is based on Windows Management Instrumentation (WMI), a standard
Microsoft protocol. The Security Gateway communicates directly with the
Active Directory domain controllers and does not require a separate server.

No installation is necessary on the clients or on the Active Directory server.

Identity Awareness supports connections to Microsoft Active Directory on
Windows Server 2003 and 2008.

Firewall Rule Base Example

Figure 74 - Firewall Example

1. The Security Gateway registers to receive security event logs from the Active
Directory domain controllers.
2. A user logs in to a desktop computer using his Active Directory credentials.
3. The Active Directory DC sends the security event log to the Security
Gateway. The Security Gateway extracts the user and IP information (user
name@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
5. The Security Gateway confirms that the user has been identified and lets him
access the Internet based on the policy.




When you set the AD Query option to get identities, you are configuring
clientless employee access for all Active Directory users. To enforce access
options, make rules in the Firewall Rule Base that contain access role objects. An
access role object defines users, machines and network locations as one object.

Active Directory users that log in and are authenticated will have seamless access
to resources based on Firewall Rule Base rules.

Scenario: Laptop Access

John Adams is an HR partner in the ACME organization. ACME IT wants to
limit access to HR servers to designated IP addresses to minimize malware
infection and unauthorized access risks. Thus, the gateway policy permits access
only from John's desktop which is assigned a static IP address 10.0.0.19.

He received a laptop and wants to access the HR Web Server from anywhere in
the organization. The IT department gave the laptop a static IP address, but that
limits him to operating it only from his desk. The current Rule Base contains a
rule that lets John Adams access the HR Web Server from his laptop with a static
IP (10.0.0.19).


Figure 75 - Rule

He wants to move around the organization and continue to have access to the
HR Web Server. To make this scenario work, the IT administrator does these
steps:
1. Enables Identity Awareness on a gateway, selects AD Query as one of the
Identity Sources and installs the policy.
2. Checks SmartView Tracker to make sure the system identifies John Adams in
the logs.
3. Adds an access role object to the Firewall Rule Base that lets John Adams
access the HR Web Server from any machine and from any location.
4. Sees how the system tracks the actions of the access role in SmartView
Tracker.

The SmartView Tracker logs show how the system recognizes John Adams as the
user behind IP 10.0.0.19:



Introduction to Identity Awareness

[SmartView Tracker Record Details: Product Identity Awareness, Action Log In,
Authentication Status Successful Login, Authentication Method Active
Directory, Identity Source AD Query, Source 10.0.0.19, User John Adams]

Figure 76 - John Adams

This log entry shows that the system maps the source IP to the user John Adams
from CORP.ACME.COM. This uses the identity acquired from AD Query.

Note: AD Query maps the users based on AD activity. This can take
some time and depends on user activity. If John Adams is not
identified (the IT administrator does not see the log), he should
lock and unlock the computer.

Using Access Roles

To let John Adams access the HR Web Server from any machine, it is necessary
for the administrator to change the current rule in the Rule Base. To do this, it is
necessary to create an access role for John Adams that includes the specific user
John Adams from any network and any machine.


[Access Role dialog: Name HR_Partner; tabs Networks, Users, Machines,
Authentication and Role Preview; Users set to Specific users/groups with
John Adams selected]

Figure 77 - Access Role Change

Then the IT administrator replaces the source object of the current rule with the
HR_Partner access role object and installs the policy for the changes to be
updated.


Figure 78 - Rule Change

The IT administrator can then remove the static IP from John Adams' laptop and
give it a dynamic IP. The Security Gateway lets the user John Adams access the
HR Web server from his laptop with a dynamic IP as the HR_Partner access role
tells it that the user John Adams from any machine and any network is permitted
access.




Browser-Based Authentication
Browser-Based Authentication acquires identities from unidentified users. You
can configure these acquisition methods:
- Captive Portal
- Transparent Kerberos Authentication

Captive Portal is a simple method that authenticates users through a web
interface before granting them access to Intranet resources. Captive Portal for
Identity Awareness is recommended for:
- Identity based enforcement for non-AD users (non-Windows and
  guest users)
- For deployment of Endpoint Identity Agents

When users try to access a protected resource, they get a web page that they must
fill out to continue.


Figure 79 - Captive Portal

With Transparent Kerberos Authentication, the browser attempts to authenticate
users transparently by getting identity information before the Captive Portal
username/password page opens. When you configure this option, the Captive
Portal requests authentication data from the browser. Upon successful
authentication, the user is redirected to its original destination. If authentication
fails, the user must enter credentials in the Captive Portal.


The Captive Portal option operates when a user tries to access a web resource and
all of these apply:
- The Captive Portal is selected as a way to acquire identities and the
  redirect option has been set for the applicable rule.
- Unidentified users cannot access that resource because of rules with
  access roles in the Firewall / Application Rule Base. But if users are
  identified, they might be able to access the resource.
- Transparent Kerberos Authentication was configured, but
  authentication failed.

When these criteria are true, Captive Portal acquires the identities of users. From
the Captive Portal users can:
- Enter an existing user name and password if they have them.
- For guest users, enter required credentials. Configure what is required
  in the Portal Settings.
- Click a link to download an Identity Awareness agent. Configure this
  in the Portal Settings.

[Diagram: Security Gateway with Identity Awareness between the Intranet,
the Internal Data Center and the Directory server]

Figure 80 - Captive Portal

The diagram shows how Captive Portal works with the Firewall Rule Base:
1. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize him and redirects the browser to the
Captive Portal.
3. The user enters his regular office credentials. The credentials can be AD or
other Check Point supported authentication methods, such as LDAP, Check
Point internal credentials, or RADIUS.




4. The credentials are sent to the Security Gateway and verified in this example
against the AD server.
5. The user can now go to the originally requested URL.
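The steps above, together with the rule option noted elsewhere in this chapter (redirection does not occur when the source IP is already mapped to a user), can be modelled as a short top-down walk of an identity-aware rule base. This is an added example written for this section, not Check Point code; the HR_Partner role, the single rule and the 10.0.x.x addresses are constructed for it, and a real gateway's matching is richer than this model.

```python
"""Added example (not Check Point code): a toy model of an identity-aware
Firewall Rule Base and of when an unidentified source is sent to the
Captive Portal. Addresses, role and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

ANY = "any"                     # "Any user" / "Any machine" / "Any network"
ALL_IDENTIFIED = "identified"   # "All identified users" / "All identified machines"


@dataclass
class Identity:
    """One entry in the gateway's IP-to-identity map (what the tracker log shows)."""
    user: str
    source: str                    # identity source: "AD Query", "Captive Portal", ...
    machine: Optional[str] = None  # known only when an Endpoint Identity Agent reports it


@dataclass
class AccessRole:
    """Users, machines and network locations combined into one object."""
    name: str
    users: object = ANY            # ANY, ALL_IDENTIFIED or a set of user names
    machines: object = ANY         # ANY, ALL_IDENTIFIED or a set of machine names
    networks: object = ANY         # ANY or a set of ip_network objects

    def matches(self, ip, ident: Optional[Identity]) -> bool:
        if self.networks != ANY and not any(ip in n for n in self.networks):
            return False
        if self.users == ALL_IDENTIFIED:
            if ident is None:
                return False
        elif self.users != ANY and (ident is None or ident.user not in self.users):
            return False
        if self.machines == ALL_IDENTIFIED:
            if ident is None or ident.machine is None:
                return False
        elif self.machines != ANY and (ident is None or ident.machine not in self.machines):
            return False
        return True


@dataclass
class Rule:
    source: object                 # AccessRole or ip_network
    destination: object            # ip_network
    action: str                    # "accept" or "drop"
    redirect_to_portal: bool = False  # "Redirect http connections to an authentication (captive) portal"


def evaluate(src_ip: str, dst_ip: str, rules, identities: Dict[str, Identity]) -> str:
    """Walk the rule base top-down; return ACCEPT, DROP or REDIRECT_TO_CAPTIVE_PORTAL."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    ident = identities.get(src_ip)
    for rule in rules:
        if dst not in rule.destination:
            continue
        if isinstance(rule.source, AccessRole):
            # Unidentified source on a redirect-enabled access-role rule: go to the portal.
            # Redirection does not occur if the source IP is already mapped to a user.
            if rule.redirect_to_portal and ident is None:
                return "REDIRECT_TO_CAPTIVE_PORTAL"
            if not rule.source.matches(src, ident):
                continue
        elif src not in rule.source:
            continue
        return rule.action.upper()
    return "DROP"  # implicit cleanup rule


# Constructed rule base: only the HR_Partner role may reach the HR Web server (10.0.1.10).
HR_WEB = ip_network("10.0.1.10/32")
HR_PARTNER = AccessRole("HR_Partner", users={"John Adams"})
RULES = [Rule(HR_PARTNER, HR_WEB, "accept", redirect_to_portal=True)]


def laptop_scenario() -> Dict[str, str]:
    """John's laptop moves from its static IP to a dynamic one and logs in via the portal."""
    ids = {"10.0.0.19": Identity("John Adams", "AD Query")}
    out = {"desk": evaluate("10.0.0.19", "10.0.1.10", RULES, ids)}
    out["laptop_before_login"] = evaluate("10.0.0.77", "10.0.1.10", RULES, ids)
    ids["10.0.0.77"] = Identity("John Adams", "Captive Portal")  # portal login mapped the IP
    out["laptop_after_login"] = evaluate("10.0.0.77", "10.0.1.10", RULES, ids)
    ids["10.0.0.88"] = Identity("Jane Roe", "AD Query")          # identified, but not in the role
    out["other_user"] = evaluate("10.0.0.88", "10.0.1.10", RULES, ids)
    return out


if __name__ == "__main__":
    for case, decision in laptop_scenario().items():
        print(f"{case:20s} -> {decision}")
```

The `other_user` case is the one worth noticing: an identified user outside the role is simply dropped, never redirected, because the portal only acquires identities that the gateway does not yet have.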

If Transparent Kerberos Authentication is configured, the browser attempts to
authenticate users transparently by getting identity information before the
Captive Portal Username/password page is shown to the user. Transparent
Kerberos for Identity Awareness is recommended for use in:
- AD environments, when users are already logged in to the domain and
  the browser obtains identity information from the credentials used in
  the original log in (SSO).

Transparent Kerberos authentication works this way:
1. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize the user and redirects the browser to
the Transparent Authentication page.
3. The Transparent Authentication page asks the browser to authenticate itself.
4. The browser gets a Kerberos ticket from the Active Directory and presents it
to the Transparent Authentication page.
5. The Transparent Authentication page sends the ticket to the Security
Gateway which authenticates the user and redirects it to the originally requested
URL.
6. If Kerberos authentication fails for some reason, Identity Awareness redirects
the browser to the Captive Portal.

Browser-Based Authentication lets you acquire identities from unidentified users
such as:
- Managed users connecting to the network from unknown devices
  such as Linux computers or iPhones.
- Unmanaged, guest users such as partners or contractors.

If unidentified users try to connect to resources in the network that are restricted
to identified users, they are automatically sent to the Captive Portal. If
Transparent Kerberos Authentication is configured, the browser will attempt to
identify users that are logged into the domain using SSO before it shows the
Captive Portal.


Scenario: Recognized User from Unmanaged Device

The CEO of ACME, Jennifer McHanry, recently bought her own personal iPad.
She wants to access the internal Finance Web server from her iPad. Because the
iPad is not a member of the Active Directory domain, she cannot identify
seamlessly with AD Query. However, she wants to be able to enter her AD
credentials in the Captive Portal and then get the same access as on her office
computer. Her access to resources is based on rules in the Firewall Rule Base.

To make this scenario work, the IT administrator must:

1. Enable Identity Awareness on a gateway and select Browser-Based
Authentication as one of the Identity Sources.
2. In the Portal Settings window in the User Access section, make sure that
Name and password login is selected.
3. Create a new rule in the Firewall Rule Base to let Jennifer McHanry access
network destinations. Select accept as the Action.
4. Right-click the Action column and select Edit Properties. The Action
Properties window opens.
5. Select the Redirect http connections to an authentication (captive) portal
checkbox. Note: redirection will not occur if the source IP is already mapped
to a user.
6. Click OK.
7. From the Source of the rule, right-click to create an Access Role.
a. Enter a Name for the Access Role.
b. In the Users tab, select Specific users and choose Jennifer McHanry.
c. In the Machines tab make sure that Any machine is selected.
d. Click OK. The Access Role is added to the rule.


Figure 81 - Access Rule

Jennifer McHanry does these steps:

1. Browses to the Finance server from her iPad. The Captive Portal opens
because she is not identified and therefore cannot access the Finance Server.
2. She enters her usual system credentials in the Captive Portal. A Welcome to
the network window opens.
3. She can successfully browse to the Finance server.




[SmartView Tracker log record: Product Identity Awareness, Action Log In,
Source User Jennifer McHanry]

Figure 82 - SmartView Tracker Log

This log entry shows that the system maps the source IP to the user name
"Jennifer McHanry". This uses the identity acquired from Captive Portal.




Scenario: Guest Users from Unmanaged Devices

Guests frequently come to the ACME company. While they visit, the CEO wants
to let them access the Internet on their own laptops.

Amy, the IT administrator, configures the Captive Portal to let unregistered guests
log in to the portal to get network access. She makes a rule in the Firewall Rule
Base to let unauthenticated guests access the Internet only.

When guests browse to the Internet, the Captive Portal opens. Guests enter their
name, company, email address, and phone number in the portal. They then agree
to the terms and conditions written in a network access agreement. Afterwards
they are given access to the Internet for a specified period of time.

To make this scenario work, the IT administrator must:

1. Enable Identity Awareness on a gateway and select Browser-Based
Authentication as one of the Identity Sources.
2. In the Portal Settings window in the User Access section, make sure that
Unregistered guest login is selected.
3. Click Unregistered guest login - Settings.
4. In the Unregistered Guest Login Settings window, configure:
- The data guests must enter.
- For how long users can access the network resources.
- If a user agreement is required and its text.
5. Create two new rules in the Firewall Rule Base:
If it is not already there, create a rule that lets identified users access the
Internet from the organization.
a. From the Source of the rule, right-click to create an Access Role.
b. Enter a Name for the Access Role.
c. In the Users tab, select All identified users.
d. Click OK.
e. The Access Role is added to the rule.


Figure 83 - Access Role

Create a rule to let Unauthorized Guests access only the Internet.




a. From the Source of the rule, right-click to create an Access Role.
b. Enter a Name for the Access Role.
c. In the Users tab, select Specific users and choose Unauthenticated Guests.
d. Click OK. The Access Role is added to the rule.
e. Select accept as the Action.
f. Right-click the Action column and select Edit Properties. The Action
Properties window opens.
g. Select Redirect http connections to an authentication (captive) portal. Note:
redirection will not occur if the source IP is already mapped to a user.
h. Click OK.


Figure 84 - Internet Rule

From the perspective of a guest at ACME, she does these steps:

1. Browses to an Internet site from her laptop. The Captive Portal opens
because she is not identified and therefore cannot access the Internet.
2. She enters her identifying data in the Captive Portal and reads through and
accepts a network access agreement. A Welcome to the network window opens.
3. She can browse to the Internet for a specified period of time.


The SmartView Tracker log shows how the system recognizes a guest.


[SmartView Tracker Record Details: Product Identity Awareness, Action Log In,
Authentication Method Unregistered Guest, Source User Group Unregistered
Guests, with the guest's name, company name, email address and phone number
recorded under Additional User Information]

Figure 85 - Guest Record

Identity Agents
There are two types of Identity Agents:

- Endpoint Identity Agents - dedicated client agents installed on users'
  computers that acquire and report identities to the Security Gateway.
- Terminal Servers Identity Agent - an agent installed on an application server
  that hosts Citrix/Terminal services. It identifies individual users whose source
  is the same IP address.




Figure 86 - Identity Agent


Endpoint Identity Agent for Identity Awareness is recommended for:
- Leveraging identity for Data Center protection
- Protecting highly sensitive servers
- When accuracy in detecting identity is crucial

Using Endpoint Identity Agents gives you:
- User and machine identity
- Minimal user intervention - all necessary configuration is done by
  administrators and does not require user input.
- Seamless connectivity - transparent authentication using Kerberos
  Single Sign-On (SSO) when users are logged in to the domain. If you
  do not want to use SSO, users enter their credentials manually. You
  can let them save these credentials.
- Connectivity through roaming - users stay automatically identified
  when they move between networks, as the client detects the
  movement and reconnects.
- Added security - you can use the patented packet tagging technology
  to prevent IP Spoofing. Endpoint Identity Agents also give you
  strong (Kerberos based) user and machine authentication.


These are the types of Endpoint Identity Agents you can install:
- Full - requires administrator permissions for installation. If installed
  by a user without administrator permissions, it will automatically
  revert to installing the Light agent. The Full agent performs packet
  tagging and machine authentication.
- Light - does not require administrator permissions for installation.
  Cannot be configured with packet tagging or machine authentication.
  The Light agent supports Microsoft Windows and Mac OS X. For
  supported version information, see the R75.40 Release Notes (http://
  supportcontent.checkpoint.com/solutions?id=sk67581).
- Custom - a customized installation package.

Users can download and install Endpoint Identity Agents from the Captive Portal
or you can distribute MSI/DMG files to computers with distribution software or
any other method (such as telling them where to download the client from).

[Diagram: Security Gateway with Identity Awareness between the Intranet and
the Internal Data Center, with the user downloading the agent from the Captive
Portal]

Figure 87 - Captive Portal Download

This is how a user downloads the Endpoint Identity Agent from the Captive
Portal:
1. A user logs in to his PC with his credentials and wants to access the Internal
Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize
him and sends him to the Captive Portal.
3. The Security Gateway sends a page that shows the Captive Portal to the user.
It contains a link that he can use to download the Endpoint Identity Agent.
4. The user downloads the Endpoint Identity Agent from the Captive Portal and
installs it on his PC.




5. The Endpoint Identity Agent client connects to the Security Gateway.
If SSO with Kerberos is configured, the user is automatically connected.
6. The user is authenticated and the Security Gateway sends the connection to its
destination according to the Firewall Rule Base.

Terminal Servers Identity Agent is used to identify multiple users that connect
from one IP address, where a Terminal Server Identity agent is installed on the
application server that hosts Terminal/Citrix services. The Terminal Servers
Identity Agent identifies users that use a Terminal Server or Citrix environment.

Scenario: Endpoint Identity Agent Deployment and User Group Access

The ACME organization wants to make sure that only the Finance Department
can access the Finance Web server. The current Rule Base uses static IP
addresses to define access for the Finance Department.

Amy, the IT administrator, wants to leverage the use of Endpoint Identity Agents
so:

- Finance users will automatically be authenticated one time with SSO when
  logging in (using Kerberos which is built-in into Microsoft Active Directory).
- Users that roam the organization will have continuous access to the Finance
  Web server.
- Access to the Finance Web server will be more secure by preventing IP
  spoofing attempts.

Amy wants Finance users to download the Endpoint Identity Agent from the
Captive Portal. She needs to configure:
- Identity Agents as an identity source for Identity Awareness.
- Agent deployment for the Finance department group from the Captive Portal.
  She needs to deploy the Full Identity Agent so she can set the IP spoofing
  protection. No configuration is necessary on the client for IP spoofing
  protection.
- A rule in the Rule Base with an access role for Finance users, from all
  managed machines and from all locations with IP spoofing protection
  enabled.


To make this scenario work, the IT administrator must:

1. Enable Identity Awareness on a gateway and select Identity Agents and
Browser-Based Authentication as Identity Sources.
2. Click the Browser-Based Authentication Settings button.
3. In the Portal Settings window in the Users Access section, select Name and
password login.
4. In the Identity Agent Deployment from the Portal, select Require users to
download and select Identity Agent - Full option.
Note: This configures Endpoint Identity Agent for all users.
Alternatively, you can set Identity Agent download for a
specific group.
5. Configure Kerberos SSO.
6. Create a rule in the Firewall Rule Base that lets only Finance Department
users access the Finance Web server and install policy:
a. From the Source of the rule, right-click to create an Access Role.
b. Enter a Name for the Access Role.
c. In the Networks tab, select Specific users and add the Active Directory
Finance user group.
d. In the Users tab, select All identified users.
e. In the Machines tab, select All identified machines and select Enforce IP
spoofing protection (requires Full Identity Agent).
f. Click OK.
g. The Access Role is added to the rule.


Figure 88 - Rule

7. Install Policy.
The Finance Department user browses to the Finance Web server, where
the Captive Portal opens because the user is not identified and cannot access the
server.
8. A link to download the Endpoint Identity Agent will be displayed.



Figure 89 - Endpoint Identity Agent Link

9. The user clicks the link to download the Endpoint Identity Agent. The user
automatically connects to the gateway. A window opens asking the user to
trust the server.

Note: The trust window opens because the user connects to the
Security Gateway with Identity Awareness using the File
name based server discovery option. (Note that there are other
server discovery methods that do not require user trust
confirmation).
10. Click OK. The user automatically connects to the Finance Web server. The
user can successfully browse to the Internet for a specified period of time.

Other options that can be configured for Endpoint Identity Agents:
- A method that determines how Endpoint Identity Agents connect to a Security
  Gateway enabled with Identity Awareness and trusts it.
- Access roles to leverage machine awareness.
- End user interface protection so users cannot access the client settings.
- Let users defer client installation for a set time and ask for user agreement
  confirmation.


Scenario: Identifying Users Accessing the Internet through Terminal Servers
The ACME organization defined a new policy that only allows users to access the
Internet through Terminal Servers. The ACME organization wants to make sure
that only the Sales department will be able to access Facebook. The current Rule
Base uses static IP addresses to define access for Facebook, but now all
connections are initiated from the Terminal Servers' IP addresses.

Amy, the IT administrator, wants to leverage the use of the Terminal Servers
solution so that:
- Sales users will automatically be authenticated with Identity Awareness when
  logging in to the Terminal Servers.
- All connections to the Internet will be identified and logged.
- Access to Facebook will be restricted to the Sales department's users.

To enable the Terminal Servers solution, Amy must:
- Configure Terminal Server/Citrix Identity Agents as an identity source for
  Identity Awareness.
- Install a Terminal Servers Identity Agent on each of the Terminal Servers.
- Configure a shared secret between the Terminal Servers Identity Agents and
  the Identity Server.
After configuration and installation of the policy, users that log in to Terminal
Servers and browse to the Internet will be identified and only Sales
department users will be able to access Facebook.

Deployment
You can deploy Check Point Security Gateways enabled with Identity Awareness
in various scenarios that provide a maximum level of security for your network
environment and corporate data. This section describes recommended
deployment scenarios and options available with Identity Awareness.
- Perimeter security gateway with Identity Awareness - This deployment
  scenario is the most common scenario, where you deploy the Check Point
  security gateway at the perimeter where it protects access to the DMZ and the
  internal network. The perimeter security gateway can also control and inspect
  outbound traffic, targeted to the Internet. In this case, you can create an
  identity-based firewall security Rule Base together with Application Control.
- Data Center protection - If you have a Data Center or server farm,
  segregated from the users' network, you can protect access to the servers with
  the security gateway. To do this, deploy the security gateway inline in front of
  the Data Center. All traffic that flows is then inspected by the gateway. You
  can control access to resources and applications with an identity-based access
  policy. You can deploy the security gateway in transparent mode (bridge
  mode) to avoid significant changes in the existing network infrastructure.
- Large scale enterprise deployment - In large scale enterprise networks,
  there is a need to deploy multiple security gateways at different network
  locations, such as the perimeter firewall and multiple Data Centers. Identity
  Awareness capability is centrally managed through the Security Management
  Server and SmartDashboard. You can distribute the identity-based policy to
  all identity aware security gateways in the network. Identity information
  about all users and machines obtained by each gateway is shared between all
  gateways in the network to provide a complete Identity Awareness
  infrastructure.
- Network segregation - The security gateway helps you migrate or design
  internal network segregation. Identity Awareness lets you control access
  between different segments in the network by creating an identity-based
  policy. You can deploy the security gateway close to the access network to
  avoid malware threats and unauthorized access to general resources in the
  global network.
- Distributed enterprise with branch offices - The distributed enterprise
  consists of remote branch offices connected to the headquarters through VPN
  lines. You can deploy the security gateway at the remote branch offices to
  avoid malware threats and unauthorized access to the headquarters' internal
  network and Data Centers. When you enable Identity Awareness at the branch
  office gateway you make sure that users are authenticated before they reach
  internal resources. The identity information learned from the branch office
  gateways is shared between internal gateways to avoid unnecessary
  authentications.
- Wireless campus - Wireless networks are not considered secure for
  network access, however they are intensively used to provide access to
  wireless-enabled corporate devices and guests. You can deploy a security
  gateway enabled with Identity Awareness inline in front of the wireless
  switch, provide an identity aware access policy and inspect the traffic that
  comes from WLAN users. Identity Awareness gives guests access by
  authenticating guests with the web Captive Portal.


Practice and Review

Practice Labs

Lab 9: Identity Awareness

Review
1. Identity Awareness lets you configure network access based on what?

2. Browser-based Authentication lets you acquire identities from...?

3. What are the two types of Identity Agents?



CHAPTER 9 Introduction to Check Point VPNs


Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and
enhance secure network connectivity. Based on standard Internet secure
protocols, a VPN enables secure links between special types of network nodes:
the Gateways. Site-to-site VPN ensures secure links between Gateways. Remote
Access VPN ensures secure links between Gateways and remote access clients.

Learning Objectives:
Configure a certificate-based site-to-site VPN.
Configure permanent tunnels for remote access to corporate resources.
Configure VPN tunnel sharing, given the difference between host-based,
subnet-based and gateway-based tunnels.



The Check Point VPN

A Virtual Private Network (VPN) is a secure-connectivity platform that both
connects networks and protects the data passing between them. For example, an
organization may have geographically spaced networks connected via the
Internet; the company has connectivity but no privacy. The Gateway provides
privacy by encrypting those connections that need to be secure. Another
company may connect all parts of its geographically spaced network through the
use of dedicated leased lines; this company has achieved connectivity and
privacy, but at great expense. The Gateway offers a cheaper connectivity solution
by connecting the different parts of the network via the public Internet.

[Diagram: corporate network Security Gateway with VPN connections over the
Internet to extranet partners (clientless VPN via SSL browser or L2TP client),
remote users (IPSec VPN / SecuRemote client), wireless users and branch
offices (VPN-1 Net gateway, small office appliance)]

Figure 90 - Check Point VPN Deployment

A VPN employs encrypted tunnels to exchange securely protected data. The
Security Gateway creates encrypted tunnels by using the Internet Key Exchange
(IKE) and IP Security (IPSec) protocols - ESP (Encapsulating Security Payload).
IKE creates the VPN tunnel, and this tunnel is used to transfer IPSec encoded
data. Think of IKE as the process that builds a tunnel, and IPSec packets as trucks
that carry the encrypted data along the tunnel.


VPN Deployments
A VPN uses the Internet as its network backbone, allowing the establishment of
secure communication links among company offices, business partners, and so
on. VPNs are replacing more expensive leased lines, Frame Relay circuits, and
other forms of dedicated connections.

Site-to-Site VPNs
Site-to-site VPNs are built to handle secure communication between a company's
internal departments and branch offices. A site-to-site VPN's design
requirements include:
Strong data encryption, to protect confidential information.
Reliability for mission-critical systems, such as database management.
Scalability, to accommodate growth and change.

[Diagram: Main Office and Branch Office Security Gateways connected across
the Internet, with DMZ/public servers (e-mail, World Wide Web, file transfer)]

Figure 91 - Site-to-Site VPN



Remote-Access VPNs
Remote-access VPNs are built to handle secure communication between a
corporate network, and remote or mobile employees. A remote-access VPN's
design requirements include:
Strong authentication, to verify remote and mobile users.
Centralized management.
Scalability, to accommodate user groups.

[Diagram: Main Office Security Gateway and DMZ/public servers (e-mail,
World Wide Web, file transfer) reached across the Internet by mobile users]

Figure 92 - Remote-Access VPN


VPN Implementation
A complete VPN implementation supports both VPN categories: Site-to-site and
remote-access VPNs. This allows a company worldwide access to network
resources, links mobile workers to corporate intranets, allows customers to place
orders, and enables suppliers to check inventory levels - all in a highly secure
and cost-effective manner.

[Diagram: Main Office Security Gateway with DMZ/public servers (e-mail,
World Wide Web, file transfer) connected across the Internet to partners and
mobile users]

Figure 93 - Check Point VPN Example

The complete VPN must include three critical VPN components:

- VPN Endpoints - Gateways, clusters of gateways, or remote client software
  (for mobile users) which negotiate the VPN link.
- VPN Trust Entities - For example, the Check Point Internal Certificate
  Authority. The ICA is part of the Check Point suite used for establishing trust
  for SIC connections between Gateways, authenticating administrators and
  third party servers. The ICA provides certificates for internal Gateways and
  remote access clients which negotiate the VPN link.
- VPN Management Tools - Security Management Server and SmartDashboard.
  SmartDashboard is the SmartConsole component used to access the Security
  Management Server. The VPN Manager is part of SmartDashboard.



SmartDashboard enables organizations to define and deploy site-to-site and
remote-access VPNs.

VPN Setup
Configuring a VPN can be a complicated task for Security Administrators. Check
Point's management tools provide a simplified VPN setup mode, reducing the
VPN configuration process to essentials, and making setup straightforward and
simple.

Understanding VPN Deployment

The Check Point VPN management model enables Administrators to directly
define a VPN on a group of Gateways. Each Gateway in a group, and all (or part)
of its protected domain, constitute a new entity: a VPN site.

(A VPN site is not to be confused with a site that is defined for Endpoint Security
Secure Access clients.)

Each VPN site performs encryption on behalf of a VPN Domain - the protected
domain or part of the domain requiring encrypted connections to the peer VPN
Site. System Administrators group VPN sites together, creating a VPN
Community. A VPN Community is a collection of VPN sites and the enabled
VPN tunnels (secure connections) among them, with predefined properties that
are automatically applied to each Community member.

The structure of the VPN Community is automatically translated into encrypted
connections among its members, so the Administrator is relieved of the task of
designing and defining encryption rules. Just by defining a VPN Community, the
Administrator has completed the VPN configuration, once access control has
been set and the encompassing security system is in place. Since this VPN
management model separates the VPN as a secure connectivity platform from
access control, no access-control related decisions will affect the VPN
Community.

VPN Communities
Creating VPN tunnels between Gateways is made easier through the configuration of VPN Communities. To understand VPN Communities, a number of terms need to be defined.
VPN Community member - The Gateway that resides at one end of a VPN tunnel.
Introduction to Check Point VPNs

VPN Domain - The hosts behind the Gateway; the VPN Domain can be the whole network that lies behind the Gateway or just a section of that network. For example, a Gateway might protect the corporate LAN and the DMZ. Only the corporate LAN needs to be defined as the VPN Domain.
VPN site - Community member plus VPN Domain; a typical VPN site would be the branch office of a bank.
VPN Community - The collection of VPN tunnels (secure connections) and their attributes.
Domain-based VPN - Routing VPN traffic based on the VPN Domain behind each Gateway in the Community; in a star Community, this allows satellite Gateways to communicate with each other through center Gateways.
Route-based VPN - Traffic routed within the VPN Community based on the routing information, static or dynamic, configured on the operating systems of the Gateways.

Figure 94 - VPN Communities

The methods used for encryption and ensuring data integrity determine the type of tunnel created between the Gateways, which in turn is considered a characteristic of that particular VPN Community.

Security Management Server can manage multiple VPN Communities, which means Communities can be created and organized according to specific needs.


Remote Access Community


A Remote Access Community is a type of VPN Community created specifically
for users who usually work from remote locations, outside the corporate LAN.
This type of Community ensures secure communication between users and the
corporate LAN.

VPN Topologies
The most basic topology consists of two Gateways capable of creating a VPN tunnel between them. Security Management Server's support of more complex topologies enables VPN Communities to be created according to the particular needs of an organization. Security Management Server supports two main VPN topologies:
Meshed
Star

Meshed VPN Community


A mesh is a VPN Community in which a VPN site can create a VPN tunnel with
any other VPN site in the community:

Figure 95 - Meshed VPN

Star VPN Community


A star is a VPN Community consisting of central Gateways (or "hubs") and
satellite Gateways (or "spokes"). In this type of Community, a satellite can create
a tunnel only with other sites whose Gateways are defined as central:

Figure 96 - Star VPN (Meshed)

A satellite Gateway cannot create a VPN tunnel with a Gateway that is also
defined as a satellite Gateway.

Central Gateways can create VPN tunnels with other central Gateways only if the Mesh center Gateways option has been selected in the Central Gateways window of Star Community Properties.

Choosing a Topology

Which topology to choose for a VPN Community depends on the overall Policy of the organization. For example, a meshed community is usually appropriate for an Intranet in which only Gateways that are part of the internally managed network are allowed to participate; Gateways belonging to company partners are not.


A star VPN Community is usually appropriate when an organization needs to exchange information with networks belonging to external partners. These partners need to communicate with the organization, but not with each other. The organization's Gateway is defined as a "central" Gateway; the partner Gateways are defined as "satellites."

Combination VPNs
For more complex scenarios, consider a company with headquarters (HQ) in two
countries, London and New York. Each headquarters has a number of branch
offices. The branch offices only need to communicate with the HQ in their
country, not with each other; only the HQs in New York and London need to
communicate directly. To comply with this Policy, define two star Communities,
London and New York. Configure the London and New York Gateways as
"central" Gateways. Configure the Gateways of New York and London branch
offices as "satellites." This allows the branch offices to communicate with the
HQ in their country. Now create a third VPN Community, a VPN mesh consisting
of the London and New York Gateways.

Figure 97 - Combination VPNs


Topology and Encryption Issues
Issues involving topology and encryption can arise as a result of an organization's
Policy on security, for example the country in which a branch of the organization
resides may have a national Policy regarding encryption strength. For example,
Policy says the Washington Gateways should communicate using 3DES for
encryption. Policy also states the London Gateways must communicate using the
DES encryption algorithm.

Figure 98 - Topology and Encryption Concerns

In addition, the Washington and London Gateways need to communicate with each other using the weaker DES. Consider the solution in the figure.

In this solution, Gateways in the Washington mesh are also defined as satellites in the London star. In the London star, the central Gateways are meshed. Gateways in Washington build VPN tunnels with the London Gateways using DES. Internally, the Washington Gateways build VPN tunnels using 3DES.


Special VPN Gateway Conditions


Individually, Gateways can appear in many VPN Communities; however, two Gateways that can create a VPN link between them in one Community cannot appear in another VPN Community in which they can also create a link; for example:

Figure 99 - asdf

The London and New York Gateways belong to the London-NY Mesh VPN Community. To create an additional VPN Community which includes London, New York, and Paris is not allowed. The London and New York Gateways cannot appear "together" in more than one VPN Community.

Two Gateways that can create a VPN link between them in one Community can appear in another VPN Community, provided that they are incapable of creating a link between them in the second Community.


Figure 100 - asdf

In the figure, the London and New York Gateways appear in the London-NY
mesh. These two Gateways also appear as satellite Gateways in the Paris Star
VPN Community. In the Paris Star, satellite Gateways (London and NY) can only
communicate with the central Paris Gateway. Since the London and New York
satellite Gateways cannot open a VPN link between them, this is a valid
configuration.
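The three rules the last few pages rely on (mesh members tunnel to everyone, satellites tunnel only to centers, and no Gateway pair may be link-capable in two Communities) can be checked mechanically. The following Python model is an added example, not Check Point code: it derives the link-capable pairs of each Community, flags the invalid London/New York/Paris case, and resolves the Washington/London scenario from "Topology and Encryption Issues" to the Community (and so the encryption setting) that governs each pair. Gateway names and the `encryption` attribute are constructed for illustration.

```python
"""Model of VPN Community link rules (added example; not Check Point code).

A meshed Community lets every member Gateway tunnel to every other member.
A star Community lets each satellite tunnel only to the central Gateways;
centers tunnel to each other only when the "Mesh center Gateways" option is
set. From that, the functions below derive the Gateway pairs that can open
a tunnel in each Community, flag the invalid case described in the text (one
pair link-capable in two Communities), and report which Community, and so
which encryption setting, governs a given pair. Gateway names and the
``encryption`` attribute are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Community:
    name: str
    topology: str                          # "mesh" or "star"
    members: frozenset = frozenset()       # mesh members
    centers: frozenset = frozenset()       # star hubs
    satellites: frozenset = frozenset()    # star spokes
    mesh_centers: bool = False             # "Mesh center Gateways" option
    encryption: str = "AES-256"            # constructed attribute (text uses DES/3DES)


def link_pairs(c):
    """Unordered Gateway pairs that can build a VPN tunnel inside Community c."""
    if c.topology == "mesh":
        return {frozenset(p) for p in combinations(sorted(c.members), 2)}
    if c.topology == "star":
        pairs = {frozenset((s, h)) for s in c.satellites for h in c.centers}
        if c.mesh_centers:
            pairs |= {frozenset(p) for p in combinations(sorted(c.centers), 2)}
        return pairs
    raise ValueError(f"unknown topology {c.topology!r}")


def conflicts(communities):
    """Pairs that are link-capable in more than one Community, with the Community names.

    An empty result means the configuration satisfies the 'Special VPN Gateway
    Conditions' rule; anything else would have to be rejected.
    """
    owners = {}
    for c in communities:
        for pair in link_pairs(c):
            owners.setdefault(pair, []).append(c.name)
    return {tuple(sorted(p)): names for p, names in owners.items() if len(names) > 1}


def governing_community(communities, a, b):
    """The single Community whose tunnel (and encryption) applies between a and b, or None."""
    found = [c for c in communities if frozenset((a, b)) in link_pairs(c)]
    if len(found) > 1:
        raise ValueError(f"{a} and {b} are link-capable in {[c.name for c in found]}")
    return found[0] if found else None


# Scenario from 'Special VPN Gateway Conditions': London-NY mesh plus a Paris
# star in which London and New York are satellites. Valid, because satellites
# cannot open a tunnel to each other inside the star.
LONDON_NY_MESH = Community("London-NY Mesh", "mesh", members=frozenset({"London", "New York"}))
PARIS_STAR = Community("Paris Star", "star", centers=frozenset({"Paris"}),
                       satellites=frozenset({"London", "New York"}))

# Scenario from 'Topology and Encryption Issues': Washington Gateways meshed
# with 3DES, and also satellites of a London star that uses DES.
WASHINGTON_MESH = Community("Washington Mesh", "mesh",
                            members=frozenset({"Wash-1", "Wash-2"}), encryption="3DES")
LONDON_STAR = Community("London Star", "star", centers=frozenset({"Lon-1", "Lon-2"}),
                        satellites=frozenset({"Wash-1", "Wash-2"}),
                        mesh_centers=True, encryption="DES")

if __name__ == "__main__":
    print(conflicts([LONDON_NY_MESH, PARIS_STAR]))            # {}
    bad = Community("London-NY-Paris Mesh", "mesh",
                    members=frozenset({"London", "New York", "Paris"}))
    print(conflicts([LONDON_NY_MESH, bad]))                   # London/New York reported twice
    for a, b in (("Wash-1", "Wash-2"), ("Wash-1", "Lon-1"), ("Lon-1", "Lon-2")):
        c = governing_community([WASHINGTON_MESH, LONDON_STAR], a, b)
        print(a, b, "->", c.name, c.encryption)
```

Running `conflicts` over a planned set of Communities before pushing a Policy is the practical use: it reproduces the "cannot appear together" check on paper, and `governing_community` answers the follow-up question of which Community's encryption a given tunnel will actually use.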

Authentication Between Community Members

Before Gateways can exchange encryption keys and build VPN tunnels, they first need to authenticate to each other. Gateways authenticate to each other by presenting one of two types of "credentials":
Certificates - Each Gateway presents a Certificate which contains identifying information of the Gateway itself, and the Gateway's public key, both of which are signed by the trusted CA. For convenience, Check Point has its own Internal CA that automatically issues Certificates for all internally managed Gateways, requiring no configuration by the user. In addition, Check Point supports other PKI solutions.
Pre-shared secret - A pre-shared secret is defined for a pair of Gateways. Each Gateway proves that it knows the agreed-upon pre-shared secret. The pre-shared secret can be a mixture of letters and numbers, a password of some kind.

Considered more secure, Certificates are the preferred means. In addition, since the Internal CA on the Security Management Server automatically provides a Certificate to each Check Point Gateway it manages, it is more convenient to use this type of authentication.


However, if a VPN tunnel needs to be created with an externally managed Gateway (a Gateway managed by a different Security Management Server), the externally managed Gateway:
Might support Certificates, but certificates issued by an external CA, in which case both Gateways need to trust the other's CA.
May not support Certificates; in which case, VPN supports the use of a pre-shared secret. A "secret" is defined per external Gateway. If there are five internal Gateways and two externally managed Gateways, then there are two pre-shared secrets. The two pre-shared secrets are used by the five internally managed Gateways. In other words, all the internally managed Gateways use the same pre-shared secret when communicating with a particular externally managed Gateway.

Domain and Route-Based VPNs

VPN routing provides a way of controlling how VPN traffic is directed. There are
two methods for VPN routing:
Domain-based VPN
Route-based VPN

Domain-Based VPN
This method routes VPN traffic based on the VPN Domain behind each Gateway in the Community. In a star Community, this allows satellite Gateways to communicate with each other through center Gateways. Configuration for domain-based VPN is performed directly through SmartDashboard.

Route-Based VPN
Traffic is routed within the VPN Community based on the routing information, static or dynamic, configured on the operating systems of the Gateways. VPN Tunnel Interfaces (VTIs) are used to implement route-based VPNs.


Access Control and VPN Communities


Configuring Gateways into a VPN Community does not create a de facto access-
control Policy between the Gateways. The fact that two Gateways belong to the
same VPN Community does not mean the Gateways have access to each other.

Figure 101 - Access Control VPN

The configuration of the Gateways into a VPN Community means that if these Gateways are allowed to communicate via an access-control Policy, then that communication is encrypted. Access control is configured in the Rule Base.

Using the VPN column of the Rule Base, it is possible to create access-control rules that apply only to members of a VPN community, for example:

Source | Destination | VPN | Service | Action
(rule entries not legible in the scanned original)

It is also possible for a rule in the Rule Base to be relevant for both VPN Communities and host machines not in the Community.

The rule in the Rule Base allows an HTTP connection between any internal IP and any IP.

Source | Destination | VPN | Service | Action
(rule entries not legible in the scanned original)


In the figure, an HTTP connection between Host 1 and the Internal Web Server behind Gateway 2 matches this rule. A connection between Host 1 and the Web Server on the Internet also matches this rule; however, the connection between Host 1 and the Internal Web Server is a connection between members of a VPN Community and passes encrypted; the connection between Host 1 and the Internet Web Server passes in the clear.

In both cases, the connection is simply matched to the rule; whether or not the
connection is encrypted is dealt with on the VPN level. VPN is another level of
security separate from the access-control level.

Accepting All Encrypted Traffic


If you select Accept all encrypted traffic in the General window of the VPN
Community Properties, a new rule is added to the Rule Base. This rule is neither
a regular rule nor an implied rule, but an automatic community rule, and can be
distinguished by its beige-colored background.

Figure 102 - Encrypting All Traffic


Excluded Services
In the VPN Communities Properties > Excluded Services window, you can select services that are not to be encrypted, for example control connections. Services in the clear means "do not make a VPN tunnel for this connection". Note that Excluded Services is not supported when using route-based VPN.

Special Considerations for Planning a VPN Topology


When planning a VPN topology, it is important to ask a number of questions:
1. Who needs secure/private access?
2. From a VPN point of view, what will be the structure of the organization?
3. Internally managed Gateways authenticate each other using Certificates, but
how will externally managed Gateways authenticate?
Do these externally managed Gateways support PKI?
Which CA should be trusted?


Integrating VPNs into a Rule Base


The type of Rule Base used determines how an Administrator integrates
encryption rules into a Policy. In Simplified Mode, the Administrator can
configure both star and mesh intranets. The Simplified Mode Rule Base also
includes an additional column, VPN, to incorporate configured intranet
Community objects:

Figure 103 - Rule Base

In the Rule Base above, several rules are shown. The first rule allows cleartext Telnet traffic to pass each way between net-oslo and net-madrid. The second rule allows encrypted FTP traffic to pass each way between the two networks. Although the second rule is an encryption rule, the Administrator cannot configure the Action column for encryption. The only actions available in the Simplified Mode of the Rule Base are as follows:
accept
drop
reject
Legacy > User Auth
Legacy > Client Auth
Legacy > Session Auth

The presence of a VPN Community in the VPN column means "if all other fields match and the traffic is encrypting or decrypting into/out of a tunnel that is part of this community, match it. If the traffic is passing in the clear or encrypting/decrypting into a different VPN community's tunnel, don't match it." The decision about whether to encrypt or not is made by the VPN domain definitions (i.e., if the source IP is in this firewall's VPN domain *AND* the destination IP address is in a peer's VPN domain, encrypt it; otherwise let it go in the clear).

So a rule with "Any" in the VPN column will match both cleartext traffic and encrypting/decrypting VPN traffic into any VPN Community.
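The two separate decisions just described (the VPN layer choosing encrypt-or-clear from the VPN Domains, and the Rule Base choosing accept-or-drop with the VPN column as an extra match field) are easy to conflate. The Python below is an added example, not Check Point code, that models both over the Host 1 / Internal Web Server / Internet Web Server scenario from the "Access Control and VPN Communities" figure. The addresses, Gateway names, Community name and the two sample rules are constructed.

```python
"""Model of how the VPN column of a Simplified Mode rule matches traffic
(added example, not Check Point code). Two decisions are kept apart, as the
text describes: the VPN layer decides whether a connection is encrypted
(source in this Gateway's VPN Domain AND destination in a peer's VPN Domain),
and the Rule Base decides whether it is accepted, with the VPN column
restricting a rule to traffic of one Community, or "Any" matching both clear
and encrypted traffic. Addresses, Gateway and Community names are constructed.
"""
import ipaddress

# Constructed topology: two Gateways in one Community, each with a VPN Domain.
VPN_DOMAINS = {
    "Gateway1": ipaddress.ip_network("10.1.0.0/16"),
    "Gateway2": ipaddress.ip_network("10.2.0.0/16"),
}
COMMUNITIES = {"MyIntranet": {"Gateway1", "Gateway2"}}


def encryption_decision(src, dst, local_gw):
    """Return the Community whose tunnel carries src->dst leaving local_gw, or None (clear)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in VPN_DOMAINS[local_gw]:
        return None
    for name, members in COMMUNITIES.items():
        if local_gw not in members:
            continue
        for peer in members - {local_gw}:
            if dst in VPN_DOMAINS[peer]:
                return name
    return None


def field_matches(rule_value, actual, kind):
    """'Any' matches everything; otherwise compare network membership or equality."""
    if rule_value == "Any":
        return True
    if kind == "ip":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(rule_value)
    return rule_value == actual


def rule_matches(rule, src, dst, service, local_gw):
    """Apply one Simplified Mode rule (Source, Destination, VPN, Service, Action)."""
    community = encryption_decision(src, dst, local_gw)   # None means cleartext
    return (field_matches(rule["source"], src, "ip")
            and field_matches(rule["destination"], dst, "ip")
            and field_matches(rule["vpn"], community, "vpn")
            and field_matches(rule["service"], service, "svc"))


def first_match(rulebase, src, dst, service, local_gw):
    """Rule Base is evaluated top-down; return (rule number, action, community) or drop."""
    for number, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, src, dst, service, local_gw):
            return number, rule["action"], encryption_decision(src, dst, local_gw)
    return None, "drop", None   # implicit cleanup


# Constructed Rule Base: rule 1 applies to MyIntranet traffic only, rule 2 has "Any"
# in the VPN column and so matches both cleartext and Community traffic.
RULEBASE = [
    {"source": "10.1.0.0/16", "destination": "10.2.0.0/16", "vpn": "MyIntranet",
     "service": "http", "action": "accept"},
    {"source": "10.1.0.0/16", "destination": "Any", "vpn": "Any",
     "service": "http", "action": "accept"},
]

if __name__ == "__main__":
    # Host 1 to the Internal Web Server behind Gateway 2: rule 1, encrypted in MyIntranet.
    print(first_match(RULEBASE, "10.1.0.5", "10.2.0.10", "http", "Gateway1"))
    # Host 1 to a web server on the Internet: rule 2, passes in the clear.
    print(first_match(RULEBASE, "10.1.0.5", "203.0.113.10", "http", "Gateway1"))
```

The point to take from the model is in `rule_matches`: the VPN column never causes encryption, it only restricts which connections the rule applies to, and a rule whose VPN column names a Community silently fails to match the same connection when it happens to pass in the clear.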


Simplified vs. Traditional Mode VPNs


Simplified Mode makes it possible to maintain and create simpler, and therefore
less error-prone and more secure VPNs. It also makes it easier to understand the
VPN topology of an organization, and to understand who is allowed to
communicate with whom. In addition, new VPN features such as VPN routing are
supported only with a Simplified Mode Security Policy. However, organizations
that have large VPN deployments with complex networks may prefer to maintain
existing VPN definitions and continue to work within Traditional Mode, until
they are able to migrate their policies to Simplified Mode.

VPN Tunnel Management


A Virtual Private Network provides a secure connection, typically over the
Internet. VPNs accomplish this by creating an encrypted tunnel that provides the
same security available as in a private network. This allows workers who are in
the field or working at home to securely connect to a remote corporate server, and
also allows companies to securely connect to branch offices and other companies
over the Internet. The VPN tunnel guarantees:
Authenticity, by using standard authentication methods.
Privacy, by encrypting data.
Integrity, by using standard integrity-assurance methods.

Types of tunnels and the number of tunnels can be managed with the following
features:
Permanent Tunnels - This feature keeps VPN tunnels active, allowing real-time monitoring capabilities.
VPN Tunnel Sharing - This feature provides greater interoperability and scalability between Gateways. It also controls the number of VPN tunnels created between peer Gateways.

The status of all VPN tunnels can be viewed in SmartView Monitor. For more information on monitoring, see the SmartView Monitor user guide.

Permanent Tunnels

As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore, it is essential to make sure that the VPN tunnels are kept up and running. Permanent tunnels are constantly kept active and, as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay.


Each VPN tunnel in the Community may be set to be a permanent tunnel. Since
permanent tunnels are constantly monitored, if the VPN tunnel fails, then a log,
alert, or user defined-action can be issued. A VPN tunnel is monitored by
periodically sending "tunnel test" packets. As long as responses to the packets are
received, the VPN tunnel is considered "up." If no response is received within a
given time period, the VPN tunnel is considered "down." Permanent tunnels can
only be established between Check Point Gateways. The configuration of
permanent tunnels takes place on the Community level and:
Can be specified for an entire Community. This option sets every VPN tunnel
in the Community as permanent.
Can be specified for a specific Gateway. Use this option to configure specific
Gateways to have permanent tunnels.
Can be specified for a single VPN tunnel. This feature allows configuring
specific tunnels between specific Gateways as permanent.

Tunnel Testing for Permanent Tunnels

Tunnel testing is a proprietary Check Point protocol that is used to test if VPN
tunnels are active. A packet has an arbitrary length, with only the first byte
containing meaningful data. This is the type field.

The type field can take any of the following values:


1. Test
2. Reply
3. Connect
4. Connected

Tunnel testing requires two Gateways - one configured to Ping and one to respond. The Pinging Gateway uses the VPN daemon to send encrypted tunnel-testing packets to Gateways configured to listen for them. A responder Gateway is configured to listen on port 18234 for the special tunnel-testing packets.

The Pinging Gateway sends type 1 or 3. The responder sends a packet of identical length with type 2 or 4, respectively. During the connect phase, tunnel-testing is used in two ways:
1. A connect message is sent to the Gateway. Receipt of a connect message is the indication that the connection succeeded. The connect messages are retransmitted for up to 10 seconds after the IKE negotiation is over, if no response is received.


2. A series of test messages with various lengths is sent, so as to discover the Path Maximum Transmission Unit (PMTU) of the connection. This may also take up to 10 seconds. This test is executed to ensure that TCP packets that are too large are not sent. TCP packets that are too large will be fragmented and slow down performance.
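The tunnel-test exchange is simple enough to simulate end to end, which makes the "up"/"down" decision and the PMTU probe concrete. The Python below is an added example, not Check Point's implementation: it models only what the text states (type byte values 1 to 4, a responder on port 18234 answering with the same length and the paired type, connect retransmission, and a size sweep to find the PMTU). The zero padding after the type byte and the simulated path are constructed; real tunnel-test packets travel encrypted inside the tunnel, which is left out here.

```python
"""Simulation of the tunnel-test exchange described above (added example,
not Check Point's implementation). Only what the text states is modelled: the
first byte is the type (1 Test, 2 Reply, 3 Connect, 4 Connected), a responder
listening on port 18234 answers a Test/Connect with a Reply/Connected of the
same length, and a series of Test packets of varying length finds the path
MTU. The zero padding after the type byte and the simulated path are
constructed; the real packets travel encrypted inside the tunnel.
"""
TEST, REPLY, CONNECT, CONNECTED = 1, 2, 3, 4
TUNNEL_TEST_PORT = 18234          # port the responder Gateway listens on (from the text)
CONNECT_RETRY_LIMIT = 10          # connect messages are retransmitted for up to 10 seconds


def build_packet(ptype, length):
    """Type byte followed by constructed zero padding; length is arbitrary but >= 1."""
    if ptype not in (TEST, CONNECT) or length < 1:
        raise ValueError("pinging side sends only Test or Connect, length >= 1")
    return bytes([ptype]) + b"\x00" * (length - 1)


def respond(packet):
    """Responder Gateway: answer Test with Reply and Connect with Connected, same length."""
    if not packet or packet[0] not in (TEST, CONNECT):
        return None                  # anything else is ignored
    return bytes([packet[0] + 1]) + packet[1:]


def simulated_path(mtu, up=True):
    """Return a send(packet) function that behaves like the encrypted path.

    Packets larger than the path MTU, or any packet while the tunnel is down,
    are lost: the caller sees no reply before its timeout (None).
    """
    def send(packet):
        if not up or len(packet) > mtu:
            return None
        return respond(packet)
    return send


def connect(send):
    """Connect phase: retransmit Connect until Connected arrives (at most 10 tries)."""
    probe = build_packet(CONNECT, 64)
    for attempt in range(1, CONNECT_RETRY_LIMIT + 1):
        reply = send(probe)
        if reply is not None and reply[0] == CONNECTED and len(reply) == len(probe):
            return attempt           # number of Connect messages it took
    return None                      # connection never confirmed


def tunnel_is_up(send, length=64):
    """Permanent-tunnel check: the tunnel is 'up' while Test packets get a Reply."""
    reply = send(build_packet(TEST, length))
    return reply is not None and reply[0] == REPLY and len(reply) == length


def discover_pmtu(send, low=1, high=1500):
    """Binary search for the largest Test packet that still gets a Reply."""
    best = None
    while low <= high:
        mid = (low + high) // 2
        if tunnel_is_up(send, mid):
            best, low = mid, mid + 1
        else:
            high = mid - 1
    return best


if __name__ == "__main__":
    path = simulated_path(mtu=1400)
    print("connect attempts:", connect(path))                          # 1
    print("tunnel up:", tunnel_is_up(path))                            # True
    print("path MTU:", discover_pmtu(path))                            # 1400
    print("down tunnel:", tunnel_is_up(simulated_path(1400, up=False)))  # False
```

For monitoring purposes the useful part is `tunnel_is_up`: a permanent tunnel is reported "down" purely on the absence of a Reply within the timeout, so a path that drops large packets but passes small ones will still show as up while `discover_pmtu` reports a reduced MTU.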

VPN Tunnel Sharing

Since various vendors implement IPSec tunnels using a number of different methods, Administrators need to cope with different means of implementation of the IPSec framework.

VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer Gateways. There are three available settings:
One VPN tunnel per each pair of hosts
One VPN tunnel per subnet pair
One VPN tunnel per Gateway pair

For a VPN Community, the configuration is set in the Tunnel Management dialog box of the Community Properties window. For a specific Gateway, the configuration is set in the VPN Advanced dialog box of the Gateway's properties window.

VPN Tunnel Sharing provides greater interoperability and scalability by controlling the number of VPN tunnels created between peer Gateways. Configuration of VPN Tunnel Sharing can be set on both the VPN Community and Gateway object:
One VPN Tunnel per each pair of hosts - A VPN tunnel is created for every session initiated between every pair of hosts.
One VPN Tunnel per subnet pair - Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets will share the same VPN tunnel. This is the default setting and is compliant with the IPSec industry standard.
One VPN Tunnel per Gateway pair - One VPN tunnel is created between peer Gateways and shared by all hosts behind each peer Gateway.

In case of a conflict between the tunnel properties of a VPN Community and a Gateway object that is a member of that same Community, the "stricter" setting is followed. For example, a Gateway that was set to One VPN Tunnel per each pair


of hosts and a Community that was set to One VPN Tunnel per subnet pair,
would follow One VPN Tunnel per each pair of hosts.


Remote Access VPNs


Check Point offers several remote access solutions to provide the right product
for different types of mobile users. From client to clientless VPN solutions,
Check Point provides comprehensive solutions that maximize security to
corporate resources.

Check Point's IPsec VPN Software Blade is an integrated software solution that
provides secure connectivity to corporate networks, remote and mobile users,
branch offices and business partners. The blade integrates access control,
authentication and encryption to guarantee the security of network connections
over the public Internet.

The SmartDashboard enables administrators to define participating gateways, including third-party gateways, in large-scale VPNs. VPN gateways can be configured for both star and mesh topologies in minutes with an integrated certificate authority to manage keys.

The IPsec VPN Software Blade provides flexibility to design a solution to meet corporate needs with a number of remote access VPN client choices:

Check Point Endpoint Security - Check Point Endpoint Security is the first and only single agent that combines all critical components for total security on the endpoint while maintaining a transparent user experience. Market-leading data security prevents corporate data loss, while collaborative endpoint and network protections reduce complexity and cost. Unique features include Check Point WebCheck, which secures endpoints against web-based threats, and Check Point OneCheck, which offers a secure single login for endpoint security functions.

SSL Network Extender - SSL connections are a great remote access solution because they do not require IT departments to upgrade and manage client software. All a user needs is a Web browser. However, remote users still need to access network applications. SSL Network Extender (SNX) is a browser plug-in that provides clientless remote access, while delivering full network connectivity for any IP-based application.

SSL Network Extender adds SSL VPN functionality to the IPSec VPN capabilities of Check Point Security Gateways, simplifying remote access deployment while providing maximum flexibility for any type of remote access scenario.


Multiple Remote Access VPN Connectivity Modes


The IPsec Software Blade provides various modes to address a variety of
connectivity and routing issues faced by remote users.

Office Mode - Addresses routing issues between the client and the Gateway by
encapsulating IP packets with the remote user's original IP address, thereby
enabling users to appear as if they were "in the office" while connecting
remotely. Office Mode also provides enhanced antispoofing by ensuring that the
IP address encountered by the Gateway is authenticated and assigned to the user.

Visitor Mode - Enables employees to access resources while they are working at a remote location such as a hotel or a customer office, where Internet connectivity may be limited to Web browsing using the standard HTTP and HTTPS ports. The client tunnels all client-to-Gateway traffic through a regular TCP connection on port 443.

Hub Mode - Enables rigorous, centralized inspection of all client traffic, removing the need to deploy security functions to multiple offices, and giving employees secure client-to-client communications such as Voice over IP (VoIP) or Internet conferencing using applications like Microsoft NetMeeting.

Establishing a Connection Between a Remote User and a Gateway


To allow the user to access a network resource protected by a Security Gateway, the following process must take place. First, a VPN tunnel establishment process is initiated. An IKE negotiation takes place between the peers. During IKE negotiation, the peers' identities are authenticated. The Gateway then verifies the user's identity and the client verifies that of the Gateway. The authentication can be performed using several methods, including digital certificates issued by the Internal Certificate Authority (ICA). It is also possible to authenticate using third-party PKI solutions, pre-shared secrets or third party authentication methods, such as SecurID and RADIUS.


Figure 104 - Remote Access Connections

After the IKE negotiation ends successfully, a secure connection (a VPN tunnel)
is established between the client and the Gateway. All connections between the
client and the Gateway's VPN domain (the LAN behind the Gateway) are
encrypted inside this VPN tunnel, using the IPSec standard. Except for when the
user is asked to authenticate in some manner, the VPN establishment process is
transparent.
1. The remote user initiates a connection to Gateway 1.
2. The user is not authenticated via the VPN database, but an LDAP server belonging to VPN Site 2.
3. Gateway 1 verifies that the user exists by querying the LDAP server behind Gateway 2.
4. Once the user's existence is verified, the Gateway then authenticates the user; for example, by validating the user's certificate.
5. Once IKE is successfully completed, a tunnel is created; the remote client connects to Host 1.


Practice and Review

Practice Labs

Lab 10: Site-to-Site VPN Between Corporate and Branch Office

Review
1. What is a VPN Community?

2. What is a meshed VPN Community?

3. Which is the preferred means of authentication between VPN Community members, and why?

4. When planning a VPN topology, which questions should be asked?

APPENDIX - Chapter Questions and Answers

Chapter Questions and Answers

Chapter 1 - Technology Overview

Review
1. What is the strength of Check Point's Stateful Inspection technology?
The contents of the packet are examined, not just the header information.
The state of the connection is monitored.

2. What are the advantages of Check Point's Secure Management Architecture (SMART)? In what way does it benefit an enterprise network and its Administrators?
SMART is a unified approach to centralizing Policy management and configuration, including monitoring, logging, analysis, and reporting within a single control center.

3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
Used by the Security Administrator, the Security Management Server manages the Security Policy. In order to perform that role, the Security Management Server must establish SIC with other components, so that communication is verified and management can be performed on any component on the network.


Chapter 2 - Deployment Platforms


Review
1. What are some of the advantages in deploying UTM-1 Edge Appliances?
Easy to install and configure; Can participate in corporate VPNs; Security Policy can be enforced on appliance; Status and traffic can be monitored; Device firmware can be automatically updated.

2. How do you manage Gaia?
Through the Web UI
Through the CLI

3. How would you get Gaia system information?
Gaia system information is accessible through the Web UI, and some CLI commands.


Chapter 3 - Introduction to the Security Policy


Review
1. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
Security Policy. What should the Administrator consider before creating
objects?
What are the physical and logical components that make up the organization?
Who are the users and Administrators, and how should they be grouped, i.e.,
access permissions, location (remote or local), etc.?
2. What are some important considerations when formulating or updating a Rule
Base?
Which objects are in the network, i.e., gateways, routers, hosts, networks, or
domains?
Which user permissions and authentication schemes are required?
Which services, including customized services and sessions, are allowed across the network?


Chapter 4 - Monitoring Traffic and Connections


Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView Tracker in monitoring network activity.
SmartView Monitor presents an overall view of changes throughout the network. SmartView Tracker focuses on individual connections. SmartView Monitor also helps the Administrator identify traffic-flow patterns that may signify malicious activity, maintain network availability, and improve efficient bandwidth use.

2. Why is there a warning message when switching to Active mode in SmartView Tracker?
There are performance implications for memory and network resources in Active mode, since data is being actively logged.


Chapter 5 - Network Address Translation


1. What are some reasons for employing NAT in a network?
When requiring private IP addresses in internal networks
To limit external-network access
To ease network administration

2. When would an Administrator favor using Manual NAT over automatic NAT?
Instances where remote networks only allow specific IP addresses.
Situations where translation is desired for some services, and not for others.
Environments where more granular control of address translation in VPN tunnels is needed.
Enterprises where Address Translation Rule Base order must be manipulated.
When port address translation is required (port forwarding).
Environments where granular control of address translation between internal networks is required.
When a range of IP addresses, rather than a network, will be translated.

Chapter 6 - Using SmartUpdate

Review
1. What can be upgraded remotely using SmartUpdate?
VPN-1 Gateways
Hotfixes, HFAs, and patches
Third-party OPSEC applications
UTM Edge devices
Nokia operating systems
Check Point SecurePlatform

2. What two repositories does SmartUpdate install on the Security Management
Server?
License & Contract Repository in $CPDIR\conf
Package Repository in C:\SUroot (Windows), /var/suroot (UNIX)

3. What does the Pre-Install Verifier check?
Operating-system compatibility
Disk-space availability
Package not already installed
Package dependencies met

Chapter 7 - User Management and Authentication

Review
1. User Auth can only be used for what services?
Telnet, FTP, HTTP, rlogin, HTTPS

2. When using Session Authentication, what is needed to retrieve a user's
identity?
Session Authentication Agent.

3. What are the advantages of using multiple LDAP servers?
Compartmentalization
High Availability
Faster access time

4. Why integrate the Security Gateway and UserDirectory?
To query user info
To enable CRL retrieval
To enable user management
To authenticate users

Chapter 8 - Identity Awareness

Review
1. Identity Awareness lets you configure network access based on what?
Network location
Identity of a user
Identity of a machine

2. Browser-based Authentication lets you acquire identities from...?
Unidentified users, such as managed users connecting to the network from
unknown devices, and guests, such as partners or contractors.

3. What are the two types of Identity Agents?
Endpoint Identity Agent
Terminal Servers Identity Agent.

Chapter 9 - Introduction to VPNs

Review
1. What is a VPN Community?
A collection of VPN-enabled Gateways capable of communication via VPN
tunnels.

2. What is a meshed VPN Community?
A VPN Community in which a VPN site can create a VPN tunnel with any
other VPN site within the community.

3. Which is the preferred means of authentication between VPN Community
members, and why?
Certificates, because they are more secure than pre-shared secrets.

4. When planning a VPN topology, what questions should be asked?
Who needs secure/private access?
From the point of view of the VPN, what will be the structure of the
organization?
How will externally managed Gateways authenticate?
Check Point Security Administration
Achieve the Preferred Core IT Security Certification!
Check Point Security Administration provides an understanding of the basic concepts and
skills necessary to configure Check Point Security Gateway and Management solutions.
During this course you will configure a security policy and learn how to manage and monitor
a secure network and implement a virtual private network for internal and external users.

Who Should Attend?
Technical persons who support, install, deploy or administer Check Point Security
solutions and anyone seeking a Check Point Certification.

Prerequisites
Persons attending this course should have general knowledge of TCP/IP, and working
knowledge of Windows, UNIX, network technology and the Internet.

Course Objectives Include:
Deploy Gateways using the GAiA web interface
Create and configure network, host and gateway objects
Create a basic Rule Base in SmartDashboard
Evaluate existing policies and optimize the rules based on current corporate requirements
Maintain the Security Management Server with scheduled backups and policy versions
for seamless upgrades
Use packet data to generate reports, troubleshoot system and security issues, and ensure
network functionality
Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new
installations, and license modifications
Upgrade and attach product licenses using SmartUpdate
Centrally manage users to ensure only authenticated users securely access the corporate
network
Use Identity Awareness to provide granular access to network resources
Acquire user information to control gateway access
Define Access Roles for use in an Identity Awareness rule
Configure permanent tunnels for remote access to corporate resources

Lab Exercises Include:
Design and install a Security Gateway in a distributed environment
Back-up and restore the gateway
Build a Security Policy
Configure the DMZ and the NAT
Monitor with SmartView Tracker

www.checkpoint.com/services/education/

P/N 705320
