
Difference between fwstop/fwstart and cpstop/cpstart?

fwstop/fwstart stops and starts only VPN-1/FireWall-1 (the firewall module and its own daemons), while cpstop/cpstart stops and starts all Check Point components, including the SVN Foundation (cpd and the other infrastructure services) that the products run on.

What do you know about the CPD, FWM, and FWD processes?
CPD: the core daemon of the SVN Foundation. It provides services such as Secure Internal Communication (SIC), licensing and status reporting.
FWM: the management process of the SmartCenter server. It executes the database activities of the SmartCenter server and is therefore responsible for policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.
FWD: the daemon required for logging. It handles logging, the Security Servers and communication with OPSEC applications.

How do you check clustering on Check Point firewalls, and with which command?
Use the command cphaprob stat. It shows the cluster mode and the state of each member (for example Active or Standby), which is the first thing to check when failover does not behave as expected.

How do you check/capture traffic on a Check Point firewall?
fw monitor is the built-in, kernel-level packet capture tool. It takes an INSPECT filter and prints each matching packet once for every inspection point it passes (i: before inbound inspection, I: after inbound inspection, o: before outbound inspection, O: after outbound inspection), so it shows not only that a packet arrived but where inside the gateway it stopped.
For example, to display all packets from 10.1.0.1 to 10.2.0.1 (the filter expression should be quoted so the shell passes it through intact):
fw monitor -e "accept src=10.1.0.1 and dst=10.2.0.1;"

SmartView Tracker is also useful to see whether traffic on a given port was allowed or dropped, and by which rule.
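The following is an added example, not code from the page or from Check Point: it parses constructed fw monitor output (the sample text is made up for this example and is not a real capture) and reports, per packet, which of the four inspection points it reached, turning the iIoO sequence into a troubleshooting verdict. The verdict rules follow the inspection-point semantics described above; the line layout of the sample is an assumption about fw monitor's output format.

```python
import re
from collections import OrderedDict

# Constructed sample of fw monitor output (made up for this example, not a
# real capture).  fw monitor prints a packet once per inspection point it
# reaches, so a dropped packet simply stops appearing.  Packet id=1001 is
# forwarded, id=1002 is dropped inbound, id=1003 is accepted but never routed.
SAMPLE_CAPTURE = """\
eth0:i[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1001
TCP: 40000 -> 22 .S.... seq=1a2b3c4d ack=00000000
eth0:I[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1001
TCP: 40000 -> 22 .S.... seq=1a2b3c4d ack=00000000
eth1:o[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1001
TCP: 40000 -> 22 .S.... seq=1a2b3c4d ack=00000000
eth1:O[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1001
TCP: 40000 -> 22 .S.... seq=1a2b3c4d ack=00000000
eth0:i[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1002
TCP: 40001 -> 23 .S.... seq=2b3c4d5e ack=00000000
eth0:i[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1003
TCP: 40002 -> 80 .S.... seq=3c4d5e6f ack=00000000
eth0:I[44]: 10.1.0.1 -> 10.2.0.1 (TCP) len=44 id=1003
TCP: 40002 -> 80 .S.... seq=3c4d5e6f ack=00000000
"""

# Matches the per-inspection-point header line; transport detail lines do not match.
HEADER_RE = re.compile(
    r"^(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)"
)


def parse_capture(text):
    """Return {(src, dst, ip_id): [(iface, point), ...]} in capture order."""
    packets = OrderedDict()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["id"]))
        packets.setdefault(key, []).append((m["iface"], m["point"]))
    return packets


def verdict(points):
    """Map the sequence of inspection points a packet reached to a verdict."""
    seen = "".join(p for _, p in points)
    if seen == "iIoO":
        return "forwarded"
    if seen == "i":
        # Rulebase and anti-spoofing are enforced between i and I.
        return "dropped by inbound inspection (rulebase or anti-spoofing): check the drop / rule 0 logs"
    if seen == "iI":
        return "accepted inbound but never routed out: check the routing table or local delivery"
    if seen == "iIo":
        return "dropped by outbound inspection"
    return "unexpected sequence %r" % seen


def analyse(text):
    """Return {(src, dst, ip_id): (in_iface, out_iface_or_None, verdict)}."""
    result = OrderedDict()
    for key, points in parse_capture(text).items():
        in_iface = points[0][0]
        out_iface = next((iface for iface, p in points if p in "oO"), None)
        result[key] = (in_iface, out_iface, verdict(points))
    return result


if __name__ == "__main__":
    for (src, dst, ip_id), (inb, outb, why) in analyse(SAMPLE_CAPTURE).items():
        print("%s -> %s id=%d in=%s out=%s: %s" % (src, dst, ip_id, inb, outb, why))
```

Feed it the saved output of the fw monitor command above (redirected to a file) to get one verdict line per packet. One caveat: on a gateway with SecureXL enabled, accelerated packets may not pass through fw monitor at all, so an absent inspection point should be confirmed against the SmartView Tracker drop logs before concluding that the gateway dropped the packet.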
What is Anti-Spoofing?
The Anti-Spoofing feature ensures that the IP addresses of packets entering the firewall are
valid for the interface they arrive on. It verifies that packets originate from, and are destined to,
the correct interfaces on the gateway: a packet claiming an internal source address must actually
arrive on the internal interface that serves that network, and once a packet is routed it must
leave through the interface whose topology contains its destination.

A packet coming from an external interface, even if it has a spoofed internal IP address, is
blocked because anti-spoofing detects that the packet arrived on the wrong interface. With spoof
tracking set to Log, such drops appear in SmartView Tracker as rule 0.

Configuring Anti-Spoofing: It is important to configure anti-spoofing protection on every
interface of every Security Gateway, including internal interfaces; an interface left at Not
Defined is not checked at all.

Configuration on R75, see below. Source: Firewall R75 Administration Guide (freely
available).

Configuring Anti-Spoofing for External Interfaces:
To define a valid address for external interfaces:
1. In SmartDashboard, select Manage > Network Objects.
2. Select a gateway and click Edit.
3. From the list of pages, click Topology.
4. Click Get > Interfaces to obtain interface information of the gateway machine.
5. Click Accept. (If SmartDashboard cannot retrieve the topology information, check that
the gateway General Properties are listed correctly and that the gateway, the Security
Management server, and the SmartDashboard all have functioning communications.)
6. In the Topology page, select the interface to the Internet and click Edit.
7. In the Interface Properties window, open the Topology tab.
8. Select External (leads out to the Internet).
9. Under Anti-Spoofing action is set to, select one of the following:

Prevent - to block packets that have been spoofed.
Detect - to allow packets that have possibly been spoofed. This option is used for
monitoring purposes and should be used in conjunction with one of the tracking options.
It serves as a tool for learning the topology of a network without actually rejecting
packets.

10. Under Spoof Tracking, select Log and click OK.
11. Repeat steps 6 to 10 for every other external interface.
12. Install the security policy: Policy > Install.

Configuring Anti-Spoofing for Internal Interfaces:
To define a valid address for internal interfaces:
1. In SmartDashboard, select Manage > Network Objects.
2. Select the Check Point gateway and click Edit.
3. In the gateway window, select Topology.
4. In the Topology window, click Get > Interfaces to obtain interface information of the
gateway machine.
5. Under the Name column, select the internal interface and click Edit.
6. In the Interface Properties window, click Topology, and then select Internal
(leads to the local network).
7. Under IP Addresses behind this interface, do one of the following:
If there is only one network behind the interface, select Network defined by the
interface IP and Net Mask.
If there is more than one network behind the interface, define a group network object that
consists of all the networks behind the interface by selecting Specific and the group.

8. Select Perform Anti-Spoofing based on interface topology.
9. Under Anti-Spoofing action is set to, select one of the following:
Prevent - to block packets that have been spoofed.
Detect - to allow packets that have possibly been spoofed. This option is used for
monitoring purposes and should be used in conjunction with one of the tracking options.
It serves as a tool for learning the topology of a network without actually rejecting
packets.
10. Under Spoof Tracking, select Log and click OK.
11. Repeat steps 5 to 10 for all internal interfaces.
12. Install the security policy: Policy > Install.

Excluding Specific Internal Addresses
In some cases, it may be necessary to allow packets with source addresses that belong to an
internal network to enter the gateway through an external interface. This may be useful if an
external application assigns internal IP addresses to external clients. In this case, you can
specify that anti-spoofing checks are not made on packets from specified internal networks.
Keep such exceptions as narrow as possible: every excepted network is one an attacker can
spoof from the outside without the packet being dropped or logged against rule 0.

I was thinking about how to explain this in a better way and found the following link in my bookmarks.
Source: Essential Check Point FireWall-1 NG: An Installation, Configuration, and
Troubleshooting Guide by Dameon D. Welch-Abernathy

Topology and Anti-Spoofing:
It is important to understand which hosts are being protected by the firewall. It is also important
to know on which interface any given host is supposed to appear. When a host IP address
appears on the wrong interface, this is a potentially serious problem: a misconfigured host or
router, or an intruder! To catch these sorts of issues, we establish anti-spoofing on the firewall,
that is, preventing the use of IP addresses on interfaces where the hosts should not appear.
When you define anti-spoofing, you assert that only packets with source IPs defined for an
interface are allowed to originate traffic on the interface. For example, if a valid address is
192.168.182.0/24 and the interface is le0, the following are true.
A packet with source IP address 192.168.182.4 can come into le0.
A packet with source IP address 192.168.1.8 cannot come into le0.
A packet with destination IP address 192.168.182.4 can come into le0.
A packet with destination IP address 10.0.0.4 cannot come into le0.
This is different from FireWall-1 4.1, which also validated that a packet being routed to a
specific interface was also valid. This caused all sorts of problems with address translation.
In FireWall-1 4.1 and earlier, this was defined in the Valid Address setting in the Interface
portion of the gateway object. In the NG version, the setting is now called Topology, and we
define it in the Topology frame of the gateway object. Unlike the Valid Address setting in
FireWall-1 4.1, the Topology setting is also used to define external interfaces, which is
important for licensing.

Interface Properties, Topology tab
The options on the Topology tab include the following.
External: All IP addresses not specified on other interfaces are considered valid on this
interface. This is similar to the others option in FireWall-1 4.1 and earlier. This is also relevant
for node-limited licenses in that it indicates no hosts should be counted on this interface for
licensing purposes.
Internal: Only the IP addresses specified are considered valid on this interface. The next three
options allow you to specify which IPs are valid.
Not Defined: The IP addresses reachable from this interface are undefined. This option disables
anti-spoofing on this interface. In addition, any IPs behind this interface will not be included in
your encryption domain, assuming it is defined by topology instead of manually.
Network defined by the interface IP and Net Mask: This option specifically means the
logical network this interface is on. It is defined by the interface's IP address and netmask per
the configuration screen. All other networks are not considered valid. In FireWall-1 4.1 and
earlier, this option was titled the more confusing This Net.
Specific: This option refers to a defined group of network objects (networks, hosts) that make up
the valid addresses for this interface. This is typically used where there are multiple networks
reachable from this interface.
Perform Anti-Spoofing based on interface topology: If this option is checked, anti-spoofing
will be performed on this interface, assuming that Not Defined is not selected. If unchecked,
anti-spoofing will not be performed on this interface. Spoof tracking can be set to None (no
logging), Log, or Alert.
If you enable anti-spoofing, it is highly recommended that you enable logging of this property.
All anti-spoofing drops will log as Rule 0. If you want to log IP Options drops, go to the Log and
Alert frame of the Global Properties screen and enable IP Options Drop logging.
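To make the topology semantics above concrete (External means every address not claimed by another interface, Internal means only the listed networks, Not Defined means no check, plus the exception group from "Excluding Specific Internal Addresses"), here is an added example that is not Check Point code and not from either source quoted above. It models a four-interface gateway whose topology and exception group are assumed for illustration, and applies both halves of the check, the inbound source-address check and the post-routing destination check, to a packet, returning what Prevent or Detect mode would do with it.

```python
import ipaddress

# Constructed topology for a gateway with four interfaces (assumed for this
# example; not taken from any real configuration).  Each entry mirrors one of
# the Interface Properties > Topology choices described above.
TOPOLOGY = {
    "eth0": {"type": "external"},                              # External (leads out to the Internet)
    "eth1": {"type": "internal",
             "valid": ["192.168.1.0/24", "192.168.2.0/24"]},   # Internal, Specific (group of two networks)
    "eth2": {"type": "internal", "valid": ["10.10.10.0/24"]},  # Internal, network defined by interface IP/mask
    "eth3": {"type": "not_defined"},                           # Not Defined: anti-spoofing disabled here
}

# "Excluding Specific Internal Addresses": internal ranges that may still enter
# through an external interface (assumed here to be a remote-client address pool).
SPOOF_EXCEPTIONS = ["192.168.2.128/25"]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def internal_networks(topology):
    """Every network explicitly claimed by an Internal interface."""
    nets = []
    for cfg in topology.values():
        if cfg["type"] == "internal":
            nets.extend(_nets(cfg["valid"]))
    return nets


def address_belongs(iface, ip_str, topology=TOPOLOGY):
    """True if ip_str is a legitimate address on the iface side of the gateway.
    External = every address not claimed by some other interface;
    Not Defined = anything goes (no check is performed)."""
    cfg = topology[iface]
    ip = ipaddress.ip_address(ip_str)
    if cfg["type"] == "internal":
        return any(ip in n for n in _nets(cfg["valid"]))
    if cfg["type"] == "external":
        return not any(ip in n for n in internal_networks(topology))
    return True


def check_packet(in_iface, src, out_iface, dst, topology=TOPOLOGY,
                 exceptions=SPOOF_EXCEPTIONS, action="prevent"):
    """Apply the anti-spoofing check to a packet that routing sends from
    in_iface to out_iface.  Returns (verdict, reason); verdict is 'accept',
    'drop' (Prevent) or 'detect' (Detect: allowed, but would be logged)."""
    failed = "drop" if action == "prevent" else "detect"
    # Inbound half: the source address must belong on the arrival interface,
    # unless it falls in the exception group and arrived on an external interface.
    if not address_belongs(in_iface, src, topology):
        excepted = (topology[in_iface]["type"] == "external" and
                    any(ipaddress.ip_address(src) in n for n in _nets(exceptions)))
        if not excepted:
            return failed, "source %s is not valid on %s (logged as rule 0)" % (src, in_iface)
    # Outbound half: after routing, the destination must belong on the egress interface.
    if not address_belongs(out_iface, dst, topology):
        return failed, "destination %s should not leave via %s" % (dst, out_iface)
    return "accept", "topology consistent"


if __name__ == "__main__":
    cases = [
        ("eth0", "198.51.100.5", "eth1", "192.168.1.10"),   # normal inbound from the Internet
        ("eth0", "192.168.1.10", "eth1", "192.168.1.20"),   # internal source arriving from outside: spoofed
        ("eth0", "192.168.2.200", "eth1", "192.168.1.20"),  # internal source, but in the exception group
        ("eth1", "10.10.10.5", "eth2", "10.10.10.9"),       # DMZ address arriving on the LAN interface
        ("eth3", "203.0.113.9", "eth0", "198.51.100.5"),    # Not Defined interface: nothing is checked
    ]
    for c in cases:
        print(c, "->", check_packet(*c))
```

The second and fourth cases are the classic misconfigured-host-or-intruder situations the book describes; the fifth shows why a Not Defined interface is a gap rather than a safe default. Run the same cases with action="detect" to see what Detect mode would let through while you are still learning a network's topology.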
Question 1 Which of the applications in Check Point technology can be used to configure
security objects?
Answer:
SmartDashboard
Question 2 Which of the applications in Check Point technology can be used to view which
administrator did what to the security policy (the audit trail)?
Answer:
SmartView Tracker
Question 3 What are the two types of Check Point NG licenses?
Answer:
Central and Local licenses
Central licenses are the new licensing model for NG and are bound to the SmartCenter server.
Local licenses are the legacy licensing model and are bound to the enforcement module.
Question 4 What is the main difference between cpstop/cpstart and fwstop/fwstart?
Answer:
Using cpstop and then cpstart will restart all Check Point components, including the SVN
Foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1.
Question 5 What are the functions of the CPD, FWM, and FWD processes?
Answer:
CPD: CPD is high in the hierarchical chain and helps to execute many services, such as Secure
Internal Communication (SIC), licensing and status reporting.
FWM: The FWM process is responsible for the execution of the database activities of the
SmartCenter server. It is, therefore, responsible for policy installation, Management High
Availability (HA) synchronization, saving the policy, database read/write actions, log
display, etc.
FWD: The FWD process is responsible for logging. It is executed in relation to logging, Security
Servers and communication with OPSEC applications.
Question 6 How do you install Check Point Firewall NGX on SecurePlatform?
Answer:
1. Insert the Check Point CD into the computer's CD drive.
2. You will see a Welcome to Check Point SecurePlatform screen. It will prompt you to press any
key. Press any key to start the installation; otherwise the installation is aborted.
3. You will now receive a message saying that your hardware was scanned and found suitable for
installing SecurePlatform, asking "Do you wish to proceed with the installation of Check Point
SecurePlatform?"
Of the four options given, select OK to continue.
4.You will be given a choice of these two:
SecurePlatform
SecurePlatform Pro
Select Secureplatform Pro and enter ok to continue.
5. Next it will give you the option to select the keyboard type. Select your keyboard type (default
is US) and enter OK to continue.
6. The next option is the Networking Device. It lists the interfaces of your machine and
you can select the interface of your choice.
7. The next option is the Network Interface Configuration. Enter the IP address, subnet mask and
the default gateway.
For this tutorial, we will set this IP address as 1.1.1.1 255.255.255.0 and the default gateway as
1.1.1.2, which will be the IP address of your upstream router or Layer 3 device. (These are
tutorial placeholders only; 1.1.1.0/24 is a real public range, so use your own addresses in a
live deployment.)
8. The next option is the HTTPS Server Configuration. Leave the default and enter OK.
9. Now you will see the Confirmation screen. It will say that the next stage of the installation
process will format your hard drives. Press OK to continue.
10. Sit back and relax as the hard disk is formatted and the files are copied.
Once it is done with the formatting and copying of image files, it will prompt you to reboot the
machine and, importantly, to REMOVE THE INSTALLATION CD. Press Enter to reboot.
Note: SecurePlatform disables Num Lock by overriding the system BIOS setting, so
press Num Lock to enable it.
For the FIRST login, the login name is admin and the password is also admin; the next step
forces you to change it.
11. Start the firewall in Normal Mode.
12. Configuring the initial login:
Enter the user name and password as admin, admin.
It will prompt you for a new password. Choose a password (the value below is only an example):
Enter new password: check$123
Enter new password again: check$123
You may choose a different user name:
Enter a user name: fwadmin
Now it will present you with the [cpmodule]# prompt.
13. The next step is to launch the configuration wizard. To start it, type
sysconfig.
You have to enter n for next and q for quit. Enter n for next.
14. Configuring the host name: Press 1 to enter the host name section. Press 1 again to set the host name.
Enter host name: checkpointfw
You can either enter an IP address or leave it blank to associate an IP address with this host name.
Leave it blank for now.
Press 2 to show the host name. It now displays the name of the firewall as checkpointfw.
Press e to get out of that section.
15. Configuring the domain name.
Press 2 to enter the section for configuring the domain name. Press 1 to set the domain
name.
Enter domain name: yourdomain.com
Example:
Enter domain name: checkpointfw.com
You can press 2 to show the domain name.
16. Configuring Domain Name Servers.
Press 1 to add a new domain name server.
Enter IP address of the domain name server to add: enter the IP address of your DNS server
here.
Press e to exit.
Network Connections.
17. Press 4 to enter the Network Connections parameter.
Enter 2 to Configure a new connection.
Your Choice:
1) eth0
2) eth1
3) eth2
4) eth3
Press 2 to configure eth1. (We will configure this interface as the inside interface with an IP
address of 192.168.1.1 and a subnet mask of 255.255.255.0. The firewall's default gateway stays
1.1.1.2 on the outside and is set in step 18.)
Press 1) Change IP settings.
Enter IP address for eth1 (press c to cancel): 192.168.1.1
Enter network mask for interface eth1 (press c to cancel): 255.255.255.0
Enter broadcast address of the interface eth1 (leave empty for default): Enter
Press Enter to continue.
Similarly configure the eth2 interface, which will be acting as a DMZ in this case with
10.10.10.1 255.255.255.0.
Press e to exit the configuration menu.
18.Configuring the Default Gateway Configuration.
Enter 5 which is the Routing section to enter information on the default gateway configuration.
1.Set default gateway.
2.Show default gateway.
Press 1 to enter the default gateway configuration.
Enter default gateway IP address: 1.1.1.2
19. Choose a time and date configuration item.
Press n to configure the timezone, date and local time.
This part is self explanatory so you can do it yourself.
The next prompt is Import Check Point Products Configuration. Press n for next to skip
this part, as it is not needed for a fresh install.
20. Next is the license agreement. You have the option of V for evaluation product, U for
purchased product and N for next. Press N for next.
Press Y to accept the license agreement.
21. The next section shows the Product Selection and Installation option menu.
Select Check Point Enterprise/Pro.
Press N to continue.
22. Select New Installation from the menu.
Press N to continue.
23. The next menu shows the products to be installed.
Since this is a standalone installation configuration example (gateway and management on the
same machine), select
VPN-1 Pro and
SmartCenter
Press N for next.
24. The next menu gives you the option to select the SmartCenter type you would like to install.
Select Primary SmartCenter.
Press n for next.
A validation screen will be seen showing the following products:
VPN-1 Pro and Primary SmartCenter.
Press n for next to continue.
Now the installation of VPN-1 Pro NGX R60 will start.
25. The set of menu is as follows:
Do you want to add license (y/n)
You can enter Y which is the default and enter your license information.
26. The next prompt asks you to add an administrator. Add an administrator.
27. The next prompt asks you to add a GUI client. Enter the IP address of the machine from
which you want to manage this firewall; only the addresses in this list are allowed to connect
with SmartDashboard.
28. The final step of the installation is creation of the ICA (Internal Certificate Authority). It
will prompt you for the creation of the ICA; follow the steps and the ICA will be created. Once
the random seed has been gathered (you do not have to do anything), the ICA is initialized.
After the ICA is initialized, its fingerprint is displayed. Save this fingerprint, because it is
used later when connecting to the SmartCenter through the GUI: on the first connection
SmartDashboard shows the fingerprint of the server it reached, and the two must match. This is
the check that lets you detect someone impersonating the SmartCenter to the management client,
so compare it against the saved copy rather than simply accepting whatever is shown.
The next step is reboot. Reboot the firewall.
Question 7 What are the types of NAT and how to configure it in Check Point Firewall?
Answer:
Static Mode manually defined

CHECKPOINT


Q.1 What is the Check Point architecture?
Q.2 How do Check Point components communicate and sync with each other?
Q.3 What are the major differences between SPLAT and GAIA?
Q.4 What are the different Check Point ports and the purpose of each?
Q.5 How does SIC work? What ports does SIC use?
Q.6 Check Point packet flow for SNAT and DNAT?
Ans.
In the case of source NAT:
1. Anti-spoofing
2. Session lookup
3. Policy lookup
4. Routing
5. NAT (source translation, applied after the routing decision)

In the case of destination NAT (destination translated on the client side):
1. Anti-spoofing
2. Session lookup
3. Policy lookup
4. NAT (destination translation, applied before the routing decision)
5. Routing
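The order matters because the route lookup either sees the translated destination or the original one. The following is an added example, not Check Point code and not from the page: it simulates the two flows above against a constructed routing table and NAT configuration (all addresses and rules are assumed for illustration). The translate_dst_client_side flag stands in for the "Translate destination on client side" option under Global Properties > NAT that Q.7 asks about; the anti-spoofing, session and policy stages are modelled as plain accepts so the example focuses on the NAT/routing order.

```python
import ipaddress

# Constructed gateway state for this example (not a real configuration).
ROUTES = [                       # (prefix, egress interface); longest prefix wins
    ("10.10.10.0/24", "eth2"),   # DMZ
    ("192.168.1.0/24", "eth1"),  # inside
    ("0.0.0.0/0", "eth0"),       # default route via the external interface
]
STATIC_NAT = {"203.0.113.10": "10.10.10.5"}    # public address -> DMZ server (destination NAT)
HIDE_NAT = {"192.168.1.0/24": "203.0.113.1"}   # inside network hidden behind the external IP (source NAT)


def route(dst, routes=None):
    """Longest-prefix-match lookup; returns the egress interface."""
    routes = ROUTES if routes is None else routes
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def process(src, dst, translate_dst_client_side=True, routes=None):
    """Simulate the packet flow for an accepted packet.
    Returns (translated_src, translated_dst, egress_iface, trace)."""
    trace = ["anti-spoofing: ok", "session lookup: new", "policy lookup: accept"]
    if translate_dst_client_side:
        # DNAT before routing: the route lookup sees the real (translated) destination.
        dst = STATIC_NAT.get(dst, dst)
        trace.append("dnat -> %s" % dst)
        egress = route(dst, routes)
        trace.append("route -> %s" % egress)
    else:
        # Routing on the untranslated (public) destination first, then DNAT.
        egress = route(dst, routes)
        trace.append("route -> %s" % egress)
        dst = STATIC_NAT.get(dst, dst)
        trace.append("dnat -> %s" % dst)
    # Source NAT is applied after routing, and only to traffic leaving via the
    # external interface (assumption made for this example).
    for net, hide_ip in HIDE_NAT.items():
        if egress == "eth0" and ipaddress.ip_address(src) in ipaddress.ip_network(net):
            src = hide_ip
            trace.append("snat -> %s" % src)
    return src, dst, egress, trace


if __name__ == "__main__":
    print(process("198.51.100.7", "203.0.113.10"))         # DNAT first: reaches the DMZ via eth2
    print(process("198.51.100.7", "203.0.113.10", False))  # routing first: sent back out eth0
    # With server-side translation, a static route for the public address is the usual fix.
    fixed = ROUTES + [("203.0.113.10/32", "eth2")]
    print(process("198.51.100.7", "203.0.113.10", False, fixed))
    print(process("192.168.1.10", "198.51.100.7"))         # outbound, hidden behind 203.0.113.1
```

The second call shows the failure mode a practitioner actually hits: with destination translation after routing, the inbound packet for 203.0.113.10 follows the default route back out the external interface, and a host route for the public address pointing at the DMZ interface is needed to recover, which the third call demonstrates.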

Q.7 How do you configure the gateway to perform DNAT before routing via Global Properties?
Q.8 What are the different Check Point modules?
Q.9 What is Anti-Bot?
Q.10 How do you block an ICMP tunnel in Check Point?
Q.11 Difference between fwstop and cpstop?
Q.12 Which services are impacted during cpstop and cpstart?
Q.13 What is CPinfo? And why is it used?
Q.14 What are ClusterXL, SecureXL and CoreXL?
Q.15 What is Provider-1?
Q.16 What is the MDS database?
Q.17 How do you configure SmartCenter (SMC) HA?
Q.18 How do you check licenses via SmartView Monitor?



CHECKPOINT CLUSTER

Q.1 Which protocol does Check Point use for clustering?
Q.2 How does ClusterXL work? What ports are used by ClusterXL?
Q.3 What are New and Legacy Mode in clustering?
Q.4 What are Delta and Full sync in clustering?
Q.5 What is the step-by-step process for configuring a Check Point cluster?
Q.6 How do you use VRRP for Check Point clustering?



CHECKPOINT VPN

Q.1 Difference between IPsec and SSL VPN?
Q.2 Difference between domain-based and route-based VPN?
Q.3 What are the protocols of IPsec? And what are the port and protocol numbers of the various
IPsec protocols?
Q.4 What is NAT traversal? Where is it used?
Q.5 How do you use NAT inside a VPN tunnel?
Q.6 What is Norm in IPsec?
Q.7 What are the phases of an IPsec VPN? How many messages are exchanged in Main
and Quick Mode, and what are these messages?
Q.8 What is an Encryption Domain?
