
Check Point
SOFTWARE TECHNOLOGIES LTD.

We Secure the Internet.

Check Point
Certified Security Administrator R75
STUDENT MANUAL

3D
SECURITY

Check Point Security Series

Check Point Certified Security Administrator


R75 Training Manual
PIN: 704735

Check Point
SOFTWARE TECHNOLOGIES INC.

Copyright Check Point Software Technologies Ltd. All rights reserved.
Printed by Check Point Press
A Division of Check Point Software Technologies Ltd.


RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

© 2003-2011 Check Point Software Technologies Ltd.

COPYRIGHT NOTICE

No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Check Point Software Technologies Ltd. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, Check Point Software Technologies Ltd. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Copyright © Check Point Software Technologies Ltd. All rights reserved.

TRADEMARKS
© 2003-2011 Check Point Software Technologies Ltd. All rights reserved. Check Point, Check Point Abra, AlertAdvisor, Application Intelligence, Check Point Application Control Software Blades, Check Point Data Loss Prevention, Check Point DLP, Check Point DLP-1, Check Point Endpoint Security, Check Point Endpoint Security On Demand, the Check Point logo, Check Point Full Disk Encryption, Check Point Horizon Manager, Check Point Identity Awareness, Check Point IPS, Check Point IPSec VPN, Check Point Media Encryption, Check Point Mobile, Check Point Mobile Access, Check Point NAC, Check Point Network Voyager, Check Point OneCheck, Check Point R75, Check Point Security Gateway, Check Point Update Service, Check Point WebCheck, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, DefenseNet, Dynamic ID, Endpoint Connect VPN Client, Endpoint Security, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IP Appliances, IPS-1, IPS Software Blade, IPSO, R75, Software Blade, IQ Engine, MailSafe, the More, better, Simpler Security logo, Multi-Domain Security Management, MultiSpect, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, Secure Virtual Workspace, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Series 80 Appliance, SiteManager-1, Smart-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, SmartEvent, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartReporter, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartWorkflow, SMP, SMP On-Demand, SocialGuard, SofaWare, Software Blade Architecture, the softwareblades logo, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, UserCheck, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Edge, VPN-1 MASS, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VE, VPN-1 VSX, VSX, VSX-1, Web Intelligence, ZoneAlarm, ZoneAlarm Antivirus, ZoneAlarm DataLock, ZoneAlarm Extreme Security, ZoneAlarm ForceField, ZoneAlarm Free Firewall, ZoneAlarm Pro, ZoneAlarm Internet Security Suite, ZoneAlarm Security Toolbar, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, 7,165,076, 7,540,013, 7,725,737 and 7,788,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

International Headquarters:
5 Ha'Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555

U.S. Headquarters:
800 Bridge Parkway
Redwood City, CA 94065
Tel: 650-628-2000
Fax: 650-654-4233

Technical Support, Education & Professional Services:
6330 Commerce Drive, Suite 120
Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913

E-mail any comments or questions about our courseware to courseware@us.checkpoint.com.
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.

Document #: DOC-Manual-Lab-CCSA-R75

Revision: R75

Content: Mark Hoefle, Steven Luc, Joey Witt

Graphics:

Jeffery Holder, Chunming l ia

Contributors

Alpha & Beta Testing:
Allen Land, Austin Stubblefield, Carlos Moreira, Charles Singleton, Francine Nguyen, John Michealson, Justin Sowder, Kim Winfield, Ron Brace, Sara Jones

Test Development:
Ken Finley, Check Point

Check Point Technical Publications Team:
Rochelle Fisher, Daly Yam, Eli Har-Even, Micky Sapir, Paul Grigg, Richard Levine, Shira Rosenfield, Yaakov Simon

Check Point Technical Review:
Allen Land, Austin Stubblefield, Carlos Moreira, Charles Singleton, Francine Nguyen, John Michealson, Justin Sowder, Ron Brace, Sara Jones

Contents

Preface: Check Point Security Administrator R75 ............ 1
    CCSA R75 Overview ............ 2

Chapter 1: Introduction to Check Point Technology ............ 5
    Check Point Technology Overview ............ 6
    The Check Point Firewall ............ 8
    Mechanisms for Controlling Network Traffic ............ 10
    Security Gateway Inspection Architecture ............ 14
    Deployment Considerations ............ 16
    Security Policy Management ............ 19
    SmartConsole Components ............ 20
    Security Management Server ............ 31
    Securing Channels of Communication ............ 34
    Practice and Review ............ 38

Chapter 2: Deployment Platforms ............ 39
    Deployment Platforms ............ 40
    UTM-1 Edge Appliance ............ 41
    IP Appliance ............ 45
    IP Network Voyager ............ 46
    IPSO ............ 48
    SecurePlatform ............ 51
    Practice and Review ............ 59

Chapter 3: Introduction to the Security Policy ............ 61
    Introduction to the Security Policy ............ 62
    Security Policy Basics ............ 63
    Managing Objects ............ 66
    Creating the Rule Base ............ 69
    Rule Base Management ............ 75
    Policy Management and Revision Control ............ 78
    Network Address Translation ............ 81
    Manual NAT ............ 90
    Practice and Review ............ 94

Chapter 4: Monitoring Traffic and Connections ............ 95
    Monitoring Traffic and Connections ............ 96
    SmartView Tracker ............ 97
    Working with SmartView Tracker ............ 101
    SmartView Monitor ............ 107
    Customized Views ............ 109
    Monitoring Suspicious Activity Rules ............ 114
    Gateway Status ............ 117
    SmartView Tracker vs. SmartView Monitor ............ 121
    Practice and Review ............ 122

Chapter 5: Using SmartUpdate ............ 123
    Using SmartUpdate ............ 124
    SmartUpdate and Managing Licenses ............ 125
    SmartUpdate Architecture ............ 126
    SmartUpdate Introduction ............ 128
    Upgrading Licenses ............ 133
    Viewing License Properties ............ 137
    Service Contracts ............ 138
    Licensing R75 ............ 140
    Licensing SmartEvent ............ 142
    Practice and Review ............ 143

Chapter 6: User Management and Authentication ............ 145
    User Management and Authentication ............ 146
    Creating Users and Groups ............ 147
    Security Gateway Authentication ............ 148
    User Authentication ............ 153
    Session Authentication ............ 156
    Client Authentication ............ 158
    Resolving Access Conflicts ............ 162
    LDAP User Management with SmartDirectory ............ 164
    Practice and Review ............ 172

Chapter 7: Identity Awareness ............ 173
    Identity Awareness ............ 174
    Introduction to Identity Awareness ............ 175
    Enabling Identity Awareness ............ 176
    Defining Access Roles ............ 182
    Using Access Roles in the Firewall Rule Base ............ 183
    Practice and Review ............ 184

Chapter 8: Introduction to Check Point VPNs ............ 185
    Introduction to VPNs ............ 186
    The Check Point VPN ............ 187
    VPN Deployments ............ 188
    VPN Implementation ............ 190
    VPN Topologies ............ 194
    Special VPN Gateway Conditions ............ 198
    Access Control and VPN Communities ............ 201
    Integrating VPNs into a Rule Base ............ 204
    Remote Access VPNs ............ 209
    Practice and Review ............ 212

Appendix: Chapter Questions and Answers ............ 213
    Chapter 1 - Technology Overview ............ 214
    Chapter 2 - Deployment Platforms ............ 215
    Chapter 3 - Introduction to the Security Policy ............ 216
    Chapter 4 - Monitoring Traffic and Connections ............ 217
    Chapter 5 - Using SmartUpdate ............ 218
    Chapter 6 - User Management and Authentication ............ 219
    Chapter 7 - Identity Awareness ............ 220
    Chapter 8 - Introduction to VPNs ............ 221

PREFACE

Check Point Security Administrator R75

CCSA R75 Overview

Welcome to the Security Administrator course. This course provides an understanding of the basic concepts and skills necessary to configure Check Point Security Gateway and Management Software Blades. During this course, you will configure a Security Policy, and learn about managing and monitoring a secure network. In addition, you will upgrade and configure a Security Gateway to implement a virtual private network for both internal and external, remote users. (See "Course Objectives" in this course book for a list of objectives.) Follow along as the class progresses, and take notes for future reference.

Course Layout
This course is designed for Security Administrators and Check Point resellers, and for those who are working towards their CCSA certification. The following professionals benefit most from this course:
System administrators
Support analysts
Network engineers

Prerequisites
Before taking this course, we strongly suggest you have the following knowledge base:
General knowledge of TCP/IP
Working knowledge of Windows and/or UNIX
Working knowledge of network technology
Working knowledge of the Internet

Certification Title
The current Check Point Certified Security Administrator (CCSA) certification is designed for partners and customers seeking to validate their knowledge of Check Point's Software Blade products.

Course Chapters
Chapter 1: Introduction to Check Point Technology
Chapter 2: Deployment Platforms
Chapter 3: Introduction to the Security Policy
Chapter 4: Monitoring Traffic and Connections
Chapter 5: Using SmartUpdate
Chapter 6: User Management and Authentication
Chapter 7: Identity Awareness
Chapter 8: Introduction to Check Point VPNs

Sample Setup for Labs

See your Lab Manual for a complete set of Lab Topology diagrams. Most lab exercises will require you to manipulate machines in your network, and other labs will require interaction with the instructor's machines.

Lab Terminology
Consider the following:

Corporate Office
  Host name    Object      Description
  guiclient    AT_GUI      Administrator client machine used to connect to the Security Management Server
  smcorp       AT_MGMT     Security Management Server at corporate office
  sgcorp       AT_GWY      Security Gateway at corporate office
               AT_DMZ      Multi-purpose server in the DMZ at corporate office
  adserver     ADserver    Active Directory server for corporate office

Branch Office
  Host name    Object      Description
                           Security Gateway at branch office
  pcbranch                 PC at branch office

CHAPTER 1

Introduction to Check Point Technology

Check Point Technology Overview

Check Point technology is designed to address network exploitation, administrative flexibility and critical accessibility. This chapter introduces the basic concepts of network security and management based on Check Point's three-tier structure, and provides the foundation for technologies involved in the Check Point Software Blade Architecture, as discussed in the introduction. This course is lab-intensive, and in this chapter you will begin your hands-on approach with a first-time installation using standalone and distributed topologies.

Learning Objectives:

Describe Check Point's unified approach to network management, and the key elements of this architecture.

Design a distributed environment using the network detailed in the course topology.

Install the Security Gateway version R75 in a distributed environment using the network detailed in the course topology.

Network Access Control

Network administrators need the means to securely control access to network resources. A Check Point Security Gateway at the network boundary inspects and provides access control for all gateway traffic.

Figure 1 - Check Point Security Gateway Enforcement (a Security Gateway placed between the internal network and the Internet)

Check Point security policies can be enforced consistently across multiple gateways. To do this, the administrator defines a company-wide security policy Rule Base using SmartDashboard, saves it on the Security Management Server and installs it from there to the gateways. Granular security policy control is possible by applying specific rules to specific gateways.

Check Point Security Gateways provide secure access control because of their granular understanding of all underlying services and applications traveling on the network. Check Point's Stateful Inspection technology provides full application-level awareness and comprehensive access control for more than 150 predefined applications, services and protocols, as well as the ability to specify and define custom services.

Stateful Inspection extracts state-related information required for security decisions from all application levels and maintains this information in dynamic state tables that are used to evaluate subsequent connection attempts. For additional technical information on Stateful Inspection, refer to the Check Point Technical Note at:
http://www.checkpoint.com/products/downloads/firewall-1_statefulinspection.pdf

The Check Point Firewall

To understand the capabilities of the basic firewall, it is useful to examine the aspects of the Open Systems Interconnection (OSI) model. It is meant to represent network communication between computer systems and network devices.

Figure 2 - OSI Model Example (Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link, Layer 1 Physical)

Layer 1: Represents the physical communication hardware or media required, such as Ethernet cards, cables and hubs.

Layer 2: Represents where network traffic is delivered to the local area network (LAN); this is where identification of a single specific machine takes place. Media Access Control (MAC) addresses are assigned to network interfaces by the manufacturers. An Ethernet address belonging to an Ethernet card is a layer 2 MAC address. An example of a physical device performing in this layer would be a switch.

Layer 3: Represents where delivery of network traffic on Wide Area Networks (WANs) or, more commonly, the Internet takes place; addressing in this layer is referred to as Internet Protocol (IP) addressing, and creates unique addresses, except when Network Address Translation (NAT) is employed. Network Address Translation makes it possible to address multiple physical systems by a single layer 3 IP address. An example of a physical device performing in this layer would be a router.

Layer 4: Represents where specific network applications and communication sessions are identified; multiple layer 4 sessions may occur simultaneously on any given system with other systems on the same network. This layer introduces the concept of ports, or endpoints, for sessions. The session on an originating system is identified by the source port number, and similarly for the destination system.

Layers 5, 6 and 7: Represent end-user applications and systems; the application layer is not the actual end-user software application, but a set of services that allow the software application to communicate through the network. Distinctions among layers 5, 6 and 7 are not always clear, and some competing models combine these layers, as does this handbook.

The more layers a firewall is capable of covering, the more thorough and effective the firewall. Advanced applications and protocols can be accommodated more efficiently with additional layer coverage. In addition, more advanced firewalls, such as Check Point's Security Gateways, can provide services that are specifically oriented to the user, such as authentication techniques and logging events to specific users.

Mechanisms for Controlling Network Traffic

Any firewall must deny or permit traffic based on explicitly defined rules. Check Point utilizes the following technologies to grant or deny network traffic:

Packet filtering
Stateful Inspection
Application Intelligence

Packet Filtering
Fundamentally, messages are divided into packets that include the destination address and data. Packets are transmitted individually and often by different routes. Once the packets reach their destination, they are reassembled into the original message.

Figure 3 - Packet Filtering (a router filtering packets between two hosts; pros: application independence, high performance, scalability; cons: low security, no screening above the network layer)

Packet filtering is a firewall in its most basic form. Primarily, the purpose is to control access to specific network segments as directed by a preconfigured set of rules, or rule base, which defines the traffic permitted access. Packet filters usually function at layers 3 (network) and 4 (transport) of the OSI model.

In general, a typical rule base will include the following elements:

Source address
Destination address
Source port
Destination port
Protocol

Packet-filter firewalls are the least secure type of firewall, because they cannot understand the context of a given communication, making them easier for intruders to attack.

Stateful Inspection
Stateful Inspection, a technology developed and patented by Check Point, incorporates layer 4 awareness into the standard packet-filter firewall architecture. Stateful Inspection differs from static packet filtering in that it examines a packet not only in its header, but also the contents of the packet up through the application layer, to determine more about the packet than just information about its source and destination. The state of the connection is monitored and a state table is created to compile the information. As a result, filtering includes context that has been established by previous packets passed through the firewall.

For example, stateful-inspection firewalls provide a security measure against port scanning by keeping all ports closed to inbound traffic until a connection recorded in the state table has requested that specific port; an inbound packet that matches neither a state table entry nor an explicit rule is dropped.
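To make the difference concrete, here is a small simulation, added here as an example and not taken from the manual or from Check Point's software, of a static packet filter beside a stateful firewall. Both are fed the same three constructed packets: an outbound web request, the server's reply, and a probe that spoofs source port 80 so that it looks like a reply. The addresses, rule names and the Packet and Rule classes are assumptions made for the example and are not Check Point objects; the stateful side keeps a plain 5-tuple state table rather than the INSPECT Engine's real tables.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example (assumptions, not the manual's lab topology).
INTERNAL = ipaddress.ip_network("10.1.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False        # True only on the first segment of a new TCP connection


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp" or "any"
    sport: Optional[int]     # None means any port
    dport: Optional[int]
    action: str              # "accept" or "drop"


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rule base top-down; the first matching rule decides.
    If nothing matches, the implicit cleanup rule drops the packet."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", pkt.proto)
                and r.sport in (None, pkt.sport)
                and r.dport in (None, pkt.dport)):
            return r.action, r.name
    return "drop", "implicit cleanup"


class PacketFilter:
    """Static packet filter: every packet, replies included, is judged on its header alone."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[Tuple[Packet, str, str]] = []   # (packet, action, matched rule)

    def decide(self, pkt: Packet) -> str:
        action, why = first_match(self.rules, pkt)
        self.log.append((pkt, action, why))
        return action


class StatefulFirewall(PacketFilter):
    """Stateful inspection: an accepted connection is recorded in a state table, and later
    packets of that connection, in either direction, are admitted from the table without
    consulting the rule base again."""
    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.state = set()

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            action, why = "accept", "state table"
        elif pkt.proto == "tcp" and not pkt.syn:
            action, why = "drop", "out of state"       # TCP segment with no known connection
        else:
            action, why = first_match(self.rules, pkt)
            if action == "accept":
                self.state.add(fwd)                     # remember the new connection
        self.log.append((pkt, action, why))
        return action


def run_scenario():
    """Same three packets through both firewalls: an outbound web request, its reply,
    and a probe to port 22 that spoofs source port 80 to look like a reply."""
    request = Packet("10.1.1.5", "203.0.113.10", "tcp", 40000, 80, syn=True)
    reply = Packet("203.0.113.10", "10.1.1.5", "tcp", 80, 40000)
    probe = Packet("198.51.100.7", "10.1.1.5", "tcp", 80, 22, syn=True)

    # A stateless filter must hold a standing hole for return traffic: anything from port 80 inbound.
    stateless = PacketFilter([
        Rule("web out", INTERNAL, ANY, "tcp", None, 80, "accept"),
        Rule("web replies", ANY, INTERNAL, "tcp", 80, None, "accept"),
    ])
    # The stateful firewall needs only the outbound rule; replies are admitted from the state table.
    stateful = StatefulFirewall([
        Rule("web out", INTERNAL, ANY, "tcp", None, 80, "accept"),
    ])
    return {
        "stateless": [stateless.decide(p) for p in (request, reply, probe)],
        "stateful": [stateful.decide(p) for p in (request, reply, probe)],
        "stateful_reasons": [why for _, _, why in stateful.log],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The stateless filter accepts the probe because its "web replies" rule cannot tell a genuine reply from any packet that happens to carry source port 80. The stateful firewall admits the real reply from its state table and drops the probe under the implicit cleanup rule, which is the "closed until requested" behaviour described above; the log records the matched rule for every decision, as the packet-flow description later in this chapter expects.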

Figure 4 - Stateful Inspection (the inspection engine shown against the OSI layers of the sending and receiving hosts)

There are many state tables that hold useful information in regards to monitoring performance through a Security Gateway. State tables are used to keep the state information needed to correctly inspect packets. The tables are key components of Check Point Stateful Inspection technology.

Check Point's INSPECT Engine is the mechanism used for extracting the state-related information from all application layers, and it maintains this information in the dynamic state tables needed for evaluating subsequent connections. The INSPECT Engine enforces the Security Policy on the Security Gateway on which it resides.

Application Intelligence
A growing number of attacks attempt to exploit vulnerabilities in network applications, rather than targeting firewalls directly. Application Intelligence is a set of advanced capabilities, integrated into the firewall and IPS, which detect and prevent application-level attacks.

Application Intelligence works primarily with application-layer defenses. In practice, however, many attacks aimed at network applications actually target the network and transport layers.

Figure 5 - Protocol Examples (Layer 4 Transport: TCP, UDP; Layer 3 Network: IP)

Security Gateway Inspection Architecture

The Security Gateway integrates both network-level and application-level protection by combining Stateful Inspection and Application Intelligence. All inbound traffic is routed through the Security Gateway, as this is the logical place for active defenses to reside.

System resources and processing time are saved by processing packets in the operating system's kernel. Applications and processes in the kernel layer suffer little, if any, performance degradation, and can support data throughput rates ranging into multiple gigabits per second. The Security Gateway kernel module is placed between the NICs and the TCP/IP stack, which also solves the problem of protecting the TCP/IP stack itself: no packet reaches the stack without first being inspected.

INSPECT Engine Packet Flow

If packets pass inspection, the Security Gateway passes them through the TCP/IP stack and on to their destination. Packets pass from the NIC to the Inspection Module, and then up through the network stack. Some packets are destined for the operating system's local processes. In this case, the Inspection Module inspects the packets and passes them through the TCP/IP stack. If packets do not pass inspection, they are rejected or dropped and logged, according to the rules set in the Check Point Rule Base.

Packets are not processed by higher protocol-stack layers unless the Security Gateway verifies that they comply with the Security Policy.

The diagram presents a sample flow of a new inbound packet initiating a TCP/IP session through the Inspection Module, at the kernel level:

Figure - Inspection and Packet Flow (the packet arrives from the NIC; the Inspection Module checks it against the Rule Base one rule at a time, asking whether another rule remains and whether the packet is rejected by the rule; a rejected packet is dropped or answered with a NACK and logged, and an accepted packet is passed to the TCP/IP stack)

Deployment Considerations
As a brief introduction to Gateway deployments, consider the network topology. The network topology represents the internal network (both the local area network (LAN) and the demilitarized zone (DMZ)) protected by the Gateway. The Gateway must be aware of the layout of the network topology to:

Correctly enforce the Security Policy.

Ensure the validity of IP addresses for inbound and outbound traffic (anti-spoofing).

Configure a special domain for Virtual Private Networks (the VPN domain).

Each component in the network topology is distinguished on the network by its IP address and net mask. The combination of objects and their respective IP information makes up the topology. It is important to take into consideration your existing corporate network when deciding the best deployment strategy for your Security Gateway. Installing a new Gateway in an existing network often requires reconfiguration of the routing scheme. In more complex deployments, however, you may find that the reconfiguration necessary to enable a new routing scheme is prohibitive. In this case, Bridge mode may be your best option.

It may also be necessary to consider adding a cluster to your security network. A cluster environment provides reliability through high availability, and enhanced reliability and performance through load sharing. Clustering is discussed in more detail in the Check Point Security Expert course.

Figure 6 - Deployment Considerations

The DMZ
If you have servers that are externally accessible from the Internet, it is recommended to create a demilitarized zone (DMZ). The DMZ isolates all servers that are accessible from untrusted sources, such as the Internet, so that if one of those servers is compromised, the intruder only has limited access to other externally accessible servers. Servers in the DMZ are accessible from any network, and all externally accessible servers should be located in the DMZ. Servers in the DMZ should be as secure as possible. Do not allow the DMZ to initiate connections into the internal network, other than for specific applications such as UserAuthority.

Figure 7 - Configuration with a DMZ (a Security Gateway with an FTP server and a mail server on the DMZ)
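The DMZ guidance above can be checked mechanically against a rule base before it is installed. The following script is added here as an example; it is not part of the manual and not a Check Point tool. It audits a constructed rule base for accept rules that let the DMZ initiate connections into the internal network (allowing only an explicitly whitelisted service) and for the absence of a final cleanup drop rule. The zone addresses, rule names and the whitelisted port 389 are assumptions for the example; substitute the service your DMZ application actually needs.

```python
import ipaddress
from typing import FrozenSet, List, NamedTuple, Optional

# Constructed zone addresses for the example (assumptions, not the manual's lab topology).
INTERNAL = ipaddress.ip_network("10.1.1.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: Optional[int]      # TCP/UDP destination port; None means any service
    action: str                 # "accept" or "drop"


def audit_dmz_policy(rules: List[Rule],
                     allowed_dmz_to_internal: FrozenSet[int] = frozenset()) -> List[str]:
    """Return a list of findings; an empty list means the rule base follows the DMZ guidance."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        # The DMZ must not initiate connections into the internal network,
        # except for an explicitly whitelisted service.
        if (r.src.overlaps(DMZ) and r.dst.overlaps(INTERNAL)
                and r.service not in allowed_dmz_to_internal):
            findings.append(f"{r.name}: lets the DMZ initiate into the internal network")
        # Externally reachable servers belong in the DMZ; nothing from "any" may reach internal hosts.
        if r.src == ANY and r.dst.overlaps(INTERNAL):
            findings.append(f"{r.name}: exposes the internal network to any source")
    last = rules[-1] if rules else None
    if last is None or not (last.src == ANY and last.dst == ANY
                            and last.service is None and last.action == "drop"):
        findings.append("rule base does not end with an explicit cleanup drop rule")
    return findings


def example_findings(with_cleanup: bool = True) -> List[str]:
    """Constructed rule base: public web and mail servers on the DMZ, one whitelisted
    DMZ-to-internal lookup (assumed to be LDAP on port 389), and one backup rule that
    violates the guidance."""
    rules = [
        Rule("inbound web", ANY, DMZ, 80, "accept"),
        Rule("inbound mail", ANY, DMZ, 25, "accept"),
        Rule("dmz directory lookup", DMZ, INTERNAL, 389, "accept"),
        Rule("dmz backup", DMZ, INTERNAL, 445, "accept"),
        Rule("internal out", INTERNAL, ANY, None, "accept"),
    ]
    if with_cleanup:
        rules.append(Rule("cleanup", ANY, ANY, None, "drop"))
    return audit_dmz_policy(rules, allowed_dmz_to_internal=frozenset({389}))


if __name__ == "__main__":
    for finding in example_findings():
        print("FINDING:", finding)
    for finding in example_findings(with_cleanup=False):
        print("FINDING (no cleanup):", finding)
```

The checks use network overlap rather than equality on purpose: a rule whose source is a group or supernet that merely contains DMZ addresses still grants the DMZ the access, and a policy review that only looks for a literal DMZ object would miss it.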

Bridge Mode
Bridge mode allows for the placement of a Security Gateway without changing the existing IP routing.

A Security Gateway in Bridge mode operates as a firewall, inspecting traffic and dropping or blocking unauthorized or unsafe traffic. A Gateway in Bridge mode is invisible to all layer 3 traffic. When authorized traffic arrives at the Gateway, it is passed from one interface to another through a procedure known as bridging. Bridging creates a layer 2 relationship between two or more interfaces, where any traffic that enters one interface always exits the other. This way, the firewall can inspect and forward traffic without interfering with the original IP routing. Bridge mode is supported on the Check Point SecurePlatform operating system.

Figure 8 - Bridge Mode

Note: Currently, there is no support for NAT in Bridge mode.

Bridge Mode and STP

Bridge mode allows a transparent deployment of a Check Point Security Gateway. The figure illustrates how a Security Gateway in Bridge mode does not alter the IP routing of an existing network.

Security Policy Management

Check Point provides for security across the four most critical layers of network security: the network perimeter, the network core, the Web, and the endpoints. This unified security architecture centralizes Policy configuration, monitoring, logging, analysis and reporting within a single control center.

This centralized-management capability does not require command-line interaction on a device-by-device basis, which can save hours of time. One security architecture runs through one management console, and eliminates the need for separate management logins, servers, and reports.

All Check Point applications and devices are linked to the same system. This allows the Security Gateway to offer increased visibility for real-time detection of security problems and anomalies. With the appropriate license, an integrated IPS tab enables network Administrators to globally update Check Point Security Gateways, download updates, and apply defenses for new protocols, applications, and threats, without service interruptions.

A single application, SmartConsole, is used to provide all necessary elements to complete the unified approach.

SmartConsole Components
SmartConsole is comprised of several software modules including:
SmartDashboard
SmartEvent
SmartProvisioning
SmartReporter
SmartUpdate
SmartView Monitor
SmartView Tracker

SmartDashboard
SmartDashboard is a single, comprehensive user interface for defining and managing multiple elements of a Security Policy: Firewall security, IPSec VPN, Network Address Translation, IPS, SSL VPN, QoS, Anti-Spam and Mail, Data Loss Prevention, Anti-Virus and URL Filtering, and desktop security. The Check Point SmartDashboard allows you to define Security Policies and rules in terms of network objects. All such object definitions are shared among all applications for efficient Policy creation and security management.

Figure 9 - SmartDashboard

Tabs are available to define, configure or manage Check Point networks:

1. Firewall - Provides parameters useful to define the Rule Base for your network; here, you specify how connections are allowed or disallowed, authenticated and encrypted.

2. NAT (Network Address Translation) - Specifies how reserved internal IP addresses will be translated to valid, external IP addresses.

3. IPS (Intrusion Prevention System) - Gives an overview of various attacks and their corresponding mechanisms of protection; configures network security, Application Intelligence and Web Intelligence; and creates and assigns profiles for different Gateways.

4. Application Control - Configures application-specific rules with Access Roles.

5. Anti-Spam and Mail - Configures integrated anti-virus scanning, secure messaging and appropriate Web filtering parameters.

6. Mobile Access - Configures network access for users on mobile devices.

7. Data Loss Prevention (DLP) - In this window you can quickly see the status of machines and incidents, and access the windows for the most urgent or commonly used management actions.

8. Anti-Virus & URL Filtering - Automatic or manual updates of the Anti-Virus scanning and URL filtering database with the latest defense signatures from Check Point.

9. IPSec VPN - Used to manage VPN Communities.

10. QoS (Quality of Service) - Specifies the allocation of bandwidth resources among connections, maximizing throughput.

11. Desktop - Used to control access to desktops, both those within a local network and those connecting remotely.


SmartEvent
SmartEvent provides centralized, real-time event correlation of log data from Check Point perimeter, internal, and Web security gateways, as well as third-party security devices, automatically prioritizing security events for action. By automating the aggregation and correlation of raw log data, SmartEvent minimizes the amount of data that needs to be reviewed and collates and prioritizes security threats.

Figure 10 - SmartEvent

With SmartEvent, security teams no longer need to comb through the massive amount of data generated by the devices in their environment. Instead, they can focus on deploying resources on the threats that pose the greatest risk to their business.
SmartEvent is capable of managing millions of logs per day per correlation unit in large enterprise networks. Through its distributed architecture, SmartEvent can be installed on a single server but has the flexibility to spread processing load across multiple correlation units and reduce network load.


Centralized Event Correlation
SmartEvent provides centralized event correlation and management for all Check Point products such as Security Gateway, InterSpect, and Connectra, as well as third-party firewalls, routers and switches, intrusion detection systems, operating systems, applications and Web servers. Raw log data is collected via secure connections from Check Point and third-party devices by SmartEvent correlation units where it is centrally aggregated, normalized, correlated, and analyzed. Data reduction and correlation functions are performed at various layers, so only significant events are reported up the hierarchy for further analysis. Log data that exceeds the thresholds set in predefined event policies triggers security events. These events can be unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service attacks, network anomalies, and other host-based activity. Events are then further analyzed and severity levels assigned. Based on the severity level, an automatic reaction may be triggered at this point to stop the harmful activity immediately at the gateway. As new information flows in, severity levels can be adjusted to adapt to changing conditions.

Real-Time Threat Analysis and Protection
SmartEvent performs real-time event correlation based on pattern anomalies and previous data, as well as correlation based on predefined security events. Once installed on the network, SmartEvent has an intelligent, self-learning mode where it automatically learns the normal activity pattern for a given site and suggests policy changes to reduce false-alarm events. By weeding out irrelevant data and by correlating data between multiple devices, SmartEvent is able to zero in on threats that pose the greatest risk to the enterprise. SmartEvent is fully integrated with the Security Management server and can access all Check Point gateways and enforce automatic actions on these gateways against critical threats, for real-time, dynamic threat mitigation.

Intelligent Event Management
SmartEvent enables administrators to customize event thresholds, assign severity levels to event categories, and choose to ignore rules on specific servers and services, greatly reducing the number of false alarms. Administrators may perform event search queries, sorts and filters, as well as manage event status. With new information the open event may easily be closed or changed to a false alarm. Daily or weekly event reports can be distributed automatically for incident management and decision support, and any actions taken to resolve a threat are tracked using work tickets, allowing an administrator to keep a record of progress made using statuses and comments.


The SmartEvent Architecture
SmartEvent has several components that work together to help track down security threats and make your network more secure:
Correlation Unit - analyzes each log entry as it enters a Log server, looking for patterns according to the installed Event Policy. The logs contain data from both Check Point products and certain third-party devices. When a threat pattern is identified, the Correlation Unit forwards what is known as an event to the SmartEvent server.
SmartEvent server - receives events from a Correlation Unit, and assigns a severity level to the event, invokes any defined automatic reactions, and adds the event to the Events Database, which resides on the server. The severity level and automatic reaction are based on the Events Policy.
SmartEvent client - displays the received events, and is the place to manage events (such as filtering and closing events) and fine-tune and install the Events Policy.
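As an added illustration of the threshold-based correlation described in the Centralized Event Correlation section and in the Correlation Unit and SmartEvent server roles above (this is example code written for this manual section, not Check Point's SmartEvent implementation or its log format): a minimal correlation unit in Go that reads constructed, already-normalized log records, keeps a sliding window of distinct keys per source for each rule of an event policy, raises an event once the Medium threshold is crossed, upgrades it to High as the count grows, and attaches the automatic reaction that the policy ties to that severity. The rule names, thresholds, windows, reactions and the sample addresses are all assumptions chosen for the demo.

```go
package main

import (
	"fmt"
	"time"
)

// LogEntry is a normalized record as a Correlation Unit sees it (constructed fields, not a real Check Point log format).
type LogEntry struct {
	Time    time.Time
	Src     string
	Dst     string
	DstPort int
	Action  string // "accept", "drop" or "auth-fail"
}

// Rule is one Event Policy entry: which lines it applies to, what is counted per source, the window, the thresholds.
type Rule struct {
	Name             string
	Match            func(LogEntry) bool
	Key              func(LogEntry) string // distinct keys inside the window are counted
	Window           time.Duration
	MediumAt, HighAt int
}

// Event is what the Correlation Unit forwards to the SmartEvent server once a threshold is exceeded.
type Event struct {
	Name, Src, Severity, Reaction string
	Count                         int
}

var reactions = map[string]string{"High": "block source at gateway", "Medium": "alert administrator"} // assumed; no entry means "log only"

// Correlate replays logs (each source's entries in time order) and, per rule and source, counts the
// distinct keys inside the sliding window; an event is raised at Medium and upgraded as the count grows.
func Correlate(logs []LogEntry, policy []Rule) map[string]Event {
	seen := map[string]map[string]time.Time{} // rule|src -> key -> last time seen
	events := map[string]Event{}              // keyed "rule|src"
	for _, e := range logs {
		for _, r := range policy {
			if !r.Match(e) {
				continue
			}
			id := r.Name + "|" + e.Src
			if seen[id] == nil {
				seen[id] = map[string]time.Time{}
			}
			keys := seen[id]
			keys[r.Key(e)] = e.Time
			for k, t := range keys { // expire keys that fell out of the window
				if e.Time.Sub(t) > r.Window {
					delete(keys, k)
				}
			}
			severity := "Medium"
			if n := len(keys); n >= r.HighAt {
				severity = "High"
			} else if n < r.MediumAt {
				continue // below threshold: nothing is reported up the hierarchy
			}
			if cur, ok := events[id]; !ok || len(keys) > cur.Count {
				events[id] = Event{Name: r.Name, Src: e.Src, Severity: severity, Reaction: reactions[severity], Count: len(keys)}
			}
		}
	}
	return events
}

// DefaultPolicy is an assumed two-rule Event Policy: a port scan and password guessing.
var DefaultPolicy = []Rule{
	{Name: "Port scan", Window: time.Minute, MediumAt: 10, HighAt: 20,
		Match: func(e LogEntry) bool { return e.Action == "drop" },
		Key:   func(e LogEntry) string { return fmt.Sprintf("%s:%d", e.Dst, e.DstPort) }},
	{Name: "Password guessing", Window: 5 * time.Minute, MediumAt: 5, HighAt: 12,
		Match: func(e LogEntry) bool { return e.Action == "auth-fail" },
		Key:   func(e LogEntry) string { return e.Time.String() }}, // every attempt is its own key
}

// SampleLogs is constructed input: a password guesser, a client with a few drops below threshold, a scanner.
func SampleLogs() []LogEntry {
	base := time.Date(2010, 4, 21, 12, 0, 0, 0, time.UTC)
	var logs []LogEntry
	for i := 0; i < 6; i++ { // six failed logins over 75 seconds
		logs = append(logs, LogEntry{base.Add(time.Duration(15*i) * time.Second), "10.0.0.9", "192.168.1.20", 22, "auth-fail"})
	}
	for i, p := range []int{135, 139, 445} { // three drops, below the scan threshold
		logs = append(logs, LogEntry{base.Add(time.Duration(i) * time.Second), "10.0.0.7", "192.168.1.10", p, "drop"})
	}
	for p := 0; p < 25; p++ { // 25 distinct ports probed in 48 seconds
		logs = append(logs, LogEntry{base.Add(time.Duration(2*p) * time.Second), "10.0.0.5", "192.168.1.10", 1000 + p, "drop"})
	}
	return logs
}

func main() {
	fmt.Printf("%+v\n", Correlate(SampleLogs(), DefaultPolicy))
}
```

Run as-is, the scanner reaches 25 distinct ports inside one minute and is reported as High with the "block source at gateway" reaction, the password guesser stops at Medium with only an alert, and the client with three dropped packets never appears, which is the data reduction the text describes: only what crosses a policy threshold travels up the hierarchy.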

Figure 11 - SmartEvent Architecture

The SmartEvent components can be installed on a single machine (i.e., a standalone deployment), or spread out over multiple machines and sites (i.e., a distributed deployment) to handle higher volumes of logging activity.
SmartEvent and SmartReporter can be installed together on the same machine. In addition to generating Check Point reports, SmartReporter provides reporting services for SmartEvent.
SmartEvent Intro lets you open SmartDashboard from a specific event and manage the policy accordingly. SmartEvent Intro has two modes:
IPS mode - shows events from the IPS blade
DLP mode - shows events from the DLP blade
The mode is determined by the Software Blades activated and the licenses installed on the management server. If both IPS and DLP are installed and licensed, a message will ask you in which mode, IPS or DLP, you want to open SmartEvent.
SmartEvent uses filtered event views, called queries, to allow you to precisely define the types of events you want to view. Located in the Queries Tree, these queries filter and organize event data for display in the Events, Charts and Maps tabs. Queries are defined by filter properties and chart properties. Filter properties allow you to define what type of events to display and how they should be organized. Chart properties allow you to define how the filtered event data should be displayed in chart form.


SmartProvisioning
SmartProvisioning provides centralized administration and provisioning of Check Point security devices via a single management console.

Figure 12 - SmartProvisioning

Check Point SmartProvisioning enables you to manage thousands of Gateways from a single Security Management Server or Provider-1 CMA, with features to define, manage, and provision large-scale deployments of Check Point Gateways.
The SmartProvisioning management concept is based on profiles: a definitive set of Gateway properties and, when relevant, a Check Point Security Policy. Each profile may be assigned to multiple Gateways and defines most of the Gateway properties per profile object instead of per physical Gateway, reducing the administrative overhead.


SmartUpdate
SmartUpdate is used to manage and maintain a license repository, as well as to facilitate upgrading Check Point software. SmartUpdate is a component that distributes software applications and updates for Check Point and OPSEC certified products, and manages product licenses. SmartUpdate provides a centralized means to guarantee that Internet security throughout an enterprise network is always up-to-date.

Figure 13 - SmartUpdate

SmartView Monitor
Based on SMART technology, SmartView Monitor provides a single, central interface for monitoring network activity and performance of Check Point applications in real-time.
SmartView Monitor allows Administrators to easily configure and monitor different aspects of network activities. Graphical views can easily be viewed from an integrated, intuitive GUI.



SmartView Monitor is used to monitor and generate reports for traffic on different Check Point components. SmartView Monitor is a VPN performance-analysis solution that presents users with graphical views of end-to-end VPN tunnel-performance metrics, such as bandwidth, round-trip time, and packet loss. In addition, SmartView Monitor compares actual VPN performance to service-level agreements.

Figure 14 - SmartView Monitor


The following list describes the key features of SmartView Monitor and how it is employed:
1. Gateway Status - SmartView Monitor enables information about the status of all Gateways in the system to be collected from these Gateways. This information is gathered by the Security Management Server and can be viewed in an easy-to-use SmartConsole. The views can be customized, so that details about the Gateway(s) can be shown in a manner that best meets the Administrator's needs.
2. Traffic/System Counters - SmartView Monitor provides a solution for monitoring and analyzing network traffic and network usage. You can generate fully detailed or summarized graphs and charts for all connections when monitoring traffic, and for numerous rates and figures when counting usage throughout the network. The Traffic view also enables filtering according to categories (services, IP addresses, interfaces, security rules, etc.).


3. Tunnels - SmartView Monitor enables Administrators to monitor connectivity among Gateways. By showing real-time information about active tunnels (i.e., information about their state and activities, volume of traffic, which hosts are most active, etc.), Administrators can verify whether the tunnels are working properly and verify privacy, authentication and integrity.
4. Remote Users - The Remote User Monitor is an administrative feature allowing you to keep track of VPN remote users currently logged in (i.e., SecuRemote, SecureClient and SSL Network Extender, and in general any IPSec client connecting to the Gateway). It provides you with a comprehensive set of filters, which enables you to easily navigate through the obtained results.
5. Cooperative Enforcement - This is a feature that works in conjunction with the Integrity Server. This feature utilizes the Integrity Server compliance capability to verify connections arriving from the various hosts across the internal network. The Security Gateway generates logs for unauthorized hosts. The logs generated for both authorized and unauthorized hosts can be viewed.


SmartView Tracker
SmartView Tracker is used for managing and tracking logs and alerts. It provides real-time, historical and visual tracking, monitoring, and accounting information for all logged connections. Additionally, SmartView Tracker logs administrator actions, such as changes to object definitions or rules, which can dramatically reduce the time needed to troubleshoot configuration errors. Security Administrators can filter or perform searches on log records, to quickly locate and track events of interest. In the case of an attack or otherwise suspicious network activity, Security Administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.

Figure 15 - SmartView Tracker

1. Network & Endpoint tab - displays entries for security-related events for different Check Point products, as well as Check Point's OPSEC partners.
2. Active tab - shows active connections in the SmartView Tracker, i.e., connections currently open through any Security Gateway components logging to the currently active log file.
3. Management tab - tracks changes made to objects in the Rule Base, as well as general SmartDashboard use.


Security Management Server
The Security Management Server is used by the Administrator to manage the Security Policy. The organization's databases and Security Policies are stored on the Security Management Server and downloaded to the Gateway(s). The Security Management Server also maintains the Security Gateway databases, including object definitions, Security Policies, and log files for all Gateways. Policies are defined using SmartDashboard, and saved on the Security Management Server. To make the most of Check Point products and to best use their capabilities and features, it is helpful to review some basic concepts and components.

Managing Users in SmartDashboard
Your network can be accessed and managed by multiple users and administrators. A secure network is efficiently managed by centrally controlled user and administrator accounts. SmartDashboard manages users, administrators and their groups as Objects using the standard object administration tools; i.e., the Objects Tree pane and the Users and Administrators window.

Figure 16 - Objects Tree and the Users and Administrators

The user's definition includes access permissions to and from specific machines at specific times of the day. The user definition can be used in the Rule Base's Authentication Rules and in Remote Access VPN.
SmartDashboard further facilitates user management by allowing you to define user and administrator templates. Templates serve as prototypes of standard user account properties that are common to many users. Any user you create based on a template inherits all of the template's properties, including membership in groups.

Users Database
The users defined in SmartDashboard (as well as their authentication schemes and encryption keys) are saved to the proprietary Check Point Internal Users Database on the Security Management Server.
The Users Database is automatically downloaded to Check Point hosts with installed Management Software Blades as part of the Policy installation process. Alternatively, you can manually install the Users Database by selecting Policy > Install Database... from the menu. Security Gateways that do not include a Management Software Blade do not receive the Users Database.

Creating Administrators in SmartDashboard
SmartDashboard allows you to manage a variety of administrator types:
Administrators - Log in to Check Point SmartConsole (i.e., SmartDashboard, SmartUpdate, etc.) with either Read Only or Read/Write permissions, to view or manage (respectively) the network's various databases and policies.
Administrator Groups - Consist of administrators and administrator sub-groups. Administrator groups are used to specify which administrators have permissions to install Policies on a specific Gateway.


To create administrator accounts or groups in SmartDashboard, you select Manage > Users and Administrators from the main menu. In the Users and Administrators window, select New, and from the drop-down menu, make your selection.

Figure 17 - Users and Administrators

Administrator accounts must be configured using a permission profile. A permission profile is a permission ID card which is assigned to administrators or administrator groups. The name of the permission profile should be significant. For instance, the permission profile called ReadOnlyProfile will be applied to administrators with Read Only permissions.
Generally, different administrator types are set up using Permission Profiles, and a single cpconfig administrator account is locked away in a safe place.


Securing Channels of Communication
The Security Management Server must be able to communicate with all components and partner-OPSEC applications that it manages, even though they may be installed on different machines. The interaction must take place to ensure that the components receive all necessary information from the Security Management Server (such as the Security Policy). While information must be allowed to pass freely, it also has to pass securely. This means that:
The communication must be encrypted so that an impostor cannot send, receive or intercept communication meant for someone else.
The communication must be authenticated; there can be no doubt as to the identity of the communicating peers.
The transmitted communication should have data integrity; that is, the communication must not be altered or distorted in any form.
The SIC setup process allowing the intercommunication to take place must be user-friendly.
If these criteria are met, secure channels of communication between intercommunicating components of the system can be set up and enforced, to protect the free and secure flow of information.

Secure Internal Communications
Secure Internal Communications (SIC) is the Check Point feature that ensures components, such as Security Gateways, Security Management Servers, etc., can communicate freely and securely using a simple communication-initialization process.
The following security measures are taken to ensure the safety of SIC:
Certificates for authentication
Standards-based SSL for the creation of the secure channel
3DES for encryption


The Internal Certificate Authority (ICA)
The Internal Certificate Authority (ICA) is created during the Security Management Server installation process. It is responsible for issuing Certificates for:
SIC - Certificates issued for the Security Management Server, its components, OPSEC components, and product Administrators, to enable secure communication for all Check Point-related operations (such as Policy installation on components, logging, SmartConsole-Security Management Server connectivity, etc.)
Virtual Private Network (VPN) Certificates for gateways - To enable efficient and seamless strong authentication in VPN tunnel creation.
Users - To enable strong authentication between remote-access users and Gateways, as well as other features, such as clientless VPN.

ICA Clients
ICA operations are performed using the following clients:
Check Point configuration tool or cpconfig on the command line. Using this tool, the ICA is created and a SIC Certificate is issued for the Security Management Server.
SmartDashboard. This SmartConsole is used to manage:
The Certificate Revocation List (CRL).
SIC Certificates for the various components, as well as for Administrators.
VPN Certificates.
User Certificates managed in the internal database.


ICA management tool. This tool is used to manage VPN Certificates for users that are either managed on the internal database or on an LDAP server, and to perform ICA management operations. The ICA generates audit logs when ICA operations are performed. These logs can be viewed in the SmartView Tracker Management tab.


SIC Between Security Management Servers and Components


The following is an example of the SIC process:
Figure 18 - SIC Among Security Management Servers and Components

The graphic illustrates the SIC process in a distributed environment:
1. The ICA creates a Certificate for the Security Management Server during the Security Management Server installation. The ICA is created automatically during the installation procedure.
2. Certificates for the Security Gateways, and any other communicating components, are created via a simple initialization from the SmartConsole. Upon initialization, the ICA creates, signs, and delivers a Certificate to the communication component. Every component can then verify the Certificate for authenticity.
Communication between a Security Management Server and its components depends on a Security Policy specified in a Policy file on each machine. Communication using Certificates will take place, provided that the communicating components are of the appropriate version, and agree on the authentication and encryption methods. The Security Management Server and its components are identified by their SIC name, also known as the Distinguished Name.
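The certificate model behind steps 1 and 2, as an added example built on standard X.509 with Go's crypto/x509 package; it is not Check Point's SIC code and makes no claim about SIC's actual certificate profile, cipher choices or wire format. One self-signed root stands in for the ICA, it issues a certificate whose subject Common Name carries the component's SIC name, and a peer accepts a presented certificate only if it chains to that root and names the expected component. The ICA name, the gateway name and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a one-day certificate template whose subject Common Name
// carries the component's SIC name (constructed organization name).
func certTemplate(sicName string, serial int64, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: sicName, Organization: []string{"example-mgmt"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	return tmpl
}

// NewICA creates the self-signed root that stands in for the Internal
// Certificate Authority created at Security Management Server installation.
func NewICA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(name, 1, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueComponentCert is the initialization step: the ICA creates, signs and
// delivers a certificate for a component (here a gateway) named by its SIC name.
func IssueComponentCert(ica *x509.Certificate, icaKey *ecdsa.PrivateKey, sicName string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, certTemplate(sicName, serial, false), ica, &key.PublicKey, icaKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyPeer is what a component does before trusting a peer: the presented
// certificate must chain to the trusted ICA and carry the expected SIC name.
func VerifyPeer(ica *x509.Certificate, peer *x509.Certificate, expectedSICName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ica)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by the trusted ICA: %w", err)
	}
	if peer.Subject.CommonName != expectedSICName {
		return fmt.Errorf("SIC name mismatch: certificate says %q, expected %q", peer.Subject.CommonName, expectedSICName)
	}
	return nil
}

func main() {
	ica, icaKey, err := NewICA("ica-mgmt-server")
	if err != nil {
		panic(err)
	}
	gw, err := IssueComponentCert(ica, icaKey, "gw-branch-1", 2)
	if err != nil {
		panic(err)
	}
	fmt.Println("gateway cert issued by ICA:", VerifyPeer(ica, gw, "gw-branch-1"))
	// A second, untrusted CA (constructed for the demo) issues a certificate
	// with the same SIC name; the management side must still reject it.
	rogue, rogueKey, _ := NewICA("someone-elses-ca")
	forged, _ := IssueComponentCert(rogue, rogueKey, "gw-branch-1", 3)
	fmt.Println("cert from untrusted CA:", VerifyPeer(ica, forged, "gw-branch-1"))
}
```

The second check in VerifyPeer is what ties "verify the Certificate for authenticity" to identity: a certificate that is validly signed but carries another SIC name is rejected, and so is one signed by any CA other than the trusted ICA, as the second half of main shows.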


Administrative Login Using SIC
The login process, in which Administrators connect to the Security Management Server, is common to all Check Point SmartConsole components (SmartDashboard, SmartUpdate, etc.). This process consists of a bidirectional operation, in which the Administrator and the Security Management Server authenticate each other and create a secure channel of communication between them using SIC. Once both the Administrator and the Security Management Server have been successfully authenticated, Security Management launches the selected SmartConsole.


Practice and Review

Practice Labs
Lab 1: Distributed Installation
Lab 2: Branch Office Security Gateway Installation

Review
1. What is the strength of Check Point's Stateful Inspection technology?
2. What are the advantages of Check Point's Secure Management Architecture (SMART)? In what way does it benefit an enterprise network and its administrators?
3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?

CHAPTER 2

Deployment Platforms


Deployment Platforms
Before delving into the intricacies of creating and managing Security Policies, it is beneficial to know about Check Point's different deployment platforms, and understand the basic workings of Check Point's UNIX-based and Linux operating systems (IPSO and SecurePlatform) that support many Check Point products. For those familiar with Linux and UNIX this section will be a review. But for those with little to no Linux/UNIX experience, this will be a welcome guide.

Learning Objectives:
Given network specifications, perform a backup and restore the current Gateway installation from the command line.
Identify critical files needed to purge or back up, import and export users and groups and add or delete administrators from the command line.
Deploy Gateways using sysconfig and cpconfig from the Gateway command line.

UTM-1 Edge Appliance


UTM-1 Edge is a series of appliances offered by Check Point that provides affordable security and VPN solutions that are easy to configure and simple to manage, for securing enterprise remote sites and VPN deployments. UTM-1 Edge appliances support SMART management and can be used with any Security Gateway.
UTM-1 Edge appliances are available in different series:
The X-series - for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multi-ISPs and automatic recovery.
The W-series - provides secure wireless connectivity for remote sites, branch offices, and partner sites by integrating a secure wireless access point with Check Point technology, high availability support, and a simple Web-based setup.

Other supported appliances:
- Nokia IP30, IP40, IP45, IP60, IP60W
- NEC SecureBlade, SecureBlade 300


Smart-1 Edge - Security Management Server
Security Management server is considered the standard UTM-1 Edge management solution and is often used in conjunction with SmartProvisioning. Security Management server is useful for organizations with branch offices who are looking for affordable alternatives and basic security and VPN solutions for each branch office. UTM-1 Edge appliances are represented by an object which is created and managed in SmartDashboard called the UTM-1 Edge gateway.

Figure 19 - Check Point Appliances

SmartProvisioning
SmartProvisioning is an extension of Security Management providing administrators with an effective means of provisioning and managing thousands of SmartLSM Security Gateways. UTM-1 Edge Profiles and Profile policies are defined in SmartDashboard. SmartLSM Security Gateways are provisioned and managed via the SmartProvisioning console application. For more information, see the Check Point Security Expert (CCSE) course.


Managing UTM-1 Edge - Provider-1
Multi Domain Management (Provider-1) is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized, customer domains. UTM-1 Edge appliances are integrated transparently with this management solution. The management capabilities of a Multi Domain Management CMA (Customer Management Add-On) are equivalent to those of the Security Management Gateway, including the SmartProvisioning extension. Global VPN Communities are currently not supported for UTM-1 Edge appliances. For more information, see the Check Point Multi Domain Management course.

Power-1 Appliances
The family of Power-1 appliances enables organizations to maximize security in high-performance environments such as large campuses or data centers. Utilizing multi-core technologies, Power-1 delivers a high-performance security platform capable of blocking application layer threats. Even as new threats appear, Power-1 appliances maintain or increase performance while protecting the network against attacks.

Figure 20 - Provider-1 Appliance Deployment

Power-1 supports the Check Point Software Blade architecture, providing independent, modular and centrally managed security building blocks. Software blades can be quickly enabled and configured into a solution based on emerging security needs. The following software blades are included in Power-1:
Firewall - Proven, enterprise-class firewall.
IPSec VPN - Encrypted secure connectivity to corporate networks, remote users, branch offices and business partners.
IPS - High performance integrated IPS solution with extensive threat coverage.
Acceleration & Clustering - SecureXL and ClusterXL technologies provide inspection acceleration, high availability and load sharing.
Advanced Networking - Dynamic routing, multicast support and Quality of Service for data center reliability levels.

IP Appliance
The IP Security Platforms combine market-leading security software and world-class IP routing, to provide high-performance network security solutions. This appliance family is built for rapid deployment. Key advantages of the IP security solutions are presented in this section.
Factory installed - key integrated applications, turn-key and ready to be deployed on site.
Easily serviced - On site replacement parts, serviceable in the rack.
Remote-network management - browser-based management tool.
Centralized management - with Check Point's Security Gateway or Provider-1.
World-class routing functionality - comprehensive IP routing and control protocols available.
High availability - VRRP is standard, enabling load sharing and active redundancy.
Nokia IP clustering - adds Active Session Failover and Dynamic Load Balancing.

Figure 21 - IP Appliance Deployment


There are two ways of managing IP appliances. You can use the command line interface (CLI) or a Web-based user interface (WebUI). IPSO runs the CLI and IP Network Voyager runs the WebUI.


IP Network Voyager
IP Network Voyager, a Web-based application, runs on a remote computer as a client application. Voyager communicates with routing software, to configure interface hardware, set routing protocols and routing policies, and monitor routing traffic and protocol performance. Voyager:
Is the primary configuration interface to IPSO.
Is an SSL-enabled, Web-based configuration and monitoring tool.
Comes packaged with the hardened IPSO operating system software.
Displays configuration parameters, status and event logs.
Permits the ability to set routing protocols, applications, and QoS rules enabled or disabled.
Uses hardened IPSO operating-system software.
Is a dynamic GUI, with point-and-click access.


Once the IP Appliance is set up and configured, it is managed via the Voyager GUI interface. You simply open an Internet browser and log in to Voyager, using the authentication screen to log in. Upon successful authentication, you will be presented with the Nokia Network Voyager home page.
The IP Voyager home page displays the name of the Appliance, model number of the device, software release and version, serial number, uptime, and memory. A title bar will always be made available across the top, a configuration tree on the left, and buttons for saving and other actions across the bottom.

Navigating within Voyager
Access all the features from the navigation tree
"Expand Tree" to view all the features at a glance
Navigation frame width is adjustable
The current feature is highlighted

Configuring Voyager
After the initial configuration of the IP Appliance using IPSO is done, you can complete the IPSO configuration using Voyager.
After configuring IPSO, you will be able to:
Navigate within Voyager
Set the time
Configure the interface, routes, and hosts
Install and manage multiple images
Configure Audit logs


IPSO
IPSO started as a bare-bones operating system, beginning with a base kernel with
no extraneous services. The kernel is a FreeBSD derivative, meaning that IPSO
is a UNIX-based operating system. The kernel itself is optimized for switching
packets. In fact, it can also be deployed as a router only.
IPSO is still an operating system, so it can run applications compiled for it, such
as the Check Point suite of products.
Figure 22 - IPSO (console boot messages of an IP390 appliance: kernel and
driver initialization, generation of the IPSO configuration files, and the login
prompt with the banner "This system is for authorized use only")
The key strengths of the IPSO operating system are:

Removal of unnecessary features and services to minimize the need for UNIX
system administration, and to harden and secure the OS.

Availability of a unique operating-system kernel that is optimized, security
hardened, IP-networking enabled, and cluster-able.

Wide array of routing protocols and capabilities to harden network security.

Check Point's firewall functionality.

Clustering to ensure high availability and load balancing.

Comprehensive interoperability with Network Management Systems (NMS)
for secure, centralized, and scalable monitoring through SNMP, for support of
third-party monitoring systems.


IPSO Command Line Interface (CLI)

The Command Line Interface (CLI), also known as the Command Line Interface
Shell (CLISH) in IPSO, enables you to perform all management functions using
an intuitive text-based command line that can also be accessed from the IP
Network Voyager web interface. Besides interactive use, the CLI can execute
commands embedded in script files.
The features of the CLI include command recall, command-line editing, automatic
command completion, and full context-sensitive help. The internal language used
in the CLI is built around a simple set of commands, such as set, show, add, and
delete.

Figure 23 - IPSO (CLI login as admin on an IP390 running IPSO 6.2, followed by
a routing-table listing: the route-code legend and the directly connected routes
on eth1c0 and loop0c0)
To use the CLI:
Log on to the platform using a command-line connection (SSH, console, or
telnet) over a TCP/IP network as an admin, cadmin, or monitor user. (Telnet
sends the password in cleartext; prefer SSH or the console.)
If you log in as a cadmin (cluster administrator) user, you can change and view
configuration settings on all the cluster nodes.



If you log in as a monitor user, you can execute only the show form of
commands. That is, you can view configuration settings, but you cannot change
them.

With CLISH, you can configure any part of IPSO.

CLISH is the new default shell for all users except admin.

Auditing and configuration locking are cooperative with Voyager.

CLISH is designed to look more like a typical network appliance and less like
UNIX.

If you have permission, you can run UNIX commands, including sh.

A complete IPSO Command Line Reference Guide is available for download
from the Check Point web site, under Support.



SecurePlatform
With limited IT personnel and budget, organizations must often choose between
the simplicity of pre-installed security appliances or the flexibility of open
servers.
Check Point SecurePlatform combines the simplicity and built-in security of an
appliance with the flexibility of an open server by enabling you to turn an
Intel- or AMD-based open server into a pre-hardened security appliance in less
than 5 minutes.

Figure 24 - SecurePlatform

SecurePlatform Pro builds on SecurePlatform by adding dynamic routing support
for both unicast and multicast protocols as well as centralized administrator
management through RADIUS. By integrating dynamic routing support,
SecurePlatform Pro makes it easier for administrators to deploy security in a
complex environment and secure complex multicast protocols.
Check Point SecurePlatform is distributed on a bootable CD-ROM, which
includes Check Point's product suite comprised of the Security Gateway, Check
Point QoS, SmartView Monitor, Policy Server, and UserAuthority Server. The
system is preconfigured and optimized as a network-security device, requiring
only minimal user configuration of IP addresses, routes, etc. SecurePlatform
allows easy configuration of your computer and networking aspects, along with
installed Check Point products. The Linux shell provides a convenient set of
commands, including network settings, backup-and-restore utilities, an upgrade
utility, and system-log viewing. A WebUI enables most of the administration
configuration, as well as the first-time installation setup, to be performed from an
easy-to-use Web interface.

Hardware Compatibility Testing Tool

Check Point's Hardware Compatibility Testing Tool enables you to determine
whether SecurePlatform is supported on a specific hardware platform.


For details regarding SecurePlatform on specific hardware platforms, see:

http://www.checkpoint.com/services/techsupport/hcl/

Managing Your SecurePlatform System

The SecurePlatform Command Shell includes two permission levels: Standard and
Expert Modes.
Standard Mode - This is the default mode when logging into a SecurePlatform
system. In Standard Mode, the SecurePlatform Command Shell provides a set of
commands required for easy configuration and routine administration of a
SecurePlatform system. Most system commands are not supported in this mode.
Standard Mode displays the following prompt: [hostname]#, where hostname is
the hostname of the machine.
Expert Mode - provides the user with root permissions and a full system shell.
Switching from Standard to Expert Mode requires a password. The first time you
switch to Expert Mode, you will be asked to select a password. Until then, the
expert password is the same as the one that you set for Standard Mode: the first
replacement password that you entered when logging in as the Administrator.
Subsequent changes to the administrative password do not update the expert
password; it is set independently at the first-time expert-user password change.
To exit Expert Mode, run the command exit.
Expert Mode displays the following prompt: [Expert@hostname]#, where
hostname is the hostname of the machine.
An Expert Mode user must first log in as a Standard Mode user, and only then
enter the expert command to access Expert Mode.
A complete SecurePlatform Command Line Reference Guide is available for
download from the Check Point web site, under Support.


Critical Check Point Directories

When upgrading a Check Point installation, it is important to be aware of critical
directories, for back-up and restore purposes:

$FWDIR/conf - This directory contains Rule Bases, objects, and the
user database.

$FWDIR/bin - The import and export tools are located under
$FWDIR/bin/upgrade_tools.


Log Files

The logs are displayed in SmartView Tracker. These should be logswitched
regularly. The time between logswitches will depend on how many rules are
logging, the type of logging, and the amount of traffic passing through the
Security Gateway. The logswitch can be configured to perform on a set schedule,
using time objects. This is completed through the SmartCenter Server and log
server's General Properties.
$FWDIR/log contains log files such as ahttpd.log, aftpd.log, and asmtpd.log.
These files contain information about each Security Server. $FWDIR/log can
get large quickly, depending upon the amount of network traffic passing through
the Security Gateway.


The objects_5_0.C file includes a section of properties whose values affect
behavior. In addition, network objects, server objects, service objects, time
objects, and other miscellaneous data also exist in this file. objects_5_0.C is
modified when global and local properties are changed, or when the DbEdit
utility is used. objects_5_0.C is used only by the SmartCenter Server.
The objects_5_0.C file is used to create the objects.C file, which is passed to the
Security Gateway and contains information required for the Gateway's operation.
These files are located in the $FWDIR/conf/ directory. objects.C is created
when a Security Policy is installed on the Security Gateway. objects.C is then
sent to the Gateway, along with the new Policy.

The rulebases_5_0.fws file is located in $FWDIR/conf. This file contains
rules and auditing information about modifications made to the Rule Base.
Unlike objects.C, rulebases_5_0.fws does not appear on the Security Gateway
in a distributed environment. All created Rule Bases may be extracted from
rulebases_5_0.fws: select a Rule Base, then install the Security Policy on the
Security Gateways. rulebases_5_0.fws is not modified manually, but is
manipulated through SmartDashboard.
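The objects_5_0.C and objects.C files described above are written in Check Point's text object-database syntax: nested parentheses, attributes introduced by a colon, and unnamed list members introduced by a bare colon. The parser below is an added example, not Check Point code, for reading such a file offline (for instance, a copy of $FWDIR/conf taken for backup) and listing the network objects with their addresses. The input is a constructed excerpt in that syntax; every object name, address and property in it is invented.

```python
"""Parse a Check Point objects.C-style file and list its network objects.

Added example (not Check Point code). SAMPLE is a constructed excerpt in the
objects.C syntax; object names, addresses and property values are invented.
"""
import re

SAMPLE = r"""
(
    :globals (ReferenceObject
        :fw_allow_simultaneous_ping (true)
        :fw_accept_control_connections (true)
    )
    :network_objects (network_objects
        : (Corporate-GW
            :type (gateway)
            :ipaddr (10.1.1.1)
            :color (black)
        )
        : (Web-Server
            :type (host)
            :ipaddr (192.168.1.10)
            :comments ("public web server")
        )
        : (Corporate-LAN
            :type (network)
            :ipaddr (192.168.1.0)
            :netmask (255.255.255.0)
        )
    )
)
"""

# One token per match: '(' , ')', ':key' (a bare ':' marks an unnamed list
# member), a double-quoted string, or a bare word such as an IP address.
TOKEN = re.compile(r'\s*(?:(\()|(\))|(:[A-Za-z0-9_\-]*)|("(?:[^"\\]|\\.)*")|([^\s()":]+))')


def tokenize(text):
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            if text[pos:].strip():            # not just trailing whitespace
                raise ValueError("unexpected input at offset %d" % pos)
            break
        pos = m.end()
        lparen, rparen, key, quoted, bare = m.groups()
        if lparen:
            yield "("
        elif rparen:
            yield ")"
        elif key is not None:
            yield key
        elif quoted is not None:
            yield quoted[1:-1]                # strip the surrounding quotes
        else:
            yield bare


class Parser:
    def __init__(self, text):
        self.toks = list(tokenize(text))
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next(self):
        t = self.peek()
        if t is None:
            raise ValueError("unexpected end of input")
        self.i += 1
        return t

    def parse_node(self):
        """Parse '( [name] {:attr node}* )'.

        A leaf such as (10.1.1.1) is returned as the plain string; anything
        with attributes becomes a dict with optional '_name', one key per
        attribute, and unnamed ': (...)' members collected under '_items'.
        """
        if self.next() != "(":
            raise ValueError("expected '('")
        node = {}
        t = self.peek()
        if t is not None and t != ")" and not t.startswith(":"):
            node["_name"] = self.next()
        while self.peek() != ")":
            key = self.next()
            if not key.startswith(":"):
                raise ValueError("expected attribute, got %r" % key)
            value = self.parse_node()
            if key == ":":
                node.setdefault("_items", []).append(value)
            else:
                node[key[1:]] = value
        self.next()                           # consume ')'
        if set(node) == {"_name"}:
            return node["_name"]
        return node

    def parse(self):
        root = self.parse_node()
        if self.peek() is not None:
            raise ValueError("trailing input after top-level object")
        return root


def network_objects(text):
    """Return {name: {attribute: value}} for every entry under network_objects."""
    root = Parser(text).parse()
    out = {}
    for obj in root.get("network_objects", {}).get("_items", []):
        out[obj["_name"]] = {k: v for k, v in obj.items() if k != "_name"}
    return out


if __name__ == "__main__":
    for name, attrs in network_objects(SAMPLE).items():
        print("%-14s %-8s %s" % (name, attrs.get("type"), attrs.get("ipaddr")))
```

Run against a real $FWDIR/conf/objects_5_0.C this listing is a quick way to diff the object database between two backups or between the management server and the objects.C shipped to a gateway.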

fwauth.NDB
The fwauth.NDB database file contains all users and groups. It is located in both
the $FWDIR/conf and $FWDIR/database directories. File modification is
performed through SmartDashboard user administration.

CoreXL: Multicore Acceleration

As the first security technology to fully leverage general-purpose multi-core
processors, CoreXL introduces advanced core-level load balancing that increases
throughput for the deep inspection required to achieve intrusion prevention and
high throughput on the firewall. With CoreXL, high performance and high
security can be achieved simultaneously.
In a CoreXL gateway, the firewall kernel is replicated multiple times. Each
replicated copy, or instance, of the firewall kernel runs on one processing core.
The instances handle traffic concurrently, and each instance is a complete and
independent inspection kernel. All of the kernel instances of a gateway handle
traffic going through the usual gateway interfaces and apply the same gateway
Security Policy.


No changes to Security Policies are necessary for a CoreXL implementation, but
CoreXL is not supported in standalone gateway deployments.
CoreXL is configured and monitored via the command line, using a set of
commands in expert mode. More advanced implementations of these commands
will be covered in the CCSE R75 course.

CoreXL: Architecture

CoreXL is supported with VPN-1 NGX R65 and later versions of Security
Gateway. When running CoreXL on four or more processing cores, the number
of kernel instances in the CoreXL post-setup (default) configuration is one less
than the number of processing cores (n-1). The remaining core is designated as
the Secure Network Dispatcher (SND), described below. The instances are
numbered from 0 to n-2. CoreXL is designed for a maximum of eight processing
cores. If your platform has more than that, the number of kernel instances will
still be set to only seven.
When running CoreXL on two processing cores, the number of kernel instances
in the CoreXL default configuration will be set to two and will be numbered 0
and 1.

Figure 25 - Architecture (N processing cores: the SND on Core 0, and VPN-1
kernel instances 0 to n-2 on Cores 1 to n-1)


The cores in a multi-core machine assume several roles, including:

Secure Network Dispatcher (SND)

The SND is responsible for processing traffic from the network interfaces
through either the accelerated path or the non-accelerated paths. These paths
distribute packets among kernel instances for IPS, DLP (Data Loss Prevention),
and Firewall inspection.
Traffic entering network interface cards (NICs) is directed to a particular
processing core, and this association is referred to as the affinity with that
core.

Daemon
A daemon is a computer program (i.e., process) that runs in the background,
and doesn't rely on direct user control. In CoreXL, the firewall daemon (fwd)
and other daemons can be configured to run on a dedicated core.
It is not recommended to share a core between the SND and an instance
unless the machine is limited to two cores, or if you know that most of the
packets are processed in the accelerated path (i.e., Performance Pack, to be
fully discussed in CCSE R71). In the latter case, it is likely the instances are
not receiving significant work and sharing cores becomes appropriate.

CoreXL and Performance Pack

CoreXL can run with or without Performance Pack. Performance Pack's
effect on performance in a CoreXL gateway can vary according to the nature
of the traffic passing through the gateway. If most of the traffic is accelerated
by Performance Pack, you should have Performance Pack running.
Once Performance Pack is installed, you can enable or disable Performance
Pack by using the cpconfig utility, and selecting Enable / Disable Check Point
SecureXL.
For more details regarding Performance Pack, see the Performance Pack
Administration Guide Version R75 from the Check Point Website, or take the
CCSE R75 course for instruction and lab exercises.


Working with CoreXL

CoreXL is configured via expert mode from the command line on the gateway,
and can be monitored via SmartView Monitor (see chapter, Monitoring Traffic
and Connections). The commands that are key to working with CoreXL are fw ctl
affinity, fw ctl multik stat and, when Performance Pack is implemented, sim
affinity.

Figure 26 - CoreXL

fw ctl affinity - This command is used to set and view the affinities of
interfaces, daemons and firewall instances. To set affinities, type fw ctl
affinity -s. To list existing affinities, type fw ctl affinity -l.
However, the settings are not persistent through a restart of the security gateway.
To make the settings persistent, you must edit the fwaffinity.conf configuration
file.
To list complete affinity information for all Check Point daemons, kernel
instances and interfaces, including items without specific affinities, and with
additional information, run: fw ctl affinity -l -a -v.
fw ctl multik stat - This command displays information for each kernel
instance. The state and processing core number of each instance is displayed,
along with the number of connections currently being handled, and the peak
number of concurrent connections the instance has handled since its inception.


sim affinity - When Performance Pack is running, the sim affinity
command controls Performance Pack driver features and applies only to
SecurePlatform. Affinity is a general term for binding NIC interrupts to
processors. By default, SecurePlatform does not set affinity for the NIC
interrupts, which means that each NIC is handled by all processors. Optimal
network performance is obtained when each NIC is individually bound to a
single processor.

sim affinity -a sets affinity automatically by analyzing the load on each
NIC.

sim affinity -s allows you to manually specify the affinity settings.

sim affinity -l lists the current settings.

You should use sim affinity to set affinities only if Performance Pack is
running. These settings will be persistent. If Performance Pack's sim affinity is
set to Automatic mode (even if Performance Pack was subsequently disabled),
you will not be able to set interface affinities by using fw ctl affinity -s.
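The rules of thumb in the CoreXL sections above (n-1 instances capped at seven, two instances on a two-core box, and no core shared between the SND and a kernel instance unless the box has only two cores) can be checked mechanically against the output of fw ctl affinity -l -a and fw ctl multik stat. The following audit script is an added example, not Check Point code. Both text blocks inside it are constructed to resemble R75 output on a four-core gateway; the exact column layout of a given release may differ, so the regular expressions are deliberately tolerant and the interface-name prefixes are an assumption.

```python
"""Audit CoreXL core assignments from fw ctl output.

Added example, not Check Point code. AFFINITY_OUTPUT and MULTIK_OUTPUT are
constructed to resemble 'fw ctl affinity -l -a' and 'fw ctl multik stat' on a
four-core R75 gateway; real output may be laid out slightly differently.
"""
import re

AFFINITY_OUTPUT = """\
eth0: CPU 0
eth1: CPU 0
eth2: CPU 1
fw_0: CPU 3
fw_1: CPU 2
fw_2: CPU 1
fwd: CPU 1 2 3
cpd: CPU 1 2 3
"""

MULTIK_OUTPUT = """\
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |        1534 |     4890
 1 | Yes     | 2      |        1498 |     4712
 2 | Yes     | 1      |          12 |       55
"""

AFF_LINE = re.compile(r"^(\S+):\s*CPU\s+((?:\d+\s*)+|all)\s*$", re.I)
STAT_LINE = re.compile(r"^\s*(\d+)\s*\|\s*(\w+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)")
# Assumed interface-name prefixes; extend for your platform's naming.
IFACE_NAME = re.compile(r"^(eth|bond|Mgmt|em|ens)")


def default_instances(cores):
    """Number of kernel instances CoreXL creates by default for `cores` cores."""
    if cores <= 0:
        raise ValueError("core count must be positive")
    if cores <= 2:
        return cores            # two cores: two instances, numbered 0 and 1
    return min(cores - 1, 7)    # n-1, never more than seven


def parse_affinity(text):
    """Map interface / fw_N instance / daemon name -> set of CPUs (None = all)."""
    out = {}
    for line in text.splitlines():
        m = AFF_LINE.match(line.strip())
        if m:
            cpus = m.group(2)
            out[m.group(1)] = None if cpus.lower() == "all" else {int(c) for c in cpus.split()}
    return out


def parse_multik(text):
    """Map instance id -> (active, cpu, connections, peak)."""
    out = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            ident, active, cpu, conns, peak = m.groups()
            out[int(ident)] = (active.lower() == "yes", int(cpu), int(conns), int(peak))
    return out


def shared_snd_cores(affinity):
    """Cores that carry both interface (SND) work and a kernel instance."""
    if_cores, inst_cores = set(), set()
    for name, cpus in affinity.items():
        if cpus is None:
            continue
        if name.startswith("fw_"):
            inst_cores |= cpus
        elif IFACE_NAME.match(name):
            if_cores |= cpus
    return sorted(if_cores & inst_cores)


def audit(affinity_text, multik_text, cores):
    """Return a list of findings; an empty list means the layout follows the guidance."""
    aff = parse_affinity(affinity_text)
    stat = parse_multik(multik_text)
    findings = []
    expected = default_instances(cores)
    if len(stat) != expected:
        findings.append("expected %d kernel instances for %d cores, found %d"
                        % (expected, cores, len(stat)))
    for ident, (active, cpu, _conns, _peak) in sorted(stat.items()):
        if not active:
            findings.append("instance %d is not active" % ident)
        bound = aff.get("fw_%d" % ident)
        if bound is not None and cpu not in bound:
            findings.append("instance %d runs on CPU %d but affinity lists %s"
                            % (ident, cpu, sorted(bound)))
    shared = shared_snd_cores(aff)
    if shared and cores > 2:          # sharing is acceptable only on a two-core box
        findings.append("SND and kernel instance share core(s) %s" % shared)
    return findings


if __name__ == "__main__":
    for finding in audit(AFFINITY_OUTPUT, MULTIK_OUTPUT, cores=4) or ["no findings"]:
        print(finding)
```

On the constructed data the script reports that eth2 and instance fw_2 both sit on core 1, which is exactly the SND/instance sharing the text advises against on a box with more than two cores. The persistent fix belongs in fwaffinity.conf rather than in a one-off fw ctl affinity -s, since the latter does not survive a restart.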

Practice and Review

Practice Labs
Lab 3: Command Line Interface Tool

Review
1. What are some of the advantages in deploying UTM-1 Edge Appliances?

2. How do you manage an IP Appliance?

3. What does SecurePlatform Pro provide over SecurePlatform?

4. What are the two critical Check Point directories?


CHAPTER 3

Introduction to the Security Policy


Introduction to the Security Policy


The Security Policy is essential in administering security for your organization's
network. This chapter examines how to create rules based on network objects,
and modify a Security Policy's properties. In addition, this chapter will teach you
how to apply Database Revision Control and Policy Package management, to
decrease the burden of management when working with rules and objects.

Learning Objectives:
Given the network topology, create and configure network, host and gateway
objects.

Verify SIC establishment between the Security Management Server and the
Gateway using SmartDashboard.

Create a basic Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use.
Configure NAT rules on Web and Gateway servers.

Evaluate existing policies and optimize the rules based on current corporate
requirements.

Maintain the Security Management Server with scheduled backups and policy
versions to ensure seamless upgrades and minimal downtime.


Security Policy Basics


The Security Policy is a set of rules that defines your network security using a
Rule Base; rules are comprised of network objects, such as gateways, hosts,
networks, routers, and domains. Once a Rule Base is defined, the Policy is
distributed to all Security Gateways across a network.

The Rule Base


Each rule in a Rule Base specifies the source, destination, service, and action to
be taken for each session. A rule also specifies how a communication is tracked.
Events can be logged, and can then trigger an alert message. The figure is an
example of a Rule Base:

Figure 27 - Rule Base

Managing Objects in SmartDashboard

Objects are created by the System Administrator to represent actual hosts and
devices, as well as intangible components, such as services (for example, HTTP
and TELNET) and resources (for example, URI and FTP). Each component of an
organization has a corresponding object that represents it. Once these objects are
created, they can be used in the rules of the Security Policy. Objects are the
building blocks of Security Policy rules and are stored in the Objects database on
the Security Management Server.
Objects in SmartDashboard are divided into several categories, which can be
viewed in the different tabs of the Objects Tree. For instance, the Network
Objects tab represents the physical machines and logical components, such as
dynamic objects and address ranges, that make up your organization.



When creating objects, the System Administrator must consider the needs of the
organization:
What are the physical and logical components that make up the organization?
Each component that accesses the Security Gateway most likely needs to be
defined.
Who are the users and Administrators, and how should they be divided into
different groups?

Figure 28 - SmartDashboard

SmartDashboard and Objects

SmartDashboard is comprised of four principal areas, known as panes. From
these panes, objects are created, manipulated, and accessed. The following
section describes the functions and characteristics of each pane.

Object-Tree Pane
The Objects tree is the main view for managing and displaying objects. Objects
are distributed among logical categories (called tabs), such as Network Objects
and Services. Each tab orders its objects logically. For example, the Services tab
locates all services using ICMP in the folder called ICMP.



Objects-List Pane
The Objects tree works with the Objects list. The Objects list displays current
information for a selected object category. For example, when a Logical Server
network object is selected in the Objects tree, the Objects list displays a list of
Logical Servers, with certain details displayed.

Object Types
The objects lists are divided into the following categories:

Network

Services

Resources

Servers and OPSEC Applications

Users and Administrators

VPN Communities

Rule Base Pane

Objects are implemented across various Rule Bases, where they are used in the
rules of various Policies. For example, network objects are generally used in the
Source, Destination or Install On columns, while time objects can be applied in
any Rule Base within the Time column.

SmartMap Pane
A graphical display of objects in the system is displayed in the SmartMap view.
This view is a visual representation of the network topology. Existing objects
representing physical components such as gateways or hosts are displayed in
SmartMap, but logical objects such as dynamic objects cannot be displayed. This
is a useful documentation tool.


Managing Objects
The Objects Tree is the main view for adding, editing, and deleting objects,
although these operations can also be performed from the menus, toolbars and
other views, such as in Rule Bases or in SmartMap.

Figure 29 - Object Tree (the Network Objects tab with its categories and the
Sort Tree context menu)

Creating an Object with the Objects Tree

To add a new object, right-click the object type you would like to add. For
example, in the Network Objects tab, right-click Networks and select New
Network from the displayed menu.

Editing an Object with the Objects Tree

To edit an existing object, right-click the desired object in the Objects tree and
select Edit from the displayed menu. Or double-click the object you would like to
modify.

Deleting an Object with the Objects Tree

To delete an existing object, right-click the object in the Objects tree and click
Delete from the displayed menu.


Changing the View in the Objects Tree


The Network Objects tree provides two possible ways of viewing and organizing
network objects. The first is known as Classic view, which automatically places
each object in a predefined logical category. The second is Group view, which
provides additional flexibility in organizing objects by groups.

Figure 30 - Objects Tree Examples (Classic view on the left, Group view on the
right)


Classic View of the Objects Tree

In Classic view, network objects are displayed beneath their object type. For
example, a corporate mail server would appear under the Node category.
Check Point management stations and Security Gateways appear under the
category Check Point. DAIP servers appear in the category Dynamic Objects,
etc. Organizing objects by category is preferred for small-to-medium-sized
deployments. SmartDashboard opens to Classic view by default, unless set to
Group view.

Group View of the Objects Tree


In Group view, network objects are organized by the group objects to which they
belong. For instance, group GW-group could include all of the gateway objects in
an organization. You can switch to Group view by right-clicking Network
Objects, and selecting Arrange by groups. As changing views can at first be
disorienting, a warning appears.


Creating the Rule Base


Each rulc in a Rule Base defines the packets that malch the rule - based on
source. destination. service. and the time the packet is inspected. The fi rst rule
that matches a packet is applied. and the specified Action is taken . The
communication may bc logged and/or an alert may be issued, depending on what
has been entered in the Track field.

",add Rule
[~P.ule

Add Section rltle


E-PMd

~ " OO

Title:;

e.ottom

Ctfl+Ai+6

r""

Ctrl+Al+T

Bo<ow

Qr1+AIt+E

&OOve

CtrI+AIt+A

Co/l<:pS>:! Se>:tior, Titi~s

Ad,:! Sidb-Pule

Add QoS Class

--------

C!~!~e

r.;.!

t!de
Select AI

Cl:JI+A

Figure 31 - Adding a Rule

Basic Rule Base Concepts

SmartDashboard allows you to create a Rule Base, which builds your
Security Policy from a collection of individual rules. Choose from the following
options:
Add Rule - The position where the rule is to be placed: Bottom, Top, After,
Before.
Delete Rule - Deletes the currently selected rule from the Rule Base.
Disable Rule - Disables a rule when testing a Security Policy; disabling a
rule can also allow access to a previously restricted source or destination.
Hide - Hides, unhides, views, and manages hidden rules; hidden rules still
apply, they are just not visible in SmartDashboard. This feature is normally
used to temporarily move groups of rules out of view, to minimize confusion
when an Administrator is working on a complex Rule Base.



Default Rule
The Default Rule is added when you add a rule to the Rule Base. You can
configure this rule with all objects, services, and users installed on your database.

Figure 32 - Default Rule

The Default Rule is defined with the following information:

No. - Defines the number order of each rule; the first rule in the Rule
Base is No. 1.
Name - Gives Administrators a space to name the rule, helping to annotate
the Rule Base; by default, it is blank.
Source - Displays the Object Manager screen, from which you can select
network objects or a group of users to add to the rule; the default is
Any.
Destination - Displays the Object Manager screen, from which you can
select resource objects to add to the rule; the default is Any.
VPN - Displays the Add Objects VPN Communities screen, from which
you can select a VPN Community to add to the rule; the default is Any Traffic.

Service - Displays the Service Manager screen, from which you can select
services to add to the rule; the default is Any.
Action - Accepts, drops, or rejects the session, or provides authentication
and encryption; the default is drop.
Track - Defines logging or alerting for this rule; the default is none.
The options are: Account, Alert, Log, Mail, None, SnmpTrap, and UserDefined.
Install On - Specifies which firewalled objects will enforce the rule; the
default is Policy Targets, which means all internal firewalled objects.
(Throughout this handbook, all labs and examples assume this default, and the
Install On column is not shown.)



Time - Specifies the time period for the rule; the default is Any. (Throughout
this handbook, all labs and examples assume this default and the Time
column is not shown.)
Comment - Allows Administrators to add notes about this rule; the default
is a blank comment field.

Basic Rules
There are two basic rules used by nearly all Security Gateway Administrators:
the Cleanup Rule and the Stealth Rule.

Figure 33 - Basic Rules

Both the Cleanup and Stealth Rules are important for creating basic security
measures, and tracking important information in SmartView Tracker.
Cleanup Rule - The Security Gateway follows the principle, "That which is
not expressly permitted is prohibited". Security Gateways drop all communication
attempts that do not match a rule, but that implicit drop is not logged. The only
way to monitor the dropped packets is to create a Cleanup Rule that logs all
dropped traffic. The Cleanup Rule, also known as the None of the Above rule,
drops all communication not described by any other rules, and allows you to
specify logging for everything being dropped by this rule.
Stealth Rule - To prevent any users from connecting directly to the Gateway,
you should add a Stealth Rule to your Rule Base. Protecting the Gateway
in this manner makes the Gateway transparent to the network. The Gateway
becomes invisible to users on the network. Figure 4-10 below displays a sample
Stealth Rule.
In most cases, the Stealth Rule should be placed above all other rules. Placing the
Stealth Rule at the top of the Rule Base protects your Gateway from port
scanning, spoofing, and other types of direct attacks. Connections that need to be
made directly to the Gateway, such as Client Authentication, encryption and
Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.


Implicit/Explicit Rules
The Security Gateway creates a Rule Base by translating the Security Policy into
a collection of individual rules. The Security Gateway creates implicit rules,
derived from Global Properties, and explicit rules, created by the Administrator in
SmartDashboard.

Figure 34 - Implicit/Explicit Rules

An explicit rule is a rule that you create in the Rule Base. Explicit rules are
displayed together with implicit rules in the correct sequence, when you select to
view implied rules. To see how properties and rules interact, select Implied
Rules from the View menu. Implicit rules appear without numbering, and
explicit rules appear with numbering.
Implicit rules are defined by the Security Gateway to allow certain connections to
and from the Gateway, with a variety of different services. The Gateway enforces
two types of implicit rules that enable the following:
Control Connections
Outgoing packets


Control Connections
The Security Gateway creates a group of implicit rules that it places first, last, or
before last in the explicitly defined Rule Base. These first implicit rules are based
on the Accept control connections setting in the Global Properties window.
The Gateway anticipates other possible connections relating to Gateway
communication, and also creates implicit rules for those scenarios.
There are three types of Control Connections, defined by default rules:
Gateway-specific traffic that facilitates functionality, such as logging,
management, and key exchange
Acceptance of IKE and RDP traffic for communication and encryption
purposes
Communication with various types of servers, such as RADIUS, CVP, UFP,
TACACS, LDAP, and Logical Servers, even if these servers are not
specifically defined resources in your Security Policy
Implied rules are generated in the Rule Base through Global Properties. Check
the properties enforced in the FireWall Implied Rules screen, then choose a
position in the Rule Base for the implied rule:

First - first in the Rule Base

Before Last - before the last rule in the Rule Base

Last - last rule in the Rule Base

Because an implied rule positioned First is matched before the Stealth Rule,
review the implied rules whenever you tighten the explicit Rule Base.

Detecting IP Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access
by altering a packet's IP address. This alteration makes it appear as though the
packet originated in the part of a network with higher access privileges.



The Security Gateway has a sophisticated anti-spoofing feature that detects such
packets, by requiring that the interface on which a packet enters a gateway
corresponds to its IP address.

Figure 35 - Anti-Spoofing

Anti-spoofing verifies that packets are coming from, and going to, the correct
interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from
the internal network are actually coming from the internal-network interface. It
also verifies that, once a packet is routed, it is going through the proper interface.

Configuring Anti-Spoofing
To properly configure anti-spoofing, networks that are reachable from an
interface need to be defined appropriately. For anti-spoofing to be most effective,
it should be configured on all gateway interfaces. If anti-spoofing is implemented
on a specific interface, spoof tracking for that interface should also be defined.
This will help with both intrusion detection and troubleshooting.
To activate anti-spoofing, configure the firewalled-interface properties. The
Topology tab of the Interface Properties window allows you to configure anti-spoofing properties of a gateway.
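The interface topology check described above, worked through in Python as an added example (it is not Check Point code). The interface names and networks are constructed; "external" stands for the Topology option that an interface leads out to the Internet, so any address not defined behind some other interface is legal there. It also shows the failure mode the text warns about: a network that is reachable behind an interface but omitted from that interface's topology has its legitimate traffic dropped as spoofed.

```python
from ipaddress import ip_address, ip_network


class Interface:
    def __init__(self, name, networks=(), external=False):
        self.name = name
        self.networks = [ip_network(n) for n in networks]   # topology defined behind this interface
        self.external = external                             # "leads out to the Internet"


class AntiSpoofing:
    """Accepts a packet only if its address belongs to the topology of the interface it uses."""

    def __init__(self, interfaces, spoof_tracking="log"):
        self.ifaces = {i.name: i for i in interfaces}
        self.tracking = spoof_tracking     # the per-interface Spoof Tracking setting
        self.events = []                   # what would be logged
        # Everything defined behind a non-external interface is internal; the
        # external interface is legal for any address that is NOT internal.
        self.internal = [n for i in interfaces if not i.external for n in i.networks]

    def belongs(self, iface, addr):
        ip = ip_address(addr)
        if iface.external:
            return not any(ip in n for n in self.internal)
        return any(ip in n for n in iface.networks)

    def _violation(self, kind, ifname, addr):
        if self.tracking == "log":
            self.events.append(f"spoof {kind} on {ifname}: {addr}")
        return "drop"

    def inbound(self, ifname, src):
        """Pre-in check: the source address must be legal for the ingress interface."""
        iface = self.ifaces[ifname]
        return "accept" if self.belongs(iface, src) else self._violation("inbound", ifname, src)

    def outbound(self, ifname, dst):
        """After routing: the destination must be legal for the egress interface."""
        iface = self.ifaces[ifname]
        return "accept" if self.belongs(iface, dst) else self._violation("outbound", ifname, dst)


def build_gateway():
    """Constructed topology (assumption): eth0 external, eth1 internal LAN, eth2 DMZ."""
    return AntiSpoofing([
        Interface("eth0", external=True),
        Interface("eth1", ["10.1.1.0/24"]),
        Interface("eth2", ["192.168.10.0/24"]),
    ])


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.inbound("eth0", "10.1.1.5"))        # drop: internal address arriving from the Internet side
    print(gw.inbound("eth0", "203.0.113.9"))     # accept
    print(gw.inbound("eth1", "192.168.10.5"))    # drop: DMZ address entering on the LAN interface
    print(gw.events)
```

The narrow-topology case is the one to remember when troubleshooting: if eth2 is defined as 192.168.10.0/25 while a host sits at 192.168.10.200, that host's traffic is dropped and logged as spoofed even though nothing malicious is happening, which is why spoof tracking should be enabled wherever anti-spoofing is.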



Rule Base Management


As a network infrastructure grows, so will the Rule Base created to manage the
network's traffic. If not managed properly, Rule Base order can affect Security
Gateway performance and negatively impact traffic on the protected networks.
Here are some general guidelines to help you manage your Rule Base effectively.
Before creating a Rule Base for your system, answer the following questions:
1. Which objects are in the network? Examples include gateways, hosts, networks, routers, and domains.
2. Which user permissions and authentication schemes are needed?
3. Which services, including customized services and sessions, are allowed
across the network?
As you formulate the Rule Base for your Policy, these tips are useful to consider:
The Policy is enforced from top to bottom.

Place the most restrictive rules at the top of the Policy, then proceed with the
generalized rules further down the Rule Base. If more permissive rules are
located at the top, the restrictive rule may not be used properly. This allows
misuse or unintended use of access, or an intrusion, due to improper rule
configuration.

Keep it simple. Grouping objects or combining rules makes for visual clarity
and simplifies debugging. If more than 50 rules are used, the Security Policy
becomes hard to manage. Security Administrators may have difficulty
determining how rules interact.

Add a Stealth Rule and Cleanup Rule first to each new Policy Package. A
Stealth Rule blocks access to the Gateway. Using an Explicit Drop Rule is
recommended for logging purposes.

Limit the use of the Reject action in rules. If a rule is configured to reject, a
message is returned to the source address, informing that the connection is not
permitted; that reply also confirms to a scanner that a filtering device is present.

Use section titles to group similar rules according to their function. For
example, rules controlling access to a DMZ should be placed together. Rules
allowing an internal network access to the Internet should be placed together,
and so on. This allows easier modification of the Rule Base, as it is easier to
locate the appropriate rules.


Comment each rule! Documentation eases troubleshooting, and explains why
rules exist. This assists when reviewing the Security Policy for errors and
modifications. This is particularly important when the Policy is managed by
multiple Administrators. In addition, this Comment option is available when
saving database versions. See the Database Revision Control section in this
chapter.
For efficiency, the most frequently used rules are placed above less-frequently
used rules. This must be done carefully, to ensure a general-accept rule is not
placed before a specific-drop rule.

Understanding Rule Base Order

Before you can define Security Policy properties, you must consider Rule Base
order. The Security Gateway inspects packets by comparing them to the Security
Policy, one rule at a time. For this reason, it is important to define each rule in the
Security Policy in the appropriate order. Firewall implied rules are placed first,
last, or before last in the Rule Base and can be logged. Rules are processed in the
following order:
1. IP spoofing/IP options
2. First: This rule cannot be modified or overwritten in the Rule Base because
the first rule that matches is always applied to the packet and no rules can be
placed before it. Implied rules are processed before administrator explicitly-defined rules.
3. Explicit: These are the administrator-defined rules, which may be located
between the first and the before-last rules.
4. Before Last: These are more specific implied rules that are enforced before
the last rule is applied.
5. Last: A rule that is enforced after the last rule in the Rule Base, which normally rejects all packets, usually referred to as the Cleanup Rule.
6. Implicit Drop Rule: No logging occurs.
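As an added illustration that is not part of the manual, the following Python models the first-match walk just listed: implied First rules, then the administrator's explicit rules, then Before Last, Last, and finally the unlogged implicit drop. The addresses, rule names and the single control-connection service (TCP 18190, the CPMI management port) are constructed assumptions. It shows why a permissive rule placed above the Stealth Rule exposes the Gateway, and why an implied First rule still admits management traffic that the Stealth Rule would otherwise drop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass
class Rule:
    name: str
    src: object        # list of ip_network objects, or ANY
    dst: object
    services: object   # set of "proto/port" strings, or ANY
    action: str        # "accept" or "drop"
    log: bool = True


def _addr_match(field, addr):
    return field is ANY or any(ip_address(addr) in net for net in field)


def rule_matches(rule, pkt):
    return (_addr_match(rule.src, pkt["src"])
            and _addr_match(rule.dst, pkt["dst"])
            and (rule.services is ANY or pkt["service"] in rule.services))


def evaluate(first, explicit, before_last, last, pkt):
    """Walk the sections in enforcement order; the first matching rule wins.
    Returns (action, name of the matching rule, whether the match is logged)."""
    for section in (first, explicit, before_last, last):
        for rule in section:
            if rule_matches(rule, pkt):
                return rule.action, rule.name, rule.log
    return "drop", "implicit drop", False      # nothing matched: dropped, never logged


# Constructed topology (assumption): the Gateway's own addresses, the internal
# LAN, and the Security Management Server that must always reach the Gateway.
GATEWAY = [ip_network("10.1.1.1/32"), ip_network("172.22.102.1/32")]
INTERNAL = [ip_network("10.1.1.0/24")]
MGMT = [ip_network("10.1.1.10/32")]

# Implied First rule standing in for "Accept control connections"; TCP 18190 is
# the CPMI management service. Other control services are omitted for brevity.
IMPLIED_FIRST = [Rule("control connections", MGMT, GATEWAY, {"tcp/18190"}, "accept")]
IMPLIED_BEFORE_LAST = []
IMPLIED_LAST = []

STEALTH = Rule("Stealth", ANY, GATEWAY, ANY, "drop")
WEB_OUT = Rule("Internal to Internet HTTP", INTERNAL, ANY, {"tcp/80", "tcp/443"}, "accept")
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, "drop")

GOOD_ORDER = [STEALTH, WEB_OUT, CLEANUP]   # Stealth Rule above every permissive rule
BAD_ORDER = [WEB_OUT, STEALTH, CLEANUP]    # permissive rule placed above the Stealth Rule


def decide(explicit, pkt):
    """Evaluate an administrator Rule Base together with the implied rules."""
    return evaluate(IMPLIED_FIRST, explicit, IMPLIED_BEFORE_LAST, IMPLIED_LAST, pkt)


if __name__ == "__main__":
    # An internal host probing the Gateway's own HTTP port.
    probe = {"src": "10.1.1.50", "dst": "10.1.1.1", "service": "tcp/80"}
    print(decide(GOOD_ORDER, probe))   # ('drop', 'Stealth', True)
    print(decide(BAD_ORDER, probe))    # ('accept', 'Internal to Internet HTTP', True)
    # Management traffic: admitted by the implied First rule before Stealth is reached.
    ctl = {"src": "10.1.1.10", "dst": "10.1.1.1", "service": "tcp/18190"}
    print(decide(GOOD_ORDER, ctl))     # ('accept', 'control connections', True)
```

Note the last case in the model: with no Cleanup Rule, a packet that matches nothing is still dropped, but by the implicit drop, so it never appears in the logs. That is the practical reason for the explicit Cleanup Rule recommended earlier.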


Completing the Rule Base

When you have defined the desired rules, you must install the Security Policy.
The installation process specifies the network object on which the Security
Policy is installed. Only managed objects are available for Policy installation. In
contrast, the Install On element in the Rule Base specifies the network object that
is to enforce a specific rule.
There are times when verifying a Security Policy is useful to System
Administrators. By verifying a Security Policy, you check that rules are
consistent, and that there are no redundant rules before Security Policy
installation.


Policy Management and Revision Control


The Rule Base and object database of a Security Gateway are always changing.
Changes, such as reassigning systems to other networks, traffic access, or users
being moved from one group to another, can be simple or complicated. Because
of the growing complexity of the Security Policy, many Administrators operate
according to the axiom, "If it isn't broken, don't fix it". This can lead to
unnecessarily cluttered Security Policies that both tax the system's resources, as
well as make it difficult for the Administrator to manage.
A Security Administrator needs methods for "backing out" of a rule or object
change, as well as to organize changes in a systematic approach that keeps track
of changes as time goes by. This system would help minimize redundancy and
expensive downtimes. Two utilities in particular are used for providing backups
and incremental changes:
Policy Package management
Database Revision Control

Policy Package Management

Some circumstances require multiple versions of a Security Policy, but the object
database needs to stay the same. Often this will be when adding or consolidating
rules in an existing Rule Base, or creating a new set of rules on a Gateway. In
these circumstances, using Policy Package management is better than creating
multiple versions of the system database.
These two points are worth consideration when saving your Policies:
Policy Package Management entails the Policy Package, which includes only
Security, NAT, and Desktop and QoS Policy rules.
It is an ideal management utility for a distributed installation with multiple
Security Gateways; specific Policies are created for specific Security
Gateways.


The Security Management Server provides a wide range of tools that address
various Policy management tasks, both at the definition stage and at the
maintenance stage:
Policy Packages - Allow you to easily group different types of Policies, to
be installed together on the same installation target(s).
Predefined Installation Targets - Allow you to associate each Policy
Package with the appropriate set of Gateways; this feature frees you of the
need to repeat the Gateway selection process every time you install (or
uninstall) the Package, with the option to easily modify the list at any given
time. In addition, it minimizes the risk of installing Policies on inappropriate
targets.
Section Titles - Allow you to visually break your Rule Base into subjects,
thereby instantly improving your orientation and ability to locate rules and
objects of interest.
Queries - Provide versatile search capabilities for both objects and the rules
in which they are used.
Sorting - Using the Objects tree and Objects list pane is a simple and quick
way to locate objects; this feature is greatly facilitated by consistent use of
naming and coloring conventions.

Database Revision Control

Database Revision Control gives the Administrator freedom to create fallback
configurations when implementing new objects and rules, or adjusting rules and
objects as networks change. This can help the Administrator test new Rule Base
and object configurations, or can be used to revert to an earlier configuration for
troubleshooting.
Consider these points when saving your Policies:
The database version consists of all Policies on a single Gateway, and objects
and users configured, including settings in SmartDefense and Global
Properties.
It is an ideal management utility for a stand-alone or distributed deployment
with a single Gateway.
It is configurable to automatically create new database versions on Policy
installation.


This table compares the advantages of using Database Revision Control and
Policy Package Management:

Database Revision Control
Database version consists of all Policies, objects and users configured, including
settings in SmartDefense and Global Properties
Ideal management utility for a stand-alone deployment, or distributed with a single
Gateway deployment
Configurable to automatically create new database versions on Policy installation

Policy Package Management
Policy Package including only Security and NAT, QoS, and Desktop Security settings
Ideal management utility for a distributed installation with multiple Security
Gateways; specific Policies created for specific Security Gateways


Network Address Translation

Network Address Translation (NAT) allows Security Administrators to overcome
IP addressing limitations, allowing private IP-address allocation and unregistered
internal-addressing schemes.
Enterprises employ NAT for a variety of reasons, including:
Private IP addresses used in internal networks.
Limiting external network access.
Ease and flexibility of network administration.
Network Address Translation (NAT) can be used to translate either IP address in
a connection. When translating the IP of the machine initiating the connection
(typically the "client" of the connection) this is referred to as Source NAT. When
translating the IP address of the machine receiving the connection this is referred
to as Destination NAT.
The Security Gateway supports two types of NAT where the source and/or the
destination are translated:
Hide NAT - Hide NAT is a many-to-one relationship, where multiple
computers on the internal network are represented by a single unique address.
This enhances security because connections can only be initiated from the
protected side of the Security Gateway. This type of NAT is also referred to as
Dynamic NAT.
Static NAT - Static NAT is a one-to-one relationship, where each host is
translated to a unique address. This allows connections to be initiated
internally and externally. An example would be a Web server or a mail server
that needs to allow connections initiated externally.
NAT can be configured on Check Point hosts, nodes, networks, address ranges
and dynamic objects. NAT can be configured automatically or by creating
manual NAT rules. Manual NAT rules offer flexibility because they allow the
translation of both the source and destination of the packet and allow the
translation of services.


IP Addressing
In an IP network, each computer is assigned a unique IP address. Because public
IP addresses are scarce and expensive, many enterprises choose to use private
addresses for their internal networks. The following blocks of IP addresses were
set aside for internal-network use in RFC 1918, "Address Allocation for Private
Internets":
Class A network numbers: 10.0.0.0-10.255.255.255
Class B network numbers: 172.16.0.0-172.31.255.255
Class C network numbers: 192.168.0.0-192.168.255.255
Best practices recommend using only these address ranges for intranets. RFC
1918 addresses are not routed on the public Internet.

Hide NAT

In Hide NAT, the source is translated, the source port is modified and translation
occurs on the server side. As shown in the illustration below, notice the source
packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the
interface on pre-in, 'i', it is processed by the firewall kernel and forwarded to
post-in, 'I', where it is then routed to the external interface. It arrives at pre-out, 'o',
and is then processed by the NAT rule base. The firewall modifies the source port
and adds the port information to a state table. The packet translates on post-out,
'O', as it leaves the Gateway. For protocols where the port number cannot be
changed, Hide NAT cannot be used.

Figure 36 - Hide NAT


Choosing the Hide Address in Hide NAT

The Hide Address is the address behind which the network, address range, or
node is hidden. It is possible to hide behind either the interface of the Gateway or
a specified IP address.
Choosing a fixed public IP address is a good option if you want to hide the
address of the Security Gateway. However, it means you have to use an extra
publicly routable IP address. Choosing to hide behind the address of the Gateway
is a good option for administrative purposes. For example, if the external IP
address of the Gateway changes, there is no need to change the NAT settings.

Static NAT
A static translation is assigned to a server that needs to be accessed directly from
outside the Security Gateway. So, the packet is typically initiated from a host
outside the firewall. When the client initiates traffic to the static NAT address, the
destination of the packet is translated.

Figure - Static NAT


In the past, all destination NAT occurred at the "server side" of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, a host route is required on the Security Gateway to route to the
destination server. As of VPN-1 NGX, the default method for Destination NAT is
"client side", where NAT occurs on the inbound interface closest to the client.
Assume the client is outside the Gateway, and the server is inside the Gateway
with automatic Static NAT configured. When the client starts a connection to
access the server's NAT IP address, the following happens to the original packet
in a client-side NAT:

Original Packet
1. The packet from outside the Gateway arrives at the inbound interface, 'i', destined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the
destination is translated on the post-in side of the interface, 'I', before it is
routed.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the Web
server.

Reply Packet
1. The Web server replies and hits the inbound interface, 'i', of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table,
and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet goes through the outbound interface and is translated to the static
NAT IP address as it leaves the Security Gateway, 'O'. The source port does
not change.
When the external server must distinguish between clients based on their IP
addresses, Hide NAT cannot be used, because all clients share the same IP
address under Hide NAT.
To allow connections from the external network to the internal network, only
Static NAT can be used.


NAT - Global Properties

Several Global Properties influence how NAT is handled by a Security Gateway.
The figure shows the default Global Properties for NAT.

Figure 37 - NAT Settings

In most cases, the Security Gateway automatically creates NAT rules, based on
information derived from object properties. The following three Global
Properties can be modified to adjust the behavior of Automatic NAT rules on a
global level:
Allow bi-directional NAT - If more than one Automatic NAT rule matches
a connection, both rules are matched. If Allow bidirectional NAT is selected,
the Gateway will check all NAT rules to see if there is a source match in one
rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
Translate Destination on client side - For packets from an external host
that are to be translated according to Static NAT rules, select this option to
translate destination IP addresses in the kernel nearest the client.


Automatic ARP configuration - Select this option to automatically update
ARP tables on Security Gateways. For NAT to function properly, a Gateway
must accept packets whose destination addresses differ from the addresses
configured on its interfaces. Automatic ARP configuration adds the ARP
entries needed to accomplish this task. This property applies to automatically
created NAT rules only.
Merge manual proxy ARP - Select this option to merge automatic and
manual ARP configurations. Manual proxy ARP configuration is required for
manual Static NAT rules. If a manual ARP configuration is defined in the
local.arp file and automatic ARP configuration is enabled, both definitions are
maintained. If there is a conflict between the definitions (the same NAT IP
address appears in both), the manual configuration is used. If this option is not
enabled and automatic ARP configuration is enabled, the Gateway ignores the
entries in the local.arp file.
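An added illustration of the manual proxy ARP file the paragraph refers to (not taken from the manual): each line of $FWDIR/conf/local.arp on the Gateway pairs a NAT address with the MAC address of the interface that should answer ARP requests for it. The two NAT addresses are the ones used in this chapter's figures; the MAC address is constructed.

```text
172.22.102.15   00:0c:29:3a:1b:7c
172.22.102.112  00:0c:29:3a:1b:7c
```

The entries take effect on the next Policy installation, and only when Merge manual proxy ARP is enabled; otherwise the file is ignored as the paragraph states. Running fw ctl arp on the Gateway lists the proxy ARP entries in force, which is the quickest way to confirm that the Gateway will actually answer for a manually translated address before testing from outside.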

Object Configuration - Hide NAT

Hide NAT can be configured to hide networks using a Security Gateway IP
address or another, externally accessible IP address. The figure illustrates how to
configure the NAT properties for a network using a Security Gateway's IP
address when dynamically translated. To configure Hide NAT with automatic
NAT rule creation, select the appropriate options and click OK, which
automatically creates the necessary NAT rules for the object.

Figure 38 - NAT Configured Object


Address-translation rules are divided into two elements: Original Packet and
Translated Packet. The elements of the Original Packet section inform a Security
Gateway which packets match the rule. The Translated Packet elements define
how the Security Gateway should modify the packet. Configuring the network
object as described above creates two rules in the Address Translation Policy.
The first rule prevents translation of packets traveling from the translated object
to itself. The second rule instructs the Security Gateway to translate packets
whose source IP address is part of the Corporate-Finance-net network. This rule
translates packets from private addresses to the IP address of the exiting interface
of the Security Gateway.

Figure 39 - NAT Rules

Because Hide NAT also modifies source ports, there is no need to add another
rule for reply packets. Information recorded in a Security Gateway's state tables
will be used to modify the destination IP address and destination port of reply
packets.
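The following Python is an added example, not Check Point's NAT implementation, that works through both the Hide NAT flow of this chapter (source port rewritten, state table consulted for replies, no translation for traffic from the object to itself) and the client-side Static NAT flow described under Static NAT above (destination translated on the way in, source translated back on the reply with the port unchanged). The addresses reuse the chapter's figures (10.1.1.101, 172.22.102.15, 172.22.102.112); the remote hosts, the ports, the server's real address 192.168.10.5 and the starting hide port are assumptions.

```python
from ipaddress import ip_address, ip_network
from itertools import count


class NatGateway:
    """Hide NAT (many-to-one, source port rewritten, state table) and
    Static NAT (one-to-one, port unchanged) on a single gateway."""

    def __init__(self, hide_net, hide_addr, static_map, gateway_ips, first_port=10000):
        self.hide_net = ip_network(hide_net)
        self.hide_addr = hide_addr
        self.static = dict(static_map)                 # public NAT IP -> real IP
        self.static_rev = {real: pub for pub, real in static_map.items()}
        self.gateway_ips = set(gateway_ips)
        self._ports = count(first_port)                # next free hide port (assumed allocator)
        self.table = {}                                # (hide_addr, port) -> (real src, real sport)

    def outbound(self, pkt):
        """Source translation as the packet leaves the external interface
        (post-out, 'O'). Returns the translated packet, or None when Hide NAT
        is impossible because the protocol carries no port to rewrite."""
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        if src in self.hide_net and dst in self.hide_net:
            return dict(pkt)                           # automatic rule 1: object to itself, no NAT
        if pkt["src"] in self.static_rev:              # Static NAT reply: 1:1, port kept
            return {**pkt, "src": self.static_rev[pkt["src"]]}
        if src in self.hide_net:                       # automatic rule 2: hide the network
            if pkt.get("sport") is None:
                return None
            port = next(self._ports)
            self.table[(self.hide_addr, port)] = (pkt["src"], pkt["sport"])
            return {**pkt, "src": self.hide_addr, "sport": port}
        return dict(pkt)

    def inbound(self, pkt):
        """Destination translation at post-in ('I'), i.e. client side, before routing."""
        key = (pkt["dst"], pkt.get("dport"))
        if key in self.table:                          # reply to a hidden host: undo via the state table
            real_src, real_port = self.table[key]
            return {**pkt, "dst": real_src, "dport": real_port}
        if pkt["dst"] in self.static:                  # new inbound connection to a Static NAT address
            return {**pkt, "dst": self.static[pkt["dst"]]}
        return dict(pkt)

    def proxy_arp_entries(self):
        """Addresses the gateway must answer ARP for although they are not bound
        to an interface: the hide address (unless it is the gateway's own) and
        every Static NAT address."""
        extra = set(self.static) | {self.hide_addr}
        return sorted(extra - self.gateway_ips)


if __name__ == "__main__":
    gw = NatGateway("10.1.1.0/24", "172.22.102.15",
                    {"172.22.102.112": "192.168.10.5"}, {"172.22.102.1"})
    # Two hidden hosts using the same source port: told apart by the rewritten port.
    a = gw.outbound({"proto": "tcp", "src": "10.1.1.101", "sport": 40000, "dst": "203.0.113.7", "dport": 80})
    b = gw.outbound({"proto": "tcp", "src": "10.1.1.102", "sport": 40000, "dst": "203.0.113.7", "dport": 80})
    print(a["src"], a["sport"], b["src"], b["sport"])    # 172.22.102.15 10000 172.22.102.15 10001
    # The reply for the second host comes back to port 10001 and is mapped to 10.1.1.102:40000.
    r = gw.inbound({"proto": "tcp", "src": "203.0.113.7", "sport": 80, "dst": "172.22.102.15", "dport": 10001})
    print(r["dst"], r["dport"])                          # 10.1.1.102 40000
    print(gw.proxy_arp_entries())                        # ['172.22.102.112', '172.22.102.15']
```

Two points the text makes are visible in the model: a protocol without a port field (GRE in the test below) cannot be hidden, because there is nothing to rewrite and nothing to key the state table on; and the Static NAT reply is translated by address only, so the source port the server chose is what the client sees.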


Hide NAT Using Another Interface IP Address

Hiding internal addresses behind a Security Gateway's IP address is not the most
secure way to configure Hide NAT. Using another externally accessible IP
address for Hide NAT is considered best practice. The figure illustrates how to
configure the NAT properties for a network that will use another externally
accessible IP address when dynamically translated.

Figure 40 - Hide NAT Configured Object

For Automatic NAT rule creation, the Security Gateway makes all necessary
route and ARP table entries on the Security Gateway. In the example above, the
Security Gateway will process packets destined for 172.22.102.15, even though
that IP address is not bound to its interface. For routing to work properly, the
address selected to hide internal networks should be on the same subnet as the IP
address of the interface where packets will arrive.
Like Hide NAT behind a Security Gateway's IP address, configuration for Hide
NAT using another externally accessible IP address also creates two rules. The
first rule instructs the Security Gateway not to translate traffic whose source and
destination is the object for which Hide NAT is configured. The second rule
translates the source address of packets not destined for the object for which Hide
NAT is configured.


Static NAT
Configuring a Security Gateway to perform Static NAT for a host is similar to
configuring a Security Gateway to perform Hide NAT using another externally
accessible IP address.

Figure 41 - Static NAT Configured Object

The figure illustrates how to configure NAT properties, when Static NAT is used
to translate a host's IP address.
For routing to work properly, the Translate to IP Address must be on the same
subnet as the Security Gateway's IP address. When Automatic NAT rule creation
is used, it makes the necessary adjustments to the ARP configuration.
Configuring an object for automatic creation of Static NAT rules adds two rules
to the Address Translation Policy. For Static NAT, both rules are translating rules.
In the example above, the Security Gateway changes the source address from a
private address to the public address (172.22.102.112).



Manual NAT
The Security Gateway allows Security Administrators to create Manual NAT
rules. Manual NAT involves more configuration than automatic NAT rule
creation, but provides additional flexibility in Rule Base design.
Automatic NAT rule creation is appropriate for most installations. Properly
configured objects, well-planned networks, and Global Properties settings make
Manual NAT rule creation unnecessary for most enterprises. For Security
Administrators faced with legacy networks where design issues prevent the use
of automatic NAT rules, Manual NAT rules may provide solutions.
Some of the situations where Manual NAT rule creation may be warranted
include:
Instances where remote networks only allow specific IP addresses.
Situations where translation is desired for some services, and not for others.
Environments where more granular control of address translation in VPN
tunnels is needed.
Enterprises where Address Translation Rule Base order must be manipulated.
When port address translation is required.
Environments where granular control of address translation between internal
networks is required.
When a range of IP addresses, rather than a network, will be translated.

Configuring Manual NAT

Manual NAT requires configuration of objects and rules. The amount of
configuration varies between Hide NAT and Static NAT.
Global Properties for Manual NAT Rules
On the NAT window of Global Properties, only one global
property can be set for manually created NAT rules. The Translate destination on
client side property performs the same function for Manual NAT rules as it does
for automatic NAT rules.
Translate destination on client side - For packets from an external host
undergoing Static NAT, translate destination IP addresses in the kernel nearest the
client.
Enable IP Pool NAT - If IP pools are used on a Gateway, SecuRemote/
SecureClient connections are modified, so a target host sends reply packets to the
appropriate Gateway.


Special Considerations
When Automatic NAT rule creation is used, it makes all necessary adjustments to
the Security Gateway's ARP and routing tables. Using Automatic NAT rule
creation also eliminates potential anti-spoofing issues. If Manual NAT rule
creation is used, special consideration must be paid to ARP and routing-table
entries, and anti-spoofing issues.

ARP
When Automatic NAT rule creation is used, the Security Gateway makes all
necessary adjustments to the Security Gateway's ARP table. If Manual NAT rule
creation is used, the Security Administrator must edit the Security Gateway's
ARP table, as follows:
Hide NAT, Security Gateway in Translated Packet, Source field - no
additional ARP table entries are required, because the Gateway already answers
ARP for its own interface address.
Hide NAT, hiding behind an IP address not assigned to the Security
Gateway - Add an ARP table entry to the Security Gateway for the hiding
address.
Static NAT - Add ARP table entries to the Security Gateway for all Static
NAT addresses.
For information on creating persistent ARP table entries, consult your OS
documentation.


Multicasting
Multicasting transmits a single message to a select group of recipients. A typical
use of multicasting is to distribute real-time audio and video to a set of hosts that
have joined a distributed conference. IP multicasting applications send one copy
of each IP packet, and address it to a group of computers that want to receive it.
This technique addresses datagrams to a group of receivers at a multicast address,
rather than to a single receiver at a unicast address. Network routers forward the
datagrams to only those routers and hosts that need to receive them.

Figure 42 - Multicast Address Range Properties

The Multicast Restrictions tab in the Interface Properties window drops multicast
packets according to configured conditions. Security Administrators can
configure a list of address ranges to drop or accept.

Figure 43 - Interface Properties


To configure multicast access control:
1. In the Topology window of the Gateway's General Properties, edit the appropriate interface.
2. In the Interface Properties window's Multicast Restrictions tab, select Drop
Multicast packets by the following conditions.
3. After selecting your drop option and clicking Add, you are prompted to select
a Multicast Address Range in the Add Object window. Click Add, and in the
Multicast Address Range Properties window, define either an IP address
range or a single IP address that is in the range 224.0.0.0-239.255.255.255.
4. In the Rule Base, add a rule to allow the required multicast groups. In the destination of the rule, specify the multicast groups defined in step 3.
5. Save and install the Policy.


Practice and Review


Practice Labs
Lab 4: Building a Security Policy
Lab 5: Configuring a DMZ
Lab 6: Configuring NAT

Review
1. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
Security Policy. What should the Administrator consider before creating
objects?

2. What are some important considerations when formulating or updating a Rule
Base?

3. What are some reasons for employing NAT in a network when requiring
private IP addresses in internal networks, to limit external network access, or to
ease network administration?

CHAPTER 4

Monitoring Traffic and Connections

To manage your network effectively and to make informed decisions, you need to
gather information on the network's traffic patterns.

Learning Objectives

Use Queries in SmartView Tracker to monitor IPS and common network
traffic and troubleshoot events using packet data.
Using packet data on a given corporate network, generate reports,
troubleshoot system and security issues, and ensure network functionality.
Using SmartView Monitor, configure alerts and traffic counters, view a
Gateway's status, monitor suspicious activity rules, analyze tunnel activity
and monitor remote user access based on corporate requirements.


SmartView Tracker

Check Point's SmartView Tracker provides visual tracking, monitoring, and
accounting information for all connections logged by Check Point components.
Online viewing features enable real-time monitoring of network activity.
SmartView Tracker provides control over every event, including those causing
alerts, as well as certain important system events, such as Security Policy
installation or uninstallation.
To log in to SmartView Tracker, select Window > SmartView Tracker from the
SmartDashboard main menu, or click Start > Programs > Check Point
SmartConsole R75 > SmartView Tracker:

Figure 44 - SmartView Tracker

Log Types
The format of log entries requested by a rule is determined by the log type
specified in the rule. You can select the log entries and data fields to display.
SmartView Tracker also allows you to navigate the log file. You can display one
of several log types from the Network & Endpoint Queries tree, as shown.
Log types are defined as either predefined or custom. The predefined types
include log details specific to that type. For instance, UA WebAccess displays
UserAuthority Web access log data for SecureClient entries, and the Account
type displays changes made to fields over time.

Figure 45 - Log Types

SmartView Tracker toolbar buttons also enable Administrators to define custom
log queries that can be saved for recurring use. The custom query allows the
column widths to be modified, and also allows selection of various log
information to display.

SmartView Tracker Tabs

SmartView Tracker has three predefined, optional views. These views can be
modified and saved. Select views with tabs located above the main log-viewing
area, as shown below:
Network & Endpoint tab - Displays the default view for SmartView
Tracker, and shows all security-related events.
Active tab - Shows currently open, active connections in SmartView
Tracker. The Active Connections screen displays as shown in Figure 5-3, and
also includes the Elapsed or duration of the connection, the Bytes or amount
of data passed on the connection, and any additional information about the
connection.
Management tab - Displays only audit entries in SmartView Tracker; this
enables you to track changes made to objects in the Rule Base, and tracks
general SmartDashboard use.

Figure 46 - SmartView Tracker Tabs

Action Icons
Each tab displays log fields regarding both the product that generated the log, and
the type of operation performed. Action icons provide a visual representation of
the log's operation. The following table gives a description of some of the
different types of actions recorded by SmartView Tracker:

Accept - The connection was allowed to proceed.

Reject - The connection was blocked.

Drop - The connection was dropped without notifying the source.

Encrypt - The connection was encrypted.

Decrypt - The connection was decrypted.

Key Install - The encryption keys were created.

Working with SmartView Tracker

Log-File Management
The SmartView Tracker toolbar allows you to perform the following tasks:

Figure 47 - Log File Management

1. Open Log File - When you select Open, you can open other log files.

2. Save Log File As - When saving a log file, the current log entries will be
written to file. Only the records that match the selection criteria will be saved
to the file; both entries that are visible in the screen, and those that are not visible.

3. Switch Log File - In this window, you can select the default log file or specify
a particular log file name. This operation actually performs a log file switch.

4. Remote Files Management - In this window, you can transfer log files
from a remote machine to the machine to which the SmartView Tracker is
currently connected.

5. Show or hide Fetch Progress - After clicking Get File List from the
Remote Files Management window, you can click Fetch Files and toggle the
display of the Files Fetch Progress window. The file transfer operation will
continue even if the Files Fetch Progress window is closed. It is interrupted
only if you click the Abort button.

6. Query Options - These buttons allow you to toggle the display of the query
tree pane, open an existing query, save a custom query, or save a custom
query under a new name.

Administrator Auditing
SmartView Tracker logs Security Administrator activities, including:
Administrator login and logout.
Object creation, deletion, and editing.
Rule Base changes.
Administrator auditing simplifies the process of tracking and troubleshooting
Security Policy changes, especially in environments with more than one
Administrator. Via the Management tab, it is possible to see the changes made by
a particular Administrator, or see who modified an object and what changes were
made.

Figure 48 - Auditing

Logging provides a historical record of logged connections. Logs are essential for
security management, so properly configuring the Security Gateway to log
connections of interest is important.

Global Logging and Alerting

The Global Properties - Log and Alert window, accessed by clicking Policy >
Global Properties > Log and Alert, allows you to define global log-and-alert
parameters.
VPN successful key exchange - Specifies the action to be taken when VPN keys
are successfully exchanged.
VPN packet handling errors - Specifies the action to be taken when
encryption or decryption errors occur.
VPN configuration and key exchange errors - Specifies the action to be taken
when logging configuration or key-exchange errors occur; for example, when
attempting to establish encrypted communication with a network object inside
the same VPN Domain.
IP Options drop - Specifies the action to take when a packet with IP options is
encountered; the Security Gateway always drops these packets, but you can log
them or issue an alert.
Administrative notifications - Specifies the action to be taken when an
administrative event occurs, for example, when a Certificate is about to expire.
SLA violation - Specifies the action to be taken when an SLA violation occurs,
as defined in the Virtual Links window.
Connection matched by SAM - Specifies the action to be taken when a
connection is blocked by Suspicious Activities Monitoring (SAM); for
information about SAM, see http://www.opsec.com.
Dynamic object resolution failure - Specifies the action to be taken when a
dynamic object cannot be resolved.
Log every authenticated HTTP connection - Specifies that a log entry should
be generated for every authenticated HTTP connection.
Log VoIP connection - Generates additional log entries for every VoIP
connection; additional log entries for SIP contain information about the user (SIP
URL, for example, fred@bloggs.com). Additional log entries for H.323 contain
information about phone numbers.

Time Settings
The Time Settings window allows you to configure time settings associated with
system-wide logging-and-alert parameters.
Excessive log grace period - Specifies the minimum amount of time
between consecutive logs of similar packets; two packets are considered
similar if they have the same source address, source port, destination address
and destination port, and the same protocol was used. After the first packet,
similar packets encountered within the grace period will be acted upon
according to the Security Policy, but only the first packet generates a log
entry or an alert.
SmartView Tracker resolving - After a specified amount of time, displays
a log page without resolving names and showing only IP addresses.
Virtual Link statistics logging interval - Specifies the frequency with
which Virtual Link statistics will be logged; this parameter is relevant only for
Virtual Links defined with Log SLA values enabled in the SLA Parameters
tab of the Virtual Link window. Virtual Links are defined by clicking Manage
> SmartView Monitor > Virtual Links from the main menu.
Status fetching interval - Specifies the frequency at which the Security
Management Server queries the Security Gateway, Check Point QoS, and
other software it manages for status information; any value from 30 to 900
seconds can be entered in this field.
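The excessive log grace period described above, modelled as an added example (this is not Check Point's code): a filter that keys packets on the 5-tuple the text names and writes only the first log entry per key within the grace period, while the policy action still applies to every packet. The packet records, the 60-second grace value and the replay helper are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Similarity key from the Time Settings text: source address, source port,
# destination address, destination port and protocol.
FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds; constructed sample values below
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    action: str      # decision already made by the Security Policy

    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


class GracePeriodLogger:
    """Withholds the log entry for a packet similar to one logged less than
    grace_period seconds earlier. The policy action is still applied to every
    packet; only the log/alert is suppressed."""

    def __init__(self, grace_period: float) -> None:
        self.grace_period = grace_period
        self._last_logged: Dict[FiveTuple, float] = {}
        self.log: List[str] = []
        self.suppressed = 0

    def handle(self, pkt: Packet) -> bool:
        """Return True if a log entry was written, False if it fell inside
        the grace period for this 5-tuple."""
        key = pkt.key()
        last = self._last_logged.get(key)
        # The timer runs from the last *logged* packet, so consecutive log
        # entries for one 5-tuple are at least grace_period seconds apart.
        if last is not None and pkt.ts - last < self.grace_period:
            self.suppressed += 1
            return False
        self._last_logged[key] = pkt.ts
        self.log.append(
            f"{pkt.ts:6.0f} {pkt.action:6} {pkt.proto} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        )
        return True


# Constructed sample: one host retrying SSH to the same server from the same
# source port (A), and once from a different source port (B).
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.1.50", 40000, "192.0.2.10", 22, "tcp", "drop"),   # A, logged
    Packet(5.0, "10.1.1.50", 40001, "192.0.2.10", 22, "tcp", "drop"),   # B, new key
    Packet(10.0, "10.1.1.50", 40000, "192.0.2.10", 22, "tcp", "drop"),  # A, suppressed
    Packet(30.0, "10.1.1.50", 40000, "192.0.2.10", 22, "tcp", "drop"),  # A, suppressed
    Packet(70.0, "10.1.1.50", 40000, "192.0.2.10", 22, "tcp", "drop"),  # A, grace expired
]


def replay(packets: List[Packet], grace_period: float = 60.0) -> GracePeriodLogger:
    """Run packets through a logger; 60 s is a constructed value, not a default."""
    logger = GracePeriodLogger(grace_period)
    for pkt in packets:
        logger.handle(pkt)
    return logger


if __name__ == "__main__":
    result = replay(SAMPLE_PACKETS)
    print("\n".join(result.log))
    print(f"suppressed: {result.suppressed}")
```

Because similarity is judged on the full 5-tuple, a source that changes its source port (as B does) produces a fresh log entry each time, so the grace period trims retries without hiding a probe that changes ports.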

Blocking Connections
You can terminate an active connection and block further connections from
specific IP addresses, using the SmartView Tracker Block Intruder function.
To block an active connection with Block Intruder, select the connection you
want to block, then select Tools > Block Intruder from the menu.
Figure 49 - Block Intruder

The Block Intruder window displays. In the Blocking Scope fields, select one of
the options:
Block all connections with the same source, destination and service - Block
the connection or any other connection with the same service, source or
destination.
Block access from this source - The connection is terminated, and all further
attempts to establish connections from this source IP address will be denied.
Block access to this destination - The connection is terminated, and all further
attempts to establish connections to this destination IP address will be denied.
In the Blocking Timeout field, select one of the options: Indefinite - Block
all further access. For... minutes - Block all further access attempts for the
specified number of minutes.
In the Force this blocking field, select one of the options:
Only on ... - Block access attempts through the indicated Security Gateway.
On any Security Gateway - Block access attempts through Security Gateways
defined as gateways or hosts on the log server. The connection will
remain blocked until you choose Tools > Clear Blocking from the main
menu.
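The Blocking Scope, Blocking Timeout and Force this blocking choices above, modelled as an added example (not Check Point's code or its SAM implementation): a block list that builds a rule from the offending connection and checks later connections against it, including expiry and the Clear Blocking action. The Connection type, gateway names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str   # e.g. "tcp/22" (constructed notation)
    gateway: str   # Security Gateway the connection passes through


# The three Blocking Scope options of the Block Intruder window.
SAME_SRC_DST_SERVICE = "same_source_destination_service"
FROM_SOURCE = "from_this_source"
TO_DESTINATION = "to_this_destination"


@dataclass
class BlockRule:
    scope: str
    src: str
    dst: str
    service: str
    gateway: Optional[str]       # "Only on ..." = gateway name; None = "On any Security Gateway"
    expires_at: Optional[float]  # "For ... minutes" = absolute time; None = "Indefinite"

    def matches(self, conn: Connection, now: float) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False                       # Blocking Timeout elapsed
        if self.gateway is not None and conn.gateway != self.gateway:
            return False                       # enforced only on one gateway
        if self.scope == FROM_SOURCE:
            return conn.src == self.src
        if self.scope == TO_DESTINATION:
            return conn.dst == self.dst
        if self.scope == SAME_SRC_DST_SERVICE:
            return (conn.src, conn.dst, conn.service) == (self.src, self.dst, self.service)
        raise ValueError(f"unknown blocking scope: {self.scope}")


@dataclass
class BlockList:
    rules: List[BlockRule] = field(default_factory=list)
    terminated: List[Connection] = field(default_factory=list)

    def block_intruder(self, conn: Connection, scope: str, now: float,
                       minutes: Optional[int] = None,
                       gateway: Optional[str] = None) -> BlockRule:
        """Terminate conn and add a rule derived from it. minutes=None means
        Indefinite; gateway=None means On any Security Gateway."""
        self.terminated.append(conn)
        expires = None if minutes is None else now + 60 * minutes
        rule = BlockRule(scope, conn.src, conn.dst, conn.service, gateway, expires)
        self.rules.append(rule)
        return rule

    def is_blocked(self, conn: Connection, now: float) -> bool:
        return any(rule.matches(conn, now) for rule in self.rules)

    def clear_blocking(self) -> None:
        """Tools > Clear Blocking: remove every rule, indefinite ones included."""
        self.rules.clear()


if __name__ == "__main__":
    bl = BlockList()
    seen = Connection("10.1.1.50", "192.0.2.10", "tcp/22", "gw-1")
    bl.block_intruder(seen, FROM_SOURCE, now=0.0, minutes=5, gateway="gw-1")
    probe = Connection("10.1.1.50", "192.0.2.99", "tcp/443", "gw-1")
    print("blocked at t=60s:", bl.is_blocked(probe, now=60.0))
    print("blocked at t=301s:", bl.is_blocked(probe, now=301.0))
```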

SmartView Monitor

SmartView Monitor is a high-performance network- and security-analysis system
that helps you easily administer your network, by establishing work habits based
on learned system-resource patterns. SmartView Monitor provides a single,
central interface for monitoring network activity and performance of Check Point
applications. SmartView Monitor allows Administrators to easily configure and
monitor different aspects of network activities. Graphical views can easily be
viewed from an integrated, intuitive GUI.

Figure 50 - SmartView Monitor

Predefined views include the most frequently used traffic, counter, tunnel,
gateway, and remote-user information. For example, Check Point system
counters collect information on the status and activities of Check Point Blades
(for example, Firewall). Using custom or predefined views, Administrators can
drill down on the status of a specific gateway and/or segment of traffic to identify
top bandwidth hosts that may be affecting network performance. If suspicious
activity is detected, Administrators can immediately apply a security rule to the
appropriate Security Gateway to block that activity. These security rules can be
created dynamically via the graphical interface, and can be set to expire within a
certain time period.
Real-time and historical reports of monitored events can be generated to provide
a comprehensive view of gateways, tunnels, remote users, network, security, and
Security Gateway performance over time.

SmartView Monitor Login

To log in to SmartView Monitor, select Window > SmartView Monitor from the
SmartDashboard main menu. Or, click Start > Programs > Check Point
SmartConsole R75 > SmartView Monitor.

Customized Views
SmartView Monitor enables graphical views depicting data for several types of
measurements, including bandwidth, round-trip time, packet rate, CPU use, etc.
The most efficient way to yield helpful information is to create a view based on
your specific needs. It is possible to create customized views for view types (for
example, status, traffic, system statistics, and tunnels). The customization
provides the ability to filter specific data and how the data is to be displayed.

Figure 51 - Customized Views

Gateway Status View

SmartView Monitor provides information about the status of all Gateways in a
network. The data in the results pane (upper right) provides information about all
Gateways in the organization, as well as pertinent information about the Gateway
(such as its IP addresses, the last time it was updated, and its status). This
information is directly linked to the view selected in the tree pane (left). Each row
in the table represents a Gateway.

Traffic View
SmartView Monitor makes Administrators aware of traffic associated with
specific network activities, servers, clients, etc., as well as activities, hardware,
and software use of different Check Point products in real time. Among other
things, this knowledge enables Administrators to:
Block specific traffic when a threat is imposed.
Assume instant control of traffic flow on a Gateway.
Learn about how many tunnels are currently open, or about the rate of new
connections passing through the Security Gateway.

You can generate fully detailed or summarized graphs and charts for all
connections and for numerous rates and figures when calculating network use.
System Counters provides in-depth details on Gateway use and activity. As a
Security Administrator, you can generate system status information about:
Resource use for the variety of components associated with the Security
Gateway.
Gateway performance statistics for a variety of firewalled components.
Detect and monitor suspicious activity.

Tunnels View
VPN tunnels are secure links between Security Gateways, and ensure secure
connections between an organization's gateways and its remote-access clients.
Once tunnels are created and put to use, Administrators can keep track of their
normal functions, so possible malfunctions and connectivity problems can be
assessed and solved as soon as possible.

Figure 52 - Tunnels

To ensure this security level, SmartView Monitor can recognize malfunctions and
connectivity problems, by constantly monitoring and analyzing the status of an
organization's tunnels. With the use of tunnel queries, Administrators can
generate fully detailed reports that include information about all tunnels that
fulfill specific tunnel-query conditions. With this information, it is possible to
monitor tunnel status, the VPN Community with which a tunnel is associated, the
Gateways to which a tunnel is connected, etc.


Remote Users View

The Remote Users view allows you to keep track of VPN remote users currently
logged in (i.e., SecuRemote, SecureClient and SSL Network Extender, and in
general any IPSec client connecting to the Security Gateway). It provides you
with filtering capabilities, making it easier to navigate through the entries.

Figure 53 - Remote Users

The Remote Users view provides detailed real-time information about remote
users' connectivity, using data collected from sources such as current open
sessions, overlapping sessions, route traffic, and connection time.


Cooperative Enforcement View


Cooperative Enforcement is a feature that works in conjunction with the Integrity
Server. The Cooperative Enforcement view utilizes the Integrity Server
compliance capability to verify connections arriving from various hosts across
the internal network. Easily deployed and managed, the Integrity Server mitigates
the risk of hackers, worms, spyware, and other security threats.

Figure 54 - Cooperative Enforcement

Using Cooperative Enforcement, any host initiating a connection through a
Gateway is tested for compliance. (The Gateway generates logs for unauthorized
hosts. The logs generated for both authorized and unauthorized hosts can be
viewed in SmartView Monitor.) This increases the integrity of the network,
because it prevents hosts with malicious software components from accessing the
network.
This feature acts as a middleman between hosts managed by an Integrity Server
and the Integrity Server itself. It relies on the Integrity Server compliance feature,
which defines whether a host is secure and can block connections that do not
meet the defined prerequisites of software components.


Monitoring Suspicious Activity Rules

The fast-changing network environment demands the ability to immediately react
to a security problem, without having to change the entire network's Rule Base
(for example, to instantly block a specific user). All inbound and outbound
network activity should be inspected and identified as suspicious when necessary
(for instance, when network or system activity indicates that someone is
attempting to break in).

Figure 55 - External Suspicious Activity Rules

SmartView Monitor enables the integration of a suspicious-activity monitoring
program that is used to modify access privileges, upon detection of any
suspicious network activity. This detection is based on the creation of Suspicious
Activity rules. Suspicious Activity rules are security rules that enable the
Administrator to instantly block suspicious connections that are not restricted by
the currently enforced Security Policy. These rules can be applied immediately,
without the need to install a Policy.


Monitoring Alerts
Alerts provide real-time information about vulnerabilities to computing systems
and how they can be eliminated.
Check Point alerts users to potential threats to the security of their systems, and
provides information about how to avoid, minimize, or recover from the damage.
Alerts are sent by the Security Gateways to the Security Management Server. The
Security Management Server then forwards these alerts to the SmartView
Monitor SmartConsole, which is actively connected to the Security Management
Server. Alerts are sent to draw the Administrator's attention to problematic
Gateways, and are displayed in SmartView Monitor. These alerts are sent:
If certain rules or attributes, which are set to be tracked as alerts, are matched
by a passing connection.
If system events, also called System Alerts, are configured to trigger an alert
when various thresholds are surpassed.

The Administrator can define alerts to be sent for different Gateways. These
alerts are sent under certain conditions, such as if they have been defined for
certain Policies, or if they have been set for different properties. By default, an
alert is sent as a message to the Administrator's desktop when a new alert arrives
in SmartView Monitor. Alerts can also be sent for certain system events. If
certain conditions are set, you can receive System Alerts for critical situation
updates; for example, if free disk space is less than 10 percent, or if a Security
Policy has been changed. System Alerts are characterized as follows:
They are defined per product. For instance, you may define certain System
Alerts for Check Point QoS that would not apply to Connectra.
They may be global or per Gateway. You can set global alert parameters for
all Gateways in the system, or you can specify a particular alert for a
particular Gateway.
They are displayed and viewed via the same user-friendly window. The
information SmartView Monitor gathers also includes status information
about OPSEC gateways and network objects.

After reviewing the status of certain clients in SmartView Monitor, you may
decide to take decisive action for a particular client or cluster member, for
instance:

Disconnect Client - If you have the correct permissions, you can choose to
disconnect one or more of the connected SmartConsole clients. Click the
Disconnect Client button on the Results pane toolbar.

Start/Stop Cluster Member - All cluster members of a given gateway
cluster can be viewed via SmartView Monitor. You can start or stop a selected
cluster member. To do this, right-click the cluster member. From the pull-down
menu, select Start Member or Stop Member.
To configure an alert in SmartView Monitor from SmartDashboard, select Policy
> Global Properties > Log and Alert > Alert Commands. To view the active
alerts from SmartView Monitor, select the Alerts icon from the toolbar.

Gateway Status
Check Point enables information about the status of all gateways in the system to
be collected by the Security Management server and viewed in SmartView
Monitor. The information gathered includes status information about:
Check Point gateways
OPSEC gateways
Check Point Software Blades
A Gateways Status view displays a snapshot of all Check Point Software Blades,
such as VPN and ClusterXL, as well as third-party products (for example,
OPSEC-partner gateways). Gateways Status is very similar in operation to the
SNMP daemon that also provides a mechanism to ascertain information about
gateways in the system.

Figure 56 - Gateway Status Example

The Security Management server acts as an AMON (Application Monitoring)
client. It collects information about specific Check Point Software Blades
installed, using the AMON protocol. Each Check Point gateway, or any other
OPSEC gateway which runs an AMON server, acts as the AMON server itself.
Each gateway makes a status update request, via APIs, from various other
components such as:
The "kernel"
Security Servers
An alternate source for status collection may be any AMON client, such as an
OPSEC partner, which uses the AMON protocol.
The information is fetched at a subscribed interval which is defined by the system
administrator. The AMON protocol is SIC-based, so information can be retrieved
once SIC has been initialized.

Note: There are general statuses which occur for both the
gateway or machine on which the Check Point Software
Blade is installed, and the Software Blade which
represents the components installed on the gateway.

Overall Status
An Overall status is the result of the blades' statuses. The most serious Software
Blade status determines the Overall status. For example, if all the Software
Blade statuses are OK except for the SmartReporter blade, which has a Problem
status, then the Overall status will be Problem.

OK - indicates that the gateway is working properly.

Attention - at least one of the Software Blades indicates that there is a minor
problem but it can still continue to work. Attention can also indicate that,
although a Software Blade is not installed, it is selected in the General
Properties > Check Point Products associated with a specific gateway.

Problem - indicates that one of the Software Blades reported a specific
malfunction. To see details of this malfunction, open the gateway's Status
window by double-clicking it in the Gateways view. Problem can also
indicate a situation in which the Firewall, VPN and ClusterXL Software
Blades are selected in the General Properties > Software Blades but are not
installed.

Waiting - from the time that the view starts to run until the time that the first
status message is received. This takes no more than thirty seconds.

Disconnected - the Security Gateway cannot be reached.

Untrusted - Secure Internal Communication failed. The gateway is
connected, but the Security Management server is not the master of the
gateway.

Software Blade Status

Software Blades include components such as VPN, SmartReporter, Endpoint
Security, and QoS.

OK - indicates that the blade (for example, SmartReporter, VPN, Firewall,
etc.) is working properly.

Attention - the blade indicates that there is a minor problem but it can still
continue to work.

Problem - indicates that the blade reported a specific malfunction. To see
details of this malfunction, open the gateway's status window associated with
the blade by double-clicking it in the Gateways Status view.

Waiting - displayed from the time that the view starts to run until the time
that the first status message is received. This takes no more than thirty
seconds.

Disconnected - the gateway cannot be reached.

Untrusted - Secure Internal Communication failed. The gateway is
connected, but the Security Management server is not the master of the
gateway.

Displaying Gateway Information

In Gateways Status, information is displayed per Check Point or OPSEC gateway.
To display information about the gateway, click the specific gateway in the
Gateway Results view. Details about the gateway will be displayed in the
Gateway Details pane.
This information includes general information such as the name, IP Address,
version, operating system, and the status of the specified gateway, as well as a
myriad of gateway-specific information.

SmartView Tracker vs. SmartView Monitor

Here are some key points when considering which product addresses your needs
better:
SmartView Tracker Benefits - Administrators can use SmartView Tracker to:

Ensure network components are operating properly.

Troubleshoot system and security issues.

Gather information for legal or audit purposes.

Generate reports to analyze network-traffic patterns.

Temporarily or permanently terminate connections from specific IP
addresses, in case of an attack or other suspicious network activity.

SmartView Monitor Benefits - Administrators can use SmartView Monitor to:

Centrally monitor Check Point and OPSEC devices.

Present a complete picture of changes to Gateways, tunnels, remote users, and
security activities. Immediately identify changes in network-traffic flow
patterns that may signify malicious activity.

Maintain high network availability.

Improve efficiency of bandwidth use.

Track SLA compliance.

Practice and Review

Practice Lab
Lab 7: Monitoring with SmartView Tracker

Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView
Tracker in monitoring network activity.

2. Why is there a warning message when switching to Active mode in SmartView
Tracker?

CHAPTER 5

Using SmartUpdate

SmartUpdate extends your organization's ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways from a single management console.

Learning Objectives:
Monitor remote Gateways using SmartUpdate to evaluate the need for
upgrades, new installations, and license modifications.

Use SmartUpdate to apply upgrade packages to single or multiple VPN-1
Gateways.

Upgrade and attach product licenses using SmartUpdate.

SmartUpdate and Managing Licenses

SmartUpdate automatically distributes applications and updates for Check Point
and OPSEC Certified products, and manages product licenses.
SmartUpdate extends your organization's ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways from a single management console. SmartUpdate ensures security
deployments are always up-to-date by enforcing the most current security
software. This provides greater control and efficiency while dramatically
decreasing maintenance costs of managing global security installations.

Figure 57 - Managing Licenses

SmartUpdate enables remote upgrade, installation and license management to be
performed securely and easily. It is possible to remotely upgrade:
Check Point Security Gateways.
Hotfixes, Hotfix Accumulators (HFAs) and patches.
Third-party OPSEC applications.
UTM-1 Edge Gateways.
Operating System.
SecurePlatform.

SmartUpdate Architecture

SmartUpdate installs two repositories on the Security Management Server:
1. License & Contract Repository, which is stored on all platforms in the
directory $CPDIR\conf\.
2. Package Repository, which is stored on:
Windows machines in C:\SUroot.
UNIX machines in /var/suroot.
The Package Repository requires a separate license, in addition to the license for
the Security Management Server. This license should stipulate the number of
nodes that can be managed in the Package Repository.

Figure 58 - SmartUpdate Architecture

Packages and licenses are loaded into these repositories from several sources:

Download Center Web site (packages)

Check Point CD (packages)

User Center (licenses)

By importing a file (packages and licenses)

Running cplic from the command line

Of the many processes that run on Security Gateways distributed across the
corporate network, two in particular are used for SmartUpdate. Upgrade
operations require the cprid daemon, and license operations use the cpd daemon.
These processes listen and wait for the information to be summoned by the
Security Management Server.
From a remote location, an Administrator logged into the Security Management
Server initiates operations using the SmartUpdate tool. The Security
Management Server makes contact with the Security Gateways via the processes
that are running on these components to execute the operations initiated by the
System Administrator (e.g., attach a license or upload an upgrade). Information is
taken from the repositories on the Security Management Server. For instance, if a
new installation is being initiated, the information is retrieved from the Package
Repository; if a new license is being attached to a remote Gateway, information is
retrieved from the License & Contract Repository.
This entire process is SIC based, and is completely secure.


SmartUpdate Introduction


SmartUpdate has two tabs:
The Packages tab - shows the packages and Operating Systems installed on
the Check Point Security Gateways managed by the Security Management
Server. Operations that relate to packages can only be performed in the
Packages tab.
The Licenses & Contracts tab - shows the licenses on the managed Check
Point Security Gateways. Operations that relate to licenses can only be
performed here.
These tabs are divided into a tree structure that displays the packages installed
and the licenses attached to each managed Security Gateway. The tree has three
levels:
The root level shows the name of the Security Management Server to which
the GUI is connected.
The second level shows the names of the Check Point Security Gateways
configured in SmartDashboard.
The third level shows the Check Point packages or installed licenses on the
Check Point Security Gateway.

Figure 59 - SmartUpdate

Additionally, the following panes can be displayed:
The Package Repository shows all the packages available for installation. To
view this pane, select Packages > View Repository.
The License & Contract Repository shows all licenses (attached or
unattached). To view this pane, select Licenses & Contracts > View
Repository.
The Operation Status shows past and current SmartUpdate operations. To
view this pane, select Operations > View Status. For each operation it shows:
The operation performed (i.e., Installing package <X> on Gateway <Y>, or
Attaching license <L> to Gateway <Y>).
The status of the operation being performed, throughout all the stages of its
development (i.e., operation started, or a warning).
A progress indicator.
The time that the operation takes to complete.

R75 Training Manual


Overview of Managing Licenses


SmartView Tracker logs Security Administrator activities. With
SmartUpdate, you can manage all licenses for Check Point packages throughout
the organization from the Security Management Server. SmartUpdate provides a
global view of all available and installed licenses, allowing you to perform such
operations as adding new licenses, attaching licenses and upgrading licenses to
Check Point Security Gateways, and deleting expired licenses. Check Point
licenses come in two forms, Central and Local.

Figure 60 - SmartUpdate - Licenses

The Central license is the preferred method of licensing. A Central license ties
the package license to the IP address of the Security Management Server. That
means that there is one IP address for all licenses; that the license remains valid if
you change the IP address of the gateway; and that a license can be taken from
one Check Point Security Gateway and given to another with ease.
The Local license is an older method of licensing; however, it is still supported by
SmartUpdate. A Local license ties the package license to the IP address of the
specific Check Point Security Gateway, and cannot be transferred to a Gateway
with a different IP address.


Check Point Security Administrator

When you add a license to the system using SmartUpdate, it is stored in the
License & Contract Repository. Once there, it must be installed to the Gateway
and registered with the Security Management Server. Installing and registering a
license is accomplished through an operation known as attaching a license.
Central licenses require an administrator to designate a Gateway for attachment,
while Local licenses are automatically attached to their respective Check Point
Security Gateways.

Licensing Terminology
Common terms used with respect to licensing include the following:
Add - Licenses received from the User Center should first be added to the
SmartUpdate License & Contract Repository. Adding a local license to the
License & Contract Repository also attaches it to the gateway.
Attach - Licenses are attached to a Gateway via SmartUpdate. Attaching a
license to a Gateway involves installing the license on the remote Gateway,
and associating the license with the specific Gateway in the License &
Contract Repository.
Certificate Key - The Certificate Key is a string of 12 alphanumeric
characters. The number is unique to each package. For an evaluation license,
your Certificate Key can be found inside the mini pack. For a permanent
license, you should receive your Certificate Key from your reseller.
cplic - A command line for managing local licenses and local license
operations. For additional information, refer to the Command Line Interface
Reference Guide:
http://supportcontent.checkpoint.com/documentation_download?ID=8713

Detach - Detaching a license from a Gateway involves uninstalling the
license from the remote Gateway, and making the license in the License &
Contract Repository available to any Gateway.
State - Licenses can be in one of the following states: Requires Upgrade, No
License, Obsolete or Assigned. The license state depends on whether the
license is associated with the Gateway in the License & Contract Repository,
and whether the license is installed on the remote Gateway. The license state
definitions are as follows:

Attached - indicates that the license is associated with the
Gateway in the License & Contract Repository, and is installed
on the remote Gateway.
Unattached - indicates that the license is not associated with
the Gateway in the License & Contract Repository, and is not
installed on any Gateway.
Requires Upgrade - indicates an NG license that is installed
on a Gateway, for which no replacement upgraded license
exists.
Assigned - is a license that is associated with the Gateway in
the License & Contract Repository, but has not yet been
installed on the Gateway as a replacement for an existing NG
license.
No NGX license - is an NG license that does not need a new
license, or one for which the license upgrade failed.
Obsolete license - is a pre-NGX license for which a
replacement license is installed on a Gateway.

Upgrade Status - A field in the License & Contract Repository
that contains an error message from the User Center if the upgrade
process fails.

Get - Locally installed licenses can be placed in the License & Contract
Repository, to update the repository with all licenses across the installation.
The Get operation is a two-way process that places all locally installed
licenses in the License & Contract Repository and removes all locally deleted
licenses from the License & Contract Repository.

License Expiration - Licenses expire on a particular date, or never. After a
license has expired, the functionality of the Check Point package may be
impaired.

MultiLicense File - Licenses can be conveniently added to a Gateway or
Security Management Server via a file, rather than by typing long text strings.
Multi-license files contain more than one license, and can be downloaded
from the User Center.

Features - A character string that identifies the features of a package.

Upgrading Licenses
When a Central license is placed in the License & Contract Repository,
SmartUpdate allows you to attach it to Check Point packages. Attaching a license
installs it to the remote Gateway and registers it with the Security Management
Server.
New licenses need to be attached when:
An existing license expires.
An existing license is upgraded to a newer license.
A local license is replaced with a central license.
The IP address of the Security Management Server or Gateway changes.

Attaching a license is a three-step process:
1. Get real-time license data from the remote Gateway.
2. Add the appropriate license to the License & Contract Repository.
3. Attach the license to the device.

Retrieving License Data from Security Gateways

To know exactly what type of license is on each remote Gateway, you can
retrieve that data directly from the Gateway.


To retrieve license data from a single remote Gateway, right-click the gateway
object in the License Management window, and select Get Licenses.
To retrieve license data from multiple Check Point Security Gateways, select
Get All Licenses from the Licenses & Contracts menu.


Adding New Licenses to the License & Contract Repository

To install a license, you must first add it to the License & Contract Repository.
You can add licenses to the License & Contract Repository in the following
ways:
Downloading from the User Center
1. Select Licenses & Contracts > Add License > From User Center.
2. Enter your credentials.
3. Perform one of the following:
Generate a new license - If there are no identical licenses,
the license is added to the License & Contract Repository.
Change the IP address of an existing license (Move IP).
Change the license from Local to Central.
Upgrade the license.
Importing License Files
1. Select Licenses & Contracts > Add License > From File.
2. Browse to the location of the license file, select it, and click Open.
A license file can contain multiple licenses. Unattached Central licenses appear
in the License & Contract Repository, and Local licenses are automatically
attached to their Security Gateway. All licenses are assigned a default name in the
format SKU@timedate, which you can modify at a later time.


Adding License Details Manually

You may add licenses that you have received from the Licensing Center by e-mail. The e-mail contains the license-installation instructions.
1. Locate the license - If you have received a license by e-mail, copy the
license to the clipboard. Copy the string that starts with cplic putlic ... and ends
with the last SKU/feature. For example:
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2e-LLQ9NBgPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890
If you have a printout, continue to step 2.
2. Select the Licenses & Contracts tab in SmartUpdate.
3. Select Licenses & Contracts > Add License > Manually. The Add License
window appears.
4. Enter the license details. If you copied the license to the clipboard, click Paste
License. The fields will be populated with the license details.
Alternatively, enter the license details from a printout.
5. Click Calculate, and make sure the result matches the validation code
received from the User Center.
6. You may assign a name to the license, if desired. If you leave the Name field
empty, the license is assigned a name in the format SKU@timedate.
7. Click OK to complete the operation.

Attaching Licenses
After licenses have been added to the License & Contract Repository, select one
or more licenses to attach to a Security Gateway.
1. Select the license(s).
2. Select Licenses & Contracts > Attach.
3. From the Attach Licenses window, select the desired device.
If the attach operation fails, the local licenses are deleted from the Repository.

Detaching Licenses
Detaching a license involves deleting a single Central license from a remote
Check Point Security Gateway and marking it as unattached in the License &
Contract Repository. This license is then available to be used by any Check Point
Security Gateway. To detach a license, select Licenses & Contracts > Detach and
select the licenses to be detached from the displayed window.


Deleting Licenses From License & Contract Repository

Licenses that are not attached to any Check Point Security Gateway and are no
longer needed can be deleted from the License & Contract Repository. To delete
a license:
1. Right-click anywhere in the License & Contract Repository and select View
Unattached Licenses.
2. Select the unattached license(s) to be deleted, and click Delete.

Viewing License Properties

The overall view of the License & Contract Repository displays general
information on each license such as the name of the license and the IP address of
the machine to which it is attached. You can view other properties as well, such
as expiration date, SKU, license type, certificate key and signature key. To view
license properties, double-click on the license in the Licenses & Contracts tab.

Checking for Expired Licenses

After a license has expired, the functionality of the Check Point package will be
impaired; therefore, it is advisable to be aware of the pending expiration dates of
all licenses. To check for expired licenses, select Licenses & Contracts > Show
Expired Licenses. To check for licenses nearing their dates of expiration:
1. In the License Expiration window, set the Search for licenses expiring within
the next x days property.
2. Click Apply to run the search.
To delete expired licenses from the License Expiration window, select the
detached license(s) and click Delete.
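The same two checks the License Expiration window performs (already expired, and expiring within the next x days) can be run offline over license strings in the cplic putlic form shown under "Adding License Details Manually". This is an added example, not Check Point code; it assumes a plain-text file with one cplic putlic line per license, and the hosts, signatures, SKUs and certificate keys in the sample are constructed.

```python
"""Parse license strings in the 'cplic putlic' form and flag expiring licenses.

Added example, not part of the Check Point manual or its tooling. It assumes a
plain-text file with one license per line, in the form the manual shows for an
e-mailed license:

    cplic putlic <host> <expiration date> <signature> <SKU/features> [<certificate key>]

where <expiration date> is written like 06Dec2002, or is the word "never".
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample input: hosts, signatures, SKUs and certificate keys are invented.
SAMPLE_LICENSE_FILE = """\
# constructed sample export, one license per line
cplic putlic 10.1.1.1 06Dec2002 AAAAAAAAA-BBBBBBBBBBBBBBB-CCCCCCCCC CPSUITE-EVAL-3DES-NGX CK-0000000000
cplic putlic 10.1.1.1 31Dec2025 DDDDDDDDD-EEEEEEEEEEEEEEE-FFFFFFFFF CPSB-SAMPLE-A CK-1111111111
cplic putlic 10.1.1.2 never GGGGGGGGG-HHHHHHHHHHHHHHH-IIIIIIIII CPSB-SAMPLE-B CK-2222222222
"""


@dataclass
class LicenseRecord:
    host: str                # IP address the license is tied to (management or gateway)
    expires: Optional[date]  # None means the license never expires
    signature: str
    sku: str                 # SKU/feature string
    cert_key: Optional[str]  # certificate key, when present on the line


def parse_expiry(token: str) -> Optional[date]:
    """Turn '06Dec2002' into a date; 'never' (any case) means no expiry."""
    if token.lower() == "never":
        return None
    return datetime.strptime(token, "%d%b%Y").date()


def parse_license_line(line: str) -> LicenseRecord:
    """Parse one 'cplic putlic ...' line; raise ValueError for anything else."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "cplic" or tokens[1] != "putlic":
        raise ValueError("not a 'cplic putlic' license line: %r" % line)
    return LicenseRecord(
        host=tokens[2],
        expires=parse_expiry(tokens[3]),
        signature=tokens[4],
        sku=tokens[5],
        cert_key=tokens[6] if len(tokens) > 6 else None,
    )


def parse_license_file(text: str) -> List[LicenseRecord]:
    """Parse every non-empty, non-comment line of a license file."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        records.append(parse_license_line(line))
    return records


def days_until_expiry(lic: LicenseRecord, today: date) -> Optional[int]:
    """Days left on the license (negative when already expired); None if perpetual."""
    if lic.expires is None:
        return None
    return (lic.expires - today).days


def find_expiring(records: List[LicenseRecord], within_days: int,
                  today: date) -> Tuple[List[LicenseRecord], List[LicenseRecord]]:
    """Split records into already-expired licenses and licenses expiring within
    the next within_days days. Perpetual licenses appear in neither list."""
    expired, expiring = [], []
    for lic in records:
        left = days_until_expiry(lic, today)
        if left is None:
            continue
        if left < 0:
            expired.append(lic)       # functionality of the package is impaired
        elif left <= within_days:
            expiring.append(lic)      # candidate for renewal before it lapses
    return expired, expiring


if __name__ == "__main__":
    today = date.today()
    records = parse_license_file(SAMPLE_LICENSE_FILE)
    expired, expiring = find_expiring(records, within_days=60, today=today)
    for lic in expired:
        print("EXPIRED  %-10s %-22s %s" % (lic.host, lic.sku, lic.expires))
    for lic in expiring:
        print("EXPIRING %-10s %-22s in %d days"
              % (lic.host, lic.sku, days_until_expiry(lic, today)))
```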

To Export a License to a File

1. In the Licenses Repository select one or more licenses, right-click, and from
the menu select Export to File.
2. In the Choose File to Export License(s) To window, name the file (or select an
existing file), and browse to the desired location. Click Save.
All selected licenses are exported. If the file already exists, the new licenses are
added to the file.


Service Contracts
Before upgrading a Gateway or Security Management Server, you need to have a
valid support contract that includes software upgrade and major releases
registered to your Check Point User Center account. The contract file is stored on
the Security Management Server and downloaded to Check Point Security Gateways
during the upgrade process. By verifying your status with the User Center, the
contract file enables you to easily remain compliant with current Check Point
licensing standards.

Figure 61 - Service Contracts


As in all upgrade procedures, first upgrade your Security Management Server or
Multi-Domain Management (Provider-1/SiteManager-1) before upgrading the
Gateways. Once the management has been successfully upgraded and contains a
contract file, the contract file is transferred to a Gateway when the Gateway is
upgraded (the contract file is retrieved from the management).


Managing Contracts
Once you have successfully upgraded the Security Management Server, you can
use SmartUpdate to display and manage your contracts. From the License
Management window, it is possible to see whether a particular license is
associated with one or more contracts. The License Repository window in
SmartUpdate displays contracts as well as licenses.

Updating Contracts
The Licenses & Contracts menu on the menu bar has enhanced functionality for
handling contracts.
Licenses & Contracts > Update Contracts - Installs contract information
on the Security Management Server. Each time you obtain a new contract,
you can use this option to make sure the new contract is displayed in the
license repository.
Licenses & Contracts > Get all Licenses - Collects licenses of all
Gateways managed by the Security Management Server, and updates the
contract file on the Server if the file on the Gateway is newer.

Figure 62 - Updating Contracts

Licensing R75
Licenses are required for the Security Management Server and Security
Gateways. No license is required for SmartConsole management clients. Check
Point Gateways enforce the license installed on the Gateway by counting the
number of users that have crossed the Gateway. If the maximum number of users
is reached, warning messages are sent to the console.
The Check Point software is activated using a certificate key, which is located on
the back of the software media pack. The certificate key is used to generate a
license key for products that you want to evaluate or purchase. To purchase
Check Point products, contact your reseller.

Note: You must install Software Blade licenses. NGX licenses
cannot be used with R75.
Obtaining a License Key
To obtain a license key from the Check Point User Center:
1. Add the required Check Point products/evaluations to your User Center
account by selecting Accounts & Products > Add Products.
2. Generate a license key for your products/evaluations by selecting Accounts
& Products > Products. Select your product(s) and click Activate License.
The selected product(s)/evaluations have been assigned license keys.
3. Complete the installation and configuration process by doing the following:
Read and accept the End Users License Agreement.
Import the product license key.


Licenses are imported using the Check Point Configuration Tool or SmartUpdate.
SmartUpdate allows you to centrally upgrade and manage Check Point software
and licenses. The certificate keys associate the product license with the Security
Management Server, which means that:
The new license remains valid even if the IP address of the Check Point
gateway changes.
Only one IP address is needed for all licenses.
A license can be detached from one Check Point Gateway and assigned to
another.

Upgrading Licenses
The upgrade procedure is free of charge to purchasers of the Software
Subscription service (Enterprise Base Support).


Licensing SmartEvent
SmartEvent licenses are installed on the SmartEvent server and not on the
Security Management Server. Correlation Units are licensed by the number of
units that are attached to the SmartEvent server.

SmartUpdate Options
Packages > Upgrade all Packages - This feature allows you to upgrade all
packages installed on a Gateway. For IPSO and SecurePlatform, this feature also
allows you to upgrade your operating system as a part of your upgrade. In R70,
SmartUpdate's "Upgrade all Packages" supports HFAs, i.e., it will suggest
upgrading the Gateway with the latest HFA if an HFA package is available in the
Package Repository. "Upgrade All" is the recommended method. In addition,
there is an advanced method to install (distribute) packages one-by-one.
Packages > Add - SmartUpdate provides three "helper" tools for adding
packages to the Package Repository:
From CD - Adds a package from the Check Point CD.
From File - Adds a package that you have stored locally.
From Download Center - Adds a package from the Check Point Download
Center.
Packages > Get Gateway Data - This tool updates SmartUpdate with the
current Check Point or OPSEC third-party packages installed on a specific
Gateway or for your entire enterprise.
Tools > Check for Updates - This feature locates the latest HFA on the Check
Point Download Center, and adds it to the Package Repository.

SmartUpdate Command Line

All management operations that are performed via the SmartUpdate GUI can also
be executed via the command line. There are three main commands:
cppkg to work with the Packages Repository
cprinstall to perform remote installations of packages
cplic for license management
For details on how to use these commands, see the Command Line Interface
(CLI) Administration Guide.

Practice and Review

Review
1. What can be upgraded remotely using SmartUpdate?
2. What two repositories does SmartUpdate install on the Security Management
Server?
3. What does the Pre-Install Verifier check?

CHAPTER 6

User Management and Authentication

User Management and Authentication


If you do not have a user-management infrastructure in place, you can make a
choice between managing the internal-user database or choosing to implement an
LDAP server. If you have a large user count, Check Point recommends opting for
an external user-management database, such as LDAP.
Check Point authentication features enable you to verify the identity of users
logging in to the Security Gateway, but also allow you to control security by
allowing some users access and disallowing others. Users authenticate by
proving their identities, according to the scheme specified under a Gateway
authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.

Learning Objectives:
Centrally manage users to ensure only authenticated users securely access the
corporate network either locally or remotely.
Manage user access to the corporate LAN by using external databases.

Creating Users and Groups


Authentication rules are defined by user groups rather than individual users.
Therefore, you must first define users and then add them to groups to define
authentication rules. You can define users using the Security Gateway proprietary
user database or using an LDAP, RADIUS or ACE server.
For the procedure describing how to create Security Gateway users using a
template, create a group, add users to the group and install user
information in the database, refer to the lab "Creating Users and Groups" in this
chapter.

User Types
SmartDashboard allows you to manage a variety of user types:
External User Profiles - Profiles of externally defined users who are not
defined in the internal users database or on an LDAP server. External user
profiles are used to avoid the burden of maintaining multiple Users Databases, by
defining a single, generic profile for all external users. External users are
authenticated based on either their name or their domain.
Groups - User groups consist of users and of user sub-groups. Including users
in groups is required for performing a variety of operations, such as defining user
access rules or remote access communities.
LDAP Groups - An LDAP group specifies certain LDAP user characteristics.
All LDAP users defined on the LDAP server that match these characteristics are
included in the LDAP group. LDAP groups are required for performing a variety
of operations, such as defining LDAP user access rules or LDAP remote access
communities. For detailed information on LDAP groups, see chapter, "User
Management and Authentication".
Templates - User templates facilitate the user definition process and prevent
mistakes, by allowing you to create a new user based on the appropriate template
and change only a few relevant properties as needed.
Users - These are either local clients or remote clients, who access your
network and its resources.


Security Gateway Authentication

The Security Gateway authenticates individual users using credentials, and
manages them using different authentication schemes. All authentication
schemes require a username and password.

Types of Authentication
There are three ways to access a network resource and authenticate using the
Security Gateway:

User Authentication - Grants access on a per-user basis. This method can
only be used for Telnet, FTP, HTTP, rlogin and HTTPS services. User
Authentication is secure, because the authentication is valid only for one
connection, but intrusive, because each connection requires another
authentication. For example, accessing a single Web page could display
several dozen User Authentication windows, as different components are
loaded.

Session Authentication - Provides an authentication mechanism for any
service, and requires users to supply their credentials for each authentication
session; a Session Authentication Agent must be installed on every
authenticating client. Therefore, this method is not suitable for authenticating
HTTP services, as they open multiple connections per session. Session
Authentication can be used to authenticate any service on a per-session basis.
After the user initiates a connection directly to the server, the Security
Gateway - located between the user and the destination - intercepts the
connection. The Gateway recognizes that user-level authentication is
required, and initiates a connection with a Session Authentication Agent.
Similar to Client Authentication, Session Authentication is best used on
single-user machines, where only one user can authenticate from a given IP at
any one time.

Client Authentication - Permits multiple users and connections from the
authorized IP address or host; authorization is performed per machine. For
example, if finger is authorized for a client machine, all users on the client are
authorized to use finger and are not asked to supply a password during the
authorization process. Client Authentication is slightly less secure than User
Authentication, because it allows any user access from the IP address or host,
but is also less intrusive than Session Authentication. Client Authentication is
best used when the client is a single-user machine, such as a desktop
computer. The main advantage of this method is that it can be used on any
number of connections for any service, and authentication can be validated
for a specified time period.

This table presents a comparison of the three Security Gateway authentication
methods:

| Authentication Type | User | Session | Client |
|---|---|---|---|
| Services | Telnet, FTP, rlogin, HTTP, HTTPS | All services | All services |
| Authentication is performed once per... | Connection | Session | IP address |
| Authenticates when... | Each time a user uses one of the supported services | Each time a user uses any service (requires a Session Authentication Agent on the client) | Only once, and uses any service until signing out |

Authentication is required for remote-access communication such as SSL VPN,
IPSec VPN and Endpoint clients. However, these authentication methods are not
often employed in such environments. For more information about user access
and VPNs, see chapters, "Encryption and VPNs" and "Introduction to VPNs" in
this manual.

Authentication Schemes
Authentication schemes employ usernames and passwords to identify valid users.
Some schemes are maintained locally and store usernames and passwords on the
Security Gateway, while others are maintained externally and store User
Authentication information on an external authentication server. Certain
schemes, such as SecurID, are based on providing a one-time password. All of
the schemes can be used with users defined on an LDAP server. For additional
information on configuring the Security Gateway to integrate with an LDAP
server, refer to the "SmartDirectory and User Management" section in this
chapter.
Check Point Password - The Security Gateway can store a static password in
the local user database of each user configured on the Security Management
Server. No additional software is required. Alternatively, to permit alteration of
this credential, store the Check Point password in SmartDirectory.
Operating System Password - The Security Gateway can authenticate using
the username and password that is stored on the operating system of the machine


on which the Security Gateway is installed. You can also use passwords that are
stored in a Windows domain. No additional software is required.
RADIUS - RADIUS is an external authentication scheme that provides security
and scalability by separating the authentication function from the access server.
Using RADIUS, the Gateway forwards authentication requests by remote users
to the RADIUS server. The RADIUS server, which stores user account
information, authenticates the users.
The RADIUS protocol uses UDP to communicate with the Gateway. RADIUS
servers and RADIUS server-group objects are defined in SmartDashboard.
SecurID - SecurID requires users to both possess a token authenticator and to
supply a PIN or password. Token authenticators generate one-time passwords
that are synchronized to an RSA ACE/server, and may come in the form of
hardware or software. Hardware tokens are key-ring or credit card-sized devices,
while software tokens reside on the computer or device from which the user
wants to authenticate. All tokens generate a random, one-time-use access code
that changes approximately every minute. When a user attempts to authenticate
to a protected resource, the one-time-use code must be validated by the ACE/
server.
Using SecurID, the Security Gateway forwards authentication requests by remote
users to the ACE/server. ACE manages the database of RSA users and their
assigned hard or soft tokens. The Security Gateway acts as ACE/Agent 5.0, and
directs all access requests to the RSA ACE/server for authentication. For
additional information on agent configuration, refer to your ACE/server
documentation.
There are no specific parameters required for the SecurID authentication scheme.
TACACS - TACACS is an external-authentication scheme that provides
verification services. TACACS provides access control for routers, network
access servers and other networked devices through one or more centralized
servers. Using TACACS, the Gateway forwards authentication requests by
remote users to a TACACS server. The TACACS server, which stores user-account
information, authenticates users. The system supports card-key devices
or token cards and Kerberos secret-key authentication. TACACS encrypts the
username, password, authentication services, and accounting information of all
authentication requests to ensure secure communication.
Undefined - The authentication scheme for a user can be undefined. If a user
with an undefined authentication scheme is matched to a rule with some form of
authentication, access is always denied.


Remote User Authentication

SSL VPN supports three authentication schemes, namely, Check Point password,
SecurID and RADIUS. Note the following image of the SSL VPN tab in
SmartDashboard:

Figure 63 - Remote User Authentication

As outlined above, these schemes manage users by means of their credentials. In
addition, after successfully authenticating using one of the allowed gateway
authentication schemes, users can be challenged to provide additional credentials,
sent to their mobile communications device via an SMS message. This is referred
to as Two Factor Authentication.
See Check Point Security Expert R75 (CCSE) courseware for more details
about the SSL VPN Software Blade.

Authentication Methods
Each method can be configured to connect and authenticate clients to the
Security Gateway before the connection is passed to the desired resource (a
process known as non-transparent authentication). Alternatively, each method can
be configured to connect clients directly to the target server (a process known as
transparent authentication).
This section describes how users authenticate using each authentication method,
along with guidelines for configuring each method.


User Authentication
User Authentication provides authentication for the Telnet, FTP, HTTP, and
rlogin services. By default, User Authentication is transparent. The user does not
connect directly to the Security Gateway, but initiates a connection to the target
server.

Figure 64 - Rule Base with User Authentication Defined

User Authentication Rule Base Considerations


Although the Gateway normally processes rules in order, User Authentication is
an exception. In this case the most permissive rule in the Rule Base is used by
the Gateway: if a User Authentication rule matches a packet, all rules are
evaluated before authentication occurs, and the least restrictive rule is applied.
In practice this means that a later rule accepting the same traffic without
authentication lets the connection through unauthenticated, so check the Rule
Base for such overlapping rules whenever a User Auth rule is added.
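The rule-evaluation exception above is easy to miss in a large Rule Base. The following Python model is an added illustration, not taken from the manual or from Check Point's own code: it simulates ordinary first-match processing and the User Authentication exception over a small constructed Rule Base modelled on Table 6-2, and audits the Rule Base for User Auth rules that a later Accept rule would silently bypass. The network objects (Alaska_LAN, Finance_net), their addresses, the rule numbers and the test addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network objects; names and addresses are assumptions for this example.
NETS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "Alaska_LAN": ipaddress.ip_network("10.1.0.0/16"),
    "Finance_net": ipaddress.ip_network("10.2.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    no: int
    src: str             # network object name, or "Any" (Alaska_Users@Any -> "Any")
    dst: str
    services: frozenset  # e.g. {"HTTP", "FTP"}; {"Any"} for any service
    action: str          # "Accept", "Drop" or "User Auth"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str

def matches(rule, pkt):
    """True if the packet's addresses and service fall inside the rule's columns."""
    return (ipaddress.ip_address(pkt.src) in NETS[rule.src]
            and ipaddress.ip_address(pkt.dst) in NETS[rule.dst]
            and ("Any" in rule.services or pkt.service in rule.services))

def first_match(rulebase, pkt):
    """Ordinary processing: the first matching rule decides."""
    return next((r for r in rulebase if matches(r, pkt)), None)

# Ranking used by the User Authentication exception: Accept is less restrictive
# than User Auth, which is less restrictive than Drop.
PERMISSIVENESS = {"Accept": 2, "User Auth": 1, "Drop": 0}

def evaluate(rulebase, pkt):
    """Return (action, rule number) the way the Gateway decides it.

    If the first matching rule is a User Auth rule, every matching rule is
    considered and the least restrictive one wins, so a later Accept rule for
    the same traffic lets the packet through without any authentication."""
    first = first_match(rulebase, pkt)
    if first is None:
        return ("Drop", None)                      # implicit cleanup
    if first.action != "User Auth":
        return (first.action, first.no)
    best = max((r for r in rulebase if matches(r, pkt)),
               key=lambda r: PERMISSIVENESS[r.action])
    return (best.action, best.no)

def _services_overlap(a, b):
    return "Any" in a or "Any" in b or bool(a & b)

def overlaps(a, b):
    """True if some packet could match both rules."""
    return (NETS[a.src].overlaps(NETS[b.src])
            and NETS[a.dst].overlaps(NETS[b.dst])
            and _services_overlap(a.services, b.services))

def audit_user_auth_bypass(rulebase):
    """List (user_auth_rule, accept_rule) pairs where the later Accept rule
    would let traffic matching the User Auth rule through unauthenticated."""
    return [(ua.no, acc.no)
            for ua in rulebase if ua.action == "User Auth"
            for acc in rulebase
            if acc.no > ua.no and acc.action == "Accept" and overlaps(ua, acc)]

# Constructed Rule Base: rule 1 is the Table 6-2 rule; rule 3 is a broader Accept
# rule added later, which is exactly the mistake the audit is meant to catch.
RULEBASE = [
    Rule(1, "Any", "Alaska_LAN", frozenset({"HTTP", "FTP"}), "User Auth"),
    Rule(2, "Any", "Finance_net", frozenset({"HTTP"}), "User Auth"),
    Rule(3, "Any", "Alaska_LAN", frozenset({"HTTP"}), "Accept"),
    Rule(4, "Any", "Any", frozenset({"Any"}), "Drop"),
]

if __name__ == "__main__":
    http_to_lan = Packet("192.0.2.10", "10.1.5.5", "HTTP")
    print("first match :", first_match(RULEBASE, http_to_lan).no)  # 1
    print("gateway     :", evaluate(RULEBASE, http_to_lan))         # ('Accept', 3)
    print("ftp to lan  :", evaluate(RULEBASE, Packet("192.0.2.10", "10.1.5.5", "FTP")))
    print("bypass pairs:", audit_user_auth_bypass(RULEBASE))        # [(1, 3)]
```

The HTTP connection to Alaska_LAN first matches rule 1, but because rule 3 also matches and is less restrictive, the Gateway accepts it with no authentication at all; FTP to the same host, which only rule 1 accepts, still requires User Authentication. Running the audit before installing a policy surfaces such pairs.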


Time-Out Considerations for HTTP User Authentication


In HTTP User Authentication, the Web browser automatically provides the
password to the server for each connection, which raises special security
considerations when using User Authentication for HTTP with one-time
passwords.

Figure 65 - Time-Out Considerations

To avoid forcing users with one-time passwords to generate a new password for
each connection, the HTTP Security Server extends the validity of the password
for the time period defined by the User Authentication session timeout option
in the Authentication Settings section of the Check Point Gateway window.
This ensures that users of one-time passwords do not have to reauthenticate for
each request during this time period. Keep the timeout as short as usability
allows: while it runs, the password remains valid for every request from that
browser session, which weakens its one-time property.
To enhance security, you can require users to reauthenticate for certain types of
requests. For example, you can specify that every request to a specific HTTP
server requires a new password, or that requests that change a server's
configuration require a new password. To set reauthentication parameters,
redefine the Reauthentication options in the HTTP Server field of the Policy >
Global Properties > FireWall > Security Server window.


Configuring User Authentication


To configure User Authentication:
1. Configure authentication for required users and groups, and install the user
database.
2. Define a User Authentication access rule, as follows:
Right-click in the Source column, select Add User Access, then select the
group.
In the Location section in the User Access window, to restrict the location of
authenticating users, select Restrict To and the host, group of hosts, network,
or group of networks that users can access.
In the Service field of the Rule Base, select the services you wish to authenticate.
In the Action column, select User Auth. Table 6-2 below shows an HTTP
User Authentication rule:

SOURCE            DESTINATION   VPN          SERVICE     ACTION
Alaska_Users@Any  Alaska_LAN    Any Traffic  HTTP, FTP   User Auth

3. Double-click the Action column to edit the User Authentication action
properties.
4. If required, adjust the User Authentication session timeout option.
5. Install the Security Policy.


Session Authentication
Session Authentication can be used for any service; however, a Session
Authentication Agent is required to retrieve a user's identity. The Session
Authentication Agent is normally installed on the authenticating client, where the
person who initiates the connection to the destination host supplies the
authentication credentials. Session Authentication requires an authentication
procedure for each connection. However, the Session Authentication Agent can
also be installed on the destination machine or on some other machine in the
network, in which case the user at that machine would provide the username and
password.

Figure 66 - Session Authentication (FW-1 Session Authentication Request window)

The figure shows the Session Authentication login window. After typing the
username, the user is prompted to provide a password.
The following is a typical Session Authentication workflow:
1. The user initiates a connection directly to the server.
2. The Gateway intercepts the connection.
3. The Session Authentication Agent challenges the user for authentication data,
and returns this information to the Gateway.
4. If authentication is successful, the Gateway allows the connection to pass
through the Gateway and continue to the target server.

Check Point Security Administrator

Configuring Session Authentication


To configure Session Authentication:
1. If using the Session Authentication Agent, install and configure it for all
machine desktops with Session Authentication enabled.
2. Configure the required users and groups for authentication, and install the
user database.
3. In the Authentication window from the Gateway object's General Properties, enable the required authentication schemes. The Gateway must support
all user-defined authentication schemes. For example, if some users must provide a Check Point password and others RADIUS authentication, select both
schemes.
4. Define a Session Authentication access rule by following the same instructions as those under "Configuring User Authentication", except select Session
Auth in the Action column of the Rule Base.
5. If required, adjust the Failed Authentication Attempts settings for Session
Authentication in the Authentication window of the Global Properties:

Figure 67 - Session Authentication (Global Properties > Authentication)


Client Authentication
Client Authentication can be used to authenticate any service. It enables access
from a specific IP address for an unlimited number of connections. The client
user performs the authentication process, but it is the client machine that is
granted access. Client Authentication is less secure than User Authentication,
because it permits access for multiple users and connections from authorized IP
addresses or hosts: anyone able to send traffic from that address (another user of
a shared workstation, or any host behind the same NAT address) inherits the
authenticated user's access until it is withdrawn. Authorization is performed on a
per-machine basis for services that do not have an initial login procedure. The
advantages of Client Authentication are that it can be used for an unlimited
number of connections, for any service, and is valid for any length of time.

Client Authentication and Sign-On Overview


Client Authentication works with all sign-on methods. The table below shows
how each sign-on method determines the authentication method used for
authenticated services and for other services. For sign-on methods other than
Manual Client Authentication, the Security Gateway is transparent to users, who
authenticate directly to the destination host.

Client Authentication   Authentication Method for         Authentication Method for
Sign-On Method          Authenticated Services            Other Services
                        (Telnet, FTP, HTTP, rlogin)
Manual                  Telnet to port 259 on Gateway,    Telnet to port 259 on Gateway,
                        or HTTP to port 900 on Gateway    or HTTP to port 900 on Gateway
Partially automatic     User Authentication               Not available
Fully automatic         User Authentication               Session Authentication
Agent automatic         Session Authentication            Session Authentication
Single Sign On          UserAuthority                     UserAuthority

The following are the two Client Authentication sign-on options:

Standard Sign-On - Enables users to access all services permitted by the
rule, without authenticating for each service.
Specific Sign-On - Enables users to access only the services that they
specify when they authenticate, even if the rule allows more than one service;
if users want to use another service, they must reauthenticate for that specific
service.
At the end of an authentication session, users can sign off. When users sign off,
they are disconnected from all services and the remote host.

Sign-On Methods
Manual Sign On - Available for any service that is specified in the Client
Authentication rule; the user must first connect to the Gateway and
authenticate in one of the following two ways:
Through a Telnet session to the Gateway on port 259.
Through an HTTP connection to the Gateway on port 900 and a Web browser;
the requested URL must include the Gateway name and port number, for
example, http://Gateway:900.

Wait Mode
Wait Mode is a Client Authentication feature for Manual Sign On, when the user
initiates a Client Authenticated connection with a Telnet session on port 259 on
the Gateway. Wait Mode eliminates the need to open a new Telnet session to sign
off and withdraw Client Authentication privileges. In Wait Mode, the initial
Telnet session connection remains open as long as Client Authentication
privileges remain valid. Client Authentication privileges are withdrawn when the
Telnet session is closed.
The Security Gateway keeps the Telnet session open by pinging the
authenticating client. If for some reason the client machine stops running, the
Gateway closes the Telnet session, and Client Authentication privileges from the
connected IP address are withdrawn.


Partially Automatic Sign On - Partially Automatic Sign On is available for
authenticated services (Telnet, FTP, HTTP, and rlogin), only if they are
specified in the Client Authentication rule. If users attempt to connect to a
remote host using one of the authenticated services, they must authenticate
with User Authentication. When using partially automatic Client
Authentication, ensure that port 80 is accessible on the Gateway.


Fully Automatic Sign On - Fully Automatic Sign On is available for any
service, only if the required service is specified in the Client Authentication
rule. If users attempt to connect to a remote host using an authenticated
service (Telnet, FTP, HTTP, and rlogin), they must authenticate with User
Authentication. If users attempt to connect to a remote host using any other
service, they must authenticate through a properly installed Session
Authentication Agent. When using fully automatic Client Authentication,
ensure that port 80 is accessible on the Gateway.
Agent Automatic Sign On - Agent Automatic Sign On is available only if
the required service is specified in the Client Authentication rule, and the
Session Authentication Agent is properly installed. If users attempt to connect
to a remote host using any service, they must authenticate through a Session
Authentication Agent.
Single Sign On - Single Sign On is available for any service, only if the
required service is specified in the Client Authentication rule and
UserAuthority is installed. Single Sign On is a Check Point address-management
feature that provides transparent network access. The Gateway
consults the user IP address records to determine which users are logged in to
any given IP address. When a connection matches a Single Sign On enabled
rule, the Gateway queries UserAuthority with the packet's source IP.
UserAuthority returns the name of the user who is registered to the IP. If the
user's name is authenticated, the packet is accepted. If not, it is dropped.

Configuring Client Authentication


To perform basic Client Authentication configuration:
1. Configure the required users and groups for authentication and install the user
database.
2. Right-click the appropriate Check Point Gateway object and select the
Authentication window.
3. Enable the required authentication schemes. The Gateway must support all of
the user-defined authentication schemes. For example, if some users must
provide a Check Point password and others RADIUS authentication, select
both schemes.
4. Define a Client Authentication access rule by following the same instructions
as those under "Configuring User Authentication" on page 155, except select
Client Auth in the Action column of the Rule Base.
5. For partially or fully automatic Client Authentication, ensure that port 80 is
accessible on the Gateway.


6. Double-click the Action column to edit the Client Authentication Action
Properties. The settings for Requires Sign On and Sign On Method are
described in "Client Authentication and Sign-On Overview".
7. Place all Client Authentication rules above the rule that prevents direct connections to the Security Gateway (i.e., the Stealth Rule), so that the sign-on
connections to port 259 and port 900 reach the Security Gateway instead of
being dropped by the Stealth Rule.
8. If required, adjust the Failed Authentication Attempts settings for Client
Authentication in the Authentication window of the Global Properties.
9. Install the Security Policy.
For more details, refer to lab "Partially Automatic Client Authentication".

Enabling Client Authentication Wait Mode


1. Right-click the appropriate Check Point Gateway object and select the
Authentication window.
2. Select Enable Wait Mode for Client Authentication. In Client Authentication Wait mode, the Gateway monitors the Telnet connection to port 259 of
the Gateway by pinging the user's host.
3. Define rules to enable pinging as follows:
Enable the echo-request service from the Security Gateway to the user's host.
Enable the echo-reply service from the user's host to the Security Gateway.


Resolving Access Conflicts


When configuring users, you can define those locations they can access.
However, by doing so, you disallow access to all unspecified locations, which
can cause conflicts with rules that require authentication. For example, if a rule
grants authenticated access to users from Mktg_net to Finance_net, but in the
user's Location tab connections are only permitted within Mktg_net, the
Gateway does not know whether to allow the authentication request when the
user tries to connect to Finance_net.
You can specify how to resolve this conflict by editing the authentication-action
property of the rule. You can define this property for both the Source and
Destination of the rule.
To resolve access conflicts:
1. Right-click the Action field of a rule using some form of authentication, and
select Edit Properties.
2. Do one of the following in the Source and/or Destination fields:
To apply the more restrictive access privileges specified in the rule and in the
Location tab of each user's User Properties window, select Intersect with
User Database.
or
To allow access according to the location specified in the rule, select Ignore
User Database. Note that Ignore User Database discards the per-user location
restriction entirely for that rule, so prefer Intersect with User Database unless
the rule's own Source and Destination are meant to be the only constraint.

Configuring Authentication Tracking


Successful and unsuccessful authentication attempts can be monitored in
SmartView Tracker or using other tracking options, for example, e-mail and
alerts. Authentication tracking can be configured for the following types of
authentication attempts:

Failed authentication attempts - Can be tracked for all forms of
authentication; to track failed authentication attempts, in the Authentication
window of a gateway object, set the Authentication Failure Track property
to define the tracking option when authentication failures occur.

Successful authentication attempts - Can only be tracked for Client
Authentication; in the Client Authentication Action Properties window, set
the Successful Authentication Tracking property to define the tracking
option for all successful Client Authentication attempts. These options
include None, Log, and Alert. The default setting is Log.

All Authentication attempts - Can be tracked for all forms of
authentication: select an option in the Track column of any rule that uses
some form of authentication. Some tracking options may not take effect if the
gateway object is set to log all failed authentication attempts. For example,
setting a rule to None has no effect, and failed authentication attempts are still
logged in SmartView Tracker. However, setting the rule to Alert causes an
alert to be sent for each failed authentication attempt.


LDAP User Management with SmartDirectory


Lightweight Directory Access Protocol (LDAP) is an open industry standard
that is used by multiple vendors. It is used to maintain information about users
and items within an organization. LDAP is widely accepted as the directory-access
method of the Internet. One of the reasons that it is the obvious choice for
so many vendors is its cross-platform compliance. LDAP directories ship with
various operating systems (e.g., Microsoft Active Directory) and servers (such as
Novell, Netscape, etc.).

When integrated with Security Management, LDAP is referred to as
SmartDirectory (LDAP).

LDAP Features
Features of LDAP are as follows:
LDAP is based on a client/server model, in which an LDAP client makes a
TCP connection to an LDAP server.

Each entry has a unique Distinguished Name (DN).

Default port numbers are 389 for standard connections, and 636 for Secure
Sockets Layer (SSL) connections. Bind credentials and user passwords sent over
port 389 cross the network in clear text, so use the SSL port for Account Units
that authenticate users.

In SmartDashboard, an LDAP server (or a set of replicated servers) is
represented by an Account Unit.


Distinguished Name
A Distinguished Name (DN) is a globally unique name for an entry, constructed
by joining the Relative Distinguished Names (RDNs) of each level of a hierarchical
structure, from the entry itself up to the root. Each component of the DN is the
RDN of one level. This structure becomes apparent when setting up
SmartDashboard user management.

Figure 68 - Distinguished Name

For example, if searching for the name John Brown, the search path would start
with John Brown's Common Name (CN). You would then narrow the search to
the organization he works for, then to the country. If John Brown works for ABC
Company, one possible DN is shown below:

cn=John Brown,ou=Marketing,o=ABC Company,c=US

This can be read as "John Brown, in Marketing, of ABC Company, in the United
States". A different John Brown, who works at the XYZ Company, might have a
DN as follows:

cn=John Brown,o=XYZ Company,c=US

The two CNs "John Brown" belong to two different organizations with different
DNs. This can be outlined as an inverted tree, as in the figure.


Multiple LDAP Servers


There are several advantages to using more than one LDAP server, including the
following:
Compartmentalization, by allowing a large number of users to be distributed
across several servers

High Availability, by replicating the same information on several servers

Faster access time, by placing LDAP servers containing the database at
remote sites

Figure 69 - Multiple LDAP Servers

If the Security Gateway includes the appropriate license, account management is
allowed for an unlimited number of LDAP servers. Therefore, as many LDAP
servers as needed may be managed through SmartDashboard, as shown below:

Using an Existing LDAP Server


If there is an existing LDAP user database, integration with the Security Gateway
is relatively simple. The LDAP server maintains all user information, including
login name and password. Addition and deletion of users is performed on the
LDAP server through the LDAP user interface or SmartDashboard.


Configuring Entities to Work with the Gateway


The predominant reasons for integrating the Security Gateway and
SmartDirectory (LDAP) are:
To query user information.
To enable Certificate Revocation List (CRL) retrieval.
To enable user management.
To authenticate users.
The first step is to enable the option Use SmartDirectory (LDAP) in Global
Properties. Then, it is necessary to define an Account Unit. If you are
implementing SmartDirectory user management, you will need to know which
entities to define, and how to manage the users defined by the SmartDirectory
Account Unit. SmartDirectory user management requires a special license.

Figure 70 - Configuring Entities to Work with the Gateway

The graphic shows the global settings for SmartDirectory (LDAP):


Defining an Account Unit


Create a new SmartDirectory Account Unit via the Servers tab of the Objects
tree, as shown.

Figure 71 - LDAP Account Unit Properties


The LDAP Account Unit Properties window consists of several tabs:

General tab - Defines the general settings of the LDAP Account Unit:
decide whether this Account Unit is to be used for CRL retrieval, user
management, or both, and select the profile to be applied to the new Account
Unit. Four profiles are defined by default, each corresponding to a specific
LDAP server:

OPSEC_DS - The default profile for a standard OPSEC-certified
SmartDirectory server.
Netscape_DS - The profile for a Netscape Directory Server.
Novell_DS - The profile for a Novell Directory Server.
Microsoft_AD - The profile for Microsoft Active Directory.

Servers tab - Displays the LDAP servers to be used by the
Account Unit; the order in which they are displayed is the
default query order.
Note: Additionally, for purposes of backward compatibility,
select an LDAP server that is able to work with pre-NG
FP3 Gateways.

Objects Management tab - Allows you to select the LDAP server on
which objects are managed; the branches for the selected LDAP server can be
retrieved by selecting Fetch branches, or they can be added manually. Some
versions of LDAP do not support automatic branch retrieval using Fetch
branches. These branches will be searched when this LDAP server is
queried. The Administrator can add or modify the branches.

Authentication tab - Allows you to define an authentication scheme for
the LDAP account.

Note: For enhanced security, this Account Unit object can be
locked with a password that must be entered when this
Account Unit is accessed from SmartDashboard for
managing users.


Managing Users
Users defined in the Account Unit are managed in the Users tab of the Objects
tree. This intuitive tree structure enables users to be managed as if all the users
were actually sitting in the internal Security Gateway database. For instance, you
can add, edit or delete users by right-clicking them in the Objects tree, and by
selecting the option of your choice.

Figure 72 - Managing Users

SmartDirectory Groups
SmartDirectory groups are created to classify users within certain group types.
These SmartDirectory groups are then applied in Policy rules. Define a
SmartDirectory group in the LDAP Group Properties window in the Users and
Administrators tab of the Objects tree:

Figure 73 - LDAP Group Properties


Once SmartDirectory groups are created, they can be applied in various Policy
rules, such as the Security Policy. In this window, you can select the Account
Unit on which the SmartDirectory group is defined, and apply an advanced filter
to increase the granularity of a group definition. Only those users who match the
defined criteria will be included as members of the SmartDirectory group. For
instance, you can include all users defined in the selected Account Unit as part of
the SmartDirectory group, or only members of a specified branch, or only
members of a specified group on the branch.
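The DN structure described under "Distinguished Name" and the three SmartDirectory group scopes above (the whole Account Unit, a branch, or a group on the branch) are both questions about where an entry sits in the directory tree. The following Python code is an added example, not taken from the manual or from Check Point: it parses and builds DNs with RFC 4514 escaping (a simplified parser that handles backslash escapes only, not hex pairs or multi-valued RDNs), tests whether an entry lies under a branch, and resolves the three group scopes over a small constructed directory. The directory entries, the group entry and the Account Unit base are assumptions made for the example.

```python
# Simplified RFC 4514 DN handling and SmartDirectory-style group scopes.
# Assumptions: backslash escapes only (no \XX hex pairs, no multi-valued RDNs
# joined with '+'); attribute types and values are compared case-insensitively,
# which is what the usual caseIgnoreMatch rule gives.

def split_dn(dn):
    """'cn=John Brown,ou=Marketing,o=ABC Company,c=US' ->
    [('cn', 'John Brown'), ('ou', 'Marketing'), ('o', 'ABC Company'), ('c', 'US')]"""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # an unescaped comma ends the RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parsed.append((attr.strip().lower(), value))
    return parsed

def escape_rdn_value(value):
    """Escape a value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        needs = (ch in ',+"\\<>;'
                 or (ch == "#" and i == 0)
                 or (ch == " " and i in (0, len(value) - 1)))
        out.append("\\" + ch if needs else ch)
    return "".join(out)

def build_dn(path):
    """Build a DN from a leaf-to-root list of (attribute, value) pairs."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in path)

def normalize(dn):
    return tuple((attr, value.lower()) for attr, value in split_dn(dn))

def is_under(entry_dn, branch_dn):
    """True if entry_dn is strictly below branch_dn in the tree."""
    entry, branch = normalize(entry_dn), normalize(branch_dn)
    return len(entry) > len(branch) and entry[-len(branch):] == branch

# Constructed directory content: DN -> attributes.  Two John Browns exist, but
# only the ABC one lies under the Account Unit base below.
DIRECTORY = {
    "cn=John Brown,ou=Marketing,o=ABC Company,c=US": {"objectclass": "person"},
    "cn=Jane Doe,ou=Marketing,o=ABC Company,c=US": {"objectclass": "person"},
    "cn=Sam Lee,ou=Finance,o=ABC Company,c=US": {"objectclass": "person"},
    "cn=Web Team,ou=Marketing,o=ABC Company,c=US": {
        "objectclass": "groupOfNames",
        "member": ["cn=John Brown,ou=Marketing,o=ABC Company,c=US"]},
    "cn=John Brown,o=XYZ Company,c=US": {"objectclass": "person"},
}
ACCOUNT_UNIT_BASE = "o=ABC Company,c=US"

def group_members(scope, base=ACCOUNT_UNIT_BASE, branch=None, group=None):
    """Resolve a SmartDirectory group definition to its member DNs.

    scope: "all"    - every user under the Account Unit base
           "branch" - only users under the given branch DN
           "group"  - only users listed as members of the given group entry"""
    users = [dn for dn, attrs in DIRECTORY.items()
             if attrs["objectclass"] == "person" and is_under(dn, base)]
    if scope == "all":
        return sorted(users)
    if scope == "branch":
        return sorted(dn for dn in users if is_under(dn, branch))
    if scope == "group":
        wanted = {normalize(m) for m in DIRECTORY[group].get("member", [])}
        return sorted(dn for dn in users if normalize(dn) in wanted)
    raise ValueError(f"unknown scope {scope!r}")

if __name__ == "__main__":
    print(split_dn("cn=John Brown,ou=Marketing,o=ABC Company,c=US"))
    print(build_dn([("cn", "Brown, John"), ("o", "ABC Company"), ("c", "US")]))
    print(group_members("branch", branch="ou=Marketing,o=ABC Company,c=US"))
    print(group_members("group", group="cn=Web Team,ou=Marketing,o=ABC Company,c=US"))
```

The escaping matters in practice: a user whose CN contains a comma (Brown, John) is only one RDN when the comma is escaped, and a naive split on commas would place him in a branch that does not exist. The XYZ John Brown never appears in any scope because his DN is not under the Account Unit base, which is exactly how the two identically named users stay apart.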


Practice and Review


Practice lab
Lab 8: Client Authentication

Review
1. User Auth can only be used for what services?
Telnet, FTP, HTTP, rlogin, HTTPS

2. When using Session Authentication, what is needed to retrieve a user's identity?

3. What are the advantages of using multiple LDAP servers?

4. Why integrate the Security Gateway and SmartDirectory?

CHAPTER 7

Identity Awareness

Identity Awareness
To provide granular access to resources on the network, you need to deploy a
more comprehensive Security Policy that manages access based on more
information than just the IP address of the connecting machine. Implement
Identity Awareness to manage access based on the identity of the user in addition
to their location in the network.

Learning Objectives:

Use Identity Awareness to provide granular level access to network resources.

Acquire user information used by the Security Gateway to control access.

Define Access Roles for use in an Identity Awareness rule.

Implement Identity Awareness in the Firewall Rule Base.

Introduction to Identity Awareness


In typical firewall configurations, the firewall is only aware of the IP addresses of
the machines attempting to send traffic through it. With Check Point's Identity
Awareness feature, security administrators have the ability to manage access to
network resources not only by IP address, or location of the machine sending the
traffic, but also based on the user making the request.
Through a comprehensive object called an Access Role, administrators can create
complex rules that allow or deny traffic to or from a specific network based on
the user's credentials. This means it is possible to block all traffic to a specific
resource while allowing that same traffic from a specific group of users
configured by the administrator.

Figure 74 - Check Point Gateway - Identity Awareness

Enabling Identity Awareness


Activate Identity Awareness functionality by selecting the Identity Awareness
option in the Security Gateway. This can be done on the General Properties page
or the Identity Awareness page.

Figure 75 - Check Point Gateway General Properties

Once selected, the system displays a wizard that allows you to define the Identity
Awareness settings. The purpose of the wizard is to allow you to define your
authentication method as one or both of the following:
Captive Portal

LDAP

LDAP Integration
LDAP integration with the Security Management Server allows a gateway configured with
Identity Awareness to query the Active Directory server for user information.
Based on the Windows Management Instrumentation (WMI) protocol, this process
works in environments where Microsoft Active Directory Server 2003 or 2008 is
deployed. The query is clientless and takes place in a way that is transparent to
the user, requiring no client or server side software.
To identify the user or machine for Identity Awareness using the LDAP query, the
user or resource must be pre-defined in the Active Directory server's database.
Connections by users not configured in the database will be denied. To have the
user authenticate through LDAP, you must configure the following information
to allow the gateway to query the Active Directory server for user credentials:
Active Directory
(LDAP server object configured on the Management Server)
Username (domain administrator)
Password (domain administrator password)
The gateway uses this account to read logon events from the domain controllers
over WMI, so treat its password as a privileged secret and, where your
environment allows it, prefer a dedicated account granted only the rights needed
for that query over a full domain administrator account.


Once the LDAP information is configured, test connectivity from the Integration
with Active Directory screen:

Figure 76 - Integration with Active Directory

If you do not want the gateway to query the Active Directory server for user
information, select the option I do not wish to configure an Active Directory at
this time.
Once LDAP integration is configured, the authentication process is seamless to
the user. The gateway does not obtain credentials from the connecting host; it
reads the logon events that the Active Directory server recorded when the user
authenticated to the domain, and from them learns which user is behind the
connecting IP address. The gateway uses the information retrieved from the
LDAP query to determine the user's access based on the enforced Security Policy.


Captive Porta l
The Captive Portal is a web-based tool that allows the gateway to request login
information from the user. This simple solution is built into the Security Gateway
and does not require additional configuration. Enable the Captive Portal in the
Action column of an Identity Awareness rule.
When an unknown user attempts to connect to a protected resource through an
HTTP rule with Identity Awareness configured, the gateway presents the Captive
Portal and prompts the user for credentials. The login information provided is
then authenticated against the existing user database configured on the Security
Management Server. The portal also supports all Check Point authentication
methods such as LDAP, RADIUS, etc.

Note: Only HTTP traffic can be redirected to the Captive Portal.

When configuring Identity Awareness in the wizard, the Captive Portal Settings
window displays an example of Identity Awareness configured in a Rule Base. It
also allows you to select the Main URL to which an unknown user will be
directed for the portal.

Figure 77 - Captive Portal Default Settings

By default, the portal is only accessible through internal interfaces. The system,
however, automatically selects the primary interface of the Security Gateway as
the Main URL. This means the automatically selected interface may not be on
the internal network. If this is the case, change the Main URL selection to an IP
on a protected network, so that the login page, and the credentials users type into
it, are never exposed on an external interface.


The Captive Portal offers administrators greater flexibility than the automatic
LDAP query, in that it works with both existing users and guests. Unidentified
users may be blocked, or guests can be allowed to enter required credentials or
download the Identity Awareness agent.

Authenticating Through Captive Portal

Figure 78 - Identity Awareness with Captive Portal and LDAP

1. A user attempts to access a resource on the internal network.
2. Identity Awareness does not recognize the user and redirects the user's
browser to the Captive Portal.
3. The user enters his existing credentials.
4. The credentials are sent to the Security Gateway and verified against the AD
Server.
Note: LDAP integration is used in this example but is not
required. The user may be verified against the user
database configured on the Security Management
Server.
5. The user is granted access to the originally requested URL.

Enabling Identity Awareness

Identity Agents
Identity Agents can be installed by a guest user by downloading them from the
Captive Portal, or pre-installed on an internal user's machine. Once installed, the
Identity Agent provides both user and machine identity when providing
credentials to the gateway. In addition, Identity Agents allow administrators to
identify the user even if they roam to different protected networks within the
organization.
The Identity Agent uses single sign-on, so that when the user logs into the domain,
that information is also used to meet Identity Awareness credential requests.

Authenticating with an Identity Agent


Figure 79 - Identity Awareness with Identity Agent

1. A user logs into his PC with his regular credentials and attempts to access the
Internal Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize
the user.
3. The Security Gateway redirects his browser to the Captive Portal.
4. The user downloads the Identity Agent from the Captive Portal and installs it
on his PC.
5. The Identity Agent connects to the Security Gateway.
6. The user is authenticated and granted access to the originally requested
resource.


Defining Access Roles


After selecting the authentication method and configuring Identity Awareness
settings on the gateway object, it is then necessary to configure an Access Role
and include it in the Rule Base before Identity Awareness can be enforced in the
Security Policy.
Access Roles are used in the FireWall and Application Control Rule Bases to
define users, machines, and network segments as a single object. This
comprehensive object allows you to grant or restrict access to protected resources
based on the identity of the user.

Figure 80 - Access Role

Access Roles grant security administrators greater flexibility when defining an
organization's Security Policy. For example, suppose you need to prohibit all
users except for the finance group from accessing servers in the finance network
segment. Those users, however, need FTP access. You want to grant this access,
but only if they are logging in from an internal location. To do this, you simply
configure an Access Role with the internal network and the finance group's users.
When placed in the Source column of an FTP accept rule, your task is complete.

Using Access Roles in the Firewall Rule Base


The Firewall Rule Base enforces the Security Policy in a sequential manner.
When implementing Identity Awareness, it is important to verify that traffic you
intend to block or authenticate is not allowed in another rule.
To be an Identity Awareness rule, a rule must include an Access Role in either the
Source or Destination column. Access Roles may also be negated, facilitating
additional security options.

Figure 81 -Identity Awareness Rule

In rules with Access Role objects, the matching criteria operate as follows:

When the identity of the user is known:
If the user credentials match the Access Role, the rule is
applied and the traffic is accepted or dropped based on the
defined action.
If the user credentials do not match the Access Role, the gateway goes
on to examine the next rule.
When the identity of the user is unknown and all of the following
conditions apply, the traffic is redirected to the Captive Portal
to retrieve credentials and authenticate the user:
Traffic is HTTP
Action is set to redirect to the Captive Portal
All the rule's fields match except the Access Role field
When the identity of the user is unknown, there is no match
and the next rule is examined, if:
the traffic is not HTTP,
the Action is not set to redirect to the Captive Portal,
or not all of the rule's fields match.
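The matching order above, together with the finance/FTP Access Role scenario from the previous page, as an added example in Python. This is not code from the manual or from Check Point's software: the AccessRole, Rule and Connection classes, the object names (Finance_Internal, Any_Identified), the sample networks and the user names are this example's assumptions, and a rule is reduced to Source, Destination and Service. A real gateway resolves identities against AD/LDAP or the local user database; here the identity is simply carried on the connection (None when unknown).

```python
"""Identity Awareness rule matching, modelled on the criteria above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class AccessRole:
    """Users and networks bundled into one object (hypothetical names, not SmartDashboard's)."""
    name: str
    users: frozenset = frozenset()   # empty: any identified user
    networks: tuple = ()             # empty: any source network

    def matches(self, user: Optional[str], src_ip: str) -> bool:
        if user is None:
            return False             # an unknown identity never satisfies a role
        if self.users and user not in self.users:
            return False
        if self.networks:
            ip = ipaddress.ip_address(src_ip)
            return any(ip in ipaddress.ip_network(n) for n in self.networks)
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    source: Union[AccessRole, str]    # AccessRole, CIDR string, or "Any"
    destination: str                  # CIDR string or "Any"
    service: str                      # "HTTP", "FTP", ... or "Any"
    action: str                       # "accept" or "drop"
    redirect_to_portal: bool = False  # Action set to redirect unknown users to the Captive Portal


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    service: str
    user: Optional[str] = None        # None: the gateway has not identified the user


def _ip_in(ip: str, spec: str) -> bool:
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def match_rule_base(rules, conn: Connection):
    """Walk the Rule Base top down and return (rule name, decision)."""
    for rule in rules:
        # Destination and Service must match before any rule can apply.
        if not (_ip_in(conn.dst_ip, rule.destination) and rule.service in ("Any", conn.service)):
            continue
        if not isinstance(rule.source, AccessRole):
            if _ip_in(conn.src_ip, rule.source):
                return rule.name, rule.action
            continue
        # Identity Awareness rule: the Source column holds an Access Role.
        if conn.user is not None:
            if rule.source.matches(conn.user, conn.src_ip):
                return rule.name, rule.action          # credentials match: apply the action
            continue                                   # known user, wrong role: next rule
        # Identity unknown: only HTTP with a redirecting action goes to the Captive Portal.
        if conn.service == "HTTP" and rule.redirect_to_portal:
            return rule.name, "redirect to Captive Portal"
        continue                                       # not HTTP or no redirect: next rule
    return None, "drop"                                # implicit cleanup


# Constructed sample Rule Base for the finance scenario (all names and addresses hypothetical).
FINANCE_INTERNAL = AccessRole("Finance_Internal", users=frozenset({"alice", "bob"}),
                              networks=("10.1.0.0/16",))
ANY_IDENTIFIED = AccessRole("Any_Identified")
FINANCE_NET = "10.9.0.0/24"
RULES = (
    Rule("finance_ftp", FINANCE_INTERNAL, FINANCE_NET, "FTP", "accept"),
    Rule("block_finance", "Any", FINANCE_NET, "Any", "drop"),
    Rule("identified_web", ANY_IDENTIFIED, "Any", "HTTP", "accept", redirect_to_portal=True),
    Rule("cleanup", "Any", "Any", "Any", "drop"),
)

if __name__ == "__main__":
    for c in (Connection("10.1.2.3", "10.9.0.5", "FTP", user="alice"),
              Connection("203.0.113.7", "10.9.0.5", "FTP", user="alice"),
              Connection("10.1.2.3", "198.51.100.1", "HTTP"),
              Connection("10.1.2.3", "198.51.100.1", "FTP")):
        print(c, "->", match_rule_base(RULES, c))
```

Note how the second rule is what actually blocks non-finance users and finance users coming from outside the internal network: the Access Role rule simply fails to match and evaluation moves on, which is why the text warns that traffic you intend to block must not be allowed by another rule further down.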


Practice and Review


Practice Labs
Lab 9: Deploying Identity Awareness

Review
1. What steps must you take to enforce Identity Awareness rules in your
Security Policy?

2. In what instances can the Captive Portal be deployed?

3. What are the benefits of pre-installing Identity Agents on internal hosts?

CHAPTER 8

Introduction to Check Point VPNs

Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and
enhance secure network connectivity. Based on standard Internet security
protocols, a VPN enables secure links between special types of network nodes:
the Gateways. A site-to-site VPN ensures secure links between Gateways. A Remote
Access VPN ensures secure links between Gateways and remote access clients.

Learning Objectives:
Configure a pre-shared secret site-to-site VPN with partner sites.
Configure permanent tunnels for remote access to corporate resources.
Configure VPN tunnel sharing, given the difference between host-based,
subnet-based and gateway-based tunnels.


The Check Point VPN


A Virtual Private Network (VPN) is a secure-connectivity platform that both
connects networks and protects the data passing between them. For example, an
organization may have geographically spaced networks connected via the
Internet; the company has connectivity but no privacy. The Gateway provides
privacy by encrypting those connections that need to be secure. Another
company may connect all parts of its geographically spaced network through the
use of dedicated leased lines; this company has achieved connectivity and
privacy, but at great expense. The Gateway offers a cheaper connectivity solution by
connecting the different parts of the network via the public Internet.

Figure 82 - Check Point VPN Deployment

A VPN employs encrypted tunnels to exchange securely protected data. The
Security Gateway creates encrypted tunnels by using the Internet Key Exchange
(IKE) and IP Security (IPSec) protocols. IKE creates the VPN tunnel, and this
tunnel is used to transfer IPSec-encoded data. Think of IKE as the process that
builds a tunnel, and IPSec packets as trucks that carry the encrypted data along
the tunnel.

VPN Deployments
A VPN uses the Internet as its network backbone, allowing the establishment of
secure communication links among company offices, business partners, and so
on. VPNs are replacing more expensive leased lines, Frame Relay circuits, and
other forms of dedicated connections.
Site-to-Site VPNs
Site-to-site VPNs are built to handle secure communication between a company's
internal departments and branch offices. A site-to-site VPN's design
requirements include:
Strong data encryption, to protect confidential information.
Reliability for mission-critical systems, such as database management.
Scalability, to accommodate growth and change.


Figure 83 - Site-to-Site VPN

Remote-Access VPNs
Remote-access VPNs are built to handle secure communication between a
corporate network and remote or mobile employees. A remote-access VPN's
design requirements include:
Strong authentication, to verify remote and mobile users.
Centralized management.
Scalability, to accommodate user groups.
Figure 84 - Remote-Access VPN

VPN Implementation
A complete VPN implementation supports all VPN categories: intranet and
remote-access VPNs. This allows a company worldwide access to network
resources, links mobile workers to corporate intranets, allows customers to place
orders, and enables suppliers to check inventory levels, all in a highly secure
and cost-effective manner.
Figure 85 - Check Point VPN Example

The complete VPN must include three critical VPN components:
VPN Endpoints - Gateways, clusters of gateways, or remote client software
(for mobile users) which negotiate the VPN link.
VPN Trust Entities - For example, the Check Point Internal Certificate
Authority. The ICA is part of the Check Point suite used for establishing trust for
SIC connections between Gateways, authenticating administrators and third-party
servers. The ICA provides certificates for internal Gateways and remote access
clients which negotiate the VPN link.
VPN Management Tools - Security Management Server and SmartDashboard.
SmartDashboard is the SmartConsole used to access the Security Management
Server. The VPN Manager is part of SmartDashboard. SmartDashboard enables
organizations to define and deploy intranet and remote access VPNs.


VPN Setup
Configuring a VPN can be a complicated task for Security Administrators. Check
Point's management tools provide a simplified VPN setup mode, reducing the
VPN configuration process to its essentials and making setup straightforward.

Understanding VPN Deployment


The Check Point VPN management model enables Administrators to directly
define a VPN on a group of Gateways. Each Gateway in a group, and all (or part)
of a Gateway's protected domain, constitute a new entity: a VPN site.
(A VPN site is not to be confused with a site that is defined for Endpoint Security
Secure Access clients.)
Each VPN site performs encryption on behalf of a VPN Domain, the LAN or
group of networks that a Gateway protects. System Administrators group VPN
sites together, creating a VPN Community. A VPN Community is a collection of
VPN sites and the enabled VPN tunnels among them, with predefined properties
that are automatically applied to each Community member.
The structure of the VPN Community is automatically translated into encrypted
connections among its members, so the Administrator is relieved of the task of
designing and defining encryption rules. Just by defining a VPN Community, the
Administrator has completed the VPN configuration, once access control has
been set and the encompassing security system is in place. Since this VPN
management model separates the VPN as a secure connectivity platform from
access control, no access-control related decisions will affect the VPN
Community.


VPN Communities
Creating VPN tunnels between Gateways is made easier through the
configuration of VPN Communities. To understand VPN Communities, a
number of terms need to be defined:
VPN Community member - The Gateway that resides at one end of a VPN
tunnel.
VPN Domain - The hosts behind the Gateway; the VPN Domain can be the
whole network that lies behind the Gateway or just a section of that network.
For example, a Gateway might protect the corporate LAN and the DMZ. Only
the corporate LAN needs to be defined as the VPN Domain.
VPN site - Community member plus VPN Domain; a typical VPN site would
be the branch office of a bank.
VPN Community - The collection of VPN tunnels/links and their
attributes.
Domain-based VPN - Routing VPN traffic based on the VPN Domain
behind each Gateway in the Community; in a star Community, this allows
satellite Gateways to communicate with each other through center Gateways.
Route-based VPN - Traffic routed within the VPN Community based on
the routing information, static or dynamic, configured on the operating
systems of the Gateways.

Figure 86 - VPN Communities

The methods used for encryption and ensuring data integrity determine the type
of tunnel created between the Gateways, which in turn is considered a
characteristic of that particular VPN Community.
The Security Management Server can manage multiple VPN Communities, which
means Communities can be created and organized according to specific needs.

Remote Access Community


A Remote Access Community is a type of VPN Community created specifically
for users who usually work from remote locations, outside the corporate LAN.
This type of Community ensures secure communication between users and the
corporate LAN.

VPN Topologies
The most basic topology consists of two Gateways capable of creating a VPN
tunnel between them. The Security Management Server's support of more complex
topologies enables VPN Communities to be created according to the particular
needs of an organization. The Security Management Server supports two main VPN
topologies:

Meshed

Star

Meshed VPN Community


A mesh is a VPN Community in which a VPN site can create a VPN tunnel with
any other VPN site in the community:

Figure 87 - Meshed VPN

Star VPN Community


A Star is a VPN Community consisting of central Gateways (or "hubs") and
satellite Gateways (or "spokes"). In this type of Community, a satellite can create
a tunnel only with other sites whose Gateways are defined as central:

Figure 88 - Star VPN (Meshed)

A satellite Gateway cannot create a VPN tunnel with a Gateway that is also
defined as a satellite Gateway.
Central Gateways can create VPN tunnels with other central Gateways only if the
Mesh center Gateways option has been selected in the Central Gateways
window of Star Community Properties.

Choosing a Topology
Which topology to choose for a VPN Community depends on the overall Policy
of the organization. For example, a meshed community is usually appropriate for
an intranet in which only Gateways that are part of the internally managed
network are allowed to participate; Gateways belonging to company partners are
not.

A star VPN Community is usually appropriate when an organization needs to
exchange information with networks belonging to external partners. These
partners need to communicate with the organization, but not with each other. The
organization's Gateway is defined as a "central" Gateway; the partner Gateways
are defined as "satellites."

Combination VPNs
For more complex scenarios, consider a company with headquarters (HQ) in two
countries, London and New York. Each headquarters has a number of branch
offices. The branch offices only need to communicate with the HQ in their
country, not with each other; only the HQs in New York and London need to
communicate directly. To comply with this Policy, define two star Communities,
London and New York. Configure the London and New York Gateways as
"central" Gateways. Configure the Gateways of the New York and London branch
offices as "satellites." This allows the branch offices to communicate with the
HQ in their country. Now create a third VPN Community, a VPN mesh consisting
of the London and New York Gateways.

Figure 89 - Combination VPNs (London star, New York star, London-New York mesh)

Topology and Encryption Issues


Issues involving topology and encryption can arise as a result of an organization's
Policy on security; for example, the country in which a branch of the organization
resides may have a national Policy regarding encryption strength. Suppose the
Policy says the Washington Gateways should communicate using 3DES for
encryption. Policy also states the London Gateways must communicate using the
DES encryption algorithm.

Figure 90 - Topology and Encryption Concerns

In addition, the Washington and London Gateways need to communicate with
each other using the weaker DES. Consider the solution in the figure.
In this solution, Gateways in the Washington mesh are also defined as satellites in
the London star. In the London star, the central Gateways are meshed. Gateways
in Washington build VPN tunnels with the London Gateways using DES.
Internally, the Washington Gateways build VPN tunnels using 3DES. (DES, with
its 56-bit key, is no longer considered secure; the point of the example is the
topology, not the choice of cipher.)

Special VPN Gateway Conditions


Individually, Gateways can appear in many VPN Communities; however, two
Gateways that can create a VPN link between them in one Community cannot
appear in another VPN Community in which they can also create a link. For
example:

Figure 91 - London, New York and Paris Gateways (London Mesh)

The London and New York Gateways belong to the London-NY Mesh VPN
Community. To create an additional VPN Community which includes London,
New York, and Paris is not allowed. The London and New York Gateways cannot
appear "together" in more than one VPN Community.
Two Gateways that can create a VPN link between them in one Community can
appear in another VPN Community, provided that they are incapable of creating a
link between them in the second Community.

Figure 92 - London-NY Mesh and Paris Star

In the figure, the London and New York Gateways appear in the London-NY
mesh. These two Gateways also appear as satellite Gateways in the Paris Star
VPN Community. In the Paris Star, satellite Gateways (London and NY) can only
communicate with the central Paris Gateway. Since the London and New York
satellite Gateways cannot open a VPN link between them, this is a valid
configuration.

Authentication Between Community Members


Before Gateways can exchange encryption keys and build VPN tunnels, they first
need to authenticate to each other. Gateways authenticate to each other by
presenting one of two types of "credentials":
Certificates - Each Gateway presents a Certificate which contains
identifying information of the Gateway itself, and the Gateway's public key,
both of which are signed by the trusted CA. For convenience, Power-1 has its
own Internal CA that automatically issues Certificates for all internally
managed Gateways, requiring no configuration by the user. In addition,
Power-1 supports other PKI solutions.
Pre-shared secret - A pre-shared secret is defined for a pair of Gateways. Each
Gateway proves that it knows the agreed-upon pre-shared secret. The pre-shared
secret can be a mixture of letters and numbers, a password of some
kind.
Considered more secure, Certificates are the preferred means. In addition, since
the Internal CA on the Security Management Server automatically
provides a Certificate to each Power-1 Gateway it manages, it is more convenient
to use this type of authentication.

However, if a VPN tunnel needs to be created with an externally managed
Gateway (a Gateway managed by a different Security Management Server), the
externally managed Gateway:
Might support Certificates, but certificates issued by an external CA, in which
case both Gateways need to trust the other's CA.
May not support Certificates, in which case VPN supports the use of a pre-shared
secret. A "secret" is defined per external Gateway. If there are five
internal Gateways and two externally managed Gateways, then there are two
pre-shared secrets. The two pre-shared secrets are used by the five internally
managed Gateways. In other words, all the internally managed Gateways use
the same pre-shared secret when communicating with a particular externally
managed Gateway.

Domain and Route-Based VPNs


VPN routing provides a way of controlling how VPN traffic is directed. There are
two methods for VPN routing:
Domain-based VPN
Route-based VPN

Domain-Based VPN
This method routes VPN traffic based on the VPN Domain behind each Gateway
in the Community. In a star Community, this allows satellite Gateways to
communicate with each other through center Gateways. Configuration for
domain-based VPN is performed directly through SmartDashboard.

Route-Based VPN
Traffic is routed within the VPN Community based on the routing information,
static or dynamic, configured on the operating systems of the Gateways. Route-based
VPN is discussed in detail in the Check Point Security Administration II
course.

Access Control and VPN Communities


Configuring Gateways into a VPN Community does not create a de facto access-control
Policy between the Gateways. The fact that two Gateways belong to the
same VPN Community does not mean the Gateways have access to each other.

Figure 93 - Access Control VPN

The configuration of the Gateways into a VPN Community means that if these
Gateways are allowed to communicate via an access-control Policy, then that
communication is encrypted. Access control is configured in the Rule Base.
Using the VPN column of the Rule Base, it is possible to create access-control
rules that apply only to members of a VPN community, for example:

Destination   VPN           Service   Action
Any           Community_A   HTTP      Accept

It is also possible for a rule in the Rule Base to be relevant for both VPN
Communities and host machines not in the Community.
The following rule in the Rule Base allows an HTTP connection between any internal IP
and any IP:

Source                 Destination   VPN   Service   Action
Any_Internal_Machine   Any           Any   HTTP      Accept

In the figure, an HTTP connection between Host 1 and the Internal Web Server
behind Gateway 2 matches this rule. A connection between Host 1 and the Web
Server on the Internet also matches this rule; however, the connection between
Host 1 and the Internal Web Server is a connection between members of a VPN
Community and passes encrypted; the connection between Host 1 and the
Internet Web Server passes in the clear.
In both cases, the connection is simply matched to the rule; whether or not the
connection is encrypted is dealt with on the VPN level. VPN is another level of
security separate from the access-control level.
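The link rules for meshed and star Communities, the constraint from Special VPN Gateway Conditions (a pair of Gateways may be able to link in at most one Community), and the separation just described between matching a rule's VPN column and deciding whether the connection is encrypted, as one added example in Python. This is not Check Point code: the Community class, its field names, the Gateway names and the topology built from the London/New York/Paris and Washington/London discussions are this example's assumptions modelled on the text; "mesh_centers" stands in for the Mesh center Gateways option.

```python
"""VPN Community link rules, the one-Community-per-pair check, and the VPN column (added example)."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Community:
    """A meshed or star VPN Community; field names are this example's, not SmartDashboard's."""
    name: str
    kind: str                                   # "mesh" or "star"
    members: FrozenSet[str] = frozenset()       # mesh: all members
    centers: FrozenSet[str] = frozenset()       # star: central Gateways
    satellites: FrozenSet[str] = frozenset()    # star: satellite Gateways
    mesh_centers: bool = False                  # star: "Mesh center Gateways" option

    def gateways(self) -> FrozenSet[str]:
        return self.members | self.centers | self.satellites

    def can_link(self, a: str, b: str) -> bool:
        """True if this Community alone lets Gateways a and b open a VPN tunnel."""
        if a == b:
            return False
        pair = frozenset((a, b))
        if self.kind == "mesh":
            return pair <= self.members
        if self.kind == "star":
            if pair <= self.centers:
                return self.mesh_centers       # centre to centre only when meshed
            if pair <= self.satellites:
                return False                   # satellite to satellite: never
            return pair <= self.gateways()     # one centre, one satellite
        raise ValueError("unknown community kind: " + self.kind)


def conflicting_pairs(communities):
    """Gateway pairs that could link in more than one Community: not allowed."""
    found = []
    everyone = set().union(*(c.gateways() for c in communities))
    for a, b in combinations(sorted(everyone), 2):
        linking = [c.name for c in communities if c.can_link(a, b)]
        if len(linking) > 1:
            found.append(((a, b), linking))
    return found


def encrypting_community(communities, a: Optional[str], b: Optional[str]) -> Optional[str]:
    """Name of the Community whose tunnel carries traffic between Gateways a and b, else None."""
    if a is None or b is None:                 # one end is not behind a Community member
        return None
    linking = [c.name for c in communities if c.can_link(a, b)]
    if len(linking) > 1:
        raise ValueError("%s and %s can link in several Communities: %s" % (a, b, linking))
    return linking[0] if linking else None


def vpn_column(communities, rule_vpn: str, src_gw: Optional[str], dst_gw: Optional[str]):
    """Model the VPN column: returns (rule matches, Community that encrypts or None).

    Access control decides the match; whether the connection is then encrypted is a
    separate, VPN-level decision taken from the Community definitions.
    """
    community = encrypting_community(communities, src_gw, dst_gw)
    if rule_vpn == "Any":
        return True, community
    return community == rule_vpn, community


# Constructed topology from the text: a London-NY mesh plus a Paris star with London and
# New York as satellites. The pair London/New York can link in only one Community: valid.
LONDON_NY = Community("London-NY Mesh", "mesh", members=frozenset({"London", "NewYork"}))
PARIS_STAR = Community("Paris Star", "star", centers=frozenset({"Paris"}),
                       satellites=frozenset({"London", "NewYork"}))
VALID = (LONDON_NY, PARIS_STAR)
# A second mesh that also contains London and New York is the invalid case from the text.
BIG_MESH = Community("London-NY-Paris Mesh", "mesh",
                     members=frozenset({"London", "NewYork", "Paris"}))
INVALID = (LONDON_NY, BIG_MESH)

if __name__ == "__main__":
    print("valid topology conflicts:", conflicting_pairs(VALID))
    print("invalid topology conflicts:", conflicting_pairs(INVALID))
    print("rule VPN=Any, London->NewYork:", vpn_column(VALID, "Any", "London", "NewYork"))
    print("rule VPN=Any, London->Internet host:", vpn_column(VALID, "Any", "London", None))
```

Run conflicting_pairs over a proposed set of Communities before pushing a policy; any pair it reports is exactly the configuration the text says SmartDashboard will not allow. The Washington/London design from Topology and Encryption Issues (a Washington mesh whose members are satellites of a London star with meshed centres) passes the same check.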

Accepting All Encrypted Traffic


If you select Accept all encrypted traffic in the General window of the VPN
Community Properties, a new rule is added to the Rule Base. This rule is neither
a regular rule nor an implied rule, but an automatic community rule, and can be
distinguished by its beige-colored background.

Figure 94 - Encrypting All Traffic

Excluded Services
In the VPN Communities Properties > Excluded Services window, you can
select services that are not to be encrypted, for example control connections.
Services in the clear means "do not make a VPN tunnel for this connection".
Note that Excluded Services is not supported when using route-based VPN.

Special Considerations for Planning a VPN Topology


When planning a VPN topology, it is important to ask a number of questions:
1. Who needs secure/private access?
2. From a VPN point of view, what will be the structure of the organization?
3. Internally managed Gateways authenticate each other using Certificates, but
how will externally managed Gateways authenticate?
Do these externally managed Gateways support PKI?
Which CA should be trusted?

Integrating VPNs into a Rule Base


The type of Rule Base used determines how an Administrator integrates
encryption rules into a Policy. In Simplified Mode, the Administrator can
configure both star and mesh intranets. The Simplified Mode Rule Base also
includes an additional column, VPN, to incorporate configured intranet
Community objects:

Figure 95 - Rule Base

In the Rule Base above, several rules are shown. The first rule allows cleartext
Telnet traffic to pass each way between netoslo and netmadrid. The second
rule allows encrypted FTP traffic to pass each way between the two networks.
Although the second rule is an encryption rule, the Administrator cannot
configure the Action column for encryption. The only actions available in the
Simplified Mode of the Rule Base are as follows:
accept
drop
reject
Legacy > User Auth
Legacy > Client Auth
Legacy > Session Auth
The inclusion of either a star or mesh Community object in the VPN field of a
Rule Base forces all packets matching the rule's criteria to be encrypted. The
traffic also appears as encrypted and decrypted in SmartView Tracker, even
though the rule shows accept in the Action column. If Any Traffic is selected in
the VPN column and no intranet Community is defined, traffic passing on this
rule will be matched to the Source, Destination, and Service columns, as in
Traditional Mode.

Simplified vs. Traditional Mode VPNs


Simplified Mode makes it possible to maintain and create simpler, and therefore
less error-prone and more secure, VPNs. It also makes it easier to understand the
VPN topology of an organization, and to understand who is allowed to
communicate with whom. In addition, new VPN features such as VPN routing are
supported only with a Simplified Mode Security Policy. However, organizations
that have large VPN deployments with complex networks may prefer to maintain
existing VPN definitions and continue to work within Traditional Mode, until
they are able to migrate their policies to Simplified Mode.

VPN Tunnel Management


A Virtual Private Network provides a secure connection, typically over the
Internet. VPNs accomplish this by creating an encrypted tunnel that provides the
same security available as in a private network. This allows workers who are in
the field or working at home to securely connect to a remote corporate server, and
also allows companies to securely connect to branch offices and other companies
over the Internet. The VPN tunnel guarantees:
Authenticity, by using standard authentication methods.
Privacy, by encrypting data.
Integrity, by using standard integrity-assurance methods.
Types of tunnels and the number of tunnels can be managed with the following
features:
Permanent Tunnels - This feature keeps VPN tunnels active, allowing real-time
monitoring capabilities.
VPN Tunnel Sharing - This feature provides greater interoperability and
scalability between Gateways. It also controls the number of VPN tunnels
created between peer Gateways.
The status of all VPN tunnels can be viewed in SmartView Monitor. For more
information on monitoring, see the SmartView Monitor user guide.

Permanent Tunnels
As companies have become more dependent on VPNs for communication to
other sites, uninterrupted connectivity has become more crucial than ever before.
Therefore, it is essential to make sure that the VPN tunnels are kept up and
running. Permanent tunnels are constantly kept active and, as a result, make it
easier to recognize malfunctions and connectivity problems. Administrators can
monitor the two sides of a VPN tunnel and identify problems without delay.

Each VPN tunnel in the Community may be set to be a permanent tunnel. Since
permanent tunnels are constantly monitored, if the VPN tunnel fails, then a log,
alert, or user-defined action can be issued. A VPN tunnel is monitored by
periodically sending "tunnel test" packets. As long as responses to the packets are
received, the VPN tunnel is considered "up." If no response is received within a
given time period, the VPN tunnel is considered "down." Permanent tunnels can
only be established between Check Point Gateways. The configuration of
permanent tunnels takes place on the Community level and:
Can be specified for an entire Community. This option sets every VPN tunnel
in the Community as permanent.
Can be specified for a specific Gateway. Use this option to configure specific
Gateways to have permanent tunnels.
Can be specified for a single VPN tunnel. This feature allows configuring
specific tunnels between specific Gateways as permanent.

Tunnel Testing for Permanent Tunnels


Tunnel testing is a proprietary Check Point protocol that is used to test if VPN
tunnels are active. A packet has an arbitrary length, with only the first byte
containing meaningful data. This is the type field.
The type field can take any of the following values:
1. Test
2. Reply
3. Connect
4. Connected
Tunnel testing requires two Gateways: one configured to Ping and one to
respond. The Pinging Gateway uses the VPN daemon to send encrypted tunnel-testing
packets to Gateways configured to listen for them. A responder Gateway
is configured to listen on port 18234 for the special tunnel-testing packets.

The Pinging Gateway sends type 1 or 3. The responder sends a packet of identical
length with type 2 or 4, respectively. During the connect phase, tunnel testing is
used in two ways:
1. A connect message is sent to the Gateway. Receipt of a connect message is
the indication that the connection succeeded. The connect messages are
retransmitted for up to 10 seconds after the IKE negotiation is over, if no
response is received.
2. A series of test messages with various lengths is sent, so as to discover the
Path Maximum Transmission Unit (PMTU) of the connection. This may also
take up to 10 seconds. This test is executed to ensure that TCP packets that are
too large are not sent. TCP packets that are too large will be fragmented and
slow down performance.
VPN-1 NG with Application Intelligence R54 and higher Gateways can Ping or
respond. In a MEP environment, center Gateways can only be responders.
Embedded NG 5.0 and higher Gateways can Ping or respond. Older versions of
this software can only be responders. Third-party Gateways cannot Ping or
respond.
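The tunnel-test exchange and the PMTU probing described above, as an added example in Python; it is not Check Point's implementation. Only what the text states is modelled: a type byte followed by padding of arbitrary length, replies of identical length carrying type 2 or 4, and a responder listening on port 18234. The in-memory "path" that drops packets above an MTU, the binary search for the largest answered length, and the up/down decision from a single probe are this example's assumptions; the real protocol runs encrypted inside the tunnel with its own retransmission timers.

```python
"""Tunnel-test packets and PMTU probing for permanent tunnels (added example)."""
from typing import Callable, Optional

TUNNEL_TEST_PORT = 18234                      # responder listens here (from the text); unused offline
TYPE_TEST, TYPE_REPLY, TYPE_CONNECT, TYPE_CONNECTED = 1, 2, 3, 4
REPLY_FOR = {TYPE_TEST: TYPE_REPLY, TYPE_CONNECT: TYPE_CONNECTED}


def build_packet(ptype: int, length: int) -> bytes:
    """Pinging side: first byte is the type, the rest is padding (length is arbitrary)."""
    if ptype not in REPLY_FOR:
        raise ValueError("pinger sends only Test or Connect")
    if length < 1:
        raise ValueError("a packet needs at least the type byte")
    return bytes([ptype]) + bytes(length - 1)


def respond(packet: Optional[bytes]) -> Optional[bytes]:
    """Responder side: answer Test with Reply and Connect with Connected, same length."""
    if not packet or packet[0] not in REPLY_FOR:
        return None                            # nothing received, or not a request type
    return bytes([REPLY_FOR[packet[0]]]) + bytes(len(packet) - 1)


def is_valid_reply(sent: bytes, reply: Optional[bytes]) -> bool:
    """A reply counts only if it matches the request in length and carries the paired type."""
    return (reply is not None and len(reply) == len(sent)
            and reply[0] == REPLY_FOR[sent[0]])


def simulated_path(mtu: int) -> Callable[[bytes], Optional[bytes]]:
    """Assumed tunnel model: packets above the path MTU are lost; everything else is answered."""
    def send(packet: bytes) -> Optional[bytes]:
        if len(packet) > mtu:
            return None
        return respond(packet)
    return send


def tunnel_state(send: Callable[[bytes], Optional[bytes]], probe_len: int = 64) -> str:
    """One monitoring round: a valid Reply keeps the tunnel 'up', otherwise it is 'down'."""
    probe = build_packet(TYPE_TEST, probe_len)
    return "up" if is_valid_reply(probe, send(probe)) else "down"


def discover_pmtu(send: Callable[[bytes], Optional[bytes]],
                  lo: int = 64, hi: int = 1500) -> Optional[int]:
    """Send Test packets of various lengths; the largest one answered bounds the PMTU.

    The text only says that lengths vary; a binary search over [lo, hi] is this example's choice.
    Returns None if even the smallest probe goes unanswered.
    """
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        probe = build_packet(TYPE_TEST, mid)
        if is_valid_reply(probe, send(probe)):
            best, lo = mid, mid + 1            # answered: try larger
        else:
            hi = mid - 1                       # lost: try smaller
    return best


if __name__ == "__main__":
    path = simulated_path(mtu=1400)
    print("tunnel:", tunnel_state(path))
    print("PMTU:", discover_pmtu(path))
    print("connect ->", respond(build_packet(TYPE_CONNECT, 8)))
```

The length check in is_valid_reply is what makes the PMTU probe meaningful: a responder that answered with a short packet would say nothing about whether the full-sized probe survived the path.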

VPN Tunnel Sharing


Since various vendors implement IPSec tunnels using a number of different
methods, Administrators need to cope with different means of implementation of
the IPSec framework.
VPN Tunnel Sharing provides interoperability and scalability by controlling the
number of VPN tunnels created between peer Gateways. There are three
available settings:
One VPN tunnel per each pair of hosts
One VPN tunnel per subnet pair
One VPN tunnel per Gateway pair
For a VPN Community, the configuration is set in the Tunnel Management
dialog box of the Community Properties window. For a specific Gateway, the
configuration is set in the VPN Advanced dialog box of the Gateway's
properties window.

VPN Tunnel Sharing provides greater interoperability and scalability by
controlling the number of VPN tunnels created between peer Gateways.
Configuration of VPN Tunnel Sharing can be set on both the VPN Community
and Gateway object:
One VPN Tunnel per each pair of hosts - A VPN tunnel is created for
every session initiated between every pair of hosts.
One VPN Tunnel per subnet pair - Once a VPN Tunnel has been opened
between two subnets, subsequent sessions between the same subnets will
share the same VPN tunnel. This is the default setting and is compliant with
the IPSec industry standard.
One VPN Tunnel per Gateway pair - One VPN tunnel is created between
peer Gateways and shared by all hosts behind each peer Gateway.
In case of a conflict between the tunnel properties of a VPN Community and a
Gateway object that is a member of that same Community, the stricter setting is
followed. For example, a Gateway that was set to One VPN Tunnel per each pair
of hosts and a Community that was set to One VPN Tunnel per subnet pair
would follow One VPN Tunnel per each pair of hosts.
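The three settings and the stricter-setting rule, worked through as an added example (illustration code, not Check Point's own logic). The two Gateways, their VPN-domain subnets and the four sessions are constructed; the code counts how many tunnels the same traffic creates under each setting and resolves a Community/Gateway conflict the way the paragraph describes.

```python
"""Constructed model of the three VPN Tunnel Sharing settings and of the
'stricter setting wins' rule for Community/Gateway conflicts. Added
illustration, not Check Point code; gateways, subnets and sessions are
made up."""
import ipaddress

# Strictness order: host pair (most tunnels) > subnet pair > gateway pair.
PER_HOST_PAIR, PER_SUBNET_PAIR, PER_GATEWAY_PAIR = "host_pair", "subnet_pair", "gateway_pair"
STRICTNESS = {PER_HOST_PAIR: 0, PER_SUBNET_PAIR: 1, PER_GATEWAY_PAIR: 2}


def effective_setting(community_setting: str, gateway_setting: str) -> str:
    """Conflict between a Community and a member Gateway: the stricter setting wins."""
    return min(community_setting, gateway_setting, key=STRICTNESS.__getitem__)


def locate(ip, topology):
    """Return (VPN-domain subnet, Gateway name) for a host address."""
    for gateway, subnets in topology.items():
        for subnet in subnets:
            if ip in subnet:
                return subnet, gateway
    raise ValueError(f"{ip} is not inside any VPN domain")


def tunnel_key(setting, src, dst, topology):
    """Identify the tunnel a src->dst session would use under a given setting.
    Tunnels are treated as bidirectional, so the key is order-independent."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net, src_gw = locate(src_ip, topology)
    dst_net, dst_gw = locate(dst_ip, topology)
    if src_gw == dst_gw:
        raise ValueError("no VPN tunnel for traffic inside one Gateway's domain")
    if setting == PER_HOST_PAIR:
        ends = (str(src_ip), str(dst_ip))
    elif setting == PER_SUBNET_PAIR:
        ends = (str(src_net), str(dst_net))
    elif setting == PER_GATEWAY_PAIR:
        ends = (src_gw, dst_gw)
    else:
        raise ValueError(f"unknown setting {setting!r}")
    return tuple(sorted(ends))


def count_tunnels(setting, sessions, topology) -> int:
    """How many distinct tunnels a list of (src, dst) sessions creates."""
    return len({tunnel_key(setting, s, d, topology) for s, d in sessions})


# Constructed topology: two Gateways, each with its VPN domain.
TOPOLOGY = {
    "GW-Corp": [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.1.1.0/24")],
    "GW-Branch": [ipaddress.ip_network("10.2.0.0/24")],
}
# Constructed sessions crossing the site-to-site VPN.
SESSIONS = [
    ("10.1.0.5", "10.2.0.10"),
    ("10.1.0.6", "10.2.0.10"),
    ("10.1.0.5", "10.2.0.11"),
    ("10.1.1.7", "10.2.0.10"),
]

if __name__ == "__main__":
    for setting in (PER_HOST_PAIR, PER_SUBNET_PAIR, PER_GATEWAY_PAIR):
        print(f"{setting:13s}: {count_tunnels(setting, SESSIONS, TOPOLOGY)} tunnel(s)")
    print("Community=subnet_pair, Gateway=host_pair ->",
          effective_setting(PER_SUBNET_PAIR, PER_HOST_PAIR))
```

The same four sessions produce four tunnels per host pair, two per subnet pair and one per Gateway pair, which is the scalability trade-off the text refers to; the conflict example from the paragraph (Gateway set to host pair, Community set to subnet pair) resolves to host pair.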

Remote Access VPNs


Check Point offers several remote access solutions to provide the right product
for different types of mobile users. From client to clientless VPN solutions,
Check Point provides comprehensive solutions that maximize security to
corporate resources.
Check Point's IPsec VPN Software Blade is an integrated software solution that
provides secure connectivity to corporate networks, remote and mobile users,
branch offices and business partners. The blade integrates access control,
authentication and encryption to guarantee the security of network connections
over the public Internet.
The SmartDashboard enables administrators to define participating gateways,
including third-party gateways, in large-scale VPNs. VPN gateways can be
configured for both star and mesh topologies in minutes with an integrated
certificate authority to manage keys.
The IPsec VPN Software Blade provides flexibility to design a solution to meet
corporate needs with a number of remote access VPN client choices:
Check Point Endpoint Security - Check Point Endpoint Security is the first
single agent for total endpoint security that combines a remote access VPN with
the firewall, network access control (NAC), program control, antivirus,
antispyware, and data security features.
SecuRemote - SecuRemote is a basic VPN client that offers IPsec connectivity
for remote users.
SecureClient - SecureClient is an advanced VPN client that offers IPsec
connectivity for remote users.
SecureClient Mobile - SecureClient Mobile delivers firewall protection and
secure, uninterrupted remote access for wireless devices such as mobile phones.
L2TP for iPhone - This offers support for the iPhone's built-in L2TP VPN
client.

Multiple Remote Access VPN Connectivity Modes


The IPsec Software Blade provides various modes to address a variety of
connectivity and routing issues faced by remote users.

Office Mode - Addresses routing issues between the client and the Gateway by
encapsulating IP packets with the remote user's original IP address, thereby
enabling users to appear as if they were "in the office" while connecting
remotely. Office Mode also provides enhanced antispoofing by ensuring that the
IP address encountered by the Gateway is authenticated and assigned to the user.
Visitor Mode - Enables employees to access resources while they are working
at a remote location such as a hotel or a customer office, where Internet
connectivity may be limited to Web browsing using the standard HTTP and
HTTPS ports. The client tunnels all client-to-Gateway traffic through a regular
TCP connection on port 443.
Hub Mode - Enables rigorous, centralized inspection of all client traffic,
removing the need to deploy security functions to multiple offices, and giving
employees secure client-to-client communications such as Voice over IP (VoIP)
or Internet conferencing using applications like Microsoft NetMeeting.

Establishing a Connection Between a Remote User and a Gateway


To allow the user to access a network resource protected by a Security Gateway,
the following process must take place. First, a VPN tunnel establishment process
is initiated. An IKE negotiation takes place between the peers. During IKE
negotiation, the peers' identities are authenticated. The Gateway then verifies the
user's identity and the client verifies that of the Gateway. The authentication can
be performed using several methods, including digital certificates issued by the
Internal Certificate Authority (ICA). It is also possible to authenticate using
third-party PKI solutions, pre-shared secrets or third party authentication
methods, such as SecurID and RADIUS.

Figure 96 - Remote Access Connections

After the IKE negotiation ends successfully, a secure connection (a VPN tunnel)
is established between the client and the Gateway. All connections between the
client and the Gateway's VPN domain (the LAN behind the Gateway) are
encrypted inside this VPN tunnel, using the IPSec standard. Except for when the
user is asked to authenticate in some manner, the VPN establishment process is
transparent.
1. The remote user initiates a connection to Gateway 1.
2. The user is not authenticated via the VPN database, but an LDAP server
belonging to VPN Site 2.
3. Gateway 1 verifies that the user exists by querying the LDAP server behind
Gateway 2.
4. Once the user's existence is verified, the Gateway then authenticates the user;
for example, by validating the user's certificate.
5. Once IKE is successfully completed, a tunnel is created; the remote client
connects to Host 1.
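The five steps above as a small state model, added here as an illustration (not Check Point code). Gateway and host names follow the figure, but the directory contents and certificate fields are constructed, and certificate validation is reduced to issuer, validity-date and subject checks; a real ICA validation also checks the signature and revocation status. The point the model makes is the ordering: no traffic reaches the VPN domain until the user has been found in the directory behind Gateway 2 and authenticated, and each rejection carries a reason that a Gateway would log.

```python
"""Constructed walk-through of the remote-access connection steps
(added illustration, not Check Point code). Directory contents and
certificate fields are made up; validation is deliberately minimal."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Certificate:
    subject: str     # user name the certificate was issued to
    issuer: str      # e.g. the Internal Certificate Authority (ICA)
    not_after: date  # end of validity period


class LdapServer:
    """Stands in for the LDAP server behind Gateway 2 (steps 2 and 3)."""

    def __init__(self, users):
        self._users = set(users)

    def user_exists(self, username: str) -> bool:
        return username in self._users


@dataclass
class Gateway:
    name: str
    directory: LdapServer
    vpn_domain: set             # hosts on the LAN behind this Gateway
    trusted_issuer: str = "ICA"
    tunnels: dict = field(default_factory=dict)

    def handle_ike(self, username: str, cert: Certificate, today: date):
        """Steps 3-5: verify the user exists, authenticate, then create the tunnel.
        Returns (outcome, detail); the detail is what a defender would log."""
        if not self.directory.user_exists(username):          # step 3
            return "rejected", "user not found in LDAP"
        if cert.issuer != self.trusted_issuer:                # step 4
            return "rejected", f"certificate issuer {cert.issuer!r} not trusted"
        if cert.not_after < today:
            return "rejected", "certificate expired"
        if cert.subject != username:
            return "rejected", "certificate subject does not match user"
        tunnel_id = f"{username}@{self.name}"                 # step 5
        self.tunnels[tunnel_id] = username
        return "tunnel", tunnel_id

    def forward(self, tunnel_id: str, host: str) -> bool:
        """Only traffic arriving through an established tunnel reaches the VPN domain."""
        return tunnel_id in self.tunnels and host in self.vpn_domain


def remote_access_connect(gateway, username, cert, host, today):
    """Step 1 onward from the client's view: initiate IKE, then try to reach host.
    Returns (reached_host, detail)."""
    outcome, detail = gateway.handle_ike(username, cert, today)
    if outcome != "tunnel":
        return False, detail
    return gateway.forward(detail, host), detail


def build_lab():
    """Constructed scenario matching the figure: Gateway 1 fronts Host 1,
    the user directory lives behind Gateway 2."""
    site2_ldap = LdapServer(users={"alice", "bob"})
    return Gateway(name="Gateway1", directory=site2_ldap, vpn_domain={"Host1"})


if __name__ == "__main__":
    gw = build_lab()
    today = date(2025, 6, 1)
    print(remote_access_connect(gw, "alice", Certificate("alice", "ICA", date(2030, 1, 1)), "Host1", today))
    print(remote_access_connect(gw, "carol", Certificate("carol", "ICA", date(2030, 1, 1)), "Host1", today))
    print(remote_access_connect(gw, "bob", Certificate("bob", "ICA", date(2020, 1, 1)), "Host1", today))
```

Running it shows the valid user reaching Host 1 through alice@Gateway1, while an unknown user, an expired certificate or a certificate from an untrusted issuer are each rejected before any tunnel exists.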

Practice and Review


Practice Labs
Lab 10: Site-to-Site VPN Between Corporate and Branch Office (Shared Secret)

Review
1. What is a VPN Community?

2. What is a meshed VPN Community?

3. Which is the preferred means of authentication between VPN Community
members, and why?

4. When planning a VPN topology, what questions should be asked? Who needs
secure/private access? From the point of view of the VPN, what will be the
structure of the organization? How will externally managed Gateways authenticate?

APPENDIX

Chapter Questions and Answers

Chapter 1 - Technology Overview


Review
1. What is the strength of Check Point's Stateful Inspection technology?
The contents of the packet are examined, not just the header information.
The state of the connection is monitored.

2. What are the advantages of Check Point's Secure Management Architecture
(SMART)? In what way does it benefit an enterprise network and its Administrators?
SMART is a unified approach to centralizing Policy management and configuration, including monitoring, logging, analysis, and reporting within a single control center.

3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when
incorporating Security Gateways into the network?
Used by the Security Administrator, the Security Management Server manages the Security Policy. In order to perform that role, the Security Management Server must establish SIC with other components, so that
communication is verified and management can be performed on any component on the network.

Chapter 2 - Deployment Platforms


Review

1. What are some of the advantages in deploying UTM-1 Edge Appliances?

Easy to install and configure; Can participate in corporate VPNs; Security
Policy can be enforced on appliance; Status and traffic can be monitored;
Device firmware can be automatically updated.

2. How do you manage an IP Appliance?

Through the WebUI
Through the CLI

3. What does SecurePlatform Pro provide, over SecurePlatform?

Dynamic routing support
Centralized Administrator management via RADIUS

4. What are the two critical Check Point directories?

$FWDIR/conf - contains Rule Bases, objects, and the user database
$FWDIR/bin - contains import and export tools.

Chapter 3 - Introduction to the Security Policy


Review
1. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
Security Policy. What should the Administrator consider before creating
objects?
What are the physical and logical components that make up the organization?
Who are the users and Administrators, and how should they be grouped, i.e.,
access permissions, location (remote or local), etc.?

2. What are some important considerations when formulating or updating a Rule
Base?
Which objects are in the network, i.e., gateways, routers, hosts, networks, or
domains?
Which user permissions and authentication schemes are required?
Which services, including customized services and sessions, are allowed
across the network?

3. What are some reasons for employing NAT in a network?

When requiring private IP addresses in internal networks
To limit external-network access
To ease network administration

Chapter 4 - Monitoring Traffic and Connections


Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView
Tracker in monitoring network activity.
SmartView Monitor presents an overall view of changes throughout the network. SmartView Tracker focuses on individual connections. SmartView Monitor also helps the Administrator identify traffic-flow patterns that may signify
malicious activity, maintain network availability, and improve efficient bandwidth use.

2. Why is there a warning message when switching to Active mode in SmartView Tracker?
There are performance implications for memory and network resources in
Active mode, since data is being actively logged.

Chapter 5 - Using SmartUpdate


Review
1. What can be upgraded remotely using SmartUpdate?
VPN-1 Gateways
Hotfixes, HFAs, and patches
Third-party OPSEC applications
UTM-1 Edge devices
Nokia operating systems
Check Point SecurePlatform
2. What two repositories does SmartUpdate install on the Security Management
Server?
License & Contract Repository in $CPDIR/conf
Package Repository in C:\SUroot (Windows), /var/suroot (UNIX)
3. What does the Pre-Install Verifier check?
Operating-system compatibility
Disk-space availability
Package not already installed
Package dependencies met

Chapter 6 - User Management and Authentication


Review
1. User Auth can be only used for what services?
Telnet, FTP, HTTP, rlogin, HTTPS
2. When using Session Authentication, what is needed to retrieve a user's identity?
Session Authentication Agent.

3. What are the advantages of using multiple LDAP servers?

Compartmentalization
High Availability
Faster access time

4. Why integrate the Security Gateway and SmartDirectory?

To query user info
To enable CRL retrieval
To enable user management
To authenticate users

Chapter 7 - Identity Awareness

1. What steps must you take to enforce Identity Awareness rules in your
Security Policy?
Enable Identity Awareness from either the gateway's General Properties page
or the Identity Awareness page.
Define a method to capture user login information.
Create an Access Role with networks, user groups, and/or machines included.
Define a rule in the Rule Base that includes an Access Role and enable Captive Portal if necessary.

2. In what instances can the Captive Portal be deployed?

The traffic must be HTTP.
The Action of the rule must be set to redirect to the Captive Portal.
All the rule's fields must match except the Access Role field.

3. What are the benefits of pre-installing Identity Agents on internal hosts?

The Identity Agent includes both user and machine identity when providing
credentials to the gateway.
Identity Agents allow administrators to identify the user even if they roam to
different protected networks within the organization.
Identity Agents work with Single Sign-On.

Chapter 8 - Introduction to VPNs


Review
1. What is a VPN Community?
A collection of VPN enabled Gateways capable of communication via VPN
tunnels.

2. What is a meshed VPN Community?

A VPN Community in which a VPN site can create a VPN tunnel with any
other VPN site within the Community.

3. Which is the preferred means of authentication between VPN Community
members, and why?
Certificates, because they are more secure than pre-shared secrets.

4. When planning a VPN topology, what questions should be asked?

Who needs secure/private access?
From the point of view of the VPN, what will be the structure of the
organization?
How will externally managed Gateways authenticate?

Become an IT Security Guru!

Training & Certification


Get Prepared
Check Point offers a variety of methods to help you
achieve your Check Point Certification goals.

Attend training
Download study guides
Challenge practice exams
Interact with technical communities

Challenge the Exam


Exam content

80% course materials


20% real world experience
Requires product experience
Multiple choice and scenario questions

Visit: www.vue.com/checkpoint to schedule your exam.

www.checkpoint.com
ISBN-13: 978-1-935862-11-6
PIN: 704735
