
-: Checkpoint Firewall Training: -

Content: -

1. Introduction of Network Security
2. Basics of Firewalls
3. Types of Firewall
4. History of Checkpoint Firewall
5. Architecture
6. Packet flow
7. Installation & Configuration
8. NAT
9. VPN (Site to Site and Remote access)
10. IPS
11. Backup, Restore and Upgrade
12. Troubleshooting

Introduction of Network Security: -

A firewall is a security device (software or hardware) designed to prevent unauthorised access to or
from a private network. It does this by enforcing access control policies (ACLs).

All messages that pass through the firewall are examined and either allowed or denied,
depending on whether they meet the specified traffic classification criteria.
Based on traffic classification and inspection criteria, firewalls can be classified as: -

a. Packet filter firewall (filters only on source IP & destination IP; works at Layer 3).
b. Application / Proxy gateway firewall (filters application traffic such as HTTP and HTTPS, Windows Firewall
being one example; works at Layer 7. Any request from a host first goes to the proxy firewall, and the proxy
then forwards that request to the web server without revealing where it was requested from).
c. Stateful Inspection firewall
d. Next generation firewall

a. Packet Filter Firewall: -

A packet filter firewall, as the name suggests, inspects traffic at Layer 3 and Layer 4, i.e. IP
addresses and port numbers. Examples of such security devices are routers configured with
stateless ACLs.

b. Application Gateway firewall: -

Also known as an application proxy firewall; traffic inspection is done at Layer 7, so these firewalls
can filter traffic based on specific application data. Proxy firewalls have application-layer
understanding, hence policies can be enforced at Layer 7,
e.g. content security policies, URL filtering, content filtering etc.
c. Stateful Inspection firewall: -
Checkpoint was the first to introduce the concept of state-aware firewalls in the security industry,
hence the name stateful inspection.
Stateful inspection examines a packet header, and also the contents of the packet up
through the application layer, to determine more about the packet than just source and
destination. Stateful firewalls
I. Maintain context about active sessions and use that state information for packet
processing.
II. Implement bi-directional policies.
III. Use the best of proxy and packet filtering features.
IV. Allow the filter to handle dynamic protocols such as FTP.
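The difference between point I and a plain packet filter is easiest to see in code. The following is an added example, not part of the training notes: a toy stateless filter and a toy stateful engine are run over the same three constructed packets. The LAN prefix 192.168.10.0/24 is taken from the gateway address used later in these notes; the public addresses, ports and the "SYN" flag are assumptions made for the illustration. The stateless filter has to keep a permanent "allow inbound from source port 443" rule so that replies can get back in, and that rule also admits an unsolicited packet that merely uses source port 443; the stateful engine records the outbound session and admits the reply only because the session exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP session


def is_internal(ip: str) -> bool:
    # Constructed convention: the protected LAN is 192.168.10.0/24
    return ip.startswith("192.168.10.")


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: judges every packet in isolation on layer 3/4 fields only."""
    if is_internal(pkt.src_ip) and pkt.dst_port == 443:
        return "accept"  # LAN hosts may browse HTTPS
    if pkt.src_port == 443 and is_internal(pkt.dst_ip):
        return "accept"  # needed so replies get back in, but far too broad
    return "drop"


class StatefulFirewall:
    """Stateful inspection: keeps a session table and allows return traffic
    only for sessions that were opened by an accepted packet."""

    def __init__(self) -> None:
        self.sessions = set()  # established sessions, stored as 5-tuples

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "accept"  # belongs to a known session, in either direction
        if pkt.syn and is_internal(pkt.src_ip) and pkt.dst_port == 443:
            self.sessions.add(fwd)  # new outbound session: remember its state
            return "accept"
        return "drop"  # unsolicited, or a mid-stream packet with no state


def compare(packets):
    """Run one packet sequence through both engines; returns a list of
    (stateless verdict, stateful verdict) pairs in packet order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.inspect(p)) for p in packets]


# Constructed sample traffic: a request, its genuine reply, and an unsolicited
# packet to RDP (3389) that only looks like a reply because its source port is 443.
SAMPLE = [
    Packet("192.168.10.20", 51000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "192.168.10.20", 51000),
    Packet("198.51.100.7", 443, "192.168.10.20", 3389),
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "stateless:", verdicts[0], "stateful:", verdicts[1])
```

The third packet is the point of the exercise: both engines accept the real request and reply, but only the stateful engine drops the packet that has no matching session, which is what "bi-directional policies" buys you.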

d. Next Generation Firewall: -

A next-gen firewall identifies applications regardless of port and protocol, to further strengthen
the security policies in an enterprise network. Traffic inspection and policy enforcement are
based on Layer 7 data rather than relying only on IP address and port number. Next-gen
firewalls prevent threats in real time, embedded across applications.
Q. What is the difference between a Stateful and a Next generation firewall?

Models of Checkpoint: -
Deployment Modes: -

 Distributed
 Standalone
 Routed
 Bridged
 High Availability (Cluster XL)

Lab Practice: -
Smart Console: -

1. SmartDashboard
2. SmartView Tracker
3. SmartView Monitor
4. SmartUpdate

IP set through CLI mode on Gateway: -

Command- set interface eth1 ipv4-address 192.168.10.200 subnet-mask 255.255.255.0
Command- set interface eth1 state on
Command- save config
Command- show interface eth1 ipv4-address
Command- ping 192.168.10.100

Rule base management: -

a. Policy – Collection of rules.

b. Types of Rules
I) Management rules – Allow administrative access to the management server (i.e. HTTPS, SSH etc.).
II) Stealth rules – Placed directly below the management rules; protect the management server & gateway
by dropping any other traffic addressed to them directly.
III) Internal rules – Give the internal LAN permission to access the internet as per
company policies.
IV) Clean-up rules – Traffic that does not match any of the rules above falls to the
clean-up rule. By default this rule drops the access.
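Rule order matters because the gateway applies the first matching rule, top to bottom. The block below is an added example, not part of the training notes: a small first-match evaluator over the four rule types just listed, in the conventional Check Point order (management above stealth, clean-up last). The management server address 10.10.10.150 and the gateway address 192.168.10.200 are taken from the commands elsewhere in these notes; the admin network 10.10.10.0/24, the LAN 192.168.10.0/24 and the permitted ports are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses from the notes' lab (management server and gateway eth1)
MGMT_SERVER = ip_network("10.10.10.150/32")
GATEWAY = ip_network("192.168.10.200/32")
# Constructed networks for the example
ADMIN_NET = ip_network("10.10.10.0/24")
INTERNAL_LAN = ip_network("192.168.10.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    sources: tuple
    destinations: tuple
    services: Optional[frozenset]  # TCP/UDP destination ports; None means any service
    action: str


def build_rulebase():
    """The four rule types in their conventional order."""
    return [
        # Management rule: admins reach the management server and gateway on SSH/HTTPS
        Rule("management", (ADMIN_NET,), (MGMT_SERVER, GATEWAY), frozenset({22, 443}), "accept"),
        # Stealth rule: everything else aimed at the gateway or management server is dropped
        Rule("stealth", (ANY,), (MGMT_SERVER, GATEWAY), None, "drop"),
        # Internal rule: LAN may use DNS, HTTP and HTTPS towards anywhere
        Rule("internal", (INTERNAL_LAN,), (ANY,), frozenset({53, 80, 443}), "accept"),
        # Clean-up rule: explicit drop for anything unmatched (so it is logged)
        Rule("cleanup", (ANY,), (ANY,), None, "drop"),
    ]


def evaluate(rulebase, src: str, dst: str, port: int):
    """First-match evaluation. Returns (rule name, action). If no explicit
    rule matches, the gateway's implicit clean-up behaviour (drop) applies."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rulebase:
        if (any(s in net for net in rule.sources)
                and any(d in net for net in rule.destinations)
                and (rule.services is None or port in rule.services)):
            return rule.name, rule.action
    return "implicit-cleanup", "drop"


if __name__ == "__main__":
    rb = build_rulebase()
    for flow in [("10.10.10.5", "10.10.10.150", 443),   # admin to management: accept
                 ("192.168.10.20", "192.168.10.200", 22),  # LAN host to gateway SSH: stealth drop
                 ("192.168.10.20", "8.8.8.8", 443),       # LAN browsing: internal accept
                 ("192.168.10.20", "8.8.8.8", 25)]:       # LAN SMTP: clean-up drop
        print(flow, "->", evaluate(rb, *flow))
```

Swapping the first two rules would let the stealth rule swallow the admin traffic, which is the usual symptom of a mis-ordered rule base: the management rule must be matched before the stealth rule can see the packet.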

 To check the running policy on the Gateway through the command prompt: -

Command- fw stat

 Uninstalling all security policies on the firewall: -

Command- fw unloadlocal

 Fetch the policy from the management server to the gateway by command: -

Command- fw fetch 10.10.10.150 (management server IP)

 To check the default route: -

Command- show route

 To set a static route through command: -

Command- set static-route default nexthop gateway address (IP) on

Network Address Translation (NAT): -

Reasons- a) Private to public IP translation.

ICANN published the private IP ranges used with NAT in RFC-1918.

Private IP Range: - 10.0.0.0/8 (Class A)
172.16.0.0/12 (Class B)
192.168.0.0/24 (Class C)
b) IP conservation- conserve public IPs.
c) Security- do not expose private IPs to the internet.

Types of NAT: -
- Dynamic NAT (Hide NAT)- Many private IPs translated to a single public IP (Many to One).
- Static NAT- One private IP translated to one public IP (One to One).
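To make the two NAT types concrete, the block below is an added example, not part of the training notes: a toy translator that performs Hide NAT (many to one, distinguished by translated source port) and Static NAT (one to one, port unchanged), with the reverse lookup a gateway needs to deliver inbound packets. The private-range check uses the three RFC 1918 blocks as the RFC itself defines them (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The hide address 203.0.113.1, the static mapping and the port counter starting at 10000 are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# RFC 1918 private address blocks
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


class Nat:
    """Minimal gateway NAT table: Hide NAT for the whole LAN, Static NAT for
    listed hosts. Constructed for illustration; not Check Point's implementation."""

    def __init__(self, hide_ip: str, static_map: dict):
        self.hide_ip = hide_ip
        self.static = dict(static_map)                   # private -> public
        self.static_rev = {v: k for k, v in self.static.items()}
        self.xlate = {}        # (private ip, private port) -> translated public port
        self.xlate_rev = {}    # translated public port -> (private ip, private port)
        self.next_port = count(10000)  # assumed start of the translated port pool

    def outbound(self, src_ip: str, src_port: int):
        """Translate the source of a packet leaving the LAN. Returns (ip, port)."""
        if not is_private(src_ip):
            return src_ip, src_port                      # nothing to translate
        if src_ip in self.static:
            return self.static[src_ip], src_port         # Static NAT: one to one, port kept
        key = (src_ip, src_port)
        if key not in self.xlate:                        # Hide NAT: new mapping per session
            pub_port = next(self.next_port)
            self.xlate[key] = pub_port
            self.xlate_rev[pub_port] = key
        return self.hide_ip, self.xlate[key]

    def inbound(self, dst_ip: str, dst_port: int):
        """Reverse-translate the destination of a packet arriving from the internet.
        Returns (private ip, private port) or None when no mapping exists."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        if dst_ip == self.hide_ip and dst_port in self.xlate_rev:
            return self.xlate_rev[dst_port]
        return None  # unsolicited packet to the hide address: nowhere to deliver it


if __name__ == "__main__":
    nat = Nat("203.0.113.1", {"192.168.10.50": "203.0.113.50"})
    print(nat.outbound("192.168.10.20", 5000))   # hide NAT: ('203.0.113.1', 10000)
    print(nat.outbound("192.168.10.21", 5000))   # same private port, different public port
    print(nat.inbound("203.0.113.1", 10001))     # back to ('192.168.10.21', 5000)
    print(nat.outbound("192.168.10.50", 80))     # static NAT: ('203.0.113.50', 80)
    print(nat.inbound("203.0.113.1", 20000))     # None: no session, packet is dropped
```

The last call shows the security point from reason c): with Hide NAT an outside host cannot address an internal machine at all unless that machine opened the session, whereas a Static NAT host is reachable from outside on every port and needs the rule base to protect it.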

Policy Management: -
 Add section headers (to make the function of each group of rules clear).

Preventing Data loss: -

 Database Version
- Usually takes less than 100 MB.
- Only policy and objects are backed up.

 Backup
- Usually takes less than 5 GB.
- OS configuration & Checkpoint database are backed up.
- Default location is "/var/CPbackup/backups"
Backup through CLI:
- show backups
- add backup local
- lock database override (if a previous session still holds the database lock), then run add backup local again
- show backup status
- set backup restore local (backup restoration) – choose the desired backup file.

 Image Snapshot
- Takes more than 5 GB.
- Entire OS partition & Checkpoint database are backed up.
- Default location is "/var/CPsnapshot/snapshots"
AD Integration: -
User Accounts: -

 Local - local accounts managed on the firewall itself.

 Centralized
- LDAP – Microsoft Active Directory, Lotus Domino etc.
- RADIUS – AAA; Cisco provides ACS & ISE; open standard (any vendor); unencrypted (insecure).
- TACACS – AAA; Cisco provides ACS & ISE; encrypted, Cisco proprietary.
- SecurID – designed by RSA, OTP-based authentication.

Enable User Directory – Global Properties – User Directory – (check) Use user directory for security
gateway.

Create an Account Unit – Launch Menu – Manage – Servers & OPSEC applications – (show) select
LDAP account unit – add server and domain – Login DN:
(cn=administrator,cn=users,dc=tuhin,dc=com) – Object management – fetch branches –
authentication – (check only) Checkpoint password

Create LDAP Group – Users and administrators – LDAP groups – (right click) add new LDAP group –
enter a name and select the Account Unit – (double click) account unit – (then click the added domain name)
tuhin.com – all users and groups are shown

Identity Awareness and HTTPS Inspection: -
