CheckPoint Firewall Configurations
Content: -
A firewall is a security device (software or hardware) designed to protect a private network from unauthorised access to or from it. It does this by enforcing access control policies (ACLs).
All messages that pass through the firewall are examined and either allowed or denied, depending on whether they meet the specified traffic classification criteria.
Based on traffic classification and inspection criteria, firewalls can be classified as: -
a. Packet filter firewall (blocks only on source IP & destination IP; works on Layer-3).
b. Application / Proxy gateway firewall (blocks HTTP, HTTPS; e.g. Windows Firewall; works on Layer-1. Any request from the host computer first goes to the proxy firewall, and the proxy firewall then sends that request to the web server without revealing where it was originally requested from).
c. Stateful inspection firewall
d. Next generation firewall
Models of Checkpoint: -
Deployment Modes: -
- Distributed
- Standalone
- Routed
- Bridged
- High Availability (ClusterXL)
Lab Practice: -
Smart Console: -
1. SmartDashboard
2. SmartView Tracker
3. SmartView Monitor
4. SmartUpdate
Types of NAT: -
- Dynamic NAT (Hide NAT) – many private IPs are translated to a single public IP (many-to-one).
- Static NAT – one private IP is translated to one public IP (one-to-one).
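As an added illustration (not from these notes), the following Python models the two NAT behaviours above: Hide NAT allocates a new source port per connection and keeps a translation table so replies can be mapped back to the right private host (and unsolicited inbound packets find no entry), while Static NAT is a fixed one-to-one pair that also admits inbound connections. All addresses are constructed sample values.

```python
from itertools import count


class HideNat:
    """Many-to-one (Hide) NAT: every internal host is hidden behind one
    public IP. The gateway tracks (public port) -> (private ip, port)."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # next free public source port
        self._table = {}                  # (pub_ip, pub_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port):
        # Rewrite the source to the shared public IP with a fresh port,
        # remembering the mapping for the reply.
        pub_port = next(self._ports)
        self._table[(self.public_ip, pub_port)] = (src_ip, src_port)
        return self.public_ip, pub_port

    def inbound(self, dst_ip, dst_port):
        # Reply traffic is mapped back to the originating private host.
        # Anything with no table entry (unsolicited) is dropped -> None.
        return self._table.get((dst_ip, dst_port))


class StaticNat:
    """One-to-one NAT: a fixed private<->public pair, so a server behind
    the gateway is reachable from outside at its public address."""

    def __init__(self, pairs):
        self._out = dict(pairs)                          # private -> public
        self._in = {pub: priv for priv, pub in pairs.items()}  # public -> private

    def outbound(self, src_ip):
        return self._out.get(src_ip, src_ip)

    def inbound(self, dst_ip):
        return self._in.get(dst_ip, dst_ip)


if __name__ == "__main__":
    hide = HideNat("203.0.113.10")                 # constructed public IP
    print(hide.outbound("192.168.1.5", 40000))     # two hosts, one public IP
    print(hide.outbound("192.168.1.6", 40000))
    print(hide.inbound("203.0.113.10", 10001))     # reply -> 192.168.1.6
    print(hide.inbound("203.0.113.10", 22))        # unsolicited -> None
    static = StaticNat({"10.0.0.20": "203.0.113.20"})
    print(static.inbound("203.0.113.20"))          # -> 10.0.0.20
```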
Policy Management: -
Add header – (a section header that describes what the rules below it do)
Backup
- Usually takes less than 5 GB.
- The OS configuration & Check Point database are backed up.
- Default location is "/var/CPbackup/backups"
Backup through the CLI: -
- show backups
- add backup local
- lock database override (if the database is still locked from an earlier backup)
- add backup local
- show backup status
- set backup restore local (backup restoration), then choose the desired backup file.
Image Snapshot
- Takes more than 5 GB.
- The entire OS partition & Check Point database are backed up.
- Default location is "/var/CPsnapshot/snapshots"
AD Integration: -
User Accounts: -
Centralized
- LDAP – Microsoft Active Directory, Lotus Domino, etc.
- RADIUS – AAA. Cisco provides ACS & ISE; open (vendor-neutral) standard. Unencrypted (insecure).
- TACACS – AAA. Cisco provides ACS & ISE; encrypted, Cisco proprietary.
- SecurID – designed by RSA, OTP-based authentication.
Enable User Directory – Global Properties – User Directory – (check) Use User Directory for Security Gateways.
Create an Account Unit – Launch Menu – Manage – Servers & OPSEC Applications – (show) select LDAP Account Unit – add server and domain – Login DN: (cn=administrator,cn=users,dc=tuhin,dc=com) – Object Management – Fetch branches – Authentication – (check only) Check Point password.
Create LDAP Group – Users and Administrators – LDAP Groups – (right click) add new LDAP group – enter a name and select the Account Unit – (double click) the account unit – (then click the added domain name) tuhin.com – all users and groups are shown.