
Security Engineering

2013 Edition

2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved.
2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties
Preface
Training Blades and Certification

2 WAYS to EXTEND CCSA / CCSE for 1 YEAR

1. Take and pass any 2 Training Blades (AppControl + Introduction to Gaia), OR
2. Attend and pass 1 instructor-led class, based on a 2 day course (Advanced IPS)
Certification Renewal Examples

CCSA Certification, Extension Options
Training Blades:
Application Control
Data Loss Prevention
Introduction to Gaia
Intrusion Prevention
Threat Prevention
OR
CCSA exam

CCSE Certification, Extension Options
Instructor Led Training:
Advanced IPS
SmartConsole Managed VSX
P1 Managed VSX
Endpoint
OR
CCSE exam
Check Point Certified Security Expert

Key Course Elements

Advanced and in-depth explanation of FireWall-1 technology
Key tips and techniques for troubleshooting FireWall-1
Advanced upgrading concepts and practices
Cluster firewall and management concepts and practices
Software acceleration features
Advanced VPN implementations
Reporting tools options and features
CCSE Course Chapters

1. Advanced Upgrading
2. Advanced Firewall
3. Clustering and Acceleration
4. Advanced User Management
5. Advanced IPsec VPN and Remote Access
6. Auditing and Reporting
Lab Topology
Check Point 3D Security

Policies that support business needs and transform security into a business process
Security that involves People in policy definition, education and incident remediation
Enforce, consolidate and control all layers of security: network, data, application, content and user
Check Point 3D Security

Security is a process
A network is never 100% secure
IT security policy must be transparent
Challenges to IT involve security, deployment, management, and compliance
Security products are tools to avoid risk
Check Point 3D Security

IT security best practices:

1. Perform a risk assessment
2. Develop and enforce a policy
3. Address known vulnerabilities
4. Control and monitor devices
5. Conduct audits
Deployment Scenario

Alpha Corp
Upgrading
Learning Objectives

Perform a backup of a Security Gateway and Management Server
Upgrade and troubleshoot a Management Server using database migration
Upgrade and troubleshoot a clustered Security Gateway deployment
Backup Schedule

Snapshot before major changes
Backup every few months
upgrade_export/migrate export every month, before upgrade or migration
Test backups
Gaia Snapshot Image Management

With Gaia snapshot image management you can:

Make a new image
Revert to a locally stored image
Delete an image
Export a local image
Export an existing image
Import an exported image
View an image list
Upgrade Tools

Backs up Check Point configuration independent of hardware, OS and Check Point version
Backs up Check Point configuration settings on the management station
Intended for upgrades or migration of database information to new systems with hardware changes
Smaller file, size dependent on the size of the Policy
Can be initiated on a live system
Backup Schedule Recommendations

Snapshot once before major changes
Backup every couple of months
upgrade_export/migrate export every month
Test your backups
Upgrade Tools

migrate.conf
migrate
pre_upgrade_verifier.exe
upgrade_export
cp_merge
Performing Upgrades

Before upgrading: a valid support contract is required
Upgrade the SMS before any gateways
The process verifies a contract file on the server
Upgrading Security Gateways

Upgrade by:
SmartUpdate
Local Upgrade
Upgrading Security Management Server

Upgrade by:
Upgrading the Production Security Management Server
Migrate and Upgrade to a New Security Management Server
Upgrading Full High Availability

Upgrade by:
Upgrade one machine and synchronize the second (minimal downtime)
Upgrade with a clean installation on one machine and synchronize the second (system downtime)
Minimal Effort Upgrade

Each Cluster member is treated as an individual gateway
Network downtime
Distributed deployment upgrade procedure
Upgrading with Minimal Downtime

Check the status of the cluster members
Failover to the second cluster member
Change the second cluster member to Active
Upgrade the primary cluster member
Install the policy on the cluster object
Upgrade the second cluster member
Synchronize
Lab Practice

Lab 1: Upgrade to Check Point R76
Review Questions

1. When should snapshots be performed?

At least once, and before major changes, such as upgrades.
Review Questions

2. To run advanced upgrade or migration, what tool is used?

Migrate.
Review Questions

3. What is a critical task for both Snapshots and Backups?

Testing your backups with either the backup, upgrade_export, or migrate export files.
Advanced Firewall
Learning Objectives

Use knowledge of Security Gateway infrastructure, including chain modules, packet flow, and kernel tables, to describe how to perform debugs on firewall processes
FireWall-1 Infrastructure

Check Point security components:

GUI clients
Security Management
Security Gateway
GUI Clients

SmartConsole Applications:
SmartView Tracker
SmartEvent
SmartReporter
SmartDashboard

Admin Tools:
Configure
Manage & Monitor
Perform Maintenance
Generate Reports
Enforce Policy
Management

Management Component processes:

FWM
FWD
CPD
CPWD
Security Gateway
User and Kernel Mode Processes
The CPD Core Process

Check Point Daemon (CPD):

1. Secure Internal Communication (SIC)
2. Status
3. Transferring messages between processes
4. Policy Installation
FWM

FWM is available on management products

GUI Client communication
DB manipulation
Policy compilation
Management HA
FWD

Forwards logs
Related to policy installation
Command line tool communication
FWSSD

Child process of FWD
Maintains Security Servers
Activated features
CPWD

CPWD (WatchDog)
Invokes and monitors critical processes (Check Point daemons)
Restart attempts
Processes monitored: cpd, fwd, fwm
cpwd_admin utility is used to show process status and to configure cpwd
Inbound and Outbound Packet Flow

Inbound FW CTL Chain Modules

Outbound Chain Modules

Columns in a Chain
Stateful Inspection

1. Packets pass through the NIC to the inspection module. The Inspection Module inspects the packets and their data.
2. Packets are matched to the policy rule, one rule at a time. Packets that do not match any rule are dropped.
3. Logging and/or alerts that have been defined are activated.
4. Packets that pass inspection are moved through the TCP/IP stack to their destination.
5. For packets that do not pass inspection and are rejected by the rule definition, an acknowledgement is sent.
6. The packets that do not pass inspection and do not apply to any of the rules are dropped without sending an acknowledgement.
Kernel Tables

Kernel tables store information on firewall function

To view Kernel tables: fw tab -t <tablename>
To view table names on SecurePlatform:
fw tab | grep -e ---- | more
Kernel Tables

Most traffic information is saved in the Kernel tables

To view Kernel tables: fw tab -t <tablename>
Tables can be:
Created
Deleted
Modified
Read
Connections Tables

Connections table = approved connections list

For every recorded connection, there is a matching reversed entry
Prevents returning packets on the same connection from being blocked
Connections Tables

Enhanced performance
Allow server replies
Stateful Features
Streaming apps
Sequence verification and translation
Hide NAT
Logging, accounting, monitoring
Client and server id
Data connections
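The six inspection steps and the reversed connections-table entry described above, as an added Python illustration; this is not Check Point code, and the Packet, Rule and StatefulFirewall classes, the rule base, the addresses and the simplified 5-tuple connection key are all constructed for the example:

```python
"""Added illustration of stateful inspection (not Check Point code).

Models the six inspection steps from the slides and the connections table
with its reversed entry; rules, packets and addresses are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    src: str                 # "any" or one exact address
    dst: str
    dport: Optional[int]     # None matches any destination port
    action: str              # "accept", "reject" (step 5) or "drop" (step 6)
    log: bool = False        # step 3: record a log entry when this rule fires


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.connections = set()      # the connections table (simplified 5-tuple keys)
        self.log: List[str] = []      # log/alert records

    def _match(self, pkt: Packet) -> Tuple[Optional[int], Optional[Rule]]:
        """Step 2: walk the rule base top-down; the first matching rule wins."""
        for idx, r in enumerate(self.rules, start=1):
            if r.src not in ("any", pkt.src) or r.dst not in ("any", pkt.dst):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            return idx, r
        return None, None

    def inspect(self, pkt: Packet) -> str:
        """Step 1 entry point; returns 'accept', 'reject' or 'drop'."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # A packet belonging to a recorded connection (or its reversed entry)
        # is accepted without walking the rule base again.
        if key in self.connections:
            return "accept"
        idx, rule = self._match(pkt)
        if rule is None:
            return "drop"             # step 6: no rule applies, silent drop
        if rule.log:                  # step 3
            self.log.append(f"rule {idx} {rule.action} "
                            f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        if rule.action == "accept":   # step 4
            self.connections.add(key)
            # Reversed entry: lets the server's replies through without a rule for them.
            self.connections.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        return rule.action            # "reject": step 5, sender is told; "drop": silent


def demo():
    fw = StatefulFirewall([
        Rule("any", "10.0.0.5", 80, "accept", log=True),
        Rule("any", "10.0.0.5", 23, "reject"),
    ])
    request = Packet("192.0.2.10", "10.0.0.5", 40000, 80)
    reply = Packet("10.0.0.5", "192.0.2.10", 80, 40000)      # no rule allows this direction
    telnet = Packet("192.0.2.10", "10.0.0.5", 40001, 23)
    smb = Packet("192.0.2.10", "10.0.0.5", 40002, 445)       # matches nothing
    verdicts = [fw.inspect(p) for p in (request, reply, telnet, smb)]
    return verdicts, len(fw.connections), fw.log


if __name__ == "__main__":
    print(demo())
```

The reply packet is accepted only because the accepted request created the reversed entry; without it the reply would reach the rule base, match nothing and be silently dropped, which is exactly what the connections table is there to prevent.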
Connections Table Format
Check Point FireWall Key Features

Packet Inspection Flow
CoreXL
Policy Installation
Network Address Translation
Security Servers
Packet Inspection Flow
Policy Installation Flow

Installation
Verification
Conversion
Code generation
CPTA
Commit
Policy Installation Process Flow
How NAT Works
Hide NAT Process

Packet arrives at the inbound interface
Packet is inspected by the Security Policy
If accepted, the packet is entered in the connections table
The first packet is matched against the NAT rules
If a match is found, the packet is translated
Packet arrives at the TCP/IP stack
Packet is routed to the outbound interface
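Hide NAT's first-packet translation and the reverse translation of replies, as an added Python illustration rather than Check Point's implementation; the HideNat class, the hidden network, the hide address and the port range are assumptions made for the example, and the table is keyed on the original source address and port only, where the real Hide NAT keys on the whole connection:

```python
"""Added illustration of Hide NAT (not Check Point code).

Hidden network, hide address and port range are constructed for the example;
real Hide NAT keys its table on the full connection, this model keys on the
original source address and port only.
"""
import ipaddress
from typing import Dict, Optional, Tuple

FourTuple = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class HideNat:
    def __init__(self, hidden_net: str, hide_ip: str, first_port: int = 10000):
        self.hidden_net = ipaddress.ip_network(hidden_net)
        self.hide_ip = hide_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int], int] = {}   # (orig src, orig sport) -> hide port
        self.inbound: Dict[int, Tuple[str, int]] = {}    # hide port -> (orig src, orig sport)

    def translate_outbound(self, pkt: FourTuple) -> FourTuple:
        """Packet leaving the hidden network. The first packet of a connection is
        matched against the NAT rule and allocates a hide port; later packets
        of the same connection reuse the recorded translation."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if ipaddress.ip_address(src_ip) not in self.hidden_net:
            return pkt                           # NAT rule does not match: no translation
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.hide_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, pkt: FourTuple) -> Optional[FourTuple]:
        """Reply arriving at the hide address. Returns the untranslated packet, or
        None when no recorded connection owns the port: unsolicited packets to
        the hide address have nowhere to go and are dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.hide_ip or dst_port not in self.inbound:
            return None
        orig_ip, orig_port = self.inbound[dst_port]
        return (src_ip, src_port, orig_ip, orig_port)


def demo():
    nat = HideNat("10.1.1.0/24", "203.0.113.1")
    a = nat.translate_outbound(("10.1.1.10", 50000, "198.51.100.7", 443))
    b = nat.translate_outbound(("10.1.1.11", 50000, "198.51.100.7", 443))  # same source port, other host
    a_again = nat.translate_outbound(("10.1.1.10", 50000, "198.51.100.7", 443))
    reply_a = nat.translate_inbound(("198.51.100.7", 443, "203.0.113.1", a[1]))
    unsolicited = nat.translate_inbound(("198.51.100.7", 443, "203.0.113.1", 60000))
    outside = nat.translate_outbound(("192.0.2.9", 1234, "198.51.100.7", 443))
    return a, b, a_again, reply_a, unsolicited, outside


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two hosts using the same source port get distinct hide ports, so their replies are demultiplexed correctly, and a packet to a hide port that no connection allocated is dropped rather than forwarded inside.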
Security Servers

The Firewall acts as a proxy, and user-mode processes are employed to manage:
Application layer enforcement
User, Client, Session authentication
How a Security Server Works

Client initiates a connection to a server
Firewall kernel signals the FWD process using a trap
FWD spawns the FWSSD child service running the Security Server
Security Server binds to a socket and manages the connection
FWD waits for connections on the ports of other servers, starting the corresponding servers
FWD also talks to child processes on other servers
How a Security Server Works

In the file structure, the real_port is the port being bound to
If real_port is 0, a high random port will be assigned
$FWDIR/conf/fwauthd.conf file structure:
<logical_ports> <server> <real_ports> <opt args>
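An added Python parser for the four-field layout the slide gives for $FWDIR/conf/fwauthd.conf; this is example code, not part of the product. The sample lines are constructed to follow that layout, the 49152-65535 range used when real_port is 0 is an assumption standing in for the high random port FWD assigns, and the duplicate-port check is added here as a sanity check on the file before the Security Servers are started:

```python
"""Added parser for the fwauthd.conf layout shown on the slide (example code,
not part of the product). Sample lines are constructed; the 49152-65535 range
used for real_port 0 is an assumption standing in for the high random port."""
import random
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample following <logical_ports> <server> <real_ports> <opt args>
SAMPLE_FWAUTHD_CONF = """\
# logical_port  server     real_port  opt_args
21   in.aftpd    0
80   in.ahttpd   0          -p 1
25   in.asmtpd   2525
"""


@dataclass
class SecurityServerEntry:
    logical_port: int
    server: str
    real_port: int                 # 0 means "let FWD pick a high random port"
    opt_args: List[str] = field(default_factory=list)


def parse_fwauthd(text: str) -> List[SecurityServerEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected <logical_port> <server> <real_port> [opt args]")
        try:
            logical, real = int(fields[0]), int(fields[2])
        except ValueError:
            raise ValueError(f"line {lineno}: ports must be integers") from None
        for port in (logical, real):
            if not 0 <= port <= 65535:
                raise ValueError(f"line {lineno}: port {port} out of range")
        entries.append(SecurityServerEntry(logical, fields[1], real, fields[3:]))
    return entries


def resolve_bindings(entries: List[SecurityServerEntry], seed: int = 0) -> Dict[int, int]:
    """Map each logical port to the real port its Security Server will bind.
    real_port 0 is replaced by a random high port (assumed range); a fixed real
    port used twice, or a logical port listed twice, is a configuration error
    worth catching before FWD tries to start the servers."""
    rng = random.Random(seed)
    bindings: Dict[int, int] = {}
    used_real = set()
    for e in entries:
        if e.logical_port in bindings:
            raise ValueError(f"logical port {e.logical_port} listed twice")
        if e.real_port:
            if e.real_port in used_real:
                raise ValueError(f"real port {e.real_port} bound by two servers")
            real = e.real_port
        else:
            real = rng.randint(49152, 65535)
            while real in used_real:             # random pick collided with a used port
                real = rng.randint(49152, 65535)
        used_real.add(real)
        bindings[e.logical_port] = real
    return bindings


def is_valid(text: str) -> bool:
    """True when the file parses and every server gets a distinct port."""
    try:
        resolve_bindings(parse_fwauthd(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for entry in parse_fwauthd(SAMPLE_FWAUTHD_CONF):
        print(entry)
    print(resolve_bindings(parse_fwauthd(SAMPLE_FWAUTHD_CONF)))
```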
Basic FireWall-1 Administration

Configuration file structure: the main sub-grouping of configuration files is divided into directories under /opt:
CPsuite-R76
CPshrd-R76
CPvsxngxcmp
CPedgecmp
Basic FireWall-1 Administration

/lib and /conf directories store definition files

$FWDIR/lib/*.def stores rulebase and protocol definitions
$FWDIR/conf/fwauth.NDB stores user definitions
$FWDIR/conf/fwauthd.conf stores security server configurations
$FWDIR/conf/classes.C defines fields for objects in objects_5_0.C
$FWDIR/database stores specific object entries on a gateway
Basic FireWall-1 Administration

Two ways to view and edit database files:

dbedit
GUIdbedit.exe
Common Commands

cpconfig
cplic print
cpstart
cpstop
What is FW Monitor?

FW Monitor is a packet analyzer

Provides kernel level inspection
Works for OSI layer-3 and above
Syntax is the same for all platforms
Supports CAP output used in Ethereal and Wireshark
C2S Connections and S2C Packets

FW Monitor captures packets entering and leaving the firewall kernel
FW Monitor records when the packet enters and leaves the inbound and outbound chains
Packet must traverse and be inspected by both firewall chains
Once fw monitor is executed, the same filter is applied on all interfaces in all directions
fw monitor

Running fw monitor without filters can create excessive output
Use filter expressions to specify the packets to be captured and limit the amount of output
General syntax:
fw monitor -e "accept <expression>;"
Lab Practice

Lab 2: Core CLI Elements of Firewall Administration
Review Questions

1. The core process CPD allows what main functions?

SIC (Secure Internal Communication) functionality: ports 18xxx are used for this communication.
Status: pulls AMON status from the GW/Management using SmartEvent.
Transferring messages between FW-1 processes.
Policy installation: receives the policy (on the GW) and pushes it forward to the relevant processes and the Kernel.
Review Questions

2. The firewall's kernel consists of two completely separate logical parts representing the process of a packet coming into and out from the firewall. These are referred to as...?

Inbound and Outbound
Clustering and Acceleration
Learning Objectives

Build, test and troubleshoot a ClusterXL Load Sharing deployment on an enterprise network.
Build, test and troubleshoot a ClusterXL High Availability deployment on an enterprise network.
Build, test and troubleshoot a management HA deployment on an enterprise network.
Configure, maintain and troubleshoot SecureXL and CoreXL acceleration solutions on the corporate network traffic to ensure noted performance enhancement on the firewall.
Build, test and troubleshoot a VRRP deployment on an enterprise network.
VRRP

VRRP (Virtual Router Redundancy Protocol)

Two or more gateways work together as one
Configurable for high availability and/or load sharing

Additional functionality of Check Point VRRP:
Prevents black holes
VRRP vs ClusterXL

VRRP and ClusterXL are mutually exclusive

Advantages of ClusterXL:
Transparent failover
Higher performance
Easy deployment
Cost-effective
VRRP vs ClusterXL

Advantages of VRRP:
Minimum failover time
Supports 255 virtual routers
Minimum service disruptions during failover
Election of multiple virtual routers for load balancing
Addresses failover at the router level
Avoids configuration changes in end nodes if a router fails
No need for a router discovery protocol for failover operation
Multi access LAN technology support
Simple VRRP Configuration

VRRP in More Than One VRID

Multiple VRIDs in Active-Active Configuration
VRRP Configurations

VRRP (Simple Monitored Circuit VRRP):
Basic parameters
Applicable for most environments

Advanced VRRP:
Necessary to monitor each interface individually
Can change the VMAC (Virtual MAC Address) assignment mode
Monitored Circuit VRRP

Eliminates black holes caused by asymmetric routes

Done by reducing priority over interfaces
All interfaces are monitored
If one interface fails, the master releases priority over all interfaces
Backup takes over all interfaces and becomes master
Troubleshooting VRRP

Enable traces to log error and event information

All routers of a VRRP group must have the same system time
All routers of a VRRP group must have the same Hello Interval
The Priority Delta must be sufficiently large
If there are different encryption accelerator cards, select encryption/authentication algorithms supported by both
VRIDs must be the same on all routers in the VRRP group
If an interface shows in the initialize state, the IP address may be invalid
If SNMP Get lists an incorrect IP address, the Policy may be incorrect
Firewall Policies

Firewall policies must be configured to accept VRRP packets
Multicast destination for VRRP: 224.0.0.18
Firewalls in the same VRRP group will each take on the Master state if the policy does not accept these packets
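The Monitored Circuit election, the "Priority Delta must be sufficiently large" check and the policy requirement for 224.0.0.18, as an added Python illustration; this is not Check Point's VRRP code. Router names, addresses, priorities and the PolicyRule shape are constructed for the example, the per-interface priority reduction follows the slides, and the tie-break on the higher address follows RFC 5798:

```python
"""Added illustration of Monitored Circuit VRRP election and the related
checks (not Check Point code). Router names, addresses, priorities and the
PolicyRule shape are constructed; tie-break on the higher address follows RFC 5798."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

VRRP_MULTICAST = "224.0.0.18"
VRRP_IP_PROTOCOL = 112   # IP protocol number assigned to VRRP


@dataclass
class VrrpRouter:
    name: str
    address: str                 # interface address, used only as the tie-breaker
    base_priority: int
    priority_delta: int          # subtracted once per monitored interface that is down
    interfaces: Dict[str, bool]  # interface name -> link up?

    def effective_priority(self) -> int:
        failed = sum(1 for up in self.interfaces.values() if not up)
        return max(0, self.base_priority - self.priority_delta * failed)


def elect_master(routers: List[VrrpRouter]) -> str:
    """One VRID: highest effective priority becomes master; because every
    interface is monitored, a single failure lowers the priority on all of
    them and the backup takes over all interfaces at once."""
    return max(routers, key=lambda r: (r.effective_priority(),
                                       ipaddress.ip_address(r.address))).name


def delta_is_sufficient(master: VrrpRouter, backup: VrrpRouter) -> bool:
    """Troubleshooting check: after one interface failure the master must fall
    below the backup, otherwise it keeps the VIPs and black-holes traffic."""
    return master.base_priority - master.priority_delta < backup.base_priority


@dataclass
class PolicyRule:
    dst: str                     # "any" or an exact destination
    ip_protocol: Optional[int]   # None matches any protocol
    action: str


def policy_accepts_vrrp(rules: List[PolicyRule]) -> bool:
    """First rule matching VRRP advertisements decides; no match means the
    implicit drop, so members never hear each other and each becomes master."""
    for r in rules:
        if r.dst in ("any", VRRP_MULTICAST) and r.ip_protocol in (None, VRRP_IP_PROTOCOL):
            return r.action == "accept"
    return False


def demo():
    a = VrrpRouter("fw-a", "192.0.2.1", 100, 10, {"eth0": True, "eth1": True})
    b = VrrpRouter("fw-b", "192.0.2.2", 95, 10, {"eth0": True, "eth1": True})
    before = elect_master([a, b])       # fw-a holds the VIPs
    a.interfaces["eth1"] = False        # one monitored circuit on the master fails
    after = elect_master([a, b])        # 90 < 95: fw-b takes over every interface
    c = VrrpRouter("fw-c", "192.0.2.3", 100, 3, {"eth0": True, "eth1": False})
    stuck = elect_master([c, b])        # delta too small: 97 > 95, no failover
    return before, after, stuck, delta_is_sufficient(a, b), delta_is_sufficient(c, b)


if __name__ == "__main__":
    print(demo())
    print(policy_accepts_vrrp([PolicyRule("224.0.0.18", 112, "accept")]))
```

fw-c shows the failure mode the troubleshooting slide warns about: with a delta of 3 its priority after losing an interface is still above the backup's, so it stays master on the remaining interfaces while traffic for the failed one goes nowhere.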
Clustering and Acceleration

SecureXL + ClusterXL + CoreXL = Open Performance Architecture
Clustering Terms

Active Up
Critical Device
Failure
Failover
High Availability (HA)
Hot Standby
Cluster Control Protocol
ClusterXL

Organizational needs vs. available resources

Maintaining dependability of VPN connections is critical to business
ClusterXL infrastructure ensures no data loss in case of system failure: load sharing and HA
High availability ensures redundancy for transparent failover between machines
Load Sharing provides reliability and enhances performance
ClusterXL

Installed in a distributed configuration

Licensing allows up to three ClusterXL clusters managed by one Security Management Server
ClusterXL uses unique physical IP and MAC addresses for Cluster members
A ClusterXL cluster is represented by a virtual IP address
Cluster members must synchronize clocks to function properly
Cluster Synchronization

Cluster members are aware of connections through other Cluster members via State Synchronization
Every IP based service, including TCP and UDP, is synchronized
State Synchronization is used by ClusterXL and third-party OPSEC certified clustering products
Cluster Synchronization

State Synchronization works in two modes:

Full synchronization
Delta synchronization

Full synchronization: initial transfer of state information
Delta synchronization: update transfer of state information
Synchronized-Cluster Restrictions

Restrictions to synchronizing cluster members:

Only cluster members on the same platform
Cluster members must be the same software version
User Auth connections will be lost if a cluster member fails
State of connections using resources in a Security Server cannot be synchronized
Account information is accumulated in each Cluster member, and lost if that member fails before that information is reported to the SMS
Securing the Sync-Interface

The synchronization network carries sensitive Security Policy information.

To secure the synchronization interface:
Use a dedicated sync network
Connect the physical network interfaces of cluster members directly with cross-over cables or a dedicated hub or switch
To Synchronize or Not to Synchronize

Certain types of connections do not require sync:

Connections solely between cluster members
Services that put significant load on the network
Services that open many short connections

Bi-directional stickiness is employed for all connections
For TCP services of type HTTP or None, you can configure delayed synchronization so that a connection is only synced if it still exists after x seconds (SecureXL devices)
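Full synchronization, delta synchronization and the delayed-sync option for short TCP connections, as an added Python illustration of the two slides above; this is not ClusterXL's own mechanism, and the ClusterMember class, the connection key layout, the member names and the timestamps are constructed for the example:

```python
"""Added illustration of ClusterXL-style state synchronization (not Check Point
code): full sync, delta sync, and the delayed-sync option for short TCP
connections. Member names, connection keys and timestamps are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ConnKey = Tuple[str, str, str, int]   # (proto, src, dst, dport), simplified


@dataclass
class ClusterMember:
    name: str
    connections: Dict[ConnKey, float] = field(default_factory=dict)   # key -> time opened
    pending: List[Tuple[str, ConnKey, float]] = field(default_factory=list)  # unsent changes

    def open_connection(self, key: ConnKey, now: float) -> None:
        self.connections[key] = now
        self.pending.append(("add", key, now))

    def close_connection(self, key: ConnKey, now: float) -> None:
        self.connections.pop(key, None)
        self.pending.append(("del", key, now))

    def full_sync(self, peer: "ClusterMember") -> None:
        """Full synchronization: the whole table goes to a (re)joining member,
        so nothing is left pending afterwards."""
        peer.connections = dict(self.connections)
        self.pending.clear()

    def delta_sync(self, peer: "ClusterMember", now: float, sync_delay: float = 0.0) -> int:
        """Delta synchronization: send only changes since the last sync. With
        sync_delay > 0 (the slide's 'x seconds') an 'add' is transmitted only
        if the connection still exists after the delay, so connections that
        open and close within it never cost any sync traffic. Returns the
        number of updates sent."""
        sent, deferred = 0, []
        for op, key, ts in self.pending:
            if op == "add":
                if key not in self.connections:
                    continue                    # closed before it was ever synced
                if now - ts < sync_delay:
                    deferred.append((op, key, ts))   # too young, retry next delta
                    continue
                peer.connections[key] = ts
            else:
                if key not in peer.connections:
                    continue                    # peer never learned it: nothing to send
                peer.connections.pop(key)
            sent += 1
        self.pending = deferred
        return sent


def demo():
    active, standby = ClusterMember("member-1"), ClusterMember("member-2")
    https = ("tcp", "192.0.2.10", "10.0.0.5", 443)
    http = ("tcp", "192.0.2.11", "10.0.0.5", 80)
    ssh = ("tcp", "192.0.2.12", "10.0.0.5", 22)
    active.open_connection(https, now=0.0)
    active.full_sync(standby)                      # standby joins the cluster
    active.open_connection(http, now=1.0)          # short-lived request
    active.close_connection(http, now=1.5)
    active.open_connection(ssh, now=2.0)           # long-lived session
    sent1 = active.delta_sync(standby, now=3.0, sync_delay=3.0)   # ssh only 1 s old
    after_first = sorted(standby.connections)
    sent2 = active.delta_sync(standby, now=6.0, sync_delay=3.0)   # ssh now 4 s old
    after_second = sorted(standby.connections)
    return sent1, after_first, sent2, after_second, active.connections == standby.connections


if __name__ == "__main__":
    print(demo())
```

The short HTTP request never generates a sync update at all, while the SSH session is transferred once it has outlived the delay; after the second delta both members hold the same table, which is what lets the standby take over those connections on failover.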
ClusterXL: Load Sharing

In a Load-Sharing Gateway Cluster, all cluster members are active: performance advantage
Load-Sharing deployment modes:
Multicast
Unicast
Multicast Load Sharing

ClusterXL Load Sharing Multicast mode:

Every member receives all packets
The ClusterXL decision algorithm decides which member performs enforcement
Other members drop the packet
Only routers or layer 3 switches accepting multicast MAC addresses in response to ARP requests with unicast IP addresses are supported
Unicast Load Sharing

ClusterXL Load Sharing Unicast mode:

One machine, called the Pivot, receives all traffic
The Pivot redistributes traffic to the other machines in the cluster
The Pivot machine is chosen automatically by ClusterXL
The Pivot machine is the only machine in communication with the router
The Pivot functions as the cluster router
Pivot mode is based on unicast addresses only, and works with all routers and Layer 3 switches
Packet Travel: Unicast LS Cluster

1. The router sends an ARP request for the Cluster IP Address
2. The Pivot returns an ARP reply with its own unicast MAC address
3. The router sends the packet to the Pivot
4. The Pivot forwards the packet to the designated Cluster member
5. The Cluster member receives the packet and sends it to the destination
6. The return packet first reaches the Pivot, which assigns it to a Cluster member
7. The packet is forwarded to the Cluster member for inspection
8. The Cluster member sends the packet to the destination

Sticky Connections

- Sticky connections are handled in either direction by a single cluster member
- High Availability mode: all connections are routed through the same cluster member
- Load Sharing mode: connections can be made sticky by enabling the Sticky Decision Function

Sticky Decision Function

Maintenance Tasks and Tools

Perform a manual failover of the FW Cluster

Best practice for initiating failovers:
cphaprob -d STOP -s problem -t 0 -register

- Puts the current machine into a problematic state
- Running cphaprob list will show a STOP entry

To remove the problematic STOP:
cphaprob -d STOP -unregister

Maintenance Tasks and Tools

Perform a manual failover of the FW Cluster - alternate

Via the command:
$FWDIR/bin/clusterXL_admin down

Perform this on the active cluster member to initiate failover to the standby cluster member.

To normalize the environment:
$FWDIR/bin/clusterXL_admin up

Advanced Cluster Configuration Examples

Example 1: Setting CCP to use Broadcast

- The ClusterXL Control Protocol uses multicast by default
- Multicast is more efficient than broadcast
- If the connecting switch is not able to forward multicast, change the mode to broadcast:
  cphaconf set_ccp broadcast
- Traffic will be on UDP port 8116
- The setting will survive a reboot, but as a precaution add the command to the /etc/rc.local file
- For verification, cphaprob -a if can be executed
- For Verizon Wireless, CCP must be set to Broadcast

Advanced Cluster Configuration Examples

Example 2: Multicast MAC Addresses

To find the multicast MAC address of a cluster, run on the Security Gateway:
cphaconf debug_data

The output is written to /var/log/messages, under the Multicast table section, on each cluster member.

Management HA

- The Security Management Server holds the system database (objects, users, policy information)
- It is important to maintain a backup in case of server failure
- A Backup Management Server needs to be able to take over; otherwise, fetching of the Security Policy and retrieval of the CRL cannot take place

Management HA

- In Management HA, the Active SMS has one or more backup Standby SMSs
- These SMSs must be the same OS and version
- The first installed SMS is designated as the Primary SMS
- Subsequently installed SMSs are designated as Secondary
- Once manually synchronized, either SMS can function as the Active SMS

The Management High Availability Environment

- The Secondary SMS is created with empty databases
- The Active SMS populates the Secondary SMS databases
- The Secondary SMS is ready when:
  - It is represented on the Primary SMS by a network object
  - SIC has been initialized between it and the Primary SMS
  - Manual synchronization has been completed with the Primary SMS

Active vs. Standby

- All management operations are done on the Active SMS
- If the Active SMS is down, the Standby SMS must be made active manually by the System Admin
- The Standby and Active SMS are synchronized so that the databases are up-to-date
- Gateways can fetch the Security Policy and retrieve a CRL from both the Active and the Standby SMS

What Data is Backed Up?

For Management HA to function properly, the following is backed up:
- Databases (such as Objects and Users)
- Certificate information (such as Certificate Authority data and the CRL)
- The last installed Security Policy

Synchronization Modes

Two ways to perform synchronization:
- Manual synchronization by the System Admin
- Automatic synchronization at set intervals

Synchronization Status

Synchronization status is the status of the peer SMSs:
- Never been synchronized
- Synchronized
- Lagging
- Advanced
- Collision

SecureXL: Security Acceleration

- SecureXL accelerates multiple intensive security operations
- SecureXL offloads firewall operations to performance-optimized software or hardware
- Dramatically increases throughput

What SecureXL Does

- SecureXL records certain attributes of packets and packet flows validated by the firewall
- Future validation of related packets and connections is delegated to the SecureXL API
- Done at hardware interrupt level on x86
- Supervises execution of code in network processors in IP security appliances

Packet Acceleration

- Packets establishing a new TCP or UDP connection table entry are handled in the slowpath
- Once the first packet is validated by the firewall, further packets are handled by the OS's interrupt-level code
- These packets are forwarded directly from the driver level, without added firewall application overhead
- Only packets belonging to the specific TCP/UDP connection can be accelerated

Session Rate Acceleration

In certain high traffic environments SecureXL:
- Improves the new connection rate (connections per second)
- Improves the connection setup/teardown rate (sessions per second)

Extension of SecureXL one-time validation to a range or block:
- Once a packet flow is validated and established, a template of that flow, with the source port masked off, is saved, creating a global match
- New connection setup packets that match avoid a round trip to the firewall application

Security is not impacted: the OS tracks the state of the new connection using stateful inspection.

Masking the Source Port

Application Layer Protocol: An Example with HTTP

- The protocol accounting for most Internet traffic is HTTP
- Web pages consist of multiple HTTP components
- Using HTTP 1.0, each component is downloaded using a separate TCP connection, involving substantial overhead in connection setup and tear-down and proactive firewall connection tracking
- Between the Web Client and a Web Server, TCP connections are initiated by the Web Client sending an HTTP request
- The Web Server responds by sending the HTTP component

Application Layer Protocol: An Example with HTTP

HTTP Requests (->)
- Each packet from the Web client requesting an HTTP component from the Web Server has the same source address, destination address, destination port (80), and protocol (HTTP).
- Only the source port, assigned by the Web client per connection, differs, creating a unique socket address at the Client for each HTTP request via a separate TCP connection

Application Layer Protocol: An Example with HTTP

HTTP Component (<-)
- Going the other direction, each packet from the Web server building the Web page on the Web client has the same source address, destination address, source port (80), and protocol (HTTP)
- Only the destination port differs (assigned by the client OS to that connection)

Application Layer Protocol: An Example with HTTP

- Once a connection with a flow to port 80 is approved by the firewall application for the web client, a template is created and stored
- All subsequent connection setups carrying those additional requests can share that template approval
- Establishing those subsequent connections does not involve a round trip to the firewall, resulting in faster processing

Application Layer Protocol: An Example with HTTP

- At the client Firewall, once a connection with a flow to port 80 is approved by the firewall application, all subsequent connections can share the same approval.
- Establishing those subsequent connections does not involve a round-trip to the firewall
- SecureXL accelerates subsequent connection establishment through both firewalls when multiple connections share the same source address, destination address, destination (server) port and protocol

HTTP 1.1

- HTTP version 1.1 improves protocol performance by permitting persistent and pipelined server connections
- The server can keep the connection alive after sending the end of a component, avoiding the need to create a new connection to send the next component
- While HTTP 1.1 is significantly less connection intensive, HTTP 1.0 remains the protocol that generates most of the new connection requests in enterprise and Internet traffic

Factors that Preclude Acceleration

- SDF (Sticky Decision Function)
- QoS
- Connections to or from the module
- Connections requiring Security Servers (AUTH, AV, URLF, AS)
- Connections that have a Handler: ICMP, FTP, H323, etc.
- Some IPS features
- IP ID, TTL, DNS Protocol enforcement
- Multicast packets

Factors that Preclude Templating (Session Acceleration)

- Time objects
- Dynamic objects
- Domain objects
- Source port ranges
- IPS features not supported in Acceleration
- NAT
- Encrypted connections

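The templating described on the Session Rate Acceleration and HTTP slides above, as an added toy model that is not Check Point code and does not reproduce the real SecureXL template format: a validated flow is stored with its source port masked off, later connection setups with the same (source, destination, destination port, protocol) are answered from the template without a round trip to the firewall application, and a rule that uses a source port range or NAT (two of the factors listed on this slide) never produces a template. The rule names, addresses and port range are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """Connection setup packet reduced to the tuple the template logic looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass
class Rule:
    """A rule base entry; the three flags model items from 'Factors that Preclude Templating'."""
    name: str
    src: str
    dst: str
    dport: int
    proto: str
    action: str = "accept"
    sport_range: Optional[Tuple[int, int]] = None  # source port range -> no template
    nat: bool = False                              # NAT -> no template
    encrypt: bool = False                          # encrypted connection -> no template

    def matches(self, c: Conn) -> bool:
        if (c.src, c.dst, c.dport, c.proto) != (self.src, self.dst, self.dport, self.proto):
            return False
        if self.sport_range is not None:
            lo, hi = self.sport_range
            return lo <= c.sport <= hi
        return True

    def templatable(self) -> bool:
        return self.sport_range is None and not self.nat and not self.encrypt


TemplateKey = Tuple[str, str, int, str]  # (src, dst, dport, proto): source port masked off


class Gateway:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.templates: Dict[TemplateKey, str] = {}
        self.fw_lookups = 0      # round trips to the firewall application
        self.template_hits = 0   # connection setups answered from a template

    @staticmethod
    def template_key(c: Conn) -> TemplateKey:
        return (c.src, c.dst, c.dport, c.proto)

    def new_connection(self, c: Conn) -> str:
        """Handle a connection setup packet; returns 'action:path'."""
        key = self.template_key(c)
        if key in self.templates:
            self.template_hits += 1
            return "accept:template"
        self.fw_lookups += 1
        for rule in self.rules:
            if rule.matches(c):
                if rule.action == "accept" and rule.templatable():
                    # the first validated flow for this masked tuple creates the template
                    self.templates[key] = rule.name
                return f"{rule.action}:firewall"
        return "drop:firewall"  # implicit cleanup rule


def page_load(gw: Gateway, client: str, server: str, dport: int, components: int) -> List[str]:
    """HTTP 1.0 style page load: one TCP connection per component, a fresh source port each time."""
    return [gw.new_connection(Conn(client, 49152 + i, server, dport, "tcp"))
            for i in range(components)]


def demo() -> dict:
    # Constructed rule base and addresses.
    gw = Gateway([
        Rule("web", "10.1.1.10", "203.0.113.5", 80, "tcp"),
        Rule("legacy", "10.1.1.10", "203.0.113.9", 8080, "tcp", sport_range=(1024, 65535)),
        Rule("smtp-hide-nat", "10.1.1.10", "203.0.113.25", 25, "tcp", nat=True),
    ])
    results = {
        "web": page_load(gw, "10.1.1.10", "203.0.113.5", 80, 5),       # 1 firewall + 4 template
        "legacy": page_load(gw, "10.1.1.10", "203.0.113.9", 8080, 3),  # all firewall: sport range
        "nat": page_load(gw, "10.1.1.10", "203.0.113.25", 25, 2),      # all firewall: NAT
        "unknown": page_load(gw, "10.1.1.10", "203.0.113.77", 80, 1),  # dropped, no template
    }
    results.update(fw_lookups=gw.fw_lookups, template_hits=gw.template_hits,
                   templates=len(gw.templates))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```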
Packet Flow

VPN Capabilities

SecureXL adds VPN routing capabilities and enhanced connectivity support to VPNs in dynamic routing environments:
- VPN Link Selection
- Dynamic VPN Routing
- Wire Mode Connections

CoreXL: Multicore Acceleration

- CoreXL introduces advanced core-level load balancing
- Multi-core CPU support allows the sharing of traffic among the cores of a single system
- Joining multi-core CPU with SecureXL acceleration can deliver more than 10 Gbps of intrusion prevention throughput
- CoreXL replicates the firewall kernel on each processor core and handles traffic concurrently, each instance being a complete and independent inspection kernel.

Supported Platforms and Features

CoreXL is supported on SecurePlatform, Gaia, IP, and Crossbeam platforms. It does not support Check Point Suite with the following features:
- Check Point QoS
- Traffic view in SmartView Monitor
- Firewall-1 GX
- Route-based VPN
- IP Pool NAT
- IPv6
- Overlapping NAT
- SMTP resource

Default Configuration

In CoreXL, the number of kernel instances is based on the total number of cores in the system:

Processing Core Allocation

The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is responsible for:
- Processing incoming traffic from the network interfaces
- Securely accelerating packets
- Distributing non-accelerated packets among the kernel instances

Processing Core Allocation

- Traffic entering a NIC is directed to the processing core running the SND
- Setting a kernel instance or process to run on a particular core is called the instance's or process's affinity with that core
- The default affinity setting for all interfaces is Automatic
- Automatic affinity = the affinity is reset every 60 seconds and balanced between the available cores
- Any processing core running a kernel instance is considered unavailable, and will not be set as the affinity for any interface

Processing Core Allocation

- In some cases, SND cores can be overloaded due to high traffic
- Manual sim affinity can alleviate this: use sim affinity -l and the /proc/interrupts file to see the affinity distributions
- Each busy interface should be assigned its own IRQ, and the IRQs distributed among the SND cores
- Refer to sk33250 on how to edit sim affinity

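An added check (not from the course or from Check Point) for the guidance on this slide: sim affinity -l is the product's own tool, and this script only reads the /proc/interrupts file mentioned next to it. It parses a constructed excerpt and flags the three conditions the guidance rules out: an IRQ shared by several interfaces, a busy interface serviced on a core that is not an SND core, and one SND core carrying several NIC IRQs. The 4-core split (SND on CPU0 and CPU1) and the eth* interface names are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed /proc/interrupts excerpt (x86 layout) for a 4-core gateway whose
# SND cores are CPU0 and CPU1 and whose kernel instances run on CPU2 and CPU3.
SAMPLE_PROC_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  0:    1000000          0          0          0   IO-APIC-edge      timer
 16:    9000000          0          0          0   IO-APIC-fasteoi   eth0
 17:    7500000          0          0          0   IO-APIC-fasteoi   eth1
 18:          0    4200000          0          0   IO-APIC-fasteoi   eth2, eth3
 19:          0          0    3100000          0   IO-APIC-fasteoi   eth4
NMI:          0          0          0          0   Non-maskable interrupts
"""

IrqTable = Dict[str, Tuple[List[int], List[str]]]


def parse_interrupts(text: str) -> IrqTable:
    """IRQ number -> (per-CPU counts, device names) for the numbered IRQ rows."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())  # header row: CPU0 CPU1 ...
    table: IrqTable = {}
    for line in lines[1:]:
        parts = line.split()
        if not parts or not parts[0].rstrip(":").isdigit():
            continue  # NMI, LOC and similar summary rows carry no device
        irq = parts[0].rstrip(":")
        counts = [int(x) for x in parts[1:1 + ncpu]]
        devices = " ".join(parts[1 + ncpu + 1:])  # skip the controller column
        table[irq] = (counts, [d.strip() for d in devices.split(",") if d.strip()])
    return table


def nic_irqs(table: IrqTable, prefix: str = "eth") -> List[Tuple[str, List[str], int]]:
    """(irq, NIC names on it, core servicing most of its interrupts) for busy NIC IRQs.

    Assumes Linux-style eth* interface names (an assumption of this example).
    """
    out = []
    for irq, (counts, devices) in table.items():
        nics = [d for d in devices if d.startswith(prefix)]
        if nics and sum(counts) > 0:
            busiest = max(range(len(counts)), key=lambda i: counts[i])
            out.append((irq, nics, busiest))
    return out


def audit(table: IrqTable, snd_cores: Set[int]) -> List[str]:
    """Flag the situations the slide's guidance rules out."""
    findings: List[str] = []
    irqs_per_snd_core: Dict[int, List[str]] = {}
    for irq, nics, core in nic_irqs(table):
        if len(nics) > 1:
            findings.append(f"IRQ {irq} is shared by {', '.join(nics)}: "
                            "give each busy interface its own IRQ")
        if core not in snd_cores:
            for nic in nics:
                findings.append(f"{nic} (IRQ {irq}) is serviced on CPU{core}, "
                                "which is not an SND core")
        else:
            irqs_per_snd_core.setdefault(core, []).append(irq)
    for core, irqs in sorted(irqs_per_snd_core.items()):
        if len(irqs) > 1:
            findings.append(f"CPU{core} services {len(irqs)} NIC IRQs ({', '.join(irqs)}): "
                            "spread them across the SND cores")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_interrupts(SAMPLE_PROC_INTERRUPTS), {0, 1}):
        print(finding)
```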
Allocating Processing Cores

- In some cases, it may be advisable to change the distribution of kernel instances, the SND, and other processes among the cores.
- This is done by changing the affinities of NICs and/or processes
- If you change the affinities of interfaces or other processes, you need to set the number of kernel instances and ensure that the instances run on other processing cores

Adding Processing Cores to the Hardware

- Increasing the number of processing cores on the hardware does not automatically increase the number of kernel instances
- If the kernel instances are not increased, CoreXL does not utilize some of the processing cores
- After upgrading the hardware, increase the number of kernel instances using cpconfig

Adding Processing Cores to the Hardware

- Reinstalling the gateway will change the number of kernel instances if you have upgraded the hardware to increase the processing cores, or if the number of kernel instances was changed.
- Use cpconfig to reconfigure the number of kernel instances

Adding Processing Cores to the Hardware

- In a clustering deployment, changing the number of kernel instances is treated as a version upgrade
- Follow the directions in the Upgrade Guide, and perform either a Minimal Effort Upgrade or a Zero Downtime Upgrade
- Substitute the instance number change for the version upgrade in the procedure
- A Full Connectivity Upgrade cannot be performed when changing the number of kernel instances

Allocating an Additional Core to the SND

In some cases, the default configuration of instances and SND is not optimal, because the load on the SND may be disproportionate to that on the kernel instances:
- Most traffic is of a type accelerated by Performance Pack
- ClusterXL Load Sharing deployment
- IPS features disabled

If the SND is slowing traffic, and there are enough cores to reduce the kernel instances, allocate an additional core to the SND.

Allocating a Core for Heavy Logging

If the gateway is performing heavy logging:
- Allocate a processing core to the fwd daemon
- This will reduce the number of cores available for kernel instances

Packet Flows with SecureXL Enabled

- Acceleration path: the packet is handled by SecureXL
- Medium path: the packet is handled by SecureXL, except for IPS processing
- Firewall path: SecureXL is unable to process the packet

Lab Practice

Lab 3: Migrating to a Clustering Solution

Review Questions

1. What is the main advantage of Monitored-circuit VRRP?
   Eliminates black holes caused by asymmetric routes when one interface on the master fails

2. What two modes does State Synchronization work in?
   Full synchronization
   Delta synchronization

3. What does Check Point recommend for securing the synchronization interface?
   Using a dedicated sync network
   Connecting the physical network interfaces of the cluster members directly using a cross-over cable

4. In a Management HA environment, how do you know when the Secondary SMS is ready?
   It is represented on the Primary SMS by a network object
   SIC has been initialized between it and the Primary SMS
   Manual synchronization has been completed with the Primary SMS for the first time

Advanced User Management

Learning Objectives

- Using an external user database such as LDAP, configure User Directory to incorporate user information for authentication services on the network.
- Manage internal and external user access to resources for Remote Access or across a VPN
- Troubleshoot user access issues found when implementing Identity Awareness

Active Directory OU Structure

- Active Directory database technology is based on the Lightweight Directory Access Protocol (LDAP)
- Based on objects and containers set up in a hierarchical structure
- Each tier of the hierarchy is made up of containers containing objects, or a container containing other containers and objects

Active Directory OU Structure

- Each object or entry in the directory is made up of a set of attributes, each with an attribute type or description and one or more values
- The set of rules that governs the types of objects in the directory, and their associations, is called the schema
- Each object has a unique identifier, its Distinguished Name (DN)
- The DN consists of a Relative Distinguished Name, constructed from some attributes in the object, followed by the parent entry's DN

Active Directory OU Structure

- The container is called an Organizational Unit (OU).
- OUs are tiers in the hierarchy, and contain objects in three categories:
  - Resources
  - Services
  - Users

Active Directory OU Structure

- AD hierarchies are nested within each other, stemming from a root level.
- Example: atlantiscorp.cp.local sub-OUs:
  - sales.atlantiscorp.cp.local
  - finance.atlantiscorp.cp.local
  - mis.atlantiscorp.cp.local
- Each is a distinct container at its own level, and part of the enterprise container: atlantiscorp.cp.local
- A user in MIS could have an AD designation of:
  CN=Boucher\\,Eric,OU=MIS,DC=atlantiscorp,DC=cp,DC=local

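As an added example (not part of the courseware), the DN on this slide parsed into its RDNs following RFC 4514, which writes the escaped comma in the CN value as a single backslash (CN=Boucher\,Eric); the parser keeps that comma inside the value instead of splitting on it, then recovers the parent entry's DN, the DNS-style domain the slide uses, and the OU path. The hex-escape handling and the second sample DN are additions beyond the slide.

```python
from typing import List, Tuple

# Constructed input: the MIS user from the slide, written with the RFC 4514
# single-backslash escape for the comma inside the CN value.
USER_DN = r"CN=Boucher\,Eric,OU=MIS,DC=atlantiscorp,DC=cp,DC=local"

# Characters that RFC 4514 allows to be escaped with a single backslash.
_ESCAPABLE = set(',+"\\<>;=# ')


def split_dn(dn: str) -> List[str]:
    """Split a DN string into RDN strings, never splitting on an escaped comma."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def unescape_value(value: str) -> str:
    """Turn an escaped attribute value back into its raw form (backslash-char and backslash-XX hex pairs)."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in _ESCAPABLE:
                out.append(nxt)
                i += 2
                continue
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """DN -> [(attribute type, raw value), ...] ordered from the object up to the root."""
    pairs: List[Tuple[str, str]] = []
    for rdn in split_dn(dn):
        attr_type, _, raw = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), unescape_value(raw.strip())))
    return pairs


def parent_dn(dn: str) -> str:
    """Everything after the leading RDN, i.e. the container the object lives in."""
    return ",".join(split_dn(dn)[1:])


def domain_of(dn: str) -> str:
    """Join the DC components into the DNS-style domain name the slide uses."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def ou_path(dn: str) -> List[str]:
    """OU containers listed from the root downwards (the reverse of DN order)."""
    return [v for t, v in reversed(parse_dn(dn)) if t == "OU"]


if __name__ == "__main__":
    print(parse_dn(USER_DN))
    print(parent_dn(USER_DN), domain_of(USER_DN), ou_path(USER_DN))
```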
Active Directory OU Structure

Using LDAP Servers with Check Point

- The Security Management Server supports LDAP
- No user management infrastructure in place? Choose between managing Domains internally or implementing LDAP
- Large user count: use an external user management database such as LDAP

LDAP advantages:
- SMS performance is enhanced
- The LDAP database is available for other applications

Using LDAP Servers with Check Point

- To manage users on a User Directory (LDAP) server, a special license is required
- Integrate the SMS and Security Gateways with User Directory to:
  - Query user information
  - Enable user management
  - Enable CRL retrieval
  - Authenticate users

LDAP User Management with User Directory

- Integrated with Check Point Security Management, LDAP is called User Directory (LDAP)
- The Security Management Server and Security Gateway function as User Directory clients
- The SMS manages user information in the User Directory (LDAP) server
- The Security Gateway queries it for user information, for retrieving CRLs, and for authentication

LDAP User Management with User Directory

Differences between internal users and User Directory (LDAP):
- User management on the User Directory server is done externally
- The User Directory server template can be modified and applied to users dynamically

LDAP User Management with User Directory

User Directory (LDAP) features:
- Based on a client/server model
- Each entry has a unique DN
- Default port numbers are TCP 389 and TCP 636
- Each LDAP server is an Account Unit
- High Availability
- Compartmentalization
- Encrypted and non-encrypted connections
- Support for multiple LDAP vendors using Profiles

Defining an Account Unit

- An Account Unit is an interface between client and server
- Each Account Unit represents one or more branches of each User Directory (LDAP) server
- An Account Unit represents the location of users in the LDAP server

Configuring Active Directory

- The User Management Wizard is used for configuring Active Directory
- The User Management Wizard has two parts:
  - Quick setup of AD
  - Users, Groups, LDAP Groups and Authentication Servers Management
- A RADIUS server is configured in the Wizard as well

Schemas

- An LDAP Schema defines the types of objects and object attributes
- The default schema includes the user definitions for that proprietary LDAP server
- The Check Point schema complements the structure of information in the LDAP server, and includes SMS and Gateway specific information
- The Check Point schema can be used to enhance object definitions for more granular user authentication

Multiple User Directory (LDAP) Servers

With multiple User Directory (LDAP) servers, queries from clients are made to the servers based on the priority defined:
- By Gateway
- By Account Unit

Authentication Process Flow

Limitations of Authentication Flow

Some limitations to keep in mind:
- The authentication method is set on the user record in the internal database
- The authentication scheme cannot be set on the user record in the LDAP database without extending the schema
- The predefined search order (1st the internal database, then the LDAP servers) slows the search down and can produce conflicting user information
- All LDAP servers are searched simultaneously; it cannot be determined which Account Unit to search

User Directory (LDAP) Profiles

- User Directory profiles are designed to normalize the dissimilar object repositories, schemas, and object relations of different LDAP vendors
- Four default profiles:
  - OPSEC_DS
  - Netscape_DS
  - Novell_DS
  - Microsoft_AD

Troubleshooting User Authentication and User Directory (LDAP)

User Authentication problems? Verify the configuration.

1. Make sure that Global Properties > SmartDirectory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked.
2. Verify that your AU (Account Unit) is configured for user management, i.e., User management is checked on the General tab of the AU.
3. Configure the correct User Directory profile. Which LDAP server are you using? Is it one of our supported OPSEC servers? Verify that your OPSEC LDAP server is supported on http://www.opsec.com/solutions/sec_authentication.html.

Troubleshooting User Authentication and User Directory (LDAP)

4. Check that the AU object is configured correctly, i.e., profile, correct branches and
5. Check the LDAP group objects configuration. How did you configure the LDAP groups? If you selected the option:
   - All Account-Unit's Users or Only Sub Tree: the groups defined on the LDAP server are irrelevant
   - Only Group in branch: the group must point to a group on the LDAP server. Is it a dynamic group?
6. Where do you use authentication? The relevant LDAP groups should be used in the authorizations of the product that uses authentication. For example, when using Endpoint Connect, the user groups should be defined on the Remote Access object.

Troubleshooting User Authentication and User Directory (LDAP)

Once the configuration is verified, debug:
- Run TDERROR_ALL_AU=5 on the process that performs the authentication.
- Which process that is depends on item number 4 above; for example, it would be the vpnd process for Endpoint Connect.
- Try to authenticate with the problematic user (and with a user that authenticated successfully, if you have one), and save the log file.

Advanced User Management

Troubleshooting User Authentication and User


Directory (LDAP

Once configuration is verified debug:.


A capture of a successful and unsuccessful login will help you
in investigating the problem
Be sure your AU object is configured not to work with SSL so
that you have a clear connection
When you have the capture, try to see which attributes are
being used to query for group membership..

98

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 182
Common Configuration Pitfalls

When troubleshooting User Directory (LDAP):
The Use User Directory (LDAP) checkbox is unchecked in Global Properties.
The bind credentials for the LDAP AU are wrong. Incorrect credentials are not flagged at the time the AU is created.
The option User Management is unchecked on the General tab of the AU.
Allowed authentication schemes may be configured on the SG (Security Gateway), but the corresponding scheme is not selected in the AU properties.
The AUs are assigned to the SG, but the AU is not selected.
The LDAP schema is not extended and the AU is not assigned an authentication scheme.
Even if the schema is extended, the authentication scheme on the user record could still be undefined. It will remain undefined even though the AU defines a scheme.
The generic template is used and a password is defined on it.
Some LDAP Tools

ldapsearch
For example:
ldapsearch -D cn=administrator,cn=users,dc=boaz,dc=com -w zubur1! -b cn=users,dc=boaz,dc=com -h 20.20.20.100 '(&(objectclass=user)(sAMAccountName=zaza))' mobile otherMobile

ldapcmd (per process; commands: cacheclear, cachetrace, log on/off)

ldapmodify
For example:
ldapmodify -c -h <host> -D <Admin FQDN> -w <password> -f <schema ldif file>
Troubleshooting User Authentication

A set of libraries in the /CPShared directory is linked to the application process. The processes which perform the authentication include:
fwm - SmartDashboard authentication
vpnd - Remote Access authentication
cvpnd - SSL VPN user authentication
Security Servers - user/client/session authentication

The authentication is mostly performed by the infrastructure in cpauth. The authentication infrastructure code modules in the chain include:
cpauth
cpldapcl, ldap
ace5sdk
The authentication schemes performed by cpauth include:
Username and password (internal database as well as LDAP)
RADIUS
SecurID
TACACS
OS password

When examining log entries, search for the following information to help with the debugging:
Username
Functions: make_au, au_auth, au_fetchuser, cpLdapGetUser, cpLdapCheck
After the fetch, the user set is printed
Authentication starts with au_auth_auth; look for the authentication result
Often the problem is authorization, not authentication
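The search described above, done by a script rather than by eye: an added example, not Check Point code, that walks a debug trace looking for the function names listed on the slide, records for each user whether the fetch printed a user set, what au_auth reported, and whether the group (authorization) check matched, and turns that into a one-line verdict. The log lines are constructed for illustration; the layout of real vpnd/fwm output differs, so the two regular expressions are the part to adapt to a captured trace.

```python
"""Triage of an authentication debug trace (TDERROR_ALL_AU=5 style output).

Added example: this is not Check Point code, and the log lines below are
constructed for illustration. Real vpnd/fwm debug output differs in layout,
so LINE_RE and USER_RE are the part to adapt to a captured trace.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: alice authenticates and is authorized, bob authenticates
# but fails the LDAP group check, carol is never fetched from the Account Unit.
SAMPLE_LOG = """\
[vpnd 4242]@gw[12 Mar 10:01:02] make_au: creating account unit AD_AU profile=Microsoft_AD
[vpnd 4242]@gw[12 Mar 10:01:02] au_fetchuser: user=alice au=AD_AU
[vpnd 4242]@gw[12 Mar 10:01:02] cpLdapGetUser: dn=cn=alice,cn=users,dc=example,dc=com
[vpnd 4242]@gw[12 Mar 10:01:02] au_fetchuser: users set: [alice -> AD_AU]
[vpnd 4242]@gw[12 Mar 10:01:03] au_auth_auth: user=alice scheme=ldap
[vpnd 4242]@gw[12 Mar 10:01:03] au_auth: user=alice result=SUCCESS
[vpnd 4242]@gw[12 Mar 10:01:03] au_auth: user=alice group check: vpn-users MATCH
[vpnd 4242]@gw[12 Mar 10:02:10] au_fetchuser: user=bob au=AD_AU
[vpnd 4242]@gw[12 Mar 10:02:10] cpLdapGetUser: dn=cn=bob,cn=users,dc=example,dc=com
[vpnd 4242]@gw[12 Mar 10:02:10] au_fetchuser: users set: [bob -> AD_AU]
[vpnd 4242]@gw[12 Mar 10:02:11] au_auth_auth: user=bob scheme=ldap
[vpnd 4242]@gw[12 Mar 10:02:11] au_auth: user=bob result=SUCCESS
[vpnd 4242]@gw[12 Mar 10:02:11] au_auth: user=bob group check: vpn-users NO MATCH
[vpnd 4242]@gw[12 Mar 10:03:40] au_fetchuser: user=carol au=AD_AU
[vpnd 4242]@gw[12 Mar 10:03:40] cpLdapCheck: user=carol not found under cn=users,dc=example,dc=com
"""

# Functions the slide tells you to search for, plus au_auth_auth (start of auth).
FUNCS = ("make_au", "au_auth", "au_fetchuser", "cpLdapGetUser", "cpLdapCheck", "au_auth_auth")
LINE_RE = re.compile(r"\]\s*(?P<func>\w+):\s*(?P<msg>.*)$")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")


@dataclass
class UserTrace:
    fetched: bool = False                 # "users set" printed after the fetch
    dn: Optional[str] = None              # DN returned by cpLdapGetUser
    auth_result: Optional[str] = None     # result reported by au_auth
    group_match: Optional[bool] = None    # outcome of the group (authorization) check
    functions: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if not self.fetched:
            return "not fetched: user not found in the AU (check profile and branches)"
        if self.auth_result != "SUCCESS":
            return "authentication failed: check credentials and authentication scheme"
        if self.group_match is False:
            return "authorization: authenticated, but the LDAP group did not match"
        return "ok"


def parse_au_log(text: str) -> Dict[str, UserTrace]:
    traces: Dict[str, UserTrace] = {}
    current: Optional[str] = None   # user the following lines belong to
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        um = USER_RE.search(msg)
        if um:
            current = um.group("user")
        if current is None:          # e.g. make_au lines carry no user
            continue
        t = traces.setdefault(current, UserTrace())
        if func in FUNCS:
            t.functions.append(func)
        if func == "au_fetchuser" and "users set" in msg:
            t.fetched = True
        elif func == "cpLdapGetUser" and "dn=" in msg:
            t.dn = msg.split("dn=", 1)[1].strip()
        elif func == "au_auth" and "result=" in msg:
            t.auth_result = msg.split("result=", 1)[1].split()[0]
        elif func == "au_auth" and "group check" in msg:
            t.group_match = not msg.rstrip().endswith("NO MATCH")
    return traces


def triage(text: str) -> Dict[str, str]:
    """Map each user seen in the trace to a one-line verdict."""
    return {user: t.verdict() for user, t in parse_au_log(text).items()}


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```

The verdict order mirrors the slide's advice: a user who never reaches the "users set" line is a fetch (profile/branch) problem, a non-SUCCESS result is authentication, and a successful result with a failed group check is the common case of authorization rather than authentication.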
Identity Awareness

Identity Awareness key features:
Configurable access roles
Multiple user identification methods
Deployment wizard for fast and simple deployment
Identity sharing

Identity Awareness uses IP addresses as the means to map user and machine identities.

Identity Awareness acquires user identities from Identity Sources:
AD Query
Captive Portal
Once an Identity Source is enabled on the Gateway, a network IP address is mapped to the user. When traffic arrives from/to those IPs, user and computer name information is included in the logs.

Identity Awareness troubleshooting procedures:
1. Verify the AD Query setup
2. Identify users behind an HTTP proxy
3. Verify that there is a logged-on AD user at the source IP
4. Check the source computer OS and activate Captive Portal
5. Use SmartView Tracker for further troubleshooting
Enabling AD Query

Once AD Query is enabled, the Gateway registers to the Domain Controllers to analyze security logs and map IPs on the network to users and computers.
Detecting all users and computers may take a few hours, depending on network activity.
To quickly identify a user, lock and unlock the user's computer to generate a security event.

AD Query Setup

Verify the following conditions:
Active Directory event logging is set up
Verify that Domain Controllers are configured to audit authentication success events; look for these event numbers:
Windows 2003: events 672, 673, 674
Windows 2008: events 4624, 4768, 4770
The LDAP Account Unit is set up
The gateway connects to all domain controllers
A firewall/IPS device en route to the domain controller is blocking DCOM
Check Point Firewall or IPS is blocking DCOM
Non-English user names
Users reach the gateway and the domain controller with the same endpoint ID
Identifying Users Behind an HTTP Proxy

With an HTTP proxy server between users and the Security Gateway, logs show the proxy as the source IP address, not user identities.
For Application Control, have the proxy server add the X-Forwarded-For HTTP header to resolve the issue:
1. Configure the proxy server to add the X-Forwarded-For HTTP header.
2. In SmartDashboard, on the Identity Awareness page of the gateway object, check "For Application Control blade, detect users located behind HTTP proxy using X-Forward-For header".
3. Install the policy.
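The decision the gateway has to make once step 2 tells it to use the proxy's header, as an added example that is not Check Point code: the X-Forwarded-For value is honoured only when the packet really comes from the configured proxy, because any other host could write an arbitrary header and be logged under another user's identity. The proxy address, the IP-to-user map and the header values are constructed.

```python
"""Resolving the real client IP behind an HTTP proxy from X-Forwarded-For.

Added example, not Check Point code: a model of the decision the gateway
has to make once it is told to trust the proxy's X-Forwarded-For header.
The proxy address, the IP-to-user map and the header values are constructed.
"""
import ipaddress
from typing import Dict, Optional, Set, Tuple

IPAddr = ipaddress.IPv4Address

# Constructed: the one proxy configured in step 1, and what AD Query
# (or Captive Portal) has already learned about client IPs.
TRUSTED_PROXIES: Set[IPAddr] = {ipaddress.IPv4Address("10.1.1.5")}
IDENTITY_MAP: Dict[str, str] = {
    "10.2.4.17": "CORP\\alice",
    "10.2.4.23": "CORP\\bob",
}


def resolve_client_ip(src_ip: str, xff: Optional[str], trusted: Set[IPAddr]) -> str:
    """Return the IP to use for the identity lookup.

    The header is honoured only when the packet comes from a configured
    proxy.  Hops are walked from the right (nearest to us) and trusted
    proxies are skipped, so a chain of our own proxies still resolves to
    the original client; a malformed hop falls back to the packet source.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in trusted or not xff:
        return str(src)
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(src)          # malformed hop: fall back, do not guess
        if addr not in trusted:
            return str(addr)
    return str(src)                  # every hop was one of ours


def identify(src_ip: str, xff: Optional[str] = None,
             trusted: Set[IPAddr] = TRUSTED_PROXIES,
             identity_map: Dict[str, str] = IDENTITY_MAP) -> Tuple[str, Optional[str]]:
    """(effective client IP, user name or None) for one connection."""
    ip = resolve_client_ip(src_ip, xff, trusted)
    return ip, identity_map.get(ip)


if __name__ == "__main__":
    print(identify("10.1.1.5", "10.2.4.17"))          # via the proxy: alice
    print(identify("10.2.4.23", "10.2.4.17"))         # direct, header ignored: bob
    print(identify("10.1.1.5", "10.2.4.17, bogus"))   # malformed: proxy IP, no user
```

The third case is the one worth remembering when reading logs: a direct connection that carries an X-Forwarded-For header is logged under its own source address, never under the address named in the header.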
Verify Logged On AD User at the Source IP

Verify that the computer at the IP is a domain computer and has a user logged on:
1. Verify the computer is a domain member. From a computer in the domain, try to access the C$ share on the source IP. For example, using Start > Run, enter \\10.0.0.1\C$. When prompted for credentials, enter domain administrator credentials. If you successfully opened the C$ share, this is a domain computer.
2. Verify that there is a user logged on. Use a WMI tool such as WMI Explorer to remotely connect to the IP and query for the user name.
Checking the Source Computer OS

Cannot connect to the source IP C$ share or with WMI Explorer:
Possibly this computer is not a member of the domain
Possibly this IP is a domain computer, but RPC and WMI traffic is blocked on the network or on the target computer

To determine the OS at the IP, use remote endpoint profiling tools such as nmap. For example, run nmap -A 10.0.0.1 to detect the OS on this IP.
Using SmartView Tracker

Track Identity Awareness Login Activity to troubleshoot:
1. Open the SmartView Tracker Identity Awareness Login Activity view.
2. Search for log records from the source IP that is missing from the logs.
If there are no logs, search in the log files that were already switched. Still no logs? AD Query failed to identify the user; contact support.
If you see Login and AD Query on different gateways, verify that identity sharing is configured correctly in the Identity Awareness properties.
If you see Logout logs even though the user was active during that period, increase the AD Query association time-out.
If you see a Logout log of a user, followed by a Login log of a different user on the same IP, it may be a Windows service logging in with a user account.
Lab Practice

Lab 4: Configuring SmartDashboard to Interface with Active Directory
Review Questions

1. What objects make up an Organizational Unit container?
Resources
Services
Users

2. What does an LDAP Schema do?
Defines the types of objects and object attributes in the directory.

3. How long can it take for AD Query to map users and computers to IPs?
AD Query may take up to a few hours to complete the mapping of users and computers to IPs.

4. If you cannot connect to the source IP C$ share or with WMI Explorer, what is the likely cause?
This IP is a computer that is not a member of the domain.
Advanced IPsec VPN and Remote Access

Learning Objectives

Using our knowledge of fundamental VPN tunnel concepts, troubleshoot a site-to-site or certificate-based VPN on a corporate gateway using IKEView, VPN log files and command-line debug tools.
Optimize VPN performance and availability by using Link Selection and Multiple Entry Point solutions.
Manage and test corporate VPN tunnels to allow for greater monitoring and scalability with multiple tunnels defined in a community, including other VPN providers.
IPsec

IPsec is an open-standard protocol suite for secure IP communication, using authentication and encryption techniques on IP packets:
Authentication Headers (AH)
Encapsulating Security Payloads (ESP)
Security Associations (SA)

Internet Key Exchange (IKE)

IKE negotiation has two phases:
Phase 1 (Main mode)
Phase 2 (Quick mode)
The negotiation process can be observed in ike.elg with IKEView.
IKE Key Exchange Process: Phase 1

Phase 1 (Main mode) negotiates encryption methods and establishes a key to protect the messages of an exchange:
Stage 1: Peers negotiate algorithms, authentication methods, and Diffie-Hellman groups
Stage 2: Each gateway generates a DH private key and public key and calculates the shared key
Stage 3: Peers authenticate using the certificate or PSK
IKE Key Exchange Process Example

The IKE exchange uses six packets for Phase 1 (Main mode) and three packets for Phase 2 (Quick mode).
For Main mode packet 1, the initiator 172.24.104.1 proposes:
Encryption algorithm: AES-CBC
Key length: 256 bit
Hash algorithm: SHA1
Authentication method: pre-shared key

1. Packet 2 is from the responder, to agree on one encryption and hash algorithm.
2. Packets 3 and 4 perform the key exchange and include a large number never used before, called a nonce.
3. Packets 5 and 6 perform authentication between the peers of the tunnel. The peer's IP address shows in the ID field under MM packet 5.
4. Packet 6 shows the peer has agreed to the proposal and has authenticated the initiator.
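The six-packet exchange above, played out in code so that each packet's role and each failure point is visible: an added example, not Check Point code or IKEView output. It keeps the Main mode structure (proposal in packet 1, selection in 2, DH values and nonces in 3 and 4, identities and authentication hashes in 5 and 6, with "No Proposal Chosen" when the responder accepts none of the proposals) but simplifies the cryptography: a small constructed Diffie-Hellman group in place of the MODP groups real IKE uses, HMAC-SHA1 as the prf, no cookies, and no encryption of packets 5 and 6. The initiator address 172.24.104.1 is the slide's; the responder address, the pre-shared keys and the proposal sets are constructed.

```python
"""Toy model of IKEv1 Main mode: six messages, PSK authentication.

Added example, not Check Point code or IKEView output.  It follows the
six-packet structure of Main mode but simplifies the cryptography: a small
constructed DH group (real IKE uses the MODP groups of RFC 2409/3526),
HMAC-SHA1 as the prf, no cookies, and no encryption of packets 5 and 6.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

P = 2**61 - 1   # toy modulus (a Mersenne prime); far too small for real use
G = 3

Proposal = Dict[str, object]
PROP_AES256_SHA1 = {"enc": "AES-CBC", "keylen": 256, "hash": "SHA1", "auth": "pre-shared key"}
PROP_3DES_MD5 = {"enc": "3DES-CBC", "keylen": 192, "hash": "MD5", "auth": "pre-shared key"}


@dataclass
class Peer:
    ip: str
    psk: bytes
    proposals: List[Proposal]
    priv: int = 0
    pub: int = 0
    nonce: bytes = b""
    skeyid: bytes = b""
    skeyid_d: bytes = b""   # keying material derived from the DH secret


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def auth_hash(skeyid: bytes, own_pub: int, peer_pub: int, ident: str) -> bytes:
    # Simplified HASH_I / HASH_R: prf(SKEYID, g^x_own | g^x_peer | ID)
    return prf(skeyid, own_pub.to_bytes(8, "big"), peer_pub.to_bytes(8, "big"), ident.encode())


def main_mode(init: Peer, resp: Peer) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Run Main mode; return (outcome, packet log as (number, direction, summary))."""
    i2r, r2i = f"{init.ip} -> {resp.ip}", f"{resp.ip} -> {init.ip}"
    log: List[Tuple[int, str, str]] = []

    # Packet 1: initiator's SA proposals.  Packet 2: responder picks one.
    log.append((1, i2r, f"SA proposals: {[p['enc'] for p in init.proposals]}"))
    chosen = next((p for p in init.proposals if p in resp.proposals), None)
    if chosen is None:
        log.append((2, r2i, "NOTIFY: NO_PROPOSAL_CHOSEN"))
        return "NO_PROPOSAL_CHOSEN", log
    log.append((2, r2i, f"SA accepted: {chosen['enc']}-{chosen['keylen']}/{chosen['hash']}"))

    # Packets 3 and 4: DH public values and fresh nonces (numbers never used before).
    init.priv, init.pub = dh_keypair()
    init.nonce = secrets.token_bytes(16)
    log.append((3, i2r, "KE g^xi + nonce Ni"))
    resp.priv, resp.pub = dh_keypair()
    resp.nonce = secrets.token_bytes(16)
    log.append((4, r2i, "KE g^xr + nonce Nr"))
    for me, other in ((init, resp), (resp, init)):
        shared = pow(other.pub, me.priv, P)                 # g^(xi*xr), same on both sides
        me.skeyid = prf(me.psk, init.nonce, resp.nonce)    # SKEYID for PSK authentication
        me.skeyid_d = prf(me.skeyid, shared.to_bytes(8, "big"))

    # Packet 5: initiator's ID and HASH_I; the responder verifies with its own PSK.
    hash_i = auth_hash(init.skeyid, init.pub, resp.pub, init.ip)
    log.append((5, i2r, f"IDi={init.ip} + HASH_I"))
    if not hmac.compare_digest(hash_i, auth_hash(resp.skeyid, init.pub, resp.pub, init.ip)):
        log.append((5, r2i, "responder: HASH_I mismatch (PSK or ID differs); no packet 6"))
        return "AUTHENTICATION_FAILED", log

    # Packet 6: responder's ID and HASH_R; the initiator verifies.
    hash_r = auth_hash(resp.skeyid, resp.pub, init.pub, resp.ip)
    log.append((6, r2i, f"IDr={resp.ip} + HASH_R"))
    if not hmac.compare_digest(hash_r, auth_hash(init.skeyid, resp.pub, init.pub, resp.ip)):
        return "AUTHENTICATION_FAILED", log
    return "ESTABLISHED", log


def run(init_props: List[Proposal], resp_props: List[Proposal],
        init_psk: bytes, resp_psk: bytes) -> Tuple[str, List[Tuple[int, str, str]], Peer, Peer]:
    init = Peer("172.24.104.1", init_psk, init_props)   # initiator from the slide
    resp = Peer("172.24.104.2", resp_psk, resp_props)   # responder address is constructed
    outcome, log = main_mode(init, resp)
    return outcome, log, init, resp


if __name__ == "__main__":
    for outcome, log, _, _ in (
        run([PROP_AES256_SHA1], [PROP_AES256_SHA1], b"secret", b"secret"),
        run([PROP_AES256_SHA1], [PROP_3DES_MD5], b"secret", b"secret"),
        run([PROP_AES256_SHA1], [PROP_AES256_SHA1], b"secret", b"typo"),
    ):
        for n, direction, what in log:
            print(f"MM packet {n}: {direction}: {what}")
        print("->", outcome)
```

Reading the three runs against an ike.elg trace: a negotiation that stops after packet 2 with No Proposal Chosen is a proposal (encryption, hash, DH group) mismatch; one that reaches packet 5 but never shows packet 6 failed authentication, which for pre-shared keys most often means the secrets differ.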
IKE Key Exchange Process Example: Phase 2

In Phase 2:
Security Associations are negotiated
Shared-secret key material is determined
An additional DH exchange occurs

Phase 2 failures are often due to a misconfigured VPN Domain, such as:
Omitted objects
Duplicate objects
All IP addresses behind the gateway

Phase 2 stages:
Peers exchange more key material and agree on encryption and integrity methods for IPsec
The DH key is combined with the key material to produce the symmetric IPsec key
Symmetric IPsec keys are generated

Quick mode packets:
1. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.
In the ID field, the initiator's VPN Domain configuration is displayed. In the figure, the VPN Domain for the initiator is the 10.2.4.0/24 network.
2. ID field 2 proposes the peer's VPN Domain configuration. In the figure, the VPN Domain for the peer Gateway is the 10.2.2.0/24 network.
3. Packet 2 from the responder agrees to its own subnet or host ID, and to the encryption and hash algorithm.
4. Packet 3 completes the IKE negotiation.
Remote Access VPNs

Check Point provides several Remote Access VPN solutions.
Newest: Endpoint Connect
Lightweight remote access client
Native desktop used to launch business applications
Does not require authentication each time a connection is initiated
Connection Initiation

In order for a VPN tunnel to exist between the site and the remote user, an IKE negotiation must take place between them.
Peer identities are authenticated (Phase 1) using:
Digital Certificates
Pre-Shared Secrets
Hybrid Mode
One-Time Password
Security Gateway Password
OS Password
RADIUS
TACACS
SAS

Once authentication is successful, IKE negotiation (Phase 2) occurs, and the VPN tunnel is established.

The client connects to the gateway with a Connection Mode. The initial connection is to the gateway, with subsequent connections to internal resources made through VPN links.
Five connection methods:
Office Mode
Visitor Mode
Hub Mode
Auto Connect
User Profile
Link Selection

Link Selection specifies which interfaces are used for incoming and outgoing VPN traffic.
Configuration options:
Probe links for availability
Use Load Sharing on links to distribute VPN traffic
Use links based on services to control the bandwidth
Set up links for remote access

Link Selection is only applicable to locally managed VPN peers.
A link set to the wrong IP address can damage the VPN connectivity configuration, unless it is configured to auto-probe.
Multiple Entry Point VPNs

Multiple Entry Point (MEP) VPNs provide high availability:
MEP VPNs are not restricted by gateway location
MEP Security Gateways can be managed by separate Management Servers
No state synchronization is needed between gateways
The VPN client selects which Gateway site will take over if the connection fails

How Does MEP Work

MEP VPNs continuously probe IP connections to check gateway availability. This is done via the Probing Protocol (PP), sending special UDP RDP packets to port 259 to check if an IP is reachable.

Explicit MEP

Only Star VPN Communities with more than one central Security Gateway can be defined as explicit MEP VPNs.
Entry point Security Gateways are chosen by:
First to respond (Gateway closest to source)
By VPN domain (Gateway closest to destination)
Load distribution (random selection)
MEP rules (from priority list)

Implicit MEP

MEP VPNs with fully or partially overlapping encryption domains can be implicitly defined.
Implicit MEP VPNs select the entry-point Security Gateway by:
First to respond
Primary-Backup
Load Distribution
For remote access MEP VPNs, clients must use Office Mode.
Tunnel Management

Two types of VPN tunnel management:
Permanent Tunnels
VPN Tunnel Sharing

Permanent Tunnels

Permanent tunnels are always active and monitored.
Permanent tunnels can only be established between Check Point Gateways, configured:
For the entire community
For a specific Gateway
For a single VPN tunnel
Tunnel Testing

Tunnel Test checks that a VPN tunnel is active.
A Tunnel Test packet has an arbitrary length; only the first byte contains meaningful data, the type field:
1 Test
2 Reply
3 Connect
4 Connected
Tunnel Test requires two Gateways, a pinger and a responder. The pinger sends a type 1 or type 3 message; the responder answers with a type 2 or type 4 message.
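The pinger/responder exchange above as an added example (not Check Point code): packets of arbitrary length whose first byte is the type, a responder that answers Test with Reply and Connect with Connected and ignores everything else, and a pinger that declares the tunnel Up or Down. The link simulators and the probe policy (three Test probes after the Connect, any miss marks the tunnel Down) are constructed for illustration.

```python
"""Tunnel Test message exchange between a pinger and a responder.

Added example, not Check Point code: a model of the type-field protocol
(1 Test, 2 Reply, 3 Connect, 4 Connected).  The link simulators and the
probe policy are constructed for illustration.
"""
from typing import Callable, Optional

TT_TEST, TT_REPLY, TT_CONNECT, TT_CONNECTED = 1, 2, 3, 4
TYPE_NAMES = {TT_TEST: "Test", TT_REPLY: "Reply", TT_CONNECT: "Connect", TT_CONNECTED: "Connected"}

Link = Callable[[bytes], Optional[bytes]]   # send a packet, get the reply (None on loss)


def build_packet(msg_type: int, padding: int = 0) -> bytes:
    """Packets have arbitrary length; only byte 0 (the type field) is meaningful."""
    return bytes([msg_type]) + bytes(padding)


def packet_type(packet: bytes) -> Optional[str]:
    """Name of the type in byte 0, or None for an empty or unknown packet."""
    return TYPE_NAMES.get(packet[0]) if packet else None


def responder(packet: bytes) -> Optional[bytes]:
    """Responder side: Test -> Reply, Connect -> Connected, anything else ignored."""
    if not packet:
        return None
    if packet[0] == TT_TEST:
        return build_packet(TT_REPLY)
    if packet[0] == TT_CONNECT:
        return build_packet(TT_CONNECTED)
    return None


def pinger(link: Link, probes: int = 3) -> str:
    """Pinger side: Connect first, then Test probes; returns 'Up' or 'Down'."""
    reply = link(build_packet(TT_CONNECT, padding=32))
    if reply is None or reply[0] != TT_CONNECTED:
        return "Down"
    for _ in range(probes):
        reply = link(build_packet(TT_TEST, padding=8))
        if reply is None or reply[0] != TT_REPLY:
            return "Down"
    return "Up"


# Constructed link simulators standing in for the real VPN tunnel.
def healthy_link(packet: bytes) -> Optional[bytes]:
    return responder(packet)


def dead_link(packet: bytes) -> Optional[bytes]:
    return None                      # nothing comes back: peer or tunnel is down


def connect_only_link(packet: bytes) -> Optional[bytes]:
    # Answers the Connect but drops the Test probes (tunnel lost after setup).
    return responder(packet) if packet and packet[0] == TT_CONNECT else None


if __name__ == "__main__":
    for name, link in (("healthy", healthy_link), ("dead", dead_link), ("connect-only", connect_only_link)):
        print(f"{name}: {pinger(link)}")
```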
VPN Tunnel Sharing

VPN Tunnel Sharing provides for interoperability and scalability by controlling the number of VPN tunnels via three settings:
One VPN Tunnel per each pair of hosts
One VPN Tunnel per subnet pair
One VPN Tunnel per Gateway pair

Tunnel Management Configuration
Permanent Tunnel Configuration

To set VPN tunnels as permanent, use one of the Permanent Tunnel modes:
On all tunnels in the Community
On all tunnels of specific Gateways
On specific tunnels in the Community

Tracking Options

Administrators can monitor tunnel status by configuring alerts. Alerts can be configured globally or individually on tunnels.
Alert options:
Log
Popup Alert
Mail Alert
SNMP Trap Alert
User Defined Alert

Advanced Permanent Tunnel Configuration

Several attributes allow customization of tunnel tests and intervals for permanent tunnels:
1. In SmartDashboard, select Global Properties > SmartDashboard Customization.
2. Click Configure. The Advanced configuration screen is displayed.
3. Click VPN Advanced Properties > Tunnel Management to view the five attributes.
VPN Tunnel Sharing Configuration

VPN Tunnel Sharing can be configured on both the VPN Community and the Gateway objects:
One VPN Tunnel per each pair of hosts
One VPN Tunnel per subnet pair
One VPN Tunnel per Gateway pair
If there is a conflict between the tunnel properties of a VPN Community and a Gateway object that is a member of that same Community, the stricter setting is used.
Troubleshooting

First step: are packets traversing the VPN tunnel?
Use SmartView Tracker logs to confirm that packets are arriving at the Gateway
fw monitor can confirm whether IKE packets arrive at and leave the Gateway

Run a debug for IKE traffic:
vpn debug on
Generate traffic from the VPN Domain to the peer's VPN Domain
If the ike.elg file does not contain useful information, an invalid tunnel may have been set up

Use vpn tu to remove site-to-site IKE and/or IPsec keys, and initiate traffic
Check the ike.elg file to identify on which packet the IKE negotiation fails
Check the relevant configuration parameters
Look at the vpnd.elg file for other errors
VPN Debug

vpn debug command

vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ] | ikeoff | trunc | truncon | truncoff | timeon [ SECONDS ] | timeoff | ikefail [ -s size(Mb) ] | mon | moff >

vpn debug on|off
vpn debug on: Turn on vpn debug and write the output to the file vpnd.elg.
vpn debug on [debug topic]=[debug level]: Sets the specified TDERROR topic to the specified level, without affecting any other debug settings. This may be used to turn specific topics on or off.
vpn debug on TDERROR_ALL_ALL=1,2,3,4,5: Turns on default VPN debugging, i.e., all TDERROR output and default VPN topics, without affecting any other debug settings.
vpn debug off: Disable vpn debug.

vpn debug ikeon|ikeoff
vpn debug ikeon: Turn on IKE debug and write the output to the file ike.elg.
vpn debug ikeoff: Disable IKE debug.

vpn log files
IKE debugging is written to $FWDIR/log/ike.elg
VPN debugging is written to $FWDIR/log/vpnd.elg

vpn debug trunc
When the vpn debug on command runs, the output is written to the $FWDIR/log/vpnd.elg file by default.
VPN Environment Variables

Setting the environment variables is recommended as a method for debugging only if there is a VPN tunnel failure:
Windows: set VPN_DEBUG=1
Unix: set VPN_DEBUG 1

VPN Command Options
VPN Debug

vpn tu
The command vpn tu is short for vpn tunnelutil, and is useful for deleting IPsec or IKE SAs to a specific peer or user without interrupting other VPN activities.

Example
You have several site-to-site VPN tunnels among Gateways. You want to remove the IKE SAs for a particular peer without interrupting the other VPNs. How do you do that?
Run vpn tu from the Gateway command line interface and select the "delete all IPsec and IKE SAs for a given Peer (GW)" option.

Comparing SAs
1. Enable VPN debugging on both your site and your partner's site with vpn debug on trunc.
2. Use vpn tunnelutil (vpn tu) to remove all SAs for either the peer with which you are about to create the tunnel, or all tunnels.
3. Have your peer initiate the tunnel from its site to yours.
4. Use vpn tunnelutil (vpn tu) again to remove all SAs for either the peer with which you are about to create the tunnel, or all tunnels.
5. Initiate the tunnel from your site to your peer.
6. Disable debugging on both sites.
7. Examine ike.elg and vpnd.elg, as they will now contain records of the SA sent by your gateway, as well as what was received from your partner site.
Advanced IPSec VPN and Remote Access

VPN Encryption Issues

Quick mode packet 1 fails with error No Proposal Chosen from


the peer.
Cause: Peer does not agree to the proposal field, such as encryption
strength or hash
A Security Gateway agrees loosely to the proposal, when host or network
based.
Third part vendors may only agree to proposals with strict adherence to
defined parameters

133

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 259
Advanced IPSec VPN and Remote Access

VPN Encryption Issues

Security Gateway proposes supernetted address as VPN


Domain to Cisco (or other) concentrator in phase 2.
Cisco device only agrees to a VPN Domain that matches its network
address and subnet mask.
This issue is known as the Largest possible subnet problem.


Largest possible subnet problem - troubleshooting

Check the Shared Tunnel settings in the Tunnel Management section
of the VPN community. Make sure both sides agree on either host
based or subnet based.

Interoperable devices do not support the Gateway to Gateway option.

In GuiDbedit, change the following property to false:

ike_use_largest_possible_subnet

This prevents Check Point from supernetting networks in the VPN
domain, so that the subnets defined in the network objects are used instead.

Check for multiple network objects in the VPN domain that overlap.
For example, 10.1.1.1/24 and 10.0.0.0/8 are both in the VPN
domain. It is possible that a packet sourced from 10.1.x.x will use
255.0.0.0 for the subnet in phase 2 instead of 255.255.255.0.

In some cases, particularly when network overlaps exist in the VPN
domain, it is still required to modify the user.def file. See SecureKnowledge
solutions sk19243 and sk30919 on Check Point's Web site:
https://usercenter.checkpoint.com/support

Example - 1
Assume you have a site-to-site VPN between two Check Point
Security Gateways.
They are managed by their own Management Servers.
You see a lot of IKE Phase 1 failures in SmartView Tracker.
You run IKE debug on one Gateway and discover only one packet
in Main mode is transferred.
There is no packet in Main mode after packet 1.
What might have caused this problem?

First, check VPN settings (including Encryption Algorithm, key length,
and Hash method) in the Community object.
Make sure Phase 1 settings are identical on both sides.
Check Phase 1 settings in the Advanced settings in the Community
object, such as group 1 or group 2, aggressive mode, etc.
They must be defined identically on both sides.
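The following is an added example, not code from the course or from Check Point: it models the Phase 1 comparison described above and the "No Proposal Chosen" behaviour of a strict responder. The two settings dictionaries are constructed for the example (the field names and the mismatch in the hash are assumptions); a responder that requires strict adherence accepts an offered transform only when every field matches one of its own.

```python
"""Added example (not Check Point code): model IKE Phase 1 proposal matching
between two peers and list the settings that must be identical on both sides."""

# Constructed Phase 1 settings as read from each side's Community object.
# The values are assumptions chosen so that only the hash method differs.
LOCAL_PHASE1 = {
    "encryption": "AES-256",
    "key_length": 256,
    "hash": "SHA1",
    "dh_group": "Group 2",
    "aggressive_mode": False,
}
PEER_PHASE1 = {
    "encryption": "AES-256",
    "key_length": 256,
    "hash": "MD5",           # differs from our side
    "dh_group": "Group 2",
    "aggressive_mode": False,
}


def phase1_mismatches(local, peer):
    """Return {setting: (local_value, peer_value)} for every Phase 1 setting
    that is not defined identically on both sides."""
    return {
        name: (local[name], peer.get(name))
        for name in local
        if local[name] != peer.get(name)
    }


def strict_responder(offered, supported):
    """Behaviour of a responder that requires strict adherence to its defined
    parameters: a proposal is accepted only if one of the offered transforms
    equals a supported transform field for field.  Returns the chosen
    transform, or None when the responder would answer "No Proposal Chosen"."""
    for transform in offered:
        if transform in supported:
            return transform
    return None


def explain_rejection(offered, supported):
    """For a rejected proposal, report per offered transform which fields
    differ from the closest supported transform.  These are the fields to
    compare in ike.elg after enabling vpn debug on both sides."""
    report = []
    for transform in offered:
        closest = min(
            supported,
            key=lambda s: sum(1 for k in transform if transform[k] != s.get(k)),
        )
        report.append({
            k: (transform[k], closest.get(k))
            for k in transform
            if transform[k] != closest.get(k)
        })
    return report


if __name__ == "__main__":
    print("Phase 1 mismatches:", phase1_mismatches(LOCAL_PHASE1, PEER_PHASE1))
    chosen = strict_responder([LOCAL_PHASE1], [PEER_PHASE1])
    print("Strict peer chose:", chosen if chosen else "No Proposal Chosen")
    print("Why:", explain_rejection([LOCAL_PHASE1], [PEER_PHASE1]))
```

With the constructed values the strict peer answers "No Proposal Chosen" and the report names the hash method as the only difference, which is exactly the field to align in both Community objects.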


Example - 2
You are configuring a site-to-site VPN from a Check Point Security
Gateway to a Cisco device.
You see that traffic initiated from the VPN Domain inside the Security
Gateway is dropped with the error "Packet is dropped as there is no
valid SA".
The Cisco side is sending Delete SA to the Security Gateway.
The IKE debug indicates a Phase 2 (Quick mode) failure.
What is causing the misconfiguration?

A Quick mode failure usually indicates the VPN Domain is not
configured exactly the same for one or both peers.

For example, if the Security Gateway's VPN Domain is a Class B
network, but the same network is defined with a Class C subnet mask
on the Cisco VPN configuration, then this type of error occurs.
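The following is an added example, not code from the course or from Check Point, covering both the overlapping-network case from the largest possible subnet troubleshooting slides and the VPN Domain mismatch in Example 2. The VPN domain list is constructed from the slide's 10.1.1.1/24 and 10.0.0.0/8 objects; the way phase2_id picks the largest or the most specific matching network is a modelling assumption that reproduces the behaviour the slides describe, not the gateway's actual negotiation code.

```python
"""Added example (not Check Point code): analyse a VPN domain for overlapping
networks and show the Phase 2 subnet a strict peer could be offered."""
import ipaddress

# Constructed VPN domain based on the slide's example: 10.1.1.1/24 is an
# object whose network is 10.1.1.0/24, and 10.0.0.0/8 overlaps it.
VPN_DOMAIN = ["10.1.1.1/24", "10.0.0.0/8", "172.16.5.0/24"]


def domain_networks(domain):
    """Normalise object definitions to networks (host bits are masked off)."""
    return [ipaddress.ip_network(n, strict=False) for n in domain]


def find_overlaps(domain):
    """Return (supernet, subnet) pairs where one domain network contains
    another.  These are the candidates for the largest possible subnet problem."""
    nets = domain_networks(domain)
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                big, small = (a, b) if a.prefixlen <= b.prefixlen else (b, a)
                pairs.append((str(big), str(small)))
    return pairs


def phase2_id(domain, source_ip, use_largest_possible_subnet=True):
    """Subnet offered as the Phase 2 identity for a packet from source_ip.
    Modelling assumption: with ike_use_largest_possible_subnet true the
    gateway may pick the largest matching network; with it set to false it
    uses the most specific network object.  Returns 'network/netmask' or None."""
    ip = ipaddress.ip_address(source_ip)
    matches = [n for n in domain_networks(domain) if ip in n]
    if not matches:
        return None
    pick = min if use_largest_possible_subnet else max
    chosen = pick(matches, key=lambda n: n.prefixlen)
    return f"{chosen.network_address}/{chosen.netmask}"


def strict_peer_accepts(peer_network, offered_id):
    """A peer such as a Cisco concentrator only agrees to a VPN Domain that
    matches its own network address and subnet mask exactly."""
    want = ipaddress.ip_network(peer_network, strict=False)
    got = ipaddress.ip_network(offered_id, strict=False)
    return want == got


if __name__ == "__main__":
    print("Overlapping objects:", find_overlaps(VPN_DOMAIN))
    for flag in (True, False):
        offered = phase2_id(VPN_DOMAIN, "10.1.1.77", flag)
        print(f"ike_use_largest_possible_subnet={flag}: offer {offered}, "
              f"Cisco (10.1.1.0/24) accepts: {strict_peer_accepts('10.1.1.0/24', offered)}")
    # Example 2: Class B on the gateway versus Class C mask on the Cisco side.
    print("Class B vs Class C:", strict_peer_accepts("172.16.0.0/24", "172.16.0.0/16"))
```

Running find_overlaps against an exported VPN domain is the check to perform before touching ike_use_largest_possible_subnet or user.def: if it returns no pairs, a Quick mode failure is more likely the plain mask mismatch of Example 2 than the supernetting case.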


Lab Practice

Lab 5: Configuring Site-to-Site VPNs with Third Party Certificates
Lab 6: Remote Access with Endpoint Security VPN


Review Questions

1. What are the stages of a Phase 2 IKE exchange?

Peers exchange more key material, and agree on
encryption and integrity methods for IPSec
The DH key is combined with the key material to produce
the symmetrical IPSec key
Symmetric IPSec keys are generated


2. What is the advantage of Link Selection for VPN traffic?

When high-traffic demands are applied to the gateway and its
performance is impaired, Link Selection provides the means to
specify which interfaces are to be used for incoming and outgoing
VPN traffic


3. What type of VPN communities can be explicitly defined as MEP VPNs?

Only Star VPN Communities using more than one central Security
Gateway can be defined explicitly as MEP VPNs


4. Quick mode packet 1 fails with error "No Proposal Chosen" from the peer. What is likely the cause?

This failure is usually caused when a peer does not agree to the
proposal fields, such as encryption strength or hash

Auditing and Reporting


Learning Objectives

Create Events or use existing event definitions to generate reports on
specific network traffic using SmartReporter and SmartEvent in order to
provide industry compliance information to management.

Using your knowledge of SmartEvent architecture and module communication,
troubleshoot report generation given command-line tools and debug-file
information.

Auditing and Reporting Process

Security Administrator role:
Guided by process and procedures
Need to document changes on the corporate network
Compliance with industry standards and corporate mandates

Corporate governance
Efficient auditing and reporting
Compliance regulatory practices


Implementing audit policies

Password changes.
Changes to access rights to shares, files, folders, etc.
Attempts of unauthorized access to computer system resources.
Attempts of unauthorized access to information held in application systems.
All internal system activity including logins, file accesses and security incidents.
Produce and retain logs recording exceptions and security-related events.
Any attempts of unauthorized changes to IT systems.
Key system files and critical data for unauthorized changes.
Changes to Active Directory permissions for user accounts, groups and computer accounts.
Unauthorized Active Directory access permissions.
Any changes to users, groups, rights, and user account policies.
Notifications of group policy changes.
Authorized users' attempts to perform unauthorized activities.
Permission changes in Active Directory.
User information, access information, date and time stamp.
Real-time policy modifications.
Last access dates for files and applications.

SmartEvent

SmartEvent - Management Software Blade

Uses network security information with real-time security event
correlation and management for Check Point Security Gateways and
third-party devices.

SmartEvent's unified event analysis identifies critical security events from
the clutter of data, while correlating events across all security systems.

Its automated aggregation and correlation of data minimizes the time
spent analyzing log data, and also isolates and prioritizes the real
security threats.



SmartEvent is available as a software blade or as an appliance.

SmartEvent Appliance bundle:
SmartEvent
SmartReporter
Logging and Status

SmartEvent Intro

SmartEvent Intro: security event correlation and management for a
single Check Point Security Software Blade.

Full reporting is part of the SmartReporter Software Blade.

Only one SmartEvent Intro blade can be installed per device.
To monitor and correlate firewall events, use the full SmartEvent Software
Blade.


SmartEvent Architecture

Three main components for log consolidation, correlation, and results
analysis:
Correlation Unit (CU)
Analyzer Unit
Analyzer Client


Example Deployment


Component Communication Process


Analyzer Server


Event Policy User Interface

Event Policy is fundamental to the workings of SmartEvent


Edit Event Definition

SmartReporter

SmartReporter provides:
High-level view, trends, reports
Understanding of the details of each event
Integration with other tools to modify the security policies
Manage events by state and owner

Consolidation Policy

Consolidation Policy:
Similar to a Security Policy in structure and management
Uses Rule Bases defined via SmartDashboard
Uses the network objects
Consolidation rules store or ignore logs that match rules
Based on logs, not security issues


Consolidation is performed at two levels:
The interval at which the log was created
The log fields whose original values should be retained

When several logs match a Rule and are recorded:
Values of their relevant fields are saved as-is
Values of their irrelevant fields are merged or consolidated together

The SmartReporter server can then extract the consolidated records that
match a specific report definition.
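The following is an added example, not code from the course or from Check Point, that applies the two-level consolidation described above to a handful of constructed log records. The log records, the rule format (first matching rule wins, with a store or ignore action) and the choice of src, dst and service as the retained fields are all assumptions for the example; the point it shows is how stored logs from the same interval with equal retained fields collapse into one record while the other fields are merged.

```python
"""Added example (not Check Point code): apply consolidation rules to
constructed log records, grouping them by interval and by the fields whose
original values are retained, and merging the remaining fields."""
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample logs (not real Check Point output).
RAW_LOGS = [
    {"time": "2013-03-01T10:00:05Z", "src": "10.1.1.5", "dst": "192.0.2.10", "service": "http", "action": "accept", "rule": 7, "bytes": 1200},
    {"time": "2013-03-01T10:01:10Z", "src": "10.1.1.5", "dst": "192.0.2.10", "service": "http", "action": "accept", "rule": 7, "bytes": 800},
    {"time": "2013-03-01T10:02:00Z", "src": "10.1.1.5", "dst": "10.1.1.1",   "service": "dns",  "action": "accept", "rule": 3, "bytes": 90},
    {"time": "2013-03-01T10:04:59Z", "src": "10.1.1.5", "dst": "192.0.2.10", "service": "http", "action": "accept", "rule": 9, "bytes": 400},
    {"time": "2013-03-01T10:06:30Z", "src": "10.1.1.5", "dst": "192.0.2.10", "service": "http", "action": "accept", "rule": 7, "bytes": 300},
]

# Constructed consolidation rules; first match wins, like a Rule Base.
# DNS noise is ignored, everything else is stored.
RULES = [
    {"match": {"service": "dns"}, "action": "ignore"},
    {"match": {}, "action": "store"},
]

INTERVAL_SECONDS = 300                   # level 1: interval the log was created in
KEEP_FIELDS = ("src", "dst", "service")  # level 2: fields whose original values are retained


def first_matching_rule(log, rules):
    """Return the first rule whose match fields all equal the log's values."""
    for rule in rules:
        if all(log.get(k) == v for k, v in rule["match"].items()):
            return rule
    return None


def interval_start(timestamp, interval_seconds):
    """Round an ISO 8601 UTC timestamp down to the start of its interval."""
    ts = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    slot = int(ts.timestamp()) // interval_seconds * interval_seconds
    return datetime.fromtimestamp(slot, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def consolidate(logs, rules, interval_seconds, keep_fields):
    """Return consolidated records.  Logs matching an 'ignore' rule are
    dropped; stored logs in the same interval with identical keep_fields are
    merged: kept fields stay as-is, byte counts are summed, and every other
    field is collapsed to the set of values seen."""
    records = OrderedDict()
    for log in logs:
        rule = first_matching_rule(log, rules)
        if rule is None or rule["action"] == "ignore":
            continue
        start = interval_start(log["time"], interval_seconds)
        key = (start,) + tuple(log[f] for f in keep_fields)
        rec = records.get(key)
        if rec is None:
            rec = {f: log[f] for f in keep_fields}
            rec.update(interval_start=start, count=0, bytes=0, merged={})
            records[key] = rec
        rec["count"] += 1
        rec["bytes"] += log["bytes"]
        for field, value in log.items():
            if field not in keep_fields and field not in ("time", "bytes"):
                rec["merged"].setdefault(field, set()).add(value)
    return list(records.values())


if __name__ == "__main__":
    for rec in consolidate(RAW_LOGS, RULES, INTERVAL_SECONDS, KEEP_FIELDS):
        print(rec)
```

The five raw logs become two records: three HTTP logs from the 10:00 interval merge into one record (with the rule numbers 7 and 9 kept only as a merged set), the DNS log is ignored, and the 10:06 log lands in the next interval. Whatever is not in KEEP_FIELDS is no longer recoverable from the consolidated record, which is the trade-off to weigh when a report needs, for example, the matched rule per connection.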


Report Types

Two types of reports can be created:
Standard Reports
Express Reports

SmartReporter Standard Reports are supported by two Clients:
SmartDashboard Log Consolidator
SmartReporter Client

User Management and Authentication

Lab Practice

Lab 7: SmartEvent and SmartReporter

Review Questions

1. What does the SmartReporter Consolidation Policy do?

The Consolidation Policy goes over your original raw log file,
compressing similar events and writing the compressed list of
events into a relational database.


2. What is the difference between a Consolidation Policy and a Security Policy?

A Consolidation Policy is based on logs, as opposed to
connections, and has no bearing on security issues.


3. When is an event reported?

When it is created
Up to five updates
When it is closed
