8/7/2019 Checkpoint - Day 2[1]
1/56
CSC Private
Day Two Session
Objectives
After completing this session you will be able to:
Install Firewall-1 on Windows OS
Build a rulebase
Configure Logging and Alerting
Chapter 3 - Installing Firewall-1
Selecting the Operating System. Checkpoint can be installed on the following operating systems:
Windows NT / 2000 Server
Sun Solaris (SPARC)
AIX
Nokia IP Security Platform (IPSO)
Linux and Secure Platform (SPLAT)
Windows NT and Windows 2000/Server
Advantages of using Windows
Ease of use: The GUI interface is quite familiar to most. Installation and maintenance are quite easy.
Widely used: Win 2000 is a popular choice for Firewall-1 installations and plenty of documentation is available for both OSes.
Third party software integration: There are lots of functions that third party software provides and which Firewall-1 doesn't.
Windows NT and 2000/Server (Contd.)
Disadvantages
Remote Administration: Windows is more difficult to administer remotely. Most admin tasks are performed through the GUI. VNC is an option, but it poses additional security issues.
Command Line Access: Windows lacks a powerful CLI tool. This makes troubleshooting more difficult compared to other OSes.
Sun Solaris (SPARC)
Advantages
Widely used: Most widely used, and plenty of documentation is available for support.
Primary Platform for Checkpoint: Development of the Checkpoint firewall is performed on SUN OS.
CLI access: As mentioned earlier, the biggest advantage of SUN is the command line access it provides for troubleshooting and maintenance.
Sun Solaris (SPARC) Contd.
Disadvantages
Training: Like other flavors of UNIX, this needs more skills. Not only are these skills difficult to find, they also cost more.
Policy Editor Costs: Requires extra cost for purchasing smart clients.
AIX
Advantages
Command Line Access: UNIX systems have strong CLI access.
Hardware Support: They have high-end hardware support.
Disadvantages
Deployment and Resourcing: AIX is not as widely deployed as Solaris.
Training: Requires more training to administer.
Third party software: 3rd parties don't quickly release AIX-compatible software versions.
IPSO
Advantages
Ease of use
CLI Access
Hardened OS
Thoroughly tested product
Easier to upgrade
Easy to Manage
Support
IPSO (Contd.)
Disadvantages
Cost: The Nokia platform has a higher acquisition cost than other h/w and s/w combinations from other vendors.
CLI: Limited feature set as compared to other UNIX flavors.
3rd Party Integration: Few 3rd party applications integrate with Checkpoint.
Secure Platform (SPLAT)
Advantages
UNIX features: Shares the same features as other flavors of UNIX.
Lower acquisition costs: Since the OS comes for free and can be installed on common PC hardware, the overall cost is less.
Ease of installation: Nokia has done the homework. All you need to do is insert the CD and go!
Support: The OS and firewall are supported by a single vendor.
Secure Platform (SPLAT) Contd.
Disadvantages
Customization: Any customization on SPLAT makes the OS completely unsupported by Checkpoint.
Limited interface support: Not all interfaces are supported by SPLAT (e.g. Ethernet, PPP etc.).
Not easily upgradeable: If you want to upgrade from NG FP2 to NG FP3 you need to do a complete reinstall.
Installing Firewall-1
Run setup.exe file
Questions
Chapter 4 - Building the Rulebase
At the end of the chapter, you should be able to:
Manage firewall administrators
Create objects on Firewall
Add rules on firewall
Identify various objects on firewall
Management GUIs
Smart Dashboard/ Policy Editor: View and modify Security Policy
Smart Tracker / Log Viewer: View and track logs
Smart Update/ Secure Update: Update Checkpoint firewall
Smartview Monitor: Traffic monitoring and analysis
User Monitor: View Secure client connections
Smart Dashboard/ Policy Editor
Adding Administrators
Click on Manage > Users
Once you are added as an Administrator in Policy Editor, you need to define the IP addresses of the admins who can access the Policy Editor.
The list of IP addresses should be clearly defined. Adding networks isn't the best of ideas.
You can configure IP addresses using the cpconfig command.
Default rule on Firewall.
Adding Stealth Rule
Any connections to the firewall should be dropped. Such a rule is called a Stealth rule.
Creating Objects
Rule base evaluation Chart
Thumb Rule for managing firewall policy
Client Encryption rules
Firewall-Firewall encryption rules
Incoming accept rules (typical from internet)
Outgoing accept rules (To internet)
Client Authentication rules
Session Authentication rules
User Authentication rules
Cleanup rule
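Added example (not part of the original slides): a small Python model of a rulebase, assuming top-down, first-match evaluation, showing why the Stealth rule must sit above the accept rules and why the Cleanup rule comes last. The addresses, rule names and the lint() helper are constructed for illustration and are not Checkpoint objects or commands.

```python
from ipaddress import ip_address, ip_network

FW = "192.0.2.1"  # constructed firewall address (documentation range)

# Constructed rulebase: (name, source, destination, service, action).
RULEBASE = [
    ("stealth",      "any",        FW,           "any",  "drop"),
    ("incoming-web", "any",        "192.0.2.10", "http", "accept"),
    ("outgoing-web", "10.0.0.0/8", "any",        "http", "accept"),
    ("cleanup",      "any",        "any",        "any",  "drop"),
]

def covers(spec, addr):
    """True if a rule cell ('any', host or CIDR) includes addr."""
    return spec == "any" or ip_address(addr) in ip_network(spec)

def evaluate(rules, src, dst, svc):
    """Top-down, first match wins: return (rule name, action)."""
    for name, r_src, r_dst, r_svc, action in rules:
        if covers(r_src, src) and covers(r_dst, dst) and r_svc in ("any", svc):
            return name, action
    return None, "drop"  # assumption: unmatched traffic is dropped

def is_stealth(rule, fw):
    """A stealth rule drops any source, any service, destined to the firewall."""
    return rule[1:] == ("any", fw, "any", "drop")

def lint(rules, fw=FW):
    """Report stealth/cleanup ordering problems as a list of strings."""
    findings = []
    if not rules or rules[-1][1:] != ("any", "any", "any", "drop"):
        findings.append("last rule is not a cleanup rule")
    pos = next((i for i, r in enumerate(rules) if is_stealth(r, fw)), None)
    if pos is None:
        findings.append("no stealth rule")
        return findings
    for name, _src, r_dst, _svc, action in rules[:pos]:
        if action == "accept" and covers(r_dst, fw):
            findings.append(f"{name} accepts traffic to the firewall above the stealth rule")
    return findings

if __name__ == "__main__":
    # Same rules, but the stealth rule placed below a broad accept rule.
    misordered = [RULEBASE[2], RULEBASE[0], RULEBASE[1]]
    print(evaluate(RULEBASE, "10.1.2.3", FW, "http"))
    print(evaluate(misordered, "10.1.2.3", FW, "http"))
    print(lint(misordered))
```

With the rules in the intended order the connection to the firewall is dropped by the Stealth rule; in the misordered copy the same connection is accepted by the broad outgoing rule, and lint() reports both the misplaced accept and the missing Cleanup rule.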
Creating a rule - Example
Identify number of objects needed?
Installing the firewall policy
Once the rule base is added, you need to install the policy to confirm the changes and to make the rulebase operational.
Select Policy > Install or click on to install the policy
Chapter 5 - Logging and Alerting
At the end of the chapter, you should be able to:
Determine information displayed in Smartview Status/ Manager
Determine what information is displayed in Smartview Tracker
Identify where logging and alerting occur.
Smartview Status
Allows you to view the current state of Checkpoint firewall modules.
The status of individual installed components can be determined.
Components include:
Firewall Module
VPN Module
Management Server
Smartview Status
Firewall-1 Status
Management Module Status
VPN Module Status
Different States of the modules
Smartview Tracker
Also called the log viewer
Presents historical logs and the active connections
Provides audit history of Administrator actions
Smartview Tracker/ Log Viewer
Blocking a connection
Temporarily block the connection
Can only be performed in Active mode
Done without modifying the existing rulebase.
The block can only be removed in the following three ways:
Unloading the firewall module
Rebooting the system
Manually removing the block
Blocking a connection (Contd.)
Blocking can be performed in the following ways
Audit Mode
Allows you to view what actions an administrator performs on various applications.
The following details are shown in the audit:
Date
Time
Origin
Application
Operation
Object Name
Changes
Administrator
Questions