Uploaded by: shixiong-chen
2012 Check Point Software Technologies Ltd. All rights reserved.
Check Point
UTM-1/Power-1
Check Point UTM-1 & Power-1 V2.0
2011/06/01
Revision history:
V1.0  2011/7/30
V2.0  2012/5/01  (R75.40)
Check Point
CHECK POINT (p. 1)
1. (p. 9)
1.1 UTM-1 (p. 9)
1.1.1 UTM-1 (p. 9)
1.1.2 UTM-1 (p. 10)
1.2 POWER-1 (p. 10)
1.2.1 Power-1 (p. 10)
1.2.2 Power-1 (p. 11)
1.3 (p. 12)
1.4 UTM-1/POWER-1 (p. 13)
1.4.1 (p. 13)
2 (p. 13)
2.1 (p. 13)
2.1.1 Check Point (p. 13)
2.1.2 UTM-1/Power-1 (p. 13)
2.2 (p. 22)
2.2.1 (p. 23)
2.2.2 (p. 25)
2.2.3 (p. 33)
2.2.4 (p. 37)
2.3 (p. 40)
2.3.1 (p. 40)
2.3.2 (p. 43)
2.3.3 (p. 49)
2.4 HA (p. 55)
2.4.1 SmartCenter ClusterXL (p. 55)
2.5 (p. 60)
2.5.1 (p. 60)
2.5.2 (p. 79)
2.5.3 (p. 81)
2.5.4 (NAT) (p. 85)
2.5.5 OPSEC (p. 89)
2.5.6 (p. 97)
2.5.7 (p. 98)
2.5.8 (p. 98)
2.6 POWER-1 (COREXL) (p. 99)
2.6.1 CPU (p. 100)
2.6.2 CPU (p. 101)
2.7 SYSLOG SMARTCENTER (p. 103)
3 (IPS) (p. 105)
3.1 IPS (p. 105)
3.2 IPS (p. 106)
3.2.1 IPS (p. 106)
3.2.2 IPS Profile (p. 108)
3.2.3 Protections (p. 111)
3.2.4 Geo Protection (p. 112)
3.2.5 Network Exceptions (p. 113)
3.2.6 IPS (p. 114)
3.2.7 Follow Up (p. 115)
3.2.8 Advanced (p. 116)
3.3 IPS (p. 116)
4 (IDENTITY AWARENESS) (p. 117)
4.1 CAPTIVE PORTAL (p. 120)
4.2 (IDENTITY ACCESS) (p. 121)
4.3 (ACCESS ROLES) (p. 122)
4.4 IP (p. 123)
4.5 CAPTIVE PORTAL (p. 125)
5 SMARTEVENT (p. 128)
6 URL (APP CONTROL & URL FILTERING) (p. 132)
6.1 APPLICATION CONTROL (p. 132)
6.2 USERCHECK (p. 134)
6.3 URL FILTERING (p. 136)
7 HTTPS (p. 138)
7.1 HTTPS (p. 138)
7.2 HTTPS INSPECTION (p. 138)
7.3 BYPASS HTTPS INSPECTION (p. 138)
8 (DLP) (p. 139)
8.1 DLP (p. 139)
8.2 DLP (p. 139)
8.2.1 DLP Blade (p. 139)
8.2.2 DLP (p. 139)
8.2.3 DLP (p. 139)
8.3 DLP: (p. 140)
8.4 DLP (p. 140)
8.4.1 HTTP (p. 141)
8.4.2 SMTP (p. 145)
8.4.3 FTP (p. 149)
9 (p. 151)
9.1 (p. 151)
9.2 (p. 151)
9.3 (p. 152)
9.4 (p. 153)
9.5 (p. 154)
10 (ANTI-BOT & ANTI-VIRUS) (p. 155)
10.1 (p. 155)
10.2 (p. 155)
11 (p. 157)
11.1 SMARTDASHBOARD (p. 157)
11.1.1 Database Revision Control (p. 157)
11.2 SMARTVIEW TRACKER (p. 163)
11.2.1 SmartView Tracker Mode (p. 164)
11.2.2 (p. 165)
11.2.3 Filter (p. 165)
11.2.4 Track (p. 166)
11.3 SMARTVIEW MONITOR (p. 167)
11.3.1 Monitor (p. 167)
11.3.2 Gateway (p. 168)
11.3.3 Traffic (p. 169)
11.3.4 System Counters (p. 170)
11.3.5 Tunnels (p. 170)
11.3.6 Remote Users (p. 171)
11.3.7 SmartUpdate (p. 172)
11.3.8 (p. 173)
11.3.9 License (p. 174)
12 (p. 176)
12.1 SECUREPLATFORM (p. 176)
12.2 SMARTCENTER (UPGRADE_TOOLS) (p. 177)
13 (p. 180)
13.1 (p. 180)
13.1.1 Hardware Diagnostic Tool (p. 180)
13.1.2 (p. 181)
13.1.3 I/O (p. 181)
13.1.4 (p. 181)
13.1.5 (p. 181)
13.2 (p. 181)
13.3 (p. 182)
13.3.1 (p. 182)
13.3.2 Coredump (p. 182)
13.3.3 debug (p. 182)
13.3.4 zdebug (p. 182)
13.3.5 Debug FWD (p. 183)
13.4 (p. 184)
13.4.1 (p. 184)
13.4.2 (p. 184)
13.4.3 (p. 184)
13.4.4: (p. 185)
14 (p. 186)
14.1 (p. 186)
14.2 (p. 186)
15 (p. 187)
15.1 SMARTCENTER (p. 187)
15.2 (p. 188)
15.2.1 (p. 188)
15.2.2 (p. 189)
15.2.3 X11 (p. 189)
15.2.4 (p. 190)
15.2.5 (p. 191)
16 (p. 193)
16.1 +OSPF+ECMP (p. 193)
16.1.1 (p. 193)
16.1.2 IP (p. 194)
16.1.3 (p. 194)
16.2 +STATIC+ECMP (p. 201)
16.2.1 (p. 201)
16.2.2 IP (p. 202)
16.2.3 (p. 202)
16.3 HA +OSPF (p. 208)
16.3.1 (p. 208)
16.3.2 IP (p. 209)
16.3.3 (p. 209)
16.4 HA +STATIC (p. 220)
16.4.1 (p. 220)
16.4.2 IP (p. 221)
16.4.3 (p. 221)
16.5 HA +OSPF+ECMP (p. 228)
16.5.1 (p. 228)
16.5.2 IP (p. 229)
16.5.3 (p. 229)
16.6 HA +STATIC+ECMP (p. 239)
16.6.1 (p. 239)
16.6.2 IP (p. 240)
16.6.3 (p. 240)
1.
1.1 UTM-1
1.1.1 UTM-1
UTM-1
Check Point UTM-1 VPN
UTM-1
Check Point
IPS, Web
UTM-1
UTM-1 3076 UTM-1
1.1.2 UTM-1
1 LCD
2 LCD
3 USB
4 Console
5 Internal
6
1.2 Power-1
1.2.1 Power-1
Check Point Power-1
Check Point IPsec VPN
Gbps
25 Gbps
IPS 15 Gbps; Power-1 11000
Power-1 11000 Power-1
Power-1 HCC 11000 (64) specifications:
Firewall throughput: 30 Gbps
Maximum concurrent HTTP connections 400
Maximum HTTP connection rate 7
1.2.2 Power-1
CheckPoint Power-1
1
2 LCD
3 LCD
4
5
6
7 USB
8 8 1 GbE
9
1 GbE SR 4 ;1 GbE LR 4
10 GbE SR 2 ; 10 GbE LR 2
10 LOM
1.3
Terms used in this guide:
SecurePlatform / SecurePlatform Pro
Check Point UTM-1, Power-1, Smart-1
Check Point Firewall, VPN
SSH, Web, IP
SNMP, CLI
Rule base columns: Source and Destination, VPN, Service, Action, Track, Install-On, Time
Implied Rules
Global Properties
Anti-Spoofing (IP)
SmartView Tracker
SmartView Monitor
SmartUpdate (license management)
SmartReporter
SmartEvent
Expert mode: the SecurePlatform Unix shell
IPS
Security Gateway / Firewall Module
Check Point
SmartCenter
Deployment types: Standalone and Distributed
Standalone: the Security Gateway and SmartCenter run on the same machine
Distributed: the Security Gateway and SmartCenter run on separate machines
SmartConsole (GUI): SmartDashboard, SmartView Tracker, SmartView Monitor, SmartUpdate
NAT
SmartConsole
SmartCenter
License
License types:
Local License: bound to the IP address of the machine it is installed on (SmartCenter Standalone)
Central License: bound to the IP address of the SmartCenter (Distributed deployments)
1.4 UTM-1 / Power-1
1.4.1
UTM-1: 1.5G to 4.5G UTM (VPN, IPS) throughput
Power-1: 9G to 30G
VPN
UTM-1 Power-1
2
2.1
2.1.1 Check Point
Check Point UTM-1/Power-1
R70 and R70.x releases
R71 and all R71.x releases
R75
Check Point Support site http://support.checkpoint.com.
2.1.2 UTM-1/Power-1
UTM-1/Power-1 SecurePlatform
UTM-1
Power-1 HCC 64
2.1.2.1 Console
COM
http://support.checkpoint.com/
Console
https://192.168.1.1:4434 (UTM-1 default management address); the Web UI is described in 2.1.2.2.
2.1.2.2 Web
Console and Web UI:
1. Connect the PC to the Internal interface.
2. Set the PC IP address to 192.168.1.10/24.
3. Open https://192.168.1.1:4434 in IE and log in as admin.
admin
UTM-1
6
Save and Login
UTM-1 Next
ApplyNext
IP
IP
External
IP Apply
connections IP
Internal 192.168.1.1 IP
Internal IP
IP
After the Internal interface IP changes, reconnect at https://100.100.101.3:4434 and click Next.
New
New Default Route
Next DNS
Next
Management: choose Centrally Managed (the gateway is managed by a SmartCenter) and click Next,
or Locally Managed (the appliance runs its own SmartCenter).
Web and SSH clients: which hosts may reach the Web UI and SSH
Apply. Entering "any" for Web and SSH clients lets every IP address reach the management interfaces; restrict them to your administration hosts (this can be changed later under Device > Web and SSH Clients).
HA: click Next. A standalone gateway is a Standard Gateway with a single IP;
for HA select "This Gateway is a member of a Cluster."
SmartCenter SIC (Secure Internal Communication): enter the one-time activation key; the gateway and SmartCenter use it to establish SSL trust. Click Next.
SIC SmartCenter Next
Finish
10
Check Point UTM-1 SmartCenter
SmartCenter
2.2
Check point
Check PointSmartCenter
(SmartCenter) Check Point
(SmartCenter)
IP
(SmartCenter)
: SmartCenter Security Gateway Module
,SmartConsole SmartCenter
Check Point
1. SmartConsole ( SmartCenter)
2. (),
3. SmartCenter
4. SmartCenter
5. SmartCenter
SmartCenter
Note: Smart-1
Smart-1 Smart-1
2.2.1
PC Check Point
http://www.checkpoint.com/services/techsupport/hcl/all.html
OK, Device List
US
SmartCenter IP
SmartCenter https 443
Note: Smart-1 appliances use port 4434 instead.
OK
2.2.2
Open Server: browse to https://192.168.1.1
Smart-1: connect the PC to the MGMT port and set the PC address to 192.168.1.100
https://192.168.1.1:4434
===================================================================
Web
====================================================================
Accept the license agreement (I Accept).
Default credentials: admin / admin. Change them at first login: the default password is public knowledge, and the Web UI is reachable from every host allowed under Web and SSH Clients.
Ok,
_.me)Forgot your password?Browse
Send
Next
IP IPNext,
Default Route
Next
DNS DNS Next
IP SmartCenter
SmartCenter Next
Next
SSH/Web client IPs: add the IP addresses of the administration hosts.
Avoid "any" here; Add
Security Management
Primary Security Management (for HA the Secondary is added later),
Next
SmartDashboard GUI clients: the IP addresses allowed to connect with SmartDashboard
Add each administrator workstation IP
Allowing "any" lets every host attempt a SmartDashboard login to the SmartCenter; list the administrator IPs instead.
SmartDashboard GUI clients: Add
GUI
SmartDashboard administrator: admin, password ******, Apply
Finish
2.2.3
(SmartCenter)
SmartCenter Secondary SmartCenter SIC, 2.2.1.2
Primary SmartCenter
Primary SmartCenter
Primary SmartCenter
HA SmartDashboard
Secondary SmartCenter 2.5
SmartDashboard Primary SmartCenter Host IP
SIC :
Policy > Global Properties > Management High Availability (SmartCenter HA)
Save the SmartCenter
Log server: the SmartCenter as log server
Log server: Logs and Masters, Log Server
Log server
Policy > Management High Availability (SmartCenter)
Read Only SmartCenter
SmartCenter:
When the Primary SmartCenter is in Standby, a SmartView Tracker session to the Primary SmartCenter reports "Failed to connect";
change the Secondary SmartCenter to Read-Write so that the Secondary
SmartCenter becomes Active;
Primary SmartCenter Secondary SmartCenter log
2.2.4
SmartConsole installation
Browse to https://<Management IP>:4434 > Product Configuration > Download SmartConsole,
Next
==========================================================
SmartConsole requires .NET Framework 2.0
==========================================================
Next,
choose the SmartConsole installation folder (default on drive C:)
Next
Next, Finish
SmartDashboard
SmartCenter,
2.3
2.3.1
2.3.1.1
Web UI of SecurePlatform
Device > Device Administrators
Administrator accounts for the Web UI and SSH
2.3.1.2 NTP
Device > Date and Time
Apply
Device > Date and Time > Use Network Time Protocol (NTP) to synchronize the clock: enter the NTP server IP and click Apply.
2.3.1.3
Network > Domain, Apply
2.3.1.4 SSH, HTTPS
SecurePlatform management access
Device > Web and SSH Clients: enter the IP addresses (or networks) allowed to reach the Web UI and SSH
Apply
2.3.1.5 SNMP
SNMP
Enabling SNMP:
1. Log in to SecurePlatform
2. Enter Expert mode
3. Enable the SNMP service: snmp service enable
4. Enable the Check Point SNMP daemon (extension):
a. cpconfig
b. SNMP Extension
c. y
This exposes the Check Point MIB (Management Information Base) in addition to the OS MIB,
on UDP port 161.
5. Verify that SNMP is running:
ps aux | grep snmp
netstat -an | grep 161
ps aux | grep cpsnmp
snmpwalk -c public -v2c 127.0.0.1 1.3.6.1.2.1 (the OS MIB)
snmpwalk -c public -v2c 127.0.0.1 1.3.6.1.4.1.2620 (the Check Point MIB)
Changing the SNMP agent community name:
The SNMP community name is set in $FWDIR/conf/snmp.C. The default "public" used in the snmpwalk commands above is known to everyone, and SNMP v2c sends the community string in cleartext, so change it and restrict UDP/161 in the policy to the monitoring hosts.
cpstop
vi $FWDIR/conf/snmp.C and edit the community name:
=========================================
:snmp_community (
:read (read community)
:write (write community)
==========================================
cpstart
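The following is an added example, not part of the Check Point guide: a small audit script for the two things a practitioner checks after enabling SNMP as described above, namely that the community strings in $FWDIR/conf/snmp.C are no longer the guessable defaults and whether the agent is bound to every interface. The snmp.C layout used in the samples is an assumption reconstructed from the ":snmp_community / :read / :write" fragment shown above; the netstat line is constructed in the format of the "netstat -an | grep 161" verification step.

```sh
#!/bin/sh
# Added example, not from the Check Point guide. Audits an snmp.C-style
# community section and a netstat line. File layout is an ASSUMPTION
# based on the ":snmp_community", ":read (...)", ":write (...)" fragment.

# Constructed sample: the defaults the guide's snmpwalk commands use.
WEAK_SNMP_C='(
	:snmp_community (
		:read (public)
		:write (private)
	)
)'

# Constructed sample: the same section after the strings were changed.
STRONG_SNMP_C='(
	:snmp_community (
		:read (r0-mon-7f3a9c)
		:write (w-cfg-2b8e41)
	)
)'

# Print "<access> <community>" for each :read / :write entry in the text.
snmp_communities() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*:(read|write)[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*:/, "", line)                  # drop the leading ":"
            access = line; sub(/[ \t]*\(.*/, "", access)
            value = line; sub(/^[^(]*\(/, "", value); sub(/\).*$/, "", value)
            print access, value
        }'
}

# Count community strings that are the defaults, empty, or shorter than
# 8 characters. Prints the count; exit status 1 when any weak string exists.
weak_snmp_communities() {
    snmp_communities "$1" | awk '
        {
            c = tolower($2)
            if (c == "public" || c == "private" || c == "" || length(c) < 8) n++
        }
        END { print n + 0; exit (n > 0) }'
}

# Constructed netstat line: the agent bound to the wildcard address.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:161             0.0.0.0:*'

# Return 0 when UDP/161 is bound to 0.0.0.0 (reachable on every interface,
# so the firewall policy must limit who can reach it), 1 otherwise.
snmp_bound_wildcard() {
    printf '%s\n' "$1" | grep -q '^udp.*[[:space:]]0\.0\.0\.0:161[[:space:]]'
}

# Usage on the appliance in Expert mode:
#   weak_snmp_communities "$(cat $FWDIR/conf/snmp.C)"
#   snmp_bound_wildcard "$(netstat -an | grep ':161 ')"
```

Run the two functions after step 5 and again after editing snmp.C; a non-zero exit from weak_snmp_communities means the community name is still a default.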
2.3.2
2.3.2.1 IP and MTU
IP eth1
eth1
IP Apply
MTU
connections IP
2.3.2.2
Vlan New
VLAN
InterfaceVLAN NumberIP
connections
2.3.2.3
NewBond
BondAvailable Add
Selected Members IP
IP BondLoad Sharing
Advanced Bond Properties
MTU, LACP rate
Lan2Lan3bond0
bond0Delete
2.3.2.4
NewBond
BondAvailable Add
Selected Members IP
IP BondHigh
Availability
2.3.2.5
NewBridge
BridgeAvailableadd
Selected Members
connections Bridge Lan2 Lan3
br0Delete
2.3.3
2.3.3.1
Network Route New Default Route
GatewayApply
2.3.3.2
Network Route New Route
Apply
2.3.3.3 OSPF
OSPF is configured from the SecurePlatform Pro routing shell over SSH.
Enable SecurePlatform Pro first with "pro enable"
(this turns on the SecurePlatform Pro features; reboot afterwards).
Enter the routing shell with "router"; its syntax is Cisco-like.
Note: the example below configures no OSPF authentication, so any host on the 100.100.101.0/24 or 200.200.1.0/24 segments could form an adjacency and advertise routes to the gateway. On production links enable OSPF authentication and keep those segments restricted to the routers you control.
[CPC]# router
localhost>enable
localhost#configure terminal
localhost(config)#router ospf 1
localhost(config-router-ospf)#router-id 127.1.1.2
# OSPF router ID
localhost(config-router-ospf)#network 100.100.101.0 0.0.0.255 area 0.0.0.10
# networks and area that take part in OSPF
localhost(config-router-ospf)#network 200.200.1.0 0.0.0.255 area 0.0.0.10
localhost(config-router-ospf)#redistribute direct
# redistribute directly connected routes (interfaces configured in the SPLAT Web UI / sysconfig) into OSPF
localhost(config-router-ospf)#redistribute kernel
# redistribute OS (kernel) routes into OSPF
localhost(config-router-ospf)#restart-type signaled
# graceful restart, so OSPF adjacencies survive a cluster failover
localhost(config-router-ospf)#exit
localhost(config)#interface bond0
localhost(config-if)#ip ospf 1 area 0.0.0.10
localhost(config-if)#enable
localhost(config-if)#exit
localhost(config)#exit
localhost#write memory
# save the configuration
localhost#quit
[CPC]#
Verify the running configuration:
[CPC]# router
localhost>enable
localhost#show run
Building configuration...
router ospf 1
restart-type signaled
router-id 127.1.1.2
network 100.100.101.0 0.0.0.255 area 0.0.0.10
network 200.200.1.0 0.0.0.255 area 0.0.0.10
redistribute kernel
redistribute direct
exit
interface bond0
ip ospf 1 area 0.0.0.10
exit
exit
Verify the OSPF neighbors:
localhost#show ip ospf neighbor
Routing Process "ospf 1":
Neighbor 100.100.101.2, interface address 100.100.101.2
In area 0.0.0.10 interface eth1
Neighbor priority is 1, state is Full 6 state changes
DR is 100.100.101.3 BDR is 100.100.101.2
Options is 18
Dead timer is due in 37 seconds
Neighbor 100.100.101.2, interface address 101.100.101.2
In area 0.0.0.10 interface eth4
Neighbor priority is 1, state is Full 6 state changes
DR is 101.100.101.3 BDR is 101.100.101.2
Options is 18
Dead timer is due in 32 seconds
Verify the routing table:
localhost#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
A - Aggregate
O 0.0.0.0/0 [12/150] via 192.168.110.238, 00:22:17, eth0
via 192.168.110.238, 00:22:17, eth0
C 1.1.1.0/24 [1/0] via 1.1.1.1, 00:22:54, eth7
O 23.23.23.0/24 [12/10] via 101.100.101.2, 00:22:17, eth4
via 100.100.101.2, 00:22:17, eth1
O 24.24.24.0/24 [12/10] via 101.100.101.2, 00:22:17, eth4
via 100.100.101.2, 00:22:17, eth1
C 100.100.101.0/24 [1/0] via 100.100.101.3, 00:08:04, eth1
O 100.100.102.0/24 [11/10] via 101.100.101.2, 00:22:17, eth4
via 100.100.101.2, 00:22:17, eth1
O 100.100.104.0/24 [11/10] via 101.100.101.2, 00:22:17, eth4
via 100.100.101.2, 00:22:17, eth1
O 100.100.105.0/24 [12/10] via 101.100.101.2, 00:22:17, eth4
via 100.100.101.2, 00:22:17, eth1
C 101.100.101.0/24 [1/0] via 101.100.101.3, 00:22:54, eth4
S 127.0.0.0/8 [0/0] via 127.0.0.1, 00:22:54, lo
C 127.0.0.1/32 [1/0] via 127.0.0.1, 00:22:54, lo
C 127.1.1.0/24 [1/0] via 127.1.1.1, 00:22:54, loop00
C 192.168.110.0/24 [1/0] via 192.168.110.236, 00:22:54, eth0
C 200.200.1.0/24 [1/0] via 200.200.1.2, 00:22:54, eth3
C 200.200.2.0/24 [1/0] via 200.200.2.2, 00:22:54, eth2
K 200.200.4.0/24 [0/40] via 200.200.1.4, 00:22:54, eth3
localhost#
2.3.3.4
ECMP Hotfix /var/tmp
1. dr_splat_979015002_2.tgz
2. sim_979001003_1.tgz
3. routeassistd
4. routeassistdscript
5. routeassistd /bin routeassistdscript /etc/init.d
6. dr_splat_979015002_2.tgz sim_979001003_1.tgz
==================================================================
[Expert@CPA]# tar xvfz dr_splat_979015002_2.tgz # Hotfix
CPadvr-R75-00.i386.rpm
[Expert@CPA]# rpm -ihv CPadvr-R75-00.i386.rpm #
Preparing... ########################################### [100%]
1:CPadvr ########################################### [100%]
**************************************************************
DO NOT FORGET TO:
Log in again and run cpstart in order to activate the product.
**************************************************************
*******************************************************
Check Point Advanced Routing R75 installation complete.
*******************************************************
[Expert@CPA]# tar xvfz sim_979001003_1.tgz
[Expert@CPA]# rpm -ihv .rpm
===================================================================
7. ECMP
ECMP
ECMP rc.local
===================================================================
[Expert@CPA]# vi /etc/rc.local
#!/bin/sh
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then
# Register log rotation process
. /opt/CPshared/5.0/tmp/.CPprofile.sh
cpd_sched_config add RotateLogs -c /sbin/cp_logrotate -e 100 -s
fi
if [ -f /etc/rc.d/rc.local.user ]; then
. /etc/rc.d/rc.local.user
fi
ip route add 200.200.4.0/24 nexthop via 200.200.1.4 nexthop via 200.200.2.4
ip route add 23.23.23.0/24 nexthop via 100.100.101.2 nexthop via 101.100.101.2
~/etc/rc.local: unmodified, readonly: line 1
[Expert@CPA]#/etc/rc.local rc.local
===================================================================
8. ECMP
[Expert@CPA]# chkconfig --add routeassistdscript
9.
[Expert@CPA]# drouter stop ; drouter start #
[Expert@CPA]# cpstop ; cpstart #
2.3.3.5
SSH router
[Expert@CPA]# ip route
224.0.0.2 dev lo proto gated scope link
224.0.0.6 dev lo proto gated scope link
224.0.0.5 dev lo proto gated scope link
23.23.23.0/24 proto none
nexthop via 100.100.101.2 dev eth2 weight 1
nexthop via 101.100.101.2 dev eth3 weight 1
8.8.8.8 via 100.100.101.6 dev eth1
127.0.0.1 dev lo proto kernel scope link
127.1.1.0/24 dev loop00 proto kernel scope link src 127.1.1.1
100.100.101.0/24 via 101.100.101.2 dev eth4 proto none
100.100.101.0/24 dev eth1 proto kernel scope link src 100.100.101.3
100.100.102.0/24 via 100.100.101.2 dev eth1
101.100.101.0/24 dev eth4 proto kernel scope link src 101.100.101.3
23.23.23.0/24 via 101.100.101.2 dev eth4 proto none
192.168.110.0/24 dev eth0 proto kernel scope link src 192.168.110.236
200.200.4.0/24 proto none
nexthop via 200.200.2.4 dev eth2 weight 1
nexthop via 200.200.1.4 dev eth3 weight 1
1.1.1.0/24 dev eth7 proto kernel scope link src 1.1.1.1
100.100.104.0/24 via 100.100.101.2 dev eth1
100.100.105.0/24 via 100.100.101.2 dev eth1
200.200.2.0/24 dev eth2 proto kernel scope link src 200.200.2.2
200.200.1.0/24 dev eth3 proto kernel scope link src 200.200.1.2
24.24.24.0/24 via 100.100.101.2 dev eth1
127.0.0.0/8 dev lo scope host
[Expert@CPA]#
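The `ip route` listing above is where the ECMP routes added in rc.local become visible. As an added example (not part of the guide), the following parser reads output in that format, lists the multipath routes with their next hops and weights, and flags prefixes that appear more than once; the sample text is constructed from the listing in this section, with the tab indentation of the `nexthop` lines restored as real `ip route` output has it.

```python
"""Parse `ip route` output and report ECMP (multipath) routes.

Added example, not part of the guide. SAMPLE_IP_ROUTE is constructed from
the listing in this section.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_IP_ROUTE = """\
224.0.0.5 dev lo proto gated scope link
23.23.23.0/24 proto none
\tnexthop via 100.100.101.2 dev eth2 weight 1
\tnexthop via 101.100.101.2 dev eth3 weight 1
8.8.8.8 via 100.100.101.6 dev eth1
100.100.101.0/24 via 101.100.101.2 dev eth4 proto none
100.100.101.0/24 dev eth1 proto kernel scope link src 100.100.101.3
23.23.23.0/24 via 101.100.101.2 dev eth4 proto none
200.200.4.0/24 proto none
\tnexthop via 200.200.2.4 dev eth2 weight 1
\tnexthop via 200.200.1.4 dev eth3 weight 1
200.200.1.0/24 dev eth3 proto kernel scope link src 200.200.1.2
"""

NEXTHOP_RE = re.compile(r"^nexthop via (\S+) dev (\S+)(?: weight (\d+))?")


@dataclass
class Route:
    dest: str
    nexthops: list = field(default_factory=list)  # (gateway, device, weight)

    @property
    def is_ecmp(self):
        return len(self.nexthops) > 1


def parse_ip_route(text):
    """Turn `ip route` text into Route objects; nexthop lines attach to the
    route that precedes them."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("nexthop"):
            m = NEXTHOP_RE.match(line)
            if m is None or not routes:
                raise ValueError(f"unexpected nexthop line: {line!r}")
            gw, dev, weight = m.groups()
            routes[-1].nexthops.append((gw, dev, int(weight or 1)))
            continue
        tokens = line.split()
        route = Route(tokens[0])          # first token is the destination prefix
        gw = dev = None
        for i, tok in enumerate(tokens):
            if tok == "via" and i + 1 < len(tokens):
                gw = tokens[i + 1]
            elif tok == "dev" and i + 1 < len(tokens):
                dev = tokens[i + 1]
        if gw or dev:                     # single-path route on the same line
            route.nexthops.append((gw, dev, 1))
        routes.append(route)
    return routes


def ecmp_routes(routes):
    return [r for r in routes if r.is_ecmp]


def duplicate_prefixes(routes):
    """Prefixes listed more than once, e.g. a static multipath route next to a
    dynamically learned one; which entry wins is not obvious, so look closer."""
    counts = Counter(r.dest for r in routes)
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    rts = parse_ip_route(SAMPLE_IP_ROUTE)
    for r in ecmp_routes(rts):
        hops = ", ".join(f"{gw} via {dev} (weight {w})" for gw, dev, w in r.nexthops)
        print(f"ECMP {r.dest}: {hops}")
    print("duplicate prefixes:", duplicate_prefixes(rts))
```

Run on the listing above it reports the two ECMP prefixes and also that 23.23.23.0/24 and 100.100.101.0/24 each appear twice, once from the rc.local multipath route and once from the routing daemon; after an ECMP change that is the first thing to check.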
2.4 HA
2.4.1 SmartCenter ClusterXL
UTM-1 SmartDashboard Cluster
SmartDashboard Cluster
SmartDashboard, SmartCenter Network Object "Check Point" Security Cluster --> UTM-1/Power-1/Open Server Cluster/IP Series Cluster
Wizard Mode Classic Mode Cluster
Classic Mode, Don't show this again, Classic Mode
Classic Mode Cluster Cluster
Cluster IP IPHardwareVersionOS
Cluster FirewallClusterXL
"Cluster Members"Cluster Members SIC
Cluster Member AddNew Cluster Member
Cluster Member IP
NameIP addressCommunicationSIC
one-time passwordActivation Key
Initialize SIC
Test SIC Status SIC Status for CPA: Communicating
CPA SmartCenter SIC CPB
Cluster Member Cluster ClusterXL
HA High AvailabilityMode New
TopologyTopologyEdit
TopologyTopologyGet All member
topology IP
anti-spoofing
General Properties"Get OS".
SIC SMC OS "Secureplatform"
OK License
2.5
2.5.1
Check Point
SmartConsole SmartConsole
CheckPoint Configuration
SmartDashboard
SmartView Tracker
SmartEvent
Tools Check Point
SmartEvent Intro SmartEvent
SmartProvisioning
SmartReporter
SmartUpdate License
SmartView Monitor
SmartDashboard SmartCenter IP
SmartDashboard Approve
Fingerprint GUI
2.5.1.1 HA Security Cluster HA
Security Gateway Cluster
2.5.1.1.1 Security Cluster
SmartDashboard CheckPoint Security Cluster UTM-1/Power-1/Open Server Cluster/IP Series
Don't show this again Classic Mode
Cluster IP ()
UTM-1 Power-1CheckPoint R75 Network Security
Firewall Monitoring ClusterXL
Cluster Members, Add, New Cluster Member
IP Communication SIC
One-time password cpconfig CheckPoint
Activation Key Initialize
: One-time password 2.4.1 Enter Activation Key:
Trust state Trust established
Test SIC Status Communicating
(SmartCenter)
Security Gateway member
ClusterXL ClusterXLHigh AvailabilityMode
New HA Upon Cluster Member recovery
Active
Topology Edit Topology get
Get->All Members Interfaces
Cluster Get Topology Cluster IP Network Objective
IP
1st Sync 2nd Sync3rd Sync
Anti-Spoofing Edit
Topology External Anti-Spoofing
Internal Network defined by the interface Anti-spoofing
2.5.1.1.2 (Anti-Spoofing)
Check Point
Internet IP
Anti-Spoofing
Anti-Spoofing
GroupSpecificGroup
Perform Anti-Spoofing based on interface
topology
Group
VPN Pool IP Internet
Dont check packets from
SmartDashboard
Capacity Optimization
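The anti-spoofing options named above (per-interface topology, "Perform Anti-Spoofing based on interface topology", "Don't check packets from" for a VPN pool) can be modelled in a few lines. This is an added illustration, not Check Point's implementation; the interfaces, networks and exception group are constructed for the example.

```python
"""Anti-spoofing based on interface topology: added example, not the guide's
material. Interfaces, networks and the exception group are constructed.
"""
import ipaddress


def cidr_list(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Topology per interface, as set in the gateway's Topology tab:
#   None           -> External (leads out to the Internet)
#   list of CIDRs  -> Internal, with the networks behind it
#                     ("Network defined by the interface" or a specific group)
TOPOLOGY = {
    "eth0": None,
    "eth1": ["10.10.0.0/16"],
    "eth2": ["172.16.5.0/24", "172.16.6.0/24"],
}

# "Don't check packets from": e.g. the VPN office-mode pool, whose addresses
# legitimately arrive on the external interface.
DONT_CHECK = ["192.168.250.0/24"]


def network_defined_by_interface(if_addr):
    """The 'Network defined by the interface' for an address such as 10.10.0.1/16."""
    return str(ipaddress.ip_interface(if_addr).network)


def internal_networks(topology):
    return [n for cidrs in topology.values() if cidrs for n in cidr_list(cidrs)]


def is_spoofed(iface, src, topology=TOPOLOGY, dont_check=DONT_CHECK):
    """True if a packet with source `src` arriving on `iface` contradicts the topology."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in cidr_list(dont_check)):
        return False
    allowed = topology[iface]
    if allowed is None:
        # External: anything goes except an address that belongs to an
        # internal network (the classic spoof of an inside host).
        return any(addr in n for n in internal_networks(topology))
    # Internal: the source must belong to the networks behind this interface.
    return not any(addr in n for n in cidr_list(allowed))


def inspect(packets, topology=TOPOLOGY, dont_check=DONT_CHECK):
    """Return [(iface, src, verdict)] with verdict 'spoofed' or 'ok'."""
    return [(i, s, "spoofed" if is_spoofed(i, s, topology, dont_check) else "ok")
            for i, s in packets]


if __name__ == "__main__":
    sample = [("eth0", "8.8.8.8"), ("eth0", "10.10.1.5"), ("eth1", "10.10.1.5"),
              ("eth1", "172.16.5.9"), ("eth0", "192.168.250.7")]
    for row in inspect(sample):
        print(*row)
```

The two cases that matter operationally are the internal address arriving on the external interface (spoofed) and an internal host showing up behind the wrong internal interface (also spoofed, and usually a topology definition that is out of date rather than an attack, which is why the guide's Get Topology step matters).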
2.5.1.1.3 Security Gateway
SmartDashBoard Check PointSecurity Gateway/Management
IP
CommunicationSIC
One-time password cpconfig checkpoint Activation Key Initialize
SIC(Secure Internal Communication)Topology
GetInterfaces
Anti-SpoofingEdit,
TopologyExternalAnti-Spoofing
InternalNetwork defined by the interfaceAnti-spoofing
Capacity Optimization
2.5.1.1.4 Log Switch
SIC (SmartCenter)
SmartCenter SmartCenter
SmartCenter
Log switch when file size is log switch
Schedule log switch to log switch
Required Free Disk Space
Do not delete log files from the last
Alert when the disk space is below
Stop logging when the free disk space is below
2.5.1.2 IP
Network ObjectsNodes
NodeHost
IP Address
OK
General Properties
Topology
NAT NAT
Advance
2.5.1.3
NetworkNetwork
DMZInternal
(Comment)
General
NAT NAT
2.5.1.4 IP IP
GroupSimple Group
Simple Group
Group With Exclusion
Not in GroupIn Group
OK
2.5.1.5 IP(IP range)
NetworkDo not show empty folders
IP Range
Address Range, Address Ranges
IP IP OK .
2.5.2
2.5.2.1 TCP
Check Point TCPUDPRPCICMP
Services
TCP TCPNew TCP
TCP
TCP UDP
2.5.2.2 UDP Services
UDP UDPNew
UDP
UDP
RPCICMP TCP UDP
2.5.3
2.5.3.1
SmartDashboardRules
Bottom rule base
Top rule base
Below
Above
SmartDashboard ,
Firewallrule base
Firewall
NAT NAT
IPS IPS
Application Control
Anti-Spam & Mail
Mobile Access VPN
DLP
Anti-Virus & URL Filtering
IPSec VPN IPSec VPN
QOS
Desktop
SOURCEDESTINATIONVPNSERVICEACTION
NO
NAME
SOURCE
DESTINATION
VPN VPN
SERVICE
ACTION
TRACK
INSTALL ON
TIME
COMMENT
2.5.3.2
C FileServer
SourceDestination
2.5.3.3
DMZ
Internal VPN
Add Section Title
Add Rule
Delete
Copy
Cut
Paste
Rule Expiration
Add Section Title
Hide
Disable Rule(s)
Select All
2.5.3.4 (Rule Base)
;
1.
2.
(Rule Base)
3.
(Rulebase)
Standard
SmartCenter
SmartCenter
SmartDashBoardFile New
New
Open
Save
Save as
Delete
Copy Policy to Package
Database Revision Control
Print Preview
Print Setup
Exit
NewPolicy Package
NAT Application Control Qos OK
StandardOpenStandard
2.5.4 (NAT)
Check Point Static NAT NATManual
NAT( NAT) Hide NAT( IP NAT)
2.5.4.1 Hide NAT
Hide NAT
Internet Internet
Internet
Internet internet
NATHide
Network
NetworkNAT
Add Automatic Address Translation rules NAT
Translation method
Hide behind Gateway
Hide behind IP Address IP
Install on Gateway NAT
OK NAT NAT
NAT NAT
Hide NAT
2.5.4.2 Static NAT Static NAT NAT DMZ Internet
Internet
Node
NAT
NAT
Add Automatic Address Translation rules NAT
Translation method Static
Translate to IP Address NAT
Install on Gateway NAT
NAT
AnyWeb-ServerhttpAcceptlog
2.5.4.3 Manual NAT (Manual)NAT IP
Internet
HTTP FTP
IP HTTP 80 FTP 21 A
B NAT
FW-Ext-IP,NAT NAT
NAT Firewall
2.5.4.4 IP Pool NAT
IP Pool NAT Network Object
NAT IP Pool
IP Pool
Manual NAT NAT Internal_Net
NAT_IP_Pool
NAT_IP_Pool
TRANSLATED PACKET SOURCE
Hide
Internal_Net Internet
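Section 2.5.4 names the two translation methods, Hide NAT (many hosts behind one address, distinguished by port) and Static NAT (one-to-one, reachable from outside). The following is an added model of how the two differ on the wire and why an unsolicited packet to the hide address has nowhere to go; it is not Check Point's implementation. Addresses are constructed, and the port range and the rule order (a host's static rule taking precedence over the network's hide rule) are assumptions of this example.

```python
"""Hide NAT versus Static NAT: an added conceptual model, not the gateway's code.
Addresses, port range and rule order are assumptions of this example.
"""
import ipaddress
from itertools import count


class NatGateway:
    def __init__(self, hide_net, hide_ip, static_map, first_port=10000):
        self.hide_net = ipaddress.ip_network(hide_net)   # network with Hide NAT
        self.hide_ip = hide_ip                           # "Hide behind IP Address"
        self.static = dict(static_map)                   # private -> public, 1:1
        self.static_rev = {pub: priv for priv, pub in static_map.items()}
        self._ports = count(first_port)                  # assumed port allocator
        self.by_public = {}                              # (hide_ip, port) -> (src, sport)
        self.by_private = {}                             # (src, sport) -> port

    def outbound(self, src, sport, dst, dport):
        """Translate a packet leaving the protected network.
        Returns (src, sport, dst, dport, method)."""
        if src in self.static:                           # static rule first (assumed order)
            return (self.static[src], sport, dst, dport, "static")
        if ipaddress.ip_address(src) in self.hide_net:
            key = (src, sport)
            port = self.by_private.get(key)
            if port is None:                             # new connection: allocate a port
                port = next(self._ports)
                self.by_private[key] = port
                self.by_public[(self.hide_ip, port)] = key
            return (self.hide_ip, port, dst, dport, "hide")
        return (src, sport, dst, dport, "none")

    def inbound(self, src, sport, dst, dport):
        """Reverse-translate a packet arriving from outside. None means there is
        neither a static mapping nor connection state for it, i.e. unsolicited
        traffic to the hide address, which the gateway has no host to give to."""
        if dst in self.static_rev:                       # static NAT works in both directions
            return (src, sport, self.static_rev[dst], dport, "static")
        orig = self.by_public.get((dst, dport))
        if orig is not None:                             # reply to a hidden connection
            return (src, sport, orig[0], orig[1], "hide-reply")
        return None


if __name__ == "__main__":
    gw = NatGateway("10.0.0.0/24", "203.0.113.1", {"10.0.0.80": "203.0.113.80"})
    print(gw.outbound("10.0.0.5", 40000, "198.51.100.9", 80))   # hidden, port 10000
    print(gw.outbound("10.0.0.6", 40000, "198.51.100.9", 80))   # same sport, port 10001
    print(gw.inbound("198.51.100.9", 80, "203.0.113.1", 10001))  # back to 10.0.0.6
    print(gw.inbound("198.51.100.9", 5555, "203.0.113.80", 80))  # static, to the web server
    print(gw.inbound("198.51.100.9", 5555, "203.0.113.1", 22))   # None: no state
```

The last two calls are the practical difference: the DMZ web server behind Static NAT needs a rule allowing `Any -> Web-Server http`, as the section shows, whereas hosts behind Hide NAT are only reachable as replies to connections they opened.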
2.5.5 OPSEC
OPSEC Check Point Check Point
Check Point
OPSEC CISCO
Check Point RadiusLDAPTACACS Securid
Radius LDAP
2.5.5.1 Radius Radius VPN Radius
Radius
Services and OPSEC Applications New
RADIUS
RADIUS Server NameHostServiceShared Secret
RADIUS RADIUS
RadiusRadiusgeneric*
External User
ProfilesMatch all users
generic*
RADIUSRADIUS
RadiusRadiusUser Group
generic*Radius_User
RadiusRadiusRadiusRadius
RadiusVPNIPSEC VPN
2.5.5.2 LDAP Check Point Microsoft Active Directory
IPSEC VPN AD LDAP
AD
VPN LDAP SSL SecureClient VPN
LDAP
VPN
A LDAP CheckPoint
LDAP
1. AD AD
2. Active Directory Schema .dll () CMD
regsvr32 schmmgmt.dll
3. Administrator
AD CheckPoint
B CP
SmartDirectory(LDAP)PolicyGlobal Properties
SmartDirectory(LDAP) LDAPUse LDAP Account Management .
SmartDirectory(LDAP) LDAP
Services and OPSEC Applications NewLDAP Account Unit
LDAP ServersAdd
Profile LDAP
389
Encryption
Host LDAP
Port LDAP
Username LDAP
Login DN ADExplorer
Password
Branches in LDAP OU DN
Add OU()
LDAP LDAP
MS_AD, LDAP
LDAP Group Group VPN
only Group in branch VPN users
cn=VPN cn=users,DC=,DC=com. OU VPN
User VPN LDAP
SmartCenter LDAP Group LDAP
VPN LDAP RemoteAccess VPN . LDAP
VPN
vpn_user@Any LDAP Group
OPSEC TACACSSecurid
Radius LDAPOPSEC
2.5.6
2.5.6.1 IPS IPS IPS IP and ICMP Network Quota, Change Action, Prevent, Edit, Allow up to 100 connections per second from the same source.
2.5.6.2 QOS
Qos Qos
Internet
2.5.7
Check Point 25000
NetworkCheck Point
Capacity Optimization
Capacity Optimization
UTM-1 576 500,000
UTM-1 572 650,000
Power-1 11095 2,000,000
2.5.8
SmartCenter TCPUDP ICMP
SmartDashboardPolicyGlobal Properties
Global PropertiesStateful Inspection
TCP start timeout TCP
TCP session timeout TCP
TCP end timeout TCP FIN
UDP virtual session timeout UDP
ICMP virtual session timeout ICMP
Other IP protocols virtual session timeout
TCPUDPICMP
TCP session timeout 600~900, TCP end timeout 5~10.
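The timeouts in Global Properties decide how long an idle entry occupies the connection table, which is what the Capacity Optimization limits in 2.5.7 cap. The following added example (not from the guide) applies state-dependent timeouts to a small constructed connection table and shows the effect of the tuning suggested above; the default values in it are this example's assumptions, so read the real ones from the Stateful Inspection page of your version.

```python
"""Stateful-inspection timeouts applied to a connection table: added example.
The default values are assumptions; check Global Properties > Stateful Inspection.
"""
from dataclasses import dataclass

DEFAULT_TIMEOUTS = {                  # seconds; assumed defaults
    "tcp_start": 25, "tcp_session": 3600, "tcp_end": 20,
    "udp": 40, "icmp": 30, "other": 60,
}
# The tuning the text suggests: shorter TCP session and end timeouts so that
# idle and half-closed entries leave the table sooner.
TUNED_TIMEOUTS = dict(DEFAULT_TIMEOUTS, tcp_session=900, tcp_end=10)


@dataclass
class Conn:
    proto: str               # "tcp", "udp", "icmp" or anything else ("other")
    tcp_state: str = ""      # tcp only: "start" (handshake), "session", "end" (FIN seen)
    last_seen: float = 0.0   # seconds


def timeout_for(conn, timeouts=DEFAULT_TIMEOUTS):
    """Pick the timeout that applies to a connection in its current state."""
    if conn.proto == "tcp":
        return timeouts["tcp_" + conn.tcp_state]
    return timeouts.get(conn.proto, timeouts["other"])


def sweep(table, now, timeouts=DEFAULT_TIMEOUTS):
    """Split a connection table into (kept, expired) at time `now`."""
    kept, expired = [], []
    for c in table:
        (expired if now - c.last_seen > timeout_for(c, timeouts) else kept).append(c)
    return kept, expired


def occupancy_estimate(new_conns_per_sec, avg_lifetime_s):
    """Steady-state table size (Little's law): arrival rate times residence time.
    Compare against the platform maximum from the Capacity Optimization table."""
    return new_conns_per_sec * avg_lifetime_s


if __name__ == "__main__":
    table = [Conn("tcp", "start"), Conn("tcp", "session"), Conn("tcp", "end"),
             Conn("udp"), Conn("gre")]
    for name, t in (("default", DEFAULT_TIMEOUTS), ("tuned", TUNED_TIMEOUTS)):
        kept, expired = sweep(table, now=1000, timeouts=t)
        print(f"{name}: kept {len(kept)}, expired {len(expired)}")
    print("entries at 2000 new conn/s with 900 s average life:",
          occupancy_estimate(2000, 900))
```

With 1000 s of silence only the established TCP entry survives under the assumed defaults, and nothing survives with the 900 s session timeout; the occupancy estimate is how to sanity-check a chosen timeout against the 500,000 / 650,000 / 2,000,000 limits listed in 2.5.7.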
2.6 Power-1 (CoreXL)
Power-1 CPU CPU
4 CPU 1
( dispatcher) 3 ( instance)
8 CPU 2 6
CPU CPU
2.6.1 CPU
expertcpconfig CPU
[Expert@P5075]# cpconfig # cpconfig Corexl
This program will let you re-configure
your Check Point products configuration.
Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Advanced Routing
(7) Enable cluster membership for this gateway
(8) Disable Check Point SecureXL
(9) Configure Check Point CoreXL
(10) Automatic start of Check Point Products
(11) Exit
Enter your choice (1-11) :9
Configuring Configure Check Point CoreXL...
===========================================
CoreXL is currently enabled with 3 firewall instances.
# 3 CoreXL.
(1) Change the number of firewall instances # CPU
(2) Disable Check Point CoreXL # Check Point CoreXL
(3) Exit
Enter your choice (1-3) : 1 # 1 CPU
This machine has 4 CPUs.
How many firewall instances would you like to enable (2 to 4) [3] ? 2
# 2 CPU
CoreXL was enabled successfully with 2 firewall instances.
Important: This change will take effect after reboot.
Press Enter to continue...
#
CPU 2 CPU
Active
[Expert@P5075]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-------------------------------------------
1 | Yes | 2 | 2 | 2
2 | Yes | 1 | 2 | 2
instance
instance
fw ctl multik stat 2 instanceID1 ID2 2
CPU CPU1 CPU2
[Expert@P5075]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-------------------------------------------
1 | Yes | 2 | 2 | 2
2 | Yes | 1 | 2 | 2
instance CPU
[Expert@P5075]# fw ctl multik -s -k 1 0
instance ID 1 CPU0 instance ID1
CPU2 CPU2
Instance ID2 CPU
[Expert@P5075]# fw ctl multik -s -k 2 0
fw ctl multik stat instance Instance ID1 Instance
ID2 CPU CPU1 CPU2
[Expert@ P5075]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-------------------------------------------
1 | Yes | 0 | 1 | 141717
2 | Yes | 0 | 1 | 142310
2.6.2 CPU
CPU
CPU
[Expert@P5075]# fw ctl affinity -l -a -v
Interface Mgmt (irq 178): CPU all
Interface Lan1 (irq 107): CPU all
Interface Lan2 (irq 155): CPU all
Interface Lan3 (irq 228): CPU all
Interface Lan4 (irq 61): CPU all
Interface Exp1-1 (irq 114): CPU all
Interface Exp1-2 (irq 138): CPU all
Kernel fw_0: CPU 2
Kernel fw_1: CPU 3
Kernel fw_2: CPU 1
Daemon in.asessiond: CPU all
Daemon vpnd: CPU all
Daemon dtlsd: CPU all
Daemon mpdaemon: CPU all
Daemon in.aufpd: CPU all
Daemon in.geod: CPU all
Daemon fwd: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all
[Expert@P5075]#
[Expert@P5075]# sim affinity -s
Usage : For each interface enter one of the following:
Return - To keep the default values (appearing in [ ])
all - To allow all processors for this interface
List of processors - A list of processor numbers between 0 and 3
Exp1-1 [0 1 2 3 ] : Mgmt [0 1 2 3 ] : 2
Lan1 [1 ] : all
Exp1-2 [0 1 2 3 ] : 3
Lan2 [1 ] : all
Lan4 [2 ] : all
Lan3 [3 ] : all
[Expert@P5075]#
[Expert@P5075]# sim affinity -l -a -v
# CPU core2 Exp1-1,Exp1-2 core3
Exp1-1 : 2
Mgmt : 0 1
Lan1 : 1
Exp1-2 : 3
Lan2 : 0 1
Lan4 : 0 1
Lan3 : 0 1
inbound outbound CPU0,CPU1, CPU0 CPU1
CPU3,CPU4 8 CPU
CPU
instance CPU
instance CPU
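The point of the affinity commands above is to keep the interface IRQs on cores other than the firewall instances. An added example (not from the guide) that parses a listing in the `fw ctl affinity -l -a -v` format and reports cores shared between an interface and an fw instance: the sample listing is constructed by applying the pinning chosen in the `sim affinity -s` dialogue (Exp1-1 to core 2, Exp1-2 to core 3) to the instance placement printed above, and the CPU count is the "4 CPUs" from the cpconfig output.

```python
"""Check CoreXL affinity for interface/instance core sharing: added example.
SAMPLE_AFFINITY is constructed in the `fw ctl affinity -l -a -v` format.
"""
import re

NUM_CPUS = 4                     # "This machine has 4 CPUs." (cpconfig above)

SAMPLE_AFFINITY = """\
Interface Mgmt (irq 178): CPU 0 1
Interface Lan1 (irq 107): CPU 1
Interface Exp1-1 (irq 114): CPU 2
Interface Exp1-2 (irq 138): CPU 3
Kernel fw_0: CPU 2
Kernel fw_1: CPU 3
Kernel fw_2: CPU 1
Daemon fwd: CPU all
Daemon cpd: CPU all
"""

LINE_RE = re.compile(r"^(Interface|Kernel|Daemon)\s+(\S+?)(?:\s+\(irq \d+\))?:\s+CPU\s+(.+)$")


def parse_affinity(text, num_cpus=NUM_CPUS):
    """Return {'Interface': {name: cores}, 'Kernel': {...}, 'Daemon': {...}};
    'all' expands to every core of the box."""
    aff = {"Interface": {}, "Kernel": {}, "Daemon": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, name, cpus = m.groups()
        cores = set(range(num_cpus)) if cpus.strip() == "all" else {int(c) for c in cpus.split()}
        aff[kind][name] = cores
    return aff


def shared_cores(aff):
    """(interface, fw instance, cores) where an interface IRQ and a firewall
    instance are pinned to the same core, i.e. packet RX and inspection compete."""
    out = []
    for iface, icores in aff["Interface"].items():
        for inst, kcores in aff["Kernel"].items():
            both = icores & kcores
            if both:
                out.append((iface, inst, sorted(both)))
    return out


def free_cores(aff, num_cpus=NUM_CPUS):
    """Cores used by neither an interface nor an instance: candidates for pinning."""
    used = set().union(*aff["Interface"].values(), *aff["Kernel"].values())
    return sorted(set(range(num_cpus)) - used)


if __name__ == "__main__":
    aff = parse_affinity(SAMPLE_AFFINITY)
    for iface, inst, cores in shared_cores(aff):
        print(f"{iface} and {inst} share core(s) {cores}")
    print("free cores:", free_cores(aff))
```

On the constructed listing the pinning from the dialogue puts Exp1-1 on the same core as fw_0 and Exp1-2 on the same core as fw_1, exactly the overlap the text says to avoid; the fix is to leave the interface cores to the interfaces (CPU0/CPU1 here) and move the instances with `fw ctl multik -s` or by reducing the instance count in cpconfig.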
2.7 Syslog SmartCenter
Syslog syslog
Kiwi3CDeamon syslog
UDP 514
syslog syslog
[Expert@SMC-R75]# vi /etc/syslog.conf
# Kernel messages clutter the screen, they go to /var/log/messages anyway
kern.* /dev/null
# Log anything of level info or higher.
# Don't log private authentication messages and GateD logs!
*.info;authpriv.none;cron.none;local5.none @192.168.0.20 # syslog server IP
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg;local5.none *
# Save boot messages also to boot.log
local4.info @192.168.0.20 # syslog server IP
local7.* /var/log/boot.log
auth.* /var/log/auth
mail.* /var/log/maillog
mail.* |/opt/postfix/log_npipe
[Expert@SMC-R75]# vi /etc/rc.d/init.d/cpboot
#!/bin/sh
# chkconfig: 2345 99 99
# description: Runs Check Points Products
CPDIR=/opt/CPshrd-R75
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/opt/CPshrd-R75/lib
umask 0007
. /opt/CPshrd-R75/tmp/.CPprofile.sh
case $1 in
'start') $CPDIR/bin/cpstart -b
;;
'stop' ) $CPDIR/bin/cpstop
;;
esac
fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &   # stream firewall log entries to syslog (facility local4, level info, tag Firewall)
[Expert@SMC-R75]# service syslog restart # syslog
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
[Expert@SMC-R75]# reboot # SmartCenter
Are you sure? (y/n)
syslog
[Expert@SMC-R75]# service syslog status
syslogd (pid 3706) is running...
klogd (pid 3710) is running...
syslog
Syslog
SyslogCatchAll.txt
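What reaches the syslog server is whatever `logger -p local4.info -t Firewall` wraps around each `fw log` line, routed by the selectors in /etc/syslog.conf. The following added example (not the guide's tooling) builds that BSD-syslog datagram, parses it the way a collector would, and evaluates the selectors used above so the routing can be checked without a server; the log payload is constructed and only approximates the `key: value;` shape of `fw log -l` output, and the `selector_matches` helper covers just the selector forms that appear in this configuration.

```python
"""Forwarding firewall log lines over syslog: added example, not the guide's.
Builds and parses the datagram `logger -p local4.info -t Firewall` emits and
evaluates sysklogd-style selectors. SAMPLE_MSG is a constructed payload.
"""
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
_NUM2FAC = {v: k for k, v in FACILITIES.items()}
_NUM2SEV = {v: k for k, v in SEVERITIES.items()}

SELECTOR_ALL_INFO = "*.info;authpriv.none;cron.none;local5.none"   # from syslog.conf above
SELECTOR_LOCAL4 = "local4.info"                                     # likewise
SAMPLE_MSG = "accept rule: 5; src: 10.0.0.5; dst: 203.0.113.9; proto: tcp; service: 80;"


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164); local4.info gives 166."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_datagram(facility, severity, tag, msg, timestamp="May  1 12:00:00", host="SMC-R75"):
    """What `logger -p facility.severity -t tag` sends (no PID, as no -i is given)."""
    return f"<{pri(facility, severity)}>{timestamp} {host} {tag}: {msg}".encode()


_DGRAM_RE = re.compile(r"<(\d{1,3})>(.{15}) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)", re.S)


def parse_datagram(data):
    """Collector side: split PRI, timestamp, host, tag and message."""
    m = _DGRAM_RE.match(data.decode(errors="replace"))
    if not m:
        raise ValueError("not a BSD syslog datagram")
    prival, ts, host, tag, msg = m.groups()
    prival = int(prival)
    return {"facility": _NUM2FAC[prival // 8], "severity": _NUM2SEV[prival % 8],
            "timestamp": ts, "host": host, "tag": tag, "msg": msg}


def firewall_fields(msg):
    """Split a 'key: value;' list into a dict."""
    return dict(re.findall(r"(\w+): ([^;]*);", msg))


def selector_matches(selector, facility, severity):
    """sysklogd selector semantics for the forms used above: 'fac.level' is that
    level or more severe, 'fac.none' drops a facility, '*' is any facility, and
    ';'-separated parts apply left to right with later parts overriding."""
    result = False
    for part in selector.split(";"):
        facs, level = part.strip().rsplit(".", 1)
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        else:
            result = SEVERITIES[severity] <= SEVERITIES[level]
    return result


def matching_selectors(selectors, facility, severity):
    """Which configured lines would act on a message; more than one means the
    message is delivered once per line."""
    return [s for s in selectors if selector_matches(s, facility, severity)]


if __name__ == "__main__":
    dgram = build_datagram("local4", "info", "Firewall", SAMPLE_MSG)
    parsed = parse_datagram(dgram)
    print(parsed["facility"], parsed["severity"], parsed["tag"], firewall_fields(parsed["msg"]))
    print(matching_selectors([SELECTOR_ALL_INFO, SELECTOR_LOCAL4], "local4", "info"))
```

Both the `*.info;...` line and the `local4.info` line in the posted syslog.conf target 192.168.0.20, and both match a local4.info message, so it is worth confirming on the collector whether each firewall entry arrives twice and dropping one of the two lines if it does.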
3 (IPS)
CheckPoint IPS IPS
IPS
3.1 IPS
SmartDashboard IPS
IPS IPS
Overview IPS
Enforcing Gateways IPS
Profiles IPS
Protections
Geo Protection
Network Exceptions IPS
Download Updates IPS
Follow Up
Advanced HTTP
3.2 IPS
3.2.1 IPS
IPS->Enforcing Gateways IPS Gateway
Firewall Network Objects->CheckPoint IPS
IPS IPS
IPS Assign IPS Profile IPS Protect internal hosts
onlyPerform IPS inspection on all traffic IPS
Bypass IPS inspection when gateway is under heavy load
Tracklog IPS logAdvanced
CPU
Failover Behavior
Prefer security IPS
Prefer connectivity IPS
3.2.2 IPS Profile
IPS->Profiles IPS (Default Recommended
)
New->Create new profile IPS Profile
IPS ModePreventDetect
Activate protections according to IPS Policy IPS Policy
Activate protections manuallyIPS Policy
IPS Policy
Client Protections
Server Protections
Do not activate protections with severity
Do not activate protections with confidence-level
Do not activate protections with performance impact
Do not activate Protocol Anomalies
Do not activate protections in the following categories
Updates PolicDetectPrevent
Network Exceptions IPS (Profile) New
Single protections
All supported protections
Source
Destination
Service
Apply this exception on all R70 gateways R70
Apply this exception on
IT Fileserver
Troubleshooting Detect-Only IPS Profile
3.2.3 Protections
Protections Protections By Type By Protocol
ProtectionProtections
IPS Profile ActionProtectionsDefault_Protection
ProfileRecommended_Protections Profile
Edit Protections IPS Profile
Change Action
Protections IPS Profile Action
Prevent on all Profiles: Profile Action Prevent
Detect on all Profiles: Profile Action Detect
Deactivate on all Profiles: Profile Protection
Follow Up Mark for Follow UP:
Unmark for Follow UP:
Edit Follow Up Comment:
View Logs SmartView Tracker IPS
Protection Profile Profile
Action according to IPS Policy IPS Policy Action
Override IPS Policy with Action IPS Policy Action
Track
Capture Packets
3.2.4 Geo Protection
Geo Protections
ProfileActionIPS ProfileGeo Protection
Policy for Specific Countries Policy Add
Country
Direction
Action ,Allow or Block
Track Log Alert
Policy for other countries
3.2.5 Network Exceptions
Network Exceptions IPS New
IPS Profile
Single protections Protection
All supported protections
Source
Destination
Service
Apply this exception on all R70 gateways R70
Apply this exception on
3.2.6 IPS
Download Updates
Update Now IPS CheckPoint Support Account
Scheduled Update IPS
Edit schedule
User Center credentials
On update failure perform
On Successful update perform install policy
Offline Update
Apply Revision Control:
Check for new update: SmartDashboard IPS
3.2.7 Follow Up
IPSFollow UpProtections
Mark newly downloaded protections for follow upProtections
MarkProtectionProtection
3.2.8 Advanced
HTTP inspection, Enable HTTP inspection on non standard ports for the IPS Blade
http
3.3 IPS
SmartDashboard SmartCenter IPS
4 (Identity Awareness)
Check Point AD
LDAP LDAP
IP
Check Point R75.20
Check Point Identity Awareness
AD :
Active Directory
Identity Awareness , Activate
Identity Awareness
AD Query Captive Portal
Captive portal AD
Captive portal
HTTP ,
Next, SmartConsole PC AD
AD :
.
AD
SK43874
, Connect:
1234Qwer
Domain Name:
xxx.com
Username:
Administrator
Password: xxxx
Domain Controller:
10.10.10.100
4.1 Captive Portal
default URL https://192.168.10.1/connect
Next, Finish
https://192.168.10.1/connect
Servers and OPSEC
LDAP User
4.2 (Identity Access)
AD log out
SmartView Tracker. Identity Awareness
users machines
, reboot Windows XP.
4.3 (Access Roles)
AD John Group,
Rule #1
Source: Any
Destination: Any
Service: http ( negate cell )
Action: Accept
Track: Log
Rule #2
Source , , Add User/Access Role
Group: Finance_Group
Network , Any Networks
Users , : Finance
Machines , Any machine
Destination: Any
Service: Any
Action: Accept
Track: Log
Rule #3
clean-up rule (Any / Any / Drop / Log)
Rulebase :
Install Policy , John internet
:
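The three rules in 4.3 only make sense as a first-match sequence: rule 1 accepts everything except http (the negated Service cell), rule 2 accepts anything for identified Finance users, and the clean-up rule drops the rest, so http from anyone who is not in Finance_Group, or who is not identified at all, is dropped. The following added example (not the guide's material) evaluates that rule base against constructed packets with and without identity; the Access Role matches on network, AD group and machine as in the Add User/Access Role dialog, and all users, groups and addresses are constructed.

```python
"""First-match rule base with Access Roles: added example, not the guide's.
Rules mirror 4.3; users, groups and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class AccessRole:
    name: str
    networks: tuple = (ANY,)            # CIDR strings, or Any
    users: frozenset = frozenset()      # required AD group(s); empty = any user
    machines: tuple = (ANY,)            # machine names, or Any


@dataclass(frozen=True)
class Rule:
    no: int
    source: object                      # ANY or an AccessRole
    destination: str                    # ANY or a CIDR
    service: str                        # ANY or a service name
    action: str                         # "Accept" or "Drop"
    negate_service: bool = False        # the "negate cell" on Service


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    user: str = ""                      # identity learned via AD Query / Captive Portal
    groups: frozenset = frozenset()
    machine: str = ""


def _in_networks(addr, nets):
    return ANY in nets or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)


def source_matches(source, pkt):
    if source == ANY:
        return True
    role = source
    if not _in_networks(pkt.src, role.networks):
        return False
    if role.users and not (pkt.user and role.users & pkt.groups):
        return False                    # unidentified traffic never matches a user-scoped role
    return ANY in role.machines or pkt.machine in role.machines


def rule_matches(rule, pkt):
    svc = rule.service == ANY or pkt.service == rule.service
    if rule.negate_service:
        svc = not svc
    dst_ok = rule.destination == ANY or _in_networks(pkt.dst, (rule.destination,))
    return source_matches(rule.source, pkt) and dst_ok and svc


def evaluate(rulebase, pkt):
    """Return (rule number, action) of the first matching rule."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule.no, rule.action
    raise LookupError("no rule matched; a rule base should end with a clean-up rule")


FINANCE = AccessRole("Finance", users=frozenset({"Finance_Group"}))
RULEBASE = [
    Rule(1, ANY, ANY, "http", "Accept", negate_service=True),   # everything except http
    Rule(2, FINANCE, ANY, ANY, "Accept"),                        # Finance users: anything
    Rule(3, ANY, ANY, ANY, "Drop"),                              # clean-up rule
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.10.105", "203.0.113.10", "http", "anna", frozenset({"Finance_Group"})),
                Packet("192.168.10.105", "203.0.113.10", "http", "john", frozenset({"IT_Group"})),
                Packet("192.168.10.105", "203.0.113.10", "https", "john", frozenset({"IT_Group"})),
                Packet("192.168.10.105", "203.0.113.10", "http")):
        print(pkt.user or "(unidentified)", pkt.service, "->", evaluate(RULEBASE, pkt))
```

The fourth packet is the case 4.4 and 4.5 deal with: after `pdp control revoke_ip` the gateway has no identity for that address, so the user falls through to the clean-up rule until AD Query or the Captive Portal identifies them again.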
4.4 IP
log off John Anna(xx) / 1234Qwer
John Anna Source User Name
Anna John
Reference Notes:
, gateway properties identity awareness Active Directory Query
Settings
Assume that only one user is connected per computer
IP 2 IP
OK, Install Policy
> pdp control revoke_ip
IP
John ( Windows XP VM )IP 192.168.10.1XX
> pdp control revoke_ip 192.168.10.1XX
> pdp m a
:
- John
-
- > pdp m a + Check logs
- Log Off John Anna log In
-
- > pdp m a + Check logs
4.5 Captive Portal
Captive Portal web
IP
> pdp control revoke_ip 192.168.10.1XX
:
> pdp cont r 192.168.10.1XX
Captive portal Identity Awareness
Identity Awareness , Captive portal
https://192.168.10.1/connect (), Captive Portal
Settings Access Settings Main URL),
https://192.168.10.1/connect
Captive portal
All Interfaces Captive Portal SettingsAccess SettingsAccessibility
Captive portal
Login: Administrator
Password:
Action accept Action Edit Properties,
Captive Portal:
captive portal ; clean-up rule
,
captive web portal, AD
Clark(XX) / 1234Qwer
pdp m a + Check logs Clark
SmartView Tracker Clark
5 SmartEvent
SmartEvent IPS, Identity Awareness, DLP
Anti-Virus, URL filtering
SmartEvent SmartEvent
pop-up . OK Correlation Units.
Add Correlation Unit Log Servers. Save Close.
pop-up OK Internal Network.
Close. SmartEvent No,
Identity Awareness SmartEvent .
Policy > Identity Awareness Events User Session Machine
Session
Action Install Event Policy SmartEvent
Identity Awareness
log off, log in as John(xx) / 1234Qwer
log off, log in as Anna(xx) / 1234Qwer
SmartEvent , Events
Identity Awareness All Identification Events
Timelines
Add Line
Identity Awareness > All Events
OK.
Charts
Time Frame = Last Hour
By Event Name
User Session
6 URL (App Control & URL Filtering)
6.1 Application Control