Checkpoint – Network Interview (https://networkinterview.com)

Checkpoint Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/checkpoint-packet-flow-troubleshooting/ (Sun, 08 Sep 2024)

Troubleshooting Checkpoint Packet Flow issues can be complex. Here are common Checkpoint Packet Flow troubleshooting issues and steps to address them.

Checkpoint Packet Flow Troubleshooting Issues

1. Security Policy Misconfiguration

  • Issue: Traffic is dropped due to incorrect or missing security policies.
  • Troubleshooting:
    • Review security policies in the SmartDashboard.
    • Use the command fw monitor to see how packets traverse through policy layers.
    • Ensure that source, destination, services, and actions in policies are configured correctly.

2. NAT Misconfiguration

  • Issue: Traffic fails due to incorrect or missing NAT rules.
  • Troubleshooting:
    • Check NAT rules in the SmartDashboard.
    • Use fw monitor or tcpdump to verify that the NAT translation is happening as expected.
    • Ensure proper ordering of manual NAT rules and automatic NAT rules.

3. Routing Problems

  • Issue: Packets do not reach the destination due to routing issues.
  • Troubleshooting:
    • Check the routing table using netstat -rn or ip route show.
    • Verify that static or dynamic routing protocols (e.g., OSPF, BGP) are correctly configured.
    • Perform a traceroute from the firewall to the destination to check path availability.

4. Anti-Spoofing

  • Issue: Traffic is dropped due to Check Point’s anti-spoofing protection.
  • Troubleshooting:
    • Review anti-spoofing settings in the network interface settings.
    • Ensure that the interfaces’ networks and the anti-spoofing configuration match.
    • Use fw ctl zdebug + drop to identify if traffic is being dropped due to anti-spoofing.

5. Session Table Problems

  • Issue: Packets dropped due to session state issues or session table being full.
  • Troubleshooting:
    • Use fw tab -t connections -s to check the session table size and utilization.
    • Clear specific sessions using fw tab -x if necessary.
    • Review session timeouts and adjust if needed.

6. Inspection Module Drops

  • Issue: The firewall’s inspection engine drops traffic for security reasons.
  • Troubleshooting:
    • Review SmartLog and the fw ctl zdebug output to see inspection engine logs.
    • Ensure the inspection profiles are correctly configured (IPS, Application Control, etc.).
    • Disable or modify specific inspection rules if they are triggering false positives.

7. High Availability (ClusterXL) Issues

  • Issue: Traffic disruption due to HA failover or ClusterXL synchronization problems.
  • Troubleshooting:
    • Check ClusterXL status using cphaprob stat.
    • Ensure that synchronization between cluster members is healthy (cphaprob syncstat).
    • Use tcpdump to capture traffic during failover events.

8. Interface and VLAN Issues

  • Issue: Traffic may be dropped due to incorrect interface or VLAN configuration.
  • Troubleshooting:
    • Check interface and VLAN configurations in the SmartConsole and the Gaia portal.
    • Use tcpdump to verify that traffic is reaching the correct interface.
    • Ensure that VLAN tagging is properly configured on both firewall and connected devices.

9. Encryption/Decryption (VPN) Issues

  • Issue: VPN tunnels fail to establish or traffic is dropped inside the VPN.
  • Troubleshooting:
    • Verify VPN configuration for phase 1/2 settings (IKE and IPSec).
    • Use vpn tu to reset tunnels and verify their state.
    • Review logs for encryption and decryption errors.

10. IPS Blocking Legitimate Traffic

  • Issue: Legitimate traffic blocked due to IPS false positives.
  • Troubleshooting:
    • Review the IPS logs and check if legitimate traffic is flagged.
    • Add exceptions or tune IPS profiles to reduce false positives.
    • Use SmartEvent or SmartLog to analyze the specific attack signatures triggered.

11. Global Properties Misconfiguration

  • Issue: Traffic may be affected by incorrect global properties settings.
  • Troubleshooting:
    • Review global properties, such as NAT settings, logging, and session timeouts.
    • Ensure that the security settings are aligned with your network requirements.
    • Use fw ctl debug to see if global property settings are affecting traffic.

12. SecureXL and CoreXL Issues

  • Issue: Performance degradation due to incorrect configuration of SecureXL/CoreXL.
  • Troubleshooting:
    • Check SecureXL status using fwaccel stat to ensure acceleration is enabled.
    • Review CoreXL CPU distribution using fw ctl affinity -l -a.
    • Disable SecureXL temporarily (fwaccel off) to see if acceleration is causing the issue.

13. Multicast Traffic Issues

  • Issue: Multicast traffic not reaching its destination due to improper configuration.
  • Troubleshooting:
    • Ensure multicast routing is configured correctly using cphaprob -a if and IGMP settings.
    • Use tcpdump to monitor multicast traffic on relevant interfaces.
    • Verify that routing protocols like PIM are correctly set up if needed.

14. Licensing or Blade Activation

  • Issue: Features not functioning or traffic being blocked due to licensing issues.
  • Troubleshooting:
    • Verify licenses using cplic print or the SmartUpdate tool.
    • Ensure that all required security blades (e.g., IPS, Application Control) are activated.
    • Check SmartLog for traffic that might be blocked due to license limitations.

15. Fragmentation Issues

  • Issue: Large packets may be dropped due to improper handling of fragmented packets.
  • Troubleshooting:
    • Use fw ctl debug to monitor for packet fragmentation issues.
    • Check the Maximum Transmission Unit (MTU) settings on interfaces.
    • Enable fragmented packet handling in the global properties if necessary.

16. Secure Policy Installation Issues

  • Issue: New policies are not being installed or causing traffic issues after installation.
  • Troubleshooting:
    • Use the fw stat command to verify if the policy has been installed.
    • Review policy installation logs in SmartConsole.
    • Reinstall or recompile policies if needed using the “Install Policy” button in the SmartDashboard.

17. Logging and Monitoring Configuration

  • Issue: Insufficient logging or monitoring settings may prevent proper troubleshooting.
  • Troubleshooting:
    • Ensure logging is enabled on relevant rules and features (e.g., IPS, VPN, etc.).
    • Use SmartView Tracker or SmartLog for real-time log monitoring.
    • Increase log verbosity for deeper analysis of traffic issues.

Each of these common issues can be diagnosed with Check Point’s packet capture tools (tcpdump, fw monitor), session monitoring, and log analysis, allowing administrators to quickly pinpoint and resolve packet flow problems.
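Two of the drop stages listed above (anti-spoofing in item 4 and a full connections table in item 5) are easy to reason about with a small model. The following is an added example, not Check Point code and not the output of any Check Point command: it models the topology check (an internal interface only accepts sources from the networks defined behind it, the external interface accepts anything not defined behind an internal interface) and a capped session table, and reports the stage at which a constructed packet stops. Interface names, networks and the table limit are constructed for illustration.

```python
"""Simplified model of two early stages of packet handling on a Check Point
gateway: the anti-spoofing topology check and the connections-table lookup.
Added example, not Check Point code; all addresses and limits are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Interface:
    name: str
    # Networks expected behind this interface. An empty list marks the
    # external (Internet-facing) interface: any address that is not defined
    # behind an internal interface is legitimate there.
    networks: list = field(default_factory=list)


@dataclass
class SessionTable:
    limit: int
    entries: set = field(default_factory=set)

    def lookup_or_add(self, key):
        """Return 'existing', 'new' or 'full' for a 5-tuple key."""
        if key in self.entries:
            return "existing"
        if len(self.entries) >= self.limit:
            return "full"
        self.entries.add(key)
        return "new"


def anti_spoof_ok(iface, src_ip, topology):
    """True if src_ip is allowed to arrive on iface under the topology."""
    src = ipaddress.ip_address(src_ip)
    if iface.networks:                      # internal: must be behind it
        return any(src in net for net in iface.networks)
    internal = [n for i in topology if i.networks for n in i.networks]
    return not any(src in n for n in internal)   # external: not internal


def diagnose(pkt, topology, table):
    """pkt: dict with in_iface, src, dst, proto, sport, dport.
    Returns (stage, verdict) describing where the packet stops."""
    iface = next(i for i in topology if i.name == pkt["in_iface"])
    if not anti_spoof_ok(iface, pkt["src"], topology):
        return ("anti-spoofing", "drop: address spoofing on " + iface.name)
    key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
    state = table.lookup_or_add(key)
    if state == "full":
        return ("session-table", "drop: connections table full")
    return ("rulebase", state + " connection, continue to rulebase")


def build_topology():
    # Constructed lab topology: eth0 external, eth1 LAN, eth2 user segment.
    n = ipaddress.ip_network
    return [Interface("eth0"),
            Interface("eth1", [n("10.1.1.0/24")]),
            Interface("eth2", [n("192.168.1.0/24")])]


def demo():
    """Run constructed packets through the model; returns stage per case."""
    topo = build_topology()
    table = SessionTable(limit=2)           # tiny limit to show 'full'
    flows = {
        "lan_to_internet": dict(in_iface="eth1", src="10.1.1.10", dst="8.8.8.8",
                                proto="tcp", sport=40000, dport=443),
        "internal_src_on_external": dict(in_iface="eth0", src="10.1.1.10",
                                         dst="192.168.1.5", proto="tcp",
                                         sport=40001, dport=80),
        "foreign_src_on_lan": dict(in_iface="eth1", src="172.16.5.5",
                                   dst="8.8.8.8", proto="udp", sport=5353, dport=53),
        "internet_to_user": dict(in_iface="eth0", src="8.8.8.8", dst="192.168.1.5",
                                 proto="tcp", sport=443, dport=50000),
        "third_new_flow": dict(in_iface="eth2", src="192.168.1.5", dst="10.1.1.10",
                               proto="tcp", sport=50001, dport=22),
    }
    return {name: diagnose(p, topo, table) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (stage, verdict) in demo().items():
        print(f"{name:28s} {stage:14s} {verdict}")
```

When a real drop shows up in fw ctl zdebug + drop, the same two questions apply: does the source address belong behind the ingress interface as the gateway's topology defines it, and has the connections table reached its limit (fw tab -t connections -s)?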

Remote Access VPN Setup and Configuration: Checkpoint Firewall
https://networkinterview.com/remote-access-vpn-setup-checkpoint/ (Mon, 04 Dec 2023)

A remote access VPN (virtual private network) allows clients who are working remotely to securely access and use applications and servers deployed in the office data centre or head office, encrypting all the VPN traffic the users send and receive while communicating over the network in between.

Remote Access VPN Setup

Below is the setup we will use to configure the SSL VPN on the Checkpoint firewall:

Local PC – 192.168.1.17 (the machine from which the user accesses the applications on the office server; the user sits at any remote location such as home or a cafe)

Checkpoint Firewall – 192.168.1.18 (provides secure communication between the user and the LAN server over the internet)

LAN Server – 10.1.1.10 (where the application is hosted; the server is located in the office network)

VPN Setup and Configuration: Checkpoint Firewall

Here is the interface configuration of the Checkpoint Firewall. Go to SmartConsole -> Network Management -> Interfaces

Eth0 -> 192.168.70.12/24

Eth1 -> 10.1.1.1/24

Eth3 -> 192.168.1.18/24

Create User

The first step is to create a user in the Checkpoint firewall.

1. Go to the right-most corner of SmartConsole, "*", and select More.

2. Select "User" in the next tab.

3. Choose "User.." from the next available options.

4. Select "Default" mode from the next option.

5. User name -> Admin

6. Give a password for local authentication -> ipwithease&1131

7. Similarly create another user with the name Admin2, repeating steps 5 and 6.

8. The next step is to create a user group.

9. Name the user group Admin-Users and add the users created above to it.

10. Add the Admin and Admin1 users to the Admin-Users group.

Create VPN Communities

After creating the user group we need to create VPN communities from the Security Policies tab.

1. Go to Security Policies -> VPN Communities -> select RemoteAccess VPN communities.

2. RemoteAccess -> Select Participating Gateways -> select the already created gateway from the option SGCM (the already created VPN gateway).

3. Now add Participating Users -> go to the Participating Users tab.

4. Add the already created user group here.

5. We are adding the Admin-Users and Sales-User groups.

IP SSL configuration

Now we move to the IP SSL configuration in the Checkpoint firewall.

1. Go to Gateways & Services -> edit the SGCM gateway.

2. Select VPN Clients -> Office Mode.

3. Select Office Mode -> Allow User Group. Here you can select a specific user group -> Admin-Users OR Sales-User.

4. Or you can select Allow Client Mode to All Users.

5. Next, create the Portal Setting, which is used to connect to the firewall interface when fetching the SSL VPN settings.

6. Select Portal Settings -> in VPN Clients, check the SSL VPN URL used to download the application to the user's system.

7. Here, the URL is https://192.168.1.18/sslvpn, i.e. https://<firewall external interface IP address>/sslvpn

8. All connections through the entire interface.

Create VPN Security Policies

Here we will create a security policy to allow communication over the VPN network. You can modify the security rule as per your requirement; for example, if the destination server is accessible over a specific port, the same port needs to be allowed in the firewall policy.

1. Go to the Security Policies tab -> Policy

2. Create New

3. Policy Name -> RA-VPN

4. Source Address -> Admin-Users (user profile)

5. Destination -> here you allow the segment which users can access over the SSL VPN.

6. My server is placed in the LAN segment, hence I am going to allow the LAN subnet 10.1.1.0/24 as the destination address.

7. Allow Application Any, or the specific ports on which servers are running in the network.

8. Put Action -> Allow

9. Install the firewall policy and publish it.

VPN Client Installation on User’s PC

Now login to the user's PC -> 192.168.1.17 and install the Checkpoint VPN client on the user's PC.

1. Go to the up arrow "^" in the bottom-right corner of the user's PC.

2. Select VPN Client from the options. (The VPN client software needs to be downloaded from the https://192.168.1.18/sslvpn URL in the user's browser.)

3. Select VPN Options and open it.

4. Add New Option -> New VPN profile

5. Select Site Wizard

6. Add the server details with the IP address of the firewall gateway, which is 192.168.1.18

7. Add Display Name -> PC-Gateway (optional)

8. Click "Next"

9. Now the Checkpoint Endpoint client will try to resolve the IP address of CP-GW

10. Select Login Option "Standard"

11. Click Next and select Authentication Method "Username and Password"

12. Click Next for further action

13. Installation finished for VPN 192.168.1.18

14. Now press "Yes" to connect with the Endpoint Security client

15. A prompt will appear on the screen asking for the username and password created earlier in the firewall (see step 7 in "Create User" above)

Now try to ping the LAN server from the user's PC after connecting to the SSL VPN. It should respond to ping from the user's cmd.

>ping 10.1.1.10

Also check ipconfig /all on the user's system; you will see the VPN segment IP address assigned to the Ethernet adapter of the system. Here we can see that IP address 172.16.10.1 is assigned to the user's VPN machine.

You can also perform other checks to validate server access over the client VPN from the user's machine, such as:

  • Ping
  • telnet
  • Web access
  • Tracert 

Thanks for reading!!!

Continue Reading:

Site 2 Site VPN vs Remote Access VPN

SSL VPN Configuration in Palo Alto

SSL Inspection in Checkpoint Firewall
https://networkinterview.com/ssl-inspection-in-checkpoint-firewall/ (Mon, 04 Dec 2023)

Encrypting traffic with SSL is critical for user privacy and for securely conducting business across the net, and we have seen a huge rise in websites shifting to SSL in recent years. This is a good thing; however, encrypted traffic can also be used to conceal attacks. To prevent threats we need the ability to look inside the encrypted traffic.

Here, we will discuss the SSL inspection technology of the Checkpoint Firewall and how it works.

An SSL inspection policy allows our advanced security functions to analyze the content of encrypted network traffic. With SSL inspection the gateway can enforce the same level of security on encrypted traffic as it does on clear traffic.

SSL Inspection

First, how SSL is used by browsers to establish secure communication with web sites on the Internet.

We will be using https://facebook.com as an example.

Notice the browser is using HTTPS, where the "s" denotes that the HTTP session is encrypted with SSL. The first function of SSL is to establish trust in a web server: the server holds a digital certificate that was issued by a trusted certificate authority (CA) which has vetted the site's identity. The SSL handshake starts with the web server sending its certificate to the browser.

The Facebook web server needs a way to prove it is the rightful owner of the certificate. For this Facebook has a file called a private key which is cryptographically paired with its certificate; without possession of Facebook's private key no one can forge its certificate and impersonate the site on the web. This is a key part of SSL.

The Facebook certificate is signed by a CA named VeriSign. Our browser searches for the VeriSign certificate in its store of trusted CA certificates.

On Windows the list of trusted CAs is maintained by Microsoft.

In our example the VeriSign certificate is found in the trusted store, and so the browser decides to trust the Facebook certificate.

Now that the SSL cryptographic validation is done and the browser trusts the website, browsing commences using SSL-encrypted communication.

Enable SSL Inspection in Checkpoint

Let's visit Facebook again, this time with Checkpoint SSL inspection turned on. From the HTTPS Inspection page in SmartDashboard, the first step in enabling SSL inspection is to create a CA certificate to be used by the gateway for signing.

Step-1. Provide a certificate name, a validity date and a password that will protect the private key.

Step-2. Export/download the certificate from the Checkpoint firewall to the local machine.

Case I: Download the certificate and install it on each user's machine if the number of users is small, say 2-10 users.

Case II: If the number of users is very high, push the certificate to all users' systems through an Active Directory group policy.

Step-3. Enable HTTPS inspection.

Step-4. Enable the recommended inspection policy in the firewall's Inspection Settings.

Go to -> Security Policies -> Inspection Settings -> Gateways -> select the gateway -> Recommended Inspections

Traffic Flow after Enabling SSL Inspection

Now our gateway is performing SSL inspection.

1. Let's browse Facebook again and see what happens this time.

2. The gateway sees the browser's SSL request and, rather than letting it through, initiates its own SSL session with Facebook, pretending to be our browser. Like the browser, the gateway has its own trusted CA store, which it uses to validate Facebook's certificate, so the trust validation normally carried out by the browser is preserved.

3. Once the connection between the gateway and Facebook is established, the gateway creates an SSL certificate that is very similar to that of Facebook.

4. That certificate has its own private key associated with it; the gateway signs the copied certificate using the CA certificate we created for the gateway (Step 1).

Now the gateway completes the SSL session with our browser, pretending to be Facebook and using the just-created certificate.

We can also prevent threats concealed in SSL by enabling IPS, anti-virus and other software blades.
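The trust decision that runs through this article (the browser only accepts a certificate whose issuer is in its trusted store, which is why Step 2 distributes the gateway CA to every client) can be shown with a small model. The following is an added example, not Check Point code and not Facebook's or VeriSign's real certificates: "signatures" are toy HMACs keyed by the issuer's private-key string, so, unlike real RSA/ECDSA signatures, the verification key equals the signing key; the names, keys and the gateway CA label CP-Gateway-CA are constructed. It shows three outcomes: the original chain verifies, the gateway's re-issued certificate fails until the gateway CA is added to the store, and a certificate forged without the CA's key fails regardless.

```python
"""Toy model of certificate-chain trust as described above. Added example,
not Check Point code. Signatures are HMAC-SHA256 keyed by the issuer's
"private key" string, a stand-in for real asymmetric signatures; all names
and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str     # site or CA name
    issuer: str      # CA that signed this certificate
    key_id: str      # label standing in for the subject's public key
    signature: str   # issuer's toy signature over (subject, issuer, key_id)


def _tbs(subject, issuer, key_id):
    """The 'to be signed' bytes of the certificate."""
    return f"{subject}|{issuer}|{key_id}".encode()


def sign(issuer_private_key, subject, issuer, key_id):
    return hmac.new(issuer_private_key.encode(), _tbs(subject, issuer, key_id),
                    hashlib.sha256).hexdigest()


def issue(ca_name, ca_private_key, subject, key_id):
    """A CA issues a certificate for subject; only the CA's key can do this."""
    return Cert(subject, ca_name, key_id, sign(ca_private_key, subject, ca_name, key_id))


class TrustStore:
    """Maps a trusted CA name to the key that checks its signatures."""

    def __init__(self):
        self.roots = {}

    def add(self, ca_name, verify_key):
        self.roots[ca_name] = verify_key

    def verify(self, leaf):
        """Return (trusted, reason), mirroring the browser's decision."""
        key = self.roots.get(leaf.issuer)
        if key is None:
            return (False, f"issuer {leaf.issuer!r} not in trusted store")
        expected = sign(key, leaf.subject, leaf.issuer, leaf.key_id)
        if not hmac.compare_digest(expected, leaf.signature):
            return (False, "signature does not verify under " + leaf.issuer)
        return (True, "trusted via " + leaf.issuer)


def scenario():
    """Walk through the article's three situations; returns a result dict."""
    verisign_key = "verisign-private-key"           # constructed
    facebook = issue("VeriSign", verisign_key, "facebook.com", "fb-pub")

    # Step 1 above: the gateway has its own CA and re-issues a look-alike
    # leaf for facebook.com that it holds the private key for.
    gateway_key = "cp-gateway-ca-private-key"        # constructed
    gw_facebook = issue("CP-Gateway-CA", gateway_key, "facebook.com", "gw-pub")

    # A certificate claiming VeriSign as issuer but signed without its key.
    forged = Cert("facebook.com", "VeriSign", "evil-pub",
                  sign("not-verisigns-key", "facebook.com", "VeriSign", "evil-pub"))

    browser = TrustStore()
    browser.add("VeriSign", verisign_key)            # shipped with the OS
    results = {
        "direct": browser.verify(facebook),
        "inspected_without_gateway_ca": browser.verify(gw_facebook),
        "forged": browser.verify(forged),
    }
    browser.add("CP-Gateway-CA", gateway_key)        # Step 2: CA pushed by GPO
    results["inspected_with_gateway_ca"] = browser.verify(gw_facebook)
    # Even when trusted, the client can tell inspection is in place: the
    # issuer of the certificate it received is the gateway CA, not VeriSign.
    results["issuer_changed"] = gw_facebook.issuer != facebook.issuer
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:30s} {outcome}")
```

The last result is the practical check: a client that wants to know whether its HTTPS sessions are being inspected looks at the issuer of the certificate it was handed, because after inspection is enabled the chain for every site terminates at the gateway CA.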

Continue Reading:

Cisco FTD SSL Decryption

Palo Alto SSL Decryption

Checkpoint Deployment Modes
https://networkinterview.com/checkpoint-deployment-modes/ (Sat, 02 Dec 2023)

There are a few ways to deploy a Checkpoint Firewall in the network.

  • Standalone Deployment
  • Distributed Deployment

Here, we will discuss Standalone and Distributed Modes of Checkpoint Deployment. Let’s start with Standalone Mode.

Checkpoint Deployment Modes

Standalone Deployment Mode

Both Firewall and Management are installed in the same box in standalone mode.

In this document we will deploy Checkpoint R81 in Standalone Mode. There are two main components in a Checkpoint installation:

  1. Security Gateway: the engine that enforces security policies; it is managed by Security Management. The Security Gateway is the module doing all the work of the firewall.
  2. Security Management: the application that manages and stores the security policies and pushes them to the Security Gateways. Security policies are written on the management server and enforced on the Security Gateway.

  1. Connect to the device either by using a console cable or the Web GUI IP address.
  2. Login to the device using the default credentials: username admin, password admin or none.
  3. The First Time Wizard window appears; click on NEXT.
  4. In the next option select "Continue with R81 Configuration" and click on NEXT.
  5. Provide the management interface IP address manually on the eth0 interface and select NEXT.
  6. Set the device hostname and DNS values in the tab below and proceed with NEXT.
  7. Set the date, time and time zone of the firewall's physical location.
  8. Select the installation type.
  9. We are doing a standalone deployment, hence we select both Security Gateway and Management Server under Products.
  10. Set the administrative password and click on NEXT.
  11. Select the management IP address range, or a single IP address, allowed to connect to the Checkpoint device.
  12. Click on Finish as the First Time Wizard installation is completed.
  13. Once installation is done, the firewall verifies and configures itself and reboots.
  14. After the reboot, the firewall returns to the login page.

After login you land on the Checkpoint dashboard, from where you can edit the configuration and create policy in the Checkpoint Firewall.

Now, move to Checkpoint Distributed Mode Deployment.

Distributed Deployment Mode

We need two different devices for a distributed deployment:

  1. One machine to install Gaia OS with the firewall application
  2. Another machine to install Gaia OS for the SMS application (Security Management Server)

We are using the below topology to configure the distributed deployment in the network.

Let's start the configuration on the Security Management Server (SMS):

  1. Login to the SMS device using the admin credentials (username admin, password admin or admin123) and check the interface configuration.
  2. You need to change the default IP address of eth0 and configure the eth0 interface with a new IP address as per your network topology.
  3. set interface eth0 ipv4-address <address you want to give> mask-length 24
  4. In a similar way you can assign an interface IP address to the firewall as well.
  5. Login to the firewall console and provide the below IP address to the eth0 interface.
  6. Now open the Web GUI of the SMS and of the firewall by entering https://105.0.0.254 (SMS) and https://105.0.0.253 (Firewall) in a browser.
  7. You need to run the First Time Wizard once you login to the SMS GUI (as we did in the standalone deployment).
  8. Only select Security Management instead of both, as we are running the First Time Wizard on a Security Management device.

In a similar way you can run the First Time Wizard in the firewall GUI:

1. Login to https://105.0.0.253

2. Username admin, password admin123

3. Run the First Time Wizard (same as the standalone deployment)

4. The only exception is to select "Security Gateway" for the firewall deployment.

5. Apply an Activation Key in the firewall's First Time Wizard; this is a kind of one-time password used to integrate with the SMS server during the sync.

6. I have put "123@test" as the password for integration with the SMS.

Once the First Time Wizard installation is completed, both the firewall and the SMS reboot.

7. Login to SmartConsole to connect to the SMS and sync with the firewall.

8. This is how SmartConsole looks < see below image >

9. Integrate the gateway with the firewall and SMS server.

10. Go to Gateways -> Wizard Mode -> Gateway Name

11. Add details in General Properties

12. Add the device name

13. Add the firewall IP address

14. Add the gateway platform (device model number)

15. Go to Trusted Communication -> establish SIC (Secure Internal Communication) using the one-time password we gave the firewall as the Activation Key, and click NEXT

16. Go to End -> select FINISH

The firewall is successfully integrated with the SMS server and added as a SmartConsole gateway.

Checkpoint Distributed Mode Deployment Completed!

Thanks for reading!!!!

Continue Reading:

Palo Alto Interface Types & Deployment Modes Explained

Cisco FTD Deployment Modes

Checkpoint VSX: Architecture, Components & Configuration
https://networkinterview.com/checkpoint-vsx/ (Wed, 22 Nov 2023)

What is Checkpoint VSX?

Checkpoint VSX stands for Virtual System eXtension, a product that runs multiple virtual firewalls on the same hardware firewall.

You can purchase hardware appliances with a licence for virtual firewalls. Using one piece of hardware you are able to create multiple firewalls, that is, virtual systems. Each of these virtual systems (VSX) acts like a firewall: one VSX means one firewall, and creating multiple VSX means creating multiple firewalls for several locations.

The admin needs to create a VSX gateway, which inspects each packet and forwards it to the correct VSX. Every VSX has its own topology and security policies.

Advantages of Using VSX Firewalls

  • Cost effective: low cost is required to implement multiple VSX 
  • Less Work: we can manage the work through a single hardware firewall. It helps to reduce total time and work in managing multiple hardware firewalls.

Main Components for VSX

VSX Gateway: communicates with the Management Server. It acts as a mediator between the VSX and the management server/MDS.

Management Server/MDS: VSX Gateways communicate with the management server/MDS for the purpose of managing, configuring and deploying all virtual devices.

DMI: Dedicated Management Interface, used to connect the MDS and the VSX Gateway over a physical network. For example, if the MDS and VSX gateway are in the same data centre, physical connectivity between them can be provided via the DMI.

  • The DMI uses a separate interface which is restricted to management traffic.
  • It segregates the management interface from routing and production traffic.

VSX Architecture

In the above image VSX A is connected to Network A, VSX B to Network B, and so on.

A VSX virtual system is a security and routing domain that provides the functionality of a Security Gateway with full firewall and VPN facilities.

Every virtual system maintains its own security blades and licences, security policies, VPN policies and routing, which means a virtual system acts like a separate firewall.

How communication happens among VSX, VSX Gateway and Management Server

  • The management server redirects traffic to the internet. Via the management server we perform configuration activities.
  • When we initiate communication from the management server, it forwards the request to the VSX Gateway, and through the VSX Gateway the traffic moves to the VSX.
  • However, the VSX Gateway first checks which VSX the traffic is destined for, based on the subnet details.
  • Once traffic reaches the VSX, its policy, routing and other configuration are applied.
  • Traffic is allowed or denied by the VSX based on the configuration in that VSX.

Configure VSX Gateway Through MDS

1. Login to MDS -> SmartConsole

2. First you need to create a Domain on the MDS server. A Domain is nothing but a security management server through which security blades are managed for VSX. Go to the "*" option and select Domain.

3. Give a name to the new Domain. Here we have given the name -> SMS1-VSX1

4. Add the Domain Server name and configuration details by selecting the + tab. In this section the Domain server and address details are provided.

5. New Domain Server along with the server IP address. We have given the IP address 192.168.1.20 to the VSX domain server.

6. Add the trusted subnets from which the admin wants others to access VSX management.

7. Now install the changes in Checkpoint SmartConsole.

8. The VSX Domain has been created and is visible in SmartConsole.

9. Right-click on the Smart Domain and connect to the Domain Server from SmartConsole.

10. The Domain Server dashboard looks as below.

11. Select Gateway object -> VSX -> Cluster (as we have a lab for a VSX cluster)

12. Provide the cluster IP addresses, select the cluster version and the VSX cluster platform.

13. Click Next and add the cluster members' IP addresses; here we have created cluster members VSX1 and VSX2. Establish trust through SIC. Now click Next to add interfaces.

14. We are not selecting any interfaces here as it is not required for our lab.

15. Add the cluster member state synchronisation port and IP address for internal cluster communication. The below IP addresses are only for internal cluster communication.

16. Select the firewall management access rules which you want to add in the VSX cluster.

After selecting the firewall policies, we finish the installation.

Now Configure Virtual System Configuration

1. Now go to the * tab and select -> VSX -> VSX System

2. Name the virtual system VS1 and add the gateway cluster (created above)

3. Add the virtual system network configuration in the setup

4. Finish the setup.

Now the VSX Gateway and cluster are ready to use through SmartConsole and the dashboard!

Continue Reading:

Checkpoint Firewall Policy: Rules & Configuration

Understanding Checkpoint 3-Tier Architecture: Components & Deployment

Checkpoint Firewall Policy: Rules & Configuration
https://networkinterview.com/checkpoint-firewall-policy/ (Tue, 14 Nov 2023)

A firewall policy outlines the way an organization's firewalls should handle the traffic that comes into and out of the specified IP addresses and address ranges, protocols, applications and content types governed by the organization's security policies. Organizations should carry out a risk assessment to come up with a list of the types of traffic they need and how to secure them, such as which types of traffic can be allowed to pass through the firewall under certain conditions.

Checkpoint has multiple types of security policy to allow or deny traffic from source to destination.

Types of Rules in a Firewall

  1. Implicit Rules – Default rules allowed/denied by the firewall. For example, any-any traffic is dropped by default by all firewalls; it is the general behaviour of a firewall. These rules are not visible in the security policy dashboard.
  2. Explicit Rules – The rules which are created/configured by the admin in the firewall.
  3. Stealth Rule – Stops or denies any user's access to connect to the Security Gateway itself.
  4. Cleanup Rule – Rules created to deal with unmatched traffic.

Moreover, make sure you understand the order of rule enforcement to maximise the security of the firewall.

The firewall always enforces the first rule that matches a connection. It does not go on to a later rule, even if that rule would be a more specific match.

The Order of Policy is:

  • First Implied Rule – You cannot delete or edit this rule, and no explicit rule can be placed before it. Implied rules are those already available in the firewall by default.
  • Explicit Rules – These are the rules that you create.
  • Before Last Implied Rule – These implied rules are applied before the last explicit rule.
  • Last Explicit Rule – We recommend that you use the Cleanup rule as the last explicit rule.

Let’s discuss the best practices to create Security Policy in Checkpoint Firewall.

Checkpoint Firewall Policy: Management Rule

A Management Rule is a policy that allows specific IP addresses to take SSH/HTTPS access to the Checkpoint Gateway.

1. Go to the left-most tab -> Select Rule -> Add Rule -> Select Top

2. Give a name to the security policy -> Management_Rule (as the policy is created for management access)

3. Now add the source address by clicking the + sign in the Source Address tab, and similarly add the destination address in the policy.

Here, we have selected Source Address -> 10.0.0.99 (any client machine)

Destination Address -> gateway IP address of the firewall

4. Add the list of services, such as SSH, HTTPS & HTTP, to the security policy by clicking the + sign in the right-most corner of the Service tab.

5. Add Action -> Accept from the + of the Action tab

6. Add Track -> Log; every connection generated by client access will be logged

7. Install the policy.

Checkpoint Firewall Policy: Deny Rule | Stealth Rule

Here we will deny access to the management gateway for unauthorised users.

1. Add a new rule below Management_Rule.

2. In this rule we use the below values to stop unauthorised access:

Rule name -> Stealth Rule

Source Address -> Any

Destination Address -> GWMGMT

Service -> Any

Action -> Drop

Checkpoint Firewall Policy: Internet Access

In this policy we will allow users to access the Internet from the inside network.

  1. Add Policy Name-> Internet Rule
  2. Add Source Address/Network -> Inside_hosts-> 192.168.1.0/24
  3. Destination Address -> Any (Internet)
  4. Service -> Internet Ports which are HTTP (port 80) and HTTPs (port 443)
  5. Action -> Accept

Checkpoint Firewall Policy: Allow Specific Port

Here we will allow access to specific ports.

  1. Source Address is any user machine-> Cli02
  2. Destination Address -> RDP_Host-> Server
  3. Service -> RDP
  4. Action->Accept 

Checkpoint Firewall Policy: Inside to DMZ

To allow access from the inside network to the DMZ network, the below policy is used.

  1. Policy Name -> Inside_to_DMZ_Access
  2. Source -> Any source IP which needs to access the DMZ network
  3. Destination Address -> DMZ_Network
  4. Service -> DNS and Https
  5. Action -> Accept

Checkpoint Firewall Policy: Cleanup Rule

The last rule is a cleanup rule which denies all other traffic; it is placed at the BOTTOM of all the firewall rules.

  1. Rule Location -> Bottom
  2. Rule Name -> Cleanup_Rule
  3. Source -> Any
  4. Destination -> Any
  5. Service -> Any
  6. Action -> Drop

Checkpoint Firewall Policy: Install Policy

Once all rules are configured, it's time to install the policy on the gateways.

Select -> Install Policy

Once you select Install Policy, it prompts the gateway options.

Select Firewall Gateway -> Click OK

Installation done.

Understanding Checkpoint 3-Tier Architecture: Components & Deployment
https://networkinterview.com/checkpoint-3-tier-architecture/ (Mon, 06 Nov 2023 08:30:23 +0000)

Before starting to explore Checkpoint NGX Firewall technologies, it is critical to understand the Checkpoint 3-Tier architecture. This architecture describes the relationships between the components of Checkpoint, as well as how they work together as a harmonious unit. Each element has its own specific responsibilities.

Checkpoint 3-Tier Architecture

Checkpoint is a Next Generation Firewall which has three basic pillars:

  • Security Management Server
  • Security Gateway (Enforcement Module)
  • SmartConsole

Let's understand how these components work together as a harmonious unit:

  • The Security Admin accesses SmartConsole and initiates communication with the Security Management Server.
  • The Security Admin makes the changes in the firewall policy and installs the policy.
  • The Security Management Server validates and verifies the changes, confirms that the change is error free, and forwards the changed policy package to the Security Gateway.
  • The Security Gateway fetches the changes and applies them to the firewall packet flow passing through the gateway.

Security Management Server  (SMS)

As its name implies, the Security Management Server is a server component. Its work is to store the firewall policies: a repository of policies, rules, NAT policies, VPN configuration, the user database, user groups, user permissions, authentication settings, and certificates.

SMS distributes policies and rules to a single gateway or to multiple gateways. A single Smart Center Server can manage multiple gateways.

SMS can also act as a log server, which means it can store the logs generated by the firewall.

Installation platform -> SMS can be deployed on the platforms listed below.

Key jobs performed by the Security Management Server

  • Store policies and act as a database
  • Store logs and log files
  • Maintain and store the firewall database
  • Deployed on Linux, Windows, and Gaia OS
  • A single Security Management Server can manage multiple gateways.

The Management Server has the below featured blades

  • Network Policy Management – Security Gateway policies are created and managed here
  • Endpoint Policy Management – Endpoint policies are created and managed here
  • Logging & Status – Logs are managed by Logging and Status
  • Workflow – Audit and approval of management policy changes
  • User Directory – Authentication and the user database are managed here
  • Provisioning – Maintenance tool
  • Compliance – Audit and apply compliance as per rules and regulations
  • SmartEvent – Log and event management

Security Gateway

The Security Gateway is also known as the Enforcement Module; you will very commonly hear people call it the Enforcement Module.

Its work is to enforce the policy: the Security Gateway receives policies from the Smart Center Server and applies them in top-to-bottom order against every packet the firewall receives in the inbound or outbound direction.

Once a rule is defined in the firewall, the gateway acts as the decision maker that protects the traffic as per the defined rule.

Key jobs performed by the Security Gateway

  1. All inbound and outbound traffic of the Next Generation Firewall is inspected on the gateway.
  2. The gateway verifies the packet, compares it with the security policy and then applies the security policy accordingly.
  3. Network defence is done by the Security Gateway.
  4. The gateway protects the traffic by applying 3-way handshake checks OR stateful inspection.
  5. Installation can be done on -> Linux, Windows, and Gaia OS

Below is the list of Security Blades available in the Security Gateway. Security Blades are the features of the firewall, for example URL filtering, IPS, Anti-virus etc.

Smart Console

To manage the Smart Center Server, the admin needs a GUI to access the application and its features. Smart Console is the platform used to access the features of the Next Generation Firewall.

Smart Console can only be accessed from Windows; it does not support Gaia OS.

Policies are first configured using SmartDashboard and then saved in the Smart Management Server.

The below packages are downloaded as part of the SmartConsole package:

  1. Smart Dashboard
  2. Smart View Tracker
  3. Smart View Monitor
  4. Smart Update
  5. Smart Log
  6. Smart Event
  7. Smart Provisioning 
  8. Smart Reporter 
  9. Smart Endpoint 
  10. Smart Domain Manager
  11. Smart Event Intro
  12. Secure Client Packaging Tool

Deployment Option

Based on the Checkpoint product, we can choose from the following deployment options

  1. Check Point Security Appliance. Hardware and software options are required to run the Check Point Network Security System.
  2. Open Server. Gaia OS can be installed on any compatible server.
  3. A Virtual Machine. Gaia can be configured on virtual machines (e.g. VMware) and on cloud platforms: AWS, Azure, Google Cloud, Alibaba, and Oracle.

Another way to classify the deployment in the network

  1. Standalone -> A single device in which the Security Gateway and SMS are installed on the same machine.
  2. Distributed -> The console and the Security Gateway use different machines or servers.

Distributed deployment is the commonly used approach in the network.

You may further need to explore SmartConsole deployment, Smart Management Server features and deployment, and Security Gateway components. These topics will help you understand the Checkpoint 3-Tier architecture.

Checkpoint HA Active/Standby and Load Sharing in ClusterXL
https://networkinterview.com/checkpoint-ha-load-sharing-in-clusterxl/ (Fri, 03 Nov 2023 11:34:30 +0000)

Checkpoint HA

High Availability is a firewall feature that eliminates the single point of failure in the network. Two firewalls form a cluster and operate in active/passive mode.

The active firewall handles the network traffic, while the passive firewall takes over the traffic once a failover happens in the network.

Let's discuss the topology and start the HA configuration on Checkpoint firewalls.

Access FW1 through the CLI and check the interface status and IP addresses

Run command -> fw getifs

Similarly, log in to the other firewall -> FW2 and check the interface status and IP addresses

Add Gateways in Checkpoint Smart Dashboard

1 Go to Smart Dashboard, click on Gateways and Services and select Add Gateway

2 Select Wizard Mode

3 Add firewall -> FW1 details in the Wizard section, add the Firewall 1 management IP address and select NEXT

4 Provide the SIC key (any password which you can remember; here I set Nam@123) in the next tab and apply it to the firewall

5 The firewall initiates SIC communication

In a similar manner, add Firewall -> FW2 in the Gateway and establish the SIC key

Note: The SIC password must be the same on both FW1 and FW2 to establish the trust.

Add Cluster in Checkpoint Smart Dashboard ->FW1

1 Here go to Cluster -> Select Cluster Option

2 Add the FW1 details in the cluster values

3 Select cluster option -> High Availability -> Select Next

4 Add a gateway to the cluster and select Existing Gateway

5 Add the existing gateway in the configuration

6 Select the FW and choose the option ADD

7 The firewall prompts a warning regarding the cluster member; select Yes to proceed.

Add Cluster in Checkpoint Smart Dashboard -> FW2

In a similar manner, add another gateway -> FW2

Smart Dashboard prompts the cluster message on the screen.

Click OK to proceed.

Cluster Topology

Click Next and add the cluster topology for FW1 and FW2

1 Add the IPv4 subnet of the cluster

2 Add cluster synchronization -> Primary -> Click Next

3 Add the external-facing subnet in the cluster topology

4 Add the cluster interface which will be represented by the firewall

5 Add the internally connected subnets in the cluster topology

6 Add the cluster interface in the topology

Now add another interface with a private IP address and keep the interface in Private mode, which means that if the management interface goes down, traffic remains on the primary interface and no failover is performed.

The cluster configuration has been completed.

Install the changes on the gateway and publish them.

Cluster Verification

Verify the cluster status from FW1 and FW2

1 Log in to FW1 and run the command

>> cphaprob stat -> the firewall displays the status of the active/standby firewalls

100% assigned load means the firewall is Active

0% assigned load means the firewall is Passive

Further, check the HA interfaces and their status using the below command

> cphaprob -a if

Enable Load Sharing in Cluster

ClusterXL Load Sharing is a mechanism that divides traffic among the members of a cluster in order to maximize the overall throughput. All functioning cluster members are active and handle network traffic in an Active/Active setup. If one member of the cluster becomes inaccessible, the remaining operational members will take over and provide High Availability, with all connections being shared smoothly between the remaining Security Gateways.

It should be noted, however, that Load Sharing modes of ClusterXL do not support IPv6.

1 Go to cluster member Cluster A and double-click the tab

2 Select ClusterXL and VRRP -> Enable Load Sharing with the Multicast option

Click OK to finish the configuration.

Install the policy and publish the change.

Verify Load Sharing in Cluster

Log in to FW1 and check the cluster status using the below command

>> cphaprob stat -> the output shows that load sharing is divided 50% and 50%

>> 50% for the active firewall

>> 50% for the passive firewall

Check Point UTM: Complete Guide
https://networkinterview.com/check-point-utm/ (Wed, 07 Jun 2023 19:02:02 +0000)

A UTM (Unified Threat Management) solution is deployed at the gateway level and scans all the malicious and suspicious traffic which passes through the network. UTM has multiple components such as

  • URL Filtering
  • Application Control
  • Intrusion Prevention System
  • Antivirus & Anti-Bot
  • Data Loss Prevention

Let’s discuss all the features one-by-one.

URL Filtering: Check Point UTM

URL filtering applies to web-browsing traffic and divides it into multiple categories. Based on the URL Filtering category we can allow/block traffic in the firewall policy. Checkpoint provides more than 100 categories in URL Filtering, like social networking, banking, adult sites, news etc.

TASK -> We will block the CNN.COM news site using URL Filtering

  • Here we will first enable the URL Filtering blade in the Checkpoint firewall.
  • Enable HTTPS Inspection in the Checkpoint firewall to inspect web-browsing traffic.
  • First create a policy to allow news sites
  • Security Policy -> URL+APP -> Policy Name -> Source Address -> Destination -> Services and Applications (select News/Media) -> Action (Allow)
  • Now create another policy above the access policy to deny CNN.COM news
  • Policy (Block CNN) -> Source -> Destination -> Services & Application (create customised category CNN.COM) -> Action (Drop)
  • Verify the access through the logs -> traffic dropped by the firewall.

Application Control: Check Point UTM

Here, we will block sites based on application.

Application Control identifies and parses traffic uniquely from the various applications in an organisation. Companies enable Application Control to filter malicious traffic and block all suspicious content in the network.

1. Security Policies -> URL + APP -> Source -> Destination -> Services & Application (Select Application)

2. Select multiple applications like

    • Spyware
    • High Risk
    • Phishing
    • Botnets

3. Action -> Drop

4. Install Policy

Validate the access from the logs

Try to access dropbox.com; the below drop logs are seen in Check Point

IPS Intrusion Prevention System: Check Point UTM

IPS is the most effective, multilayer approach to protecting your network. It tremendously reduces the risk of traffic exposure to exploitation.

1. Note -> Enable the IPS blade in the Checkpoint firewall

2. We have two options

    • Threat Prevention Policy
    • Detect Only

Select Threat Prevention Policy

3. Now enable the policy to activate the IPS profile in it

4. Go to -> Threat Prevention -> Policy

5. We have two policies here; one is for MTA traffic

6. The second one is the default policy for IPS

7. Go down to Threat Tools -> Profiles -> Create Test Strict Clone (customised) profile

8. Apply the Strict Clone profile to the Threat Prevention policy

9. Install the policy in Checkpoint SmartConsole

10. Validate the logs

11. Go to -> IPS Protection

12. Select Max Ping Size and add the Strict Clone profile to it.

13. If the ping size is greater than 2500 bytes, the signature will be triggered. Now install the policy in Checkpoint SmartConsole.

14. IPS allows normal pings from the network, but blocks large packets through the firewall and gives Request Timed Out in the ping response.

15. Let's check the logs for the same in the firewall. Traffic is dropped by the firewall with the message large ping.

Antivirus: Check Point UTM

Antivirus software is a firewall application that protects systems and removes harmful software or code created to damage data. Nowadays, every second a new malware is created to destroy networks. To detect and block such traffic in the network, Checkpoint uses advanced Anti-virus and Anti-bot applications which block any suspicious traffic/content.

1. Enable the Anti-virus and Anti-bot blades in Checkpoint and install the policy.

2. Go to the profile which we created above (in the IPS section) and check the Anti-virus and Anti-Bot settings.

3. Now test your browser protection by using https://cpcheck.com to verify whether the browser is protected or not and which services are being used.

4. Try to access any site and download content from there.

5. Now check the logs in the Checkpoint Log Monitor; you can see preventive log messages in the threat logs of the firewall. You can also see the Checkpoint assessment report.

Checkpoint UTM DLP (Data Loss Prevention) – R80.40

DLP is part of security integrity, which means that if any data passes through the network it should be unaltered, and it must be scanned by the firewall, for example password-protected files or any text document sent through email.

Data Loss Prevention (DLP) solutions are designed to guarantee that sensitive data in a company/network is not accessed by illegitimate/unauthorised users, nor misplaced or stolen.

1. We need to enable DLP on the firewall gateway using SmartConsole

2. Enable the DLP client in the below settings as well

3. Enable email to transfer DLP emails

4. Enable DLP in SmartDashboard: Security Policies -> Shared Policies -> DLP

5. Here SmartConsole is trying to connect with SmartDashboard

6. Select All users in DLP -> Organisation's Policy

7. Enable the DLP policy for password-protected files

8. Now we try to transfer a password-protected file over the FTP protocol

9. Now check the firewall logs to see whether the firewall was able to detect the file

DLP works as configured in the above policy.

Checkpoint NAT Policy: Types & Configuration
https://networkinterview.com/checkpoint-nat-policy/ (Tue, 23 May 2023 11:55:46 +0000)

What is NAT (Network Address Translation)?

Many firewalls include network address translation, a procedure that translates between internal and external IP addresses. NAT enables a private network to use non-routable internal IP addresses that are mapped to one or more external IP addresses. Furthermore, a single IP address may represent multiple computers on a network. Check Point NGFWs offer both high-performance NAT functionality and enterprise-level threat prevention.

In this article, we will discuss the Checkpoint NAT policy, the NAT types and their configuration.

Types of NAT

The different types of network address translation are:

  • Static NAT – One-to-one translation
  • Hide/Dynamic NAT – Translates multiple IP addresses to a single outgoing IP address
  • Automatic NAT – Translates a complete LAN/network segment to a single gateway/firewall interface IP address
  • Manual NAT – Conditional NAT in which we can use multiple combinations to achieve the NAT result.

Static NAT

Static NAT with Automatic NAT

In static NAT we translate one public IP address to one private IP address (one-to-one translation). We can create static NAT in the Checkpoint firewall by following the below steps.

The criteria are:

Internal Server IP Address    Public IP Address
192.168.1.11/32               172.18.72.3/32

Step 1 Go to the left corner of Checkpoint and select New -> Host

Step 2 Select Host

Step 3 Add the hostname of the internal server

Step 4 Give IP address 192.168.1.11

Now create the NAT policy on the firewall

Step 1 Go to Security Policies

Step 2 Select NAT

Step 3 Go to the leftmost corner and search for the host DMZ_WebServer

Step 4 Edit the host DMZ_WebServer

Step 5 Edit the NAT config

Step 6 Give public IP address 172.18.72.3 to the server and select the Security Gateway

Save the config

Next, create a policy to allow access to the internal server from outside.

Step 1 Create Policy

Step 2 Add the below values in the security access policy

Name                            Source  Destination    VPN  Service & Application  Action  Track  Install On
Allow Access to DMZ Web Server  Any     DMZ_WebServer  Any  Http, Https            Accept  Log    Gateway

Hide NAT

Hide NAT allows you to configure NAT in which multiple IP addresses are translated to a single IP address or the gateway interface IP address.

First, create a network object for the LAN network 192.168.22.0/24

  1. Go to the leftmost corner in the Security Policies tab
  2. Select New -> Network Object
  3. Name the network object and provide IP address 192.168.22.0/24

Step 1 Go to the NAT tab in Checkpoint Security Policies

Step 2 Go to the leftmost corner and search for the LAN_192.168.22.0/24 network object

Step 3 Edit the object LAN_192.168.22.0/24

Step 4 Select NAT

Step 5 Select translation method "Hide" and choose Hide behind Gateway

Step 6 Install on -> Gateway

Next, create a policy to allow the LAN to access the Internet.

Step 1 Create Policy

Step 2 Add the below values in the security access policy

Name                          Source               Destination  VPN  Service & Application  Action  Track  Install On
Allow Internet Access to LAN  LAN-192.168.22.0/24  All          Any  Http, Https            Accept  Log    Gateway

Hide NAT vs Static NAT

Hide NAT is a technique for hiding the traffic of a LAN or any network segment behind a single IP address.

Static NAT is a one-to-one NAT: a single source IP is translated to a single WAN/outside IP.

Manual NAT

Manual NAT is often called conditional NAT: a single public IP address is used together with different ports, so that each port leads the initiator to a different private server.

Here the condition is: when an initiator uses public IP address 63.8.0.111 and port 22 -> it is redirected to the server private IP address 192.168.1.10

Public IP    Port  Translated Private Server  Translated Port
63.8.0.111   22    192.168.1.10               22

Now if the same public IP address 63.8.0.111 is accessed by the initiator on port 80, it is redirected to private IP address 192.168.1.20

Public IP    Port  Translated Private Server  Translated Port
63.8.0.111   80    192.168.1.20               80

Step-by-step configuration of Manual NAT

  1. Create the NAT policy: NAT -> Original Destination -> 63.8.0.111 (create an object for this IP address first)
  2. Original Service/Port -> ssh or 22
  3. Translated Destination IP -> 192.168.1.10
  4. Translated Service -> ssh
  5. Apply on Gateway

Create a security policy to allow access to the servers from outside.

  1. Name the policy -> Policy_SSH
  2. Source -> Internet -> Any
  3. Destination -> 63.8.0.111 (NAT public IP address)
  4. Service -> SSH
  5. Action -> Accept

In a similar way you can create the NAT rule and policy for port 80. Only change the service to port 80 and the backend private server IP to 192.168.1.20.

Here is NAT policy 

And Security Policy is

Manual NAT vs Automatic NAT

Automatic NAT – It is for network objects or static IP addresses; the outgoing IP is a single one (the gateway IP address). You can hide the complete network/subnet behind one IP address. Proxy ARP is allowed by default by the firewall.

Manual NAT is configured using NAT conditions, applying rules according to the requirement. You need to configure proxy ARP yourself.

You can further apply multiple combinations of Hide NAT, Static NAT, Automatic NAT and Manual NAT to get the desired result.

How to Reset Checkpoint Firewall with the Default Factory Settings?
https://networkinterview.com/how-to-reset-checkpoint-firewall/ (Mon, 22 May 2023 13:35:09 +0000)

Let's understand the difference between "Reset" and "Factory-Reset".

Reset – The admin only wipes out the configuration

Factory-Reset/Default – The admin wipes out the configuration of the device and puts the device back to its default operation/firmware.

For example, when you buy a firewall, it comes with a default operating system (like R80.10, R80.20). Over time, the admin upgrades the device.

Let's suppose the admin has upgraded the Checkpoint device to R80.30, but now needs to perform a factory reset. The device will boot up to the initial operating system R80.20; it takes you back to the operating system that was on the firewall at the time you bought it.

However, in the case of Reset, it only wipes out the configuration and you still have the upgraded firmware version on the device.

Scenarios to perform Reset/Factory-Default

  • When the device starts misbehaving even after doing all the troubleshooting, but you are not able to find out the root cause of the hardware misbehaviour (like auto-reboot, crash state, hang state)
  • A reset is generally performed by the admin when offices shut down the data center OR switch to a new technology; in that scenario the current firewall is no longer required in the network and needs to be removed from the topology.

Prerequisites to Reset Checkpoint Firewall 

  1. Console access -> You must have access through the console
  2. Admin rights
  3. Local site engineer who can physically access the device. We require a local site engineer at the site to remove the device from the network and provide physical console access if the device is not able to boot up by itself.

3 Ways to factory reset Checkpoint Firewall

We have 3 methods through which a factory reset can be performed on the Checkpoint firewall

  1. From Device Hardware (Hard Reset)
  2. From Console Access (CLI)
  3. From Console Access (Web GUI)

RESET from Hardware Device

  1. Connect to the console and check the traffic flow in the PuTTY console. Now, using any sharp pin, press the RESET button on the Checkpoint firewall.
  2. Keep it pressed for 10-15 seconds
  3. You can see multiple messages on the console
  4. You can remove the pin from the RESET button
  5. Lights will turn on and off on the device
  6. The device boots up by itself
  7. You can log in to the device using the default IP address https://192.168.1.1 once it boots up after the RESET action.

Factory-Reset from Checkpoint Web GUI

  1. Log in to the device and go to the DEVICE tab
  2. System -> System Operations
  3. Appliance, and select the tab Factory Defaults
  4. It will prompt a Factory Reset message; click OK
  5. The Checkpoint device reboots and prompts the below message. After the reboot the device returns to the default configuration and initial firmware version.

Factory-Reset from Checkpoint Console/CLI

  1. Open the CLI with admin access
  2. Type the command #reboot
  3. Press Ctrl + C multiple times on the keyboard
  4. You will get the below options once you press Ctrl + C
  5. Select option "4" by entering the number 4 and pressing Enter

The device starts the boot-up process once you press Enter. You can log in to the device again via console access using the default IP address.

Packet Flow in Checkpoint Firewall
https://networkinterview.com/packet-flow-in-checkpoint-firewall/ (Fri, 19 May 2023 13:40:45 +0000)

Checkpoint Firewall Packet Flow

The above image shows the Checkpoint firewall packet flow.

Let's start with anti-spoofing.

Anti-Spoofing

Anti-spoofing is a technique that identifies a packet and drops it if the packet has a fake/false source address.

Let's understand it with a diagram. The WAN interface has the IP address range 192.168.10.0/29 and the LAN interface has the 10.10.10.0/24 subnet.

When someone on the WAN side tries to get into the LAN network using a dummy/fake IP address which belongs to the LAN network, the firewall blocks that traffic by its intelligence; this phenomenon is known as anti-spoofing.

Anti-spoofing acts at the interface level, and Checkpoint uses this feature to protect the network from malicious invaders.
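The interface-level check described above, as an added example (not Check Point code): each interface is given the networks that legitimately sit behind it, an internal interface accepts only sources from its own networks, and the external interface rejects any source that belongs behind an internal interface. The WAN/LAN subnets are the ones from the text; the interface names and the sample packets are constructed.

```python
"""Topology-based anti-spoofing check (added example, not Check Point code)."""
import ipaddress

# Constructed topology: interface -> networks that legitimately sit behind it.
# The external interface is flagged so that any source NOT claimed by an
# internal interface is accepted there (Internet addresses are unknown).
# Subnets taken from the article's diagram; interface names are assumed.
TOPOLOGY = {
    "eth0": {"external": True, "networks": ["192.168.10.0/29"]},   # WAN
    "eth1": {"external": False, "networks": ["10.10.10.0/24"]},    # LAN
}


def _networks(iface):
    """Parsed network objects behind one interface."""
    return [ipaddress.ip_network(n) for n in TOPOLOGY[iface]["networks"]]


def anti_spoof_check(ingress_iface, src_ip):
    """Return (verdict, reason) for a packet with src_ip arriving on ingress_iface.

    verdict is "accept" or "drop"; the reason string is what a log line
    would carry so the operator can see which interface the address belongs to.
    """
    src = ipaddress.ip_address(src_ip)
    entry = TOPOLOGY[ingress_iface]

    if entry["external"]:
        # External side: the source must not be an address that lives behind
        # one of our internal interfaces (the forged-LAN-address case).
        for iface, cfg in TOPOLOGY.items():
            if cfg["external"]:
                continue
            for net in _networks(iface):
                if src in net:
                    return "drop", (f"spoofed: {src} belongs behind {iface} "
                                    f"but arrived on {ingress_iface}")
        return "accept", "external source not claimed by an internal interface"

    # Internal side: the source must be one of this interface's own networks.
    for net in _networks(ingress_iface):
        if src in net:
            return "accept", f"{src} is in {net} behind {ingress_iface}"
    return "drop", f"spoofed: {src} is not a network behind {ingress_iface}"


if __name__ == "__main__":
    # Constructed packets: a genuine Internet client on the WAN side, a WAN-side
    # packet carrying a LAN source address, and a real LAN host on the LAN side.
    samples = [("eth0", "203.0.113.7"), ("eth0", "10.10.10.5"), ("eth1", "10.10.10.5")]
    for iface, src in samples:
        verdict, reason = anti_spoof_check(iface, src)
        print(f"{iface} src={src}: {verdict} ({reason})")
```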

SAM Database 

SAM (Suspicious Activity Monitoring) rules are integrated with SmartView Monitor and are used to modify access privileges after detection of any suspicious network activity (for example, an attempt to gain unauthorised access to any server or application in an organisation).

You can check the SAM database in SmartView Monitor and add any malicious IP address to block its traffic. Please see the below images for the suspicious IP blocking method in the SAM database.

Session Lookup

Session lookup means the firewall checks whether a session already exists in the firewall session table or whether it is a new packet. The next step is to match the traffic with the firewall policy.

Policy lookup is performed by the firewall with a top-to-bottom approach once the session lookup has been completed by the Checkpoint firewall.

Policy Lookup

The Checkpoint firewall checks 5 tuples in a packet to match it against the security policy rules. These 5 tuples are source address, source port, destination address, destination port and protocol (TCP/UDP).

If a policy exists for the current packet, the traffic is allowed by the firewall; otherwise it is dropped silently at the policy level.

When the firewall matches a packet against the security policy rules, it checks the policy name, source address, destination address, whether the packet has any VPN configuration, services and applications, and the action (drop/accept/block), and takes the decision according to the policy match.

The firewall discards the packet if no policy match is found in the security rules, meaning that by default traffic is dropped by the firewall.

The firewall has two types of policies

  • Explicit Policy: Administrator-defined policies are known as explicit policies.
  • Implicit Policy: System-generated policies are known as implicit policies. We can neither modify them nor disable/enable them.
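The session lookup and 5-tuple, top-to-bottom policy lookup described above, run over the rulebase built in the "Checkpoint Firewall Policy" article (Management_Rule, Stealth Rule, Internet Rule, RDP, Inside_to_DMZ_Access, Cleanup_Rule). This is an added example, not Check Point code; the objects the article names without addresses (the gateway IP, Cli02, RDP_Host, DMZ_Network) are constructed placeholders, and the packets are constructed.

```python
"""First-match rulebase lookup with a session table (added example, not Check Point code)."""
import ipaddress
from dataclasses import dataclass

ANY = "any"

# Service objects used by the rules: name -> (protocol, destination port).
SERVICES = {
    "ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443),
    "rdp": ("tcp", 3389), "dns": ("udp", 53),
}


@dataclass
class Rule:
    name: str
    src: object       # ANY or a list of network strings
    dst: object       # ANY or a list of network strings
    services: object  # ANY or a list of service names
    action: str       # "accept" or "drop"
    track: str = "none"


@dataclass(frozen=True)
class Packet:
    """The 5-tuple the policy lookup matches on."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def _ip_matches(rule_field, ip):
    if rule_field == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in rule_field)


def _service_matches(rule_field, pkt):
    if rule_field == ANY:
        return True
    return any(SERVICES[s] == (pkt.proto, pkt.dst_port) for s in rule_field)


def policy_lookup(rulebase, pkt):
    """Walk the rulebase top to bottom; the first matching rule decides.

    With no match at all the packet is dropped anyway (the implicit drop),
    which is why a logged Cleanup_Rule is still placed at the bottom.
    """
    for rule in rulebase:
        if (_ip_matches(rule.src, pkt.src_ip) and _ip_matches(rule.dst, pkt.dst_ip)
                and _service_matches(rule.services, pkt)):
            return rule.name, rule.action
    return "<implicit drop>", "drop"


def inspect(rulebase, session_table, pkt):
    """Session lookup first: a flow already in the table skips the rulebase."""
    key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    if key in session_table:
        return "existing session", "accept"
    name, action = policy_lookup(rulebase, pkt)
    if action == "accept":
        session_table.add(key)   # later packets of this flow match here
    return name, action


# Constructed addresses for objects the article names but does not number.
GW_MGMT = ["10.0.0.1/32"]         # gateway IP / GWMGMT
CLI02 = ["192.168.1.50/32"]       # Cli02
RDP_HOST = ["192.168.2.10/32"]    # RDP_Host
DMZ_NETWORK = ["192.168.2.0/24"]  # DMZ_Network

RULEBASE = [
    Rule("Management_Rule", ["10.0.0.99/32"], GW_MGMT, ["ssh", "https", "http"], "accept", "log"),
    Rule("Stealth Rule", ANY, GW_MGMT, ANY, "drop"),
    Rule("Internet Rule", ["192.168.1.0/24"], ANY, ["http", "https"], "accept"),
    Rule("Allow RDP", CLI02, RDP_HOST, ["rdp"], "accept"),
    Rule("Inside_to_DMZ_Access", ANY, DMZ_NETWORK, ["dns", "https"], "accept"),
    Rule("Cleanup_Rule", ANY, ANY, ANY, "drop", "log"),
]

if __name__ == "__main__":
    sessions = set()
    for pkt in [
        Packet("10.0.0.99", "10.0.0.1", "tcp", 40000, 22),         # admin SSH -> Management_Rule
        Packet("192.168.1.20", "10.0.0.1", "tcp", 40001, 443),     # other host -> Stealth Rule
        Packet("192.168.1.20", "203.0.113.10", "tcp", 40002, 443),  # browsing -> Internet Rule
        Packet("192.168.1.20", "203.0.113.10", "tcp", 40003, 25),   # SMTP -> Cleanup_Rule
    ]:
        print(pkt, "->", inspect(RULEBASE, sessions, pkt))
```

Note that the packet from 192.168.1.20 to the gateway on 443 hits the Stealth Rule even though the Internet Rule below it would allow 443, which is exactly why the stealth rule sits directly under the management rule.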

Destination NAT

The packet moves to the Destination NAT phase after the policy lookup performed by the Checkpoint firewall. Destination NAT is always created for an inside server which needs to be accessed from the outside world.

In Destination NAT the firewall checks whether the IP address in the packet comes from outside to inside to access the services.

In Destination NAT the public IP address of the server is changed to the private IP address. After that, the route for the private IP address is checked by the firewall to move the traffic to the correct server zone (LAN/DMZ/etc.)

Route Lookup

The route for the packet is checked in the route table. When traffic comes from outside to an inside server, e.g. a DMZ server, that server must be hosted on the Internet segment to communicate with Internet users.

Once the public IP address has been changed to the private IP, the firewall looks for the route to the private IP address of the server and sends the traffic there.

Source NAT

Source NAT is checked when traffic goes from inside to outside. If the packet goes from the inside LAN segment to the outside Internet, then source NAT is performed by the firewall; otherwise this step is skipped. Internal IP addresses are not routable over the Internet. Source NAT can be performed for a single IP address or for multiple IP addresses.
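The Destination NAT -> route lookup -> Source NAT order described in these three sections, applied to the rules configured in the "Checkpoint NAT Policy" article above (static 192.168.1.11 <-> 172.18.72.3, hide 192.168.22.0/24 behind the gateway, manual 63.8.0.111:22 -> 192.168.1.10 and 63.8.0.111:80 -> 192.168.1.20). Added example, not Check Point code: the gateway's external IP, the interface names, the route table and the sample packets are constructed, and manual rules are checked before automatic ones, as the NAT rulebase places manual rules above automatic ones.

```python
"""NAT stages in packet-flow order (added example, not Check Point code)."""
import ipaddress
from dataclasses import dataclass, replace

GATEWAY_EXTERNAL_IP = "172.18.72.1"   # constructed: the "hide behind gateway" address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


# Automatic NAT derived from objects (values from the NAT article).
STATIC_NAT = {"192.168.1.11": "172.18.72.3"}   # private -> public, one to one
HIDE_NAT = ["192.168.22.0/24"]                 # whole LAN hidden behind the gateway
# Manual NAT: (original dst, proto, original port) -> (translated dst, translated port).
MANUAL_DNAT = {
    ("63.8.0.111", "tcp", 22): ("192.168.1.10", 22),
    ("63.8.0.111", "tcp", 80): ("192.168.1.20", 80),
}
# Constructed route table: network -> egress interface (eth0 faces the Internet).
ROUTES = {"192.168.1.0/24": "eth1", "192.168.22.0/24": "eth2", "0.0.0.0/0": "eth0"}


def destination_nat(pkt):
    """Inbound: manual rules first, then automatic static NAT (public -> private)."""
    key = (pkt.dst_ip, pkt.proto, pkt.dst_port)
    if key in MANUAL_DNAT:
        new_ip, new_port = MANUAL_DNAT[key]
        return replace(pkt, dst_ip=new_ip, dst_port=new_port), "manual"
    for private, public in STATIC_NAT.items():
        if pkt.dst_ip == public:
            return replace(pkt, dst_ip=private), "static"
    return pkt, None


class PortPool:
    """Hands out unique high ports so many hidden hosts can share one IP."""
    def __init__(self, start=10000):
        self.next_port = start

    def allocate(self):
        port = self.next_port
        self.next_port += 1
        return port


def source_nat(pkt, port_pool):
    """Outbound: static NAT keeps the port; hide NAT rewrites source IP and port."""
    if pkt.src_ip in STATIC_NAT:
        return replace(pkt, src_ip=STATIC_NAT[pkt.src_ip]), "static"
    src = ipaddress.ip_address(pkt.src_ip)
    if any(src in ipaddress.ip_network(n) for n in HIDE_NAT):
        return replace(pkt, src_ip=GATEWAY_EXTERNAL_IP, src_port=port_pool.allocate()), "hide"
    return pkt, None


def route_lookup(dst_ip):
    """Longest-prefix match over the constructed route table; returns the egress interface."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net_str, iface in ROUTES.items():
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(pkt, ingress, port_pool):
    """Apply the stages in the article's order: DNAT, then route lookup, then SNAT.

    Returns (translated packet, egress interface, dnat kind, snat kind).
    """
    dnat_kind = None
    if ingress == "eth0":                      # outside -> inside
        pkt, dnat_kind = destination_nat(pkt)
    egress = route_lookup(pkt.dst_ip)          # routed on the translated destination
    snat_kind = None
    if egress == "eth0":                       # inside -> outside
        pkt, snat_kind = source_nat(pkt, port_pool)
    return pkt, egress, dnat_kind, snat_kind


if __name__ == "__main__":
    pool = PortPool()
    # Constructed packets: an Internet client (203.0.113.9) reaching the manual-NAT
    # services and the static-NAT server, then a hidden LAN host and the static host going out.
    samples = [
        (Packet("203.0.113.9", "63.8.0.111", "tcp", 5000, 22), "eth0"),
        (Packet("203.0.113.9", "63.8.0.111", "tcp", 5001, 80), "eth0"),
        (Packet("203.0.113.9", "172.18.72.3", "tcp", 5002, 443), "eth0"),
        (Packet("192.168.22.5", "203.0.113.9", "tcp", 40000, 443), "eth2"),
        (Packet("192.168.1.11", "203.0.113.9", "tcp", 40001, 443), "eth1"),
    ]
    for pkt, ingress in samples:
        print(forward(pkt, ingress, pool))
```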

Layer 7 Inspection

First, let's understand what Layer 7 inspection is.

It is a technology used to analyse TCP/IP-based traffic. Layer 7 inspection includes Anti-Virus scanning, URL Filtering, Application Control, anti-spoofing, website categorisation, Anti-bot and Anti-spam blades.

It is a deep-level packet inspection performed by the Checkpoint firewall using its security blades. Checkpoint security blades have the below features

  • IPS
  • Anti-Virus
  • Anti-Bot
  • Application Control

We can enable Application Layer inspection using the below steps:

Encryption

Here, Checkpoint checks whether the packet is encrypted or not. If the packet belongs to a VPN or SSL, it is in encrypted format. Encryption is performed on VPN traffic after L7 inspection, and the firewall checks whether there is a route to the tunnel gateway from source to destination.

A route is a mandatory factor in site-to-site VPN. The packet takes the IPsec route whenever traffic goes via the VPN tunnel.

Routing

The final step is to redirect the packet to the correct interface (ingress or egress) so that it reaches the next hop from the Checkpoint firewall. It could be an exit interface or an inbound interface.

Routing is checked by the Checkpoint firewall after encryption to redirect the traffic to the correct route.

How to Configure Checkpoint Firewall? Step-by-Step Guide https://networkinterview.com/how-to-configure-checkpoint-firewall/ https://networkinterview.com/how-to-configure-checkpoint-firewall/#respond Wed, 17 May 2023 08:40:04 +0000 https://networkinterview.com/?p=18726 Prerequisites to Configure Checkpoint Firewall

Sometimes we need to install a new Check Point firewall in the network from scratch, which requires a few prerequisites:

  • Console cable
  • Physical access to the device (arrange a local site engineer)
  • Bootable USB stick

Steps to Configure Checkpoint Firewall

Let's walk through configuring a Check Point firewall with a guided step-by-step process:

Step 1 Check whether the version on the new device is up to date. If yes, move to Step 8; otherwise continue with the steps below.

Step 2 Prepare the USB stick: Check Point sk92423 lists which USB sticks are supported for installing Check Point.

Step 3 Use ISOmorphic to make a bootable Check Point USB stick.

Step 4 Plug the USB stick into the device's USB port and power on the Check Point device.

Step 5 Enter the BIOS configuration.

Step 6 Press TAB or DEL to enter the BIOS and set up the boot devices.

USB-HDD and USB-CDROM are selected as the boot devices.

Step 7 Change the boot order here to USB boot.

Step 8 Load the Check Point ISO and select "Install Gaia on this System".

Step 9 Select OK.

Step 10 Select the language.

Step 11 This figure shows the partition configuration; the Check Point installer calculates the disk space allocation according to its best practices.

Disk space along with percentages is shown in the images below.

Step 12 Set the password for CSCONFIG; this is not the Dashboard password.

Step 13 Select your network ports and continue with OK 

Step 14 Here we set the IP address of the Check Point device. Configure the IP for the management interface: 192.168.1.150

Put Netmask -> 255.255.255.0

Default Gateway -> 192.168.1.1

And enter OK

Step 15 The installer formats the hard drive and installs the OS.

Step 16 Formatting starts.

Step 17 Reboot once formatting has completed, and connect to the management interface at "https://192.168.1.150" (the address given in Step 14).

Step 18 Check device access using the CLI (PuTTY).

You can access the device from a local system by connecting a LAN cable to the device's eth1/management port and giving your local system the IP settings below:

IP address 192.168.1.30

Subnet 255.255.255.0

Gateway 192.168.1.1

Step 19 Alternatively, connect to the Gaia Portal with the username and password you set in the previous step.

Step 20 The Gaia configuration wizard appears.

At this stage, the OS upgrade of the firewall is complete. Now we will configure the firewall's initial setup step by step.

Step 21 Continue with the Gaia R77.20 configuration: the First Time Configuration Wizard is displayed on screen.

Step 22 Select the deployment option.

Note: in this figure we have to specify the IP address we will use to connect to SmartConsole.

The user interface requires a licence.

Step 23 Select the DNS values and configure them according to the network topology.

Step 24 Set the time and date manually, or configure the NTP server details.

Step 25 Under Installation type, select "Security gateway or security management".

Step 26 Add the device to ClusterXL, or skip this part if the Check Point firewall is configured as a standalone box.

Step 27 Set the username and password for the Security Management administrator of the Check Point firewall.

Step 28 Here we can restrict which computer or IP address is allowed to connect to the Management console.

We are selecting the Any IP address option here.

Step 29 Setup is complete; select Finish.

Step 30 Select YES to save the changes on the device; all new configuration will then be applied to the device.

Once you click Yes, the system restarts.

Check Point Routing: Gaia Portal
https://networkinterview.com/check-point-routing-gaia-portal/ (Mon, 15 May 2023)

Gaia is the latest operating system for security applications developed by Check Point. It is named after Gaia, the mother of all in Greek mythology, symbolizing a well-integrated system comprising various components to ensure optimal performance. Gaia OS is designed to support Check Point’s complete range of Security Management products, Gateway, and Software Blades.

Gaia functions as a cohesive security operating system, merging Check Point’s original operating systems with IPSO, the operating system used in appliance security products. It is available for all Check Point Security Appliances and Open Servers.

The Gaia Portal is an advanced interface that is accessible through the web for configuring the Gaia platform. This interface allows you to accomplish nearly all system configuration tasks. Let’s understand and configure Check Point routing using Gaia Portal.

Check Point Routing Types

Check Point offers two types of routing:

    1. Static Routing
    2. Dynamic Routing, which includes BGP, OSPF and RIP. Here we will discuss BGP and OSPF routing.

Check Point Static Routing R80.10 Firewall

We configure a static route to give a single destination one or more paths by which it can be reached.

The CLI command to configure a static route on the Check Point firewall is "set static-route".

  • Static routes are used to add paths for specific destinations
  • We can add multiple static routes for different destinations by using priorities

Let's configure a static route in the Check Point firewall:

  1. Log in to the Web GUI of the Check Point firewall
  2. Select IPv4 Static Routes
  3. Go to Add Multiple Static Routes
  4. Add routes with the IP address of the next hop
  5. Default 192.168.2.132

Similarly, to add a single static route in the firewall:

  1. Log in to the Web GUI of the Check Point firewall
  2. Select IPv4 Static Routes
  3. Go to Add Static Route
  4. Add destination route 172.16.24.0, subnet mask 255.255.0.0
  5. Add gateway eth0 (associated interface)

Checkpoint Dynamic Routing / Advanced Routing: BGP Protocol

Check Point dynamic routing is also known as Advanced Routing.

Let's configure BGP in the Check Point Web GUI:

  1. Go to Advanced Routing 🡪 BGP.
  2. Add the Router ID for the autonomous system (AS) 🡪 Closest ID.
  3. Select the Local Autonomous System Number: 5.
  4. Next, move to Miscellaneous Settings and add the default route IP address.
  5. The default gateway is a default route that is generated when the BGP peers are up.
  6. This default route has a higher rank than the default static route.
  7. Next, enable the Peer Group configuration in BGP.

CLI commands:

Configure BGP

  set bgp external remote-as <as_number>
        {on | off}
        aspath-prepend-count {<1-25> | default}
        description "text"
        local-address <ip_address> {on | off}
        outdelay {<0-65535> | off}

Configure BGP Peers

  set bgp external remote-as <as_number> peer <ip_address>
        {on | off}
        accept-med {on | off}
        accept-routes {all | none}
        allowas-in-count {<0-10> | default}
        as-override {on | off}
        authtype {none | md5 secret <secret>}
        capability {default | ipv4-unicast | ipv6-unicast}
        graceful-restart-helper {on | off}
        graceful-restart-helper-stalepath-time <seconds>
        holdtime {<6-65535> | default}
        ignore-first-ashop {on | off}
        ip-reachability-detection
              check-control-plane-failure
              multihop
              off
              on
        keepalive {<2-21845> | default}
        log-state-transitions {on | off}
        log-warnings {on | off}
        med-out {<0-4294967294> | default}
        multihop {on | off}
        no-aggregator-id {on | off}
        outgoing-interface <interface> {on | off}
        passive-tcp {on | off}
        peer-local-as
              dual peering {on | off}
              inbound-peer-local {on | off}
              outbound-local {on | off}
        peer-local-as as {<1-4294967295> | <0.1-65535.65535>} {on | off}
        removeprivateas {on | off}
        route-refresh {on | off}
        send-keepalives {on | off}
        send-route-refresh {request | route-update} {ipv4 | ipv6 | all} [unicast]
        suppress-default-originate {on | off}
        throttle-count {<0-65535> | off}
        trace <bgp_traceoption> {on | off}
        ttl {<1-255> | default}

Configure BGP Reflection

  set bgp
        internal peer <ip_address> peer-type {none | no-client-reflector | reflector-client}
        cluster-id {<ip_address> | off}
        default-med {<0-65535> | off}
        default-route-gateway {<ip_address> | off}

Monitor BGP

  show bgp
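The peer syntax above is a flat list of options, and a mistyped value is only rejected once it reaches the gateway prompt. The following Python script is an added example (not Check Point code and not the Gaia CLI itself): it checks a peer specification against the numeric ranges shown above, flags a peer left at authtype none, and emits the corresponding clish commands. The BgpPeer class and the sample AS number, address and secret are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

RANGES = {  # allowed value ranges, taken from the clish syntax listed above
    "holdtime": (6, 65535), "keepalive": (2, 21845), "ttl": (1, 255),
    "med-out": (0, 4294967294), "allowas-in-count": (0, 10),
    "throttle-count": (0, 65535),
}

@dataclass
class BgpPeer:
    remote_as: int                     # AS number of the external peer
    address: str                       # peer IP address
    md5_secret: Optional[str] = None   # None means 'authtype none'
    options: dict = field(default_factory=dict)  # e.g. {"holdtime": 90}

def validate(peer: BgpPeer) -> List[str]:
    """Return the problems found; an empty list means the spec is usable."""
    problems = []
    if not 1 <= peer.remote_as <= 4294967295:
        problems.append(f"remote-as {peer.remote_as} out of range 1-4294967295")
    try:
        ipaddress.ip_address(peer.address)
    except ValueError:
        problems.append(f"peer address {peer.address!r} is not an IP address")
    for name, value in peer.options.items():
        lo, hi = RANGES.get(name, (None, None))
        if lo is None:
            problems.append(f"unknown option {name}")
        elif not lo <= value <= hi:
            problems.append(f"{name} {value} out of range {lo}-{hi}")
    hold, keep = peer.options.get("holdtime"), peer.options.get("keepalive")
    if hold is not None and keep is not None and keep >= hold:
        problems.append("keepalive must be shorter than holdtime")
    if peer.md5_secret is None:
        problems.append("authtype none: session is unauthenticated, use md5")
    return problems

def render(peer: BgpPeer) -> List[str]:
    """Emit the clish commands for the peer; raise if validate() finds problems."""
    problems = validate(peer)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set bgp external remote-as {peer.remote_as}"
    cmds = [f"{base} on", f"{base} peer {peer.address} on",
            f"{base} peer {peer.address} authtype md5 secret {peer.md5_secret}"]
    for name, value in sorted(peer.options.items()):
        cmds.append(f"{base} peer {peer.address} {name} {value}")
    return cmds

if __name__ == "__main__":
    # Constructed sample; AS number, address and secret are placeholders.
    peer = BgpPeer(65001, "198.51.100.2", md5_secret="CHANGE-ME",
                   options={"holdtime": 90, "keepalive": 30, "ttl": 1})
    print("\n".join(render(peer)))
```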

Checkpoint Dynamic Routing: OSPF Protocol

OSPF first confirms that its associated interfaces are functional, then sends Hello packets over those interfaces (the Hello protocol) to discover neighbours. Neighbours are routers or other devices that share a network segment with the firewall interface.

After that, the neighbouring routers or devices establish adjacencies and exchange their link-state databases.

Topology Details

  1. Loopback IP 🡪 30.30.30.0/24
  2. Firewall internal IP subnet 🡪 10.10.10.1/24
  3. Now go to Advanced Routing 🡪 OSPF 🡪 Router ID 🡪 10.10.10.1 (routes will be learnt from this IP address)
  4. Add the interface that learns routes and publishes OSPF routes to the configuration.
  5. We have added eth1, where the 10.10.10.1 subnet is defined.
  6. The OSPF interface configuration is shown here.

Now OSPF is configured in the firewall.

CLI commands:

Configure OSPF in Checkpoint Firewall

  set ospf [instance <1-65535>]
        default-ase-cost <cost>
        default-ase-type {1 | 2}
        force-hellos {on | off | timer {default | <2-10>}}
        graceful-restart-helper {on | off}
        graceful-restart {on | off | grace-period <seconds>}
        rfc1583-compatibility {on | off}
        spf-delay {default | <delay>}
        spf-holdtime {default | <holdtime>}

Configure OSPF Areas

  set ospf [instance <1-65535>] area {backbone | <ospf_area_name>} {on | off}
        range <ip_range> {off | on | restrict}
        stub
              default-cost <1-677215>
              off
              on
              summary
        stub-network <ip_range>
              off
              on
              stub-network-cost
        nssa {on | off}
              default-cost <1-677215>
              default-metric-type <1-2>
              import-summary-routes {on | off}
              range <ip_range> {on | off | restrict}
              redistribution {on | off}
              translator-role {always | candidate}
              translator-stability-interval <1-65535>

Monitor OSPF

  show ospf instance <OSPF_instance_number> neighbors [detailed]

Checkpoint SD WAN: Concept, Architecture & Configuration
https://networkinterview.com/checkpoint-sd-wan/ (Sat, 11 Mar 2023)

Note: This document is for readers who already have prior knowledge of SD-WAN and want to deepen their understanding of SD-WAN from a Check Point perspective.

This blog covers the following Check Point SD-WAN topics:

  • Quantum Check Point SD-WAN concept
  • Architecture
  • Application-based traffic steering
  • Demo -> how to configure Check Point SD-WAN
  • Monitoring Check Point SD-WAN logs

Checkpoint SD WAN Concept

The main purpose of SD-WAN is cost saving.

Check Point always focuses on the Threat Prevention policy, and here we are using Check Point R80.10. The components we use during the configuration of SD-WAN and the firewall policy are:

  1. Smart Management Server: installs the security policy and shares objects with the Infinity Next portal (the Infinity Next Portal is discussed later)
  2. Infinity Next: holds the SD-WAN traffic steering policy and handles object synchronisation. Traffic steering for applications provides jitter, packet loss and latency measurement and link failover. Active probing is also part of traffic steering and helps to monitor the multiple ISP links.
  3. Nano Agent: holds the steering policy received from Infinity Next
  4. Active Probing: measures link quality

Checkpoint SD WAN Architecture

Here we will discuss the architecture of the Check Point SD-WAN topology.

  1. Security Management Server -> installs the policy on the gateways and synchronises its network objects with the Infinity Next portal
  2. Link Mapping -> where we define which interface goes to which link
  3. Nano Agent -> fetches the policy from the Infinity Next portal and makes deployment smooth
  4. Infinity Next -> syncs the objects with the Management Server

WAN Links and Steering Policy

  1. WAN links are associated with ISPs. Configure the WAN links with a name and IP addresses.
  2. Define the steering policy, which allows you to differentiate between the links.
  3. The steering policy is based on jitter, latency and packet loss.

Once the association is complete, we know which link is tied to which steering policy and Ethernet interface.

Routing

In Gaia you define one default route for all traffic, which is then managed by the Nano Agent.

NAT

Also enable Hide NAT behind the gateway.

The Nano Agent fetches the policy from the Infinity portal.

Run the commands:

 #fw sdwan stat

 # cpsdwan stat

Understand the Link Monitoring in SD WAN

We can run the #cpview command to check the traffic pattern in the firewall.

We can see the Probe Targets, which show the default IP 8.8.8.8, and also the next-hop segment where the ISP details and traffic are defined by the firewall.

The final option, ISP selected, shows which ISP is carrying the traffic to the destination.

The next step is to define the steering policy -> which application can use which link, for which behaviour, and to apply thresholds to the WAN links.

Note: before deploying the steering and security policy, consider the points below:

  • Choose the best available WAN link according to the application
  • Choose bandwidth according to utilisation
  • Limit bandwidth for low-priority applications
  • Categorise the quality of each WAN link

How to configure SD-WAN in Checkpoint?

The scenario is:

  1. The best available link must be assigned to the Teams application for high speed
  2. Sales users can use the high-speed link for YouTube
  3. Other users can only use the limited-speed link for YouTube

The Quantum SD-WAN solution is managed by the Smart Management Server for everything related to security, while traffic steering is managed by the Infinity Next Portal.

Allow policy for YouTube and Teams in the Security Gateway

Step 1 Apply the Threat Prevention policy in the Security Management Server.

Step 2 Disable Hide NAT for all traffic.

Step 3 Configure the policy in the firewall. Go to Security Policies -> Policy:

  1. Teams: access policy for the Teams application, Policy 7
  2. YouTube: access policy for Sales users, Policy 9
  3. YouTube for all: access policy for all other users, Policy 10

Step 4 Apply the basic default Threat Prevention policy for the subnet.

Step 5 Enable HTTPS Inspection for the YouTube and Teams applications in the firewall.

Step 6 Enable similar access in the SD-WAN Steering Policy in Check Point Quantum.

Step 7 WAN link mapping on the device. The next hop is defined after enabling the interface.

On the Security Gateway we map the interface to the WAN link using a CLI command; here we manually define the interface-to-WAN-link mapping with the active steering policy from the CLI session.

We define the interface, the next hop and the keyword that makes the mapping active immediately.

Step 8 Check Network Address Translation (NAT) for the whole subnet.

Step 9 Check the SD-WAN ISPs, where the interfaces are mapped to their characteristics. The main ISP has high-speed bandwidth and ISP 2 has limited bandwidth.

Step 10 Define the steering objects. The steering objects define how the WAN interfaces will be used in the network; all the WAN criteria are defined in the steering object. See the screenshot below for better understanding.

Step 11 Define the Nano Agent as below.

Step 12 Here you can install the Nano Agent.

Now the configuration is complete. Next we will access the application and check the corresponding logs in the firewall.
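As an added illustration of the steering logic the scenario above describes (a constructed model, not Check Point's implementation), the Python code below evaluates the three scenario rules against probe results and picks a link, failing over within the allowed tier when the preferred link breaches its thresholds. The link names, threshold values and tier labels are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class WanLink:
    name: str          # e.g. "ISP1" (main, high speed) or "ISP2" (limited)
    tier: str          # "high" or "limited", as in the scenario above
    latency_ms: float  # what active probing towards the probe target would measure
    jitter_ms: float
    loss_pct: float
    up: bool = True

@dataclass
class Threshold:
    """Link quality limits of a steering object (assumed values)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def ok(self, link: WanLink) -> bool:
        return (link.up and link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)

# Steering rules for the scenario: (application, user group, allowed tiers,
# threshold). "*" matches any group; rules are evaluated top down, first hit wins.
RULES: List[Tuple[str, str, Tuple[str, ...], Threshold]] = [
    ("teams",   "*",     ("high", "limited"), Threshold(150, 30, 2.0)),
    ("youtube", "sales", ("high",),           Threshold(300, 50, 5.0)),
    ("youtube", "*",     ("limited",),        Threshold(500, 100, 10.0)),
]

def select_link(app: str, group: str, links: List[WanLink]) -> Optional[str]:
    """Return the WAN link name a flow is steered to, or None (default route)."""
    for rule_app, rule_group, tiers, thr in RULES:
        if rule_app != app or rule_group not in ("*", group):
            continue
        allowed = [x for x in links if x.tier in tiers]
        healthy = [x for x in allowed if thr.ok(x)]
        # Failover: if no allowed link meets the thresholds, fall back to any
        # allowed link that is still up rather than crossing into another tier.
        candidates = healthy or [x for x in allowed if x.up]
        if not candidates:
            return None
        # "Best available" = lowest latency, then lowest packet loss.
        best = min(candidates, key=lambda x: (x.latency_ms, x.loss_pct))
        return best.name
    return None  # no steering rule matches: normal routing applies

if __name__ == "__main__":
    # Constructed probe results; ISP2 is the slower, limited-bandwidth link.
    links = [WanLink("ISP1", "high", 20, 5, 0.1), WanLink("ISP2", "limited", 60, 15, 0.5)]
    for app, group in [("teams", "hr"), ("youtube", "sales"), ("youtube", "hr")]:
        print(app, group, "->", select_link(app, group, links))
```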

Monitor SD-WAN Traffic Logs

Case 1 Access the YouTube site as a normal user

  1. Check the logs in the Web SmartConsole.

When we expand the log entry:

Case 2 Access the YouTube site as a Sales user. We can see in the screenshot below that the traffic is going via the Main ISP.

Everything works as per our configuration.
