SECURITY ENGINEERING
Student & Lab Manual
R80.10
CHECK POINT INFINITY

© 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv, Israel
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: 5530 Commerce Drive, Suite 120, Irving, TX 75063

Document # DOC-Manual-CCSE-R80.10
Table of Contents

Preface: Security Engineering
  Check Point Security Engineering Course
  Prerequisites
  Course Chapters and Learning Objectives
  Lab Topology
  Related Certification

Chapter 1: System Management
  Advanced Gaia
    Gaia Features and Benefits
    Upgrades
    Hotfixes
    CLI Commands
  Advanced Firewall
    Check Point Firewall Infrastructure
    The Firewall Kernel
    Packet Flow
    Chain Modules
    Stateful Inspection
    Security Servers
    Kernel Tables
    Policy Installation
    Network Address Translation
    Firewall Administration
  Review Questions
  Tasks
  Performance Objectives
  Lab 1.1: Upgrading to R80.10
    Migrating Management Server Data
    Installing the Security Management Server
    Configuring Security Management Server Using the Gaia Portal
    Installing SmartConsole
    Importing the Check Point Database
    Launching SmartConsole and Reconfiguring Existing Security Policies
  Lab 1.2: Applying Check Point Hotfixes
    Locating the CPUSE Identifier
    Installing the Hotfix on the Security Gateway
  Lab 1.3: Configuring a New Security Gateway Cluster
    Installing a Second Security Gateway
    Configuring the Bravo Security Gateway with the First Time Configuration Wizard
    Using the Gaia Portal to Configure the Security Gateway
    Re-configuring the Primary Gateway
    Configuring the Alpha Security Policy to Manage the Remote Security Gateway Cluster
  Lab 1.4: Core CLI Elements of Firewall Administration
    Managing Policy and Verifying Status from the CLI
    Reconfiguring the Security Policies
    Using fw monitor
    Using tcpdump
  Lab 1.5: Viewing the Chain Modules
    Evaluating the Chain Modules
    Modifying the Security Policy
    …anslation

Chapter 2: Automation & Orchestration
  Automation & Orchestration
    Check Point APIs
    Check Point API Architecture
    Management API Commands
    Management API Support
  Review Questions
  Tasks
  Performance Objectives
  Lab 2.1: Managing Objects Using the Check Point API
    Configuring the Check Point API
    Defining and Editing Objects in the API

Chapter 3: Redundancy
  Advanced ClusterXL
    Load Sharing
    Proxy ARP
    vMAC
    Cluster Synchronization
    Cluster Connectivity Upgrade
    Add a Member to an Existing Cluster
    Sticky Connections
    Management High Availability
    OPSEC Certified Clustering Products
    VRRP Clusters
    VRRP Types
  Review Questions
  Tasks
  Performance Objectives
  Lab 3.1: Deploying a Secondary Security Management Server
    Installing the Secondary Management Server
    Configuring Management High Availability
    Testing Management High Availability
  Lab 3.2: Enabling Check Point VRRP
    Viewing ClusterXL Failover
    Defining a Virtual Router for VRRP
    Configuring the Security Policy for VRRP

Chapter 4: Acceleration
  SecureXL: Security Acceleration
    Using SecureXL
    Packet Acceleration
    Session Rate Acceleration
    SecureXL Connection Templates
    Packet Flow
    VPN Capabilities
  CoreXL: Multicore Acceleration
    Using CoreXL
    Processing Core Allocation
    Dynamic Dispatcher
    Packet Flow with CoreXL and SecureXL Enabled
  Multiple Traffic Queues
    Using Multi-Queue
  Review Questions
  Tasks
  Performance Objectives
  Lab 4.1: Working with SecureXL
    Identifying Status of Current Connections
  Lab 4.2: Working with CoreXL
    Enabling CoreXL
    Reviewing CoreXL Settings

Chapter 5: SmartEvent
  The SmartEvent Solution
    SmartEvent Components
    SmartEvent Clients
    SmartEvent Workflow
    SmartEvent Deployment
    Defining the Internal Network
    Identifying an Event
    Monitoring the Network
    Event Queries
    Investigating Security Events
    Ticketing
    Importing Offline Log Files
    Remediating Security Events
    Configuring Event Policy
    Configuring IPS Policy
    Reporting Security Events
    Using Predefined Reports
    Defining Custom Reports
    Preventative Measures
    Creating a New Event Definition
    Reporting an Event to Check Point
    Eliminating False Positives
    SmartEvent Example
    High Availability Environment
    Security CheckUp
  Review Questions
  Tasks
  Performance Objectives
  Lab 5.1: Evaluating Threats with SmartEvent
    Configure the Network Object in SmartConsole
    Monitoring Events with SmartEvent

Chapter 6: Remote and Mobile Access
  Mobile Access Software Blade
    Mobile Access Wizard
    Mobile Access Workflow
    Gateway Security Features
    Mobile Access Deployment
    Choosing Remote Access Solutions
    Installation Types
    Secure Connectivity and Endpoint Security
    SSL VPN versus IPSec (Layer 3) VPN
    Clients
    Mobile Access Portal
    SSL Network Extender
    Check Point Mobile
    Check Point Capsule Workspace
    SecuRemote
    Additional Remote Access Options
    Check Point Capsule
    Capsule Workspace
    Capsule Docs
    Capsule Cloud
    Mobile Access Policy
    Mobile Access Rule Base
    Best Practices
  Review Questions
  Tasks
  Performance Objectives
  Lab 6.1: Managing Mobile Access
    Enable Mobile Access Blade
    Configure the Check Point Capsule Policy
    Testing Check Point Capsule

Chapter 7: Threat Prevention
  The Threat Landscape
    Zero-Day Attacks
    Advanced Persistent Threats
    Intrusion Prevention System
    IPS Profile Settings and Protections
    IPS Tuning and Maintenance
    Geo-Protection
    Antivirus
    Anti-Bot
    Sandboxing
    Operating System-Level Sandboxing
    CPU-Level Sandboxing
    Check Point SandBlast Zero-Day Protection
    SandBlast Components
    SandBlast Appliances
    SandBlast Cloud
    SandBlast Agent
    SandBlast Deployment
    Public Cloud Service
    Private Cloud
    Hybrid Solution (SandBlast Appliance and Cloud)
    Mobile Threat Prevention
    MTP Components
    Mobile Threat Prevention Workflow
  Review Questions
  Tasks
  Performance Objectives
  Lab 7.1: Understanding IPS Protections
    Configuring the Protection Profile
    Configuring the IPS Demonstration Tool
    Testing the Default Protections
    Modifying the Protection Profile Settings
    Working with Logs & Monitor to Investigate Threats
    Modifying an Existing Protection Profile
  Lab 7.2: Deploying IPS Geo Protection
    Modifying Anti-Spoofing Settings
    Configuring IPS Geo Protection
  Lab 7.3: Reviewing Threat Prevention Settings and Protections
    Review Threat Prevention Settings and Protections
    Testing EICAR Access
  Lab 7.4: Deploying Threat Emulation and Threat Extraction
    Use ThreatCloud to Verify File Safety
    Configure Threat Emulation to Inspect Incoming Traffic

Appendix A: Questions and Answers
  Chapter 1: System Management
  Chapter 2: Automation and Orchestration
  Chapter 3: Redundancy
  Chapter 4: Acceleration
  Chapter 5: SmartEvent
  Chapter 6: Remote and Mobile Access
  Chapter 7: Threat Prevention

Preface: Security Engineering

Welcome to the Check Point Cyber Security Engineering course.
This course provides an advanced and in-depth explanation of Check Point technology. It includes advanced upgrading, key techniques for building, deploying and enhancing network performance, and management and troubleshooting features to mitigate security risks. The course is intended to provide you with an understanding of the skills necessary to effectively design, maintain and protect your enterprise network.

Preface Outline
• Prerequisites
• Course Chapters and Learning Objectives
• Lab Topology
• Related Certification

Check Point Security Engineering Course
This course is designed for security experts and Check Point resellers who need to perform advanced deployment configurations of a Security Gateway and are working towards their Check Point Certified Security Engineering (CCSE) certification. The following professionals benefit most from this course:
• System Administrators
• Support Analysts
• Network Engineers

Prerequisites
Successful completion of this course depends on knowledge of multiple disciplines related to network-security activities, including:
• UNIX and Windows operating systems
• Certificate management
• System administration
• CCSA training/certification
• Networking (TCP/IP)

Course Chapters and Learning Objectives

Chapter 1: System Management
• Understand system management procedures, including how to perform system upgrades and apply hotfixes.
• Identify advanced CLI commands.
• Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Chapter 2: Automation and Orchestration
• Recognize how Check Point's flexible API architecture supports automation and orchestration of daily operations.
• Understand how to use the management API, command line tools and web services to read information, create objects, work on Security Policies, and send commands to the Check Point Security Management Server.

Chapter 3: Redundancy
• Discuss advanced ClusterXL functions and redundancy.
• Describe VRRP network redundancy and its advantages.

Chapter 4: Acceleration
• Understand how SecureXL acceleration technology enhances and optimizes Security Gateway performance.
• Understand how CoreXL acceleration technology enhances and improves Security Gateway performance.

Chapter 5: SmartEvent
• Identify SmartEvent components used to store network activity logs and identify events.
• Discuss the SmartEvent process that determines which network activities may lead to critical security issues.
• Understand how SmartEvent can assist in detecting, remediating, and preventing security threats targeting organizations.

Chapter 6: Mobile Access
• Discuss the Mobile Access Software Blade and how it secures communication and data exchange during remote connections.
• Understand Mobile Access deployment options.
• Recognize Check Point Remote Access solutions and how they differ.
• Discuss Check Point Capsule components and how they work to protect mobile devices and business documents.

Chapter 7: Threat Prevention
• Discuss different Check Point Threat Prevention solutions for dangerous attacks such as zero-day and Advanced Persistent Threats.
• Understand how SandBlast, Threat Emulation, and Threat Extraction help to prevent security incidents.
• Identify how Check Point Mobile Threat Prevention helps protect an organization from threats targeting company-issued smartphones and tablets.

Lab Topology
Labs for this course were developed using VMware Workstation. Your instructor will have information for the specific settings and configuration requirements of each virtual machine. Most lab exercises will require you to manipulate machines in the virtual network.

Review the starting lab topology pictured below. Note the location of each server in relation to the Security Gateways and how they are routed. Make sure you understand the purpose of each machine, and the credentials and applications used throughout the course.

Figure 1 — CCSE Lab Topology (Check Point R80.10 CCSE Lab Topology)

Related Certification
The Check Point Certified Cyber Security Engineer (CCSE) certification is designed for partners and customers seeking to validate their expert-level knowledge of Check Point's software products and security solutions. Students must have a valid CCSA certification before challenging the CCSE exam.

Chapter 1: System Management

Cyber Security experts are expected to acquire and apply in-depth knowledge of the systems used to securely manage the organization's network infrastructure. This course begins with a deep dive into the Check Point Gaia operating system, including how to use essential CLI commands, perform upgrades, and apply hotfixes. We will also take a closer look at the Check Point Firewall infrastructure, chain modules, kernel tables, packet flow, and many more advanced Firewall processes and procedures.

Learning Objectives
• Understand system management procedures, including how to perform system upgrades and apply hotfixes.
• Identify advanced CLI commands.
• Understand the Check Point Firewall infrastructure and other advanced Firewall processes and procedures.

Advanced Gaia
Check Point Gaia is the unified, revolutionary, secure operating system for all Check Point appliances, open servers, and virtualized gateways.
The cutting-edge technology combines the best features of IPSO and Check Point's original secure operating system, SecurePlatform, into a single, harmonious operating system to provide greater operational efficiency and robust performance.

The Makings of Gaia
Gaia was derived from IPSO and SecurePlatform. The IPSO operating system was developed by Ipsilon Networks, a computer networking company specializing in IP switching during the 1990s. Nokia purchased Ipsilon Networks in 1997 and incorporated IPSO into their secure network appliances. Check Point acquired Nokia's Security business unit in April 2009. As a stripped-down operating system, IPSO provided enough functionality to run Check Point Firewalls, along with the incorporation of some standard Unix commands, such as tcpdump, ps, and df. It also provided great visibility into kernel statistics, such as network counters, interrupts, and more.

Check Point's SecurePlatform operating system is based on a kernel from Red Hat Software. SecurePlatform's hardened and optimized operating system eliminated software package components that were unnecessary for a network security device and modified or removed components that could present security risks. Its easy-to-use command shell provided the set of commands required for configuration, administration, and system diagnostics, including network settings, backup and restore utilities, upgrading, and system log viewing. Routine management and maintenance of SecurePlatform was performed through a restricted shell called Standard mode. Standard mode enhanced the security of SecurePlatform by restricting access to utilities that, if used improperly, would damage system stability. SecurePlatform also consisted of a Web Graphical User Interface (WebUI), which enabled users to easily configure settings and perform first-time installations. SecurePlatform allowed all system resources to be dedicated to the operating system and the installed Check Point products. With SecurePlatform, resources were no longer consumed by software such as GUIs, office applications, and network file systems.

Gaia Features and Benefits
Gaia supports the full suite of Check Point technologies, giving you improved connection capacity and the full power of Check Point security. Check Point Gaia offers these key values:
• Combines the best features of IPSO and SecurePlatform.
• Increases operational efficiency with a wide range of features.
• Provides a secure platform for the most demanding environments.

Gaia simplifies and strengthens management with the segregation of duties by enabling role-based administrative access. Additionally, Gaia greatly increases operational efficiency with an advanced and intuitive software update agent, commonly referred to as the Check Point Update Service Engine (CPUSE). Gaia management is made simple with the intuitive and feature-rich WebUI, and instant search options for all commands and properties. The same powerful CLI commands from IPSO and SecurePlatform have been seamlessly integrated into Gaia, along with new commands and capabilities.

Figure 2 — Gaia Portal

Key Features
Key features of Gaia include:
• Web-based User Interface with search navigation — This interface integrates all Gaia operating system management functions into a dashboard that is accessible via the most popular Web browsers, such as Internet Explorer, Chrome, Firefox, Opera, and Safari. The built-in search navigation tool delivers instant results, and for CLI-inclined users, a Shell Emulator pop-up window is only a single click away.
• Full Software Blade support — Gaia provides support for comprehensive Security Gateway and Security Management Software Blade solutions deployed on Check Point appliances and open servers.
• High connection capacity — Gaia is capable of boosting the connection capacity of existing Check Point appliances.
• Role-based administrative access — Segregation of duties is part of a good Security Policy because it improves operational efficiency and auditing of administrative events. Role-based administrative access gives Gaia customers the ability and granularity to customize their security management policies to meet their business needs. User authentication and authorization is based on the industry-standard RADIUS and TACACS+ protocols. Specific levels of access can be granted based on each individual's role and responsibility.
• Intelligent software updates — With Gaia, software update times are shortened and post-update testing is performed automatically. New releases and patches can be scheduled for automatic download and installed during off-peak hours for minimal business impact. Notification emails are sent about recommended updates and update statuses.
• Native IPv4 and IPv6 support — Check Point Gaia allows easy interoperability with both networking protocols.
• Clustering protocol support — Gaia fully supports ClusterXL, Check Point's proprietary network redundancy protocol, and standard VRRP on all Check Point appliances, open servers, and virtualized environments.
• Manageable dynamic routing suite — Multiple dynamic routing and multicasting protocols are supported by Gaia, providing flexible and uninterrupted network connectivity. All can be managed from both the Gaia portal and the CLI.

Supported Protocols

Dynamic Routing Protocols:
• RIP (RFC 1058)
• RIPv2 with authentication (RFC 1723)
• OSPFv2 (RFC 2328)
• OSPFv3 (RFC 5340)
• OSPF NSSA (RFC 3101)
• BGP4 (RFCs 1771, 1963, 1966, 1997, 2918)

Multicasting Protocols:
• IGMPv2 (RFC 2236)
• IGMPv3 (RFC 3376)
• PIM-SM (RFC 4601)
• PIM-SSM (RFC 4601)
• PIM-DM (RFC 3973)
• PIM-DM state refresh (draft-ietf-pim-refresh-02.txt)

Table 1: Gaia Supported Dynamic and Multicasting Protocols

Upgrades
As a Cyber Security Engineer, it is important to evaluate the overall health, compliance, and performance of your network. This often entails deciding whether to install new hardware to fit business needs or to upgrade to newer software versions to ensure the efficiency of the existing environment. Check Point recommends installing the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements, and protections against new and evolving attacks. Upgrades provide added enhancements over an earlier version and eliminate the complexities of re-creating product configurations, Security Policies, and objects.

Before upgrading appliances or open servers, verify the interoperability and upgrade path of your existing environment and make use of the appropriate Check Point upgrade tools. To upgrade from R77.XX to R80.10, an advanced upgrade with database migration process must be performed. Upgrades from R80 to R80.10 are performed through the software update agent, CPUSE.

NOTE: Upgrades to R80 and above are not supported from IPSO and SecurePlatform. For more information, refer to Check Point's Upgrade Map.

Upgrade Tools
Upgrade tools back up Check Point configurations, independent of hardware, operating system, and Check Point security management platform version. Use the upgrade tools to back up Check Point configuration settings on disk partitions of Check Point appliances and open servers. Disk space requirements for upgrades vary based on the upgrade version. Before starting an upgrade, refer to the release notes of the desired platform version to verify the space requirements for each disk partition, such as the /var/log/ and root partitions.

There is a different package of upgrade tools for each platform. Download the latest version of the upgrade tools from the Check Point support site. Before upgrading, a valid service contract that includes software upgrades and major releases must be registered to your organization's Check Point User Center account. The upgrade tools package consists of several files, including the files noted in the table below.

Package File: migrate.conf
Description: Holds configuration settings for Advanced Upgrade with Database Migration.

Package File: migrate
Description: Runs Advanced Upgrade with migration.

Package File: pre_upgrade_verifier
Description: Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.

Table 2: Upgrade Tools Package Files

Advanced Upgrade with Database Migration
As in all upgrade procedures, it is best practice to upgrade the Security Management Server or Multi-Domain Server before upgrading the Security Gateways. To upgrade from an earlier software version, such as R77.30, to Check Point's R80.10 security management platform, use the Advanced Upgrade with Database Migration method to migrate the database and install the software. With this method of upgrading, the current environment must meet these requirements for database migration:
• Available disk space of at least five times the size of the exported database on the target machine.
• The size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine.
• Source and target servers must be connected to a network, and the connected network interface must have an IP address.
• If the source environment uses only IPv4 or only IPv6, the target must use the same IP address configuration. For example, you cannot migrate to an IPv6 configuration if the source environment uses only IPv4.
• The target must have the same or higher version and the same set of installed products.
• The appropriate package of upgrade tools must be downloaded for each source platform.
• The correct ports for SmartConsole must be open in order for SmartConsole to communicate with the Security Management Server.

After the requirements for database migration have been met, create a backup copy of the existing configuration from the Gaia WebUI. Gaia operating system settings are not backed up and must be configured manually if the database is restored later due to issues with the upgrade. Take note of operating system settings (interfaces, servers, routes, system settings, etc.) before upgrading.

It is important to use the correct migration tool package to perform the upgrade. Use the upgrade tools package for the software version you are upgrading to. For example, if upgrading from R77.30 to R80.10, use the migration tools package for R80.10. Download and extract the tools to the old server (R77.30). Use the migrate utility of the upgrade tools package to export the source Security Management Server database (R77.30) to a file, and then import the file to the new server (R80.10).

NOTE: SmartEvent databases are not migrated during an advanced upgrade because the databases can be very large. Migration of these databases must be performed separately. Refer to sk110173 for information on how to migrate the SmartEvent database.
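A pre-flight check for the two disk-space requirements listed above (free space of at least 5x the exported database on the target, and a target /var/log of at least 25% of the source /var/log), written as an added example that is not part of the Check Point manual. It assumes Expert mode on the R80.10 target with standard du and df, sizes in KB, and the demo figures at the bottom are constructed.

```shell
#!/bin/bash
# Added example (not from the manual): pre-flight check for the disk requirements of
# Advanced Upgrade with Database Migration (R77.30 -> R80.10). All sizes are in KB.
# Assumes Expert mode on the R80.10 target, with du/df available.

# Requirement 1: free space on the target must be at least 5x the exported database file.
free_space_ok() {   # $1 = exported DB file size (KB), $2 = free space on target (KB)
    [ "$2" -ge $(( $1 * 5 )) ]
}

# Requirement 2: the target's /var/log must be at least 25% of the source's /var/log.
varlog_ok() {       # $1 = source /var/log size (KB), $2 = target /var/log size (KB)
    [ $(( $2 * 4 )) -ge "$1" ]
}

# Combined verdict: returns 0 when both hold; otherwise reports every failing
# requirement on stderr and returns 1, so the admin knows what to fix before 'migrate import'.
migration_space_ok() {  # $1 db_kb  $2 free_kb  $3 src_varlog_kb  $4 dst_varlog_kb
    rc=0
    if ! free_space_ok "$1" "$2"; then
        echo "FAIL: need $(( $1 * 5 )) KB free on target, have $2 KB" >&2
        rc=1
    fi
    if ! varlog_ok "$3" "$4"; then
        echo "FAIL: target /var/log ($4 KB) is below 25% of source /var/log ($3 KB)" >&2
        rc=1
    fi
    return $rc
}

# Gathers live figures on the target. $1 = path of the exported .tgz copied to the target,
# $2 = size of /var/log on the old server, collected there with: du -sk /var/log
# Free space is measured on the partition holding the export file.
check_live() {
    db_kb=$(du -sk "$1" | cut -f1)
    free_kb=$(df -Pk "$(dirname "$1")" | awk 'NR==2 {print $4}')
    dst_varlog_kb=$(du -sk /var/log | cut -f1)
    migration_space_ok "$db_kb" "$free_kb" "$2" "$dst_varlog_kb"
}

# Constructed demo figures: 2 GB export, 12 GB free, 40 GB source /var/log, 12 GB target /var/log.
if [ "${1:-}" = "demo" ]; then
    migration_space_ok 2097152 12582912 41943040 12582912 && echo "Disk requirements met"
fi
```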
The Upgrade Verification Service ‘Check Point's Upgrade Verification Service is an upgrade verification and environment simulation service created ta help custamers transition to R8O.XX as seamlessly as passible, guration files from your current platform to simulatetheenvironment and verify that the upgrade can be successfully applied across the key features of the software. The service will use con The simulation will also ensure that the database is not corrupted during the upgrade process. Upon completion, a status update of the simulation results along with advice on how best to procesd will be provided. For more detailed information grade Verification Service, refer to ski 10267. Lab 1.1 Upgrading to R80.10 ‘Check Pasn Sccuriy Engineering Hotfixes Holfixesare updates that are released to correst an issue discovered within the operating system orsoftware, They ean be released to address security vulnerabilities and inconsistencies or to provide enhancements and improvements, A Hotfix Accumulatar (HFA) is a collection of stability and quality fixes that resolve multiple issues in different products, When installed, HEAs will overwrite the current hotfixes insialled on the sysiem, The name of «a hotfix identifies the version it is compatible with. For example, R80_JUMBO_HF 1 Bundle _190 isa very large bundle of hotfixes for R80. In addition to hotfixes, same versions may have new features which require the installation ofan Add-on. Check Point recommends installing the add-on only ifthe features enabled are required When providing a fix to customers, Cheek Point supplies the updated file and installation package which will interactively install the fix. Gaia automatically provides a list of update packages available for download that are relevant to the operating system version installed. 
The Status.and Actions page of CPUSE displays hotfixes that are available for download and hotfixes that have previously been downloaded, imported, and installed Figure 3 — CPUSE Check Point Seuriy The CPUSE Agent CPUSEis an advanced and intuitive tool used to update the Gaia operating system and Check Point software products. It supports the deployment of majar and single hotfixes, and HAs. A major release intraduces new functionali wrsofiware releases, -sand technologies Examples of a major release would be R77 and R80. Minor releases include the latest fixes released to customers. R77.30 is an example af a minarrelease. The CPUSE tool automatically lacates and displays so fiware update packages and full images relevant to the Gaia operating sysiem version installed on the sompuisr. It also considers the role of the computer (management server, gateway, oF Gaia standalone) and other properties. The CPUSE agent is installed on every Gaia-hased machine and is responsible for all software deployment on that machine. The machine must be connectedto the Internet to-obtain software updates from the Check Point Cloud. Prior to every installation, CPUSE runs several verification tests to ensure that the package is compatible and can be installedon the machine without canilicts. To view available packages in the Gaia Portal navigate to the Upgrades (CPUSE}sectionand select Status and Actions. All are displayed in categories and are filtered to show recommended packages only by default hotfix and minor version pack: Check Point recommends downloading the Latest build of the CPUSE agent prior to applying a hotfix, In most cases, the latest build is downloaded automatically, To check the current build ofthe agent, elick the Hatfixes link next to the CPUSE version number, near the top of the Status and Actions page. 
A pop-up window will appear displaying hotfix information, The installed build of the deployment agent is displayed at the bottom ofthe build ean also be checked by using Clish and running the following com mand: indow. The current HostName:0>show installer status build Figure 4 —CPUSE > Status and Actions > Hotfixes Link NOTE ‘The latest buildof CPUSE is gradually released to all customers, therefore, all machines may not receive the latest build at the sime time. Hot fixes can be scheduled to download automatically, manual ly, or periadically; hawever, full installation and upgrade packages must be installed manually. 1B (Check Pains Securer Engineering Download and Install Hotfixes Hatfixes are applied by first downloading or importing the CPUSE package and then instal the package on the machine, In the Gaia Portal, click the lock icon to obtain the lock aver the configuration database before applying a hotfix and then navigate to the Status and Actions 6 Every haifix displayed as available for download may or may not be allowed or needed for installation onio your machine, Check Point rsvommendds verifying the package to determine if it can be installed without conflicts. To verify a package, perform one of the following actions + Select the package and click the Mare button on the toolbar. Fram the list of options, click Verifier.Or, + Rights the package and ¢liek Verifier The Verifier Results window will display, indicating whether or not installation is allowed. If installation is allowsd, proceed to download the package. The download progress is displayed in the Status column of the hotfix. The dawnload may be paused at any time. When paused, the status of the package will change to Pausing Download and then to Partially Downloaded and may be resumed at any time. Install the package after it has been successfully downloaded. 
To install a downloaded package, select the package and click the Install Update button, or right-click the package and select Install Update. Hotfixes can also be downloaded and installed all at once by simply clicking the Install Update button.

Most Jumbo Hotfix packages and private hotfix packages are posted to the Check Point Cloud. Click the Add Hotfixes from the cloud button to search, or enter a package identifier posted to the cloud. Contact Check Point Support to get the package's CPUSE Identifier, or copy and paste the file name from the Check Point Download Center. Use the CPUSE Identifier search string to add the relevant CPUSE package from the Check Point Cloud. Once the package is added, its status will display as Available for Download.

To import a package, click the More button located on the toolbar of the Status and Actions page, and select Import Package. In the Import Package window, browse to the package file, and click Upload.

CPUSE Software Updates Policy

The WebUI offers different methods for downloading hotfixes via CPUSE:

• Manually — This is the default method. Downloads can also be manually deployed in Clish.
• Scheduled — The CPUSE agent can check for and download hotfixes at a specified time, such as daily, weekly, monthly, or on a selected date.
• Automatic — The CPUSE agent will check for updates every three hours and automatically download hotfixes as they become available.

The CPUSE agent can also send email notifications to administrators, which can inform them of update events, such as when new packages are available for download, and the success or failure of a package installation. To define the CPUSE update policy and configure email notifications, under the Upgrades (CPUSE) section, select Software Updates Policy.

Figure 5 — Software Updates Policy

Software update packages can be imported and installed offline if:

• the Gaia machine has no access to the Check Point Cloud,
• the desired CPUSE package is not available in the Check Point Cloud, or
• the administrator prefers to manually import the CPUSE package.

The Central Deployment Tool

System Administrators can automatically install CPUSE offline packages on multiple Security Gateways and cluster members at the same time using the Central Deployment Tool (CDT). The CDT is a utility that runs on Gaia operating system Security Management Servers and Multi-Domain Servers using software versions R77.30 and higher. The tool communicates with gateways and cluster members over SIC via TCP port 18209. Automatic installation on multiple managed gateways and cluster members is supported for the following package types:

• Upgrades to R77.30
• Minor version upgrades
• Hotfixes
• Jumbo Hotfixes (bundles) or HFAs

Prior to using the CDT, all Security Gateways and cluster members must be already installed and configured, with SIC established and Security Policies installed. There are also several file requirements that must be met before the utility can be run. This includes the CDT executable and configuration files as well as several optional shell script files. The latest build of the CPUSE agent is also required.

CDT uses CPUSE agents to perform package installation on remotely managed gateways and cluster members. The entire process is monitored and managed by the management server. To begin using the CDT, connect to the command line on the management server, log into Expert mode, and then access the directory that contains the CDT files.

NOTE: Do not use CDT for clean installs of a major version. Also, CDT does not support upgrades or installs of ClusterXL in Load Sharing mode.

For more detailed information regarding the CDT utility, refer to the Check Point Central Deployment Tool Administration Guide.

Lab 1.2 Applying Check Point Hotfixes
Lab 1.3 Configuring a New Security Gateway Cluster

CLI Commands

Check Point Gaia's powerful CLI commands and Clish shell are designed for users who prefer to interact with the system by executing commands or scripts. The most common operations are:

• add
• set
• show
• delete

CLI commands can be entered in two modes: Standard mode and Expert mode. Standard mode is the default Check Point shell (Clish) and provides commands for easy configuration and routine administration, such as cpstart and cpstop. However, most system commands are not supported. The prompt for Standard mode commands is:

[hostname] >

Expert mode allows advanced Check Point users access to the Gaia operating system and the underlying Linux functions of the system. To enter Expert mode, use the expert command in Clish. This command opens the Bash shell. The prompt for Expert mode is:

[Expert@hostname] #

An Expert mode user can run Linux commands such as ls, cd and pwd as they would on any Linux system to directly manipulate the Gaia operating system file system. Basic Check Point commands such as fw ver and cpconfig can also be run from the Expert mode CLI, similar to Gaia Clish. CLI-inclined users can also use CLI commands and tools in Expert mode to create automation scripts. These tools include:

• dbedit — creates and configures objects and rules in the database for the Security Policy.
• fwm load — installs the specified Security Policy on Security Gateways.
• send_command — runs functions which are not included with standard Check Point CLI commands and tools.

CLI commands and multiple shells are available for all Check Point Gaia-based operating systems, software blades and features. Several useful commands are noted in this section; however, many other commands are discussed in greater detail throughout this course.

Environment Commands

Use these commands to set the CLI environment for a user.
The syntax to set the client environment is:

set clienv <parameter> <value>

To save the client environment permanently:

save clienv

To acquire the configuration lock from another administrator:

lock database override

To set the inactivity timeout when working with the CLI:

set inactivity-timeout <value>

With this command, <value> is the timeout in minutes.

Parameter and description:

config-lock [on|off]
    Default value of the Clish configuration lock parameter. If set to on, Clish will lock the configuration and no configuration changes can be made in the WebUI.
debug [0-6]
    Debug level. Zero is the default level: do not debug, display error messages only. Level 6 will show handler invocation parameters and results.
echo-cmd [on|off]
    When set to on, echoes all commands before executing them. The default is off.
on-failure [continue|stop]
    When the system encounters an error, commands from a file or script will either continue to run or stop running. The default is stop.
output [pretty|structured|xml]
    Determines the command line output format. The default is pretty.
prompt <value>
    Command prompt string. Defines the appearance of the command prompt. Can consist of any printable characters and a combination of variables.
rows <integer>
    Number of rows to display in the terminal window.
syntax-check [on|off]
    When set to on, puts the shell into syntax-check mode. Commands are checked syntactically and are not executed, but values are validated. The default is off.

Table 3: Environment Command Parameters

System Configuration Commands

Gaia system configuration settings can be saved as a ready-to-run CLI script.
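A saved configuration script is useful for more than restoring a machine: because it is plain `set ...` lines, it can be reviewed offline before it is replayed elsewhere with load configuration. The following is an added example, not part of the manual and not Check Point code. It parses a constructed sample written in the format of the `show configuration` listing that follows and reports settings a reviewer would question. The review thresholds (an assumed minimum password length of 8 and a short list of well-known SNMP community strings) are this example's own choices; the MTU floor of 68 is the value the manual gives for Gaia interfaces.

```python
"""Audit a saved Gaia configuration script offline.

Added example, not Check Point code.  It parses the `set ...` lines that
`show configuration` prints and `save configuration` writes, and reports
settings worth reviewing before the script is replayed with `load configuration`.
"""
import shlex
from typing import List, Tuple

# Constructed sample in the format of a `show configuration` listing.
SAMPLE_CONFIG = """\
#
# Configuration of mem103
# Language version: 10.0v1
# Exported by admin on Mon Mar 19 15:06:22 2016
#
set hostname mem103
set timezone Europe / London
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls history-length 10
set password-controls password-expiration never
set ntp active off
set router-id 192.0.2.103
set ipv6-state off
set snmp agent on
set snmp agent-version any
set snmp community public read-only
set interface eth1 mtu 1500
set interface eth2 mtu 60
set message banner off msgvalue "This system is private and confidential"
"""

# Assumed review thresholds for this example (not Check Point defaults).
MIN_PASSWORD_LENGTH = 8
WEAK_SNMP_COMMUNITIES = {"public", "private"}
GAIA_MIN_MTU = 68          # smallest MTU Gaia accepts, per the manual


def parse_config(text: str) -> List[List[str]]:
    """Return each command as a token list; comment and blank lines are skipped."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps quoted values, such as the banner text, as one token.
        commands.append(shlex.split(line))
    return commands


def audit(commands: List[List[str]]) -> List[Tuple[str, str]]:
    """Return (setting, reason) pairs for every setting that deserves a second look."""
    findings = []
    for tokens in commands:
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        key, args = tokens[1], tokens[2:]
        if key == "password-controls" and args[0] == "min-password-length":
            if int(args[1]) < MIN_PASSWORD_LENGTH:
                findings.append(("password-controls min-password-length",
                                 f"{args[1]} is below the assumed baseline of {MIN_PASSWORD_LENGTH}"))
        elif key == "password-controls" and args[:2] == ["password-expiration", "never"]:
            findings.append(("password-controls password-expiration", "passwords never expire"))
        elif key == "ntp" and args[:2] == ["active", "off"]:
            findings.append(("ntp active", "NTP is off; log timestamps cannot be correlated reliably"))
        elif key == "snmp" and len(args) >= 2 and args[0] == "community" \
                and args[1].lower() in WEAK_SNMP_COMMUNITIES:
            findings.append(("snmp community", f"well-known community string '{args[1]}'"))
        elif key == "message" and args[:2] == ["banner", "off"]:
            findings.append(("message banner", "login banner is disabled"))
        elif key == "interface" and len(args) >= 3 and args[1] == "mtu" and int(args[2]) < GAIA_MIN_MTU:
            findings.append((f"interface {args[0]} mtu",
                             f"{args[2]} is below the Gaia minimum of {GAIA_MIN_MTU}"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{setting}: {reason}")
```

Run against the sample, the audit lists six findings: the short minimum password length, passwords that never expire, NTP switched off, the public SNMP community, the MTU of 60 on eth2, and the disabled login banner. Feed it the real output of show configuration from a machine of your own to apply the same checks.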
To save the system configuration to a CLI script:

save configuration <filename>

To restore configuration settings:

load configuration <filename>

To see the latest configuration settings:

show configuration

This example shows part of the configuration settings as last saved to a CLI script:

mem103> show configuration
#
# Configuration of mem103
# Language version: 10.0v1
# Exported by admin on Mon Mar 19 15:06:22 2016
#
set hostname mem103
set timezone Europe / London
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set ntp active off
set router-id §.6.6.103
set ipv6-state off
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable

System Management Commands

There are a multitude of system management tasks that can be performed and configured using the CLI, such as managing users, synchronizing system clocks, configuring SNMP, banner messages, core dumps, and more. Examples of several of these tasks are noted below.
To add a user account:

add user <username> uid 200 homedir <directory>

To modify user accounts:

set user <username>

To set a user password:

set user <username> password

To show the current system date and time:

show clock

The command displays the current system day, date, and time, for example:

Thu Aug 25 15:25:00 2016 CET

A banner message can be configured to show users when they log in. To set a banner message:

set message banner on msgvalue <value>

Example of a banner message:

set message banner on msgvalue "This system is private and confidential"

To enable SNMP:

set snmp agent on

To enable or disable core dumps:

set core-dump [enable|disable]

To enable or disable IPv6 support:

set ipv6-state [on|off]
show ipv6-state

Network Administration Commands

The syntax to configure physical interfaces is:

set interface <name>
    ipv4-address <ip> mask-length <mask> | subnet-mask <mask>
    ipv6-address <ip> mask-length <mask>
    ipv6-autoconfig [on|off]
    comments <text>
    mac-addr <mac>
    mtu <value>
    state [on|off]
    link-speed <value>
    auto-negotiation [on|off]

Parameter and description:

interface
    Configures a physical or virtual interface with an interface name.
ipv4-address / ipv6-address
    Assigns the IPv4 or IPv6 address.
ipv6-autoconfig [on|off]
    If on, automatically gets the IPv6 address from DHCP.
mask-length <mask>
    Configures the IPv4 or IPv6 subnet mask length using CIDR (/xx) notation.
subnet-mask
    Configures the IPv4 subnet mask using dotted decimal notation.
comments
    Adds free text comments to an interface definition.
mac-addr
    Configures the interface hardware MAC address.
mtu
    Configures the Maximum Transmission Unit (MTU) size for an interface with an integer greater than or equal to 68. The default is 1500.
state [on|off]
    Sets the interface status to enabled or disabled.
link-speed
    Configures the interface link speed in Mbps and duplex status values, such as 10M/half or 10M/full.
auto-negotiation [on|off]
    Configures automatic negotiation of interface link speed and duplex settings to enabled or disabled.

Table 4: Network Administration Command Parameters

Examples:
set interface eth1 ipv4-address 40.40.40.1 subnet-mask 255.255.255.0
set interface eth1 mtu 1500
set interface eth1 state on
set interface eth1 link-speed 1000M/full

To delete an interface setting:

delete interface eth1 ipv4-address

Gaia automatically identifies physical interfaces, such as NICs, installed on a computer. Therefore, they cannot be added or deleted using the WebUI or the CLI.

Gaia devices can also be configured to be a Dynamic Host Configuration Protocol (DHCP) server. DHCP servers allocate IP addresses and other network parameters to network hosts, thus eliminating the necessity of configuring each host manually. DHCP server subnets can be configured on the Gaia device interfaces to allocate network parameters, such as IPv4 addresses and DNS parameters, to hosts behind the Gaia interface. Use DHCP commands to configure the Gaia device as a DHCP server for network hosts.

To create DHCP server subnets:

add dhcp server subnet <subnet> netmask <value> include-ip-pool start <value> end <value>
add dhcp server subnet <subnet> netmask <value> exclude-ip-pool start <value> end <value>

To change the DHCP server subnet configuration:

set dhcp server subnet <subnet> <parameter> <value>

Parameter and description:

start, end
    The IPv4 address that starts or ends the allocated IP pool range.
include-ip-pool
    The range of IPv4 addresses to include in the IP pool. For example, 192.0.2.20-192.0.2.90.
exclude-ip-pool
    The range of IPv4 addresses to exclude from the IP pool.
enable, disable
    Enable or disable the DHCP server subnet, or the DHCP server process (depending on the context).
default-gateway
    The IPv4 address of the default gateway for the network hosts.
domain
    The domain name of the network hosts. For example, testdomain.com.
dns
    The Domain Name Service (DNS) servers that the network hosts will use to resolve host names. Optionally, specify a primary, secondary and tertiary server in the order of precedence.
all
    All DHCP server configuration settings.
subnet
    DHCP server subnet configuration settings.
subnet ip-pools status [enabled|disabled]
    The IP pools in the DHCP server subnet, and their status: enabled or disabled.
status [enabled|disabled]
    The status of the DHCP server process: enabled or disabled.

Table 5: DHCP Command Parameters

Gaia uses the Domain Name Service (DNS) to translate host names into IP addresses. To enable DNS lookups, the primary DNS server must be entered for your system. The system will consult the primary DNS server to resolve host names. A DNS suffix, which is a search for host-name lookup, can also be defined.

To configure the DNS server:

set dns primary <value>

To configure the DNS suffix:

set dns suffix <value>

The value parameter for both examples is an IPv4 or IPv6 address.

Additional CLI Commands

There are many more CLI commands available, such as commands which allow you to define static routes and configure system logging. To view a list of all possible CLI commands, log into Clish and press the Esc key on your keyboard twice. For operation-specific commands, press the Tab key twice.

Lab 1.4 Core CLI Elements of Firewall Administration

CPinfo

CPInfo is a Check Point utility that collects diagnostic data on a machine at the time of execution. The CPinfo output file allows Check Point's support engineers to analyze customer setups remotely. The support engineer opens the CPInfo file in demo mode, while viewing actual customer Security Policies and objects. This process allows for a more in-depth analysis of all of the customer's configuration options and environment settings. CPInfo collects the entire gateway installation directory, including $FWDIR/log/* files. Some of the other viewable information includes routing tables, system message logs, and the output of various commands, such as ifconfig and fw ctl pstat. CPInfo files are sent to Check Point Technical Support via email or FTP. To use CPInfo, make sure that the platform's current version of cpinfo is installed to extract the CPInfo file.
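Returning to the network administration commands above: the following added example, which is not Check Point code and not part of the manual, builds the set interface and add/set dhcp server subnet commands from a short description and validates the values before emitting them, so that an MTU below 68, a pool address outside the subnet, an exclude range that is not inside the include range, or a default gateway that the server would itself lease are caught before anything is pasted into Clish. The command forms follow the syntax given in this section; how several DNS servers are passed on one line is an assumption to be checked against the Gaia Administration Guide for your release.

```python
"""Build and validate Gaia Clish interface and DHCP server subnet commands.

Added example, not Check Point code.  Command forms follow the syntax in this
section; argument forms not shown there (how several DNS servers are passed)
are assumptions to be checked against the Gaia Administration Guide.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

GAIA_MIN_MTU = 68      # smallest MTU Gaia accepts, per the manual
MAX_DNS_SERVERS = 3    # primary, secondary and tertiary, per the manual


def interface_commands(name: str, ipv4: str, mask_length: int, mtu: int = 1500,
                       link_speed: Optional[str] = None) -> List[str]:
    """Return the `set interface` lines for one physical interface."""
    addr = ipaddress.IPv4Address(ipv4)           # raises ValueError on a malformed address
    if not 0 <= mask_length <= 32:
        raise ValueError(f"mask-length {mask_length} is outside 0-32")
    if mtu < GAIA_MIN_MTU:
        raise ValueError(f"mtu {mtu} is below the Gaia minimum of {GAIA_MIN_MTU}")
    commands = [
        f"set interface {name} ipv4-address {addr} mask-length {mask_length}",
        f"set interface {name} mtu {mtu}",
        f"set interface {name} state on",
    ]
    if link_speed:                               # e.g. "1000M/full"
        commands.append(f"set interface {name} link-speed {link_speed}")
    return commands


def dhcp_subnet_commands(network: str, include_pool: Tuple[str, str],
                         exclude_pool: Optional[Tuple[str, str]], default_gateway: str,
                         domain: str, dns: Sequence[str]) -> List[str]:
    """Return the commands that create, configure and enable one DHCP server subnet."""
    net = ipaddress.IPv4Network(network, strict=True)   # e.g. "192.0.2.0/24"

    def host_in_subnet(label: str, text: str) -> ipaddress.IPv4Address:
        a = ipaddress.IPv4Address(text)
        if a not in net or a in (net.network_address, net.broadcast_address):
            raise ValueError(f"{label} {a} is not a usable host address in {net}")
        return a

    inc_start, inc_end = (host_in_subnet("include-ip-pool", x) for x in include_pool)
    if inc_start > inc_end:
        raise ValueError("include-ip-pool start is after its end")

    exc: Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = None
    if exclude_pool:
        exc_start, exc_end = (host_in_subnet("exclude-ip-pool", x) for x in exclude_pool)
        if not inc_start <= exc_start <= exc_end <= inc_end:
            raise ValueError("exclude-ip-pool must lie inside the include-ip-pool")
        exc = (exc_start, exc_end)

    def leased(a: ipaddress.IPv4Address) -> bool:
        """True if the server would hand this address out to a client."""
        return inc_start <= a <= inc_end and not (exc and exc[0] <= a <= exc[1])

    gateway = host_in_subnet("default-gateway", default_gateway)
    if leased(gateway):
        raise ValueError(f"default-gateway {gateway} is inside the leased pool")

    if not 1 <= len(dns) <= MAX_DNS_SERVERS:
        raise ValueError(f"give between 1 and {MAX_DNS_SERVERS} DNS servers")
    servers = [str(ipaddress.IPv4Address(d)) for d in dns]   # DNS servers may sit outside the subnet

    subnet, mask = str(net.network_address), str(net.netmask)
    commands = [f"add dhcp server subnet {subnet} netmask {mask} "
                f"include-ip-pool start {inc_start} end {inc_end}"]
    if exc:
        commands.append(f"add dhcp server subnet {subnet} netmask {mask} "
                        f"exclude-ip-pool start {exc[0]} end {exc[1]}")
    commands += [
        f"set dhcp server subnet {subnet} default-gateway {gateway}",
        f"set dhcp server subnet {subnet} domain {domain}",
        # Assumption: primary, secondary and tertiary servers space-separated on one line.
        f"set dhcp server subnet {subnet} dns {' '.join(servers)}",
        f"set dhcp server subnet {subnet} enable",
        "set dhcp server enable",
    ]
    return commands


if __name__ == "__main__":
    for line in interface_commands("eth1", "40.40.40.1", 24, link_speed="1000M/full"):
        print(line)
    for line in dhcp_subnet_commands("192.0.2.0/24", ("192.0.2.20", "192.0.2.90"),
                                     ("192.0.2.50", "192.0.2.55"), "192.0.2.1",
                                     "testdomain.com", ["192.0.2.2", "192.0.2.3"]):
        print(line)
```

A gateway address that falls inside the include range but within the exclude range is accepted, because the server never leases it; one that falls in the leased part of the pool is rejected. Review the generated lines, then paste them into Clish and follow with save config so they survive a reboot.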
Run the cpinfo command with the relevant flags in Clish or in Expert mode:

• -f <file> — This flag uploads additional files to the Check Point server. It should be used in combination with -n and -4. If the file to be uploaded is not compressed, CPinfo will first compress it and then upload it.
• -o <filename> — This flag directs the output to a file and to the screen. It also specifies a filename.
• This flag instructs the utility to display all installed hotfixes.
• This flag is for non-interactive mode.
• This flag instructs the utility not to check for updates.
• This flag forces the update check. By default, the update check of the CPInfo utility is once a week.
• -u — This flag connects to the User Center with username and password.
• -e — Specifies a single email or multiple emails of people that should be notified about upload status. Multiple emails must be enclosed in double quotation marks and separated by semicolons. For example: "<email #1>;<email #2>"
• -s — Specifies the Service Request number opened with Check Point Support. For example, -s 26-123456785
• -t <timeout> — Specifies the timeout in seconds for the commands executed by the utility. This does not apply to collection of the CPInfo output file itself. The default timeout is 600 seconds (5 minutes).
• -h — This flag displays the built-in help.

Advanced Firewall

The Check Point Firewall Software Blade builds on the award-winning technology first offered in Check Point's Firewall solution and provides the industry's best cyber security. Check Point has demonstrated industry leadership and continued innovation since the introduction of Firewall-1 in 1994. Check Point Firewalls are trusted by 100% of the Fortune 100 companies.

Check Point Firewall Infrastructure

As a security expert considering the needs of your organization, in-depth knowledge of Security Gateways must be applied as you implement them beyond a simple distributed deployment.
To establish a framework for assessing gateway performance in a complex network topology, you must understand the infrastructure. You should recall from the CCSA that, fundamentally, Check Point security components are divided into the following components:

• GUI Client
• Security Management
• Security Gateway

GUI Client

GUI applications for object manipulation, log monitoring and SmartEvent are all unified into one console (SmartConsole). These GUI applications offer you the ability to configure, manage and monitor security solutions, perform maintenance tasks, generate reports and enforce corporate policy in real time.

Check Point periodically releases new executables that include updates for SmartConsole applications. These updates are not always related to or aligned with Security Gateway hotfixes and are considered a separate, unrelated release track.

Security Management

The management component is responsible for all management operations of the system. It contains several elements, such as the management server, reporting suite, etc. All of the functionality of the Management server is implemented in User-Mode processes, where each process is responsible for several operations.

Check Point Management (cpm) is the main management process. It provides the architecture for a unified security environment. CPM allows the GUI client and management server to communicate via web services using TCP port 19009. It empowers the migration from legacy client-side logic to server-side logic. The cpm process performs database tasks, such as creating, deleting, and modifying objects, and compiling policy. Processes controlled by CPM include:

• web_services — Transfers requests to the dle_server.
• dle_server — Contains all the logic of the server and validates information before it is written into the database.
• object_store — Translates and writes data to the database.

CPM saves all data in the Postgres SQL database and stores most of the data in Solr, a standalone search server powered by the Lucene Java search library. The Postgres SQL database contains objects, policies, users, administrators, licenses, and management data. The data is segmented into multiple database domains. Solr generates indexes of the data to be used for full text searching capabilities.

Figure 6 — CPM Architecture
