Notas CCSE Dia2

This document provides an overview of Check Point's security administration course. It begins with introductions to firewall concepts like packet filtering, stateful inspection, and application layer inspection. It then describes the Gaia operating system used by Check Point products, including the command line interface and WebUI. The document also outlines the course layout, prerequisites, labs, and related certification. It provides references for trademarks and copyrights.

Uploaded by fco159

SECURITY ADMINISTRATION

Student & Lab Manual
© 2019 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel. Tel: +972-3-753 4555

U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070. Tel: 650-628-2000

Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063. Tel: 972-444-6612

E-mail comments or questions about our courseware to: [email protected]
For questions or comments about other Check Point documentation, e-mail: [email protected]

Document #: DOC-Manual-CCSA-R80.20
Revision: R80.20 v1
Content: Vanessa Johnson, Matthew Frey
Graphics: Vanessa Johnson, Chunming Jia
Contributors (Beta Testing, Content Contribution, or Technical Review):
Michael Adjei - Wickhill - England
Chris Alblas - QA - England
Eric Anderson - Netanium - USA
Mario Angelastro - ITway - Italy
Eli Faskha - Soluciones Seguras - Panama
Michael Curtin - Red Education - Australia
Kishin Fatnani - K-Secure - India
Patrick Felsner - Arrow ECS - Austria
Omar Gonzalez - Soluciones Seguras - Panama
Tim Hall - Shadow Peak - USA
Mark Halsall - Check Point Software Technologies - USA
Eli Har-Even - Check Point Software Technologies - Israel
Anthony Joubaire - Arrow ECS - France
Yasushi Kono - Arrow ECS - Germany
Fabrizio Lamanna - Check Point Software Technologies - USA
Jani Linder - S&T - Slovenia
Valeri Loukine - Dimension Data - Switzerland
Dries Mertens - Westcon - Belgium
Piotr Misiowiec - CLICO - Poland
Richard Parkin - Arrow ECS - England
Jigarkumar Patel - Check Point Software Technologies - USA
Yaakov Simon - Check Point Software Technologies - Israel
Dan Valluvassery - Arrow ECS - England
Erik Wagemans - Proximus ICT Academy - Belgium
Kim Winfield - Check Point Software Technologies - USA
Special Thanks:
Glen Bayless - Check Point Software Technologies - USA
Mauro Feletti - ITway - Italy (Milan Event Host)
Jeremy Ford - Check Point Software Technologies - USA
Fabrizio Lamanna - Check Point Software Technologies - USA
Ashley McDowell - Arrow ECS-UK (London Event Host)
Certification Exam Development:
Jason Tugwell
Check Point Technical Publications Team:
Uri Lewitus, Aliza Holon, Daly Yam, Daniel Epstein, Eli Har-Even, Luba Tuchin, Paul Grigg, Rachel Teitz,
Ronit Segal, Sergei Shir
Table of Contents

Preface: Security Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14


Course Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Check Point CheckMates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Course Chapters and Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Lab Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Related Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 1: Introduction to Check Point Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18


Concept of a Firewall ................................................................................................................................... 19
Open Systems Interconnect Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Transmission Control Protocol/Internet Protocol Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Controlling Network Traffic ......................................................................................................................... 23
Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Stateful Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Application Layer Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Introduction to the Gaia Operating System .................................................................................................. 27
Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Obtaining a Configuration Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Lab 1.1: Working with Gaia Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43


Reviewing and Configuring Basic Settings in the Gaia Portal ..................................................................... 44
Defining Roles and Creating Check Point Users .......................................................................................... 51
Working in Expert Mode .............................................................................................................................. 63
Applying Useful Commands ........................................................................................................................ 66

4
Check Point Automation Specialist

Adding and Deleting Administrators via the CLI ........................................................................................ 71


Testing User Role Assignments ................................................................................................................... 73
END OF LAB 1.1 76

The Check Point Security Management Architecture .................................................................................. 77


SmartConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Security Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Network Communication ............................................................................................................................. 79
Secure Internal Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
The SmartConsole ........................................................................................................................................ 82
Navigation Pane Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Gateways & Servers Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Security Policies Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Logs & Monitor Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Manage & Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
SmartConsole Applications .......................................................................................................................... 87
SmartEvent (Advanced Events and Reports) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
SmartView Monitor (Tunnel & User Monitoring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
SmartUpdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
SmartDashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Lab 1.2: Installing and Touring SmartConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89


Installing SmartConsole ............................................................................................................................... 90
Touring SmartConsole ................................................................................................................................. 94
END OF LAB 1.2 104

Deployment Platforms ................................................................................................................................ 105


Check Point Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Open Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Deployment Considerations ....................................................................................................................... 108
Standalone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Distributed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Bridge Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Review Questions ....................................................................................................................................... 111

Chapter 2: Security Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112


Introduction to the Security Policy ............................................................................................................. 113
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Anti-Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
The Rule Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Global Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Publish Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Policy Packages .......................................................................................................................................... 127
Policy Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Unified Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Shared Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Additional Policy Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Install Policy ............................................................................................................................................... 134
Install a Policy Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Lab 2.1: Modifying an Existing Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136


Reviewing and Modifying Objects in the Check Point Security Management Architecture ..................... 137
Editing and Creating Rules for the Rule Base ............................................................................................ 151
Reviewing Existing Security Policy Settings ............................................................................................. 157
Organizing the Rule Base ........................................................................................................................... 160
Creating a New Host Object ....................................................................................................................... 162
Defining a New Rule .................................................................................................................................. 164
Publishing and Managing Revisions .......................................................................................................... 170
END OF LAB 2.1 175

HTTPS Inspection ...................................................................................................................................... 176


Enabling HTTPS Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Inspecting HTTPS Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Lab 2.2: HTTPS Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181


Verifying the HTTPS Server Certificate .................................................................................................... 182
Enabling and Testing HTTPS Inspection ................................................................................................... 188
Distributing the Certificate ......................................................................................................................... 202
Bypassing HTTPS Inspection .................................................................................................................... 211
END OF LAB 2.2 215

Network Address Translation ..................................................................................................................... 216


Hide NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Static NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
NAT - Global Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Lab 2.3: Configuring Hide and Static Network Address Translation . . . . . . . . . . . 226
Configuring Hide Network Address Translation ....................................................................................... 227
Configuring Static Network Address Translation ...................................................................................... 233

Testing Network Address Translation ........................................................................................................ 238


END OF LAB 2.3 239

Administration ............................................................................................................................................ 240


Permission Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Database Revisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Concurrent Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Lab 2.4: Managing Administrator Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249


Creating Administrators and Assigning Profiles ........................................................................................ 250
Configuring IPS .......................................................................................................................................... 267
Testing Profile Assignments ...................................................................................................................... 269
Managing Concurrent Administrator Sessions ........................................................................................... 278
Disconnecting an Administrator Session ................................................................................................... 285
Defining WiFi Access ................................................................................................................................ 288
END OF LAB 2.4 292

Managing Remote Gateways ...................................................................................................................... 293

Lab 2.5: Installing and Managing a Remote Security Gateway . . . . . . . . . . . . . . . . 294


Installing Gaia on a Remote Security Gateway .......................................................................................... 295
Configuring the Branch Office Security Gateway with the First Time Configuration Wizard ................. 303
Using the Gaia Portal to Configure the Branch Office Security Gateway ................................................. 314
Configuring the Alpha Security Policy to Manage the Remote Security Gateway ................................... 320
Creating a New Security Policy ................................................................................................................. 335
END OF LAB 2.5 350

Backups ...................................................................................................................................................... 351


Performing Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Lab 2.6: Managing Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357


Scheduling a Security Management System Backup ................................................................................. 358
Managing Scheduled Security Gateway Backups ...................................................................................... 361
Performing Backup via CLI ....................................................................................................................... 363
END OF LAB 2.6 365

Review Questions ....................................................................................................................................... 366

Chapter 3: Policy Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367


Policy Layer Concept ................................................................................................................................. 368
Policy Layers and Sub-Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Managing Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Lab 3.1: Defining Access Control Policy Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376


Assigning Layers to an Existing Security Policy ....................................................................................... 377

Confirming the Installation Target Gateway .............................................................................................. 382


END OF LAB 3.1 383

Access Control Policy Layers .................................................................................................................... 384


Network Policy Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Application Control Policy Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Creating an Application Control Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Content Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Creating a Content Awareness Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Lab 3.2: Implementing Application Control and URL Filtering . . . . . . . . . . . . . . . 392


Configuring the Application Control & URL Filtering Rule Base ............................................................ 393
Creating a Rule to Block an Application .................................................................................................... 397
Reviewing Dropped Traffic ........................................................................................................................ 402
END OF LAB 3.2 404

Threat Prevention Policy Layers ................................................................................................................ 405


Layers and Policy Packages ....................................................................................................................... 408

Lab 3.3: Defining and Sharing Security Policy Layers . . . . . . . . . . . . . . . . . . . . . . . 412


Adding an Ordered Policy Layer ................................................................................................................ 413
Configuring the Content Awareness Policy Layer ..................................................................................... 417
Sharing a Policy Layer ............................................................................................................................... 419
Testing the Content Awareness Layer ........................................................................................................ 423
Configuring an Inline Layer ....................................................................................................................... 427
END OF LAB 3.3 433

Review Questions ....................................................................................................................................... 434

Chapter 4: Check Point Security Solutions and Licensing . . . . . . . . . . . . . . . . . . . . . . . . . 435


Check Point Software Blade Architecture .................................................................................................. 436
Security Gateway Software Blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Advanced Threat Prevention Software Blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Management Software Blades for Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Management Software Blades for Monitoring Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Management Software Blades for Operations and Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Endpoint Software Blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Software Blade Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Licensing Overview ................................................................................................................................... 445
Components of a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Perpetual versus Subscription Blade Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Central and Local Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
License Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Hardware Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449


SmartUpdate ............................................................................................................................................... 451
SmartUpdate Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Using SmartUpdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Package Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Managing Licenses ..................................................................................................................................... 455
Add and Install Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Attaching and Detaching Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
New Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
View License Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Export a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
License Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
License Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Service Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

Lab 4.1: Activating the Compliance Software Blade . . . . . . . . . . . . . . . . . . . . . . . . . 467


Activating the Compliance Software Blade ............................................................................................... 468
END OF LAB 4.1 469

Lab 4.2: Working with Licenses and Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470


Verifying the Status of Existing Licenses in SmartConsole ...................................................................... 471
Importing Licenses ..................................................................................................................................... 476
Attaching Licenses ..................................................................................................................................... 480
Verifying the Status of Existing Licenses in the Gaia Portal ..................................................................... 484
END OF LAB 4.2 485

Review Questions ....................................................................................................................................... 486

Chapter 5: Traffic Visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487


Analyzing Logs .......................................................................................................................................... 488
Collecting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Deploy Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
SmartConsole Logs View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Tracking Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Examining Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Pre-defined Log Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Query Language Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

Lab 5.1: Working with Check Point Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501


Viewing Logs and Log Search Results ...................................................................................................... 502
END OF LAB 5.1 507

9
Check Point Automation Specialist

Monitoring Traffic and Connections .......................................................................................................... 508


SmartView Monitor and SmartConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Monitoring and Handling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Monitoring Suspicious Activity Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Monitoring Gateway Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Users View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
System Counters View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Tunnels View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Cooperative Enforcement View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Traffic View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

Lab 5.2: Maintaining Check Point Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520


Scheduling Log Maintenance ..................................................................................................................... 521
END OF LAB 5.2 526

Review Questions ....................................................................................................................................... 527

Chapter 6: Basic Concepts of VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528


Introduction to VPN ................................................................................................................................... 529
IPSec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
VPN Deployments ...................................................................................................................................... 533
Site-to-Site VPN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Remote Access VPN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
VPN Communities ..................................................................................................................................... 537
Meshed VPN Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Star VPN Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Combination VPN Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Remote Access VPN Community Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Access Control for VPN Connections ........................................................................................................ 542
Allow All Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Allow All Site-to-Site VPN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Allow Specific VPN Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Site-to-Site Communities - Allow All Encrypted Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Tunnel Management and Monitoring ......................................................................................................... 545
Permanent VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Tunnel Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Monitoring VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546


Lab 6.1: Configuring a Site-to-Site VPN Between Alpha and Bravo . . . . . . . . . . . . 548
Defining the VPN Domain ......................................................................................................................... 549
Creating the VPN Community ................................................................................................................... 553
Creating the VPN Rule and Modifying the Rule Base ............................................................................... 557
Testing the VPN ......................................................................................................................................... 564
END OF LAB 6.1 569

Review Questions ....................................................................................................................................... 570

Chapter 7: Managing User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571


Overview of User Management Components ............................................................................................ 572
User Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Identity Awareness ..................................................................................................................................... 574
Active Directory (AD) Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Browser-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Terminal Server Identity Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Endpoint Identity Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
How to Choose an Identity Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Managing Users .......................................................................................................................................... 587
SmartConsole and User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
LDAP and User Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Authenticating Users .................................................................................................................................. 593
Authentication Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Managing User Access ............................................................................................................................... 595
Access Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Rule Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Captive Portal for Guest Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

Lab 7.1: Providing User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597


Configuring the Security Policy for Identity Awareness ........................................................................... 598
Defining the User Access Role .................................................................................................................. 604
Testing Identity Awareness Connection ..................................................................................................... 612
Controlling Tablet Access Through Captive Portal (Optional) .................................................................. 614
END OF LAB 7.1 623

Review Questions ....................................................................................................................................... 624

Chapter 8: Working with ClusterXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625


Overview of ClusterXL .............................................................................................................................. 626
ClusterXL Deployments ............................................................................................................................. 629


High Availability Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629


Failovers ..................................................................................................................................................... 633
Performing a Manual Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Synchronizing Cluster Connections ........................................................................................................... 634
Securing the Sync Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Clock Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Monitoring a Cluster .................................................................................................................................. 635
SmartView Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Lab 8.1: Working with ClusterXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637


Reviewing High Availability Settings ........................................................................................................ 638
Configuring FTP Access ............................................................................................................................ 641
Testing High Availability ........................................................................................................................... 642
END OF LAB 8.1 646

Review Questions ....................................................................................................................................... 647

Chapter 9: Administrator Task Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648


Compliance Software Blade ....................................................................................................................... 649
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Best Practice Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Continuous Compliance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Corrective Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

Lab 9.1: Verifying Network Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657


Identifying Inactive Objects ....................................................................................................................... 658
Reviewing a Compliance Scan Report ....................................................................................................... 660
END OF LAB 9.1 666

CPView ...................................................................................................................................................... 667


User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Using CPView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670

Lab 9.2: Working with CPView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678


Reviewing Statistics in CPView ................................................................................................................. 679
Changing the Refresh Rate of CPView ...................................................................................................... 685
Viewing Historical Data in CPView .......................................................................................................... 687
Saving Statistics to a File ........................................................................................................................... 689
END OF LAB 9.2 691

Review Questions ....................................................................................................................................... 692


Appendix A: Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693


Chapter 1: Introduction to Check Point Technology .................................................................................. 694
Chapter 2: Security Policy Management .................................................................................................... 695
Chapter 3: Policy Layers ............................................................................................................................ 696
Chapter 4: Check Point Security Solutions and Licensing ......................................................................... 697
Chapter 5: Traffic Visibility ....................................................................................................................... 698
Chapter 6: Basic Concepts of VPN ............................................................................................................ 699
Chapter 7: Managing User Access ............................................................................................................. 700
Chapter 8: Working with ClusterXL .......................................................................................................... 701
Chapter 9: Administrator Task Implementation ......................................................................................... 702

Preface

Welcome to the Security Administration course. This course provides an understanding of
basic concepts and skills necessary to configure Check Point Security Gateway and
Management Software Blades. During this course, you will configure a Security Policy
and learn about managing and monitoring a secure network. In addition, you will upgrade
and configure a Security Gateway to implement a Virtual Private Network (VPN) for both
internal and external remote users.

Preface Outline
Course Layout
Prerequisites
Certificate title
Course Chapters and Learning Objectives
Lab Topology
Related Certification


Course Layout
This course is designed for Security Administrators, Check Point resellers, and those who are
working towards their Check Point Certified Cyber Security Administrator (CCSA)
certification. The following professionals benefit best from this course:

System Administrators
Support Analysts
Network Engineers

Prerequisites
Before taking this course, we strongly suggest you have the following knowledge base:

General knowledge of TCP/IP


Working knowledge of Windows and/or UNIX
Working knowledge of network technology
Working knowledge of the Internet

Check Point CheckMates
CheckMates is a community of people passionate about cyber security.

It is an interactive platform with a large crowd of users where they can discuss various topics,
talk about challenges they face, develop and share API tools and scripts, discuss benefits of
products and solutions, exchange ideas, ask questions related to all Check Point products and
services, and interconnect through local CheckMates Live (local user group) events.

To boost your professional career with Check Point, become a member of the CheckMates
community and share your thoughts and experiences, follow technology trends, learn about the
most recent products and features, and participate in your local CheckMates community. Use
your UserCenter account to sign in and get started: https://community.checkpoint.com/

Course Chapters and Learning Objectives

Chapter 1: Introduction to Check Point Technology


Interpret the concept of a Firewall and understand the mechanisms used for controlling
network traffic.
Describe the key elements of Check Point's unified Security Management Architecture.
Recognize SmartConsole features, functions, and tools.
Understand Check Point deployment options.
Describe the basic functions of the Gaia operating system.


Chapter 2: Security Policy Management


Describe the essential elements of a Security Policy.
Understand how traffic inspection takes place in a unified Security Policy.
Summarize how administration roles and permissions assist in managing policy.
Recall how to implement Check Point backup techniques.

Chapter 3: Policy Layers


Understand the Check Point policy layer concept.
Recognize how policy layers affect traffic inspection.

Chapter 4: Check Point Security Solutions and Licensing


Recognize Check Point security solutions and products and how they work to protect
your network.
Understand licensing and contract requirements for Check Point security products.

Chapter 5: Traffic Visibility


Identify tools designed to monitor data, determine threats, and recognize opportunities
for performance improvements.
Identify tools designed to respond quickly and efficiently to changes in gateways,
tunnels, remote users, traffic flow patterns, and other security activities.

Chapter 6: Basic Concepts of VPN


Understand Site-to-Site and Remote Access VPN deployments and communities.
Understand how to analyze and interpret VPN tunnel traffic.

Chapter 7: Managing User Access


Recognize how to define users and user groups.
Understand how to manage user access for internal and external users.

Chapter 8: Working with ClusterXL


Understand the basic concepts of ClusterXL technology and its advantages.

Chapter 9: Administrator Task Implementation


Understand how to perform periodic administrator tasks as specified in administrator
job descriptions.

Lab Topology
Most lab exercises will require you to manipulate machines in your network and other labs will
require interaction with the instructor's machines.

Figure 1 - CCSA Lab Topology

Related Certification
The current Check Point Certified Cyber Security Administrator (CCSA) certification is
designed for partners and customers seeking to validate their knowledge of Check Point's
Software Blade products.

Chapter 1: Introduction to Check Point Technology

Check Point technology addresses network deployments and security threats while
providing administrative flexibility and accessibility. To accomplish this, Check Point
uses a unified Security Management Architecture and the Check Point Firewall. These
Check Point features are further enhanced with the SmartConsole interface and the Gaia
operating system. The following chapter provides a basic understanding of these features
and enhancements.

Learning Objectives
Interpret the concept of a Firewall and understand the mechanisms used for controlling network
traffic.
Describe the key elements of Check Point's unified Security Management Architecture.
Recognize SmartConsole features, functions, and tools.
Understand Check Point deployment options.
Describe the basic functions of the Gaia operating system.


Concept of a Firewall
Firewalls are the core of a strong network Security Policy. They control the traffic between
internal and external networks. Firewalls can be hardware, software, or a combination of both
and are configured to meet an organization's security needs. When connecting to the Internet,
protecting the network against intrusion is of critical importance. The most effective way to
secure the Internet link is to put a Firewall system between the local network and the Internet.
The Firewall ensures that all communication between an organization's network and the
Internet conforms to the organization's Security Policy.

Open Systems Interconnect Model
To understand the concept of a basic Firewall, it is beneficial to examine the aspects of the
Open Systems Interconnect (OSI) Model. The OSI Model demonstrates network
communication between computer systems and network devices, such as Security Gateways. It
governs how network hardware and software work together and illustrates how different
protocols fit together. It can be used as a guide for implementing network standards.

The OSI Model is comprised of seven layers. The bottom four layers govern the establishment
of a connection and how the packet will be transmitted. The top three layers of the model
determine how end user applications communicate and work. The Check Point Firewall kernel
module inspects packets between the Data Link and Network layers. Depending on the traffic
flow and service, inspection may transcend multiple layers.

Figure 2 - OSI Model


The OSI Model layers are described as follows:

Layer 1 - Represents the physical communication links or media and the hardware they
require, such as Ethernet cards, DSL modems, cables, and hubs.
Layer 2 - Represents where network traffic is delivered to the Local Area Networks
(LAN); this is where identification of a single specific machine takes place. Media
Access Control (MAC) addresses are assigned to network interfaces by the
manufacturers. An Ethernet address belonging to an Ethernet card is a layer 2 MAC
address. An example of a physical device performing in this layer would be a switch.
Layer 3 - Represents where delivery of network traffic on the Internet takes place;
addressing in this layer is referred to as Internet Protocol (IP) addressing and creates
unique addresses, except when NAT is employed. NAT makes it possible to address
multiple physical systems by a single layer 3 IP address. An example of a physical
device performing in this layer would be a router.
Layer 4 - Represents where specific network applications and communication
sessions are identified; multiple layer 4 sessions may occur simultaneously on any
given system with other systems on the same network. Layer 4 is responsible for flow
control of data transferring between end systems. This layer introduces the concept of
ports, or endpoints.
Layer 5 - Represents where connections between applications are established,
maintained, and terminated. This layer sets up the communication through the network.
The Session layer allows devices to establish and manage sessions. A session is the
persistent logical linking of two software application processes.
Layer 6 - Represents where data is converted into a standard format that the other
layers can understand. This layer formats and encrypts data to be sent across the
network. The Presentation layer is responsible for presenting the data. It defines the
format for data conversion. Encoding and decoding capabilities allow for
communication between dissimilar systems.
Layer 7 - Represents end user applications and systems. Application protocols are
defined at this level and are used to implement specific user applications and other
high-level functions. Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer
Protocol (SMTP) are examples of application protocols. It is important to understand
that usually, the Application layer is a part of the operating system and not necessarily a
part of the application in use.

NOTE
Distinctions among layers 5, 6, and 7 are not always clear. Some models
combine these layers.


The more layers a Firewall is capable of covering, the more thorough and effective the
Firewall. Advanced applications and protocols can be accommodated more efficiently with
additional layer coverage. In addition, advanced Firewalls, such as Check Point's Security
Gateways, can provide services that are specifically oriented to the user, such as authentication
techniques and logging events of specific users.

Transmission Control Protocol/Internet Protocol Model

The Transmission Control Protocol/Internet Protocol (TCP/IP) Model is a suite of protocols
which work together to connect hosts and networks to the Internet. Whereas the OSI Model
conceptualizes and standardizes how networks should work, TCP/IP actually serves as the
industry-standard networking method that a computer uses to access the Internet. TCP/IP
protocols support communications between any two different systems in the form of a client-
server architecture. The model name is based on its two most dominant protocols but the suite
consists of many additional protocols and a host of applications. Each protocol resides in a
different layer of the TCP/IP Model.

The TCP/IP Model consists of four core layers that are responsible for its overall operation:
Network Interface layer, Internet layer, Transport layer and Application layer. Each layer
corresponds to one or more layers of the OSI Model. These core layers support many protocols
and applications.

Figure 3 - TCP/IP Model


The TCP/IP Model layers are described as follows:

Network Interface layer - Corresponds to the Physical and Data Link layers of the
OSI Model. It deals with all aspects of the physical components of network
connectivity, connects with different network types, and is independent of any specific
network media.
Internet layer - Manages the routing of data between networks. The main protocol of
this layer is IP, which handles IP addressing, routing, and packaging functions. IP
tells the packet where to go and how to get there. The packets are transported as
datagrams, which allow the data to travel along different routes to reach its destination.
Each destination has a unique IP address assigned. The Internet layer corresponds to the
Network layer of the OSI Model.
Transport layer - Manages the flow of data between two hosts to ensure that the
packets are correctly assembled and delivered to the targeted application. Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP) are the core protocols of
the Transport layer. TCP ensures a reliable transmission of data across connected
networks by acknowledging received packets and verifying that data is not lost during
transmission. UDP also manages the flow of data; however, its data verification is not as
reliable as that of TCP. The Transport layer corresponds to the Transport layer of the OSI
Model.
Application layer - Encompasses the responsibilities of the Session, Presentation,
and Application layers of the OSI Model. It defines the protocols that are used to
exchange data between networks and how host programs interact with the Transport
layer. The Application layer allows the end user to access the targeted network
application or service.
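The layer descriptions above are easiest to see on a real frame. The following added example (not course or Check Point code) constructs a sample Ethernet II / IPv4 / TCP frame with made-up addresses and ports, then decodes it header by header: the Layer 2 fields of the Network Interface layer, the Layer 3 fields of the Internet layer, the Layer 4 fields of the Transport layer, and finally the payload that belongs to the Application layer. The `five_tuple` helper shows which of those fields a packet filter operating at Layers 3 and 4 actually consults. Checksums are left at zero because the frame is only decoded locally.

```python
"""Decode a constructed Ethernet/IPv4/TCP frame one layer at a time.

Added example for the TCP/IP and OSI layer discussion; all addresses, MACs
and ports are constructed sample values, not taken from any real network.
"""
import struct
import ipaddress
from dataclasses import dataclass


@dataclass
class Decoded:
    # Layer 2 (OSI Data Link; TCP/IP Network Interface layer)
    dst_mac: str
    src_mac: str
    ethertype: int
    # Layer 3 (OSI Network; TCP/IP Internet layer)
    src_ip: str
    dst_ip: str
    ip_protocol: int
    ttl: int
    # Layer 4 (Transport layer)
    src_port: int
    dst_port: int
    tcp_flags: int
    # Layers 5-7 (TCP/IP Application layer): opaque bytes to a packet filter
    payload: bytes


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                tcp_flags: int, payload: bytes = b"") -> bytes:
    """Construct a sample frame from the inside out (Layer 4, then 3, then 2).
    Checksums stay zero: the frame is decoded locally, never transmitted."""
    tcp_hdr = struct.pack("!HHIIHHHH",
                          sport, dport,
                          0, 0,                    # sequence / acknowledgement numbers
                          (5 << 12) | tcp_flags,   # data offset = 5 words, then flags
                          65535, 0, 0)             # window, checksum, urgent pointer
    tcp = tcp_hdr + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0,                  # version 4, IHL 5; DSCP/ECN
                         20 + len(tcp),            # total length
                         1, 0x4000,                # identification; DF flag set
                         64, 6, 0,                 # TTL, protocol 6 = TCP, checksum
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    eth_hdr = struct.pack("!6s6sH",
                          bytes.fromhex("001122334455"),   # constructed destination MAC
                          bytes.fromhex("66778899aabb"),   # constructed source MAC
                          0x0800)                          # EtherType: IPv4
    return eth_hdr + ip_hdr + tcp


def decode_frame(frame: bytes) -> Decoded:
    """Peel the frame layer by layer, as a kernel-level inspection module would."""
    # Layer 2: Ethernet II header is a fixed 14 bytes
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    # Layer 3: IPv4 header; its length comes from the IHL field
    ip = frame[14:]
    (ver_ihl, _dscp, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    # Layer 4: TCP header; its length comes from the data offset field
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    return Decoded(
        ":".join(f"{b:02x}" for b in dst_mac),
        ":".join(f"{b:02x}" for b in src_mac),
        ethertype,
        str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
        proto, ttl,
        sport, dport, flags,
        tcp[data_off:],
    )


def five_tuple(d: Decoded):
    """The Layer 3/4 fields a packet filter matches; MACs and payload are not consulted."""
    return (d.src_ip, d.dst_ip, d.src_port, d.dst_port, d.ip_protocol)


def demo() -> Decoded:
    # Constructed sample: an internal host opens an HTTP connection (SYN flag = 0x02)
    frame = build_frame("10.1.1.5", "203.0.113.10", 40000, 80,
                        tcp_flags=0x02, payload=b"GET / HTTP/1.1\r\n")
    return decode_frame(frame)


if __name__ == "__main__":
    decoded = demo()
    print(decoded)
    print("5-tuple seen by a packet filter:", five_tuple(decoded))
```

Note how the 5-tuple is assembled entirely from the Layer 3 and Layer 4 headers: the Layer 2 MAC addresses are used to deliver the frame on the local segment and the payload belongs to the Application layer, so neither plays a part in a Network/Transport-layer filtering decision.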


Controlling Network Traffic


Managing Firewalls and monitoring network traffic is the key role of a network Security
Administrator. Effectively controlling network traffic helps to improve overall network
performance and organizational security. The Firewall, or the Security Gateway with a
Firewall enabled, will deny or permit traffic based on rules defined in the Security Policy. The
following technologies are used to deny or permit network traffic:

Packet Filtering
Stateful Inspection
Application Layer Firewall

Packet Filtering
Packet Filtering is the process by which traffic is broken down into packets. Basically,
messages are broken down into packets that include the following elements:

Source address
Destination address
Source port
Destination port
Protocol

Figure 4: Packet Filtering

Packet Filtering is the most basic form of a Firewall. Its primary purpose is to control access to
specific network segments as directed by a preconfigured set of rules, or Rule Base, which
defines the traffic permitted access. Packet Filtering usually functions in the Network and
Transport layers of the network architecture. Packets are individually transmitted to their
destination through various routes. Once the packets have reached their destination, they are
recompiled into the original message.

Stateful Inspection
Stateful Inspection analyzes a packet's source and destination addresses, source and
destination ports, protocol, and content. With Stateful Inspection, the state of the connection is
monitored and state tables are created to compile the information. State tables hold useful
information in regards to monitoring performance through a Security Gateway. As a result,
filtering includes content that has been established by previous packets passed through the
Firewall. For example, Stateful Inspection provides a security measure against port scanning
by closing all ports until the specific port is requested.

Figure 5: Stateful Inspection

Check Point's INSPECT Engine, which is installed on a Security Gateway, is used to extract
state related information from the packets and store that information in state tables. State tables
are key components of the Stateful Inspection technology because they are vital in maintaining
state information needed to correctly inspect packets. When new packets arrive, their contents
are compared to the state tables to determine whether they are denied or permitted.

NOTE
Stateful Inspection technology was developed and patented by Check
Point. State tables are covered in more detail in the CCSE course.

Stateful Inspection versus Packet Filtering


Stateful Inspection differs from Packet Filtering in that it deeply examines a packet not only in
its header, but also the content of the packet up through the Application layer to determine
more about the packet than just information about its source and destination. In addition,
Packet Filtering requires creating two rules for each user or computer that needs to access
resources. For example, if a computer with IP address 10.1.1.201 needs to access 8.8.8.8 on the
Internet for DNS, an outgoing request rule is needed for connecting to the server on the
Internet and a second rule is required for the incoming reply for the same connection. The
creation of Stateful Inspection eliminated the need for two rules. The Firewall remembers each
reply for an existing request using the state tables. Therefore only one rule is required for each
connection.
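The rule-count difference above, shown in code. This is an added example written for this page (a simplified model, not Check Point's INSPECT engine): it replays the 10.1.1.201 to 8.8.8.8 DNS scenario against a stateless packet filter with one and two rules, and against a stateful firewall with a single rule; the packets, rules and port numbers are constructed.

```python
"""Packet Filtering versus Stateful Inspection, as an added example.

A packet filter judges every packet on its own, so it needs an outbound rule
plus an inbound rule for the reply, and that inbound rule also admits packets
nobody asked for. A stateful firewall records the accepted outbound connection
in a state table and matches the reply against it, so one rule is enough and
unsolicited inbound packets are still dropped.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "udp" or "tcp"


@dataclass(frozen=True)
class Rule:
    src: str              # address or "any"
    dst: str              # address or "any"
    dport: Optional[int]  # None matches any destination port
    proto: str
    action: str           # "accept" or "drop"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.proto == pkt.proto
            and rule.dport in (None, pkt.dport))


def packet_filter(rules: List[Rule], pkt: Packet) -> str:
    """Stateless: first matching rule wins, implicit drop otherwise."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


class StatefulFirewall:
    """Keeps a state table of accepted connections keyed by 5-tuple."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state_table = set()

    def inspect(self, pkt: Packet) -> str:
        # Is this the reply to a connection already in the state table?
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.state_table:
            return "accept"
        # Otherwise it is a new connection: consult the Rule Base.
        action = packet_filter(self.rules, pkt)
        if action == "accept":
            self.state_table.add((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto))
        return action


# Constructed traffic for the scenario in the text.
QUERY = Packet("10.1.1.201", "8.8.8.8", 40321, 53, "udp")
REPLY = Packet("8.8.8.8", "10.1.1.201", 53, 40321, "udp")
UNSOLICITED = Packet("8.8.8.8", "10.1.1.201", 53, 5000, "udp")  # no request preceded it
TRAFFIC = (QUERY, REPLY, UNSOLICITED)

OUTBOUND_DNS = Rule("10.1.1.201", "8.8.8.8", 53, "udp", "accept")
# The stateless filter needs this second rule to let the reply back in; the
# query's source port is ephemeral, so the rule cannot pin the reply's
# destination port and therefore admits any UDP packet from 8.8.8.8.
INBOUND_FROM_DNS = Rule("8.8.8.8", "10.1.1.201", None, "udp", "accept")


def stateless_one_rule() -> List[str]:
    return [packet_filter([OUTBOUND_DNS], p) for p in TRAFFIC]


def stateless_two_rules() -> List[str]:
    return [packet_filter([OUTBOUND_DNS, INBOUND_FROM_DNS], p) for p in TRAFFIC]


def stateful_one_rule() -> List[str]:
    fw = StatefulFirewall([OUTBOUND_DNS])
    return [fw.inspect(p) for p in TRAFFIC]
```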

Application Layer Firewall
Many attacks are aimed at exploiting a network through network applications, rather than
directly targeting the Firewall. Application Layer Firewalls operate at the Application layer of
the TCP/IP protocol stack to detect and prevent attacks against specific applications and
services. They provide granular level filtering, Antivirus scanning, and access control for
network applications, such as email, FTP, and HTTP. These Firewalls may have proxy servers
or specialized application software added.

Application Layer Firewalls inspect traffic through the lower layers of the TCP/IP model and
up to and including the Application layer. They are usually implemented through software
running on a host or stand-alone network hardware and are used in conjunction with Packet
Filtering. Since Application Layer Firewalls are application-aware, they can look into
individual sessions and decide to drop a packet based on information in the application
protocol. The Firewalls deeply inspect traffic content and apply allow or block access rules per
session or connection instead of filtering connections per port like Packet Filtering. Packets are
inspected to ensure the validity of the content and to prevent embedded exploits. For example,
an Application Layer Firewall may block access to certain website content or software
containing viruses. The extent of filtering is based on the rules defined in the network Security
Policy. Application Layer Firewalls are often referred to as Next-Generation Firewalls because
they include the traditional functions of Packet Filtering and Stateful Inspection.

Figure 6: Protocol Examples

Introduction to the Gaia Operating System


Gaia is Check Point's operating system for all Check Point appliances and open servers. It
supports the full portfolio of Check Point Software Blade, gateway, and Security Management
products. It also supports:

IPv4 and IPv6 network protocols.
High connection and virtual systems capacity (64 bits).
Load Sharing.
High Availability.
Dynamic and Multicast routing.

Gaia can be configured via the Command Line Interface (CLI) or WebUI. For CLI-inclined
users, a shell-emulator pop-up window makes Gaia CLI more intuitive to use. The intuitive
WebUI delivers a seamless user experience for Security Administrators by integrating all
management functions into a Web-based dashboard accessible via most popular Web browsers.
The built-in search navigation delivers instant results on commands and properties.

Command Line Interface
Gaia utilizes an easy-to-use Command Line Interface (CLI) for the execution of various
commands that are structured using the same syntactic rules. CLI can be used via SSH or a
web browser. An enhanced help system and auto-completion further simplify user operation.
The default shell of the CLI is called Clish. Clish is a restrictive shell and does not provide
access to advanced system and Linux functions. Expert mode allows advanced system and
Linux function access to the system, including the file system. To use the expert shell, run the
expert command. A password for expert mode must be set prior to running the shell. To exit
the expert shell and return to Clish, run the exit command.

Figure 7: Clish and Expert Shells

Commands and Features


Gaia commands are organized into groups of related commands called features. Commands
have the following syntax:

operation feature parameter

Operation   Description
set         Set a value in the system.
show        Show a value or values from the system.
delete      Delete a value from the system.
add         Add a value to the system.
save        Save the configuration changes made since the last save operation.
reboot      Restart the system.
halt        Turn the computer off.
quit        Exit the CLI.
exit        Exit the shell.
start       Start a transaction. Put the CLI into transaction mode. All changes
            made using commands in transaction mode are applied at once or none
            of the changes are applied, based on the way transaction mode is
            terminated.
commit      End a transaction by committing changes.
expert      Enter the expert shell.
ver         Show the version of the active Gaia image.
help        Retrieve help on navigating the CLI and some useful commands.
Table 1: CLI Operations and Descriptions

To view all commands that the user has permissions to run:

show commands

To view a list of all features:

show commands feature <TAB>

To show all commands for a specific feature:

show commands feature VALUE

To show all possible operations:

show commands op <SPACE> <TAB>

To show all commands per operation, per feature:

show commands [op VALUE] [feature VALUE]

To show how long the system has been running:

show uptime

To show the full system version information:

show version all

To show version information for operating system components:

show version os build
show version os edition
show version os kernel

To show the name of the installed product:

show version product

Parameter    Description
all          Show all system information.
os build     Display the Gaia build number.
os edition   Display the Gaia edition (32-bit or 64-bit).
os kernel    Display the Gaia kernel build number.
product      Display the Gaia version.
Table 2: System Information Parameters and Descriptions

Command Completion
In order to save time, Gaia offers the ability to automatically complete a command using a few
keyboard buttons.

Keyboard Button     Description
TAB                 Complete or fetch the keyword.
SPACE + TAB         Show the arguments that the command for that feature accepts.
ESC ESC             Display possible command completion options.
?                   Retrieve help on a feature or keyword.
Up/Down arrows      Browse the command history.
Left/Right arrows   Edit the command.
Enter               Run a command string. The cursor does not have to be at the end of
                    the line.
Table 3: Keyboard Buttons and Descriptions

User-Defined and Extended Commands


User-defined and extended commands are managed in Clish. Role-based administration can be
used with extended commands by assigning those commands to roles and then assigning those
roles to users or user groups.

Parameter     Description
command       Name of the extended command.
path          Path of the extended command.
description   Description of the extended command.
Table 4: Extended Command Parameters and Descriptions

To show all extended commands:

show extended commands

To show the path and description of a specified extended command:

show command VALUE

To add an extended command:

add command VALUE path VALUE description VALUE

To delete an extended command:

delete command VALUE

Commonly Used Commands


As an administrator, there are additional commands that you may frequently use in your role.
Many of these commands will be introduced throughout this course. Here are a few commonly
used Firewall commands.

To display the version of Check Point software installed on a gateway, enter the following
command in the Clish shell:

fw ver

To display the name of the Security Policy installed on a gateway:

fw stat

To display interface information:

fw getifs

Obtaining a Configuration Lock
Only one user can have Read/Write access to Gaia configuration settings at a time. All other
users can only log in with Read-Only access to view configuration settings, as specified by
their assigned roles. For example, AdminA logs in and no other user has Read/Write access.
AdminA receives an exclusive configuration lock with Read/Write access. If AdminA logs in
and AdminB already has the configuration lock, AdminA has the option to override AdminB's
lock. If AdminA decides to override the lock, AdminB stays logged in but will have Read-
Only access. If AdminA decides not to override the lock, they will only be granted Read-Only
access.

To further illustrate, AdminA can run the lock database override command to obtain
the configuration lock from AdminB and gain Read/Write access. Alternately, AdminB who
has Read/Write access can run unlock database to release the configuration lock. In this
instance, the configuration lock can be obtained by AdminA.

NOTE
The administrator whose Read/Write access is revoked does not receive
notification.
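The lock behaviour described above, replayed as an added example (a model written for this page, not Gaia code). The class, method names and audit trail are constructed; `lock_override` and `unlock` stand in for the `lock database override` and `unlock database` commands.

```python
"""Gaia configuration-lock semantics, modelled from the text.

Rules modelled: one user at a time holds the exclusive Read/Write lock; a user
who logs in while it is held gets Read-Only access; overriding takes the lock
and demotes the previous holder to Read-Only without notifying them;
unlocking releases the lock so another user can obtain it.
"""
READ_WRITE = "Read/Write"
READ_ONLY = "Read-Only"


class ConfigurationLock:
    def __init__(self):
        self.holder = None   # user currently holding Read/Write access
        self.sessions = {}   # logged-in user -> access level
        self.audit = []      # constructed audit trail of lock changes

    def login(self, user):
        """Log a user in; Read/Write only if nobody holds the lock."""
        if self.holder is None:
            self._grant(user)
        else:
            self.sessions[user] = READ_ONLY
        return self.sessions[user]

    def lock_override(self, user):
        """Equivalent of `lock database override`: take the lock."""
        self._require_session(user)
        if self.holder == user:
            return READ_WRITE
        if self.holder is not None:
            # The displaced administrator stays logged in with Read-Only
            # access and receives no notification.
            self.sessions[self.holder] = READ_ONLY
            self.audit.append(f"{user} overrode the lock held by {self.holder}")
        self._grant(user)
        return READ_WRITE

    def unlock(self, user):
        """Equivalent of `unlock database`: only the holder may release."""
        self._require_session(user)
        if self.holder != user:
            raise PermissionError(f"{user} does not hold the configuration lock")
        self.holder = None
        self.sessions[user] = READ_ONLY
        self.audit.append(f"{user} released the configuration lock")

    def access(self, user):
        self._require_session(user)
        return self.sessions[user]

    def _grant(self, user):
        self.holder = user
        self.sessions[user] = READ_WRITE
        self.audit.append(f"{user} holds the configuration lock")

    def _require_session(self, user):
        if user not in self.sessions:
            raise ValueError(f"{user} is not logged in")


def override_scenario():
    """AdminB holds the lock; AdminA logs in and overrides it."""
    lock = ConfigurationLock()
    outcome = {}
    outcome["AdminB login"] = lock.login("AdminB")              # Read/Write
    outcome["AdminA login"] = lock.login("AdminA")              # Read-Only
    outcome["AdminA override"] = lock.lock_override("AdminA")   # Read/Write
    outcome["AdminB after override"] = lock.access("AdminB")    # Read-Only
    try:                                    # AdminB no longer holds the lock
        lock.unlock("AdminB")
        outcome["AdminB unlock refused"] = False
    except PermissionError:
        outcome["AdminB unlock refused"] = True
    outcome["audit entries"] = len(lock.audit)
    return outcome


def unlock_scenario():
    """AdminB releases the lock voluntarily; AdminA then obtains it."""
    lock = ConfigurationLock()
    outcome = {}
    outcome["AdminB login"] = lock.login("AdminB")              # Read/Write
    outcome["AdminA login"] = lock.login("AdminA")              # Read-Only
    lock.unlock("AdminB")
    outcome["AdminA acquire"] = lock.lock_override("AdminA")    # Read/Write
    outcome["AdminB after unlock"] = lock.access("AdminB")      # Read-Only
    return outcome
```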

WebUI
The WebUI is an advanced, web-based interface used to configure Gaia platforms. It provides
clientless access to the Gaia CLI directly from a browser. A majority of system configuration
tasks can be done through the WebUI. To access the WebUI, navigate to https://<Device IP
Address>. Log in with a user name and password. The following browsers support the WebUI:

Internet Explorer
Firefox
Chrome
Safari

The WebUI operates in the following two modes:

Basic: Shows only basic configuration options.
Advanced: Shows all configuration options.

Figure 8: WebUI

System Overview Page


The System Overview page displays an overview of the system in various widgets. These
widgets can be added or removed from the page, moved around the page, and minimized or
expanded. The following widgets are available:

System Overview: Provides system information, including the installed product,
product version number, kernel build, product build, edition (32 bit or 64 bit), platform
on which Gaia is installed, and computer serial number (if applicable).
Blades: Displays a list of installed Software Blades. Those that are enabled are
colored. Those that are not enabled are grayed out.
Network Configuration: Displays interfaces, their statuses, and IP addresses.
Memory Monitor: Provides a graphical display of memory usage.
CPU Monitor: Provides a graphical display of CPU usage.

Navigation Tree
The Navigation tree is used to select a page within the WebUI. Pages are arranged in logical
feature groups. There are two viewing modes:

Basic: Shows some standard pages.
Advanced (Default): Shows all pages.

To change the view mode, click View Mode and select a mode from the list. To hide the
Navigation tree, click the Hide icon.

Toolbar
The toolbar displays whether the user has Read/Write access or is in Read-Only mode. It is
also used to open the Terminal (Console) accessory for CLI commands and open the Scratch
Pad accessory, which is used for writing notes.

NOTE
The Scratch Pad accessories are available in Read/Write mode only.

Search Tool
The Search tool is used to find an applicable configuration page by entering a keyword, which
can be a feature, a configuration parameter, or a word related to a configuration page.

Status Bar
The Status bar displays the result of the last configuration operation. To view a history of the
configuration operations during the current session, click the Expand icon.

Configuration Tab
Under the Configuration tab, a user may view and configure parameters for Gaia features and
settings groups. The parameters are organized into functional settings groups in the navigation
tree.

NOTE
Read/write access is required to configure parameters for a settings group.

Monitoring Tab
The Monitoring tab allows a user to view the status and detailed operational statistics, in real
time, for some routing and High Availability settings groups. This ability is useful for
monitoring dynamic routing and VRRP cluster performance.

Configuration Lock
To override a configuration lock in the WebUI, click the small lock icon in the toolbar. The
pencil icon, which indicates Read/Write access is enabled, will replace the lock icon.

NOTE
Only users with Read/Write access can override a configuration lock.

Users
The WebUI and CLI can be used to manage user accounts and perform the following actions:

Add users to your Gaia system.
Edit the home directory of the user.
Edit the default shell for a user.
Assign a password to a user.
Assign privileges to users.

Figure 9: WebUI Users Page

There are two default users that cannot be deleted. The Admin has full Read/Write access for
all Gaia features. This user has a User ID of 0 and therefore has all of the privileges of a root
user. The Monitor has Read-Only access for all features in the WebUI and the CLI and can
change their own password. An Admin must provide a password for the Monitor before the
Monitor user account can be used.

New users have Read-Only privileges to the WebUI and CLI by default. They must be
assigned one or more roles before they can log in.

NOTE
Permissions can be assigned to all Gaia features or a subset of the features
without assigning a user ID of 0. If a user ID of 0 is assigned to a user
account (this can only be done in the CLI), the user is equivalent to the
Admin user and the roles assigned to that user cannot be modified.

Roles and Role-based Administration


Role-based administration enables Gaia administrators to create different roles. Administrators
can allow users to access features by adding those functions to the user's role definition. Each
role can include a combination of Read/Write access to some features, Read-Only access to
other features, and no access to other features.

Figure 10: WebUI Roles Page

When a user is created, pre-defined roles, or privileges, are assigned to the user. For example, a
user with Read/Write access to the Users feature can change the password of another user or an
Admin user. It is also possible to specify which access mechanisms, the WebUI or CLI, are
available to the user.

When users log in to the WebUI, they see only those features for which they have Read-Only
or Read/Write access. If they have Read-Only access to a feature, they can see the settings
pages but cannot change the settings.

Configure Roles in the WebUI


Roles are defined on the Roles page of the WebUI. To add a new role or change an existing
role:

1. Select User Management > Roles in the WebUI navigation tree.
2. To add a new role, click Add and enter a Role Name. The role name can be a combination
of letters, numbers, and the underscore (_) character, but must start with a letter.
3. To change permissions for an existing role, double-click the role.
4. In the Add or Edit Role window, click a feature (Features tab) or extended command
(Extended Commands tab).
5. Select None, Read-Only, or Read/Write from the options menu to the left of the feature or
command.

Figure 11: WebUI Add Role Window

To assign users to a role:

1. Select User Management > Roles in the WebUI navigation tree.
2. Click Assign Members.
3. In the Assign Members to Role window:
   Double-click a user in the Available Users list to add that user to the role.
   Double-click a user in the Users with Role list to remove that user from the role.

Configure Roles in the CLI


To add role definitions:

add rba role <Name> domain-type System readonly-features <List> readwrite-features <List>

To delete role definitions:

delete rba role <Name>
delete rba role <Name> readonly-features <List> readwrite-features <List>

To add users to existing roles:

add rba user <User Name> roles <List>

To remove users from existing roles:

delete rba user <User Name> roles <List>

To add access mechanism (WebUI or CLI) permissions for a specified user:

add rba user <User Name> access-mechanisms [Web-UI | CLI]

To remove access mechanism (WebUI or CLI) permissions for a specified user:

delete rba user <User Name> access-mechanisms [Web-UI | CLI]

Parameter                  Description
role <Name>                Role name as a character string that contains letters, numbers, or
                           the underscore (_) character.
domain-type System         Reserved for future use.
readonly-features <List>   Comma separated list of Gaia features that have Read-Only
                           permissions in the specified role. You can add Read-Only and
                           Read/Write feature lists in the same command.
readwrite-features <List>  Comma separated list of Gaia features that have Read/Write
                           permissions in the specified role. You can add Read-Only and
                           Read/Write feature lists in the same command.
user <User Name>           User to which access mechanism permissions and roles are
                           assigned.
roles <List>               Comma separated list of role names that are assigned to or
                           removed from the specified user.
access-mechanisms          Defines the access mechanisms that users can work with to
                           manage Gaia. You can only specify one access mechanism at a
                           time with this command.
Table 5: User and Role Parameters and Descriptions

For example:

add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag,
add rba user Paul access-mechanisms CLI,WebUI
add rba user Daly roles NewRole,adminRole
delete rba role NewRole
delete rba user Daly roles adminRole
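To show what the role commands above actually do to a user's effective permissions, here is an added example (written for this page, not Gaia code) that parses those command lines into in-memory role and user tables and answers "what access does user X have to feature Y?". Two points are assumptions because the text does not state them: a user holding several roles gets the most permissive level any of them grants, and `delete rba role <Name> readonly-features <List>` trims the listed features from the role; the built-in adminRole is seeded as Read/Write on every feature, and the extra line giving Paul a role is constructed.

```python
"""Role-based administration modelled from the rba command examples."""
import shlex

NONE, READ_ONLY, READ_WRITE = 0, 1, 2
LEVEL_NAME = {NONE: "None", READ_ONLY: "Read-Only", READ_WRITE: "Read/Write"}


def _split(csv):
    """Split a comma separated list, tolerating a trailing comma ("tag,")."""
    return [item for item in csv.split(",") if item]


class RbaDatabase:
    def __init__(self):
        # Constructed built-in: adminRole has Read/Write on every feature ("*").
        self.roles = {"adminRole": {"*": READ_WRITE}}
        self.users = {}  # user -> {"roles": set(), "access-mechanisms": set()}

    def run(self, line):
        """Apply one Clish-style `add/delete rba ...` command line."""
        op, rba, kind, name, *rest = shlex.split(line)
        if rba != "rba" or op not in ("add", "delete") or len(rest) % 2:
            raise ValueError(f"unsupported command: {line}")
        params = dict(zip(rest[::2], rest[1::2]))  # parameter/value pairs
        if kind == "role":
            self._role(op, name, params)
        elif kind == "user":
            self._user(op, name, params)
        else:
            raise ValueError(f"unknown object type: {kind}")

    def _role(self, op, name, params):
        listed = [(READ_ONLY, _split(params.get("readonly-features", ""))),
                  (READ_WRITE, _split(params.get("readwrite-features", "")))]
        if op == "add":
            role = self.roles.setdefault(name, {})
            for level, features in listed:
                for feature in features:
                    role[feature] = level
        elif any(features for _, features in listed):
            # Assumption: deleting with a feature list trims the role.
            for _, features in listed:
                for feature in features:
                    self.roles[name].pop(feature, None)
        else:
            del self.roles[name]
            for user in self.users.values():  # drop dangling memberships
                user["roles"].discard(name)

    def _user(self, op, name, params):
        user = self.users.setdefault(name, {"roles": set(), "access-mechanisms": set()})
        for key in ("roles", "access-mechanisms"):
            if key in params:
                values = set(_split(params[key]))
                user[key] = user[key] | values if op == "add" else user[key] - values

    def access(self, user, feature):
        """Effective level for one feature; most permissive role wins (assumption)."""
        level = NONE
        for role_name in self.users.get(user, {}).get("roles", ()):
            role = self.roles.get(role_name, {})
            level = max(level, role.get(feature, NONE), role.get("*", NONE))
        return LEVEL_NAME[level]

    def mechanisms(self, user):
        return sorted(self.users.get(user, {}).get("access-mechanisms", ()))


PAGE_COMMANDS = [  # the example lines from the text, in order
    "add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag,",
    "add rba user Paul access-mechanisms CLI,WebUI",
    "add rba user Daly roles NewRole,adminRole",
    "delete rba role NewRole",
    "delete rba user Daly roles adminRole",
]


def walkthrough():
    """Run the page's commands (plus one constructed line) and record each user's access."""
    db = RbaDatabase()
    seen = {}
    db.run(PAGE_COMMANDS[0])
    db.run("add rba user Paul roles NewRole")  # constructed, so Paul has a role to query
    seen["NewRole"] = dict(db.roles["NewRole"])
    seen["Paul vpn"] = db.access("Paul", "vpn")       # Read-Only
    seen["Paul tag"] = db.access("Paul", "tag")       # Read/Write
    seen["Paul users"] = db.access("Paul", "users")   # None: feature not in the role
    db.run(PAGE_COMMANDS[1])
    seen["Paul mechanisms"] = db.mechanisms("Paul")   # ['CLI', 'WebUI']
    db.run(PAGE_COMMANDS[2])
    seen["Daly vpn"] = db.access("Daly", "vpn")       # Read/Write: adminRole wins
    db.run(PAGE_COMMANDS[3])
    seen["Paul vpn after role delete"] = db.access("Paul", "vpn")   # None
    db.run(PAGE_COMMANDS[4])
    seen["Daly vpn after role removal"] = db.access("Daly", "vpn")  # None
    return seen
```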

Updates
Gaia provides the ability to directly receive updates for licensed Check Point products. With
the Check Point Upgrade Service Engine (CPUSE), you can automatically update Check Point
products for the Gaia operating system and the Gaia operating system itself. Updates can be
downloaded automatically, manually, or periodically and installed manually or periodically.

Figure 12: Gaia Software Updates Policy Page

Hotfixes are downloaded and installed automatically by default, however full installation and
upgrade packages must be installed manually. Email notifications are sent for newly available
updates, downloads, and installations. Updates are discussed in greater detail in the CCSE
course.

Lab 1.1: Working with Gaia Portal

This lab is an introduction to Check Point Gaia. Here, you will view and manipulate basic settings of the
Gaia operating system through the Gaia Portal, the WebUI. Create users and define settings that will
appear in later labs.

Performance Objectives:
Identify important operating system level settings configured through the WebUI.
Create and confirm administrator users for the domain.
Configure network messages.
Confirm existing configuration settings.

Tasks:
Review and configure basic settings in the Gaia Portal.
Define a new role and create new Check Point users.
Work in Expert mode.
Apply useful commands.
Add and delete administrators via the CLI.
Test user role assignments.

Reviewing and Configuring Basic Settings in the Gaia Portal
Follow these steps to connect to the Gaia Portal on the Alpha Security Management Server.

1. From A-GUI, launch a web browser, such as Firefox or Chrome.
2. In the address field, type the following:

https://10.1.1.101

NOTE
You must use HTTPS to access the Gaia Portal or the connection will fail.

3. Press Enter, and your browser should warn you that the site's Security Certificate is from an
untrusted source.
4. Ignore this warning and continue to the site. The system displays the Gaia Portal login screen:

Figure 13: Gaia Portal R80.20

5. Log into A-SMS with the following credentials:

Username: admin
Password: Chkp!234

6. Click Login, and the system displays the Gaia Portal Overview page:

Figure 14: Overview

7. Review the Overview page and identify the information presented about A-SMS.

8. In the Navigation pane, select System Management > Time:

Figure 15: System Management - Time

9. Review the information displayed for the following:

Time and Date
Time Zone

10. Make any corrections necessary for this information to display correctly for your environment.

11. In the toolbar search field, type the following:

dns

Figure 16: DNS Search Results Displayed

12. In the search results, select Hosts and DNS. The system displays the Hosts and DNS page.

13. Use the information below to configure the DNS settings for A-SMS:

Host Name: A-SMS
Domain Name: alpha.cp
DNS Suffix: alpha.cp
Primary DNS Server: 192.168.11.101
Secondary DNS Server: 8.8.8.8
Tertiary DNS Server: Blank

Figure 17: Network Management - Hosts and DNS

14. Click Apply.

15. In the Navigation pane, select System Management > Messages:

Figure 18: System Management - Messages

16. In the Banner Message field, replace the default text with the following:

A-SMS

Unauthorized access of this server is prohibited and punishable by law.

17. Click Apply, to save the message:

Figure 19: System Management - Messages Configured

Defining Roles and Creating Check Point Users


All Check Point users and administrators are role-based, with each role defining what privileges are
assigned. In this section, you will define operating system level users. In a later lab, you will define
application level users.

1. In the Navigation pane, select User Management > Roles:

Figure 20: User Management - Roles

2. In the Roles page, click Add. The system displays the Add Role window:

Figure 21: Add Role

3. In the Role Name field, enter the following:

rtrRole

4. In the Search field of the Features tab, enter the following:

route

Figure 22: Add Role - Search Initiated

NOTE
The search results displayed by the system are a list of commands and features
available for assignment to the role, based on the search criteria.

5. To view the permission options, click the down arrow next to the Route item:

Figure 23: Add Role - Search Results - Assignment Options

NOTE
If no privilege is specifically selected for the command or feature, it is not assigned
to the role.

6. Assign the following permissions to the rtrRole role:

Route: Read Only
Route Map: Read Only
Static Multicast Routes: Read / Write

Figure 24: Add Role - Privileges Assigned

7. Click OK, and the system adds rtrRole to the list of configured roles:

Figure 25: User Management - Roles Configured

8. In the Navigation pane, select User Management > Users:

Figure 26: User Management - Users

9. In the Users page, click Add and the system displays the following:

Figure 27: Add User

10. Use the information below to configure a new user:

Login Name: scpadmin
Password: Chkp!234
Real Name: Scpadmin
Home Directory: /home/scpadmin
Shell: /bin/bash
User must change password at next logon: Deselected
UID: 0
Assigned Roles: adminRole
Access Mechanisms: Web, Clish Access

Figure 28: Add User Configured

NOTE
The system automatically assigns the Real Name and Home Directory settings.

11. Click OK, and the system displays the new user in the Users list:

Figure 29: User Management - Users - User Added

12. In the Users page, click Add, to add another user.

13. Use the information below to configure a new user:

Login Name: rtradmin
Password: Chkp!234
Real Name: Rtradmin
Home Directory: /home/rtradmin
Shell: /etc/cli.sh
User must change password at next logon: Deselected
UID: 0
Assigned Roles: rtrRole
Access Mechanisms: Web, Clish Access

Figure 30: Add User Configured

14. Click OK to add the new user to the Users list.
15. In the toolbar, identify the name of the user currently logged into the system.

16. Click the Logout icon to the right of the username, and the system logs the user out of the Gaia Portal:

Figure 31: Gaia Portal Logout

Working in Expert Mode


Gaia has two modes, Clish and Expert. In order to run some CLI commands, you must be in Expert mode.

1. Log into Gaia on the first gateway in the Alpha cluster, A-GW-01.

Username: admin
Password: Chkp!234

NOTE
Log into the Virtual Machine either directly or from A-GUI through a Putty session.

2. Then, type the following and press Enter:

set expert-password

3. When prompted to enter a new password for Expert mode, type and confirm the following:

Chkp!234

4. At the prompt, type the following and press Enter.

save config

Figure 32: save config

5. Execute the following command:

tcpdump -ni eth1

6. Press Enter, and the system displays an error.
7. At the prompt, type the following:

expert

8. Press Enter, and the system prompts you for the newly configured Expert mode password.
9. Type the following and press Enter:

Chkp!234

NOTE
Once in Expert mode, you are in BASH. Notice that the prompt now displays
Expert@A-GW-01:0, indicating the current mode.

NOTE
Expert mode is root BASH. Proceed with caution.

10. Type exit and press Enter, so that you are at the Clish prompt.

NOTE
To exit to the login prompt, you would type exit again.

11. Enter Expert mode.
12. From Expert mode, run the following command and press Enter:

tcpdump -ni eth1

NOTE
This runs a packet sniff on eth1.

13. Press Ctrl + C to stop:

Figure 33: tcpdump Stopped

NOTE
More commands worth noting are shutdown and reboot.

14. Exit to Clish mode.

Applying Useful Commands


There are many commands commonly used in troubleshooting on the gateway. Commands to try are those
beginning with fw.

1. Type the following command, and press Enter. This displays the name of the Security Policy installed
on the gateway:

fw stat

Figure 34: fw stat

2. Type the following command, and press Enter. This unloads the current Security Policy:

fw unloadlocal

Figure 35: fw unloadlocal

NOTE
This command unloads all policies from the gateway, preventing network access,
disabling IP forwarding, and turning off NAT. Consider only using this command
when you need to regain access to the gateway and all other measures have failed.

3. Type the following command, and press Enter:

fw stat

Figure 36: fw stat

4. Type the following command and press Enter, to display the gateway version:

fw ver

Figure 37: fw ver

NOTE
For more information about each command from the prompt, type the command
name followed by --help. For example, fw --help.

5. Type the following command and press Enter, to display the system interfaces:

show interfaces

Figure 38: show interfaces

NOTE
This command lists the system interfaces. If you are not sure which options or flags
are available for a command such as show interfaces, simply type the basic command
and then press the Tab key to display the available options.

6. Type the following command and press Enter, to display information on eth0:

show interface eth0

Figure 39: show interface eth0


7. Type the following command and press Enter, to display route information:

show route

Figure 40: show route

8. Type the following command and press Enter, to display the routing table:

netstat -rn

Figure 41: netstat -rn


9. Type the following command and press Enter, to display running services and open ports:

netstat -an

Figure 42: netstat -an

10. Type the following command and press Enter, to display interface information:

fw getifs

Figure 43: fw getifs


Adding and Deleting Administrators via the CLI


Clish supports multiple administrators on the regular shell. This is important for audit purposes. In the
following steps, you will create user Sam with password Chkp!234.

1. Type the following command and press Enter:

add user sam uid 200 homedir /home/sam

Figure 44: add user

2. Type the following command and press Enter, to set the user's password:

set user sam newpass Chkp!234

Figure 45: set user sam newpass

NOTE
When adding users in Clish, you must assign a permissions profile in addition to the
password. Because we do not have any permission profiles defined, we are not going
to do this step. This is, however, important.

3. Type the following command and press Enter, to set the user's role:

add rba user sam roles adminRole


4. To show all users, type the following and press Enter:

show users

Figure 46: show users

5. To delete the user Sam, type the following command and press Enter:

delete user sam

Figure 47: delete user sam

6. To show all users, type the following and press Enter:

show users

Figure 48: show users

7. Verify that Sam is no longer in the list of configured users.


Testing User Role Assignments


Log into A-SMS as different users to confirm that user privileges are properly assigned.

1. From the desktop of A-GUI, launch PuTTY.


2. To connect to the A-SMS, enter the following Host Name:

10.1.1.101

3. Click Yes to acknowledge the security message.


4. Use the information below to log into A-SMS as the admin user:

Login as: admin
Password: Chkp!234

Figure 49: PuTTY Session - admin


5. Type the following and press Enter, to display the configuration of A-SMS:

show configuration

Figure 50: show configuration

6. Exit the PuTTY session.


7. Relaunch PuTTY.
8. Connect to the A-SMS.


9. Next, use the information below to log in as a different user:

Login: rtradmin
Password: Chkp!234

Figure 51: PuTTY Session - rtradmin


10. Attempt to display the configuration for A-SMS. Note that this user does not have sufficient privileges
to execute this command.

Figure 52: Invalid Command

END OF LAB 1.1


The Check Point Security Management Architecture

The Check Point Security Management Architecture is an object-oriented architecture that
uses graphical representations of real-world entities, such as users and gateways. These entities
are configured, managed, and monitored through a single management console which provides
the flexibility needed for organizations of all shapes and sizes to manage and secure their
network. There are three essential components of the Check Point Security Management
Architecture: SmartConsole, Security Management Server, and the Security Gateway.

Figure 53: Check Point's Security Management Architecture Components

SmartConsole
SmartConsole is a Graphical User Interface (GUI) used to manage the objects that represent
network elements, servers, and gateways. These objects are used throughout SmartConsole for
many tasks including creating Security Policies. SmartConsole is also used to monitor traffic
through logs and manage Software Blades, licenses, and updates.

Security Management Server
When a Security Policy is created in SmartConsole, it is stored in the Security Management
Server. The Security Management Server then distributes that Security Policy to the various
Security Gateways. The Security Management Server is also used to maintain and store an
organization's databases, including object definitions and log files, for all gateways.


Security Gateway
A Security Gateway is a gateway on which the Firewall Software Blade is enabled. It is also
known as a Firewalled machine. Security gateways are deployed at network access points, or
points where the organization's network is exposed to external traffic. They protect the
network using the Security Policy pushed to them by the Security Management Server.


Network Communication
Secure Internal Communication
Secure Internal Communication (SIC) is a means by which platforms and products
authenticate with each other. It creates trusted connections between gateways, management
servers, and other Check Point components. SIC is required for policy installation on gateways
and to send logs between gateways and management servers. Once SIC is established, the
management server and its components are identified by their SIC names rather than the IP
address.

Check Point platforms and products authenticate each other using the following SIC mechanisms:

Certificates
TLS for the creation of secure channels
3DES or AES128 for encryption

NOTE
Gateways above R71 use AES128 for SIC. If one of the gateways is below
R71, the gateways use 3DES.

Internal Certificate Authority


The Internal Certificate Authority (ICA) is created during the primary Security Management
Server installation process. It is responsible for issuing the following certificates to
authenticate:

SIC: Between gateways or between gateways and management servers
VPN Certificates: Between members of a VPN community in order to create the
VPN tunnel
Users: User access according to authorization and permissions.

NOTE
If the Security Management Server is renamed, trust will need to be
reestablished as the certificate is reissued.


Initializing Trust
A gateway and management server initially establish trust using a one-time password. The
ICA signs and issues a certificate for the gateway but does not yet deliver it; at this point, the
trust state is initialized but not yet trusted. The gateway and management server then
authenticate over SSL using the one-time password. The certificate is then downloaded and
stored on the gateway, trust is established, and the one-time password is deleted. From then
on, the gateway can safely communicate with other Check Point gateways and management
servers that hold a security certificate signed by the same ICA.

NOTE
Make sure the clocks of the gateway and management server are
synchronized before initializing trust between them.

To initialize trust:

1. In SmartConsole, navigate to the General Properties page of the gateway object.


2. Under the Machine section, click the Communication button.
3. Under the Authentication section, enter and confirm the one-time password. This one-time
password must be on both the gateway and the management server.
4. Under the Trusted Communication Initialization section, click the Initialize button.
5. Publish the changes.

Secure Internal Communication Status


Once the certificate is downloaded and stored on the gateway, the SIC status will display the
current communication status between the management server and the gateway.

The communication status may show:

Communicating: The secure communication is established.
Unknown: There is no connection between the gateway and management server.
Not Communicating: The management server can contact the gateway but cannot
establish SIC.


Resetting the Trust State


If the trust state has been compromised, such as when keys are leaked or certificates are lost, it
is possible to reset the trust state. Once SIC has been established, it must be reset on both the
management server and the gateway. When resetting SIC, the management server revokes the
certificate from the Security Gateway and stores the certificate information in the Certificate
Revocation List (CRL). The CRL is a database of revoked certificates. Once the trust state has
been reset, it is updated with the serial number of the revoked certificate. The ICA signs the
updated CRL and issues it to all gateways during the next SIC connection. If two gateways
have different CRLs, they cannot authenticate.

To reset the trust state:

1. In SmartConsole, navigate to the General Properties page of the gateway object.


2. Under the Machine section, click the Communication button.
3. At the bottom of the window, next to the certificate status, click the Reset button.
4. Publish the changes.
5. Install policy on the gateways to deploy the updated CRL to all gateways.

NOTE
If the default policy is in place on the gateway, trust cannot be reset
because communication from the management server will be dropped
along with traffic from any other source.

The trust state must be reset on the gateway as well. To establish a new trust state for a
gateway:

1. Open the Command Line Interface (CLI) on the gateway.


2. Execute the following command:
cpconfig
3. Type the number for SIC, press Enter and confirm.
4. Enter and confirm the activation key.
5. When done, enter the number for Exit.
6. Wait for Check Point processes to stop and automatically restart.
7. In SmartConsole, navigate back to the General Properties page of the gateway object.
8. Complete the steps required to initialize trust.
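The following Python model, added here as an illustration and not Check Point's own code, walks a gateway through the trust lifecycle described in the Initializing Trust and Resetting the Trust State sections: one-time-password initialization, certificate issue, CRL-based revocation, and re-initialization. The class and function names and the ICA name are assumptions made for the example.

```python
import hmac
from typing import Optional


class Ica:
    """Internal Certificate Authority: issues certificates and maintains the CRL."""

    def __init__(self, name: str = "ica.example-sms"):   # constructed ICA name
        self.name = name
        self._next_serial = 1
        self.crl = frozenset()      # serial numbers of revoked certificates
        self.crl_version = 0        # bumped each time the ICA re-signs the CRL

    def issue(self, sic_name: str) -> dict:
        cert = {"issuer": self.name, "serial": self._next_serial, "subject": sic_name}
        self._next_serial += 1
        return cert

    def revoke(self, cert: dict) -> None:
        self.crl = self.crl | {cert["serial"]}
        self.crl_version += 1


class Peer:
    """A gateway or management server identified by its SIC name."""

    def __init__(self, sic_name: str):
        self.sic_name = sic_name
        self.otp: Optional[bytes] = None     # deleted once trust is established
        self.cert: Optional[dict] = None
        self.crl, self.crl_version = frozenset(), 0

    @property
    def trust_state(self) -> str:
        if self.cert is not None:
            return "trusted"
        return "initialized" if self.otp is not None else "uninitialized"


def install_crl(ica: Ica, peer: Peer) -> None:
    """The ICA-signed CRL reaches a peer on its next SIC connection (policy install)."""
    peer.crl, peer.crl_version = ica.crl, ica.crl_version


def initialize_trust(ica: Ica, gw: Peer, otp_on_gw: bytes, otp_on_sms: bytes) -> bool:
    """Trust is established only if both sides hold the same OTP. The certificate
    is issued first but delivered only after that authentication succeeds."""
    gw.otp = otp_on_gw                        # state: initialized, not yet trusted
    cert = ica.issue(gw.sic_name)             # issued, not yet delivered
    if not hmac.compare_digest(otp_on_gw, otp_on_sms):
        return False                          # wrong OTP: stays initialized
    gw.cert, gw.otp = cert, None              # certificate stored, OTP deleted
    install_crl(ica, gw)
    return True


def reset_trust(ica: Ica, gw: Peer) -> None:
    """Management-server side of a reset: revoke the certificate into the CRL.
    The gateway side (cpconfig) then requires a fresh initialize_trust()."""
    ica.revoke(gw.cert)
    gw.cert = None


def can_authenticate(a: Peer, b: Peer) -> bool:
    """Peers authenticate only with certificates from the same ICA, identical
    CRLs, and neither certificate listed on that CRL."""
    if a.cert is None or b.cert is None:
        return False
    if a.cert["issuer"] != b.cert["issuer"] or a.crl_version != b.crl_version:
        return False
    return a.cert["serial"] not in a.crl and b.cert["serial"] not in b.crl
```

A peer that has not yet received the updated CRL fails can_authenticate() until install_crl() is run for it, which is why the reset procedure ends with a policy installation to all gateways.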



The SmartConsole
The SmartConsole is an all-encompassing, unified console for managing Security Policies,
monitoring events, installing updates, adding new devices and appliances, and managing a
multi-domain environment.

Navigation Pane Overview

Figure 54: SmartConsole

1. Navigation toolbar: Navigate between SmartConsole views.
2. Main menu: Manage policies and layers, explore and create objects, manage sessions,
install policy, manage licenses and packages, and configure global properties.
3. Objects menu: Create and manage objects.
4. Install Policy button: Install policy.
5. Session details: View the session name and description and publish or discard the
current session.
6. Side bar: Create and manage objects and view validation errors.
7. Management activity bar: View the current administrator logged in and the number of
changes made in the current session, management server details, and additional
management activity, such as policy installation tasks.
8. Command Line: Run API commands and scripts.


The SmartConsole is organized into the following tabs:

Gateways & Servers
Security Policies
Logs & Monitor
Manage & Settings

Gateways & Servers Tab

In the Gateways & Servers tab, you can manage gateways, configure blade activation, view
gateway status, and perform actions on the gateways.

Figure 55: Gateways & Servers Tab

1. Views menu: Navigate between various pre-defined views.
2. Gateways & Servers toolbar: Create and edit gateways and clusters, run scripts,
perform backups and restores, and search and filter gateways.
3. Additional Information section: View a summary of the selected gateway, tasks, and
error messages and view installed Software Blades.


Security Policies Tab
Under the Security Policies tab, you are able to manipulate the various Security Policies and
layers.

Figure 56: Security Policies Tab

1. Tabs: Navigate between different policy packages.
2. Policy Package menu: Navigate between various policies within a policy package and
view and manage shared policies.
3. Security Policies toolbar: Add or delete rules, expand and collapse sections, install
policy, view the history, and search, filter, and export the Rule Base.
4. Related Tools: View and edit VPN communities, view updates, create and manage
UserCheck messages, manage client certificates, navigate to the Application Wiki or
ThreatWiki, and view installation history.
5. Additional Information section: View a summary of the selected rule along with
details, logs, and history.


Logs & Monitor Tab
The Logs & Monitor tab allows you to view graphs and pivot tables in an organized dashboard,
search through logs, schedule customizable reports, and monitor gateways.

Figure 57: Logs & Monitor Tab

1. Tabs: Open various event analysis views.
2. Logs toolbar: Use pre-defined and custom queries to search through logs, refresh
statistics, export search results, and manage query settings.


Manage & Settings Tab
The Manage & Settings tab allows you to manipulate various general settings.

Figure 58: Manage & Settings Tab

1. Manage & Settings menu: Navigate between the various menu options, create, edit,
and manage permission profiles and administrators, manage Software Blade global
settings, view sessions and revisions, manage tags, and edit preferences.


SmartConsole Applications
SmartEvent (Advanced Events and Reports)
SmartEvent correlates logs and detects real security threats. It provides a centralized display of
aggregated data and potential attack patterns from perimeter devices, internal devices, Security
Gateways, and third-party security devices. SmartEvent automatically prioritizes security
events for action. This automation minimizes the amount of data that needs to be reviewed,
thereby reducing the use of resources. SmartEvent is capable of managing millions of logs per
day per correlation unit in large networks. A correlation unit is used to analyze log entries and
identify events. SmartEvent is a licensed Software Blade and can be installed on a single server
or across multiple correlation units to reduce the network load.

SmartEvent views can be customized to monitor patterns and events that are most important to
a Security Administrator. Information can be displayed from a high level view down to a
detailed forensics analysis view. The free-text search engine is extremely effective in quickly
running data analysis and identifying critical security events.

SmartView Monitor (Tunnel & User Monitoring)


SmartView Monitor displays a complete picture of network and security performance,
allowing you to monitor changes to gateways, tunnels, remote users, and security activities.
This SmartConsole application can be used in its most basic form without a license. More
advanced features, such as customized views and detailed queries will require a license.
SmartView Monitor is discussed in greater detail in a later chapter.

SmartUpdate
SmartUpdate is used to manage licenses and packages for multi-domain servers, domain
servers, gateways, and Software Blades. Through this client, an administrator can add licenses
to the central license repository and assign those licenses to components as necessary.
SmartUpdate can also be used to upgrade packages and install contract files. SmartUpdate is
discussed in greater detail in a later chapter.


SmartDashboard
There are a few legacy applications that must be accessed through SmartDashboard. Links to
SmartDashboard are located throughout SmartConsole and provide access to the following
applications:

Data Loss Prevention
Anti-Spam & Mail
Mobile Access
HTTPS Inspection

Lab 1.2
Installing and Touring SmartConsole

Lab 1.2: Installing and Touring SmartConsole

From the Gaia Portal, you will download and install the SmartConsole application. Once installation is
complete, tour the new GUI client application to see how to configure and manage your security
environment.

Performance Objectives:
Perform an installation of the SmartConsole application.
Connect and tour SmartConsole.

Tasks:
From Gaia Portal, download and install SmartConsole.
Tour SmartConsole.


Installing SmartConsole
Download the SmartConsole installer from the Gaia Portal of the Security Management Server.

1. From A-GUI, log into the A-SMS through the Gaia Portal using the following credentials:

Username: admin
Password: Chkp!234

2. In the Overview page, identify the Manage Software Blades using SmartConsole banner.

NOTE
You can also find the SmartConsole download in the Maintenance section of the
Gaia Portal.

3. Click the Download Now button.


4. Save the SmartConsole.exe file in the Downloads folder of A-GUI:

Figure 59: Downloads


5. Double-click the SmartConsole installer file.

NOTE
The SmartConsole installer may be compressed. If it is, extract the executable file
before attempting to install.

6. Double-click the setup file. The system displays the following:

Figure 60: Welcome

7. In the Welcome screen, select the following option:

I have read and agree to the Check Point End User License Agreement

NOTE
In this lab environment, you should accept the default installation path.


8. Click the Install button, to continue the installation of SmartConsole:

Figure 61: Installation


9. When installation is complete, the system displays the Finish screen:

Figure 62: Finish

10. Clear the following option:

Launch SmartConsole

11. Click Finish.


Touring SmartConsole
Launch SmartConsole for the first time and tour features of the software version.

1. From the desktop of A-GUI, select Start > All Programs > Check Point SmartConsole [R80.xx
version] > SmartConsole [R80.xx version]. The system displays the Login window:

Figure 63: SmartConsole Login

2. Use the information below to log into SmartConsole:

Username: admin
Password: Chkp!234
IP Address: 10.1.1.101
Read Only: Deselected
Demo Mode: Deselected


3. Click the Login button, and the system displays the Fingerprint message:

Figure 64: Fingerprint

4. Next, log into the A-SMS:

Figure 65: A-SMS Clish


5. At the prompt, type the following and press Enter:

cpconfig

Figure 66: cpconfig

6. Type 7, and press Enter to view the certificate's fingerprint:

Figure 67: Configuration Certificate's Fingerprint

7. Compare the fingerprint displayed on A-SMS to the one displayed on A-GUI.


8. On A-GUI, click Proceed to continue to SmartConsole.


9. On the Welcome to SmartConsole page, review the features highlighted for this software version:

Figure 68: Welcome to SmartConsole


10. Click the right arrow and the system displays the following:

Figure 69: Welcome to R80.xx

11. Identify where in the Navigation frame the following items are located:
Application menu
Application main navigation
Session details and actions
Objects management


12. Click the right arrow and the system displays the following:

Figure 70: Gateways & Servers

13. Identify where in the Gateways & Servers tab the following items are located:
Server status
Module version
Active software blades
CPU usage
Object summary


14. Click the right arrow and the system displays the following:

Figure 71: Security Policies

15. Identify where in the Security Policies tab the following items are located:
Access Control policy
Threat Prevention policy
Shared Policies
Install Policy Button
