R80.10 Cookbook - CPX

Before you start working on the tasks, please take a few minutes to go over the 'Session at a Glance' presentation in the Resource tab.

©2017 Check Point Software Technologies Ltd. All rights reserved | P. 1


Login
1. Open the client machine tab by clicking on it.

2. Locate the SmartConsole shortcut on your desktop.

To complete the tasks, open the SmartConsole shortcut and log in with username 'James' and password 'aaaa' to the Security Management Server at IP address '192.168.88.9'.



Task 1: Unified Policy and Policy Layers
Objective: To protect our employees from exposing sensitive personal data, create an
additional policy rule that warns employees when they attempt to upload credit card
numbers over the HTTP protocol.

1. Click Security Policies (main navigation buttons on the left hand side)

2. Make sure Standard policy is open

In R80, you can work on multiple policy packages simultaneously. Each tab represents a policy package.

The '+' tab is where you manage your policy packages. You can create, edit or delete policy packages.

3. Go to rule number 14 ‘Web access permissions’ and expand the inline layer:
click the black triangle on the left

4. Select rule number 14.1 and create a new rule above it: right-click the rule number >
New Rule > above.

5. Name this rule: ‘Protect exposure of personal data’.

6. In the ‘Service & Application’ column, open the picker (+) and choose the ‘http’
service

7. In the ‘Content’ column, open the picker and choose the ‘PCI – Credit Card
Numbers’ data type.

8. To match only uploaded data, right-click the 'Content' cell and set 'Data Direction' to Up (Upload). Leaving it at 'Any Direction' would also match card numbers that the web server sends back down to the user.

9. In the ‘Action’ column, right-click and select ‘Ask > Personal Data Exposure’.

10. In the ‘Track’ column, select ‘Log’.

R80.10 presents a Unified Policy: a single rule can combine criteria from multiple security products (here the Firewall service and the Content Awareness data type).



This policy is structured as a unified policy with inline layers (sub-policies).

11.  Publish changes: click ‘Publish’ at the center top of the console.
o Edit the session name to be ‘Protect exposure of personal data’ and its
description to be ‘Warn employees on uploading credit card numbers’.
o Click ‘Publish’.

R80 and higher have a built-in revision control mechanism. Every published session creates a new database revision, which appears in the list of database revisions.

12.  To install the ‘Standard’ policy on ‘CP_GW’, click ‘Install Policy’.

After clicking 'Install', a new task appears on the lower left side of SmartConsole with the policy installation progress.

Click the triangle next to the progress bar to open the 'Tasks' pane. In the 'Tasks' pane, you can see tasks such as 'Policy Installation', 'IPS Update' and 'Applications Update'.

13. Make sure the policy installation ended successfully.

14. Simulate traffic:

o Open the Chrome browser. Notice that the phishing site is the home page. If not, click 'phishing site' in the browser's bookmark bar.
o Fill in the 'Card Number' field with '5231123764286662'.
o Click 'Confirmation'.
o Verify you got the expected UserCheck notification.

15. Explore the logs in SmartConsole:

o Click on the newly created rule (rule number 14.1).
o In the panel below the policy, open the 'Logs' tab. (If the panel is hidden, click the icon on the right to expand it.)
o In the filter bar, enter: type:Session
o Double-click the first log entry in the list. Navigate between tabs (e.g. Matched Rules, Files) to see the details described in the log card.

R80.10 introduces Session Logs: multiple connection logs are collected into one Session log, providing better visibility of user actions.

16. Explore Gateway statistics:



o Connect to the gateway over SSH with PuTTY: click the shortcut named 'GW-SSH' on the Desktop.
o Enter 'cpview'
o Navigate to 'Software Blades' > 'Content Awareness'
o Review the statistics

 R80.10 introduces Unified Policy and Policy Layers as a more efficient way to manage the Security Policy. Unified Policy lets organizations translate their security requirements into a simple set of rules, which streamlines policy administration and enforcement across the organization.

The new Content Awareness Software Blade adds visibility and control over data transfers in network traffic, using data types based on content (such as the 'PCI – Credit Card Numbers' type used above), file types, and data direction.
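Step 7's 'PCI – Credit Card Numbers' data type is what makes the rule match card numbers rather than every 16-digit string. The following Python script is an added example written for this page, not Check Point's implementation (the blade's exact detection logic is not described here). It shows the two checks such a data type must at least perform, a digit-pattern scan followed by the Luhn checksum, and then applies the rule's Data Direction to a constructed HTTP request. The sample request, the regular expression and the issuer-prefix table are the example's own assumptions; the card number is the one the cookbook types in step 14, and it passes Luhn.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from the lab): the form POST the phishing site in
# step 14 would send, carrying the cookbook's test card number plus a 16-digit order
# reference that looks like a card number but fails the Luhn checksum.
SAMPLE_UPLOAD = (
    "POST /confirm HTTP/1.1\r\n"
    "Host: phishing.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=James&card_number=5231-1237-6428-6662&order_ref=1234567890123456"
)

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. This is only a candidate filter; the Luhn check decides.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Coarse issuer hint from the leading digits (well-known IIN ranges only)."""
    if digits[0] == "4":
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card-number-shaped strings found in text, separators removed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect_http_message(raw: str, direction: str) -> Dict[str, object]:
    """Apply the cookbook's rule to one HTTP message.

    direction is "up" for client-to-server data (a request body) or "down" for
    server-to-client data (a response body). The rule's Data Direction is Up, so
    card numbers flowing down are reported in the result but do not trigger Ask.
    """
    _, _, body = raw.partition("\r\n\r\n")
    hits = find_card_numbers(body)
    action = "ask" if direction == "up" and hits else "accept"
    return {"action": action, "matches": hits, "brands": [card_brand(h) for h in hits]}


if __name__ == "__main__":
    verdict = inspect_http_message(SAMPLE_UPLOAD, "up")
    print(verdict["action"], verdict["matches"], verdict["brands"])
```

Running the script prints the verdict for the constructed upload. Calling inspect_http_message with "down" instead of "up" shows why step 8 matters: the same number served back by the site is still detected but no longer triggers the Ask action.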



Task 2: New and Enhanced Revision Management Capabilities

Objective: A few minutes after the last policy installation, you get a phone call saying
there is a presentation in the conference room for a customer. The demonstration of
uploading a file to FTP, which worked this morning, is now blocked. This issue must be
fixed ASAP.

A short search in the logs leads to the conclusion that rule 21.3 in the Standard rulebase blocks all external file uploads to the 'Public FTP Server'.

1. Although it is easy to navigate from a log to the relevant rule, in this demo, we’ll use
a new rulebase feature called “go to rule”:
 Press Ctrl+G, enter 21.3, and click OK.

 Quickly navigate to a rule in your policy by the rule’s number or the rule’s UID.

2. While the rule is selected, get more information in the rulebase bottom pane:
i. Open the Summary tab. According to the Additional Rule Info, the rule was created as part of a specific ticket.
ii. Open the History tab and set the search's time frame to 'All Time'.

You can see that Paul made this change, and you prefer to talk to him first.

The bottom pane provides additional information for a selected rule. This information lets you make changes with more confidence.

 As you understand, this connectivity issue must be fixed immediately and you don't have time to investigate it in depth. You want to get back to the last known working point as soon as you can.

R80 and higher have a built-in revision mechanism. The quickest way to get back to a working environment without reverting your management configuration is to re-install a specific known-good version on the gateway. Note that this changes only what the gateway enforces: the management database, including the faulty change, is left as it is, so the mistake still has to be corrected and published afterwards.



 Install a specific version:
1. Go to the Installation History of the Access Policy:
Access Control > Access Tools > Installation History

2. Select CP-GW.

 At the bottom you can see all revisions that have been installed on this Gateway.

3. Select the policy installed on 4/13 and click 'View Installed Changes'.

The installed version includes two published revisions: one holds your changes, the other holds Paul's.

This issue needs additional investigation.

4. To resolve the connectivity issue, select Walter's revision from 4/5 and click 'Install Specific Version'. Confirm: click 'Install' and select 'Yes' to continue.

 Once connectivity is restored, Paul realizes he made a mistake. The ticket says 'block download from Public FTP Server', but he set 'Any Direction' in the Content column, so uploads were blocked as well.

 R80 and higher offer tools that let you make changes with confidence. Revisions are saved automatically, and you can switch the gateway to a specific IPS version or a specific Access Control policy version to recover from mistakes that break connectivity in a faster, safer and easier way.



Task 3: Policy Readability, Session Changes and Search Capabilities
Objective: As part of a task force effort to make the policy clearer, your manager asked you to use R80.10's layers and sub-policies.
In this task you'll encapsulate all RDP-related rules into an inline layer and attach it to a parent rule.

To help you complete your task with confidence, you will use management tools such as Packet Search and the Session pane.

1. Click Security Policies (main navigation buttons on the left hand side)

2. Make sure the Standard policy is open

3. Click ‘Policy’ to view the rulebase

4. Click in the search bar of the policy and see predefined Search Tokens for searching
the access policy.

5. Click the ‘Services’ token, enter ‘Remote_Desktop_Protocol’ and click the icon.

6. Reviewing results, you realize that only rules 37-40 are candidates to be part of your
new inline layer.

7. Clear the search bar by clicking the button on the search bar.

8. Navigate to the RDP Exceptions section (rules 37-40) and create a new rule below it:
i. Right-click the section and select New Rule > Below.
ii. Name the rule ‘RDP Parent rule’.

9. In the ‘Service & Application’ column, open the picker and select these services:
i. Remote_Desktop_Protocol
ii. Remote_Desktop_Protocol_UDP



10. In the 'Action' column, set the action to an inline layer:
i. Right-click in the cell and select Inline Layer > New layer…
ii. In the window that opens, set the inline layer name to RDP Exceptions.
iii. Click OK

11. Move rules 38-41 to the newly created inline layer (above the layer’s cleanup rule)
i. Select the rules.
ii. Right-click the selection and then click ‘Cut’.
iii. Right-click on rule 37.1 and then click ‘Paste -> Above’

Notice the purple marks along the scroll bar. You can use them to quickly navigate to edited rules.

R80 versions introduce fast navigation features. Click the hamburger icon on top of the scroll bar, and the one on the right hand side when a section header is selected, to explore the fast navigation options.

 You made a major change, so before installing the policy, you would like to check
yourself. Use the Packet Search feature to simulate relevant traffic and make sure it
gets into your inline layer.

12. Click in the search bar of the policy and type the following query:
i. To use 'mode:Packet', click in the search bar, and under the Packet Mode section click On.

All search results match the parent rule and one of the rules of the 'RDP Exceptions' layer.

Packet Search resolves 'Any' cells, negated cells and address ranges the way the gateway does: it simulates the gateway's rule matching for the described packet rather than searching the rulebase text.

 Before installing the policy you would like to review your changes.

13. Click ‘Manage & Settings’ from the main navigation buttons on the left hand side.

14. Click ‘Preferences’.

15. In the 'Check Point Lab' section at the bottom, select 'Enable Session Pane – Review all changes before publish'.



16. On the far right hand side of the screen, open the ‘Session’ pane (below the
‘Validations’ pane) and review all changes made in session.

The Session pane in SmartConsole is where you can review the changes made in your session before you publish them. In R80.10 it is available as part of the 'Check Point Lab' features.

17. After seeing that changes are correct, publish them: click ‘Publish’ at the center top
of the console. In the pop-up window, click ‘Publish’.

18.  Install the policy: click the ‘Install Policy’. In the pop-up window, click ‘Install’.

19. Simulate traffic:

o Open the Windows Remote Desktop Connection utility (from the desktop link or the Start menu).
o Connect to 10.10.10.25 and verify that you are blocked.

20. Explore the Logs:

o Click Logs & Monitor from the main navigation buttons on the left hand side.
o Click in the search bar of the view and type this query:

o Double-click the first row in the filtered results.
o Click the 'Matched Rules' tab and review the rule hierarchy leading to the final reject decision.
o Click the "Block all other RDP attempts" rule name in the table, and close the Log Details card to see the actual rule.

The Matched Rules tab lists all the rules, across layers, that a connection matched on the way to the final decision.

 In this exercise, you became familiar with these R80.10 features:

 Inline Layers are sub-policies. They separate the policy into independent segments, which gives separation, delegation and sharing.
 Packet mode search simulates policy match logic similar to the gateway's logic.
 'Session' pane allows a review of the changes done in your session before publishing.



Task 4: Policy Readability, Layers Reuse
Objective: Access to Microsoft AD Domain Controllers in our organization is provided
according to a predefined set of permissions, used across our organization.

Our New York office has deployed a new local Domain Controller; they would like us to
provide the necessary access to it.

In this task, you’ll be using the ability to share a sub-policy (inline layer) across multiple
places in your policy.

1. Click Security Policies from the main navigation buttons on the left hand side

2. Make sure the Standard policy is open

3. Notice rules 27-31 and rules 32-36, describing the same set of access permissions
provided to MS Domain Controllers over two different sites (Moscow & UK)

Before R80.10, we would have copied this set of 5 rules to the NY Rules section and changed the source and destination to the NY office servers.

4. Go to rule number 22 ‘HQ Domain Controllers Access’ and expand its inline layer:
click the black triangle on the left.

The Microsoft AD Services layer provides the same set of 5 AD service permissions as used in the Moscow and UK offices.

5. In the Action column, right-click Microsoft AD Services > Inline Layer > Edit Layer…

6. Verify that 'Multiple policies and rules can use this layer' is selected and click OK.

 Microsoft AD Services is a Firewall-only layer.

Layers can be enabled with Firewall, Applications & URL Filtering, Content Awareness and/or Mobile Access capabilities; the blades enabled on a layer determine which columns its rules can use.

7. Go to the NY Rules section (rules 25-26) and create a new rule below it: right-click
the section > New Rule > Below.

8. In the ‘Source’ column, open the picker and select ‘NY Lan’.



9. In the ‘Destination’ column, open the picker and select ‘NY Domain Controller’.

10. In the ‘Action’ column, select Inline Layer > Microsoft AD Services.

In the above example we shared the same layer within the same policy. Layers can also be shared across different policy packages.

 Using layers, we shared the same set of access rules in different places across the policy instead of copying the set of rules for each site. This is very helpful when a change is needed, because a single change in the layer automatically applies everywhere the layer is used. The same holds for mistakes: before editing a shared layer, check where it is used, because a wrong edit is enforced at every site at once.
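To make the layer semantics from Task 3 (parent rule, inline layer, the Matched Rules chain, and Packet Search's handling of 'Any' and negated cells) and from Task 4 (one layer object used by two parent rules) concrete, here is an added Python model written for this page; it is not Check Point's code. It does first-match evaluation over a constructed policy fragment. The networks, service names, rule numbers and the AD service list are assumptions for the example; only the 10.10.10.25 RDP target and the rule names come from the lab.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "Any"


@dataclass
class Layer:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Rule:
    name: str
    source: str = ANY          # CIDR, "!CIDR" for a negated cell, or Any
    destination: str = ANY
    services: tuple = (ANY,)   # service names, or (Any,)
    action: Union[str, Layer] = "accept"   # "accept", "drop", or an inline Layer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def cell_matches(cell: str, addr: str) -> bool:
    """Any matches everything; a leading '!' negates the cell, as Packet Search does."""
    if cell == ANY:
        return True
    negated = cell.startswith("!")
    inside = ip_address(addr) in ip_network(cell.lstrip("!"))
    return inside != negated


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (cell_matches(rule.source, pkt.src)
            and cell_matches(rule.destination, pkt.dst)
            and (ANY in rule.services or pkt.service in rule.services))


def evaluate(layer: Layer, pkt: Packet, prefix: str = "") -> Tuple[str, List[Tuple[str, str]]]:
    """First-match walk of a layer; returns (final action, matched rule chain).

    The chain is what the Matched Rules tab shows: the parent rule, then the rule
    inside the inline layer that decided the connection.
    """
    for idx, rule in enumerate(layer.rules, start=1):
        number = f"{prefix}{idx}"
        if not rule_matches(rule, pkt):
            continue
        if isinstance(rule.action, Layer):
            # Parent matched: the decision is made inside the inline layer. A miss
            # there ends at the layer's cleanup, never back in the rules below the parent.
            action, chain = evaluate(rule.action, pkt, prefix=f"{number}.")
            return action, [(number, rule.name)] + chain
        return rule.action, [(number, rule.name)]
    return "drop", [(f"{prefix}cleanup", f"implicit cleanup of {layer.name}")]


# Constructed policy fragment modelled on Tasks 3 and 4 (assumed objects, see lead-in).
AD_SERVICES = Layer("Microsoft AD Services", [
    Rule("Kerberos", services=("kerberos",)),
    Rule("LDAP", services=("ldap", "ldap-ssl")),
    Rule("DNS", services=("domain-udp", "domain-tcp")),
    Rule("SMB", services=("microsoft-ds",)),
    Rule("Block other DC traffic", action="drop"),
])

RDP_EXCEPTIONS = Layer("RDP Exceptions", [
    Rule("Block RDP from outside HQ", source="!10.10.0.0/16", action="drop"),
    Rule("Helpdesk to jump host", source="10.10.20.0/24", destination="10.10.10.25/32"),
    Rule("Block all other RDP attempts", action="drop"),
])

STANDARD = Layer("Standard", [
    Rule("HQ Domain Controllers Access", source="10.10.0.0/16",
         destination="10.10.10.5/32", action=AD_SERVICES),
    Rule("NY Domain Controllers Access", source="10.30.0.0/16",
         destination="10.30.0.5/32", action=AD_SERVICES),   # same Layer object: shared
    Rule("RDP Parent rule",
         services=("Remote_Desktop_Protocol", "Remote_Desktop_Protocol_UDP"),
         action=RDP_EXCEPTIONS),
    Rule("Cleanup rule", action="drop"),
])


def shared_layer_change_demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Add one rule to the shared AD layer and show both sites pick it up.

    Returns ((HQ verdict, NY verdict) before, (HQ verdict, NY verdict) after).
    """
    hq = Packet("10.10.1.10", "10.10.10.5", "ldap-gc")
    ny = Packet("10.30.1.10", "10.30.0.5", "ldap-gc")
    before = (evaluate(STANDARD, hq)[0], evaluate(STANDARD, ny)[0])
    if not any(r.name == "Global Catalog" for r in AD_SERVICES.rules):
        # Paste above the layer's explicit block rule, as the cookbook does.
        AD_SERVICES.rules.insert(-1, Rule("Global Catalog", services=("ldap-gc",)))
    after = (evaluate(STANDARD, hq)[0], evaluate(STANDARD, ny)[0])
    return before, after
```

evaluate(STANDARD, Packet("10.10.30.5", "10.10.10.25", "Remote_Desktop_Protocol")) returns the drop verdict together with the chain [("3", "RDP Parent rule"), ("3.3", "Block all other RDP attempts")], which is the hierarchy step 20 of Task 3 reads off the Matched Rules tab; shared_layer_change_demo() shows the Task 4 point, a single edit to the shared layer changing the verdict for both the HQ and the NY parent rule.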
