Checkpoint CCSA R76 GAIA Nuggets

+++Security Mgmt Architecture (SMART)+++
- Console, Management & Gateway
Traffic Control Methods: Packet Filtering, Stateful (INSPECT engine), App Awareness
History of OSs: IPSO, SecurePlatform (SPLAT), GAIA
!CLISH is called SuperShell in GAIA
HQ-FW>
!Check policy installed on gateway
HQ-FW> fw stat
!Install default local policy
HQ-FW> fw fetch localhost
!To unload policy
HQ-FW> fw unload
Secure Internal Communication (SIC) - one-time password; once established, MGMT and gateway exchange certificates to communicate securely

+++NAT+++
Source
 *Ingress Pre | Post
 *Egress  Pre | Post
 The translation happens on the Pre (Egress)
Destination
 *Ingress Post | Pre
 *Egress  Post | Pre
 The translation happens on the Post (Ingress)

+++Policy Packages & Database Revision+++
Database Revision Control - a snapshot with all info (objects, etc.), easy rollback [File -> Database Revision Control]

+++SmartView Tracker+++
Modes: Log, Active, Audit
 Active - current connections
 Audit - shows who, when and what was changed
Queries: Predefined and Custom
Global Properties - control granularly how often it is logged
$FWDIR/log/ - logs are saved on the Management
Other event destinations - send all logs to another location
Manual Block - use in Active mode to block a connection
fw.log - default firewall log
To create a new log file: [File -> Switch Active File]
To open an old log file: [File -> Open in New Window]
Creating a new log file clears the Hit Count on the Policy
SmartLog can look at different log files
The current connections (Active tab in SmartView Tracker) are logged in fw.vlog
To manually block a connection, select the Conn. ID and go to Menu -> Block Intruder
 Blocking Scope: same Source and Destination and Service, or Source/Destination
 Blocking timeout: Indefinite, For xx minutes
 Force this blocking: Only on FW1-HQ, On any Security Gateway
The Management (SmartTracker) logs are located in fw.adtlog
Define how often a log entry is generated for the same "connection" (source, destination, protocol, port):
 Global Properties -> Log and Alert -> Time Settings -> Excessive log grace period
!Define where logs are stored and log rotation on the Management
 Edit Management object -> Logs -> Log Storage
 Note: it is possible to configure Log Forwarding
!How to save logs locally on a Security Gateway
 Edit Firewall object -> Logs

+++SmartView Monitor+++
Provides stats/status of: Gateways, Traffic, Counters, Tunnels
Requires licensing
!To configure a threshold: click on Gateway -> right button
!To activate the monitoring: File -> Tools -> Start System Alert Daemon
!Block Suspicious Activity Rules: on Top Services of the firewall you can select on the graph and block the traffic until a specific date/time
 Used for remediation, or to stop connected connections
FW1_sam - Suspicious Activity Monitor

+++User Management+++
LDAP
Accounts may be kept: Locally, LDAP, Radius, Tacacs, SecurID
LDAP Config:
 Enable User Directory (Global Properties)
 Create LDAP hook to server (Account Unit), under Servers and OPSEC Applications
 Create LDAP Group (links to Account Unit)

+++Identity Awareness+++
Identity sources: AD Query (Security Event Logs), Captive Portal (Browser), Agents (Endpoint or Terminal Services), VPN
3 steps: Enable blade, Create Access Roles (network and a user which belongs to a group) and use them in rules
We can select which interfaces run the Captive Portal
The Main URL by default uses the management IP address
On authentication it is possible to use Single Sign-On, Authentication method (username/password, Radius), User Directories (Internal users, LDAP users)
Captive Portal customization (only logos)

+++HTTPS Inspection+++
Setup:
-Enable on Firewall (HTTPS Inspection on Gateway)
-Manage certs
-Configure rules
We can prevent admin users from viewing logs about HTTPS Inspection
We can enable Captive Portal on Application & URL Filtering too
To apply rules for HTTPS Inspection go to Application & URL Filtering -> Advanced -> Policy
The certificate used by Captive Portal and HTTPS Inspection will be different

+++Application Control & URL Filtering+++
Protects against: Malware, B/W abuse, Non-approved sites
Steps: Enable blades on gateways, Add rules, Push policy

+++CLI+++
Modes:
 CLISH / SuperShell        prompt >
 Expert (Linux BASH shell) prompt #
tcpdump available in expert mode
Reasons to go to CLI: Load/unload policy, Linux-related checks, Status checks, Recovery

#get fw version
fw ver
#get fw interfaces
fw getifs

#On Manager
show users
add user Bubba uid 555 homedir /home/Bubba
set user Bubba newpass abc123$
delete user Bubba
add backup local
show backup status
#show local backups
ls -l /var/CPbackup/backups
#restore backup
set backup restore local
cpconfig   #SIC state
cplic check identity
cpstat os

#On Gateway
#show info about who is authenticated via portal
pdp monitor client_type portal
pdp monitor ip 10.1.1.50
#Revoke the access by deleting the session from the captive portal
pdp control revoke_ip 10.1.1.50
#Check policy loaded
fw stat

#On Manager
#Database Revision
dbver   (to go to submode)
create class-db-ver-from-cli
#shows all revisions on manager
print_all
#Using expert mode
fw logswitch
ls -l $FWDIR/log/*.log
#Capture traffic in expert mode (capture 40 bytes per packet)
fw monitor -l 40 -o capture.pcap

+++IPsec VPNs+++
Communities, Sites, Domains
Steps:
-Enable on gateway
-IP domain
-Create Community
-Add rules
Main mode requires 3 packets, and aggressive mode requires 3 packets
IKEv1: authentication, Data Integrity (MD5, SHA), encryption (DES, 3DES, AES)
VPN Domain: by default everything based on Topology info belongs to the VPN Domain
On VPN Blade tab, Community Types: Mesh and Star (Hub and Spoke)
VPN Tunnel Sharing: one VPN tunnel per pair of hosts / subnets / gateways
VPN Domain is regarding Networks; VPN Community is regarding VPN Members
#VPN tunnel utility on Firewall
vpn tu

+++Backup and Recovery+++
GAIA does not have sysconfig; instead it has the set command
Method       Size    Contents                      Interface
DB Revision  Small   Policy and Objects            Dashboard and CLI
Backup       Medium  GAIA Config and CP Database   CLI and HTTPS
Snapshot     Large   OS Partition and CP Database  CLI and HTTPS
#Do a backup
add backup local
show backups
show backup status

+++SmartUpdate+++
Packages, remotely upgrade: Gateway OS, Patches, Hotfixes
Sources: D/L Center, User Center, DVD
-Licenses stored in $FWDIR/conf
License Management:
 Central - links license to IP of Manager
 Local - links license to IP of Gateway
Associating Licenses with Gateways: Unattached / Assigned (to the gateway, but not working) / Attached (on gateway)
License is bound to the management IP
Checkpoint SmartUpdate Package Management - install new versions of OS
Licenses & Contracts - get all licenses or individually

+++Additional Check Point Features+++
SmartLog, SmartEvent, DLP, QoS, Desktop, IPS, Anti-Bot/Virus/Spam
Legacy User Authentication
-User Auth: telnet, rlogin, FTP, HTTP & HTTPS
-Session Auth: based on Agent (HTTP:900, TELNET:259)
-Client Auth: based on IP (HTTP:900, TELNET:259)
SmartEvent correlates events from all blades; it is possible to react to an event, e.g. blocking it for 10 minutes

+++Exam Success+++
Minimum 70%
http://www.checkpoint.com/support-services/training-certification/checkpoint-certified-security-administrator-ccsa/index.html
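Worked example of the Excessive log grace period behaviour described under SmartView Tracker (added here as study code, not from the course or from Check Point): repeats of the same (source, destination, protocol, port) inside the grace window are folded into the previous log entry instead of producing a new one, which is why Tracker can show fewer entries than connections. The 62-second window is assumed as the product default, and the events are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample events: (seconds since start, source, destination, protocol, dest port).
# Made-up values, not real firewall logs.
EVENTS: List[Tuple[int, str, str, str, int]] = [
    (0,  "10.1.1.50", "192.0.2.10", "tcp", 80),
    (5,  "10.1.1.50", "192.0.2.10", "tcp", 80),   # same 4-tuple inside grace -> suppressed
    (20, "10.1.1.50", "192.0.2.10", "tcp", 443),  # different port -> new entry
    (61, "10.1.1.50", "192.0.2.10", "tcp", 80),   # 61 s after last entry, grace is 62 -> suppressed
    (70, "10.1.1.50", "192.0.2.10", "tcp", 80),   # grace elapsed -> logged again
    (75, "10.1.1.51", "192.0.2.10", "tcp", 80),   # different source -> new entry
]

DEFAULT_GRACE_SECONDS = 62  # assumed default of the Global Properties setting

Key = Tuple[str, str, str, int]


def apply_grace_period(events, grace_seconds=DEFAULT_GRACE_SECONDS):
    """Return [(event, suppressed_repeats), ...] for the events that produce a log entry.

    A repeat of the same (source, destination, protocol, port) arriving less than
    grace_seconds after the entry that is still "open" for that key is not logged;
    it is counted against that entry instead. Once the window has elapsed the next
    repeat opens a fresh entry.
    """
    open_entry: Dict[Key, int] = {}   # key -> index into `logged`
    logged: List[list] = []           # each item: [event, suppressed_repeats]
    for ev in events:
        ts, src, dst, proto, port = ev
        key: Key = (src, dst, proto, port)
        idx = open_entry.get(key)
        if idx is not None and ts - logged[idx][0][0] < grace_seconds:
            logged[idx][1] += 1       # folded into the existing entry
            continue
        open_entry[key] = len(logged)
        logged.append([ev, 0])
    return [(ev, n) for ev, n in logged]


if __name__ == "__main__":
    for ev, repeats in apply_grace_period(EVENTS):
        ts, src, dst, proto, port = ev
        print(f"t={ts:>3}s {src} -> {dst} {proto}/{port}  (+{repeats} suppressed repeats)")
```

Shortening the grace period to 0 logs every connection, which is the setting to compare against when a detection rule seems to undercount.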