Hello and welcome again to Check Point Jump Start training. In this module, we will cover deploying a Check Point Security Gateway.

So we are going to look at network models. But this is not a networking class, so we're not going to spend a lot of time on the various models. But we will talk about packet filtering firewalls versus stateful inspection firewalls versus application layer firewalls. We'll also briefly cover how the firewall product can be deployed. We'll look at anti-spoofing, which is an integral feature of Check Point Security Gateways, and also security zones. And then we'll demonstrate the setup: adding that Security Gateway as an object into your Check Point configuration using SmartConsole.
So the OSI model, Open Systems Interconnection, has been around for a few decades, and again I'm not going to spend a lot of time on this. I want to note that on a Security Gateway, which again is just a Linux host, the firewall functionality is mostly implemented as a kernel module, and that kernel module, when it's loaded, essentially hooks itself in above layer two, where we've received packets from the wire or the fiber and done some decoding as necessary. Layer two would normally hand the packet up to layer three for routing: what's the next hop that this packet needs to be sent to to get to its final destination? But the firewall kernel sits between layer two and layer three. So as the packet is being passed up from layer two to layer three, the firewall kernel receives the packet and implements the functionality of the firewall, or most of it; there's some functionality that's implemented elsewhere. And when the firewall kernel is done with the packet, assuming that your security policy says forward this packet, allow this packet, accept this connection, the firewall kernel will hand the packet up to layer three. Perhaps the packet has been modified: perhaps it's been encrypted for a VPN, or perhaps network address translation has occurred. Layer three will then route the packet and send it down to layer two to be transmitted out the physical interface that's connected to the next hop. But the firewall kernel is hooked between layer three and layer two, so the outbound packet is also processed by the firewall kernel, and again at this point we may need to do network address translation or something else with the packet. Once the firewall kernel has completed processing of the outbound traffic, that packet is then passed down to layer two and transmitted to the next hop.
But in the OSI model, we have three distinct layers at the top: session, presentation and application. And that's not really how the Internet works. The Internet uses a simplified model, sometimes referred to as the TCP/IP model, and in this model there are four layers. We've combined the top three layers, the session, the presentation and the application, into just one, the application layer, and that reflects reality. Your web browser, for instance, implements session controls. It implements presentation, where we decide what kind of data am I sending, what kind of data am I receiving, how do I interpret that data, and also how do I encode this data so that it can survive a trip through, perhaps, a text-only connection. And then again the application layer, layer seven in the OSI model, where we implement the functionality of whatever protocol this is. If you're doing HTTP, we implement the HTTP protocol. If you're sending email, we implement probably the SMTP protocol.

Also, we simplify the bottom layers a little bit. We just combine layer one and layer two, the physical layer and the data link layer, into a network interface layer. And the job of that network interface layer is to talk to directly connected local area network hosts. But from the OSI model, we do use the Internet layer, the Internet Protocol version 4 or version 6, and the transport layer, which is typically TCP or UDP, but could be other protocols. The Internet layer gives us a source IP address and a destination IP address. The transport layer gives us, generally, with most transport protocols, the source port and the destination port, and the protocol itself: are we sending this as a UDP packet or a TCP packet? Destination port plus protocol, for example 443 TCP, is the service that I want. I'm going to connect out to whatever destination IP address, destination port 443, and I'm going to use the TCP protocol. Those two things, 443 TCP, indicate this is an HTTPS connection.
Check Point uses various technologies to enforce your security policy and make decisions about incoming and outgoing traffic. Should this be permitted? Should it not be permitted? Should I alter the traffic somehow?

And it starts with packet filtering. Packet filtering is the basic firewall functionality where we operate at layer three and layer four. So again, at layer three we're looking at the source IP address and destination IP address of the packet; at layer four we're looking at destination port and protocol. We don't normally care about the source port because that's usually randomly chosen by whatever client operating system is initiating the connection. But in some circumstances we do care about the source port. So packet filtering firewalls allow you to control network traffic based on layer three and layer four information.

However, they have some flaws, including the fact that in early packet filtering firewalls you had to have two sets of rules to allow, say, HTTP traffic. I would have to have one rule for the outgoing traffic that permitted destination port 443, protocol TCP, and a second rule for the incoming traffic, source port 443 TCP, the return traffic from the web server. Now, later packet filtering firewalls did away with that; it was sort of a pain to manage these pairs of rules. So, okay, a rule that allows traffic out implies that the return traffic is also allowed. We can do that. But another limitation of packet filtering firewalls is that they have to examine the rule set, they have to run the rules, for each packet in every connection, and that can take some CPU time. Also, packet filtering firewalls don't look at the higher layers. They don't have any intelligence to determine: is this a dangerous HTTP request that might be encoding some sort of SQL injection attack? They can't do that.
So stateful inspection was developed. When a packet arrives on the Security Gateway, we first of all determine: is this the start of a new connection? And if it's a TCP packet, that's easy to determine. With TCP, a connection is always begun by sending a TCP packet with no data, and the TCP header has one flag turned on, the SYN flag. And so if I get a packet and it is a TCP packet and only the SYN flag in that packet is turned on, then this is the start of a new TCP connection. If not, then this is not the start of a new TCP connection. With UDP, you don't have the three-way handshake that involves the SYN packet. So with UDP, we just sort of have to ask: have I seen this traffic before? If I haven't seen this traffic, then I'm going to call it a new connection.

And when we receive traffic that's initiating a new connection, we run the rules. We go through our firewall policy doing packet filtering, layer three and layer four level inspection, and determine: is there a rule that matches the properties of this traffic? If so, what's the action of the rule? And in Check Point the typical actions are drop, in which case we're done with the traffic, or accept, in which case the traffic is going to be allowed, pending other checks.

If we decide to accept the connection, we create a state table entry. The state table is essentially a hash table inside of the firewall kernel that allows us to quickly match subsequent packets and not have to rerun our rule set. We hash the source and destination IP address, the source and destination port (in this specific instance, the source port is important), and the protocol, TCP, UDP or whatever. We hash those five pieces of information together and we get essentially a memory location in this hash table, and at that position in the hash table we make a note saying this connection is permitted.

And so when we proceed through the establishment of a TCP connection, subsequent packets that arrive on the Security Gateway that are part of this connection, well, it's not a new connection, because these packets will not have only the SYN flag set. So this must be an existing connection. Hash those five values, and the resulting table location will tell us if this is a known, approved connection. If we don't have a state table entry for a packet that has arrived that is apparently part of an existing connection, then we're going to drop the packet for being out of state. And that helps protect against some forms of network scanning techniques that abuse the TCP protocol or other protocols to allow the attacker to fool some firewalls into thinking, you know, this traffic must be OK because it's not the start of a connection, it's the middle of a connection, I can pass it through.
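The following is an added example, not part of the Check Point training material and not Check Point code: a toy stateful inspection engine in Python that models what was just described. It applies the SYN-only test for a new TCP connection, runs a small layer 3/4 rule base once, records an accepted connection in a state table keyed on the 5-tuple so later packets in either direction skip the rules, and drops TCP packets that claim to be mid-connection without a state entry (the case an ACK scan relies on). The rule base, addresses and packet sequence are constructed for the illustration.

```python
"""Toy stateful inspection engine.

Added example for this module, not Check Point code: it models the SYN-only
test for a new TCP connection, the 5-tuple state table that lets later
packets skip the rule base, and the out-of-state drop. The rule base,
addresses and sample packets below are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    tcp_flags: int = 0  # only meaningful for tcp


# Constructed rule base, matched top-down, first match wins:
# (source network, destination network, destination port or None, protocol, action)
RULES = [
    ("192.168.1.0/24", "0.0.0.0/0", 443, "tcp", "accept"),  # internal -> HTTPS out
    ("192.168.1.0/24", "0.0.0.0/0", 53, "udp", "accept"),   # internal -> DNS out
    ("0.0.0.0/0", "0.0.0.0/0", None, "any", "drop"),        # cleanup rule
]

FiveTuple = Tuple[str, str, int, int, str]


def run_rules(pkt: Packet) -> str:
    """Layer 3/4 packet filtering: source/destination IP, destination port, protocol."""
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)
    for src_net, dst_net, dport, proto, action in RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (dport is None or dport == pkt.dst_port)
                and proto in ("any", pkt.proto)):
            return action
    return "drop"


def five_tuple(pkt: Packet) -> FiveTuple:
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)


def reverse_tuple(pkt: Packet) -> FiveTuple:
    """Key of the same connection as seen from the responder's side (return traffic)."""
    return (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)


class StatefulFirewall:
    def __init__(self) -> None:
        # The state table: a dict keyed on the 5-tuple stands in for the kernel hash table.
        self.table: Dict[FiveTuple, str] = {}

    def process(self, pkt: Packet) -> str:
        # 1. Known connection (either direction)? Accept without rerunning the rules.
        if five_tuple(pkt) in self.table or reverse_tuple(pkt) in self.table:
            return "accept"
        # 2. TCP that is not a bare SYN claims to be mid-connection, but we hold
        #    no state for it: drop as out of state (this is what defeats an ACK scan).
        if pkt.proto == "tcp" and pkt.tcp_flags != TCP_SYN:
            return "drop (out of state)"
        # 3. New connection (TCP SYN, or UDP we have not seen): run the rule base
        #    once and remember an accepted connection.
        action = run_rules(pkt)
        if action == "accept":
            self.table[five_tuple(pkt)] = action
        return action


def demo() -> List[Tuple[str, str]]:
    """Push a constructed packet sequence through the engine and return the verdicts."""
    fw = StatefulFirewall()
    seq = [
        ("syn out to https", Packet("192.168.1.10", "203.0.113.5", 51000, 443, "tcp", TCP_SYN)),
        ("syn/ack back", Packet("203.0.113.5", "192.168.1.10", 443, 51000, "tcp", TCP_SYN | TCP_ACK)),
        ("ack out", Packet("192.168.1.10", "203.0.113.5", 51000, 443, "tcp", TCP_ACK)),
        ("ack scan from outside", Packet("198.51.100.7", "192.168.1.10", 40000, 22, "tcp", TCP_ACK)),
        ("dns query out", Packet("192.168.1.10", "203.0.113.53", 53000, 53, "udp")),
        ("dns reply back", Packet("203.0.113.53", "192.168.1.10", 53, 53000, "udp")),
        ("unsolicited udp in", Packet("203.0.113.53", "192.168.1.10", 53, 53001, "udp")),
        ("telnet syn out", Packet("192.168.1.10", "203.0.113.5", 51001, 23, "tcp", TCP_SYN)),
    ]
    return [(label, fw.process(p)) for label, p in seq]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:24} -> {verdict}")
```

Note that the "unsolicited udp in" packet is dropped by the rule base, not by the state check: UDP has no SYN, so an unseen UDP packet is treated as a new connection and the rules decide, exactly as the transcript describes.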
Another thing that stateful inspection allows is this. When we have run our firewall policy, starting at the first rule and working our way down until a rule matches the properties of the packet, and that rule's action is accept, so we created the state table entry and we're going to allow this traffic through, we can then allow other types of policy to examine the traffic. For instance, network address translation policy can decide that we need to modify the source IP address of this outgoing packet to be, say, the firewall's external IP address, because we are doing network address translation of internal hosts.

But more than that, we have layer seven policy examine what we have. Now, at the start of a connection, the beginning of a TCP or UDP connection, we don't have any layer seven data yet, so the layer seven protections can't really do their job. But what they can do is say: this looks like an HTTP connection, I have protections that work on HTTP traffic, so when you get subsequent traffic for this connection, let me take a look at it. We add an entry to the state table for this connection saying that we need to do this sort of NAT rewriting, but we also need to pass the traffic to our Intrusion Prevention blade so it can examine it once we have layer seven data being transmitted.

So stateful inspection really improved throughput. But I think more importantly, it allowed layer seven inspection of traffic, and so we're not confined to just looking at source IP, destination IP, destination port and protocol.
That led to the development of the application layer firewall, where we have protections at really almost all of these layers. At the IP layer, we have protections against dangerous IP options and others. At layer four, the TCP level, we have the ability to determine that this is a TCP resource starvation attack, not normal TCP traffic, so I'm not going to allow this. And then at the higher layers, we have hundreds of layer seven protocols which various Software Blades implement protections for. And those Software Blades, if enabled, can examine the layer seven data of a connection, once we actually get to the point where we're transmitting layer seven data, and make decisions on whether or not this traffic should be allowed or dropped, or whether we should modify the traffic somehow for safety. And so that gives us the ability to implement intrusion prevention, but also to recognize botnet traffic, do URL filtering and anti-virus, and more.

So early application layer firewalls used various techniques, including proxy servers, but in Check Point the bulk of the layer seven protections are implemented in the firewall kernel. So they're very fast.
Now we'll talk a little bit about how you deploy a Check Point Security Gateway. A Security Gateway requires a management server to manage it, and we've already talked about deploying a management server appliance. So that sort of implies that we have a management server appliance and at least one Security Gateway appliance. In a very small shop, a very small deployment, that may not be necessary, and cost may be an issue, so I only want to buy one appliance. Well, you can do that, and the appliance can be both the Security Gateway and the Security Management Server on the same appliance. That's known as a standalone deployment, and it works, but there are some limitations. If you have a Security Gateway that's in a standalone deployment, it can't be clustered, so you can't do high availability with that Security Gateway. Being a management server requires a decent amount of memory and CPU time and disk I/O, robbing resources from the Security Gateway, which needs CPU to examine traffic and needs memory to hold stuff, so it can limit throughput.

The most common Check Point deployment is a distributed deployment, and in a distributed deployment you have a management server on another appliance. So the Security Gateway is not managed locally by a local management server; that would be a standalone. The Security Gateway is managed over the network from a management server. We already discussed Secure Internal Communication. In a standalone deployment, management server communications to and from the Security Gateway stay inside of the same host, so a simplified form of Secure Internal Communication is used. But across a network in a distributed deployment, we use the full Secure Internal Communication protocol to secure that traffic.
Now, on a Security Gateway, and I will demonstrate this, you have to configure the various interfaces that will be dealing with network traffic. I have an internal interface, I have a DMZ interface, I have an Internet-facing external interface, and I have a management interface on this Security Gateway appliance. Each of those interfaces needs to be configured at the operating system level. And then, when you have a new Security Gateway that you're adding to your deployment, you need to create an object in the SmartConsole application that represents that Security Gateway and establish SIC to that Security Gateway. As part of the initialization of that object, the network topology, that is the list of network interfaces, the IP address and subnet information for those network interfaces, and the default gateway information, will all be imported over SIC from the Security Gateway to the SmartConsole application to populate this new Security Gateway object.

The Security Gateway object will have a list of interfaces, the IP address of each interface and the subnet mask of each interface. Typically one of the interfaces, the one that connects out to the Internet, will be on the same subnet as the default gateway of this Security Gateway, because that's how routing works: I need an interface on the same subnet as the next hop, my default gateway, to be able to communicate with it. So the interface that is on the same subnet as the Security Gateway's default router, the default next hop, is the external interface. Every other interface is designated an internal interface.
This is used by anti-spoofing, and anti-spoofing is a protection that is on by default. It does not allow traffic from the wrong subnet in from a specific interface. So perhaps my internal network is a 192.168.1.0/24 network. With anti-spoofing protection enabled, the gateway will drop any traffic that arrives on that interface from a different subnet. So any traffic from 192.168.1.x that arrives on this internal interface, OK, we pass anti-spoofing. But if it comes from, say, 172.16.12.1, that's a different subnet; it doesn't match the subnet that this interface is connected to, so it's a spoofed packet. Somebody is forging the source IP address of outgoing traffic for some reason.

Sometimes anti-spoofing breaks valid traffic; it drops valid traffic. And when that happens, it's almost always because you have a more complicated network infrastructure connected to this interface than Check Point knows about. For instance, you may have another internal network, 172.16.12.0/24, that routes through the 192.168.1.0 subnet to the firewall. You have to configure the interface for the firewall to reflect the reality of your network topology: that it will see traffic from 192.168.1.0, but it will also see traffic from 172.16.12.0. And the way you do that is you create a network object that represents the 192.168.1.0 subnet, another network object that represents the 172.16.12.0 subnet, and a network group object that has as its members both of these network objects. And then in the Leads To field at the top of the Security Gateway interface topology settings, you override the default, This Network, which simply means: whatever the subnet of the network interface we're configuring is, we should only see traffic from its subnet. That's a very simplified view, but it's the default view. Instead, we want to override it and say, I have a specific network topology that you need to be aware of, and then you would select the network group that contains both the 192.168.1.0 network and the 172.16.12.0 network. It's currently grayed out because we have it set to the default of just using the interface's subnet.
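The following is an added example, not part of the Check Point training material and not Check Point code: a small Python model of the anti-spoofing check just described. It represents the per-interface topology (Leads To), compares the default This Network setting against a network group override for a second subnet routed in behind the same interface, and distinguishes the Prevent action (drop) from the Detect action (log only), which this module mentions later. The interface name, addresses and sample packets are constructed for the illustration.

```python
"""Toy anti-spoofing check.

Added example for this module, not Check Point code: it models the per-interface
topology ("Leads To") that anti-spoofing uses, the default "This Network"
setting versus a network group override, and the Prevent (drop) versus
Detect (log only) actions. Interface names, addresses and sample packets are
constructed for the illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

Network = ipaddress.IPv4Network
Topology = Dict[str, List[Network]]   # interface name -> networks expected behind it


def this_network(iface_addr_cidr: str) -> List[Network]:
    """Default topology: only the subnet the interface's own address sits on."""
    return [ipaddress.ip_interface(iface_addr_cidr).network]


def network_group(*cidrs: str) -> List[Network]:
    """Override: every network that is actually routed in behind the interface."""
    return [ipaddress.ip_network(c) for c in cidrs]


def anti_spoofing(src_ip: str, in_iface: str, topology: Topology,
                  action: str = "prevent") -> str:
    """Return 'pass' if src_ip may legitimately arrive on in_iface.

    Otherwise the packet is spoofed with respect to the configured topology:
    'drop' under Prevent, or 'detect' under Detect (logged, traffic continues).
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in topology[in_iface]):
        return "pass"
    return "drop" if action == "prevent" else "detect"


def demo() -> List[Tuple[str, str]]:
    """Evaluate constructed packets against the default and overridden topologies."""
    # eth1 is the internal interface, address 192.168.1.1/24 (constructed).
    default_topo: Topology = {"eth1": this_network("192.168.1.1/24")}
    # 172.16.12.0/24 reaches the firewall through 192.168.1.0 (constructed);
    # the group tells anti-spoofing that both networks sit behind eth1.
    group_topo: Topology = {"eth1": network_group("192.168.1.0/24", "172.16.12.0/24")}
    return [
        ("own subnet, default topology", anti_spoofing("192.168.1.50", "eth1", default_topo)),
        ("routed subnet, default topology", anti_spoofing("172.16.12.1", "eth1", default_topo)),
        ("routed subnet, group override", anti_spoofing("172.16.12.1", "eth1", group_topo)),
        ("truly spoofed, group override", anti_spoofing("10.9.9.9", "eth1", group_topo)),
        ("truly spoofed, detect mode", anti_spoofing("10.9.9.9", "eth1", group_topo, "detect")),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:34} -> {verdict}")
```

The second line of output is the "anti-spoofing breaks valid traffic" case: the 172.16.12.0 packet is legitimate, but the default topology does not know about it, so the fix is the group override in the third line rather than switching the interface to Detect or disabling the check.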
I want to point out that grayed-out button, Interface Leads to DMZ, the demilitarized zone. A demilitarized zone is sort of a widely accepted best practice where, if you have servers that must accept incoming connections from the Internet, you segregate, you isolate, those servers on a restricted network with its own hardware. You then lock down security policies: only the traffic that must be allowed in from the Internet is permitted, only the traffic that must be allowed out to the Internet is permitted, and the best case would be no traffic is permitted from the DMZ to my internal networks, because since the hosts, the servers in the DMZ, are directly exposed to the Internet, they're at a higher level of risk. Let's make it harder for an attacker to jump from a DMZ server host to an internal server by blocking traffic. That's not always possible, but allow only what must be allowed. This Interface Leads to DMZ button, what it actually does is inform some of the protections that traffic that comes in on this interface is from the DMZ, and so could be treated differently. And that's used, for instance, by the Anti-Virus Software Blade. You can configure it to examine traffic that's coming into your internal network, but not traffic that's coming into the DMZ network, because that's low risk and we don't need the overhead; things like that.

Also in this dialog box is the security zone. The security zone allows you to match traffic in your policy based on the type of interface the traffic arrived on. By default, internal interfaces are assigned to the InternalZone security zone, and your external interface, the interface that is connected to the subnet that your default gateway is on, is assigned to the ExternalZone security zone. And then these are objects that you can use to match rules in your policy: if the source is InternalZone and the destination is ExternalZone and the service is HTTPS, allow; we'll accept that traffic.
So I'm going to demonstrate finishing the configuration of a firewall host, adding that firewall host as a Check Point object, and setting up that object. At this point, I have my web browser connecting to the Web user interface of the Security Gateway appliance. And again, recall that you're going to get an SSL warning, because you're talking to a web server on a Linux host that initialized itself and created its own internal certificate authority, which is distinct from the Check Point management server's Internal Certificate Authority. I'm presented with a website certificate digitally signed by the Security Gateway's web server certificate authority, which I don't trust. And again, best practice would be: do not permit this sort of situation indefinitely. You should never be doing sensitive administration tasks like entering credentials over an SSL connection that's not secure. You're probably going to be OK. Yeah, probably. But why not be sure? So I did what everybody does: I clicked through the SSL warning. I have the login screen of the Web user interface. And like the management server, this Security Gateway appliance has not yet had the First Time Wizard run. So when I log in to the Web user interface, it presents the First Time Wizard.
I mentioned earlier that the images are distinct between the installation image for a management server and the installation image for a Security Gateway. This is the Security Gateway appliance, so it's running the Security Gateway operating system image. But it looks just like the management server First Time Wizard, at least to begin with. It allows me to configure the interface that will be used to manage this Security Gateway, and the IP address and subnet information for this first interface, eth0, was entered when I did the installation of the appliance. If you have a Check Point appliance, you probably don't have to install the operating system, but you have to do some setup. This is not a Check Point appliance, so I had to install the operating system, and just like on the management server, it wants some operating system level configuration. And again, you want to choose the hostname wisely. You don't want to have to change that. It's possible to change it, but it's a pain. And you need a DNS server IP address, so the Security Gateway host can resolve things like Check Point's update servers, so that it can download IPS signature updates, if you have that, and Anti-Virus signature updates, if you have that. But also, I talked about the Check Point Update Service Engine, CPUSE, and that will automatically check if there are any Gaia updates that are relevant for this host; it needs to be able to resolve the update servers.

Correct time is important between the Security Gateway and the management server, because Secure Internal Communication uses timestamps to prevent replay attacks and other things. Also, certificates have a limited validity, and so we have to have agreement about time between the management server and the Security Gateway. Best practice would be to set up your appliances to use Network Time Protocol to sync against a common set of NTP servers, which may be associated with your Active Directory deployment; if nothing else, you can use publicly available NTP servers. For this demonstration, I'm not going to set up NTP, but I do want to make sure the time zone is correct.
It offers to be a Security Gateway and/or a Security Management Server. You recall when I was running the First Time Wizard on the Security Management Server, it had no option to be a Security Gateway; that was grayed out, again because of the image. It also has an option to be a Multi-Domain Server, which is grayed out and cannot be selected, because this is a Security Gateway image. But you may want to do a standalone deployment, so it does offer the option of installing a Security Management Server as well, so this could be a standalone deployment, and that option is selected by default. So, important safety note: uncheck the Security Management product option on a Security Gateway unless you intend to do a standalone installation. If you don't uncheck that, it will be installed as a standalone installation, and then you will not be able to correctly establish management SIC from your actual management appliance.

Here I can also designate whether or not this appliance is going to be used as part of a cluster. There are currently two options for the clustering protocol, ClusterXL and Virtual Router Redundancy Protocol. I'm not going to set up clustering here, and you can leave this turned off, not part of a cluster, and then later enable it, so you don't have to make the decision yet.

A Security Gateway may have a DHCP-assigned external IP address. You may not have a static IP address, and so it's asking: is this a dynamically assigned IP address (DAIP)? Normally not, but possible. In this case, not.
And now I need to provide an activation key to bootstrap Secure Internal Communication. This activation key, which I have managed to type in wrong, is needed when you are creating the Check Point Security Gateway object in SmartDashboard: you provide the same activation key there. Meanwhile, as I install this Security Gateway and it completes the First Time Wizard, it finishes its configuration and it will restart the operating system, because now we know we're a Security Gateway, we're going to install the firewall kernel module and so on. When that is done, the Security Gateway will be a firewall, and it will have what's called the initial policy. I haven't yet sent a policy to the Security Gateway; it comes with an initial policy. That initial policy is very simple. It essentially says any network connections that this appliance wants to initiate out are allowed, and pretty much the only incoming connections that are permitted are the Web user interface, Secure Shell and Secure Internal Communication. We don't know who our management server is going to be yet, so we accept incoming Secure Internal Communication from any IP address. Oh, OK, that could be dangerous. So we protect it by a shared secret, this activation key. And when I create the object in SmartConsole, I provide the activation key and I tell SmartConsole to tell the management server to initialize Secure Internal Communication. There will be a challenge-response exchange, where the management server has to prove it's the correct, bona fide, genuine management server by demonstrating that it knows the activation key. And so if it knows the correct activation key: you're my management server, I will trust you, and we'll import the Internal Certificate Authority information and so on.
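The following is an added example, not part of the Check Point training material and not Check Point code. The module does not describe the SIC wire protocol, so this is a generic HMAC-based challenge-response standing in for the idea just explained: the gateway accepts an initialization attempt from any address, but only trusts the peer, and imports its Internal CA, once that peer proves knowledge of the one-time activation key, and a wrong key (like the one mistyped above) gets nothing. The key strings, the CA label and the nonce size are assumptions made for the example.

```python
"""Generic challenge-response over a one-time shared secret.

Added example for this module, not Check Point code and not the SIC wire
protocol (which the module does not describe): an HMAC-based stand-in for the
idea that the gateway accepts a SIC initialization attempt from any address
but only trusts the peer, and imports its Internal CA, once that peer proves
knowledge of the activation key. Key strings, the CA label and the nonce size
are constructed for the illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class Gateway:
    """Security Gateway side: holds the activation key only until trust is established."""

    def __init__(self, activation_key: str) -> None:
        self._key: Optional[bytes] = activation_key.encode()
        self._nonce: Optional[bytes] = None
        self.trusted_ca: Optional[str] = None

    def challenge(self) -> bytes:
        """Fresh random nonce per attempt, so a captured response cannot be replayed."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify_and_trust(self, response: bytes, ca_cert: str) -> bool:
        if self._key is None or self._nonce is None:
            return False  # already bootstrapped, or no outstanding challenge
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None
        if not hmac.compare_digest(expected, response):
            return False  # wrong activation key: not my management server
        self.trusted_ca = ca_cert   # import the peer's Internal CA as trusted
        self._key = None            # one-time key: no second bootstrap with it
        return True


class ManagementServer:
    """Management side: proves it knows the same activation key."""

    def __init__(self, activation_key: str, ca_cert: str) -> None:
        self._key = activation_key.encode()
        self.ca_cert = ca_cert

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def initialize_sic(gateway_key: str, mgmt_key: str) -> Tuple[bool, Optional[str]]:
    """Run one exchange; return (trust established?, CA the gateway now trusts)."""
    gw = Gateway(gateway_key)
    mgmt = ManagementServer(mgmt_key, ca_cert="ICA:mgmt-server")  # constructed label
    ok = gw.verify_and_trust(mgmt.respond(gw.challenge()), mgmt.ca_cert)
    return ok, gw.trusted_ca


def second_attempt_after_trust(activation_key: str) -> bool:
    """Once trust is established the one-time key is gone, so a repeat attempt fails."""
    gw = Gateway(activation_key)
    mgmt = ManagementServer(activation_key, "ICA:mgmt-server")
    first = gw.verify_and_trust(mgmt.respond(gw.challenge()), mgmt.ca_cert)
    second = gw.verify_and_trust(mgmt.respond(gw.challenge()), mgmt.ca_cert)
    return first and not second


if __name__ == "__main__":
    print(initialize_sic("s3cret", "s3cret"))   # matching key: trust established
    print(initialize_sic("s3cret", "s3cre"))    # mistyped key: no trust, no CA imported
```

The point the model makes is the one from the transcript: exposure of the SIC listener to any address is acceptable only because possession of the activation key is what gates trust, and the key is consumed by the first successful bootstrap.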
This device is going to be a Security Gateway, not a standalone installation, so it's not going to be a Security Gateway and Security Management Server. I confirm that I want the First Time Wizard to start the configuration process, and this is going to run for a while, so I'll pause and come back when it's completed.
At this point, the First Time Wizard has completed successfully. And as part of the First Time Wizard configuring a Security Gateway, it restarted the operating system. And when that happened, my Web user interface session was lost. It doesn't survive a reboot. You may recall with the management server, when the initial configuration completed there, it just took me into the Web user interface that you normally see on a Gaia host. I didn't have to log back in because there was no restart when the management server was configured. But there is a restart with a Security Gateway. And you can see the Web user interface looks the same on a Security Gateway versus a management server, because it's an operating system level thing, though the specific options on the left-hand menu differ a little bit. This doesn't offer me any options related to a management server.
Well, the next thing I want to do is configure the other network interfaces. So this device has three physical interfaces: eth0, which is my management interface, and that's already set up; that's how I'm communicating with the Gaia host. And next, I want to configure the internal network interface. It's important to select that Enable box; that actually brings the link up when you apply the new configuration. The Comment field is entirely optional; it's really just displayed here in the Web user interface, and if you use the CLI, it's displayed there. Then I'm going to go ahead and use the 192.168 network for this example, and a subnet mask of 255.255.255.0, which is equivalent to a /24. And when I click OK, that configuration change is applied, and you can see, scrolling off to the right a little bit, it has the comment really squished down there. I also want to configure the external interface; again, I want to make sure it's enabled. Now my interfaces are configured. Another thing I should do is set up at least one default gateway, and add routes as needed. So there is this default gateway object here in the Web user interface, but it doesn't have any IP addresses or interfaces assigned to it. I'm going to add an IP address for the next hop, the default gateway. This is going to be on the same subnet as my external interface's IP address. Now I have a default route out to the Internet.
I'll bring up SmartConsole, and I'm going to create a Security Gateway object. So up here, this allows you to create a new object; it's going to be a gateway object. I have two options for how I want to proceed in the SmartConsole GUI. I can use Wizard Mode, which is simplified, but I'm going to go ahead and choose Classic Mode so you can see more of the options. Right now it's busy creating this Security Gateway object and initializing it, and since we're on a virtual environment... You want to name the object the same hostname as you configured in the operating system. In the operating system, I used a-gateway; I'll use that here. Then provide the IP address that this management server should use to communicate with the Security Gateway. I'm going to use the management interface's IP address on the Security Gateway.

Secure Internal Communication: I have to provide the same one-time shared secret, the activation key, that I provided during the initial configuration wizard. Don't click OK; that's a trap. You need to click the Initialize button here. That transmits the activation key to the management server. The management server then establishes a connection to the Security Gateway and proves its identity by proving it knows the same activation key. The Internal Certificate Authority information from the management server is sent to the Security Gateway: this is your trusted certificate authority. Also, a certificate for the Security Gateway is digitally signed by the management server. So when the Security Gateway participates in future Secure Internal Communication, it proves its identity by presenting a certificate that is digitally signed by the Internal Certificate Authority that all of my Check Point components trust.

So once I OK out of that Secure Internal Communication dialog, the topology is fetched, and the gateway's topology is just a list of its network interfaces, their IP addresses and subnet masks, and the default gateway. So the default gateway is on the same subnet as eth2, so eth2 is automatically designated the external interface, and anything that doesn't have the default gateway on the same subnet is automatically designated an internal interface.
I'll go ahead and dismiss that. If I then select the object, you can see that the interfaces have been populated in this Security Gateway object, and if I edit a specific interface, I can see the properties of this interface: the fact that the topology for this interface is just the interface's subnet. I haven't said anything more, or more complicated. The security zone by default is not set, but you could do that by editing; you can specify a specific security zone. For instance, there is a WirelessZone for your guest WiFi, and a DMZZone, which is another way of designating that this interface is used for the DMZ. The Interface Leads to DMZ radio button that's grayed out essentially informs layer seven protections that this is the DMZ interface. The DMZZone security zone is just an object that you can use in your security policy to say, hey, if the traffic is coming from this DMZZone and the destination is my InternalZone... I'm going to leave it to the Check Point software to determine what the appropriate security zone is. Since this is an internal interface, it chooses InternalZone by default, and so I'll just select that.

And the anti-spoofing checks are enabled. You can disable anti-spoofing checks on a given interface, but if you do that, you will get warned incessantly. Every time you install policy, there will be warnings that this object has an interface that doesn't have anti-spoofing protection enabled. You can ignore the warnings. In my opinion, there's no compelling reason to disable the anti-spoofing protections. If traffic is being dropped for being spoofed, that probably means you need to go in and change the network topology settings from the default (hey, it's just whatever subnet this interface is on) and describe to Check Point what the actual network topology is behind that interface, and that will usually, almost always, cure your traffic being dropped for being spoofed. You can also disable it another way, by setting the protection's action to Detect instead of Prevent. That'll log when it sees spoofed traffic, but it won't drop it for being spoofed. Not a best practice.
I've configured my management interface
to be in the Internal Zone security zone.
The internal network interface
is being slow to edit.
I want to do a little bit more here.
I do want to set it to be the Internal Zone security zone as well,
but I also want to describe a more complex
internal network topology than
simply the subnet of this interface,
so I'm going to tell it I have a specific topology
to give it.
There are some predefined objects,
but none appropriate for this, so I'm going to create a new network object
that represents the primary internal network that this interface is on.
So this network has
the IP address range of 192.168.1.whatever;
that's a 255.255.255.0 subnet.
And the broadcast address option here is really just: if somebody sends traffic to 192.168.1.255,
which would be the broadcast address for this specific subnet,
should that be matched by this network object,
or should it not match?
And the default is
to let it match.
I'm going to create another network object to represent a different internal network that is routed through my internal 192.168.1 network.
Now I have these two network objects.
I can only
list one object here for the topology, so what I need to do is create a network group object containing the
internal network object that I created
and the other internal network object that I created.
Now that these two objects
are in this
network group object,
I select the network group object as the topology for the network that this interface is connected to,
and now anti-spoofing
for this interface will accept incoming traffic from the 192.168.1 subnet, but also from the 172.16.12 subnet.
For my third interface, the external interface,
I want to set the security zone
to be appropriate for the external interface.
And again, Check Point knows that this is the external interface because the subnet of this interface
is the same subnet as the default gateway for this host,
so this must be the interface that
leads to the default gateway. That's the interface that gets us out to the Internet,
and by default that is our external interface.
So for the external interface,
Check Point will automatically select the External Zone security zone object,
and anti-spoofing is a little bit different on an external interface.
When traffic is received on an external interface, we look to see: is the source IP address of this traffic
on any internal subnets
behind any of my internal interfaces? If so, why is the Internet
sending me traffic
that says it's from one of my internal networks?
That's spoofed, and I'll drop the traffic.
So on an external interface,
anti-spoofing checks to make sure that you aren't sending traffic from any internal network.
On an internal interface, anti-spoofing checks: is the traffic appropriate
to this interface? And by default,
is it the same subnet as this interface?
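To make the two anti-spoofing rules just described concrete (and the earlier point that the interface sharing a subnet with the default gateway is designated external), here is an added example in Python that models the decision. It is not Check Point code and not the course's own material: the interface names, addresses, the 172.16.12.0/24 second internal network and the 203.0.113.1 default gateway are constructed for illustration. A `Network` object carries the "match the broadcast address" option from the network object dialog, an interface with no explicit topology defaults to its own subnet, a network group is simply a list of networks, and the Detect action logs instead of dropping.

```python
"""Added illustration of gateway interface topology and anti-spoofing.

Not Check Point code. All addresses and interface names are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Network:
    """A network object; include_broadcast mirrors the broadcast-address option."""
    cidr: str
    include_broadcast: bool = True  # default in the course: let the broadcast match

    def contains(self, ip: IPv4Address) -> bool:
        net = ip_network(self.cidr)
        if ip == net.broadcast_address and not self.include_broadcast:
            return False
        return ip in net


@dataclass
class Interface:
    name: str
    address: str                              # address plus prefix, e.g. "192.168.1.1/24"
    topology: Optional[List[Network]] = None  # None = "just this interface's subnet"
    anti_spoofing: bool = True
    action: str = "prevent"                   # "prevent" drops, "detect" only logs

    def subnet(self) -> IPv4Network:
        return ip_network(self.address, strict=False)

    def networks_behind(self) -> List[Network]:
        # A network group is modelled as a list of Network objects.
        if self.topology is None:
            return [Network(str(self.subnet()))]
        return self.topology


def classify_interfaces(ifaces: List[Interface], default_gateway: str) -> Dict[str, str]:
    """The interface whose subnet holds the default gateway is external; the rest are internal."""
    gw = ip_address(default_gateway)
    return {i.name: ("external" if gw in i.subnet() else "internal") for i in ifaces}


def check_anti_spoofing(ifaces: List[Interface], default_gateway: str,
                        ingress: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` arriving on `ingress`.

    verdict is "accept", "drop" (Prevent) or "log" (Detect).
    """
    roles = classify_interfaces(ifaces, default_gateway)
    iface = next(i for i in ifaces if i.name == ingress)
    src_ip = ip_address(src)
    if not iface.anti_spoofing:
        return "accept", f"anti-spoofing disabled on {ingress}"
    spoofed = "drop" if iface.action == "prevent" else "log"

    if roles[ingress] == "external":
        # External rule: the source must not belong to any network behind an internal interface.
        for other in ifaces:
            if roles[other.name] != "internal":
                continue
            for net in other.networks_behind():
                if net.contains(src_ip):
                    return spoofed, f"{src} claims internal network {net.cidr} behind {other.name}"
        return "accept", f"{src} is not one of my internal addresses"

    # Internal rule: the source must be within the topology configured for this interface.
    for net in iface.networks_behind():
        if net.contains(src_ip):
            return "accept", f"{src} is within the topology of {ingress} ({net.cidr})"
    return spoofed, f"{src} is not behind {ingress}"


# Constructed gateway: eth0 uses a network group (two internal networks),
# eth1 is the management interface with the default topology, eth2 is external.
INTERNAL_GROUP = [Network("192.168.1.0/24"), Network("172.16.12.0/24")]
GATEWAY = [
    Interface("eth0", "192.168.1.1/24", topology=INTERNAL_GROUP),
    Interface("eth1", "10.0.0.1/24"),
    Interface("eth2", "203.0.113.2/24"),
]
DEFAULT_GATEWAY = "203.0.113.1"

if __name__ == "__main__":
    print(classify_interfaces(GATEWAY, DEFAULT_GATEWAY))
    for ingress, src in [("eth2", "192.168.1.50"), ("eth0", "172.16.12.7"), ("eth0", "10.0.0.5")]:
        print(ingress, src, check_anti_spoofing(GATEWAY, DEFAULT_GATEWAY, ingress, src))
```

The third sample packet shows the situation the course warns about: a legitimate internal address arriving on an interface whose topology does not list it is dropped as spoofed, and the cure is to widen that interface's topology (here, via the network group), not to turn the protection off.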
I've configured the
network interfaces
for this security gateway object.
I wanted to just briefly point out
the log option here.
By default, logs are sent to the security gateway's management server.
In a small deployment that's fine.
I may want to override the default log destination, and instead of sending it to my normal management server, I have a dedicated log server
that logs should go to.
A lot of, the bulk of, network traffic that passes from the Internet to your internal networks and back is HTTPS.
There's HTTP as well, but more and more websites are deploying HTTPS because certificates are now free
from certain certificate authorities.
There have been practical demonstrations of attacks on, for instance, session cookies
that, if you're using HTTP, are being transmitted in plain text and are susceptible to sniffing and copying.
So more and more websites are just
doing HTTPS all the time,
which is good. That's secure, but
the Layer 7 inspection protections lose visibility into HTTPS traffic because it's encrypted inside of a TLS tunnel.
The Check Point can intercept and decrypt
HTTPS. It can decrypt the TLS, and it does that by essentially launching a man-in-the-middle attack,
and as part of the man-in-the-middle attack,
the HTTPS inspection will create
a fake certificate
for the destination website. You were going to facebook.com; it will create a fake certificate that says it's for facebook.com,
and it will be digitally signed by a certificate authority that your web browsers don't trust by default.
So if you want to enable HTTPS inspection,
you either create a certificate authority
on the security gateway,
or you can create a certificate authority somewhere else, like Active Directory.
Then create a certificate for the gateway
that's digitally signed by your
Active Directory certificate authority
and import that
into the security gateway, so it's not using its own certificate authority. It's using a trusted
internal certificate authority, which again is not the Check Point Management Server Internal Certificate Authority.
That's only used for SIC.
Well, it's also used for other things, such as VPNs, but I digress.
Then activate the HTTPS inspection
software blade on this security gateway, and now the
HTTPS inspection policy will decide if a given HTTPS connection out to some destination website
should be decrypted or not,
but we're not going to set that up now.
I also want to just briefly point out the software blades here.
All of these checkboxes are software blades, which are really just additional functionality,
additional features that can be enabled on the security gateway.
Every security gateway must have the Firewall software blade
enabled, because that provides the packet filtering and stateful inspection, which are required to be a security gateway.
Which other blades you enable depends on what you've licensed,
so I save this object by clicking OK,
and what I've done has actually made changes to my Check Point configuration in this SmartConsole session.
And those changes
have yet to be published
to the master, if you will, Security Management Server database.
So if you have multiple administrators who are signed in via SmartConsole to the same management server, they can work concurrently,
but changes that I make are not available to other administrators until I publish,
so I can publish by clicking on this button here.
Best practice would be to include a description of what changes you're publishing,
though it's in the audit logs.
And then the publishing operation
should not take long. I'm on a virtual environment, so it'll take longer than normal.
Once the publishing operation is completed, then
up in the top of SmartConsole, you'll see the number of unpublished changes
goes away as I published the changes.
Also, my changes are now visible and accessible
to other administrators.
Any changes that they make and publish become visible to my SmartConsole.
It's down in the Gateways & Servers view.
There are two Check Point objects listed: the management server,
which created its own object as part of its initialization (it knows about itself), and the gateway.
We don't yet have status for the gateway.
Among other things, the gateway isn't properly licensed, nor is the management server. There's a
15-day trial period
where you don't need a license after the First Time Wizard completes.
When the 15-day trial is done, you need a license.
So I demonstrated
First Time Wizard final configuration of a security gateway,
and as part of that,
giving an activation key, which is used to bootstrap Secure Internal Communications with the Security Management Server.
We also looked at
creating the security gateway object in SmartDashboard
and configuring that object,
verifying that the topology is correct, that it's in the correct security zone.
We also looked at
creating a group of network objects
to facilitate a more complicated internal network structure,
so that this more complicated network structure doesn't have traffic dropped by the anti-spoofing protections.
That's it for this module. We looked at the firewall kernel just briefly
and network models:
packet filtering, which is Layer 3/Layer 4, versus stateful inspection,
which is Layer 3/Layer 4, but we can also designate traffic to be examined at higher layers,
which leads to the application layer firewall, which has Layer 7 awareness of protocols and can provide protections that are specific to a protocol.
We looked at the two major deployment options: standalone, where the management server is on the same host as the security gateway,
and distributed, which is the most common, where the management server is its own appliance and the security gateway is its own appliance;
anti-spoofing protection, which is on by default; and security zones, which you can use in your policy.
Thank you for attending this module of Jump Start training.