R75 Administrator
Eran Shaham
MCT, MCITP, CCNA, CCSE, WCI
Course Agenda
Module 1:
Check Point Three Tier
Architecture
Perimeter
Internal
Web
Brief Info
SmartConsole: a GUI client that has all the administrative tools installed.
SmartCenter Server: a database that contains the security policy (rulebase) for
the firewalls it manages.
Security Gateway: a firewall that scans and filters the traffic. Also called an
enforcement module.
SMny will be the SmartConsole and the SmartCenter Server.
SGny will be the Security Gateway.
Ldap will be an external server.
Module 2:
Implementing a Distributed
Installation
Win XP SP2
RAM is configured with 1 GB of memory
NIC is connected to vmnet1
CD is attached to an ISO image file
Floppy has been removed
SPLAT R75
RAM is configured with 768 MB of memory
NIC is connected to vmnet1 to SMny
NIC is connected to vmnet2 to DMZny (we will not use it in the course)
NIC is connected to vmnet3 to Ldap
CD is attached to an ISO image file
In SMny launch the setup application from the CD-ROM drive and press Next.
Choose New Installation.
Press Next and verify that Typical - Management is selected.
Press Next again.
Power up SGny.
Press the Enter key.
Press OK to start the installation of SPLAT.
Note that pressing ALT+CTRL will exit to the host. Clicking the mouse inside the
black window will let you configure SPLAT.
Moving inside the console is done with the arrow keys, the Tab key and the Enter key.
Don't press anything yet.
Press New -> Default Route and choose 172.17.2.1 with
metric 1. The new entry is now added to the routing table.
Press Finish and Start to send the configured settings to SPLAT.
After trust has been established, verify that the IP addresses and interfaces are
configured correctly. How did it know that eth2 is external?
Note that when the Red Door and the Crown are on separate objects,
it indicates a distributed installation.
Module 3:
Configuring The RuleBase
RuleBase flowchart
NYlan
NYdmz
Ldap_Server
Delete the CP_default_Office_Mode_addresses_pool network
Stealth Rule
Traffic Rules
Cleanup Rule
Remember that changes to the RuleBase take effect only after policy
installation. The current policy stays enforced until a new policy is installed.
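As an added illustration of the Module 3 layout (example code written for these notes, not Check Point's own), a small first-match rulebase evaluator with the Stealth rule first and the Cleanup rule last, plus a check that no accept rule above the Stealth rule can reach the gateway. The network addresses and the "LAN to DMZ web" rule are assumptions; only the object names come from the lab.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"
# Constructed network objects; the addresses are assumptions, only the
# object names (SGny, NYlan, NYdmz) come from the lab.
OBJECTS = {
    "SGny": ["172.17.2.2/32"],
    "NYlan": ["10.1.1.0/24"],
    "NYdmz": ["10.1.2.0/24"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"

def in_object(ip, obj):
    """True if ip belongs to the named network object ("Any" matches all)."""
    if obj == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[obj])

# Rulebase in the Module 3 order: Stealth first, traffic rules, Cleanup last.
RULEBASE = [
    Rule("Stealth", ANY, "SGny", ANY, "drop"),
    Rule("LAN to DMZ web", "NYlan", "NYdmz", "http", "accept"),
    Rule("Cleanup", ANY, ANY, ANY, "drop"),
]

def evaluate(src, dst, service, rulebase=RULEBASE):
    """First-match evaluation: return (rule name, action) of the first hit."""
    for rule in rulebase:
        if (in_object(src, rule.src) and in_object(dst, rule.dst)
                and rule.service in (ANY, service)):
            return rule.name, rule.action
    return "implicit drop", "drop"  # unmatched traffic is dropped but not logged

def stealth_is_effective(rulebase):
    """Check that no accept rule above the Stealth rule can reach the gateway."""
    for rule in rulebase:
        if rule.name == "Stealth":
            return True
        if rule.action == "accept" and rule.dst in (ANY, "SGny"):
            return False
    return False  # no Stealth rule at all
```

Remove the Cleanup rule and the last packet still falls to the implicit drop, which is why the explicit Cleanup rule exists: it logs what the implicit rule silently discards.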
Module 4:
Tracking Activity using
SmartView Tracker
Maximize the SmartView Tracker window and double-click the first
green HTTP line.
Module 5:
Filtering Offensive Web Content
Expand URL Filtering and review the settings in the right pane.
Press the Blocking Notifications option and write your own content.
Module 6:
Scanning the Network
On the Host and Service Discovery tab, deselect Host Discovery.
On the Scan tab, press the play button and watch the results.
Open SmartView Tracker and find the port scan attempt.
Module 7:
Deploying Site to Site VPN
We will use 4 virtual machines to configure a VPN between the sites of NY and
LA: SMny, SGny, SGla, PCla.
SMny will communicate with PCla via the VPN.
SGny will encrypt the traffic and SGla will decrypt it.
To summarize: traffic is encrypted only between the firewalls, which allows private data
to pass between the sites.
From the VMware menu choose File > Open and browse to the SGnyVPN folder. Click on the folder and then click on the SGny.vmx file.
From the command line change the date to reflect today's date in the
following format: Date MM-DD-YYYY.
Verify that the time is correct using sysconfig from the command line.
From the VMware menu choose File > Open and browse to the SGla
folder. Click on the folder and then click on the vmx file.
From the command line change the date to reflect today's date in
the following format: Date MM-DD-YYYY.
Verify that the time is correct using sysconfig from the command
line.
Notice that both gateway objects appear with a pink triangle in the
upper right of the object. It means that they are controlled by SMny
and connected to it via SIC.
From the License and Contracts menu choose Add License and
then From File
From the License and Contracts menu choose Add License and
then From File
In the License and Contracts Repository, highlight the line whose
type is Local in the right column.
Right-click the unattached license on the left and choose Attach
License.
Open SmartDashboard.
Double-click the SGny object, check the IPSec VPN checkbox and press OK.
Note that both objects now contain a lock symbol. This indicates VPN
capabilities.
Click the IPSec VPN tab. You can see the MyIntranet object, which
contains the common settings used to establish the VPN.
Note that the VPN rule states that when traffic passes between the networks,
the firewalls encrypt and decrypt it using the parameters defined in
the MyIntranet object.
Module 8:
Course Summary
ACL, encryption