Check Point Firewall Implementation Guide UTM-1&Power-1 v2.0

©2012 Check Point Software Technologies Ltd. All rights reserved. 1 Check Point Firewall Project Implementation Guide UTM-1/Power-1

Upload: shixiong-chen

Post on 19-Feb-2017

    Check Point

    UTM-1/Power-1

    Check Point UTM-1&Power-1 V2.0

    V2.0

    2011/06/01

    Check Point UTM-1&Power-1 V2.0

    V1.0 2011/7/30

    V2.0 2012/5/01 R75.40

    Check Point

    CHECK POINT .................................................................................................................... 1

    1 . ............................................................................................................................................... 9

    1.1 UTM-1 ........................................................................................................................................ 9

    1.1.1 UTM-1 .............................................................................................................. 9

    1.1.2 UTM-1 ........................................................................................ 10

    1.2 POWER-1 .................................................................................................................................... 10

    1.2.1 Power-1 .......................................................................................................... 10

    1.2.2 Power-1 .................................................................................................. 11

    1.3 ............................................................................................................................. 12

    1.4 UTM-1/ POWER-1 ...................................................................................................... 13

    1.4.1 ............................................................................................................ 13

    2 ............................................................................................................................... 13

    2.1 ..................................................................................................... 13

    2.1.1 Check Point ....................................................................................... 13

    2.1.2 UTM-1/Power-1 ............................................................................. 13

    2.2 ............................................................................................. 22

    2.2.1 ........................................................................................................ 23

    2.2.2 ................................................................................................ 25

    2.2.3 ........................................................................................ 33

    2.2.4 ................................................................................................ 37

    2.3 ................................................................................................................. 40

    2.3.1 .................................................................................................................... 40

    2.3.2 ........................................................................................................................ 43

    2.3.3 ........................................................................................................................ 49

    2.4 HA .................................................................................................................. 55

    2.4.1 SmartCenter ClusterXL .................................................................................. 55

    2.5 ..................................................................................................... 60

    2.5.1 ................................................................................................................ 60

    2.5.2 ................................................................................................................ 79

    2.5.3 ............................................................................................................ 81

    2.5.4 (NAT) ............................................................................................... 85

    2.5.5 OPSEC .................................................................................................... 89

    2.5.6 ............................................................................................................ 97

    2.5.7 ............................................................................................ 98

    2.5.8 ........................................................................................................ 98

    2.6 POWER-1 (COREXL) ..................................................................................................... 99

    2.6.1 CPU .............................................................................. 100

    2.6.2 CPU .............................................................................. 101

    2.7 SYSLOG SMARTCENTER ............................................................................................... 103

    3 (IPS) ...................................................................................................................... 105

    3.1 IPS .................................................................................................................................. 105

    3.2 IPS .................................................................................................................................. 106

    3.2.1 IPS ............................................................................................... 106

    3.2.2 IPS Profile ............................................................................................................. 108

    3.2.3 Protections ........................................................................................................... 111

    3.2.4 Geo Protection ..................................................................................................... 112

    3.2.5 Network Exceptions ............................................................................................. 113

    3.2.6 IPS ................................................................................................................ 114

    3.2.7 Follow Up ............................................................................................................. 115

    3.2.8 Advanced ............................................................................................................. 116

    3.3 IPS ............................................................................................................................. 116

    4 (IDENTITY AWARENESS) ................................................................................................... 117

    4.1 CAPTIVE PORTAL ............................................................................................................... 120

    4.2 (IDENTITY ACCESS) .............................................................................. 121

    4.3 (ACCESS ROLES) ............................................................................................. 122

    4.4 IP .............................................................................. 123

    4.5 CAPTIVE PORTAL ................................................................................................... 125

    5 SMARTEVENT ...................................................................................................................... 128

    6 URL (APP CONTROL & URL FILTERING) .................................................................. 132

    6.1 APPLICATION CONTROL .............................................................................................. 132

    6.2 USERCHECK ............................................................................................ 134

    6.3 URL FILTERING ......................................................................................................... 136

    7 HTTPS ........................................................................................................................... 138

    7.1 HTTPS ........................................................................................................ 138

    7.2 HTTPS INSPECTION ....................................................................................................... 138

    7.3 BYPASS HTTPS INSPECTION .......................................................................................................... 138

    8 (DLP) ............................................................................................................................ 139

    8.1 DLP ......................................................................................................... 139

    8.2 DLP ......................................................................................................... 139

    8.2.1 DLP Blade .................................................................... 139

    8.2.2 DLP .................................................................................. 139

    8.2.3 DLP .................................................................................. 139

    8.3 DLP :............................................................................................................ 140

    8.4 DLP ............................................................................................................. 140

    8.4.1 HTTP ..................................................................................... 141

    8.4.2 SMTP ........................................................................ 145

    8.4.3 FTP .................................................................................... 149

    9 ............................................................................................................................. 151

    9.1 ........................................................................................... 151

    9.2 ........................................................................................... 151

    9.3 ........................................................................................... 152

    9.4 ........................................................................................................... 153

    9.5 ............................................................................................................... 154

    10 (ANTI-BOT&ANTI-VIRUS) .................................................................................................. 155

    10.1 ............................................................................................................... 155

    10.2 ........................................................................................................... 155

    11 ................................................................................................................................. 157

    11.1 SMARTDASHBOARD ................................................................................................................ 157

    11.1.1 Database Revision Control ........................................................................... 157

    11.2 SMARTVIEW TRACKER ............................................................................................................. 163

    11.2.1 SmartView Tracker Mode ............................................................................................. 164

    11.2.2 ............................................................................................................. 165

    11.2.3 Filter ............................................................................................... 165

    11.2.4 Track ........................................................................................................ 166

    11.3 SMARTVIEW MONITOR ........................................................................................................... 167

    11.3.1 Monitor ........................................................................................................... 167

    11.3.2 Gateway ................................................................................................ 168

    11.3.3 Traffic .............................................................................................................. 169

    11.3.4 System Counters .............................................................................................. 170

    11.3.5 Tunnels ............................................................................................................ 170

    11.3.6 Remote Users .................................................................................................. 171

    11.3.7 SmartUpdate ................................................................................................................ 172

    11.3.8 ......................................................................................................... 173

    11.3.9 License ............................................................................................................. 174

    12 ................................................................................................................................. 176

    12.1 SECUREPLATFORM ........................................................................................... 176

    12.2 SMARTCENTER (UPGRADE_TOOLS) ........................................................................ 177

    13 ........................................................................................................................................ 180

    13.1 ............................................................................................................... 180

    13.1.1 Hardware Diagnostic Tool ............................................................................... 180

    13.1.2 .............................................................................................. 181

    13.1.3 I/O .................................................................................. 181

    13.1.4 ......................................................................................................... 181

    13.1.5 ......................................................................................................... 181

    13.2 ................................................................................................................... 181

    13.3 ....................................................................................................... 182

    13.3.1 .............................................................................. 182

    13.3.2 Coredump ................................................................................................. 182

    13.3.3 debug .............................................................................................................. 182

    13.3.4 zdebug ............................................................................................................ 182

    13.3.5 Debug FWD .......................................................................................................... 183

    13.4 ....................................................................................................... 184

    13.4.1 ................................................................................................................. 184

    13.4.2 ................................................................................................................. 184

    13.4.3 ......................................................................................................... 184

    13.4.4 : ................................................................................................................ 185

    14 ............................................................................................................................................... 186

    14.1 ....................................................................................................... 186

    14.2 ........................................................................................................... 186

    15 ............................................................................................................................................... 187

    15.1 SMARTCENTER ..................................................................................................... 187

    15.2 ....................................................................................................... 188

    15.2.1 .......................................................................................... 188

    15.2.2 .......................................................................................... 189

    15.2.3 X11 ......................................................................................... 189

    15.2.4 ......................................................................................................... 190

    15.2.5 ......................................................................................................... 191

    16 ........................................................................................................................................ 193

    16.1 +OSPF+ECMP ................................................................................................. 193

    16.1.1 ................................................................................................. 193

    16.1.2 IP .................................................................................................................. 194

    16.1.3 ................................................................................................................. 194

    16.2 +STATIC+ECMP ................................................................................................ 201

    16.2.1 ................................................................................................. 201

    16.2.2 IP .................................................................................................................. 202

    16.2.3 ................................................................................................................. 202

    16.3 HA +OSPF ................................................................................................................... 208

    16.3.1 ................................................................................................. 208

    16.3.2 IP .................................................................................................................. 209

    16.3.3 ................................................................................................................. 209

    16.4 HA +STATIC ......................................................................................................... 220

    16.4.1 ................................................................................................. 220

    16.4.2 IP .................................................................................................................. 221

    16.4.3 ................................................................................................................. 221

    16.5 HA +OSPF+ECMP ....................................................................................................... 228

    16.5.1 ................................................................................................. 228

    16.5.2 IP .................................................................................................................. 229

    16.5.3 ................................................................................................................. 229

    16.6 HA +STATIC+ECMP ...................................................................................................... 239

    16.6.1 ................................................................................................. 239

    16.6.2 IP .................................................................................................................. 240

    16.6.3 ................................................................................................................. 240

    1 .

    1.1 UTM-1

    1.1.1 UTM-1

    UTM-1

    Check PointUTM-1 VPN

    UTM-1

    Check Point

    IPSWEB

    UTM-1

    UTM-1 3076 UTM-1

    1.1.2 UTM-1

    1 LCD

    2 LCD

    3 USB

    4 Console

    5 Internal

    6

    1.2 Power-1

    1.2.1 Power-1

    Check Point Power-1

    Check Point IPsec VPN

    Gbps

    25 Gbps

    IPS 15 GbpsPower-1 11000

    Power-1 11000 Power-1

    : Power-1 HCC 11000 64 :

    Firewall Throughput 30Gbps

    Maximum concurrent HTTP connections 400

    Maximum HTTP connections rate HTTP 7

    1.2.2 Power-1

    CheckPoint Power-1

    1

    2 LCD

    3 LCD

    4

    5

    6

    7 USB

    8 8 1 GbE

    9

    1 GbE SR 4 ;1 GbE LR 4

    10 GbE SR 2 ; 10 GbE LR 2

    10 LOM

    1.3

    /

    SecurePlatform/

    SecurePlatform Pro

    CheckPoint UTM-1Power-1 Smart-1

    CheckPoint FirewallVPN

    sshweb IP

    SNMP CLI

    Source and Destination

    VPN

    Service

    Action

    Track

    Install-On

    time

    Implied Rules

    Global Properties

    Anti-Spoofing IP

    SmartView Tracker

    SmartView Monitor

    SmartUpdate license

    SmartReporter

    SmartEvent

    Expert SecurePlatform

    Unix

    IPS

    Security Gateway/

    Firewall Module

    Check Point

    SmartCenter

    Standalone() Distributed()

    Standalone

    Distributed

    SmartConsole

    (GUI) SmartDashboardSmartView Tracker

    SmartView Monitor SmartUpdate

    NAT

    SmartConsole

    SmartCenter

    License

    License

    Local License SmartCenter Standalone

    License IP

    Central License SmartCenter Distributed

    License IP

    1.4 UTM-1/ Power-1

    1.4.1

    UTM-1

    1.5G 4.5G UTM(

    )\VPNIPS

    Power-1

    9G 30G

    VPN

    UTM-1 Power-1

    2

    2.1

    2.1.1 Check Point

    Check Point UTM-1/Power-1

    R70 and R70.x releases

    R71 and all R71.x releases

    R75

    Check Point Support site http://support.checkpoint.com.

    2.1.2 UTM-1/Power-1

    UTM-1/Power-1 SecurePlatform

    UTM-1

    Power-1 HCC 64

    2.1.2.1 Console

    COM

    http://support.checkpoint.com/

    Console

    https://192.168.1.1:4434(), UTM-1

    WEB 2.1.2.2

    2.1.2.2 WEB

    console WEB

    1. pc (Internal)

    2. pc IP 192.168.1.10/24

    3. IE https://192.168.1.1:4434 admin

    https://192.168.1.1:4434/

    admin

    UTM-1

    6

    Save and Login

    UTM-1 Next

    ApplyNext

    IP

    IP

    External

    IP Apply

    connections IP

    Internal 192.168.1.1 IP

    Internal IP

    IP

    https://100.100.101.3:4434Next,

    New

    NewDefault Route

    https://100.100.101.3:4434/

    Next DNS

    Next

    Management Centrally Management

    SmartCenter Next

    Locally Managed SmartCenter

    Web SSH Web SSH

    Applyany WEB

    SSH IP

    HA HA Next

    Standard Gateway IP

    HAThis Gateway is a member of a Cluster.

    Smart Center SIC SIC Secure Internal Communication

    SSL SmartCenter Next

    SIC SmartCenter Next

    Finish

    10

    Check Point UTM-1 SmartCenter

    SmartCenter

    2.2

    Check point

    Check PointSmartCenter

    (SmartCenter) Check Point

    (SmartCenter)

    IP

    (SmartCenter)

    : SmartCenter Security Gateway Module

    ,SmartConsole SmartCenter

    check point

    1. SmartConsole ( SmartCenter)

    2. (),

    3. SmartCenter

    4. SmartCenter

    5. SmartCenter

    SmartCenter

    : Smart-1

    Smart-1 Smart-1

    2.2.1

    2.2.1

    PC Check Point

    http://www.checkpoint.com/services/techsupport/hcl/all.html

    OKDevice List

    US

    http://www.checkpoint.com/services/techsupport/hcl/all.html

    SmartCenter IP

    SmartCenter https 443

    : 4434 Smart-1 4434

    OK

    2.2.2

    Open Server

    IP https://192.168.1.1

    Smart-1 ;

    Smart-1 MGMT PC 192.168.1.100

    https://192.168.1.1:4434

    ===================================================================

    WEB

    ====================================================================

    I Accept

    admin,admin

    Ok,

    Forgot your password? Browse

    Send

    Next

    IP IPNext,

    Default Route

    Next

    DNS DNS Next

    IP SmartCenter

    SmartCenter Next

    Next

    SSH/WEB IP IP

    anyAdd

    Security Management

    Primary Security Management, HA

    Next

    SmartDashBoard GUI IP

    IP Add

    any IP

    SmartDashBoard GUI Add

    GUI

    SmartDashBoard admin******Apply

    Finish

    2.2.3

    (SmartCenter)

    SmartCenter Secondary SmartCenter SIC, 2.2.1.2

    Primary SmartCenter

    Primary SmartCenter

    Primary SmartCenter

    HA SmartDashboard

    Secondary SmartCenter 2.5

    SmartDashboard Primary SmartCenter Host IP

    SIC :

    Policy Global Properties Management High Availability SmartCenter

    Save SmartCenter

    log server SmartCenter log server

    log server Logs and Masters , Log Server

    log server

    Policy Management High Availability SmartCenter

    Read Only SmartCenter

    SmartCenter :

    Primary SmartCenter SmartView Tracker Primary

    SmartCenter Standby Failed to connect

    Read-Write Secondary SmartCenterSecondary

    SmartCenter Active;

    Primary SmartCenter Secondary SmartCenter log

    2.2.4

    SmartConsole SmartConsole

    https://Management IP:4434 Production Configuration Download SmartConsole,

    Next

    ==========================================================

    SmartConsole .Net 2.0

    ==========================================================

    Next,

    SmartConsole C

    Next

    Next,Finish

    SmartDashboard

    SmartCenter,

    2.3

    2.3.1

    2.3.1.1

    Web SecurePlatform

    Device Device Administrators

    web SSH

    2.3.1.2 NTP

    Device Date and Time

    Apply

    Device Date and Time Use Network Time Protocol (NTP) to

    synchronize the clock NTP NTP IP Apply

    2.3.1.3

    Network DomainApply

    2.3.1.4 SSHHTTPS

    SecurePlatform

    Device Web and SSH Clients IP

    Apply

    2.3.1.5 SNMP

    SNMP

    SNMP

    1. SecurePlatform

    2. Expert

    3. SNMP snmp service enable

    4. SNMP daemon

    a. cpconfig

    b. SNMP extensions

    c. y

    MIB (Management Information Base) Check Point MIB

    161

    5. SNMP

    ps aux | grep snmp
    netstat -an | grep 161
    ps aux | grep cpsnmp
    snmpwalk -c public -v2c 127.0.0.1 1.3.6.1.2.1 ( OS MIB)
    snmpwalk -c public -v2c 127.0.0.1 1.3.6.1.4.1.2620 ( the Check Point MIB)

    SNMP Agent

    $FWDIR/conf/snmp.C SNMP community name

    cpstop
    vi $FWDIR/conf/snmp.C community name
    =========================================
    :snmp_community (
    :read ()
    :write ()
    ==========================================
    cpstart

    2.3.2

    2.3.2.1 IPMTU

    IP eth1

    eth1

    IP Apply

    MTU

    connections IP

    2.3.2.2

    Vlan New

    VLAN

    InterfaceVLAN NumberIP

    connections

    2.3.2.3

    NewBond

    BondAvailable Add

    Selected Members IP

    IP BondLoad Sharing

    Advanced Bond Properties

    MTU LACP rate

    Lan2Lan3bond0

    bond0Delete

    2.3.2.4

    NewBond

    BondAvailable Add

    Selected Members IP

    IP BondHigh

    Availability

    2.3.2.5

    NewBridge

    BridgeAvailableadd

    Selected Members

    connections Bridge Lan2 Lan3


    br0Delete

    2.3.3

    2.3.3.1

    Network Route New Default Route


    GatewayApply

    2.3.3.2

    Network Route New Route

    Apply


    2.3.3.3 OSPF

    SecurePlatform OSPF SSH

    SecurePlatform Pro OSPF: pro enable

    SecurePlatform pro featuresreboot

    router OSPF

    Cisco

    [CPC]# router
    localhost>enable
    localhost#configure terminal
    localhost(config)#router ospf 1
    localhost(config-router-ospf)#router-id 127.1.1.2
    # OSPF router ID
    localhost(config-router-ospf)#network 100.100.101.0 0.0.0.255 area 0.0.0.10
    # OSPF
    localhost(config-router-ospf)#network 200.200.1.0 0.0.0.255 area 0.0.0.10
    # OSPF
    localhost(config-router-ospf)#redistribute direct
    (SPLAT web sysconfig OSPF)
    localhost(config-router-ospf)#redistribute kernel
    (OS OSPF)
    localhost(config-router-ospf)#restart-type signaled
    (Cluster OSPF failover)
    localhost(config-router-ospf)#exit
    localhost(config)#interface bond0
    localhost(config-if)#ip ospf 1 area 0.0.0.10
    localhost(config-if)#enable
    localhost(config-if)#exit
    localhost(config)#exit
    localhost#write memory ()
    localhost#quit
    [CPC]#

    localhost#show run

    [CPC]# router
    localhost>en
    localhost#show run
    Building configuration...
    router ospf 1
      restart-type signaled
      router-id 127.1.1.2
      network 100.100.101.0 0.0.0.255 area 0.0.0.10
      network 200.200.1.0 0.0.0.255 area 0.0.0.10
      redistribute kernel
      redistribute direct
    exit
    interface bond0
      ip ospf 1 area 0.0.0.10
    exit
    exit

    localhost#show ip ospf neighbor OSPF

    localhost#show ip ospf neighbor
    Routing Process "ospf 1":
    Neighbor 100.100.101.2, interface address 100.100.101.2
      In area 0.0.0.10 interface eth1
      Neighbor priority is 1, state is Full 6 state changes
      DR is 100.100.101.3 BDR is 100.100.101.2
      Options is 18
      Dead timer is due in 37 seconds
    Neighbor 100.100.101.2, interface address 101.100.101.2
      In area 0.0.0.10 interface eth4
      Neighbor priority is 1, state is Full 6 state changes
      DR is 101.100.101.3 BDR is 101.100.101.2
      Options is 18
      Dead timer is due in 32 seconds

    localhost#show ip route

    localhost#show ip route
    Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
           D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
           A - Aggregate
    O 0.0.0.0/0 [12/150] via 192.168.110.238, 00:22:17, eth0
                         via 192.168.110.238, 00:22:17, eth0
    C 1.1.1.0/24 [1/0] via 1.1.1.1, 00:22:54, eth7
    O 23.23.23.0/24 [12/10] via 101.100.101.2, 00:22:17, eth4
                            via 100.100.101.2, 00:22:17, eth1
    O 24.24.24.0/24 [12/10] via 101.100.101.2, 00:22:17, eth4
                            via 100.100.101.2, 00:22:17, eth1
    C 100.100.101.0/24 [1/0] via 100.100.101.3, 00:08:04, eth1
    O 100.100.102.0/24 [11/10] via 101.100.101.2, 00:22:17, eth4
                               via 100.100.101.2, 00:22:17, eth1
    O 100.100.104.0/24 [11/10] via 101.100.101.2, 00:22:17, eth4
                               via 100.100.101.2, 00:22:17, eth1
    O 100.100.105.0/24 [12/10] via 101.100.101.2, 00:22:17, eth4
                               via 100.100.101.2, 00:22:17, eth1
    C 101.100.101.0/24 [1/0] via 101.100.101.3, 00:22:54, eth4
    S 127.0.0.0/8 [0/0] via 127.0.0.1, 00:22:54, lo
    C 127.0.0.1/32 [1/0] via 127.0.0.1, 00:22:54, lo
    C 127.1.1.0/24 [1/0] via 127.1.1.1, 00:22:54, loop00
    C 192.168.110.0/24 [1/0] via 192.168.110.236, 00:22:54, eth0
    C 200.200.1.0/24 [1/0] via 200.200.1.2, 00:22:54, eth3
    C 200.200.2.0/24 [1/0] via 200.200.2.2, 00:22:54, eth2
    K 200.200.4.0/24 [0/40] via 200.200.1.4, 00:22:54, eth3
    localhost#

    2.3.3.4

    ECMP Hotfix /var/tmp

    1. dr_splat_979015002_2.tgz

    2. sim_979001003_1.tgz

    3. routeassistd

    4. routeassistdscript

    5. routeassistd /bin routeassistdscript /etc/init.d

    6. dr_splat_979015002_2.tgz sim_979001003_1.tgz

    ==================================================================
    [Expert@CPA]# tar xvfz dr_splat_979015002_2.tgz # Hotfix
    CPadvr-R75-00.i386.rpm
    [Expert@CPA]# rpm -ihv CPadvr-R75-00.i386.rpm #
    Preparing... ########################################### [100%]
    1:CPadvr ########################################### [100%]
    **************************************************************
    DO NOT FORGET TO:
    Log in again and run cpstart in order to activate the product.
    **************************************************************
    *******************************************************
    Check Point Advanced Routing R75 installation complete.
    *******************************************************
    [Expert@CPA]# tar xvfz sim_979001003_1.tgz
    [Expert@CPA]# rpm -ihv .rpm
    ===================================================================

    7. ECMP

    ECMP

    ECMP rc.local


    ===================================================================
    [Expert@CPA]# vi /etc/rc.local
    #!/bin/sh
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.
    touch /var/lock/subsys/local
    if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then
        # Register log rotation process
        . /opt/CPshared/5.0/tmp/.CPprofile.sh
        cpd_sched_config add RotateLogs -c /sbin/cp_logrotate -e 100 -s
    fi
    if [ -f /etc/rc.d/rc.local.user ]; then
        . /etc/rc.d/rc.local.user
    fi
    ip route add 200.200.4.0/24 nexthop via 200.200.1.4 nexthop via 200.200.2.4
    ip route add 23.23.23.0/24 nexthop via 100.100.101.2 nexthop via 101.100.101.2
    ~
    "/etc/rc.local": unmodified, readonly: line 1
    [Expert@CPA]# /etc/rc.local rc.local
    ===================================================================

    8. ECMP

    [Expert@CPA]# chkconfig --add routeassistdscript

    9.

    [Expert@CPA]# drouter stop ; drouter start #

    [Expert@CPA]# cpstop ; cpstart #

    2.3.3.5

    SSH router

    [Expert@CPA]# ip route
    224.0.0.2 dev lo proto gated scope link
    224.0.0.6 dev lo proto gated scope link
    224.0.0.5 dev lo proto gated scope link
    23.23.23.0/24 proto none
        nexthop via 100.100.101.2 dev eth2 weight 1
        nexthop via 101.100.101.2 dev eth3 weight 1
    8.8.8.8 via 100.100.101.6 dev eth1
    127.0.0.1 dev lo proto kernel scope link
    127.1.1.0/24 dev loop00 proto kernel scope link src 127.1.1.1
    100.100.101.0/24 via 101.100.101.2 dev eth4 proto none
    100.100.101.0/24 dev eth1 proto kernel scope link src 100.100.101.3
    100.100.102.0/24 via 100.100.101.2 dev eth1
    101.100.101.0/24 dev eth4 proto kernel scope link src 101.100.101.3
    23.23.23.0/24 via 101.100.101.2 dev eth4 proto none
    192.168.110.0/24 dev eth0 proto kernel scope link src 192.168.110.236
    200.200.4.0/24 proto none
        nexthop via 200.200.2.4 dev eth2 weight 1
        nexthop via 200.200.1.4 dev eth3 weight 1
    1.1.1.0/24 dev eth7 proto kernel scope link src 1.1.1.1
    100.100.104.0/24 via 100.100.101.2 dev eth1
    100.100.105.0/24 via 100.100.101.2 dev eth1
    200.200.2.0/24 dev eth2 proto kernel scope link src 200.200.2.2
    200.200.1.0/24 dev eth3 proto kernel scope link src 200.200.1.2
    24.24.24.0/24 via 100.100.101.2 dev eth1
    127.0.0.0/8 dev lo scope host
    [Expert@CPA]#
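To confirm after a reboot that the two multipath routes from rc.local are really installed with both next hops, the following is an added shell example, not part of the original guide; its sample routing table is constructed from the `ip route` listing above, and the list of prefixes expected to be multipath is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide). Parses `ip route` output and
# checks that the ECMP routes added in /etc/rc.local are installed with the
# intended number of next hops; run it after a reboot or a hotfix reinstall.

# Constructed sample mirroring the guide's `ip route` listing (the real
# command indents the "nexthop" lines of a multipath route).
SAMPLE_ROUTES='224.0.0.5 dev lo proto gated scope link
23.23.23.0/24 proto none
        nexthop via 100.100.101.2 dev eth2 weight 1
        nexthop via 101.100.101.2 dev eth3 weight 1
8.8.8.8 via 100.100.101.6 dev eth1
200.200.4.0/24 proto none
        nexthop via 200.200.2.4 dev eth2 weight 1
        nexthop via 200.200.1.4 dev eth3 weight 1
24.24.24.0/24 via 100.100.101.2 dev eth1'

# Read a routing table on stdin; print "<prefix> <next-hop count>" per route.
# A multipath route is a header line followed by "nexthop ..." lines; a
# single-path route has "via" (or "dev" for a connected route) inline.
count_nexthops() {
    awk '
        /^[ \t]*nexthop / { n++; next }
        {
            if (prefix != "") print prefix, n
            prefix = $1
            n = ($2 == "via" || $2 == "dev") ? 1 : 0
        }
        END { if (prefix != "") print prefix, n }'
}

# $1: routing table text; $2: expectations as space-separated "prefix=count"
# tokens. Prints one line per missing or degraded route; returns 1 if any.
ecmp_check() {
    printf '%s\n' "$1" | count_nexthops | awk -v want="$2" '
        BEGIN {
            n = split(want, toks, " ")
            for (i = 1; i <= n; i++) {
                split(toks[i], kv, "=")
                if (kv[1] != "") expect[kv[1]] = kv[2]
            }
        }
        { have[$1] = $2 }
        END {
            bad = 0
            for (p in expect) {
                if (!(p in have)) {
                    print p ": MISSING (want " expect[p] " next hops)"; bad++
                } else if (have[p] + 0 < expect[p] + 0) {
                    print p ": only " have[p] " of " expect[p] " next hops"; bad++
                }
            }
            exit (bad > 0)
        }'
}

# Stand-alone run: the two ECMP routes from the guide's rc.local.
ecmp_check "$SAMPLE_ROUTES" "200.200.4.0/24=2 23.23.23.0/24=2" && echo "ECMP routes OK"
```

On a gateway, replace the sample with `"$(ip route)"`; a route that lost a next hop after a link flap or a hotfix reinstall shows up as "only 1 of 2 next hops".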

    2.4 HA

    2.4.1 SmartCenter ClusterXL

    UTM-1 SmartDashboard Cluster

    SmartDashboard Cluster

    SmartDashboard, Smart CenterNetwork Object"Check

    Point"Security Cluster-->UTM-1/Power-1/Open Server Cluster/IP Series

    Cluster


    Wizard Mode Classic Mode Cluster

    Classic Mode, Don't show this again, Classic Mode

    Classic Mode Cluster Cluster

    Cluster IP IPHardwareVersionOS

    Cluster FirewallClusterXL


    "Cluster Members"Cluster Members SIC

    Cluster Member AddNew Cluster Member

    Cluster Member IP

    NameIP addressCommunicationSIC


    one-time passwordActivation Key

    Initialize SIC

    Test SIC Status SIC Status for CPA: Communicating

    CPA SmartCenter SIC CPB

    Cluster Member Cluster ClusterXL

    HA High AvailabilityMode New


    TopologyTopologyEdit

    TopologyTopologyGet All member

    topology IP

    anti-spoofing

    General Properties"Get OS".

    SIC SMC OS "SecurePlatform"

    OK License



    2.5

    2.5.1

    Check Point

    SmartConsole SmartConsole

    CheckPoint Configuration

    SmartDashboard

    SmartView Tracker

    SmartEvent

    Tools Check Point

    SmartEvent Intro SmartEvent

    SmartProvisioning

    SmartReporter

    SmartUpdate License

    SmartView Monitor

    SmartDashboard SmartCenter IP


    SmartDashboard Approve

    Fingerprint GUI

    2.5.1.1 HA Security Cluster HA

    Security Gateway Cluster

    2.5.1.1.1 Security Cluster

    SmartDashboardCheckPointSecurity ClusterUTM-1/Power-1/Open

    Server Cluster/IP Series


    Don't show this again, Classic Mode

    Cluster IP ()

    UTM-1 Power-1CheckPoint R75 Network Security

    Firewall Monitoring ClusterXL

    Cluster Members, Add, New Cluster Member


    IP Communication SIC

    One-time password cpconfig CheckPoint

    Activation Key Initialize

    : One-time password 2.4.1 Enter Activation Key:

    Trust state Trust established

    Test SIC Status Communicating

    (SmartCenter)


    Security Gateway member

    ClusterXL ClusterXLHigh AvailabilityMode

    New HA Upon Cluster Member recovery

    Active


    Topology Edit Topology get

    Get->All Members Interfaces


    Cluster Get Topology Cluster IP Network Objective

    IP

    1st Sync, 2nd Sync, 3rd Sync

    Anti-Spoofing Edit

    Topology External Anti-Spoofing


    Internal Network defined by the interface Anti-spoofing


    2.5.1.1.2 (Anti-Spoofing)

    Check Point

    Internet IP

    Anti-Spoofing

    Anti-Spoofing

    GroupSpecificGroup

    Perform Anti-Spoofing based on interface

    topology

    Group

    VPN Pool IP Internet

    Don't check packets from

    SmartDashboard

    Capacity Optimization


    2.5.1.1.3 Security Gateway

    SmartDashBoard Check PointSecurity Gateway/Management


    IP

    CommunicationSIC

    One-time password cpconfig CheckPoint Activation Key Initialize


    SIC(Secure Internal Communication)Topology

    GetInterfaces

    Anti-SpoofingEdit,


    TopologyExternalAnti-Spoofing

    InternalNetwork defined by the interfaceAnti-spoofing


    Capacity Optimization


    2.5.1.1.4 Log Switch

    SIC (SmartCenter)

    SmartCenter SmartCenter

    SmartCenter


    Log switch when file size is log switch

    Schedule log switch to log switch

    Required Free Disk Space

    Do not delete log files from the last

    Alert when the disk space is below

    Stop logging when the free disk

    space is below

    2.5.1.2 IP

    Network ObjectsNodes

    NodeHost

    IP Address

    OK


    General Properties

    Topology

    NAT NAT

    Advance

    2.5.1.3

    NetworkNetwork

    DMZInternal

    (Comment)

    General


    NAT NAT

    2.5.1.4 IP IP

    GroupSimple Group

    Simple Group

    Group With Exclusion

    Not in GroupIn Group

    OK


    2.5.1.5 IP(IP range)

    NetworkDo not show empty folders

    IP Range

    Address Range, Address Ranges

    IP IP OK .


    2.5.2

    2.5.2.1 TCP

    Check Point TCPUDPRPCICMP

    Services

    TCP TCPNew TCP

    TCP

    TCP UDP


    2.5.2.2 UDP Services

    UDP UDPNew

    UDP

    UDP

    RPCICMP TCP UDP


    2.5.3

    2.5.3.1

    SmartDashboardRules

    Bottom rule base

    Top rule base

    Below

    Above

    SmartDashboard ,

    Firewallrule base

    Firewall

    NAT NAT

    IPS IPS

    Application Control

    Anti-Spam & Mail

    Mobile Access VPN

    DLP

    Anti-Virus & URL Filtering

    IPSec VPN IPSec VPN

    QOS

    Desktop


    SOURCE, DESTINATION, VPN, SERVICE, ACTION

    NO

    NAME

    SOURCE

    DESTINATION

    VPN VPN

    SERVICE

    ACTION

    TRACK

    INSTALLATION

    TIME

    COMMENT

    2.5.3.2

    C FileServer

    SourceDestination


    2.5.3.3

    DMZ

    Internal VPN

    Add Section Title

    Add Rule

    Delete

    Copy

    Cut

    Paste

    Rule Expiration

    Add Section Title

    Hide

    Disable Rule(s)

    Select All

    2.5.3.4 (Rule Base)

    ;

    1.

    2.

    (Rule Base)

    3.

    (Rulebase)


    Standard

    SmartCenter

    SmartCenter

    SmartDashBoardFile New

    New

    Open

    Save

    Save as

    Delete

    Copy Policy to Package

    Database Revision Control

    Print

    Print Preview

    Print Setup

    Exit


    NewPolicy Package

    NAT Application Control QoS OK

    StandardOpenStandard

    2.5.4 (NAT)

    Check Point Static NAT NATManual

    NAT( NAT) Hide NAT( IP NAT)

    2.5.4.1 Hide NAT

    Hide NAT

    Internet Internet

    Internet

    Internet internet

    NATHide

    Network


    NetworkNAT

    Add Automatic Address Translation rules NAT

    Translation method

    Hide behind Gateway

    Hide behind IP Address IP

    Install on Gateway NAT

    OK NAT NAT


    NAT NAT

    Hide NAT

    2.5.4.2 Static NAT Static NAT NAT DMZ Internet

    Internet

    Node

    NAT

    NAT

    Add Automatic Address Translation rules NAT

    Translation method Static

    Translate to IP Address NAT

    Install on Gateway NAT

    NAT

    Any, Web-Server, http, Accept, log


    2.5.4.3 Manual NAT (Manual)NAT IP

    Internet

    HTTP FTP

    IP HTTP 80 FTP 21 A

    B NAT

    FW-Ext-IP,NAT NAT

    NAT Firewall

    2.5.4.4 IP Pool NAT

    IP Pool NAT Network Object

    NAT IP Pool


    IP Pool

    Manual NAT NAT Internal_Net

    NAT_IP_Pool

    NAT_IP_Pool

    TRANSLATED PACKET SOURCE

    Hide

    Internal_Net Internet

    2.5.5 OPSEC

    OPSEC Check Point Check Point

    Check Point

    OPSEC CISCO

    Check Point Radius, LDAP, TACACS, SecurID


    Radius LDAP

    2.5.5.1 Radius Radius VPN Radius

    Radius

    Services and OPSEC Applications New

    RADIUS

    RADIUS Server NameHostServiceShared Secret

    RADIUS RADIUS

    RadiusRadiusgeneric*

    External User

    ProfilesMatch all users


    generic*

    RADIUSRADIUS

    RadiusRadiusUser Group

    generic*Radius_User


    RadiusRadiusRadiusRadius

    RadiusVPNIPSEC VPN

    2.5.5.2 LDAP Check Point Microsoft Active Directory

    IPSEC VPN AD LDAP

    AD

    VPN LDAP SSL SecureClient VPN

    LDAP

    VPN

    A LDAP CheckPoint


    LDAP

    1. AD AD

    2. Active Directory Schema .dll () CMD

    regsvr32 schmmgmt.dll

    3. Administrator

    AD CheckPoint

    B CP

    SmartDirectory(LDAP)PolicyGlobal Properties

    SmartDirectory(LDAP) LDAPUse LDAP Account Management .


    SmartDirectory(LDAP) LDAP

    Services and OPSEC Applications NewLDAP Account Unit

    LDAP ServersAdd


    Profile LDAP

    389

    Encryption

    Host LDAP

    Port LDAP

    Username LDAP

    Login DN ADExplorer

    Password

    Branches in LDAP OU DN

    Add OU()


    LDAP LDAP

    MS_AD, LDAP

    LDAP Group Group VPN

    only Group in branch VPN users

    cn=VPN cn=users,DC=,DC=com. OU VPN

    User VPN LDAP

    SmartCenter LDAP Group LDAP

    VPN LDAP RemoteAccess VPN . LDAP

    VPN


    vpn_user@Any LDAP Group

    OPSEC TACACSSecurid

    Radius LDAPOPSEC

    2.5.6

    2.5.6.1 IPS IPS IPS, IP and ICMP Network Quota, Change Action, Prevent, Edit, Allow up to 100 connections per second from the same source.

    2.5.6.2 QoS

    QoS QoS

    Internet


    2.5.7

    Check Point 25000

    NetworkCheck Point

    Capacity Optimization

    Capacity Optimization

    UTM-1 576 500,000

    UTM-1 572 650,000

    Power-1 11095 2,000,000

    2.5.8

    SmartCenter TCPUDP ICMP

    SmartDashboardPolicyGlobal Properties


    Global PropertiesStateful Inspection

    TCP start timeout TCP

    TCP session timeout TCP

    TCP end timeout TCP FIN

    UDP virtual session timeout UDP

    ICMP virtual session timeout ICMP

    Other IP protocols virtual session timeout

    TCPUDPICMP

    TCP session timeout 600-900, TCP end timeout 5-10,

    2.6 Power-1 (CoreXL)

    Power-1 CPU CPU

    4 CPU 1

    ( dispatcher) 3 ( instance)


    8 CPU 2 6

    CPU CPU

    2.6.1 CPU

    expertcpconfig CPU

    [Expert@P5075]# cpconfig # cpconfig CoreXL
    This program will let you re-configure
    your Check Point products configuration.

    Configuration Options:
    ----------------------
    (1) Licenses and contracts
    (2) SNMP Extension
    (3) PKCS#11 Token
    (4) Random Pool
    (5) Secure Internal Communication
    (6) Disable Advanced Routing
    (7) Enable cluster membership for this gateway
    (8) Disable Check Point SecureXL
    (9) Configure Check Point CoreXL
    (10) Automatic start of Check Point Products
    (11) Exit

    Enter your choice (1-11) :9

    Configuring Configure Check Point CoreXL...
    ===========================================
    CoreXL is currently enabled with 3 firewall instances.
    # 3 CoreXL.
    (1) Change the number of firewall instances # CPU
    (2) Disable Check Point CoreXL # Check Point CoreXL
    (3) Exit

    Enter your choice (1-3) : 1 # 1 CPU
    This machine has 4 CPUs.
    How many firewall instances would you like to enable (2 to 4) [3] ? 2
    # 2 CPU
    CoreXL was enabled successfully with 2 firewall instances.
    Important: This change will take effect after reboot.
    Press Enter to continue...

    #

    CPU 2 CPU

    Active

    [Expert@P5075]# fw ctl multik stat
    ID | Active | CPU | Connections | Peak
    -------------------------------------------
     1 | Yes    | 2   | 2           | 2
     2 | Yes    | 1   | 2           | 2

    instance

    instance

    fw ctl multik stat 2 instanceID1 ID2 2

    CPU CPU1 CPU2

    [Expert@P5075]# fw ctl multik stat
    ID | Active | CPU | Connections | Peak
    -------------------------------------------
     1 | Yes    | 2   | 2           | 2
     2 | Yes    | 1   | 2           | 2

    instance CPU

    [Expert@P5075]# fw ctl multik -s -k 1 0

    instance ID 1 CPU0 instance ID1

    CPU2 CPU2

    Instance ID2 CPU

    [Expert@P5075]# fw ctl multik -s -k 2 0

    fw ctl multik stat instance Instance ID1 Instance

    ID2 CPU CPU1 CPU2

    [Expert@P5075]# fw ctl multik stat
    ID | Active | CPU | Connections | Peak
    -------------------------------------------
     1 | Yes    | 0   | 1           | 141717
     2 | Yes    | 0   | 1           | 142310

    2.6.2 CPU

    CPU

    CPU

    [Expert@P5075]# fw ctl affinity -l -a -v
    Interface Mgmt (irq 178): CPU all
    Interface Lan1 (irq 107): CPU all
    Interface Lan2 (irq 155): CPU all
    Interface Lan3 (irq 228): CPU all
    Interface Lan4 (irq 61): CPU all
    Interface Exp1-1 (irq 114): CPU all
    Interface Exp1-2 (irq 138): CPU all
    Kernel fw_0: CPU 2
    Kernel fw_1: CPU 3
    Kernel fw_2: CPU 1
    Daemon in.asessiond: CPU all
    Daemon vpnd: CPU all
    Daemon dtlsd: CPU all
    Daemon mpdaemon: CPU all
    Daemon in.aufpd: CPU all
    Daemon in.geod: CPU all
    Daemon fwd: CPU all
    Daemon cpd: CPU all
    Daemon cprid: CPU all
    [Expert@P5075]#

    [Expert@P5075]# sim affinity -s
    Usage : For each interface enter one of the following:
    Return - To keep the default values (appearing in [ ])
    all - To allow all processors for this interface
    List of processors - A list of processor numbers between 0 and 3
    Exp1-1 [0 1 2 3 ] : Mgmt [0 1 2 3 ] : 2
    Lan1 [1 ] : all
    Exp1-2 [0 1 2 3 ] : 3
    Lan2 [1 ] : all
    Lan4 [2 ] : all
    Lan3 [3 ] : all
    [Expert@P5075]#

    [Expert@P5075]# sim affinity -l -a -v
    # CPU core2 Exp1-1,Exp1-2 core3
    Exp1-1 : 2
    Mgmt : 0 1
    Lan1 : 1
    Exp1-2 : 3
    Lan2 : 0 1
    Lan4 : 0 1
    Lan3 : 0 1

    inbound/outbound CPU0, CPU1; CPU0 CPU1

    CPU3,CPU4 8 CPU

    CPU

    instance CPU

    instance CPU
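In the listings above, instance fw_0 and interface Exp1-1 both sit on core 2 and fw_1 shares core 3 with Exp1-2; Check Point's CoreXL tuning guidance is to keep the SND (interface) cores and the firewall instance cores disjoint. The shell function below is an added example, not from the guide: it parses `fw ctl affinity -l -a -v` and `sim affinity -l` output (both samples are constructed from the listings above) and reports every shared core.

```shell
#!/bin/sh
# Added example (not from the original guide). Lists CPU cores that are used
# both by a CoreXL firewall instance (fw_N) and by an interface's SND/IRQ
# affinity; Check Point's CoreXL tuning guidance is to keep the two apart.

# Constructed samples mirroring the guide's `fw ctl affinity -l -a -v` and
# `sim affinity -l` listings.
FW_AFFINITY='Interface Mgmt (irq 178): CPU all
Interface Exp1-1 (irq 114): CPU all
Kernel fw_0: CPU 2
Kernel fw_1: CPU 3
Kernel fw_2: CPU 1
Daemon fwd: CPU all'

SIM_AFFINITY='Exp1-1 : 2
Mgmt : 0 1
Lan1 : 1
Exp1-2 : 3
Lan2 : 0 1'

# $1: fw ctl affinity output, $2: sim affinity -l output.
# Prints "CPU <n>: <instances> shared with <interfaces>" for every shared core
# and returns 1 if there is at least one; instances bound to "all" cannot be
# checked this way and are ignored.
corexl_overlap() {
    {
        # "Kernel fw_0: CPU 2"  ->  "FW fw_0 2"
        printf '%s\n' "$1" | awk '
            /^Kernel fw_[0-9]+: CPU [0-9]/ { sub(/:$/, "", $2); print "FW", $2, $4 }'
        # "Mgmt : 0 1"  ->  "IF Mgmt 0" and "IF Mgmt 1"
        printf '%s\n' "$2" | awk -F' : ' '
            NF == 2 { n = split($2, c, " "); for (i = 1; i <= n; i++) print "IF", $1, c[i] }'
    } | awk '
        $1 == "FW" { inst[$3] = inst[$3] " " $2 }
        $1 == "IF" { ifs[$3] = ifs[$3] " " $2 }
        END {
            bad = 0
            for (cpu in inst)
                if (cpu in ifs) { print "CPU " cpu ":" inst[cpu] " shared with" ifs[cpu]; bad++ }
            exit (bad > 0)
        }'
}

# Stand-alone run against the constructed samples (three shared cores).
corexl_overlap "$FW_AFFINITY" "$SIM_AFFINITY" || echo "separate SND and instance cores before going live"
```

On a gateway, pass `"$(fw ctl affinity -l -a -v)"` and `"$(sim affinity -l)"`; an empty result means no instance competes with interface traffic for a core.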


    2.7 Syslog SmartCenter

    Syslog syslog

    Kiwi, 3CDaemon syslog

    UDP 514

    syslog syslog

    [Expert@SMC-R75]# vi /etc/syslog.conf
    # Kernel messages clutter the screen, they go to /var/log/messages anyway
    kern.* /dev/null
    # Log anything of level info or higher.
    # Don't log private authentication messages and GateD logs!
    *.info;authpriv.none;cron.none;local5.none @192.168.0.20 # syslog server IP
    # The authpriv file has restricted access.
    authpriv.* /var/log/secure
    # Log cron stuff
    cron.* /var/log/cron
    # Everybody gets emergency messages
    *.emerg;local5.none *
    # Save boot messages also to boot.log
    local4.info @192.168.0.20 # syslog server IP
    local7.* /var/log/boot.log
    auth.* /var/log/auth
    mail.* /var/log/maillog
    mail.* |/opt/postfix/log_npipe

    [Expert@SMC-R75]# vi /etc/rc.d/init.d/cpboot
    #!/bin/sh
    # chkconfig: 2345 99 99
    # description: Runs Check Points Products
    CPDIR=/opt/CPshrd-R75
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/opt/CPshrd-R75/lib
    umask 0007
    . /opt/CPshrd-R75/tmp/.CPprofile.sh
    case $1 in
        'start') $CPDIR/bin/cpstart -b
                 ;;
        'stop' ) $CPDIR/bin/cpstop
                 ;;
    esac
    fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &  # syslog

    [Expert@SMC-R75]# service syslog restart # syslog
    Shutting down kernel logger: [ OK ]
    Shutting down system logger: [ OK ]
    Starting system logger: [FAILED]
    Starting kernel logger: [ OK ]
    [Expert@SMC-R75]# reboot # SmartCenter
    Are you sure? (y/n)

    syslog

    [Expert@SMC-R75]# service syslog status
    syslogd (pid 3706) is running...
    klogd (pid 3710) is running...

    syslog

    Syslog

    SyslogCatchAll.txt


    3 (IPS)

    CheckPoint IPS IPS

    IPS

    3.1 IPS

    SmartDashboard IPS

    IPS IPS


    Overview IPS

    Enforcing Gateways IPS

    Profiles IPS

    Protections

    Geo Protection

    Network Exceptions IPS

    Download Updates IPS

    Follow Up

    Advanced HTTP

    3.2 IPS

    3.2.1 IPS

    IPS->Enforcing Gateways IPS Gateway

    Firewall Network Objects->CheckPoint IPS

    IPS IPS


    IPS Assign IPS Profile IPS Protect internal hosts only
    Perform IPS inspection on all traffic IPS

    Bypass IPS inspection when gateway is under heavy load

    Tracklog IPS logAdvanced

    CPU

    Failover Behavior

    Prefer security IPS

    Prefer connectivity IPS


    3.2.2 IPS Profile

    IPS->Profiles IPS (Default Recommended

    )

    New->Create new profile IPS Profile

    IPS ModePreventDetect

    Activate protections according to IPS Policy IPS Policy

    Activate protections manuallyIPS Policy

    IPS Policy


    Client Protections

    Server Protections

    Do not activate protections with severity
    Do not activate protections with confidence-level
    Do not activate protections with performance impact
    Do not activate Protocol Anomalies
    Do not activate protections in the following categories

    Updates PolicDetectPrevent

    Network Exceptions IPS ( Profile


    ) New

    Single protections

    All supported protections

    Source

    Destination

    Service

    Apply this exception on all R70 gateways R70

    Apply this exception on

    IT Fileserver

    Troubleshooting Detect-Only IPS Profile


    3.2.3 Protections

    Protections Protections By Type By Protocol

    ProtectionProtections

    IPS Profile ActionProtectionsDefault_Protection

    ProfileRecommended_Protections Profile


    Edit Protections IPS Profile

    Change Action

    Protections IPS Profile Action

    Prevent on all Profiles: Profile Action Prevent

    Detect on all Profiles: Profile Action Detect

    Deactivate on all Profiles: Profile Protection

    Follow Up Mark for Follow UP:

    Unmark for Follow UP:

    Edit Follow Up Comment:

    View Logs SmartView Tracker IPS

    Protection Profile Profile

    Action according to IPS Policy IPS Policy Action

    Override IPS Policy with Action IPS Policy Action

    Track

    Capture Packets

    3.2.4 Geo Protection

    Geo Protections

    ProfileActionIPS ProfileGeo Protection


    Policy for Specific Countries Policy Add

    Country

    Direction

    Action ,Allow or Block

    Track Log Alert

    Policy for other countries

    3.2.5 Network Exceptions

    Network Exceptions IPS New

    IPS Profile


    Single protections Protection

    All supported protections

    Source

    Destination

    Service

    Apply this exception on all R70 gateways R70

    Apply this exception on

    3.2.6 IPS

    Download Updates

    Update Now IPS CheckPoint Support Account

    Scheduled Update IPS


    Edit schedule

    User Center credentials

    On update failure perform

    On Successful update perform install policy

    Offline Update

    Apply Revision Control:

    Check for new update: SmartDashboard IPS

    3.2.7 Follow Up

    IPSFollow UpProtections

    Mark newly downloaded protections for follow upProtections

    MarkProtectionProtection


    3.2.8 Advanced

    HTTP inspection: Enable HTTP inspection on non standard ports for the IPS Blade

    http

    3.3 IPS

    SmartDashboard SmartCenter IPS


    4 (Identity Awareness)

    Check Point AD

    LDAP LDAP

    IP

    Check Point R75.20

    Check Point (Identity Awareness)

    AD :

    Active Directory

    Identity Awareness , Activate

    Identity Awareness


    AD Query Captive Portal

    Captive portal AD

    Captive portal

    HTTP ,

    Next, SmartConsole PC AD

    AD :

    .

    AD

    SK43874


    , Connect:

    1234Qwer

    Domain Name:

    xxx.com

    Username:

    Administrator

    Password: xxxx

    Domain Controller:

    10.10.10.100


    4.1 Captive Portal

    default URL https://192.168.10.1/connect

    Next, Finish

    https://192.168.10.1/connect


    Servers and OPSEC

    LDAP User

    4.2 (Identity Access)

    AD log out

    SmartView Tracker. Identity Awareness

    users machines

    , reboot Windows XP.


    4.3 (Access Roles)

    AD John Group,

    Rule #1

    Source: Any

    Destination: Any

    Service: http ( negate cell )

    Action: Accept

    Track: Log

    Rule #2

    Source , , Add User/Access Role

    Group: Finance_Group

    Network , Any Networks

    Users , : Finance

    Machines , Any machine

    Destination: Any

    Service: Any

    Action: Accept

    Track: Log


    Rule #3

    clean-up rule (Any / Any / Drop / Log)

    Rulebase :

    Install Policy , John internet

    :

    4.4 IP

    log off John Anna(xx) / 1234Qwer

    John Anna Source User Name


    Anna John

    Reference Notes:

    , gateway properties identity awareness Active Directory Query

    Settings

    Assume that only one user is connected per computer

    IP 2 IP


    OK, Install Policy

    > pdp control revoke_ip

    IP

    John ( Windows XP VM )IP 192.168.10.1XX

    > pdp control revoke_ip 192.168.10.1XX

    > pdp m a

    :

    - John

    -

    - > pdp m a + Check logs

    - Log Off John Anna log In

    -

    - > pdp m a + Check logs

    4.5 Captive Portal

    Captive Portal web

    IP

    > pdp control revoke_ip 192.168.10.1XX

    :

    > pdp cont r 192.168.10.1XX

    Captive portal Identity Awareness

    Identity Awareness , Captive portal

    https://192.168.10.1/connect (), Captive Portal

    Settings Access Settings Main URL),

    https://192.168.10.1/connect


    Captive portal

    All Interfaces (Captive Portal Settings > Access Settings > Accessibility)

    Captive portal

    Login: Administrator

    Password:

    Action accept Action Edit Properties,

    Captive Portal:

    captive portal ; clean-up rule

    ,

    captive web portal, AD

    Clark(XX) / 1234Qwer


    pdp m a + Check logs Clark

    SmartView Tracker Clark


    5 SmartEvent

    SmartEvent IPS, Identity Awareness, DLP,

    Anti-Virus, URL filtering

    SmartEvent SmartEvent

    pop-up . OK Correlation Units.

    Add Correlation Unit Log Servers. Save Close.

    pop-up OK Internal Network.


    Close. SmartEvent No,

    Identity Awareness SmartEvent .

    Policy > Identity Awareness Events User Session Machine

    Session

    Action Install Event Policy SmartEvent

    Identity Awareness

    log off, log in as John(xx) / 1234Qwer

    log off, log in as Anna(xx) / 1234Qwer


    SmartEvent , Events

    Identity Awareness All Identification Events

    Timelines

    Add Line

    Identity Awareness > All Events

    OK.


    Charts

    Time Frame = Last Hour

    By Event Name

    User Session


    6 URL (App Control & URL Filtering)

    6.1 Application Control