Check Point NG VPN-1/Firewall-1: Advanced Configuration and Troubleshooting

Barry J. Stiefel, Syngress

ISBN: 1931836973, Edition: 1, 2003-05

Price: $59.95

Table of Contents

Chapter 1 FW-1 NG Operational Changes
Introduction
Static NAT Changes from 4.x to NG
Server-Side NAT
Version 4.x Destination Static NAT
How It Really Works
Client-Side NAT
How It Really Works
Bidirectional NAT
Automatic ARP
When ARP Is Automatic
When ARP Is Manual
Upgrading 4.x to NG
The 4.x Upgrade Process
When to Rebuild
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 2 Smart Clients
Introduction
SmartDashboard
What’s New in NG SmartDashboard?
New Panes
New Policy Tabs
New Menu Items and Toolbars
New Object Types
The Extended Object Properties Screen
Extended Administrator Access
A GUI Overview of New FP3 Features
The New Policy Installation Interface
Using Sections in the Security Rule Base
Version Control with Database Revision Control
SmartView Status
What’s New in SmartView Status?
The Panes
Changes in the Menu and the Toolbar
Highlights of SmartView Status
Disconnecting a Client
Other Fancy Features
SmartView Tracker
What’s New in SmartView Tracker?
The Panes
Menu Changes
Highlights From the SmartView Tracker
Remote File Management
View in SmartDashboard
Command-Line Options
SmartView Monitor
Installation
The Interface
Traffic Monitoring
Monitor Using Check Point System Counters
Monitor by Service
Monitor Using Network Objects
Monitor by QoS
Monitor Using Top Firewall Rules
Monitor Using Virtual Links
Generating Reports
Check Point Systems Counter Reports
Traffic Reports
User Monitor
The Interface
Managing Queries
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 3 Advanced Authentication
Introduction
Active Directory
Setting Up Active Directory for FireWall-1 Authentication
Active Directory Installation and Basic Configuration
Enabling LDAP Over SSL
Delegation of Control
Active Directory Schema Management
Extending Your Schema
Enabling SSL Communication Between VPN-1/FireWall-1 and Active Directory
Setting Up the Firewall for AD Authentication
Configuring Global Properties for Active Directory
Defining the Active Directory Account Unit
Configuring LDAP Administrators
User Management on Active Directory
Configuring the Rule Base
Troubleshooting
Suggested Uses of MS-AD Authentication
Standard LDAP
Setting Up the LDAP for FireWall-1 Authentication
Setting Up the Firewall for LDAP Authentication
Defining a New User
Suggested Uses of LDAP Authentication
RADIUS
Setting Up the Firewall for RADIUS Authentication
Setting Up RADIUS for FireWall-1 Authentication
Suggested Uses of RADIUS Authentication
TACACS+
Setting Up the Firewall for TACACS+ Authentication
Setting Up TACACS+ for FireWall-1 Authentication
Suggested Uses of TACACS+ Authentication
General User Management
Self-Service User Management with ADSI
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 4 Advanced VPN Concepts
Introduction
What Are SEP and MEP?
Sample Scenario
Exploring SEP
Exploring MEP
SEP Configuration Examples
Scenario One
Scenario Two
MEP Configuration Examples
Scenario One
Setup of New York Firewall
Setup of San Diego Firewall
Combinations of MEP and SEP
VPN Modes
Transparent Mode
Connect Mode
Routing Between VPN Connections
Dynamic IP Address VPN Connections
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 5 Advanced VPN Client Installations
Introduction
The Difference Between SecuRemote and SecureClient
Using DNSInfo Files
Encrypting Internal Traffic
Using SR/SC from Behind a CP-FW-1 System
Using SecureClient
Creating Rules for Internal Connections to Remote Clients
Examples of Common Deployments
L2TP Tunnels Terminating on a Check Point FP3 Box
Office Mode SecureClient
FP3 Clientless VPNs
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 6 High Availability and Clustering
Introduction
Designing Your Cluster
Why Do You Need a Cluster?
Resilience
Increased Capacity
High Availability or Load Sharing?
Load Sharing
High Availability
Clustering and Check Point
Operating System Platform
Clustering and Stateful Inspection
Desire for Stickiness
Location of Management Station
A Management Station on a Cluster-Secured Network
Management Station on Internal Network
Connecting the Cluster to Your Network: Hubs or Switches?
FireWall-1 Features, Single Gateways vs. Clusters: The Same, But Different
Network Address Translation
Security Servers
Remote Authentication Servers
External VPN Partner Configuration
Installing FireWall-1 NG FP3
Checking the Installation Prerequisites
Installation Options
Installation Procedure
Check Point ClusterXL
Configuring ClusterXL in HA New Mode
Prerequisites for Installing ClusterXL in HA New Mode
Configuration of ClusterXL HA New Mode
Testing ClusterXL in HA New Mode
Test 1: Pinging the Virtual IP Address of Each Interface
Test 2: Using SmartView Status to Examine the Status of the Cluster Members
Test 3: FTP Session Through the Cluster When an Interface Fails
Command-Line Diagnostics on ClusterXL
How Does ClusterXL HA New Mode Work?
ClusterXL HA New Mode Failover
ClusterXL Failover Conditions
Special Considerations for ClusterXL in HA New Mode
Network Address Translation
Configuring ClusterXL in HA Legacy Mode
Configuring ClusterXL in Load-Sharing Mode
Prerequisites for Configuring ClusterXL in Load-Sharing Mode
Configuration of ClusterXL in Load-Sharing Mode
Testing ClusterXL in Load-Sharing Mode
Test 1: Pinging the Virtual IP Address for Each Interface
Test 2: Using SmartView Status to Examine the Status of the Cluster Members
Test 3: FTPing Through ClusterXL Load Sharing During Failover
Command-Line Diagnostics for ClusterXL
How ClusterXL Works in Load-Sharing Mode
ClusterXL Load-Sharing Mode Failover
Special Considerations for ClusterXL in Load-Sharing Mode
Network Address Translation
User Authentication and One-Time Passcodes
Nokia IPSO Clustering
Nokia Configuration
A Few Points About Installing an Initial Configuration of NG FP3 on Nokia IPSO
Check Point FireWall-1 Configuration for a Nokia Cluster
Configuring the Gateway Cluster Object
Nokia Cluster Configuration on Voyager
Voyager Configuration
Testing the Nokia Cluster
Test 1: Pinging the Virtual IP Address of Each Interface
Test 2: Determining the Status of Each Member in the Cluster
Test 3: FTPing Through a Load-Sharing Nokia Cluster During Interface Failure
Command-Line Stats
How Nokia Clustering Works
Nokia Cluster Failover
Nokia Failover Conditions
Special Considerations for Nokia Clusters
Network Address Translation
Defining the Cluster Object Topology
Nokia IPSO VRRP Clusters
Nokia Configuration
Nokia VRRP Configuration on Voyager
Voyager Configuration
Testing the Nokia VRRP Cluster
Test 1: Pinging the Virtual IP Address for Interface
Test 2: Finding Which Member Responds to Administrative Connections to the VIPs
Test 3: Determining the Status of Each Member in the Cluster
Test 4: FTPing Through a VRRP Cluster During Interface Failure
Command-Line Stats
How VRRP Works
Special Considerations for Nokia VRRP Clusters
Network Address Translation
Connections Originating from a Single Member in the Cluster
Third-Party Clustering Solutions
Clustering and HA Performance Tuning
Data Throughput or Large Number of Connections
Improving Data Throughput
Improving for Large Number of Connections
Final Tweaks to Get the Last Drop of Performance
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 7 SecurePlatform
Introduction
The Basics
Installation
Configuration
Web User Interface Configuration
Command-Line Configuration
CPShell
Backup and Restore
Applying OS and Application Updates
Adding Hardware to SecurePlatform
Adding Memory
Adding NICs
Adding a Second Processor
Configuring SecurePlatform for a Second Processor
Adding Hard Drives
FireWall-1 Performance Counters
Firewall Commands
cpstat
fw ctl pstat
vpn tu
fwaccel
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 8 SmartCenter Management Server, High Availability and Failover, and SMART Clients
Introduction
SmartCenter Server: The Roles of a Management Server
Internal Certificate Authority
VPN Certificates
Management Server Backup Options
Protecting the Configuration
Enforcement Point Functions
Logging
Installing a Secondary Management Server
SMART Clients
SMART Client Functions
SMART Client Login
SmartDashboard
SmartDefense
SmartView Status
SmartView Tracker
SmartView Monitor
User Monitor
SmartUpdate
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 9 Integration and Configuration of CVP / UFP
Introduction
Using CVP for Virus Scanning E-Mail
Configuring CVP
A Generic CVP Solution
Troubleshooting CVP
URL Filtering for HTTP Content Screening
Setting Up URL Filtering with UFP
Using Screening without CVP
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 10 SecureClient Packaging Tool
Introduction
Installing the SecureClient Packaging Tool
Installing by Default
Installing Explicitly
Starting the SecureClient Packaging Tool
Creating a Profile
The Welcome Window
The General Window
The Connect Mode Window
Transparent Mode
Connect Mode
Mode Transition
The SecureClient Window
The Additional Options Window
The Topology Window
The Certificates Window
The Silent Installation Window
The Installation Options Window
The Operating System Logon Window
The Finish Window
Managing SecureClient Profiles
Creating a New Profile From an Existing Profile
Deleting a Profile
Editing a Profile
Creating SecureClient Installation Packages
The Welcome Window
The Package Generation Window
Deploying SecuRemote Packages
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 11 SmartDefense
Introduction
Understanding and Configuring SmartDefense
General
Anti-Spoofing Configuration Status
Denial of Service
Teardrop
Ping of Death
LAND
IP and ICMP
Fragment Sanity Check
Packet Sanity
Max Ping Size
TCP
SYN Attack
Small PMTU
Sequence Verifier
DNS
FTP
FTP Bounce Attack
FTP Security Servers
HTTP
Worm Catcher
HTTP Security Servers
SMTP Security Server
SMTP Content
Mail and Recipient Content
Successive Events
Address Spoofing
Local Interface Spoofing
Port Scanning
Successive Alerts
Successive Multiple Connections
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 12 SmartUpdate
Introduction
Licensing Your Products
Management Server
Installing Licenses via the Management Server
Removing Licenses via the Management Server
Resetting SIC
Enforcement Points
Installing Licenses via SmartUpdate
Removing Licenses via SmartUpdate
Other License Types
SecuRemote
SecureClient
FloodGate
Connect Control
Updating Your Products
Adding a New Product
Installing a Product
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 13 Performance Pack
Introduction
How Performance Pack works
Working on Interfaces While Using Performance Pack
Installing Performance Pack
Hardware Requirements
Performance Considerations
Installing Performance Pack on Solaris 8
Prerequisites
Installation Using the Solaris Comprehensive Install Package
Installation as a Separate Package
Uninstalling Performance Pack
Installing Performance Pack on SecurePlatform
Prerequisites
Installing the rpm Package
Command-Line Options for Performance Pack
Stopping and Starting SecureXL
Checking the Status of SecureXL
Configuring SecureXL
Troubleshooting Performance Pack
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 14 UserAuthority
Introduction
Defining UserAuthority
WAM in Detail
Supported Platforms
Installing UserAuthority
Installing the UserAuthority Server
UserAuthority Server on a FireWall-1 Enforcement Module
UserAuthority Server on a Windows Domain Controller
Installing UserAuthority SecureAgent
Manual Installation on Desktop
Automatic Installation on Login to the Domain
Installing the UserAuthority WebAccess Plug-In
Prerequisites for the WebAccess Plug-In
Installing the WebAccess Plug-In
Implementing UserAuthority Chaining
Utilizing UserAuthority Logging
FireWall-1 SSO Policy Rules
WAM Web Access Logging
UAS Event Logging
Understanding Credentials Management and Domain Equality
Domain Equality
Configuring Domain Equality
Deploying UserAuthority
Authenticated Internet Access
Configuring Objects in the SmartDashboard GUI
Configuring Domain Equivalence Between the Firewall UAS and the Domain Controller UAS
Creating Users on the Firewall
Creating the Rule Base
Testing the Configuration
Authenticated Web Server
Creating a Simple WebAccess Policy
SSO Internet Access and Web Server
Configuration
Testing the Configuration
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 15 Firewall Troubleshooting
Introduction
SmartView Tracker
Filtering Traffic
Active and Audit Logs
SmartView Monitor
Monitoring Check Point System Counters
Monitoring Traffic
Monitoring a Virtual Link
Running History Reports
Using fw monitor
How It Works
Writing INSPECT Filters for fw monitor
Reviewing the Output
Other Tools
Check Point Tools
Log Files
fw stat
fw ctl pstat
fw tab
fw lichosts
cpinfo
Operating System and Third-Party Tools
Platform-Friendly Commands
Unix Commands
Third-Party Tools
Summary
Solutions Fast Track
Frequently Asked Questions
Index