Ngx II r65 Slides

Check Point Security Administration IINGX R65

Slide Graphic LegendSlide Graphic Legend

Course ObjectivesCourse Objectives

Part 1: Updating and Upgrading Chapter 1: SmartUpdate

– Identify the common operational features of SmartUpdate.– Use SmartUpdate to create an upgrade package.– Upgrade and attach product licenses using SmartUpdate.

Chapter 2: Upgrading VPN-1– Determine which VPN-1 upgrade strategy is appropriate, given

a variety of scenarios.– Determine VPN-1 license requirements, based on upgrade

strategy.

Part 2: Virtual Private Networks Chapter 3: Encryption and VPNs

– Explain encryption for VPNs.– Compare and contrast common encryption methods.– Describe the process for setting up a encrypted VPN tunnels.

Chapter 4: Introduction to VPNs– Select the appropriate VPN deployment to meet requirements,

given a variety of scenarios.– Configure VPN-1 to support site-to-site VPNs, given a variety of

business requirements.– Adjust NGX R65 VPN configuration settings to correct a

problem, given symptoms of a configuration problem.

Chapter 5: Site-to-Site VPNs– Select the appropriate VPN deployment to meet requirements,

given a variety of scenarios.– Configure VPN-1 to support site-to-site VPNs, given a variety of

business requirements.– Adjust VPN configuration settings to correct a problem, given

symptoms of a configuration problem.

Chapter 6: Remote Access VPNs– Configure VPN-1 to support remote-access VPNs, given a

variety of business requirements.

Part 3: High Availability and ClusterXL Chapter 7: High Availability and ClusterXL

– Identify the features and limitations of Management High Availability.

– Identify the benefits and limitations of different modes in a ClusterXL configuration.

– Configure a ClusterXL VPN, given a specific business scenario.– Implement and test State Synchronization, given a business

scenario.

PrefaceCheck Point Security Administration II

NGX (R65)

Course LayoutCourse Layout

Prerequisites Check Point Certified Security Expert (CCSE)

Recommended Setup for LabsRecommended Setup for Labs

Recommended Lab Topology

Recommended Setup for LabsRecommended Setup for Labs

IP Addresses Lab Terms

Check Point Security ArchitectureCheck Point Security Architecture

PURE Security

Check Point Components

Unified Security Architecture

Broad Range of Security Solutions

Network Security Data Security Security Management Services

Training and CertificationTraining and Certification

CCMA Learn More

Part 1: Updating and UpgradingPart 1: Updating and Upgrading

Chapter 1: SmartUpdate

Chapter 2: Upgrading VPN-1

SmartUpdateSmartUpdate

ObjectivesObjectives

Identify the common operational features of SmartUpdate.

Use SmartUpdate to create an upgrade package. Upgrade and attach product licenses using

SmartUpdate.

Introduction to SmartUpdateIntroduction to SmartUpdate

Optional component of VPN-1 that automatically distributes software applications and updates for Check Point and OPSEC certified products

Manages product licenses

Introduction to SmartUpdateIntroduction to SmartUpdate

SmartUpdate Architecture

Upgrading PackagesUpgrading Packages

Prerequisites for Remote Upgrades Retrieving Data From VPN-1 Gateways Adding New Packages to the Package Repository Verifying the Viability of a Distribution Transferring Files to Remote Devices Upgrading Edge Firmware with SmartUpdate Rebooting the VPN-1 Gateway Recovering From a Failed Upgrade Deleting Packages From the Package Repository

Managing LicensesManaging Licenses

Central license: package license tied to IP address of SmartCenter Server

Local license: package license tied to IP address of VPN-1 Gateway, and cannot be transferred to Gateway with different IP address

License Upgrade Retrieving License Data From VPN-1 Gateways CPInfo SmartUpdate Command Line

1Updating an Installation with Updating an Installation with

SmartUpdateSmartUpdate

Review Questions & AnswersReview Questions & Answers

1. What can be upgraded remotely using SmartUpdate?

VPN-1 Gateways Hotfixes, HFAs, and patches Third-party OPSEC applications UTM Edge devices Nokia operating systems Check Point SecurePlatform

2. What two repositories does SmartUpdate install on the SmartCenter Server?

License & Contract Repository in $FWDIR\conf Package Repository in C:\SUroos (Windows),

/var/suroot (UNIX)

3. What does the Pre-Install Verifier check?

Operating-system compatibility Disk-space availability Package not already installed Package dependencies met

4. What are the benefits of using a central license?

Only one IP address is needed for all licenses. A license can be moved from one Gateway to another. A license remains valid when changing Gateway IP

addresses.

2Upgrading VPN-1Upgrading VPN-1

Determine which VPN-1 upgrade strategy is appropriate, given a variety of scenarios.

Determine VPN-1 license requirements, based on upgrade strategy.

Preinstallation ConfigurationPreinstallation Configuration

– Remove any services not running that might be considered a security risk.

– Ensure your network and Gateway are properly configured, with special emphasis on routing.

– Log in to each of the hosts, and Ping the other hosts.– Enable IP routing/forwarding.– Confirm that DNS is working properly. – Note names/IP addresses of the Gateway’s interfaces.– Confirm Gateway’s name corresponds to IP address of

Gateway’s external interface.– Isolate the computers on which you will be installing VPN-1

components from the network.– Verify you have correct version of software for all VPN-1

components.

Distributed InstallationDistributed Installation

VPN-1 Client/Server Configuration

Upgrading To VPN-1 NGX R65Upgrading To VPN-1 NGX R65

Upgrade Guidelines Upgrade Order Upgrade Export/Import Upgrading via SmartUpdate

VPN-1 Backward CompatibilityVPN-1 Backward Compatibility

Supported Versions

Licensing VPN-1Licensing VPN-1

Obtaining Licenses Supported Upgrade Paths Contract Verification

Performing License UpgradePerforming License Upgrade

Two Upgrade Methods Trial Licenses

Pre-Upgrade ConsiderationsPre-Upgrade Considerations

Pre-Upgrade Verification Tool Web Intelligence License Enforcement Upgrading on SecurePlatform

Upgrading SmartCenter ServerUpgrading SmartCenter Server

Using the Pre-Upgrade Verification Tool

Gateway UpgradeGateway Upgrade

Gateway Upgrade with SmartUpdate

1. What is the correct order for a VPN-1 upgrade?

SmartCenter Server first, then Security Gateway

2. What should be done before installing a VPN-1 Security Gateway?

– Remove any services not running that may be a security risk.– Make sure your network and Gateway are properly configured.– Test network communication.– Enable IP routing/forwarding– Confirm DNS is working properly.– Note the names and IP addresses of the Gateway’s interfaces.– Confirm the Gateway is shown in the hosts files correctly.– Isolate the computers.– Verify the correct version of software for you OS

3. What methods are there for upgrading licenses?

Centrally, from the SmartCenter Server via SmartUpdate

Locally at the Check Point machine

4. Which products can be upgraded to NGX R65?

– VPN-1 Pro Gateways– SecurePlatform– SmartView Monitor– Eventia Reporter– UserAuthority Server– Policy Server– Check Point QoS– Nokia OS– UTM-1

Part 2: Virtual Private NetworksPart 2: Virtual Private Networks

Chapter 3: Encryption and VPNs

Chapter 4: Introduction to VPNs

Chapter 5: Site-to-Site VPNs

Chapter 6: Remote Access VPNs

Encryption and VPNsEncryption and VPNs

Explain encryption for VPNs. Compare and contrast common encryption methods. Describe the process for setting up a encrypted VPN

tunnels.

Securing CommunicationSecuring Communication

Privacy

Shared-Secret Key

Symmetric Encryption

Symmetric Disadvantages Asymmetric Encryption

Diffie-Hellman Encryption

Integrity– Hash Function

Authentication– Digital Signature

Two Phases of Encryption Encryption Algorithms

IKEIKE

ISAKMP Oakley ISAKMP/Oakley Phase 1 Phase 2 IKE Example

IKEIKE

Tunneling-Mode Encryption– Encrypted Packet

Certificate AuthoritiesCertificate Authorities

Certificates Multiple Certificate

Authorities Certificate Authority

Hierarchy

Local Certificate Authority

CA Service via the Internet

Internal Certificate Authority CA Public Keys

– CA Action

Creating Certificates

1. What three tenets of network communication do Security Administrators need to ensure?

Confidentiality — No one, other than the intended parties, can understand the communication.

Integrity — The sensitive data passed between the communicating parties is unchanged.

Authentication — The communicating parties must be sure they are connecting with the intended party.

2. Which encryption system uses a different key for encryption and decryption?

Asymmetric cryptographic systems

3. What two modes does VPN-1 supply for IKE Phase 1 between Gateways?

Main mode (default) Aggressive mode

4. Which encryption method encapsulates an entire packet, adding its own encryption protocol header to the packet?

Tunnel-mode encryption

4Introduction to VPNsIntroduction to VPNs

Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.

Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.

Adjust NGX R65 VPN configuration settings to correct a problem, given symptoms of a configuration problem.

The Check Point VPNThe Check Point VPN

– Check Point VPN Topology

Simplified VPN Tunnel

How a VPN Works– Gateway-to-Gateway Network configuration

Specifying Encryption

VPN DeploymentsVPN Deployments

Site-to-Site VPNs

VPN DeploymentsVPN Deployments

Remote-Access VPNs

VPN ImplementationVPN Implementation

Three Critical VPN Components– Complete VPN

VPN Setup– Two-Network Configuration

How a VPN Works

– VPN Tunnel

VPN Communities

VPN Topologies– Basic Meshed Community

– Star VPN Community

Choosing a Topology– Star and Mesh Combined

– Different Encryptions in Mesh Communities

– Special Condition

– Three VPN Communities

Authentication Between Community Members Dynamically Assigned IP Gateways Routing Traffic Within a VPN Community Access Control and VPN Communities

– Access Control in VPN Communities

Special Considerations for Planning a VPN Topology

Integrating VPNs into a Rule Base

1. What is a VPN Community?

A collection of VPN enabled Gateways capable of communication via VPN tunnels

2. What is a meshed VPN Community?

A VPN Community in which a VPN site can create a VPN tunnel with any other VPN site within the Community

3. Which is the preferred means of authentication between VPN Community members, and why?

Certificates, because they are more secure than pre-shared secrets

4. If both domain-based VPN and route-based VPN are configured, which will take precedence?

Domain-based VPN

5. When planning a VPN topology, what questions should be asked?

Who needs secure/private access? From the point of view of the VPN, what will be the

structure of the organization? How will externally managed Gateways authenticate?

Site-to-Site VPNsSite-to-Site VPNs

Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.

Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.

Adjust VPN configuration settings to correct a problem, given symptoms of a configuration problem.

Site-to-Site VPNSite-to-Site VPN

Domain-Based VPN

Simple VPN Routing

Route-Based VPN VPN Routing Process for VTIs

Routing to a Virtual Interface

Route-Based VPN

Routing Multicast Packets Through VPN Tunnels

Multicasting

VPN Tunnel ManagementVPN Tunnel Management

Permanent Tunnels

Permanent Tunnel in MEP Environment

VPN Tunnel Sharing

Wire ModeWire Mode

Wire Mode in a MEP Configuration

Wire ModeWire Mode

– Wire Mode in MEP

Wire ModeWire Mode

Wire Mode with Route-Based VPN– Wire Mode in a Satellite Community

Wire ModeWire Mode

Wire Mode Between Two VPN Communities

Directional VPN EnforcementDirectional VPN Enforcement

Directional Enforcement Between Communities

Directional Enforcement Within a Community

Directional Enforcement Between Communities– Directional VPN between Mesh and Star Communities

Multiple Entry Point VPNsMultiple Entry Point VPNs

VPN High Availability with MEP

Traditional Mode VPNsTraditional Mode VPNs

Organizations with large VPN deployments with complex networks may continue to work within Traditional Mode.

VPN Domains and Encryption Rules

2Two-Gateway IKE EncryptionTwo-Gateway IKE Encryption

(Shared Secret)(Shared Secret)

3Two-Gateway IKE Encryption

(Certificates)

1. What type of VPN does the use of VPN tunnel interfaces support?

Route-based VPNs

2. What are the three types of VPN tunnel sharing supported by VPN-1?

One VPN tunnel per each pair of hosts One VPN tunnel per subnet pair One VPN tunnel per Gateway pair

3. What is the advantage of a Wire Mode VPN?

Improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement, and relying on the security of the trusted VPN connection itself

4. What are the primary benefits of Multiple Entry Point VPNs?

High Availability Load Sharing

Remote Access VPNsRemote Access VPNs

Configure VPN-1 to support remote-access VPNs, given a variety of business requirements.

Remote Access VPNRemote Access VPN

VPN-1 SecuRemote enables you to create a VPN tunnel between a remote user and your organization’s internal network.

Extending SecuRemote with SecureClient Connect Mode Establishing Remote Access — Workflow

Remote Access VPNRemote Access VPN

Workflow for Establishing Remote Access VPN

Office ModeOffice Mode

How Office Mode Works

Office ModeOffice Mode

– Office Mode Process

Office Mode PlanningOffice Mode Planning

IP Pool vs. DHCP Routing-Table Modifications Multiple External Interfaces Before Configuring Office Mode

Desktop Security PolicyDesktop Security Policy

Policy Expiration and Renewal Policy Server HA Wireless Hotspot/Hotel Registration Logging SecureClient Mobile

VPN Routing — Remote AccessVPN Routing — Remote Access

VPN routing provides a way of controlling how VPN traffic is directed.

VPN routing can be implemented with Gateways and remote-access clients.

Configuration for VPN routing is performed either through SmartDashboard, or by editing routing-configuration files.

– Simple VPN Routing

Hub Mode

SSL Network ExtenderSSL Network Extender

SSL Network Extender is connected to an SSL enabled Web server that is part of the Security Gateway.

SSL Network Extender It is via SmartDashboard. How SSL Network Extender Works Prerequisites

Clientless VPNClientless VPN

Clientless VPN provides secure SSL-based communication between clients and servers that support HTTPS.

Two phases:– Establishing a secure channel– Communication phase

– Communication Phase

Special Considerations for Clientless VPN Configuring Clientless VPN Creating Appropriate Rules in the Rule Base

4Configuring Remote Access in an IKE

5Using SecuRemote in an IKE VPN

6Remote Access and Office Mode

7SSL Network Extender

1. When a SecuRemote/SecureClient needs to know the elements of the organization’s internal network to build a connection, how is that information sent?

Over a connection secured and authenticated using IKE over SSL

2. What is the most recommended and manageable method for client-Gateway authentication?

Digital Certificates

3. What problem does Office Mode solve?

Nonroutable IP addresses; Office Mode enables a VPN-1 Gateway to assign a remote client an IP address.

4. What is the advantage of SSL Network Extender

Simple to implement, easy-to-use remote-access solution

Part 3: High AvailabilityPart 3: High Availability

Chapter 7: High Availability and ClusterXL

High Availability and ClusterXLHigh Availability and ClusterXL

Identify the features and limitations of Management High Availability.

Identify the benefits and limitations of different modes in a ClusterXL configuration.

Configure a ClusterXL VPN, given a specific business scenario.

Implement and test State Synchronization, given a business scenario.

Management High AvailabilityManagement High Availability

– Management High Availability Deployment

Management High Availability Environment Synchronization Status

– Typical Management High Availability Example

ClusterXLClusterXL

– VPN-1 Gateway Cluster

ClusterXLClusterXL

Load Sharing

ClusterXL ModesClusterXL Modes

Legacy High Availability Mode New High Availability Mode Load Sharing Multicast Mode Load Sharing Unicast (Pivot) Mode

– Load Sharing Unicast Mode

– Cluster Member Forwarding Packet

Cluster Control Protocol

Synchronizing ClustersSynchronizing Clusters

The Synchronization Network How State Synchronization Works Synchronized-Cluster Restrictions

Sticky ConnectionsSticky Connections

The Sticky Decision Function

cpha Commandscpha Commands

cphastart cphastop cphaprob cphaprob Syntax cphaprob Example fw hastat

Debugging ClusterXL IssuesDebugging ClusterXL Issues

fw ctl pstat Sync Output

ClusterXL Configuration IssuesClusterXL Configuration Issues

Modes of ClusterXL Supporting SecureXL Crossover-Cable Support

8Deploying New Mode HA

9Load Sharing Unicast (Pivot) Mode

10Configuring Load Sharing Multicast

Mode (Optional)

1. For Management HA to function properly, what data must be synchronized and backed up?

2. In ClusterXL, what benefit does State Synchronization provide?

Ensures no data is lost in case of a cluster member failure; all connection information and VPN state information is synchronized between the members.

3. What does Load Sharing in Multicast Mode do?

Enables you to distribute network traffic between cluster members

4. In what two modes does State Synchronization work?

Full sync, which transfers all VPN-1 kernel-table information from one cluster member to another

Delta sync, which transfers changes in the kernel tables between cluster members

5. What is a “sticky” connection?

When all of a connection’s packets are handled, in either direction, by a single cluster member

Ngx II r65 Slides

Documents

Transcript of Ngx II r65 Slides

NGX tutorial

ngx openresty: an Nginx ecosystem glued by Lua - agentzhagentzh.org/misc/slides/ngx-openresty-ecosystem.pdf · # a connection pool that can cache up to ... an Nginx upstream module

NGx Sequencing 101-platforms

Check Point VPN-1 NGX R65 User Guidedownloads.checkpoint.com/.../FILE/CC-Check_Point_VPN-1_NGX_R65_User... · SSL Network Extender Download ... Check Point VPN-1 Power/UTM NGX R65

Rešenjau oblasti računarskih mreža i sigurnosti day... · Software Edition NGX R65 NGX R65 NGX R65 NGX R65 NGX R65 NGX R65 10/100 Ports 1 - - - - - 10/100/1000 Ports 4 4 6 8 8

NGX Price Index Methodology Guide · 2020. 8. 14. · NGX Price Index Methodology Guide September 2020 Version ICE NGX Canada Inc.

new generation NGX - Interempresas

BOEING PMDG 737 NGX - cpv. · PDF file1 BOEING PMDG 737 NGX INTRODUCTION Par Michel Schopfer Le manuel de référence est : PMDG 737 NGX (Introduction)

Review: PMDG 737 NGX

Checkpoint NGX User Authority

Checkpoint NGX CLI

Checkpoint NGX R65 Releasenotes

Check Point NGX R65 VSX-1 Appliance Gettingstarted

PG-09188-001 v1.1.0 | May 2019 NVIDIA NGX Programming Guide · NGX feature supports one API, however, NGX does not limit the number of APIs that. Integrating NGX With Your Application

Checkpoint NGX ClusterXL

Five Myths of Threat Management - cdn.ttgtmedia.com€¦ · Check Point UTM-1 2050 NGX R65 SecureDefense 27% 32% Cisco ASA5540 7.2.3 Block at 85% confidence 20% 30% Block at 55% confidence

737 NGX Tutorial

Presentation Team NGX

Checkpoint NGX Release Notes

Firewall and SmartDefense - asm.mdstorage.asm.md/docs/CheckPoint NGX R65/CheckPoint_R65...Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1,