CCSA R71 Study Guide


Copyright © Check Point Software Technologies Ltd. All rights reserved.

Printed by Check Point Press
A Division of Check Point Software Technologies Ltd.

First Printing December 2009

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

© 2003-2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

TRADEMARKS

©2003-2010 Check Point Software Technologies Ltd. All rights reserved.

Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

DISCLAIMER OF WARRANTY

Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

International Headquarters:
5 Ha’Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555

U.S. Headquarters:
800 Bridge Parkway
Redwood City, CA 94065
Tel: 650-628-2000
Fax: 650-654-4233

Technical Support, Education & Professional Services:
8333 Ridgepoint Drive, Suite 150
Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913

E-mail any comments or questions about our courseware to [email protected]. For questions or comments about other Check Point documentation, e-mail [email protected].

Document #: CCSA R70 Study Guide

Revision: R70001

Content: Mark Hoefle

Graphics: Jeffery Holder


Security Administrator R70 / R71 Study Guide

Exam # 156-215.71

Contents

Preface: The Check Point Certified Security Administrator Exam
    Frequently Asked Questions

Chapter 1: Check Point Technology Overview
    Check Point Technology Overview Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 2: Deployment Platforms
    Deployment Platforms Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 3: Introduction to the Security Policy
    Introduction to the Security Policy Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 4: Monitoring Traffic and Connections
    Introduction to the Monitoring Traffic and Connections Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 5: Using SmartUpdate
    Introduction to the SmartUpdate Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 6: Upgrading to R71
    Introduction to the Upgrading to R71
    Sample CCSA R70 Exam Question
    Answer

Chapter 7: User Management and Authentication
    Introduction to the User Management and Authentication Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 8: Encryption and VPNs
    Introduction to the Encryption and VPNs Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 9: Introduction to VPNs
    Introduction VPNs Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 10: Messaging and Content Security
    Introduction to the Messaging and Content Security Topics
    Sample CCSA R70 Exam Question
    Answer

Preface

The Check Point Certified Security Administrator Exam

The Check Point Security Administrator R70 / R71 course provides an understanding of basic concepts and skills necessary to configure the Check Point Security Gateway, configure Security Policies, and learn about managing and monitoring secure networks. The Check Point Security Administrator R70 / R71 Study Guide supplements knowledge you have gained from the Security Administrator R70 / R71 course, and is not a sole means of study.

The Check Point Certified Security Administrator R71 exam covers the following topics:

Describe Check Point’s unified approach to network management, and the key elements of this architecture

Design a distributed environment using the network detailed in the course topology

Install the Security Gateway version R71 in a distributed environment using the network detailed in the course topology

Given Check Point’s latest integration of CoreXL technology, select the best security solution for your corporate environment

Given network specifications, perform a backup and restore the current Gateway installation from the command line


Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line

Deploy Gateways using sysconfig and cpconfig from the Gateway command line

Use the Command Line to assist support in troubleshooting common problems on the Security Gateway

Given the network topology, create and configure network, host and gateway objects

Verify SIC establishment between the SmartCenter Server and the Gateway using SmartDashboard

Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use

Configure NAT rules on Web and Gateway servers

Evaluate existing policies and optimize the rules based on current corporate requirements

Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime

Use queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data

Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality

Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements

Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications

Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways

Upgrade and attach product licenses using SmartUpdate


Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely

Manage user access to the corporate LAN by using external databases

Select the most appropriate encryption algorithm when securing communication over a VPN, based on corporate requirements

Establish VPN connections to partner sites in order to establish access to a central database by configuring Advanced IKE properties

Configure a pre-shared secret site-to-site VPN with partner sites

Configure a certificate based site-to-site VPN using one partner's internal

Configure a certificate based site-to-site VPN using a third-party CA

Configure permanent tunnels for remote access to corporate resources

Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels

Configure Check Point Messaging Security to test IP Reputation, content based anti-spam, and zero hour virus detection

Based on network analysis disclosing threats by specific sites, configure a Web-filtering and antivirus policy to filter and scan traffic

Implement default or customized profiles to designated Gateways in the corporate network

Frequently Asked Questions

The table below provides answers to commonly asked questions about the CCSA R70 / R71 exam:

Question: What are the Check Point recommendations and prerequisites?

Answer: Check Point recommends you have at least 6 months to 1 year of experience with the products, before attempting to take the CCSA R70 exam. In addition, you should also have basic networking knowledge, knowledge of Windows Server and/or UNIX, and experience with TCP/IP and the Internet. Check Point also recommends you take the Check Point Security Administrator R70 class from a Check Point Authorized Training Center (ATC). We recommend you take this class before taking the CCSA R70 exam. To locate an ATC, see: http://atc.checkpoint.com/atclocator/locateATC

Question: How do I register?

Answer: Check Point exams are offered through Pearson VUE, a third-party testing vendor with more than 3,500 testing centers worldwide. Pearson VUE offers a variety of registration options. Register via the Web or visit a specific testing center. Registrations at a testing center may be made in advance or on the day you wish to test, subject to availability. For same-day testing, contact the testing center directly. Locate a testing center from the VUE Pearson Web site: www.pearsonvue.com

Question: What is the exam structure?

Answer: The exams are composed of multiple-choice and scenario questions. There is no partial credit for incorrectly marked questions.

Question: How long is the exam? Do I get extra time, if I am not a native English speaker?

Answer: The following countries are given 120 minutes to complete the exam. All other regions get 150 minutes: Australia, Bermuda, Canada, Japan, New Zealand, Ireland, South Africa, UK, US

For more exam and course information, see:

http://www.checkpoint.com/services/education/

Chapter 1: Check Point Technology Overview

Check Point technology is designed to address network exploitation, administrative flexibility and critical accessibility. This chapter introduces the basic concepts of network security and management based on Check Point’s three-tier structure, and provides the foundation for technologies involved in the Check Point Software Blade Architecture, as discussed in the introduction. This course is lab-intensive, and in this chapter, you will begin your hands-on approach with a first-time installation using standalone and distributed topologies.

Objectives:

Describe Check Point’s unified approach to network management, and the key elements of this architecture

Design a distributed environment using the network detailed in the course topology

Install the Security Gateway version R71 in a distributed environment using the network detailed in the course topology

Check Point Technology Overview Topics

The following table outlines the topics covered in the “Check Point Technology Overview” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

Network Access Control p. 03

The Check Point Firewall p. 04

Mechanisms for Controlling Network Traffic p. 05

Packet Filtering p. 06

Stateful Inspection p. 07

Application Intelligence p. 08

Security Gateway Inspection Architecture p. 08

INSPECT Engine Packet Flow p. 09

Deployment Considerations p. 10

The DMZ p. 11

Bridge Mode / Bridge Mode and STP p. 12

Security Policy Management p. 13

SmartConsole Components p. 14

SmartDashboard p. 15

SmartView Tracker p. 17

SmartView Monitor p. 18

SmartEvent p. 20

Centralized Event Correlation p. 21

Real-Time Threat Analysis and Protection p. 21

Intelligent Event Management p. 21, p. 43

The SmartEvent Architecture p. 22

SmartProvisioning p. 24

SmartUpdate p. 25

Security Management Server p. 26

Managing Users in SmartDashboard p. 26

Users Database p. 27

Creating Administrators in SmartDashboard p. 28

Securing Channels of Communication p. 29

SIC p. 30

The Internal Certificate Authority (ICA) p. 30

ICA Clients p. 30

SIC Between Security Management Servers and Components p. 32

Administrative Login Using SIC p. 33

Lab 1: Distributed Installation L-p. 1

Install Security Management Server L-p. 3

Configure Security Management Server - sysconfig L-p. 11

Install Secure Platform on the Corporate Security Gateway L-p. 28

Configure the Corporate Security Gateway using the WebUI L-p. 30

Install SmartConsole L-p. 39

Launch SmartDashboard L-p. 45

Lab 2: Branch Office Security Gateway Installation L-p. 49

Install SecurePlatform on Branch Gateway L-p. 50

Configure Branch Gateway - WebUI L-p. 56

Table 1-1: Check Point Technology Overview Topics

Sample CCSA R70 Exam Question

What would be the benefit of upgrading from SmartDefense to IPS R70?

1. Completely rewritten engine provides improved security performance and reporting.

2. There is no difference - IPS R70 is the new name.

3. The SmartDefense technology expands IPS-1 to IPS R70.

4. The SmartDefense is replaced by the technology of IPS-1.

Answer

What would be the benefit of upgrading from SmartDefense to IPS R71?

1. Completely rewritten engine provides improved security performance and reporting.

2. There is no difference - IPS R70 is the new name.

3. The SmartDefense technology expands IPS-1 to IPS R70.

4. The SmartDefense is replaced by the technology of IPS-1.

Chapter 2: Deployment Platforms

Before delving into the intricacies of creating and managing Security Policies, it is beneficial to know about Check Point’s different deployment platforms, and understand the basic workings of Check Point’s UNIX-based and Linux operating systems (IPSO and SecurePlatform) that support many Check Point products. For those familiar with Linux and UNIX, this section will be a review. But for those with little to no Linux/UNIX experience, this will be a welcome guide.

Objectives:

Given network specifications, perform a backup and restore the current Gateway installation from the command line.

Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.

Deploy Gateways using sysconfig and cpconfig from the Gateway command line.

Deployment Platforms Topics

The following table outlines the topics covered in the “Deployment Platforms” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

UTM-1 Edge Appliance p. 39

Managing UTM-1 Edge — Security Management Server p. 40

SmartProvisioning p. 40

Managing UTM-1 Edge — Provider-1 p. 41

Power-1 Appliances p. 42

IP Appliances p. 43

IP Network Voyager p. 44

IPSO p. 46

IPSO Command Line Interface (CLI) p. 47

SecurePlatform p. 49

Hardware Compatibility Testing Tool p. 50

Managing Your SecurePlatform System p. 50

Critical Check Point Directories p. 51

CoreXL Multicore Acceleration p. 53

CoreXL Architecture p. 54

CoreXL and Performance Pack p. 55

Working with CoreXL p. 56

Lab 3: Command Line Interface Tool L-p. 67

Set Expert Password L-p. 68

Apply Other Useful Commands L-p. 71

Add and Delete Administrators via the CLI L-p. 72

Perform backup and restore L-p. 74

Table 2-2: Deployment Platforms Topics

Sample CCSA R70 Exam Question

What is the primary benefit of using upgrade_export over either backup or snapshot?

1. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.

2. upgrade_export has an option to backup the system and SmartView Tracker logs while backup and snapshot will not.

3. The backup and snapshot commands can take a long time to run whereas upgrade_export will take a much shorter amount of time.

4. upgrade_export is operating system independent and can be used when backup or snapshot is not available.

Answer

What is the primary benefit of using upgrade_export over either backup or snapshot?

1. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.

2. upgrade_export has an option to backup the system and SmartView Tracker logs while backup and snapshot will not.

3. The backup and snapshot commands can take a long time to run whereas upgrade_export will take a much shorter amount of time.

4. upgrade_export is operating system independent and can be used when backup or snapshot is not available.

Chapter 3: Introduction to the Security Policy

The Security Policy is essential in administrating security for your organization’s network. This chapter examines how to create rules based on network objects, and modify a Security Policy’s properties. In addition, this chapter will teach you how to apply Database Revision Control and Policy Package management, to decrease the burden of management when working with rules and objects.

Objectives:

Given the network topology, create and configure network, host and gateway objects.

Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.

Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.

Configure NAT rules on Web and Gateway servers.

Evaluate existing policies and optimize the rules based on current corporate requirements.

Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.

Introduction to the Security Policy Topics

The following table outlines the topics covered in the “Introduction to the Security Policy” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

Security Policy Basics p. 63

The Rule Base p. 63

Managing Objects in SmartDashboard p. 64

SmartDashboard and Objects p. 65

Managing Objects p. 67

Creating the Rule Base p. 69

Basic Rule Base Concepts p. 69

Default Rule p. 70

Basic Rules p. 72

Implicit/Explicit Rules p. 73

Control Connections p. 74

Detecting IP Spoofing p. 75

Rule Base Management p. 76

Understanding Rule Base Order p. 77

Completing the Rule Base p. 78

Policy Management and Revision Control p. 79

Policy Package Management p. 79

Database Revision Control p. 80

Network Address Translation p. 82

IP Addressing p. 83

Hide NAT p. 84

Static NAT p. 85

NAT - Global Properties p. 87

Configuring Automatic NAT p. 89

Object Configuration - Hide NAT p. 89

Hide NAT Using Another Interface IP Address p. 90

Manual NAT p. 92

Multicasting p. 94

Lab 4: Building a Security Policy L-p. 77

Create Security Gateway Object L-p. 79

Create GUIclient Object L-p. 85

Create Rules for Corporate Gateway L-p. 86

Save the Policy L-p. 91

Install the Policy L-p. 92

Test the Corporate Policy L-p. 96

Create the Remote Security Gateway Object L-p. 97

Establish SIC with the Branch Office L-p. 99

Create a New Policy for the Branch Office L-p. 103

Combine Policies L-p. 107

Lab 5: Configure the DMZ L-p. 115

Create DMZ Objects in SmartDashboard L-p. 116

Create DMZ Access Rule L-p. 118

Test the Policy L-p. 118

Lab 6: Configuring NAT L-p. 119

Configure Hide NAT on the Corporate Network L-p. 120

Test the Hide NAT Address L-p. 122

Open SmartView Tracker L-p. 123

Configure Static NAT on the DMZ Server L-p. 125

Test the Static NAT Address L-p. 127

Observe Hide NAT Traffic Using fw monitor L-p. 128

Configure Wireshark L-p. 130

Observe the Traffic L-p. 132

Observe Static NAT Traffic Using fw monitor L-p. 133

Table 3-3: Security Policy Topics

Sample CCSA R70 Exam Question

A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?

1. Nothing else must be configured.

2. Automatic ARP must be unchecked in the Global Properties.

3. A static route must be added on the Security Gateway to the internal host.

4. A static route for the NAT IP must be added to the Gateway's upstream router.

Answer

A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?

1. Nothing else must be configured.

2. Automatic ARP must be unchecked in the Global Properties.

3. A static route must be added on the Security Gateway to the internal host.

4. A static route for the NAT IP must be added to the Gateway's upstream router.

Chapter 4: Monitoring Traffic and Connections

To manage your network effectively and to make informed decisions, you need to gather information on the network’s traffic patterns.

Objectives:

Use queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.

Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.

Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements.

Introduction to the Monitoring Traffic and Connections Topics

The following table outlines the topics covered in the “Monitoring Traffic and Connections” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

SmartView Tracker p. 101

Log Types p. 102

SmartView Tracker Tabs p. 103

Action Icons p. 104

Log-File Management p. 105

Administrator Auditing p. 106

Global Logging and Alerting p. 228

Time Settings p. 108

Blocking Connections p. 109

SmartView Monitor p. 110

SmartView Monitor Login p. 111

Customizable Views p. 111

Monitoring Suspicious Activity Rules p. 116

Monitoring Alerts p. 116

Gateway Status p. 118

SmartView Tracker vs. SmartView Monitor p. 121

Table 4-4: Monitoring Traffic and Connections Topics

Lab 7: Monitoring with SmartView Tracker L-p. 137

Launch SmartView Tracker L-p. 138

Track by Source and Destination L-p. 142

Modify the Gateway to Activate SmartView Monitor L-p. 144

View Traffic Using SmartView Monitor L-p. 146

Sample CCSA R70 Exam Question

A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this?

1. This information can only be viewed with fw ctl pstat command from the CLI.

2. SmartView Tracker.

3. Eventia Analyzer.

4. SmartView Monitor

Answer

A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this?

1. This information can only be viewed with fw ctl pstat command from the CLI.

2. SmartView Tracker.

3. Eventia Analyzer.

4. SmartView Monitor

Chapter 5: Using SmartUpdate

SmartUpdate extends your organization’s ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed Security Gateways from a single management console.

Objectives:

Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.

Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.

Upgrade and attach product licenses using SmartUpdate.

Introduction to the SmartUpdate Topics

The following table outlines the topics covered in the “SmartUpdate” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

SmartUpdate and Managing Licenses p. 127

SmartUpdate Architecture p. 128

SmartUpdate Introduction p. 130

Overview of Managing Licenses p. 132

Service Contracts p. 138

Licensing R71 p. 140

Obtaining a License Key p. 140

Upgrading Licenses p. 141

SmartUpdate Options p. 141

The SmartUpdate Command Line p. 141

Table 5-5: Using SmartUpdate Topics

Sample CCSA R70 Exam Question

You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?

1. Send a Certified Security Engineer to each site to perform the update.

2. Use SmartUpdate to install the packages to each of the Security Gateways remotely.

3. Use an SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.

4. Send a CD-ROM with the HFA to each location and have local personnel install it.

Answer

You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?

1. Send a Certified Security Engineer to each site to perform the update.

2. Use SmartUpdate to install the packages to each of the Security Gateways remotely.

3. Use an SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.

4. Send a CD-ROM with the HFA to each location and have local personnel install it.

Chapter 6: Upgrading to R71

This chapter shows how to upgrade an existing Security Management server and security gateway to R71. Upgrades are used to save Check Point product configurations, Security Policies, and objects, so that Security Administrators do not need to recreate Gateway and Security Management Server configurations. This chapter lists guidelines for deciding when to upgrade, versus doing a new installation.

Objectives:

Based on current products or platforms used in an enterprise network, perform a pre-installation compatibility assessment before upgrading to R71.

Given R71 licensing restrictions, obtain a license key.

Install a Contract File on platforms such as Windows, SecurePlatform, Linux, Solaris and IPSO.

Introduction to the Upgrading to R71

The following table outlines the topics covered in the “Upgrading to R71” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

Backward Compatibility for Gateways p. 147

Upgrading Security Management Server p. 147

IPS-1 Upgrade Paths and Interoperability p. 148

Upgrade Notes p. 148

Upgrade Configuration p. 149

Distributed Installation p. 151

Web Intelligence License Enforcement p. 151

Lab 8: Upgrading a Security Gateway Locally L-p. 153

Upgrade SecurePlatform Using a CDROM L-p. 154

Table 6-6: Upgrading to R70 Topics

Sample CCSA R70 Exam Question

You currently do not have a Check Point software subscription for one of your products. What will happen if you attempt to upgrade the license for this product?

1. The license is not upgraded.

2. It is upgraded with new available features, but cannot be activated.

3. It is deleted.

4. The license will be upgraded with a warning.

Answer

You currently do not have a Check Point software subscription for one of your products. What will happen if you attempt to upgrade the license for this product?

1. The license is not upgraded.

2. It is upgraded with new available features, but cannot be activated.

3. It is deleted.

4. The license will be upgraded with a warning.

Chapter 7: User Management and Authentication

If you do not have a user-management infrastructure in place, you can make a choice between managing the internal-user database or choosing to implement an LDAP server. If you have a large user count, Check Point recommends opting for an external user-management database, such as LDAP.

Check Point authentication features enable you to verify the identity of users logging in to the Security Gateway, but also allow you to control security by allowing some users access and disallowing others. Users authenticate by proving their identities, according to the scheme specified under a Gateway authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.

Objectives:

Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.

Manage users' access to the corporate LAN by using external databases.

Introduction to the User Management and Authentication Topics

The following table outlines the topics covered in the “User Management and Authentication” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

Creating Users and Groups in SmartDashboard p. 159

User Types p. 159

Security Gateway Authentication p. 161

Introduction to Authentication Methods p. 161

Authentication Schemes p. 163

Remote User Authentication p. 165

Authentication Methods p. 165

User Authentication p. 166

Configuring User Authentication p. 168

Session Authentication p. 169

Configuring Session Authentication p. 170

Client Authentication p. 170

Configuring Client Authentication p. 173

Resolving Access Conflicts p. 174

Configuring Authentication Tracker p. 175

Table 7-7: User Management and Authentication Topics

LDAP User Management with SmartDirectory p. 175

LDAP Features p. 176

Multiple LDAP Servers p. 178

Using an Existing LDAP Server p. 178

Configuring Entities to Work with the Gateway p. 179

Managing Users p. 182

SmartDirectory Groups p. 183

Lab 9: Client Authentication L-p. 165

Use Manual Client Authentication with FTP and Local User L-p. 167

Modify the Rule Base L-p. 170

Test Manual Client Authentication L-p. 173

Use Partially Automatic Client Auth with a Local User L-p. 174

Use Partially Automatic Client Auth with LDAP L-p. 179

Verify SmartDashboard Integration L-p. 186

Test Active Directory Authentication L-p. 188

Create a Database Revision L-p. 189

Sample CCSA R70 Exam Question

Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.

1. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.

2. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.

3. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.

4. Enable LDAP in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

Answer

Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.

1. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.

2. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.

3. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.

4. Enable LDAP in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

Chapter 8: Encryption and VPNs

The Check Point Security Gateway enables you to create site-to-site Virtual Private Networks (VPNs) that provide secure communication between two defined participants, by encrypting the communication on unsecured public networks, such as the Internet.

Objectives:

Select the most appropriate encryption algorithm when securing communication over a VPN, based on corporate requirements.

Configure a certificate-based site-to-site VPN using one partner's internal CA.

Establish VPN connections to partner sites in order to establish access to a central database by configuring Advanced IKE properties.

Introduction to the Encryption and VPNs Topics

The following table outlines the topics covered in the “Encryption and VPNs” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

Securing Communication p. 189

Privacy p. 190

Symmetric Encryption p. 191

Asymmetric Encryption p. 192

Diffie-Hellman p. 193

Integrity p. 194

Authentication p. 195

Two-Phases of Encryption p. 196

Encryption Algorithms p. 196

IKE p. 197

ISAKMP p. 197

Oakley p. 197

ISAKMP/Oakley p. 197

Phase 1 p. 198

Phase 2 p. 199

How a VPN Works p. 200

Tunneling-Mode Encryption p. 202

Certificate Authorities p. 203

Table 8-8: Encryption and VPNs Topics

Certificates p. 204

Multiple Certificate Authorities p. 204

Local Certificate Authority p. 205

CA Service via the Internet p. 206

Internal Certificate Authority p. 206

Creating Certificates p. 207

Lab 10: Site-to-Site VPN Between Corporate and Branch Office L-p. 191

Define the VPN Domain L-p. 193

Create the VPN Community L-p. 196

Create the VPN Rule and Modifying the Rule Base L-p. 202

Test VPN Connection L-p. 205

Failed Negotiation Example L-p. 209

Sample CCSA R70 Exam Question

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R70 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?

1. Certificate Revocation Lists

2. Application Intelligence.

3. Digital signatures.

4. Key-exchange protocols.

Answer

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R70 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?

1. Certificate Revocation Lists

2. Application Intelligence.

3. Digital signatures.

4. Key-exchange protocols.

Chapter 9: Introduction to VPNs

Virtual Private Networking technology leverages the Internet to build and enhance secure network connectivity. Based on standard Internet secure protocols, a VPN enables secure links between special types of network nodes: the Gateways. Site-to-site VPN ensures secure links between Gateways. A Remote Access VPN ensures secure links between Gateways and remote access clients.

Objectives:

Configure a pre-shared secret site-to-site VPN with partner sites.

Configure permanent tunnels for remote access to corporate resources.

Configure VPN tunnel sharing, given the difference between host-based, subunit-based, and gateway-based tunnels.

Introduction VPNs Topics

The following table outlines the topics covered in the “Introduction to VPNs” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

The Check Point VPN p. 213

VPN Deployments p. 213

Site-to-Site VPNs p. 214

Remote Access VPNs p. 215

VPN Implementation p. 216

VPN Setup p. 217

Understanding VPN Deployment p. 217

VPN Communities p. 218

VPN Topologies p. 220

Meshed VPN Community p. 220

Star VPN Community p. 221

Choosing a Topology p. 221

Topology and Encryption Issues p. 223

Special VPN Gateway Conditions p. 224

Authenticating Between Community Members p. 225

Domain and Route-Based VPNs p. 226

Access Control and VPN Communities p. 227

Accepting all Encrypted Traffic p. 229

Table 9-9: Check Point Introduction to VPNs Topics

Excluding Services p. 229

Integrating VPNs into a Rule Base p. 230

Simplified vs. Traditional Mode VPNs p. 231

VPN Tunnel Management p. 231

Permanent Tunnels p. 232

VPN Tunnel Sharing p. 233

Remote Access VPNs p. 234

SecuRemote p. 234

Multiple Remote Access VPN Connectivity Modes p. 235

Office Mode p. 235

Visitor Mode p. 235

Hub Mode p. 235

Establishing a Connection Between a Remote User and a Gateway p. 236

Lab 11: Two-Gateway IKE Encryption Using Certificates L-p. 215

Save Certificate for Export L-p. 216

Add Partner Machine to VPN Community L-p. 218

Creating Object for Partner Gateway L-p. 218

Modify VPN Domain for Partner Gateway L-p. 222

Add the Partner Network to the VPN Community L-p. 225

Create Partner Site Certificate Authority L-p. 226

Modify the Rule Base L-p. 229

Install and Verify Security Gateway Configuration L-p. 230

Test Encryption with Certificates L-p. 231

Revert to Standard Security Policy L-p. 235

Lab 12: Remote Access and Office Mode L-p. 237

Create Remote-Access Group L-p. 239

Configure Gateway for IKE Encryption L-p. 240

Create a Remote User Group L-p. 240

Configure Remote Access Community Object L-p. 241

Configure VPN Domain for Remote Access L-p. 244

Configure Office Mode IP Pool L-p. 245

Modify the Rule Base for Remote Access L-p. 247

Create a Site Using the Site Wizard L-p. 249

Verify Office Mode IP Assignment L-p. 255

Test the Remote Connection L-p. 256

Sample CCSA R70 Exam Question

When using an encryption algorithm, which is generally considered the best encryption method?

1. DES.

2. AES

3. Triple DES

4. CAST cipher

Answer

When using an encryption algorithm, which is generally considered the best encryption method?

1. DES.

2. AES

3. Triple DES

4. CAST cipher

Chapter 10: Messaging and Content Security

Access control firewalls prevent unauthorized traffic from passing through the Gateway. However, hackers also attempt to misuse allowed traffic and services. Some of the most serious threats in today's Internet environment come from attacks that attempt to exploit the application layer. Access control devices cannot easily detect malicious attacks aimed at these services.

Objectives:

Configure Check Point Messaging Security to test IP Reputation, content-based anti-spam, and zero-hour virus detection.

Based on network analysis disclosing threats by specific sites, configure a Web-filtering and antivirus policy to filter and scan traffic.

Introduction to the Messaging and Content Security Topics

The following table outlines the topics covered in the “Messaging and Content Security” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic Key Element Page Number

Antivirus Protection p. 243

Anti-Virus Signature Database Updates p. 244

Antivirus Scanning p. 245

Content Security Scanning in Practice p. 246

POP3 Protocol Example p. 247

FTP Protocol Example p. 248

HTTP Protocol Example p. 249

DMZ Example p. 250

Scan by Direction Options p. 251

File Type Recognition p. 254

Continuous Download p. 255

Logging and Monitoring p. 256

File Size Limitations and Scanning p. 256

UTM-1 Edge Antivirus p. 258

Basic URL Filtering p. 259

Architecture p. 260

Anti-Spam and Mail p. 261

Table 10-10: Messaging and Content Security Topics

Architecture p. 263

Logging and Monitoring p. 265

Lab 13: Messaging and Content Security L-p. 259

Revert to Standard Security Policy L-p. 261

Configure Mail Server Object L-p. 262

Modify Rule Base L-p. 264

Observe Mail Traffic L-p. 265

Modify the Gateway Properties L-p. 267

Configure Anti-Spam for Monitor Only L-p. 268

Analyze to Gateway L-p. 270

Analyze Logs L-p. 272

Reconfigure Policy to Block Attacks L-p. 274

Sample CCSA R70 Exam Question

Which antivirus scanning method does not work if the Gateway is connected as a node in proxy mode?

1. Scan by Direction

2. Scan by File Type

3. Scan by Server

4. Scan by IP Address

Answer

Which antivirus scanning method does not work if the Gateway is connected as a node in proxy mode?

1. Scan by Direction

2. Scan by File Type

3. Scan by Server

4. Scan by IP Address
