
In compliance with ISO-9001 Cost Effective Quality Manpower Training Services

1 Day Training on Firewall


Agenda
1) HA
2) NAT
3) QoS
4) SSL VPN for Mobile Clients
5) IPSec VPN
6) Licensing
7) Traffic monitoring
8) Dual ISP failover
9) Advanced Troubleshooting
10) New features in GAiA
High Availability
Networks carry information that is the lifeblood of your
business, often making network outages or degraded
performance unacceptable. To help ensure business
continuity and balanced performance, several high
availability solutions are available for IP appliances. Virtual
Router Redundancy Protocol (VRRP) and patented IP
Clustering technology provide robust and scalable high
availability for IP appliances, allowing several independent
IP appliances to join together for a common security goal as
a single virtual device.
When using VRRP, an active appliance and a hot standby are
deployed as a cluster; the standby is ready to take over the
active appliance's functions if it fails. IP Clustering goes
further: clustered appliances process network traffic in
parallel and share information about the context of that
traffic, so the cluster survives the failure or degradation of
any individual member. By dividing the work, clustering lets
several appliances take on a load that would tax any single
member, and all members are managed centrally from one
location. VRRP, IP Clustering and external load balancers are
supported across all IP appliances.
Key benefits
High Availability: Limits any disruption to network uptime
should a security appliance face unforeseen performance
issues. Transparently redistributes workloads to surviving
cluster appliances without impacting communication
throughout the cluster.
Scalability: Enables security administrators to improve
performance and adapt to increasing traffic by adding cluster
members that divide the workload among more appliances for
efficient processing.

Resiliency and fault tolerance: Avoids simultaneous failures
through clustering, and makes active IP appliance
maintenance possible through workload redistribution.
Administrators can perform transparent "rolling upgrades," in
which nodes are gracefully removed from the cluster,
upgraded, and reinserted, all without any disruption to end-
user operations.
Features

High Availability across all IP Appliances
Check Point IP appliances offer a range of high availability
technologies to ensure critical services remain live under the
most demanding conditions. Customers can choose from
Virtual Router Redundancy Protocol (VRRP), patented high-
performance IP Clustering technology, or external load
balancers for their high availability requirements. Using these
advanced technologies avoids network down time and related
loss of productivity, customer frustration, or negative impact
on business reputation.

Virtual Router Redundancy Protocol (VRRP)
VRRP allows two or more IP appliances to represent a single
virtual IP appliance, with only one functioning as the firewall at
any given time. If the IP appliance routing data on behalf of the
virtual IP appliance fails, another physical IP appliance
automatically takes over. Network traffic continues with
minimal or no disruption.
IP Clustering
IP Clustering technology allows up to four devices to act as a
single network entity, sharing one internal and one external IP
address. IP packet processing is distributed among all cluster
member gateways to achieve equal member processing loads.
By its nature, IP Clustering adds scalability. When the cluster is
reaching its capacity limits, additional cluster members can be
added to increase performance. IP Clustering also provides
sub-second failover, while VRRP failover to the standby
appliance usually takes a few seconds.
IP Platforms also support external load balancers.

NAT (Network Address Translation)
NAT (Network Address Translation) is a feature of the Firewall
Software Blade that rewrites IPv4 and IPv6 addresses in packets.
You can enable NAT for all SmartDashboard objects to help
manage network traffic. NAT hides the internal addressing of a
network from the Internet, and you can also use it to supply
more IPv4 addresses for the network. NAT is not an
access-control mechanism, however: whether a translated
connection is allowed is still decided by the Firewall Rule Base.

The Firewall can change both the source and destination IP
addresses in a packet. For example, when an internal computer
sends a packet to an external computer, the Firewall translates
the source IP address to a new one. When the reply comes back
from the external computer, the Firewall translates the new IP
address back to the original one, so the packet reaches the
correct internal computer.
How Security Gateways Translate Traffic

A Security Gateway can use these procedures to translate IP
addresses in your network:
Static NAT - Each internal IP address is translated to a different
public IP address. Because the mapping is fixed and one-to-one,
the Firewall can also allow external traffic to reach internal
resources.
Hide NAT - The Firewall uses port numbers to translate all specified
internal IP addresses to a single public IP address, hiding the internal
IP structure. Connections can only start from internal computers;
external computers CANNOT initiate connections to internal servers.
The Firewall can translate up to 50,000 connections at the same time
in this way.

Hide NAT with Port Translation - Use one IP address and let
external users access multiple application servers in a hidden
network. The Firewall uses the requested service (or
destination port) to send the traffic to the correct server. A
typical configuration can use these ports: FTP server (port 21),
SMTP server (port 25) and an HTTP server (port 80). It is
necessary to create manual NAT rules to use Port Translation.
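The three translation modes above, as an added example that is not part of the original training material or of Check Point's own code. It is a toy Python model of a gateway's NAT table: `add_static` defines a one-to-one mapping that external hosts may initiate to, `add_hide` hides a whole internal network behind one address by rewriting the source port, and `add_port_translation` is the manual destination rule that sends traffic for one public address to different servers by port. The `NatTable` class, the addresses, the 10000-60000 source-port pool (50,000 ports) and the sequential port allocation are assumptions made for illustration, not details taken from the page.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class NatError(Exception):
    """Raised when a packet has no translation and must be dropped."""


class NatTable:
    """Toy model of a Security Gateway NAT table (added example).

    Assumptions not taken from the page: the Hide NAT source-port pool is
    10000-60000 (50,000 ports), ports are handed out sequentially, and a
    Hide session is keyed on (hiding address, hiding port).
    """

    def __init__(self, hide_ports=(10000, 60000)):
        self.static = {}        # internal IP -> public IP
        self.static_rev = {}    # public IP -> internal IP
        self.hide_rules = []    # (internal network, hiding public IP)
        self.port_rules = {}    # (public IP, port) -> (internal IP, internal port)
        self.sessions = {}      # (hide IP, hide port) -> (src, sport, dst, dport)
        self.free_ports = deque(range(hide_ports[0], hide_ports[1]))

    # ---- rule definition -------------------------------------------------
    def add_static(self, internal, public):
        self.static[internal] = public
        self.static_rev[public] = internal

    def add_hide(self, cidr, public):
        self.hide_rules.append((ip_network(cidr), public))

    def add_port_translation(self, public, port, internal, internal_port):
        """Manual rule: public:port -> internal:internal_port."""
        self.port_rules[(public, port)] = (internal, internal_port)

    # ---- translation -----------------------------------------------------
    def outbound(self, src, sport, dst, dport):
        """Internal host -> Internet; returns the translated 4-tuple."""
        if src in self.static:                      # Static NAT: 1:1, ports untouched
            return (self.static[src], sport, dst, dport)
        for net, hide_ip in self.hide_rules:        # Hide NAT: many:1 via source port
            if ip_address(src) in net:
                if not self.free_ports:
                    raise NatError("hide port pool exhausted")
                hide_port = self.free_ports.popleft()
                self.sessions[(hide_ip, hide_port)] = (src, sport, dst, dport)
                return (hide_ip, hide_port, dst, dport)
        return (src, sport, dst, dport)             # no matching rule: unchanged

    def inbound(self, src, sport, dst, dport):
        """Internet -> gateway; returns the internal 4-tuple or raises NatError."""
        if dst in self.static_rev:                  # Static NAT: external may initiate
            return (src, sport, self.static_rev[dst], dport)
        if (dst, dport) in self.port_rules:         # Port Translation: one IP, many servers
            internal, iport = self.port_rules[(dst, dport)]
            return (src, sport, internal, iport)
        sess = self.sessions.get((dst, dport))      # Hide NAT: replies to open sessions only
        if sess and sess[2] == src and sess[3] == sport:
            return (src, sport, sess[0], sess[1])
        raise NatError(f"no translation for {src}:{sport} -> {dst}:{dport}; dropped")

    def close(self, hide_ip, hide_port):
        """Release a Hide NAT port when its session ends."""
        self.sessions.pop((hide_ip, hide_port), None)
        self.free_ports.append(hide_port)


def demo():
    """Constructed scenario on RFC 1918 / RFC 5737 documentation addresses."""
    nat = NatTable()
    nat.add_static("10.0.0.10", "203.0.113.10")          # mail server, one-to-one
    nat.add_hide("10.0.1.0/24", "203.0.113.1")            # user LAN behind one address
    nat.add_port_translation("203.0.113.2", 80, "10.0.2.80", 8080)   # HTTP
    nat.add_port_translation("203.0.113.2", 25, "10.0.2.25", 25)     # SMTP

    out = nat.outbound("10.0.1.7", 51000, "198.51.100.5", 443)  # hidden user -> web
    back = nat.inbound("198.51.100.5", 443, out[0], out[1])     # reply mapped back
    try:                                                        # unsolicited -> dropped
        nat.inbound("198.51.100.9", 40000, "203.0.113.1", 22)
        unsolicited = "allowed"
    except NatError:
        unsolicited = "dropped"
    return {
        "hide_out": out,
        "hide_back": back,
        "unsolicited": unsolicited,
        "static_in": nat.inbound("198.51.100.5", 4000, "203.0.113.10", 25),
        "port_xlate": nat.inbound("198.51.100.5", 4001, "203.0.113.2", 80),
    }
```

Two behaviours from the text are visible in the model: an unsolicited packet to the hiding address with no matching session raises `NatError` (the "external computers cannot access internal servers" rule), and when the port pool is exhausted a new hidden connection is refused until `close` returns a port. The static and port-translation rules, by contrast, accept externally initiated traffic, which is why those are the modes you use for published servers.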

QoS
Check Point QoS is a policy-based bandwidth management
solution from Check Point Software Technologies Ltd. It is a
software-only application that manages traffic end-to-end
across networks by distributing enforcement throughout
network hardware and software.

QoS enables you to prioritize business-critical traffic, such as
ERP, database and Web services traffic, over less time-critical
traffic. QoS allows you to guarantee bandwidth and control
latency for streaming applications, such as Voice over IP (VoIP)
and video conferencing. With highly granular controls, QoS
also enables guaranteed or priority access to specific
employees, even if they are remotely accessing network
resources through a VPN tunnel.

QoS is deployed with the Security Gateway. This integrated
solution provides QoS for both VPN and unencrypted traffic,
maximizing the benefit of a secure, reliable, low-cost VPN
network.
QoS leverages the industry's most advanced traffic inspection
and bandwidth control technologies. Check Point-patented
Stateful Inspection technology captures and dynamically
updates detailed state information on all network traffic. This
state information is used to classify traffic by service or
application. After a packet has been classified, QoS schedules
it by means of a hierarchical Weighted Fair Queuing (WFQ)
algorithm to precisely control bandwidth allocation.
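The share a weighted fair queueing scheduler settles on under weights, guarantees and limits, as an added example that is not from the original material or from Check Point's QoS implementation. The function below computes the steady-state weighted max-min allocation of a link among traffic classes: each class first receives its guarantee, then the remainder is water-filled in proportion to the weights, and a class that reaches its demand or its limit drops out so its unused share flows to the others. It ignores the rule hierarchy and the per-packet scheduling of the real algorithm; the class names, weights and the 10 Mbit/s link are constructed numbers.

```python
from fractions import Fraction


def allocate_bandwidth(capacity, classes):
    """Weighted max-min share of a link among QoS classes (added example).

    classes: {name: {"weight": w, "demand": d, "guarantee": g, "limit": l}}
    with guarantee and limit optional, all in the same unit as capacity.
    Step 1 hands each class its guarantee (never more than it wants or is
    allowed); step 2 water-fills the rest by weight, and a class that reaches
    its demand or limit drops out so its unused share flows to the others.
    Returns {name: Fraction} so the arithmetic is exact.
    """
    ceiling, alloc = {}, {}
    for name, c in classes.items():
        top = Fraction(c["demand"])
        if c.get("limit") is not None:
            top = min(top, Fraction(c["limit"]))              # "limit" caps a class
        ceiling[name] = top
        alloc[name] = min(Fraction(c.get("guarantee", 0)), top)  # "guarantee" first
    remaining = Fraction(capacity) - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of guarantees exceeds link capacity")
    while remaining > 0:
        wanting = [n for n in classes if alloc[n] < ceiling[n]]
        if not wanting:                            # link under-used: nobody wants more
            break
        total_w = sum(classes[n]["weight"] for n in wanting)
        handed_out = Fraction(0)
        for n in wanting:                          # split in proportion to "weight"
            share = remaining * classes[n]["weight"] / total_w
            grant = min(share, ceiling[n] - alloc[n])
            alloc[n] += grant
            handed_out += grant
        remaining -= handed_out                    # leftover is re-offered next round
    return alloc


def demo():
    """Constructed 10 Mbit/s link with four classes; the numbers are assumed."""
    classes = {
        "voip": {"weight": 10, "demand": 5, "guarantee": 2, "limit": 3},
        "erp":  {"weight": 30, "demand": 10},
        "web":  {"weight": 10, "demand": 10},
        "bulk": {"weight": 5, "demand": 10, "limit": 1},
    }
    return allocate_bandwidth(10, classes)
```

In the constructed scenario voip is pinned at its 3 Mbit/s limit even though it asked for 5, and the remaining 7 Mbit/s is split 6:2:1 between erp, web and bulk, exactly their 30:10:5 weights, because none of those three hits a limit. Raise bulk's demand or lower its limit and you can watch its unused share flow back to the heavier classes.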

QoS provides the following features and benefits:
Flexible QoS policies with weights, limits and guarantees: QoS enables
you to develop basic policies specific to your requirements. These basic
policies can be modified at any time to incorporate any of the Advanced
QoS features described in this section.
Integration with the Security Gateway: optimize network performance
for VPN and unencrypted traffic. The integration of an organization's
security and bandwidth management policies enables easier policy
definition and system configuration.
Performance analysis through SmartView Tracker: monitor the
performance of your system by means of log entries recorded in
SmartView Tracker.
Integrated DiffServ support: add one or more Diffserv Classes of Service
to the QoS Policy Rule Base.
Integrated Low Latency Queuing: define special classes of service for
"delay sensitive" applications like voice and video to the QoS Policy Rule
Base.
Integrated Authenticated QoS: provide QoS for end-users in dynamic IP
environments, such as remote access and DHCP environments.
Integrated Citrix MetaFrame support: deliver a QoS solution for the
Citrix ICA protocol.
No need to deploy separate VPN, Firewall and QoS devices: QoS and
Firewall share a similar architecture and many core technology
components, therefore users can utilize the same user-defined network
objects in both solutions.
Proactive management of network costs: QoS's monitoring
systems enable you to be proactive in managing your network
and thus controlling network costs.
Support for end-to-end QoS for IP networks: QoS offers
complete support for end-to-end QoS for IP networks by
distributing enforcement throughout network hardware and software.
SSL VPN for Mobile Clients

Check Point Mobile Access Software Blade is the safe and easy
solution to connect to corporate applications over the Internet
with your smartphone, tablet or PC. The solution provides
enterprise-grade remote access via both Layer-3 VPN and SSL
VPN, allowing you simple, safe and secure connectivity to your
email, calendar, contacts and corporate applications.
Simply connect from mobile devices
Secure connectivity for smartphones, tablets, PCs and laptops
Provides client-based and web-based VPN connectivity
Easy access for mobile workers using managed or unmanaged devices

Keeps your data secure
Communicate securely with proven encryption technology
Verify authorized users with two-factor authentication and User-
Device pairing
Unified management for simple deployment and
administration
Fully integrated with Check Point Security Policy Manager
Activate user-certificates with one click
Deploy and configure the Mobile Access Software Blade on your
existing Security Gateway

IPSec VPN
Secure VPN connectivity for remote and mobile users, branch
offices
Simple, centralized management of remote access and site-to-
site VPNs
Enhanced IPSec VPN security against Denial of Service (DoS)
attacks
Security policy may be applied in varying degrees based on
encryption level
Flexibility to build the VPN solution that meets your specific
needs

Multiple remote access VPN connectivity modes to support
road warriors
Comprehensive set of remote access VPN client choices
Multiple VPN creation methods, including route-based and
domain-based VPNs
Integrated into Check Point Software Blade Architecture
Simple activation of IPSec VPN on any Check Point security
gateway
Centralized logging and reporting via a single console

Licensing
If you have not yet migrated to Software Blade licenses, use
the migration options on Check Point's website. Migration to
Software Blades is free of charge to purchasers of the Software
Subscription service (Enterprise Base Support).
Licenses are required for management servers and Security
Gateways.
Check Point software is activated using a certificate key. The
certificate key is used to generate a license key for products
that you want to evaluate or purchase. To purchase Check
Point products, contact your reseller.

To get a license key from the Check Point User Center:

1) Add the required Check Point products/evaluations to your User Center account: select
Accounts & Products > Add Products.
2) Generate a license key for your products/evaluations: select Accounts & Products > Products,
select your products and click Activate License. The selected products/evaluations are assigned
license keys.
3) Complete installation and configuration:
Read and accept the End User License Agreement.
Import the product license key using the Check Point Configuration Tool or SmartUpdate.
SmartUpdate lets you centrally upgrade and manage Check Point software and licenses.
The certificate keys associate the product license with the Security Management server, so that:
The license remains valid even if the IP address of the Security Gateway changes.
Only one IP address is needed for all licenses.
A license can be detached from one Security Gateway and assigned to another.

Licensing Multi-Domain Security Management

Multi-Domain Security Management licenses are associated with the IP
address of the licensed entity.
To add a Management domain, you must add a Domain license to Multi-
Domain Security Management.
To add a Management Software Blade to a Multi-Domain Server, you
must add the required blade licenses to Multi-Domain Security
Management.
Multi-Domain Security Management licenses can be imported using the
Check Point command-line licensing tool or the SmartDomain Manager.

Traffic monitoring

The Check Point Monitoring Software Blade presents a
complete picture of network and security performance,
enabling fast responses to changes in traffic patterns or
security events. The Software Blade centrally monitors Check
Point devices and alerts to changes to gateways, endpoints,
tunnels, remote users and security activities.

Comprehensive network security monitoring for faster
response to threats
Real-time information on Check Point products
Monitor connectivity between gateways and remote user traffic
Cooperative Enforcement verifies connections from internal and
remote hosts
Simplified network security management for maximum efficiencies
Single management console with predefined and customizable
interfaces
Detailed or summary graphs and charts for analysis of traffic patterns
Automatically modify access privileges upon detection of suspicious
activity

Integrated into Check Point Software Blade Architecture
Activate network security monitoring on any Check Point Security
Management server
Supported on Check Point Appliances and open servers

Gateway Monitoring
The Monitoring Software Blade provides real-time information on Check Point
gateways in the organization. Custom and predefined queries enable
administrators to view in-depth information, such as system data, network
activity, policy and license status about specific gateways.
Network Traffic Monitoring
The Monitoring Software Blade also delivers a comprehensive view of network
usage. It can generate detailed or summary graphs and charts for analysis of
network traffic patterns, audit and estimate costs of network use, identify
departments and users that generate the most traffic, and detect and monitor
suspicious activity.


Suspicious Activity Monitoring and Alerts
The Monitoring Software Blade integrates the Check Point suspicious
activity monitoring protocol for modifying access privileges upon
detection of any suspicious network activity, such as attempts to gain
unauthorized access. Alerts can also be automatically sent to
administrators for certain predefined system events such as when
free disk space is below an acceptable threshold or if a security policy
has been changed. These alerts point to potential system security
threats and provide information to assist in avoiding, minimizing or
recovering from damage.

VPN Tunnel Monitoring
The Monitoring Software Blade enables system administrators to
monitor connectivity between gateways. Permanent tunnels can be
set up between Check Point gateways where uninterrupted
connectivity is critical to the organization's business. By constantly
monitoring the status of VPN tunnels, including inbound and
outbound tunnel traffic, the Monitoring Software Blade enables
administrators to track normal tunnel function so that malfunctions
and connectivity problems can be quickly assessed and resolved.
Remote User Monitoring
The monitoring of remote users offers valuable information for
identifying and troubleshooting remote connectivity issues. The
Monitoring Software Blade provides comprehensive information on
various aspects of remote user traffic, such as current open sessions,
overlapping sessions, route traffic and connection time.
Cooperative Enforcement Monitoring
The Cooperative Enforcement monitoring feature utilizes the endpoint
security server compliance capability to verify connections arriving
from internal and remote hosts across the network. The logs
generated for authorized and unauthorized hosts can be monitored
via the Monitoring Software Blade.

Flexible, Graphical Reporting
Using custom or predefined queries, administrators can drill down on a
specific segment of traffic or specific gateways to isolate factors that may be
affecting network performance. Multiple views can be displayed within the
same window and viewed side-by-side to enable easy diagnoses of traffic or
security problems.
Tight Integration with Check Point Products
The Monitoring Software Blade is part of Check Point Security Management
solutions, a suite of powerful applications for centrally configuring,
managing and monitoring Check Point perimeter, internal, Web and
endpoint security gateways. This integration results in reduced complexity
and lowers total cost of ownership.

Integrated into Check Point Software Blade Architecture
The Monitoring Software Blade is integrated into the Software Blade
Architecture. It can be easily and rapidly activated on existing Check
Point Appliances or open server platforms, saving time and reducing
costs by leveraging existing security infrastructure.
Full integration into the modular Software Blade Architecture allows
for rapid and easy activation on any Check Point Security
Management server.

ISP Redundancy

Make Internet connectivity more reliable with ISP Redundancy.
This connects a Security Gateway or cluster member to the
Internet through redundant Internet Service Provider (ISP)
links.

Figure legend: 1 = Security Gateway; 2 = Link A to the ISP; 3 = Link B to the ISP.
ISP Redundancy monitors the links and directs connections over
them. You can configure it for Load Sharing or Primary/Backup.
Load Sharing: Uses the two links with a distributed load of connections
going out from the Security Gateway. Connections coming in are
alternated. You can configure best relative loads for the links (set a faster
link to handle more load). New connections are randomly assigned to a
link. If one link fails, the other takes the load.
Primary/Backup: Uses one link for connections going out from the
Security Gateway and coming in. It switches to the backup if the primary
link fails. When the primary link is restored, new connections are assigned
to it. Existing connections continue on the backup link until they are
complete.
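The two modes described above, as an added example that is not from the original material or from Check Point's implementation. The `IspRedundancy` class is a toy model of link selection: in Primary/Backup mode every new connection goes to the first link that is up, and in Load Sharing mode each new connection is assigned by a weighted random draw so a faster link carries more load. The class, the link names, the weights, the seeded random generator and the caller-driven link state (the real gateway probes the links itself) are assumptions made for illustration.

```python
import random


class IspRedundancy:
    """Toy model of ISP Redundancy link selection (added example).

    Assumptions not taken from the page: Load Sharing picks a link for each
    new connection by a weighted random draw over the links that are up, link
    state is set by the caller rather than probed, and a connection keeps the
    link it was assigned until it is closed.
    """

    def __init__(self, mode, links, weights=None, seed=0):
        if mode not in ("load_sharing", "primary_backup"):
            raise ValueError(mode)
        self.mode = mode
        self.links = list(links)                    # priority order; links[0] is primary
        self.weights = dict(weights) if weights else {l: 1 for l in links}
        self.up = {l: True for l in links}
        self.connections = {}                       # connection id -> link
        self.rng = random.Random(seed)              # seeded so the demo is repeatable

    def set_link(self, link, is_up):
        self.up[link] = is_up

    def new_connection(self, conn_id):
        """Assign a fresh outgoing connection to a link, or raise if none is up."""
        alive = [l for l in self.links if self.up[l]]
        if not alive:
            raise RuntimeError("all ISP links are down")
        if self.mode == "primary_backup":
            link = alive[0]                         # primary whenever it is up
        else:
            link = self.rng.choices(alive, weights=[self.weights[l] for l in alive])[0]
        self.connections[conn_id] = link
        return link

    def link_of(self, conn_id):
        """Existing connections are not moved when link state changes."""
        return self.connections[conn_id]

    def close(self, conn_id):
        return self.connections.pop(conn_id)


def demo():
    """Constructed scenario: primary link A fails and is later restored."""
    pb = IspRedundancy("primary_backup", ["A", "B"])
    before = pb.new_connection("c1")                 # on A
    pb.set_link("A", False)
    during = pb.new_connection("c2")                 # failover: on B
    pb.set_link("A", True)
    after = pb.new_connection("c3")                  # new connections back on A
    sticky = pb.link_of("c2")                        # c2 stays on B until it closes

    ls = IspRedundancy("load_sharing", ["A", "B"], weights={"A": 3, "B": 1}, seed=1)
    counts = {"A": 0, "B": 0}
    for i in range(1000):
        counts[ls.new_connection(i)] += 1            # roughly a 3:1 split
    ls.set_link("B", False)
    after_b_down = {ls.new_connection(f"f{i}") for i in range(20)}  # all on A
    return {"before": before, "during": during, "after": after, "sticky": sticky,
            "share_counts": counts, "after_b_down": after_b_down}
```

The point the model makes explicit is the restore behaviour: once link A is back, `c3` is placed on A but `c2`, opened during the outage, keeps running on B until it closes. When you test a failover in the field, check the gateway's connection table for exactly this, because a long-lived tunnel or transfer will not move back by itself.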

Check Point GAiA

Check Point GAiA™ is the unified cutting-edge secure
operating system for all Check Point Appliances, open servers
and virtualized gateways. GAiA combines the best features
from IPSO and SecurePlatform into a single unified OS
providing greater efficiency and robust performance. With the
support of the full suite of Software Blades, customers will
benefit from improved connection capacity and the full
breadth and power of Check Point security technologies by
adopting GAiA.

Combining the Best Features of IPSO & SecurePlatform
Secure platform for all Check Point Gateways and Management, open
servers and virtualized gateways
Support the full-range of Software Blades on all Check Point
Appliances, including IP Series
Full compatibility with IPSO and SPLAT command line interface

Increase Operational Efficiency with Wide Range of Features
Feature-rich and intuitive Web-UI to configure and manage the entire
gateway
Role-based administration allowing segregation of duties among
users with different privileges
New Software Update Tool puts system updates on autopilot
Replication of security gateway settings or image to others in minutes
Fast and efficient installation, backup and recovery

A Secure Platform for the Most Demanding Environments
Full integration of IPv6 network security utilizing Check Point
advanced technologies (CoreXL, SecureXL, ClusterXL and VRRP)
High connection capacity with 64-bit operating system
providing up to 70 million concurrent connections
Advanced routing options including ClusterXL and VRRP
clustering, 5 dynamic routing protocols and 6 multicasting
protocols

Web-Based User Interface with Search Navigation
This interface integrates all management functions into a Web-based
dashboard that is accessible via the most popular Web browsers:
Internet Explorer, Chrome, Firefox and Safari. The built-in search
navigation delivers instant results on commands and properties. For
CLI-inclined users, a shell-emulator pop-up window is only a
single click away.
