8/4/2019 0789731096

1/32

SmartDashboard

Terms youll need to understand:

Network object

Cleanup rule

Stealth rule

Anti-spoofing

Concepts youll need to master:

Creating an object

Creating a rule

Understanding the behavior of a simple rule base

Using the command line

Installing and uninstalling a policy from the GUI

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3

8/4/2019 0789731096

2/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 340

Out of all the SmartConsole utilities, youll be spending the most time in

SmartDashboard. This is where the security policy is defined and pushed out

to the enforcement points.

Before we continue, though, some terms have to be explained. They help younot only at exam time, but in your everyday job as well.

The security policy is a combination of rules and system properties that

come together to define how the firewalls protect your network.

In the real world, a security policy is usually associated with a document that

defines in plain language which activities are permitted, which are denied, and what

procedures exist for monitoring. This is where youll find things such as your

acceptable use policy and incident handling procedures. As a security guy (or gal),you have the job of implementing solutions that follow and enforce the policy,

which includes firewalls.

However, in Check Point land, a security policy refers to the configuration of the

firewalls (which should be in accordance with your company security policy). Keep

them straight, for both the exam and the auditors.

The rules themselves are individual statements that permit or deny traffic.

When you collect all the rules in an ordered list, its called the rule base. The

rule base is processed from top to bottom, stopping at the first match. In

conformance with the that which is not permitted is prohibited philoso-

phy of Check Point, any unmatched packets are silently dropped.

The rule base is only half of the security policy. The other half is the prop-

erties of the policy, which affect the generated INSPECT code by implicit-

ly adding extra rules, changing timing values, and turning on additional

security checks.

It is the whole security policy that is enforced by each enforcement point,not just the rule base.

Working Within SmartDashboardFigure 3.1 shows the SmartDashboard interface. It is divided into several

panes that can be turned on and off through the View menu.

The leftmost pane in the example is the objects tree. The upper-right paneis the rule base, and the lower-right pane is the objects list. Through the

View menu, you can turn on other options such as SmartMap, which shows

a graphical representation of your network.

8/4/2019 0789731096

3/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 41

Figure 3.1 SmartDashboard view showing the various panes.

One important thing to note is that only one person can have a security pol-

icy open for writing at a given time. Anyone connecting in while this person

has the policy locked has the choice of connecting back later or opening a

read-only version of the policy. This is to ensure that two people do not

make changes that adversely impact each other. The status of the policy is

located in the lower-right part of the SmartDashboard frame.

Objects Tree The leftmost pane is called the objects tree. Objects are the basis of allFireWall-1 configurations because they represent everything from a host

that gets protected to a time of day at which rules are enforced. Even the

enforcement points themselves are represented by objects.

When creating rules, one selects the necessary objects (creating new ones if

needed) and drags them into the rule base. If the object is edited later, the

change carries over into the rule base.

Across the top of the objects tree are tabs to select the various sections:

Network ObjectsMatches objects representing an IP address, such ashosts, networks, and groups.

ServicesMatches the layer 4 port, or the layer 3 protocol.

8/4/2019 0789731096

4/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 342

ResourcesMatches upper-layer protocols, such as http URLs (outsidethe scope of the CCSA).

Servers and OPSEC ApplicationsDefines hosts that will be integrated

into the system, such as antivirus servers and other OPSEC devices (out-side the scope of the CCSA).

Users and AdministratorsDefines users and groups that will be used inauthentication rules.

VPN CommunitiesDefines sites that communicate over Virtual PrivateNetworks (outside the scope of the CCSA).

Although you can manage these objects from the objects tree, each compo-nent has an identical menu option under the Manage menu. For example, to

create a new network object you could right-click on the network branch in

the objects tree, or select Manage, Network Objects, New.

Network ObjectsNetwork objects represent such things as hosts, firewalls, address ranges, and

networks. Under the network objects tree you will find the objects broken

down in a similar fashion: Check PointA Check Point firewall product running on some device. It

may or may not be under your control.

NodeA host, or in the case of a multihomed host, a gateway.

Interoperable DeviceA nonCheck Point firewall that will be involved ina VPN connection.

NetworkAn object representing a network and network mask.

GroupA collection of other objects, including other groups.

Address RangeA contiguous list of network addresses, similar to a net-work, but not necessarily defined by a network and netmask combina-

tion (for example, 192.168.0.1 to .99).

Dynamic ObjectAn object whose address is not fixed but is resolved oneach enforcement point.

There exist several other types of network objects, such as domains and voice-over-

IP objects, but they are outside the scope of the CCSA exam.

8/4/2019 0789731096

5/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 43

Simple objects such as nodes, networks, and address ranges represent their

real-life counterparts. For example, if you have a main server that is only

allowed to talk to one network, you are going to need an object representing

the mail server, and one representing the network. Later, youll drag theseobjects into a rule in order to make it enforce your policy. In these simple

objects, there is very little to configure other than a name and the IP infor-

mation, except for perhaps Network Address Translation (NAT), which is

examined later in the book.

More complex objects, such as Check Points, bring with them more options

to configure depending on the type of device. Check Points are firewall

objects that run software, such as FireWall-1. Although there are several

types of Check Points that can be configured, it really comes down towhether the device is managed by the SmartCenter Server you are logged in

to. If so, it is a regular gateway; otherwise, it is an externally managed gate-

way.

An externally managed gateway looks similar to a regular Check Point, though there

is no SIC connection. No SIC connection means you cant push a security policy

to it.

To create a new Check Point gateway, select the Manage, Network Objects

menu item, click the New button, and then select Gateway. Next, give it a

name and an IP address that your SmartCenter Server can contact it on. You

must then initialize SIC by selecting Communication, and then entering the

password you submitted during the enforcement point installation.

If you forgot the password already, or things just arent working, you can reset SIC

on the enforcement point by going into the Check Point configuration utility (or

cpconfig on Unix platforms), entering the Secure Internal Communications menu,

and selecting the Reset option.

After initializing SIC, you should set the product information so that the

proper options are shown. First, click the Get Version button to set the prod-

uct versions. Then, check the boxes under the version that correspond with

the role of the firewall, such as Firewall and VPN. Note that SVN

Foundation is already checked, because you have established SIC connectiv-

ity. As you click products, more items appear in the left pane of the window.

The detailed configurations of the items relevant to the CCSA exam are

investigated throughout the rest of the book.

8/4/2019 0789731096

6/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 344

Network objects can be combined with other network objects through the

use of groups. Groups act merely as a container to hold multiple objects, so

they do not have any configurable properties themselves other than their

name, appearance, and members.Groups can also include other groups. When including a group inside anoth-

er group, you have the choice of adding the members separately or adding

the group object itself. For instance, if the Servers group has five node

objects inside of it and you want to add it to the ImportantNodes group,

adding the members separately will add the five node objects into

ImportantNodes. If you add the group instead, only the one group object

shows up. Functionally, they are the same because the INSPECT compiler

has to check for all hosts, but they have different management implications.If you were to add a new node to the Servers group, it would show up only

in ImportantNodes if you chose to add the group object. If you added the

members separately, the connection to the Servers group would be lost, and

no changes would be propagated from one group to the other.

It is of extreme importance to understand that only other network objects

can be placed inside a network group. Adding a user or a service is forbidden.

It is correct to have different network objects, such as nodes and networks,

within the same group, because they are all network objects.

Network groups can only contain network objects.

By using the groups in the rule base, you can manage part of your security

policy through group membership rather than constantly modifying the rulebase. For example, you may have a rule that controls access to all the fire-

walls. By creating a group object containing all the firewalls and using that

in the rule, you make your rule base simpler. As you add more firewalls, sim-

ply drop the Check Point object into the group object and push your policy

out to the devices. This saves the complexity of finding all the rules that need

to be changed.

As with so many other things, changes in group memberships dont actually take

effect until you push the policy to the enforcement point.

8/4/2019 0789731096

7/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 45

ServicesServices represent layer 37 protocols. When building your rule base, you

will on many occasions want to match certain protocols, such as SMTP or

HTTP, which is where services come into play.

Services are not limited to the traditional TCP and UDP ports. ICMP types can

also be matched, permitting you to block only echo-request type packets while

allowing destination-unreachable packets to be passed through. Furthermore, IP

protocols themselves can be matched, such as OSPF routing and GRE tunnels.

Depending on the service, it may specify more than simply a port number.

FTP, for example, has several different objects that represent passive FTP or

the normal PORT mode. Depending on the method chosen, FireWall-1 alsohas to keep state of the data connections that will be generated in response to

commands. Secure Shell (SSH) has different objects, some of which match

specific protocol versions.

Services under the Other branch not only can represent IP protocols such as

OSPF and GRE, but also can have INSPECT code attached to the rule to

further qualify traffic.

The RPC branch of the tree contains services related to Remote Procedure

Calls, a Unix method of communicating between applications. Rather thanfixed port numbers, RPCs use program numbers which are dynamically

mapped to TCP and UDP ports by a service called the portmapper.

FireWall-1s Stateful Inspection can watch for the portmapper packets and

read the TCP or UDP port that must be opened to allow the RPC if it has

been permitted by the security policy.

Although hundreds of services are predefined, the administrator can create

new ones as needed through the Manage, Services, New menu options.

Similar to network groups, service groups can also be created. Service groups

can contain only other services, so mixing them with users and networks is

not allowed. Service groups are very helpful because applications often

require several ports to be opened for proper operation. Service groups let

the administrator collect these ports into one object, ensuring consistency in

configuration, and easier understanding for others.

Users and AdministratorsUsers and administrators are used to identify people rather than machines.Accounts can be defined locally, pulled off an existing directory, or a combi-

nation of both.

A more detailed look at this tab will happen when we look at authentication

in general in Chapter 7, Authentication and Users.

8/4/2019 0789731096

8/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 346

The Rule BaseAs mentioned before, the rule base is composed of multiple rules. Figure 3.2

shows a sample rule base.

Figure 3.2 A sample rule base.

Each rule is independent of the others and is processed in sequence, mean-

ing that the whole rule must match and that a lower numbered rule could

potentially negate the effects of a higher numbered rule.

This last point could use some more explanation. Take for instance the fol-

lowing plain-English rules:

1. HostA can connect to any web server using HTTP.

2. No one can connect to WebServer1.

HostA is able to connect to WebServer1 via HTTP by virtue of rule 1, even

though rule 2 says that no one can connect to WebServer1. Because rules are

processed in order, stopping with the first match, rule 1 is matched and rule

2 is never considered.

Examining a RuleUnderstanding the individual components of a rule is important to under-

standing the function of the whole rule. One of the things youll be expected

to do on both the exam and in real life is to look at a rule base and determine

what traffic is matched, and what actions will be performed.

8/4/2019 0789731096

9/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 47

These are the fields of a rule:

NumberThe rules position in the rule base.

SourceA set of network objects representing the origin of the traffic. DestinationA set of network objects representing the recipient of the

traffic.

VPNIf desired, can specify that the traffic is to be encrypted.

ServiceA set of service objects indicating which protocols are to bematched.

ActionA set of predefined items telling the gateway what to do with

the packet if this rule is matched.

TrackA set of predefined items indicating whether any log entries orother notifications are to be made if this rule is matched.

Install OnSpecifies which enforcement points will enforce this rule.

TimeOptionally specifies the time at which this rule will be enforced.

CommentFor administrative purposes, allows you to make a comment

about who put in the rule, what it does, and any other pertinent infor-mation.

The Source, Destination, and Service fields use objects from the object tree.

By double-clicking, or right-clicking and selecting Edit, you can see the

specifics of the object. If multiple objects are within the same column, this

forms an OR relationship. If no objects are placed in the column, it defaults

to Any, meaning any value will match.

If the icon for the cell has an through it, like the source address in Figure3.3, the selection is negated. That is, a match will occur only if the cells value

is not matched. With multiple objects in the column, none of the objects can

match for the rule itself to be considered a match. For instance, the rule in

the example will match any HTTP packets that dont come from Network1

or Network2.

Figure 3.3 A rule with a negated source address.

8/4/2019 0789731096

10/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 348

When youre reading a rule, it is important to understand that a rule repre-

sents the conversation, not the individual packets. Allowing traffic for a par-

ticular source to a given destination implicitly allows packets in the return

direction after the connection has been established.The action of the rule tells FireWall-1 what to do when a match is found.

These are the possible actions:

AcceptPermit this packet for further processing.

DropDiscard the packet with no notification to the sender.

RejectDiscard the packet, sending an ICMP unreachable message tothe sender.

User AuthRequire user authentication to allow this connection.

Client AuthRequire client authentication to allow this connection.

Session AuthRequire session authentication to allow this connection.

The authentication rules are covered in Chapter 7.

Most often, you will be using Accept and Drop. Firewall administrators often prefer to

make protected machines invisible, except for what needs to be exposed. Rejecting apacket sends notice back to the sender, making it visible to the attacker even though

it is not accepting the packets.

In addition to deciding the action, the firewall must also decide whether any

logging is needed. The Track column dictates what logging will happen, and

may take one of the following options:

NoneDoes nothing.

LogSends a logging entry to the logging server.

AccountLogs more information about the flow, including number ofpackets and size.

AlertLogs the event, but also sends a pop-up message to theSmartConsole.

SNMP TrapSends an SNMP trap to a management station.

MailEmails the details about the event.

User DefinedRuns a user-supplied script.

The Install On column allows you to select which firewalls are to enforce the

rule. For instance, if you have a mail server in a DMZ in Winnipeg, theres

8/4/2019 0789731096

11/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 49

little point in having the same rule enforced in Calgary. Either network

objects representing the enforcement points will be here (Check Points or

Groups), or the phrase Policy Targets, meaning all firewalls.

The Time column allows you to dictate when the rule is valid. Within thecell are time objects, available through Manage, Time, that specify a time or

date range.

Finally, comments are necessary for administrative sanity. The comment

field should contain a description of why the rule is there, or any other spe-

cial notes (including Dont delete this or Oracle will break!).

Creating and Deleting RulesTo create a new rule, first determine where it is to be inserted. The Rules,

Add Rule menu option then gives you four choices:

Bottom

Top

Below

Above

The first two optionsBottom and Topplace the new rule at the bottom

or top of the policy, respectively. Below and Above place the new rule next to

the currently highlighted rule, either above or below, depending on which

you chose.

The rule that is created, called the default rule, is shown in Table 3.1.

Table 3.1 The Default Rule

Source Destination Service Action Track Install On Time

Any Any Any Drop None Policy Targets Any

As the default rule shows, it specifies that all packets are to be dropped on all

firewalls. You must change the relevant fields to do what you want.

All cells can be configured by right-clicking within the cell. The Action and

Track columns give you a menu with the available options; the rest of the fieldsrequire you to select Add and then select the objects you want from the menu.

If it turns out you forgot to create an object, this menu also has the option to

create a new object. You can also populate cells by dragging objects from the

objects tree, or dragging objects from other cells.

8/4/2019 0789731096

12/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 350

One of the options available when you right-click one of the Source,

Destination, or Service cells is Negate Cell. As discussed previously, this

causes a red to be displayed through the icon, and has the effect of match-

ing anything except for the contents of the cell.

To remove a rule from service, you have two options. One is to highlight the

rule and press the Delete key; the other is to select the Rules, Delete menu

item. This removes the rule completely from the rule base. If you just wantto disable it temporarily, right-clicking on the rules number will give you the

Disable Rule(s) option (or select Rules, Disable Rule). The rule will have a

red through the rules number, and will not be enforced. To re-enable the

rule, do the same thing again.

Deleting all the objects in a cell returns it to the default of Any.

When you add, delete, change, or disable a rule, it doesnt take effect until you push

the security policy to the enforcement points.

Hiding and Unhiding RulesWhen working on a large rule base, you may be distracted by extra rules.

SmartDashboard allows you to hide the rules from viewing, while still

enforcing them. Contrast this with disabling or deleting a rule, which stops

the rule from being processed.

You can hide a rule from view by highlighting it and selecting Rules, Hide,Hide. Rules can be unhidden through Rules, Hide, Unhide. Note that when

a rule is hidden, the numbering remains unchanged, and a small white spac-

er appears, letting you know that there are hidden rules there.

A rule is enforced even if it is hidden. Its still compiled into the security policy even

if it doesnt show in SmartDashboard. Youll get a warning message informing you

of this if you push a policy with hidden rules.

Querying the Rule BaseSometimes hiding rules isnt enough to do what you want. Often, you want

to ask questions like What rules apply to HTTP traffic? This is where

queries come in.

8/4/2019 0789731096

13/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 51

Queries are handled through the Search menu, or by a right-click on the col-

umn heading in the rule base. For example, right-clicking on the Service head-

ing and selecting Query Column brings up the dialog shown in Figure 3.4.

Figure 3.4 The Rule Base Query Clause dialog showing the available options.

The pull-down at the upper left called Column lets you select the column tosearch from. All the relevant objects then appear in the left side of the dia-

log. If you highlight the objects you are interested in, and click Add, they are

moved to the right side of the screen. If there is more than one object on the

right side, the radio buttons at the top become enabled, and can be used to

determine whether all the objects need to appear in the rule.

There is also a check box at the bottom of the dialog that negates the selec-

tion.

From here, you can click Apply to hide all the rules except those that match

your query, or save your query with the Save button.

The Search, Manage Rule Queries menu option brings up a dialog showing

your saved queries. By highlighting a saved query and clicking And, you can

further refine your query to handle multiple columns. The Or button shows

rules that match either query.

Finally, Search, Clear Rules Query unhides all the rules and shows the entire

rule base.

8/4/2019 0789731096

14/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 352

The Security PolicyAs mentioned before, the security policy encompasses both the rule base that

dictates what traffic is allowed, and the global properties that introduce addi-tional behavior into the firewall.

A firewall administrator should understand how to develop a rule base, and

how to manage the global properties to effectively secure the network.

A Skeleton Rule BaseCheck Point recommends that there be a few standard rules in your rule

base, for both security reasons and ease of management.

The first recommended rule is the stealth rule. The purpose of the stealth

rule is to disallow any communication to the firewall itself, protecting it from

attacks. This rule should be placed near the top of the rule base, with the

only rules above it being those that permit or require access to the firewall.

A stealth rule looks like the one shown in Table 3.2.

Table 3.2 The Stealth RuleSource Destination Service Action Track Install On Time

Any Firewalls Any Drop Log Policy Targets Any

Here, the stealth rule matches anything pointed at the firewall itself and

drops it with a log entry. The Firewalls object is assumed to be a group con-

taining all the Check Point objects under management.

Check Point also recommends the use of a cleanup rule, which drops andlogs all traffic not caught by other rules. Recall that the default behavior of

FireWall-1 is to drop any packet that is not explicitly permitted, without log-

ging it. From a security and troubleshooting standpoint, having a log of

dropped packets is extremely beneficial. Table 3.3 shows the cleanup rule.

Table 3.3 The Cleanup Rule

Source Destination Service Action Track Install On Time

Any Any Any Drop Log Policy Targets Any

Note that the rule specifies Any for the Source, Destination, and Service

fields. Any packet that doesnt get matched by a previous rule will be

matched by this one. Because the action is set to Log, you will have a record

of the packet details.

8/4/2019 0789731096

15/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 53

Implicit and Explicit RulesNormally only the rules you enter are shown in the rule base. These are

called explicit rules, because they were created explicitly. However, there are

many rules that are also enforced by the firewall that you do not see. These

are called implicit rules (or implied rules), and they either are a part of every

policy or are added and removed as part of features and options that you con-

figure in other parts of the interface.

To view the implicit rules, pull down the View menu and select Implied

Rules.

Youre viewing the implicit rules, but the menu option says Implied.

Whether or not you are viewing the implicit rules has no bearing on what

gets pushed out to the enforcement points. All enforcement points receive

the implied rules, and they cannot be disabled.

Global PropertiesThe global properties of the policy can be accessed from the Policy, Global

Properties menu. This brings up a dialog showing all the property sections,

along with their values. The important ones will be examined in more detail.

None of the changes to the global properties takes effect until the policy is pushed to

the enforcement point.

FireWall-1 Implied Rules The options under the FireWall-1 Implied Rules section are shown in

Figure 3.5.

The changes to these settings add implicit rules into the rule base. If an option

is enabled, you have three choices of where it will be placed in the rule base:

FirstThe rule will be placed before the explicit rules.

LastThe rule will be placed after the explicit rules.

Before LastThe rule will be placed before the last explicit rule.

8/4/2019 0789731096

16/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 354

Figure 3.5 The FireWall-1 global propertiesdefaults shown.

The significance of the Before Last option is that it doesnt interfere with the

cleanup rule, which drops all traffic. If you have a cleanup rule and place theimplicit rule in the last position, it will never be consulted.

The choice of First versus Last/Before Last has to do with your rule base.

Again, an incorrect choice may cause your stealth rules to block packets that

the implicit rule would otherwise allow.

Rules that govern packets coming in to the firewall (for example, RIP and DHCP)

are probably best placed first in the rule base. The other rules should probably go

through the rule base first, and thus be placed before last. The exception to this

would be if you want the behavior to occur regardless of your rule base. Because

you will almost always have a cleanup rule, you will rarely select Last.

The options in the FireWall-1 implied rules cover basic behavior of the fire-

wall itself:

Accept VPN-1 & FireWall-1 Control ConnectionsAllows required com-

munications between SmartConsole clients, the SmartCenter manage-ment server, and enforcement points.

Accept Outgoing Packets Originating from GatewayLets the enforcementpoint itself send packets to other destinations.

Accept RIPAccepts Routing Information Protocol packets (UDPport 520).

8/4/2019 0789731096

17/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 55

Accept Domain Name over UDP (Queries)Allows DNS requests to tra-verse the firewall.

Accept Domain Name over TCP (Zone Transfer)Allows DNS zone trans-

fers (such as secondary DNS servers pulling a zone from the primary),and large TCP responses to DNS queries.

Accept ICMP RequestsAllows all ICMP messages, including echo-response and echo-reply packets.

Accept CPRID Connections (SmartUpdate)Accepts connections to theCheck Point Remote Installation Daemon for FireWall-1 upgrades.

Accept Dynamic Address Modules DHCP TrafficAllows modules config-

ured as dynamically addressed to accept DHCP packets.

By default, control connections, CPRID, DHCP, and packets originating

from the gateway itself are accepted.

Note that it is possible to lock yourself out of the firewall by pushing control

connections to the end of the policy, or disallowing them entirely. After this

point, you will not be able to push a policy to fix it!

Security ServersCheck Point security servers provide deeper inspection of some protocols by

taking over part of the connection for popular services. The properties here

control the welcome messages that the services provide, any upstream

HTTP proxies, and HTTP servers to protect.

Much of the functionality is now available under SmartDefense, but you will

be expected to know where this configuration is.

Stateful Inspection PropertiesStateful Inspection relies heavily on tracking connections that pass through

the firewall. To avoid running out of memory from too many connections,

the firewall must know when to stale out older ones. Also, the firewall must

know how to deal with protocols that dont have intrinsic state, such as UDP

and other IP protocols.

Figure 3.6 shows the default settings for the Stateful Inspection properties.

The Default Session Timeouts control how long state table entries will be

held. Those called virtual sessions do not have intrinsic state in the proto-

col, but Stateful Inspection tracks state nonetheless. For example, if a host

8/4/2019 0789731096

18/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 356

Figure 3.6 Stateful Inspection default timeouts and other properties.

Likewise, with UDP protocols, replies are tracked based on source and desti-

nation address and ports, called Stateful UDP. Where a UDP protocol is

defined as a service in the objects tree, replies can be accepted by checking the

Accept Replies option in the advanced properties of the service itself. Where

there is no service defined, this global property sets the behavior. If the reply is

on a different port, the Any Port option must be checked to accept the packet.

For Stateful ICMP, replies to echo-requests are accepted if the Replies boxis checked. The Errors box controls whether ICMP error messages are

allowed. If an upper-layer connection was permitted by the rule base but

resulted in an ICMP error message from the remote host, this option will

allow it through.

As with the Stateful UDP options, you have the option of allowing response

packets in unknown services to be accepted.

One of the benefits of tracking every facet of the conversations flowingthrough the firewall is that you know the state of the connection on both

ends, and can drop anything that is out of the ordinary. For example, in a

TCP connection, if the firewall sees a packet for an established connection,

but knows the connection doesnt exist, it will drop it if the Drop Out of

State TCP Packets option is checked.

sends an ICMP packet to another host, Stateful Inspection will open a state

table entry watching for reply packets.

8/4/2019 0789731096

19/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 57

Log and Alert The Log and Alert properties control the tracking type of some internal

events. For example, the VPN Successful Key Exchange property dictates

how you are notified when a VPN connection is made. The options you have

in this page are the same tracking options you have in the rule base.

Alert Commands is a related set of properties that controls how some of the

events are actually run. For example, if an alert is set to email, this page

defines how the email is sent. This is also where the user-defined alerts are

defined.

Anti-SpoofingSpoofing refers to an attacker forging the source address of a packet to make

it look as though it comes from a higher security network. Because the rule

base looks at IP addresses, among other things, if someone could spoof the

source address of a connection, it could be used to allow a connection that

would otherwise not be allowed.

Check Point implements anti-spoofing measures by checking the sourceaddress of every packet against a predefined view of the network layout

(called the topology). Figure 3.7 shows a case in which spoofing is happen-

ing. The BadGuy host is attempting to send a packet to Host2 that looks as

though it is from Host1. Because the packet is being received on interface 1,

but the source address belongs to a network on interface 2, it is being

spoofed.

Firewall

BadGuy Host1 Host2

Spoofed!SRC = Host1

DST = Host2

Figure 3.7 A network in which spoofing is happening.

To properly protect yourself against IP spoofing, you must define the topol-

ogy of your network within each gateways topology property. Figure 3.8

shows the topology properties of a sample enforcement point.

8/4/2019 0789731096

20/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 358

Figure 3.8 General topology properties of a gateway.

Each interface and its corresponding IP address is listed in the topology. The

name of the interface must be the same as it is in the underlying OS. Using

the Get button, you can populate these entries automatically through SVN

Foundation. When clicking Get, you have the option of simply pulling down

the interface name and network information, or also calculating the per-

interface topology, which is shown in Figure 3.9.

Figure 3.9 Detailed topology configuration of an interface.

8/4/2019 0789731096

21/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 59

To properly implement anti-spoofing, the enforcement point must know all

the possible addresses that can come from a particular interface. There are

three options, not including undefined:

Internal, defined by interface IP and netmask

Internal, defined by a specific network object

External

Internal topologies are used for your internal network, in which you under-

stand all the networks. If there are no networks beyond the locally connect-

ed interface, you can choose to use the interfaces IP and netmask to define

the topology (such as a stub network). If there are networks beyond the inter-face, such as those connected by a router or another firewall, then you should

create a group object containing all the network objects, and choose the

Specific option, selecting your group object.

An external interface includes all the networks that are not covered by the

internal interfaces. Put another way, a network is valid on an external inter-

face if it is not defined as part of an internal interface. Figure 3.10 shows a

sample network that uses the three types.

Internet

192.168.1.0/24

192.168.2.0/24 192.168.3.0/24

Figure 3.10 A network making use of the three types of topology settings.

The interface on 192.168.1.0/24 has no networks attached, so it can be

defined by using the configured IP and netmask. Only packets with a source

IP in that network will be accepted on that interface. The adjacent interfacehas 192.168.2.0/24 connected locally, but also 192.168.3.0/24 on a locally

attached router. Thus, a group object will have to be created with the two

network objects inside of it. The remaining interface, connected to the

Internet, is an external interface, so the networks on it are irrelevant.

Anything except for 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 will

be considered valid.

The network guys in the crowd might be thinking, Why not create a network object

of 192.168.2.0/23 to cover both networks on the second interface?You could, but

using a group allows for easier changes later when you add more networks, and its

clearer to those who are looking at the configuration.

8/4/2019 0789731096

22/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 360

There are two more rules that might come in handy:

The same network can appear on multiple internal interfaces.

You can have multiple interfaces defined as external.

In the first case, it is possible for a network to be valid on multiple internal

interfaces, such as having multiple paths to the same destination. However,

it cannot appear to be coming from any external interfaces (by definition of

an external interface). In the second case, the same behavior of calculating

external topology applies to all externally defined interfacesthat is, any

network not included on any of the internal interfaces is valid on all external

interfaces.

Verifying and Installing a SecurityPolicyNone of your hard work in defining the security policy would be of any use if

you didnt push it out to the enforcement points. This approach also has the

benefit of allowing you to make all your changes at once, making them activein one action, and letting you revert to a previous configuration if necessary.

If you want to check your policy for correctness, you can also verify it with-

out having to install. The act of installing also forces verification before the

actual push. Verifying a policy checks for errors such as conflicting rules,

shown in Table 3.4, and contradicting NAT rules (for example, a single stat-

ic NAT for several hosts).

Table 3.4 Two Rules That Will Cause a Verification Failure

Source Destination Service Action Track Install On Time

Any Any HTTP Drop None Policy Targets Any

Any Host1 HTTP Accept None Policy Targets Any

Here, the second rule can never be reached because all HTTP traffic is

denied in the first rule. Verification will fail with Rule 1 Conflicts with Rule

2 for services http.The actual installation of the policy is done through the Policy, Install menu

option. You then are prompted to specify which gateways receive the policy.

By default, all are selected. After you click OK, the policy is verified and sent

to the gateways. If there are any problems, you will receive an error telling

you what the problem is.

8/4/2019 0789731096

23/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 61

To only verify the policy, select Policy, Verify. This will run the verification

stage and give you a report on any errors.

To remove the policy from the enforcement point, select Policy, Uninstall.

This removes the policy, placing the firewall in a state in which it is open tothe world, but will not pass packets.

When you unload a policy, youre dropping your pants to the world! This is usually

used only if something goes wrong and you need to start over with your policy.

Rule Processing OrderAs said earlier, the rule base is processed in order. However, other things

happen in the security policy besides checking your defined rules. This is the

order of operations:

1.Anti-spoofing checks

2. Rule base

3. Network Address Translation

When you take into account the FireWall-1 global properties, you end up

with the following order:

1.Anti-spoofing checks

2. First Implicit Rules

3. Explicit Rules (except for the final rule)

4. Before Last Implicit Rules

5. Last Explicit Rule (should be cleanup rule)

6. Last Implicit Rules

7. Network Address Translation

When we look at Network Address Translation (NAT) in Chapter 8,

Network Address Translation, youll see how it changes the source and/or

destination addresses of the packet. Because NAT happens after the rule base

is consulted, your rules will refer to the translated address in many cases. If

you are using the NAT properties of the network object to implement NAT

(also called automatic NAT), this is taken care of for you.

8/4/2019 0789731096

24/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 362

Because anti-spoofing checks are done before anything else, you will find

that if the topology is defined incorrectly, no conversation will occur regard-

less of the rule base. A log entry will be made to this effect.

Command-Line UtilitiesA significant amount of administration can be done from the command line

on both the SmartCenter Server and the FireWall-1 enforcement points.

The command line provides a low-bandwidth and efficient way of getting

information and performing emergency and maintenance actions.

Most commands are actually options to either the fw or the fwm executablesthat is, they take the form offw command options. The fw executable is for the

FireWall-1 enforcement module, and fwm is for the SmartCenter Server.

Getting Basic InformationThe first thing you want to know about a device is the version of software it

is running. fw ver and fwm ver give this information:

C:\WINNT\FW1\R55\conf>fw verThis is Check Point VPN-1(TM) & FireWall-1(R) NG with

Application Intelligence (R55) HFA_04, Hotfix 093 - Build 003

C:\WINNT\FW1\R55\conf>fwm ver

This is Check Point SmartCenter Server NG with

Application Intelligence (R55) HFA_04, Hotfix 093 - Build 001

As you can see, the major version (NG with Application Intelligence), the

release (R55), and any hotfixes (Hotfix Accumulator 04 and Hotfix 093) are

listed, along with the build number.

If you ever open a case with Check Point support, you will likely have to pro-

vide a cpinfo dump to them. Running cpinfo dumps an incredible amount of

information, so redirecting it to a file (for example, cpinfo > Winnipeg.cpinfo)

is suggested. With your file, support can view your entire policy, including

rules and options, so be cautious about sending it out!

To get a snapshot of what policy is installed, and which interfaces are being

protected, fw stat is used. With a policy loaded and active, you will see some-

thing like this:C:\WINNT\FW1\R55\conf>fw stat

HOST POLICY DATE

localhost Standard 15Dec2004 22:10:41 : [>PCnet0] [PCnet2] [

8/4/2019 0789731096

25/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 63

Here you can see that the Standard policy is loaded, and was installed at

around 10 p.m. on December 15, 2004. Three interfaces are protected, with

the arrows showing the direction of packets.

After the policy has been uninstalled, the output changes:

C:\WINNT\FW1\R55\conf>fw stat

HOST POLICY DATE

localhost - - : >PCnet0 PCnet2 fw ctl iflist0 : PCnet0

1 : PCnet1

2 : PCnet2

3 : NDISWANIP

fw stat does not show inactive interfaces by default (use the inactive flag to

show the inactive interfaces), but iflist shows all.

Managing ServicesAll the Check Point services on the machine can be managed through thecommand line. To completely restart all Check Point processes, except for

CPRID (the remote installation daemon), use cprestart. Likewise, to only

start or stop the services, use cpstart and cpstop.

If you just need to start and stop the basic services, such as the firewall dae-

mon, management station, and SNMP, use the fwstart and fwstop commands.

This leaves both CPRID and cpshared running.

To manage CPRID services, use cpridstop and cpridstart to stop and start the

service.

Managing the PolicyAlthough you cant easily edit the policy from the command line, you can

push, pull, and unload a policy.

From the management station, you can push a policy to an enforcementpoint using fwm load. This command requires you to supply the name of a

policy script (*.W, located in %FWDIR%\conf on Windows platforms, or

$FWDIR/conf on Unix platforms) and optionally the name of an enforcement

point to send it to. This operation compiles the script and sends it off to the

8/4/2019 0789731096

26/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 364

enforcement point. In this example, the Standard policy is sent to the local-

host:

C:\WINNT\FW1\R55\conf>fwm load Standard.W

Standard.W: Security Policy Script generated into Standard.pf

Standard:

Compiled OK.

Installing CPMAD Policy On: localhost

CPMAD policy installed successfully on winnipeg...

CPMAD policy installation complete

CPMAD policy installation succeeded for:

winnipeg

Installing VPN-1/FireWall-1 policy on: localhost ...

VPN-1/FireWall-1 policy installed successfully on winnipeg...

VPN-1/FireWall-1 policy installation complete

VPN-1/FireWall-1 policy installation succeeded for:

winnipeg

The messages here show that the policy installed successfully on the combi-nation SmartCenter Server/VPN-1 Gateway.

If you are on a gateway, and want to pull down a policy, you execute fw fetch

master, wheremaster is the SIC name of your management station:

C:\WINNT\FW1\R55\conf>fw fetch localhost

Installing Security Policy Standard on all.all@winnipeg

Fetching Security Policy from localhost succeeded

Here, the Standard policy was retrieved and installed.

Finally, to unload the policy, use fw unloadlocal:

C:\WINNT\FW1\R55\conf>fw unloadlocal

Uninstalling Security Policy from all.all@winnipeg

Done.

C:\WINNT\FW1\R55\conf>fw stat

HOST POLICY DATE

localhost - - : >PCnet0

8/4/2019 0789731096

27/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 65

LogsAlthough SmartView Tracker is normally used to manage logs, it is possible

to perform some actions at the command line. These commands are helpful

for automating maintenance tasks or when scripting reports:

fw log aShows the log of accounting data.

fw logswitchRotates the logs.

fwm logexportDumps the logs to the screen or a file.

Performance ConsiderationsBecause a good deal of the packet delay through the firewall is due to evalu-

ating your security policy, it stands to reason that there are things you can do

to make the process more efficient.

On the SmartCenter Server itself, defining the name to IP mapping in the local

hosts file rather than through DNS can help performance. On Unix systems,

this is /etc/hosts. In Windows, it is %SystemRoot%\system32\drivers\etc\hosts.

For the gateways, the following changes in your rule base will increase per-

formance:

Log connections sparinglyLogging takes time to process, so dont logwhat you dont intend to read.

Minimize your rule bases complexityThe more rules, the longer it takesto process. Complex rules, such as those with many objects inside, com-

pile into a larger security policy too.

Use network objects or address ranges instead of multiple host objectsIts easi-er to check whether an address falls within a network boundary than it is

to check it against multiple host entries.

Put your high-traffic rules at the beginningRules are checked one by one,stopping at the first match, so make sure that the match happens early

for frequently used rules.

In general, simplicity equals better performance, not to mention better security.

8/4/2019 0789731096

28/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 366

Exam Prep Questions1. You have hidden rule 13, which drops all HTTP packets to a particular

web server, but packets are still being dropped. What is the likely causeof this problem?

A. You did not push the policy to the enforcement point(s).

B. A rule after rule 13 also blocks access.

C. Hiding a rule does not remove it from the security policy.

D. The server has a network problem.

E. You must save the policy to the SmartCenter Server.

Answer: C. A is not correct because a hidden rule is still compiled intothe security policy. B is not correct because rule 13 is still valid and itwill therefore block the packet regardless of a successive rule. C is cor-rect because the rule will still be enforced by the gateway, even thoughits hidden from view to SmartDashboard. D is not correct because it isthe rule causing the drops, not a network problem. E is not correctbecause saving the policy to the SmartCenter Server has no effect onthe enforcement points.

2. Trying to gain privileges by making a packet that is received on oneinterface look as though it is from a network connected to a different

interface is called what? A. Network Address Translation (NAT)

B. Anti-spoofing

C. Buffer overflow

D. Spoofing

E. Remote Procedure Call (RPC)

Answer: D. A is not correct because NAT is used on the gateway, andis not for gaining privileges. B is not correct because anti-spoofing is

used to protect against this attack, not the attack itself. C is not correctbecause a buffer overflow works by getting a host to execute maliciouscode by filling unchecked buffers, not by faking addresses. D is correctbecause spoofing involves manipulating addresses to make a packetlook as though it comes from another interface. E is not correctbecause RPCs are used by applications and operating systems to com-municate.

3. Which three of the following are FireWall-1 global properties?

A. Accept RIP

B. Accept HTTPS

C. Accept Control Connections

D. Anti-spoofing

E. Accept Outgoing Packets Originating from Gateway

8/4/2019 0789731096

29/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 67

Answer: A, C, and E. A is correct because there is a FireWall-1 globalproperty that enables the gateway to accept RIP. B is not correctbecause there is no such option. C is correct because by default, controlconnections are enabled in the global properties. D is not correctbecause anti-spoofing is configured at the Check Point level, not theglobal level. E is correct because there is an option to accept packetsoriginating from the gateway.

4. With reference to the sample policy below, what is the function ofrule 1?

Rule # Source Destination Service Action Track

1 Any Firewall Any Drop Log

2 Any HTTPServer HTTP Accept None

A. Is the cleanup rule

B. Is the stealth rule

C. Prevents firewalls from sending packets

D. Prevents spoofing attacks against the firewall

E. Works with rule 2 to protect HTTPServer

Answer: B. A is not correct because the cleanup rule is the final rule, anddrops everything. B is correct because the stealth rule drops packets sent

to the firewall. C is not correct because this rule blocks packets into thefirewall but does not specify what happens to packets with a source of thefirewall. D is not correct because spoofing is not handled through the rulebase. E is not correct because rules 1 and 2 are independent.

5. With reference to the sample policy shown here, who can access port 80on HTTPServer?

Rule # Source Destination Service Action Track

1 Any Firewall Any Drop Log

2 Net1 HTTPServer HTTP Drop None

3 Net2 HTTPServer HTTPS Accept None

4 Any HTTPServer HTTP Accept Log

A. Net1

B. Net2

C. Net1 and Net2

D. Anyone except Net1

E. Invalid policy; rule 2 masks rule 4

Answer: D. A is not correct because rule 2 explicitly drops any packets fromNet1 to HTTPServer on port 80. B is not the correct answer because eventhough Net2 can access HTTPServer on port 80, it is not the best answer.C is not correct because Net1 cannot connect to the HTTP server. D iscorrect because rule 2 blocks Net1, and rule 4 allows everyone else. E isnot correct because rule 2 does not mask rule 4it is more specific.

8/4/2019 0789731096

30/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 368

6. Which of the following will have a negative impact on a gatewaysthroughput? (Choose two.)

A. Small rule base

B. Groups of hosts used instead of network objects C. Tracking option on all rules set to Log

D. High-traffic rules near the top of the rule base

E. Multiple administrators logged in to SmartConsole

Answer: B and C. A is not correct because a smaller rule base is goodfor performance, because fewer rules need to be checked on average. Bis correct because network objects are more efficient than a group ofhosts. C is correct because logging decreases FireWall-1 performance.D is not correct because high-traffic rules should be near the top of the

rule base so that fewer rules need to checked on average. E is not cor-rect because the number of administrators logged in to a SmartConsoledoes not affect the performance of the gateways.

7. Which of the following commands changes the installed security policyto one that will certainly accept control connections?

A. cpstop

B. fw fetch localhost

C. fw unloadlocal

D. fwm unloadlocal E. fwstop

Answer: C. A is not correct because cpstopwill stop all the CheckPoint services, and no one will be able to connect. B is not correctbecause it will fetch the latest policy from the management server,which is not guaranteed to allow control connections. C is correctbecause fw unloadlocal removes the policy from the gateway and allowsmanagement connections. D is not correct because unloading the poli-cy is done on the enforcement point through fw, not on the manage-ment server through fwm. E is not correct because fwstopwill stop thefirewall service and will not allow anyone to connect.

8. Where are the global properties located?

A. Global Properties under Management Station Properties

B. View, Global Properties

C. Manage, Global Properties

D. Manage, Policy, Global Properties

E. Policy, Global Properties

Answer: E. A is not correct because the global properties are not aproperty of the management station. B is not correct because the Viewmenu is for changing the look and feel of the SmartDashboard. C isnot correct because the Manage menu is for managing objects. D is notcorrect for the same reasons as C. E is correct because that is wherethe Global Properties menu item is found.

8/4/2019 0789731096

31/32

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SmartDashboard 69

9. Which of the following objects may appear in a group together?(Choose three.)

A. Check Points

B. Other groups C. Time objects

D. Nodes configured as a gateway

E. Services

Answer: A, B, and D. A is correct because a Check Point is anothertype of network object, and can share a group with other networkobjects. B is correct because groups can be nested. C is not correctbecause time objects are not network objects, and thus cannot begrouped with other network objects. D is correct because nodes,

whether configured as a host or a gateway, are network objects. E isnot correct because services cannot be grouped with network objects.

10. Which of the following have a SIC connection to the SmartCenterServer? (Choose two.)

A. Check Point, Gateway

B. Check Point, Externally Managed Gateway

C. Check Point, Host

D. Nodes, Gateway

E. Nodes, Host

Answer: A and C. A is correct because a Check Point gateway is man-aged by the SmartCenter Server and has a SIC connection. B is notcorrect because an externally managed gateway is not managed by theSmartCenter Server, and thus does not have a SIC connection. C iscorrect because a Check Point host is the same as a Check Point gate-way in terms of management. D is not correct because a node does nothave a policy and is not managed. E is not correct for the same reasonsas D.

8/4/2019 0789731096

32/32