
CCSA R71 Study Guide


Copyright © Check Point Software Technologies Ltd. All rights reserved.

Printed by Check Point Press
A Division of Check Point Software Technologies Ltd.

First Printing December 2009

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

© 2003-2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

TRADEMARKS

© 2003-2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

DISCLAIMER OF WARRANTY

Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

International Headquarters:

5 HaSolelim Street Tel Aviv 67897, Israel Tel: +972-3-753 4555

U.S. Headquarters:

800 Bridge Parkway Redwood City, CA 94065 Tel: 650-628-2000 Fax: 650-654-4233

Technical Support, Education & Professional Services:

8333 Ridgepoint Drive, Suite 150 Irving, TX 75063 Tel: 972-444-6612 Fax: 972-506-7913 E-mail any comments or questions about our courseware to [email protected]. For questions or comments about other Check Point documentation, e-mail [email protected].

Document #: CCSA R70 Study Guide
Revision: R70001
Content: Mark Hoefle
Graphics: Jeffery Holder

Security Administrator R70 / R71 Study Guide

Exam # 156-215.71

Contents

Preface: The Check Point Certified Security Administrator Exam
    Frequently Asked Questions

Chapter 1: Check Point Technology Overview
    Check Point Technology Overview Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 2: Deployment Platforms
    Deployment Platforms Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 3: Introduction to the Security Policy
    Introduction to the Security Policy Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 4: Monitoring Traffic and Connections
    Introduction to the Monitoring Traffic and Connections Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 5: Using SmartUpdate
    Introduction to the SmartUpdate Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 6: Upgrading to R71
    Introduction to the Upgrading to R71
    Sample CCSA R70 Exam Question
    Answer

Chapter 7: User Management and Authentication
    Introduction to the User Management and Authentication Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 8: Encryption and VPNs
    Introduction to the Encryption and VPNs Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 9: Introduction to VPNs
    Introduction VPNs Topics
    Sample CCSA R70 Exam Question
    Answer

Chapter 10: Messaging and Content Security
    Introduction to the Messaging and Content Security Topics
    Sample CCSA R70 Exam Question
    Answer

Preface: The Check Point Certified Security Administrator Exam

The Check Point Security Administrator R70 / R71 course provides an understanding of basic concepts and skills necessary to configure the Check Point Security Gateway, configure Security Policies, and learn about managing and monitoring secure networks.

The Check Point Security Administrator R70 / R71 Study Guide supplements knowledge you have gained from the Security Administrator R70 / R71 course, and is not a sole means of study.

The Check Point Certified Security Administrator R71 exam covers the following topics:

• Describe Check Point's unified approach to network management, and the key elements of this architecture
• Design a distributed environment using the network detailed in the course topology
• Install the Security Gateway version R71 in a distributed environment using the network detailed in the course topology
• Given Check Point's latest integration of CoreXL technology, select the best security solution for your corporate environment
• Given network specifications, perform a backup and restore the current Gateway installation from the command line
• Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line
• Deploy Gateways using sysconfig and cpconfig from the Gateway command line
• Use the Command Line to assist support in troubleshooting common problems on the Security Gateway
• Given the network topology, create and configure network, host and gateway objects
• Verify SIC establishment between the SmartCenter Server and the Gateway using SmartDashboard
• Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use
• Configure NAT rules on Web and Gateway servers
• Evaluate existing policies and optimize the rules based on current corporate requirements
• Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime
• Use queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data
• Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality
• Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements
• Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications
• Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways
• Upgrade and attach product licenses using SmartUpdate
• Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely
• Manage user access to the corporate LAN by using external databases
• Select the most appropriate encryption algorithm when securing communication over a VPN, based on corporate requirements
• Establish VPN connections to partner sites in order to establish access to a central database by configuring Advanced IKE properties
• Configure a pre-shared secret site-to-site VPN with partner sites
• Configure a certificate based site-to-site VPN using one partner's internal
• Configure a certificate based site-to-site VPN using a third-party CA
• Configure permanent tunnels for remote access to corporate resources
• Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels
• Configure Check Point Messaging Security to test IP Reputation, content based anti-spam, and zero hour virus detection
• Based on network analysis disclosing threats by specific sites, configure a Web-filtering and antivirus policy to filter and scan traffic
• Implement default or customized profiles to designated Gateways in the corporate network


Frequently Asked Questions

The table below provides answers to commonly asked questions about the CCSA R70 / R71 exam:

Question: What are the Check Point recommendations and prerequisites?
Answer: Check Point recommends you have at least 6 months to 1 year of experience with the products, before attempting to take the CCSA R70 exam. In addition, you should also have basic networking knowledge, knowledge of Windows Server and/or UNIX, and experience with TCP/IP and the Internet. Check Point also recommends you take the Check Point Security Administrator R70 class from a Check Point Authorized Training Center (ATC). We recommend you take this class before taking the CCSA R70 exam. To locate an ATC, see: http://atc.checkpoint.com/atclocator/locateATC

Question: How do I register?
Answer: Check Point exams are offered through Pearson VUE, a third-party testing vendor with more than 3,500 testing centers worldwide. Pearson VUE offers a variety of registration options. Register via the Web or visit a specific testing center. Registrations at a testing center may be made in advance or on the day you wish to test, subject to availability. For same-day testing, contact the testing center directly. Locate a testing center from the VUE Pearson Web site: www.pearsonvue.com

Question: What is the exam structure?
Answer: The exams are composed of multiple-choice and scenario questions. There is no partial credit for incorrectly marked questions.

Question: How long is the exam? Do I get extra time, if I am not a native English speaker?
Answer: The following countries are given 120 minutes to complete the exam. All other regions get 150 minutes:
• Australia
• Bermuda
• Canada
• Japan
• New Zealand
• Ireland
• South Africa
• UK
• US

For more exam and course information, see: http://www.checkpoint.com/services/education/


Chapter 1: Check Point Technology Overview

Check Point technology is designed to address network exploitation, administrative flexibility and critical accessibility. This chapter introduces the basic concepts of network security and management based on Check Point's three-tier structure, and provides the foundation for technologies involved in the Check Point Software Blade Architecture, as discussed in the introduction. This course is lab-intensive, and in this chapter, you will begin your hands-on approach with a first-time installation using standalone and distributed topologies.

Objectives:

• Describe Check Point's unified approach to network management, and the key elements of this architecture
• Design a distributed environment using the network detailed in the course topology
• Install the Security Gateway version R71 in a distributed environment using the network detailed in the course topology


Check Point Technology Overview Topics

The following table outlines the topics covered in the Check Point Technology Overview chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Table 1-1: Check Point Technology Overview Topics

Network Access Control
The Check Point Firewall
Mechanisms for Controlling Network Traffic
Packet Filtering
Stateful Inspection
Application Intelligence
Security Gateway Inspection Architecture
INSPECT Engine Packet Flow
Deployment Considerations
The DMZ
Bridge Mode
Bridge Mode and STP
Security Policy Management
SmartConsole Components
SmartDashboard
SmartView Tracker
SmartView Monitor
SmartEvent
Centralized Event Correlation
Real-Time Threat Analysis and Protection
Intelligent Event Management
The SmartEvent Architecture
SmartProvisioning
SmartUpdate
Security Management Server
Managing Users in SmartDashboard
Users Database
Creating Administrators in SmartDashboard
Securing Channels of Communication
SIC
The Internal Certificate Authority (ICA)
ICA Clients
SIC Between Security Management Servers and Components
Administrative Login Using SIC

Lab 1: Distributed Installation
    Install Security Management Server
    Configure Security Management Server - sysconfig
    Install Secure Platform on the Corporate Security Gateway
    Configure the Corporate Security Gateway using the WebUI
    Install SmartConsole
    Launch SmartDashboard

Lab 2: Branch Office Security Gateway Installation
    Install SecurePlatform on Branch Gateway
    Configure Branch Gateway WebUI


Sample CCSA R70 Exam Question

What would be the benefit of upgrading from SmartDefense to IPS R70?

1. Completely rewritten engine provides improved security performance and reporting.
2. There is no difference - IPS R70 is the new name.
3. The SmartDefense technology expands IPS-1 to IPS R70.
4. The SmartDefense is replaced by the technology of IPS-1.


Answer

What would be the benefit of upgrading from SmartDefense to IPS R71?

1. Completely rewritten engine provides improved security performance and reporting.
2. There is no difference - IPS R70 is the new name.
3. The SmartDefense technology expands IPS-1 to IPS R70.
4. The SmartDefense is replaced by the technology of IPS-1


Chapter 2: Deployment Platforms

Before delving into the intricacies of creating and managing Security Policies, it is beneficial to know about Check Point's different deployment platforms, and understand the basic workings of Check Point's UNIX-based and Linux operating systems (IPSO and SecurePlatform) that support many Check Point products. For those familiar with Linux and UNIX, this section will be a review. But for those with little to no Linux/UNIX experience, this will be a welcome guide.

Objectives:

• Given network specifications, perform a backup and restore the current Gateway installation from the command line.
• Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.
• Deploy Gateways using sysconfig and cpconfig from the Gateway command line.


Deployment Platforms Topics

The following table outlines the topics covered in the Deployment Platforms chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Table 2-2: Deployment Platforms Topics

UTM-1 Edge Appliance
Managing UTM-1 Edge
Security Management Server
SmartProvisioning
Managing UTM-1 Edge
Provider-1
Power-1 Appliances
IP Appliances
IP Network Voyager
IPSO
IPSO Command Line Interface (CLI)
SecurePlatform
Hardware Compatibility Testing Tool
Managing Your SecurePlatform System
Critical Check Point Directories
CoreXL Multicore Acceleration
CoreXL Architecture
CoreXL and Performance Pack
Working with CoreXL

Lab 3: Command Line Interface Tool
    Set Expert Password
    Apply Other Useful Commands
    Add and Delete Administrators via the CLI
    Perform backup and restore


Sample CCSA R70 Exam Question

What is the primary benefit of using upgrade_export over either backup or snapshot?

1. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.
2. upgrade_export has an option to backup the system and SmartView Tracker logs while backup and snapshot will not.
3. The backup and snapshot commands can take a long time to run whereas upgrade_export will take a much shorter amount of time.
4. upgrade_export is operating system independent and can be used when backup or snapshot is not available.


Answer

What is the primary benefit of using upgrade_export over either backup or snapshot?

1. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.
2. upgrade_export has an option to backup the system and SmartView Tracker logs while backup and snapshot will not.
3. The backup and snapshot commands can take a long time to run whereas upgrade_export will take a much shorter amount of time.
4. upgrade_export is operating system independent and can be used when backup or snapshot is not available.


Chapter 3: Introduction to the Security Policy

The Security Policy is essential in administrating security for your organization's network. This chapter examines how to create rules based on network objects, and modify a Security Policy's properties. In addition, this chapter will teach you how to apply Database Revision Control and Policy Package management, to decrease the burden of management when working with rules and objects.

Objectives:

• Given the network topology, create and configure network, host and gateway objects.
• Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
• Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
• Configure NAT rules on Web and Gateway servers.
• Evaluate existing policies and optimize the rules based on current corporate requirements.
• Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.


Introduction to the Security Policy Topics

The following table outlines the topics covered in the Introduction to the Security Policy chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Table 3-3: Security Policy Topics

Security Policy Basics
The Rule Base
Managing Objects in SmartDashboard
SmartDashboard and Objects
Managing Objects
Creating the Rule Base
Basic Rule Base Concepts
Default Rule
Basic Rules
Implicit/Explicit Rules
Control Connections
Detecting IP Spoofing
Rule Base Management
Understanding Rule Base Order
Completing the Rule Base
Policy Management and Revision Control
Policy Package Management
Database Revision Control
Network Address Translation
IP Addressing
Hide NAT
Static NAT
NAT - Global Properties
Configuring Automatic NAT
Object Configuration - Hide NAT
Hide NAT Using Another Interface IP Address
Manual NAT
Multicasting

Lab 4: Building a Security Policy
    Create Security Gateway Object
    Create GUIclient Object
    Create Rules for Corporate Gateway
    Save the Policy
    Install the Policy
    Test the Corporate Policy
    Create the Remote Security Gateway Object
    Establish SIC with the Branch Office
    Create a New Policy for the Branch Office
    Combine Policies

Lab 5: Configure the DMZ
    Create DMZ Objects in SmartDashboard
    Create DMZ Access Rule
    Test the Policy

Lab 6: Configuring NAT
    Configure Hide NAT on the Corporate Network
    Test the Hide NAT Address
    Open SmartView Tracker
    Configure Static NAT on the DMZ Server
    Test the Static NAT Address
    Observe Hide NAT Traffic Using fw monitor
    Configure Wireshark
    Observe the Traffic
    Observe Static NAT Traffic Using fw monitor


Sample CCSA R70 Exam Question

A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?

1. Nothing else must be configured.
2. Automatic ARP must be unchecked in the Global Properties.
3. A static route must be added on the Security Gateway to the internal host.
4. A static route for the NAT IP must be added to the Gateway's upstream router.


Answer

A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?

1. Nothing else must be configured.
2. Automatic ARP must be unchecked in the Global Properties.
3. A static route must be added on the Security Gateway to the internal host.
4. A static route for the NAT IP must be added to the Gateway's upstream router.


Chapter 4: Monitoring Traffic and Connections

To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns.

Objectives:

• Use queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.
• Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.
• Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements.

Introduction to the Monitoring Traffic and Connections Topics

The following table outlines the topics covered in the Monitoring Traffic and Connections chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element                                  Page Number
SmartView Tracker                                    p. 101
Log Types                                            p. 102
SmartView Tracker Tabs                               p. 103
Action Icons                                         p. 104
Log-File Management                                  p. 105
Administrator Auditing                               p. 106
Global Logging and Alerting                          p. 228
Time Settings                                        p. 108
Blocking Connections                                 p. 109
SmartView Monitor                                    p. 110
SmartView Monitor Login                              p. 111
Customizable Views                                   p. 111
Monitoring Suspicious Activity Rules                 p. 116
Monitoring Alerts                                    p. 116
Gateway Status                                       p. 118
SmartView Tracker vs. SmartView Monitor              p. 121
Lab 7: Monitoring with SmartView Tracker             L-p. 137
Launch SmartView Tracker                             L-p. 138
Track by Source and Destination                      L-p. 142
Modify the Gateway to Activate SmartView Monitor     L-p. 144
View Traffic Using SmartView Monitor                 L-p. 146

Table 4-4: Monitoring Traffic and Connections Topics

Sample CCSA R70 Exam Question

A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this?

1. This information can only be viewed with fw ctl pstat command from the CLI.
2. SmartView Tracker.
3. Eventia Analyzer.
4. SmartView Monitor

Answer

A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this?

1. This information can only be viewed with fw ctl pstat command from the CLI.
2. SmartView Tracker.
3. Eventia Analyzer.
4. SmartView Monitor

Chapter 5: Using SmartUpdate

SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed Security Gateways from a single management console.

Objectives:

- Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.
- Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.
- Upgrade and attach product licenses using SmartUpdate.

Introduction to the SmartUpdate Topics

The following table outlines the topics covered in the SmartUpdate chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element                    Page Number
SmartUpdate and Managing Licenses      p. 127
SmartUpdate Architecture               p. 128
SmartUpdate Introduction               p. 130
Overview of Managing Licenses          p. 132
Service Contracts                      p. 138
Licensing R71                          p. 140
Obtaining a License Key                p. 140
Upgrading Licenses                     p. 141
SmartUpdate Options                    p. 141
The SmartUpdate Command Line           p. 141

Table 5-5: Using SmartUpdate Topics

Sample CCSA R70 Exam Question

You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?

1. Send a Certified Security Engineer to each site to perform the update.
2. Use SmartUpdate to install the packages to each of the Security Gateways remotely.
3. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.
4. Send a CD-ROM with the HFA to each location and have local personnel install it.

Answer

You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?

1. Send a Certified Security Engineer to each site to perform the update.
2. Use SmartUpdate to install the packages to each of the Security Gateways remotely.
3. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.
4. Send a CD-ROM with the HFA to each location and have local personnel install it.

Chapter 6: Upgrading to R71

This chapter shows how to upgrade an existing Security Management server and security gateway to R71. Upgrades are used to save Check Point product configurations, Security Policies, and objects, so that Security Administrators do not need to recreate Gateway and Security Management Server configurations. This chapter lists guidelines for deciding when to upgrade, versus doing a new installation.

Objectives:

- Based on current products or platforms used in an enterprise network, perform a pre-installation compatibility assessment before upgrading to R71.
- Given R71 licensing restrictions, obtain a license key.
- Install a Contract File on platforms such as Windows, SecurePlatform, Linux, Solaris and IPSO.

Introduction to the Upgrading to R71

The following table outlines the topics covered in the Upgrading to R71 chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element                              Page Number
Backward Compatibility for Gateways              p. 147
Upgrading Security Management Server             p. 147
IPS-1 Upgrade Paths and Interoperability         p. 148
Upgrade Notes                                    p. 148
Upgrade Configuration                            p. 149
Distributed Installation                         p. 151
Web Intelligence License Enforcement             p. 151
Lab 8: Upgrading a Security Gateway Locally      L-p. 153
Upgrade SecurePlatform Using a CDROM             L-p. 154

Table 6-6: Upgrading to R70 Topics

Sample CCSA R70 Exam Question

You currently do not have a Check Point software subscription for one of your products. What will happen if you attempt to upgrade the license for this product?

1. The license is not upgraded.
2. It is upgraded with new available features, but cannot be activated.
3. It is deleted.
4. The license will be upgraded with a warning.

Answer

You currently do not have a Check Point software subscription for one of your products. What will happen if you attempt to upgrade the license for this product?

1. The license is not upgraded.
2. It is upgraded with new available features, but cannot be activated.
3. It is deleted.
4. The license will be upgraded with a warning.

Chapter 7: User Management and Authentication

If you do not have a user-management infrastructure in place, you can choose between managing the internal-user database and implementing an LDAP server. If you have a large user count, Check Point recommends opting for an external user-management database, such as LDAP. Check Point authentication features enable you to verify the identity of users logging in to the Security Gateway, but also allow you to control security by allowing some users access and disallowing others. Users authenticate by proving their identities, according to the scheme specified under a Gateway authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.

Objectives:

- Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.
- Manage user access to the corporate LAN by using external databases.

Introduction to the User Management and Authentication Topics

The following table outlines the topics covered in the User Management and Authentication chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element                                         Page Number
Creating Users and Groups in SmartDashboard                 p. 159
User Types                                                  p. 159
Security Gateway Authentication                             p. 161
Introduction to Authentication Methods                      p. 161
Authentication Schemes                                      p. 163
Remote User Authentication                                  p. 165
Authentication Methods                                      p. 165
User Authentication                                         p. 166
Configuring User Authentication                             p. 168
Session Authentication                                      p. 169
Configuring Session Authentication                          p. 170
Client Authentication                                       p. 170
Configuring Client Authentication                           p. 173
Resolving Access Conflicts                                  p. 174
Configuring Authentication Tracker                          p. 175
LDAP User Management with SmartDirectory                    p. 175
LDAP Features                                               p. 176
Multiple LDAP Servers                                       p. 178
Using an Existing LDAP Server                               p. 178
Configuring Entities to Work with the Gateway               p. 179
Managing Users                                              p. 182
SmartDirectory Groups                                       p. 183
Lab 9: Client Authentication                                L-p. 165
Use Manual Client Authentication with FTP and Local User    L-p. 167
Modify the Rule Base                                        L-p. 170
Test Manual Client Authentication                           L-p. 173
Use Partially Automatic Client Auth with a Local User       L-p. 174
Use Partially Automatic Client Auth with LDAP               L-p. 179
Verify SmartDashboard Integration                           L-p. 186
Test Active Directory Authentication                        L-p. 188
Create a Database Revision                                  L-p. 189

Table 7-7: User Management and Authentication Topics

Sample CCSA R70 Exam Question

Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.

1. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
2. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
3. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.
4. Enable LDAP in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

Answer

Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.

1. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
2. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
3. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.
4. Enable LDAP in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

Chapter 8: Encryption and VPNs

The Check Point Security Gateway enables you to create site-to-site Virtual Private Networks (VPNs) that provide secure communication between two defined participants, by encrypting the communication on unsecured public networks, such as the Internet.

Objectives:

- Select the most appropriate encryption algorithm when securing communication over a VPN, based on corporate requirements.
- Configure a certificate-based site-to-site VPN using one partner's internal CA.
- Establish VPN connections to partner sites in order to establish access to a central database by configuring Advanced IKE properties.

Introduction to the Encryption and VPNs Topics

The following table outlines the topics covered in the Encryption and VPNs chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element                                             Page Number
Securing Communication                                          p. 189
Privacy                                                         p. 190
Symmetric Encryption                                            p. 191
Asymmetric Encryption                                           p. 192
Diffie-Hellman                                                  p. 193
Integrity                                                       p. 194
Authentication                                                  p. 195
Two-Phases of Encryption                                        p. 196
Encryption Algorithms                                           p. 196
IKE                                                             p. 197
ISAKMP                                                          p. 197
Oakley                                                          p. 197
ISAKMP/Oakley                                                   p. 197
Phase 1                                                         p. 198
Phase 2                                                         p. 199
How a VPN Works                                                 p. 200
Tunneling-Mode Encryption                                       p. 202
Certificate Authorities                                         p. 203
Certificates                                                    p. 204
Multiple Certificate Authorities                                p. 204
Local Certificate Authority                                     p. 205
CA Service via the Internet                                     p. 206
Internal Certificate Authority                                  p. 206
Creating Certificates                                           p. 207
Lab 10: Site-to-Site VPN Between Corporate and Branch Office    L-p. 191
Define the VPN Domain                                           L-p. 193
Create the VPN Community                                        L-p. 196
Create the VPN Rule and Modifying the Rule Base                 L-p. 202
Test VPN Connection                                             L-p. 205
Failed Negotiation Example                                      L-p. 209

Table 8-8: Encryption and VPNs Topics

Sample CCSA R70 Exam Question

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R70 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?

1. Certificate Revocation Lists
2. Application Intelligence.
3. Digital signatures.
4. Key-exchange protocols.

Answer

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R70 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?

1. Certificate Revocation Lists
2. Application Intelligence.
3. Digital signatures.
4. Key-exchange protocols.

Chapter 9: Introduction to VPNs

Virtual Private Networking technology leverages the Internet to build and enhance secure network connectivity. Based on standard Internet secure protocols, a VPN enables secure links between special types of network nodes: the Gateways. Site-to-site VPN ensures secure links between Gateways. A Remote Access VPN ensures secure links between Gateways and remote access clients.

Objectives:

- Configure a pre-shared secret site-to-site VPN with partner sites.
- Configure permanent tunnels for remote access to corporate resources.
- Configure VPN tunnel sharing, given the difference between host-based, sub-unit-based, and gateway-based tunnels.

Introduction VPNs Topics

The following table outlines the topics covered in the Introduction to VPNs chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element                                              Page Number
The Check Point VPN                                              p. 213
VPN Deployments                                                  p. 213
Site-to-Site VPNs                                                p. 214
Remote Access VPNs                                               p. 215
VPN Implementation                                               p. 216
VPN Setup                                                        p. 217
Understanding VPN Deployment                                     p. 217
VPN Communities                                                  p. 218
VPN Topologies                                                   p. 220
Meshed VPN Community                                             p. 220
Star VPN Community                                               p. 221
Choosing a Topology                                              p. 221
Topology and Encryption Issues                                   p. 223
Special VPN Gateway Conditions                                   p. 224
Authenticating Between Community Members                         p. 225
Domain and Route-Based VPNs                                      p. 226
Access Control and VPN Communities                               p. 227
Accepting all Encrypted Traffic                                  p. 229
Excluding Services                                               p. 229
Integrating VPNs into a Rule Base                                p. 230
Simplified vs. Traditional Mode VPNs                             p. 231
VPN Tunnel Management                                            p. 231
Permanent Tunnels                                                p. 232
VPN Tunnel Sharing                                               p. 233
Remote Access VPNs                                               p. 234
SecuRemote                                                       p. 234
Multiple Remote Access VPN Connectivity Modes                    p. 235
Office Mode                                                      p. 235
Visitor Mode                                                     p. 235
Hub Mode                                                         p. 235
Establishing a Connection Between a Remote User and a Gateway    p. 236
Lab 11: Two-Gateway IKE Encryption Using Certificates            L-p. 215
Save Certificate for Export                                      L-p. 216
Add Partner Machine to VPN Community                             L-p. 218
Creating Object for Partner Gateway                              L-p. 218
Modify VPN Domain for Partner Gateway                            L-p. 222
Add the Partner Network to the VPN Community                     L-p. 225
Create Partner Site Certificate Authority                        L-p. 226
Modify the Rule Base                                             L-p. 229
Install and Verify Security Gateway Configuration                L-p. 230
Test Encryption with Certificates                                L-p. 231
Revert to Standard Security Policy                               L-p. 235
Lab 12: Remote Access and Office Mode                            L-p. 237
Create Remote-Access Group                                       L-p. 239
Configure Gateway for IKE Encryption                             L-p. 240
Create a Remote User Group                                       L-p. 240
Configure Remote Access Community Object                         L-p. 241
Configure VPN Domain for Remote Access                           L-p. 244
Configure Office Mode IP Pool                                    L-p. 245
Modify the Rule Base for Remote Access                           L-p. 247
Create a Site Using the Site Wizard                              L-p. 249
Verify Office Mode IP Assignment                                 L-p. 255
Test the Remote Connection                                       L-p. 256

Table 9-9: Check Point Introduction to VPNs Topics

Sample CCSA R70 Exam Question

When using an encryption algorithm, which is generally considered the best encryption method?

1. DES.
2. AES
3. Triple DES
4. CAST cipher

Answer

When using an encryption algorithm, which is generally considered the best encryption method?

1. DES.
2. AES
3. Triple DES
4. CAST cipher

Chapter 10: Messaging and Content Security

Access control firewalls prevent unauthorized traffic from passing through the Gateway. However, hackers also attempt to misuse allowed traffic and services. Some of the most serious threats in today's Internet environment come from attacks that attempt to exploit the application layer. Access control devices cannot easily detect malicious attacks aimed at these services.

Objectives:

- Configure Check Point Messaging Security to test IP Reputation, content based anti-spam, and zero hour virus detection.
- Based on network analysis disclosing threats by specific sites, configure a Web-filtering and antivirus policy to filter and scan traffic.

Introduction to the Messaging and Content Security Topics

The following table outlines the topics covered in the Messaging and Content Security chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element: Antivirus Protection Anti-Virus Signature Database Updates Antivirus Scanning Content Security Scanning in Practice POP3 Protocol Example FTP Protocol Example HTTP Protocol Example DMZ Example Scan by Direction Options File Type Recognition Continuous Download Logging and Monitoring File Size Limitations and Scanning UTM-1 Edge Antivirus Basic URL Filtering Architecture Anti-Spam and Mail

Page Number: p. 243 p. 244 p. 245 p. 246 p. 247 p. 248 p. 249 p. 250 p. 251 p. 254 p. 255 p. 256 p. 256 p. 258 p. 259 p. 260 p. 261

Table 10-10: Messaging and Content Security Topics

Topic / Key Element                         Page Number
Architecture                                p. 263
Logging and Monitoring                      p. 265
Lab 13: Messaging and Content Security      L-p. 259
Revert to Standard Security Policy          L-p. 261
Configure Mail Server Object                L-p. 262
Modify Rule Base                            L-p. 264
Observe Mail Traffic                        L-p. 265
Modify the Gateway Properties               L-p. 267
Configure Anti-Spam for Monitor Only        L-p. 268
Analyze to Gateway                          L-p. 270
Analyze Logs                                L-p. 272
Reconfigure Policy to Block Attacks         L-p. 274

Table 10-10: Messaging and Content Security Topics

Sample CCSA R70 Exam Question

Which antivirus scanning method does not work if the Gateway is connected as a node in proxy mode?

1. Scan by Direction
2. Scan by File Type
3. Scan by Server
4. Scan by IP Address

Answer

Which antivirus scanning method does not work if the Gateway is connected as a node in proxy mode?

1. Scan by Direction
2. Scan by File Type
3. Scan by Server
4. Scan by IP Address
