28.3.16
23.3.16
Checkpoint CSA Notes-2
NAT (NETWORK ADDRESS TRANSLATION)
Why -> Private IP, Security, Limited IPs
What to translate: Source or Destination
How to translate: Static or Dynamic
Where translation is done
Mostly for servers
Static - Destination NAT -> translation happens on the ingress interface (before routing)
Mostly for end-user PCs/clients
Source - Dynamic NAT -> Hide NAT (many internal clients behind one routable address)
NAT Hide
Firewall Tab
-> NAT
Network Objects -> Network
-> Internal-HQ
-> NAT Tab
-> Add Automatic Address Translation -> Translation method -> Hide
-> Save
-> Install Policy (PUSH)
From an Internal-HQ PC, ping a public IP
SMART TRACKER
-> go to the bottom (down icon)
-> validate in the log that the ping was translated on the way out
XlateSrc -> Translated Source Address
NAT Static
Firewall Tab
-> NAT
Network Objects -> Nodes
-> Test PC
-> NAT Tab
-> Add Automatic Address Translation -> Translation method -> Static
-> Check the global address (public IP/routed IP)
-> Save
-> Install Policy (PUSH)
XlateDst -> Translated Destination Address
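Hide NAT versus static NAT, as an added worked example that is not part of these notes and not Check Point code: a small Python model of a gateway that applies an automatic Hide rule to a network and an automatic Static rule to a server, and writes the XlateSrc / XlateDst / XlateSPort fields the tracker check above looks for. The gateway addresses, interface names, starting port and packets are constructed for the example; the check uses TCP, and a ping follows the same path with the ICMP identifier in place of the port. Static rules are tried before hide rules, which is the order the model assumes.

```python
"""Hide NAT vs static NAT with the tracker fields to validate the result.

Added example, not Check Point code. Addresses, interfaces, ports and
packets below are constructed; XlateSrc/XlateDst/XlateSPort mirror the
SmartView Tracker field names referred to in the notes.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int          # for ICMP the echo identifier plays the role of the port
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class HideRule:
    """Automatic NAT, method Hide: a whole network behind one routable address."""
    internal: str       # e.g. "10.1.1.0/24"
    hide_behind: str    # the routable address the clients are hidden behind


@dataclass(frozen=True)
class StaticRule:
    """Automatic NAT, method Static: one private address <-> one public address."""
    private: str
    public: str


class Gateway:
    def __init__(self, hide_rules, static_rules, external_if="eth0"):
        self.hide_rules = list(hide_rules)
        self.static_rules = list(static_rules)
        self.external_if = external_if
        self._next_port = 10000     # constructed starting point for hide-NAT source ports
        self.conns = {}             # (hide_ip, port) -> (orig_src, orig_sport)
        self.logs = []              # one dict per packet, like a tracker log line

    def _new_port(self):
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def process(self, pkt, ingress):
        """Translate one packet and record what the tracker line would show."""
        log = {"Src": pkt.src, "Dst": pkt.dst, "Service": pkt.dport, "Ingress": ingress}
        inbound = ingress == self.external_if

        if inbound:
            # Static destination NAT happens on the ingress (external) interface,
            # before routing, so the packet is then routed to the private address.
            for r in self.static_rules:
                if pkt.dst == r.public:
                    pkt = Packet(pkt.src, r.private, pkt.sport, pkt.dport, pkt.proto)
                    log["XlateDst"] = r.private
                    break
            # A reply to a hidden client: undo the hide translation from the table.
            key = (pkt.dst, pkt.dport)
            if key in self.conns:
                orig_src, orig_sport = self.conns[key]
                pkt = Packet(pkt.src, orig_src, pkt.sport, orig_sport, pkt.proto)
                log["XlateDst"] = orig_src
        else:
            # Static source NAT: the published server's own traffic leaves with its public address.
            for r in self.static_rules:
                if pkt.src == r.private:
                    pkt = Packet(r.public, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
                    log["XlateSrc"] = r.public
                    break
            else:
                # Hide NAT: many clients share one address; a fresh source port tells replies apart.
                for r in self.hide_rules:
                    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.internal):
                        port = self._new_port()
                        self.conns[(r.hide_behind, port)] = (pkt.src, pkt.sport)
                        pkt = Packet(r.hide_behind, pkt.dst, port, pkt.dport, pkt.proto)
                        log["XlateSrc"], log["XlateSPort"] = r.hide_behind, port
                        break
        self.logs.append(log)
        return pkt


def translated_outside(logs, client_ip):
    """The check from the notes: did traffic from this client leave translated?"""
    return any(line["Src"] == client_ip and "XlateSrc" in line for line in logs)


def demo():
    gw = Gateway([HideRule("10.1.1.0/24", "203.0.113.1")],
                 [StaticRule("10.1.1.50", "203.0.113.50")])
    # Two HQ clients use the same source port toward the same outside host (constructed).
    a = gw.process(Packet("10.1.1.10", "198.51.100.5", 40000, 443), ingress="eth1")
    b = gw.process(Packet("10.1.1.11", "198.51.100.5", 40000, 443), ingress="eth1")
    # The reply for client a comes back to the hide address and the port a was given.
    reply = gw.process(Packet("198.51.100.5", a.src, 443, a.sport), ingress="eth0")
    # An outside host reaches the published server through its public address.
    inbound = gw.process(Packet("198.51.100.7", "203.0.113.50", 5555, 80), ingress="eth0")
    # The server's own outbound traffic uses the static mapping, not the hide rule.
    server_out = gw.process(Packet("10.1.1.50", "198.51.100.5", 50000, 443), ingress="eth1")
    return gw, a, b, reply, inbound, server_out
```

Running demo() and reading gw.logs is the same check as scrolling to the bottom of the tracker: the client lines carry XlateSrc (and XlateSPort, which is what keeps the two clients apart), the inbound line to the server carries XlateDst, and a client that never left would have no XlateSrc at all.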
POLICY PACKAGES AND DATABASE VERSIONS
1. Install and link Gateway to Manager
2. Include new Firewall in Policies
A policy package targets a specific set of rules at any number of firewalls
New Policy Package
- a set of policies that can be pushed to one or more gateways
Dashboard
-> File
-> New
-> Blank screen (the policy still needs to be populated)
Dashboard
-> File -> Save -> Install Policy
-> SELECT TARGETS
- Only choose the specific firewall(s) for the new policy package
-> File -> Save -> Install Policy
-> Advanced Options
-> Create Database Version - takes a snapshot that can be restored later
Database Version Control
-> File -> Database Revision Control
-> Create -> Creating a version
-> Automatically create a version -> Configure
-> Action -> Restore Version
Separation of rules
-> Right Click -> Add a section title -> Below -> Rule Name
SMART VIEW TRACKER
Modes: Log, Active, Audit
Queries: Predefined and Custom
Care and Feeding:
- Global Properties
- $FWDIR/log
- Other event destinations
SmartView Tracker ---> MGR <---logs--- Firewall
Active Mode
- Realtime activity
- Manual Block
Smart Console
-> Smart View Tracker
3 Modes
-> Network & Endpoint (Log mode)
-> Active
-> Management (Audit mode)
Edit Filter
-> Specific (What service)
-> Add
-> Contains or Equals
-> OK
Edit Filter
-> Follow
-> Destination or Source
Save Query As -> saves the search as a predefined query
SMART BLOCKER
Launch Menu
-> Tools -> Block Connection
-> Block Intruder
-> Blocking Scope
-> Blocking Timeout
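Block Intruder, blocking scope and blocking timeout as an added worked example (not part of these notes and not Check Point code): a Python model of the dynamic block list that Active mode feeds, showing how wide each scope is and what the timeout does. The intruder and the probe connections are constructed; the current time is passed in explicitly so the expiry behaviour can be followed step by step.

```python
"""Block Intruder from Active mode: blocking scope and blocking timeout.

Added example, not Check Point code. Connections and times below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

SCOPE_SOURCE = "source"            # drop everything from this source address
SCOPE_DESTINATION = "destination"  # drop everything to this destination address
SCOPE_CONNECTION = "connection"    # drop only this source/destination/service tuple


@dataclass
class BlockEntry:
    scope: str
    src: str
    dst: str
    service: tuple                 # (proto, dport)
    expires_at: Optional[float]    # None = indefinite, stays until an admin removes it

    def covers(self, conn):
        if self.scope == SCOPE_SOURCE:
            return conn["src"] == self.src
        if self.scope == SCOPE_DESTINATION:
            return conn["dst"] == self.dst
        return (conn["src"], conn["dst"], (conn["proto"], conn["dport"])) == \
               (self.src, self.dst, self.service)


class Blocker:
    """Holds the dynamic blocks; `now` is a parameter so the example is deterministic."""

    def __init__(self):
        self.entries = []

    def block_intruder(self, conn, scope, timeout=None, now=0.0):
        """`timeout` is seconds, like the Blocking Timeout dialog; None means indefinite."""
        expires = None if timeout is None else now + timeout
        entry = BlockEntry(scope, conn["src"], conn["dst"],
                           (conn["proto"], conn["dport"]), expires)
        self.entries.append(entry)
        return entry

    def expire(self, now):
        self.entries = [e for e in self.entries
                        if e.expires_at is None or e.expires_at > now]

    def is_blocked(self, conn, now):
        self.expire(now)
        return any(e.covers(conn) for e in self.entries)


def conn(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def demo():
    """Walk the three scopes against constructed traffic; returns the verdicts."""
    intruder = conn("198.51.100.9", "10.1.1.50", "tcp", 22)
    results = {}

    b = Blocker()                                   # scope: source, 10 minute timeout
    b.block_intruder(intruder, SCOPE_SOURCE, timeout=600, now=0)
    probe = conn("198.51.100.9", "10.1.1.51", "tcp", 80)   # same source, new target
    results["source_scope_blocks_other_target"] = b.is_blocked(probe, now=10)
    results["source_scope_expires"] = b.is_blocked(probe, now=601)

    b = Blocker()                                   # scope: connection, indefinite
    b.block_intruder(intruder, SCOPE_CONNECTION, timeout=None, now=0)
    other_port = conn("198.51.100.9", "10.1.1.50", "tcp", 443)
    results["connection_scope_blocks_exact"] = b.is_blocked(intruder, now=10 ** 6)
    results["connection_scope_ignores_other_port"] = b.is_blocked(other_port, now=10)

    b = Blocker()                                   # scope: destination, 1 minute timeout
    b.block_intruder(intruder, SCOPE_DESTINATION, timeout=60, now=0)
    other_src = conn("198.51.100.10", "10.1.1.50", "udp", 161)
    results["destination_scope_blocks_other_source"] = b.is_blocked(other_src, now=59)
    return results
```

Source scope is the widest and is the one to use with a timeout, since an address you block today may be reassigned tomorrow; connection scope is the narrowest and is safe to leave indefinite. Whatever the scope, these blocks are dynamic state on the gateway and are not part of the installed policy.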
Management Mode
Right-click a rule in the policy -> View Rule Logs (SmartView Tracker opens, filtered on that rule)
Smart Dash Board
-> Global Settings
-> Global Properties
-> Logs and Alert
-> Time Settings
Excessive log grace period: 62 seconds
SmartView Tracker resolving timeout: 20 seconds
Virtual Link statistics logging interval: 60 seconds
Status Fetching Interval: 60 seconds
-> Alerts
Send email
Send SNMP trap
Network Objects
-> Manager
-> Logs -> Enable SmartLog
-> Log Storage
Configure log file size (switch to a new file when the size is reached)
Create a new log file on a schedule
-> Additional Logging
Send logs to a different log server as well
SMART VIEW MONITOR
Provides statistics of
Gateways, Traffic, Counters, Tunnels, Users
Create and view suspicious activity rules
Set Thresholds and see alerts
SmartConsole
-> SmartView Monitor
Gateway Status
Traffic
- Top Services
- Top QOS Rules
- Top Destinations
- Top Security Rules
- Packet Size Distribution
- Top VOIP users
- Top Interfaces
- Virtual Link
- Top Tunnels
- Top P2P-Top Sources
- Common Services History
- Top Connections
System Counters
- System
- System History
-Firewall
-Firewall History
-VPN
-VPN History
-Content Inspection
-Firewall Security
-Firewall Server
Tunnels
- Tunnels on Community
- Permanent Tunnels
- Down Permanent Tunnels
- Tunnels on Gateway
Gateway Status -> click the desired firewall -> Configure Thresholds
-> CPU, free disk space, connection status, etc.
Launch Menu
-> Tools
-> Start System Alert Daemon
The Monitoring Software Blade must be enabled (licensed)
Monitoring must be ticked in the Gateway Properties
Dynamic Rules via Smart View Monitor
Icon - Suspicious Activity Rules
-> Show on all Checkpoint Gateways
-> Refresh
21.3.16
JNCIA-Junos 102 Notes
Draft notes on my JNCIA-Junos journey; however, in the process I just went on studying rather than logging most of everything here.
JUNIPER DEVICE PORTFOLIO
M-Series Scale
- Enterprise Routers
- L3/L2 VPNS
- Service Providers
J-Series Scale
- Smaller organizations
- Virtual (software) separation of control plane and data plane instead of hardware separation (cheaper)
- Robust selection compared to the SRX series
MX-Series Scale
- 3D Devices - scalability
- Availability - highest level of uptime / redundancy
- Agility - Extreme flexible on functions
EX-Series
- Layer 3 Switch routing capabilities
- Layer 2 Switch
QFX-Series (Cisco Nexus comparison)
- Data Center devices
- TOR / EOR
- Virtualization (comparable to VDC)
SRX-Series
- Service Gateway Devices
- Flexible / acts as switch, Wi-Fi, firewall, VoIP gateway, router
DEVICE ARCHITECTURE
- Operating system (Junos) is based on FreeBSD
- Multiple software processes (daemons), each isolated from the others
1. RPD - routing protocol daemon
2. MGD - management daemon
3. SNMPD - SNMP daemon
Routing Engine (RE)             [ RT -> FT ]   control plane: RPD builds the routing table (RT) and derives the forwarding table (FT)
Packet Forwarding Engine (PFE)  [ FT ]         forwarding plane: holds a copy of the FT and forwards packets
Control Plane - RE
Forwarding - PFE
CLI MODES
configure and edit are the same (both enter configuration mode; the prompt changes from > to #)
root> configure
root#
root> edit
root#
Comparison
root> show configuration | display set
cisco# show run | include interface
TROUBLESHOOTING WITH JUNOS
Credits to my colleague who gave me these commands, which were very helpful during my study. And now I am sharing the information without his knowledge for others to learn.
Basic troubleshoot
show security flow session
show log traffic_log | last 50
show log messages
show system processes summary
show system processes extensive
show chassis routing-engine
monitor start traffic_log | match 389
Remote VPN users
show security dynamic-vpn users
set access profile dyn-vpn-access-profile client user1 firewall-user password 1234
Check alarms and card status
show chassis fpc pic-status
show chassis cluster status
show system alarms
Routing and ping
traceroute routing-instance SNAP_HealthBridge source x.x.x.x y.y.y.y
ping routing-instance SNAP_HealthBridge source x.x.x.x y.y.y.y record-route count 1 wait 1
ping routing-instance SNAP_HealthBridge source x.x.x.x y.y.y.y count 10000 rapid
Checkpoint CSA Notes-1
SMART ARCHITECTURE
Smart Console -> Management Server -> Gateway (Firewall)
Policies are created -> policies are stored -> policies are pushed/installed
TRAFFIC CONTROL METHODS
1. Packet Filtering
2. Stateful - remembers the ports and IP addresses of each session (stateful inspection)
- Transport and Network Layer
3. Application Awareness - application layer
- looking at the content
OPERATING SYSTEM HISTORY
1. IPSO
2. SecurePlatform
3. Gaia
INSTALLING CHECKPOINT OPTIONS
1. Standalone vs Distributed
2. High Availability
3. Routed vs Bridged
4. Topology / Addressing
Communication Manager and GW(Firewall)
Login via console PC
1. Firewall
- Network management
1. Network Interfaces -> Configure ETHX (0,1,2)
2. IPV4 Static Route -> Add Gateway -> X.X.X.X (ETH0)
- System Management
1. Messages -> Banner Messages -> MABUHAY!
2. Manager Server
- Network Management
1. Network Interfaces (verify)
2. IPV4 Static Route (verify) 10.1.1.111
- System Management
1. Messages -> Banner Messages -> MABUHAY!
- Overview
1. Manage Software Blades using SmartConsole -> Download Now -> Install everything
PC Console
1. Launch the smart dashboard
Manager
To verify the fingerprint shown in SmartDashboard against the manager
1. Lock database override
2. cpconfig -> Certificate's Fingerprint -> exit (compare with the fingerprint shown at login)
2. Network Objects
-> Checkpoint
-> Management Server
-> Security Gateway/Management
-> Classic mode
-> Check Point Gateway General Properties (fill in)
- Name - FW Name
- IPV4 IP Address
- Comment - FW Comment
-> Network Security
- Tick the feature / license based
- IPS, Monitoring, IPSec VPN
-> Platform -verify Hardware OS
-> Trusted Communication
- Authentication -> One-time password -> Initialize
- Establishes trust (SIC) between the Manager and the Firewall
- Certificate Status -> Trust Established
- The new gateway is now visible
-> Topology
- Verify the interfaces
- The interface facing the configured default gateway is automatically marked External
-> Nodes
-> Node
-> Host Object
- Configure Name, IP Address, Comment
-> Network
-> Network
-> General
- Configure Name, Comment, Network Address and Mask
CREATING/INSTALLING POLICIES
Adding rules for security policy
- Mgmt, Stealth, Internal, Cleanup
- Implied Rules
Firewall
-> Policy -> Launch Menu -> Rules -> Add Rule -> Top or Bottom
MANAGEMENT RULE: RULE ID 1
- Name: Allow Traffic Management
- Source: Node PC
-> Creating New Host -> New -> Host
Configure Host Node Properties -> Name, IP Address,
- Service: Go to Dish
- Destination: Firewall HQ
- Action: [Accept] (choices are Accept / Reject / Drop)
- Track: Log
- Install On: Target Firewall
MALICIOUS (STEALTH RULE): RULE ID 2
- Name: Malicious
- Source: Any
- Service: Any
- Destination: Firewall HQ
- Action: [Drop]
- Track: Log
- Install On: Target Firewall
OUR USERS (INTERNAL RULE): RULE ID 3
- Name: Our Users
- Source: Internal-HQ
- Service: Any
- Destination: Any
- Action: [Accept]
- Track: Log
- Install On: Target Firewall
CLEAN UP: RULE ID 4
- Name: DENY
- Source: Any
- Service: Any
- Destination: Any
- Action: [Drop]
- Track: Log
- Install On: Target Firewall
SAVING THE POLICY
1. Save Icon
2. Control + S
3. Launch Menu -> File -> Save
IMPLIED RULES
1. Launch Menu -> Policy -> Global Properties
2. Edit Global Properties
- Implied Rules
- Accept control Connections
- Accept remote access control connections
- Accept Smart Update connections
- Accept IPS-1 management connections
- Accept outgoing packet originating from gateway -> Before Last
- Track
- Log Implied Rules
3. To verify
Launch Menu -> View -> Implied Rules
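The four-rule policy and the implied-rule placement above, as an added worked example that is not part of these notes and not Check Point code: a Python first-match evaluator over the management, stealth, internal and cleanup rules, with the "outgoing packets originating from gateway" implied rule inserted Before Last. It shows why the management rule has to sit above the stealth rule and how gateway-originated traffic is accepted even though the explicit cleanup rule drops everything. The object names follow the notes; the addresses behind them, the management services (ssh, https) and the sample connections are constructed for the example, and the "Accept control connections" implied rule is left out because the notes do not list its services.

```python
"""First-match evaluation of the notes' four-rule policy plus an implied rule.

Added example, not Check Point code. Object names follow the notes; the
addresses, management services and sample connections are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# Network objects: constructed addresses behind the names used in the notes.
OBJECTS = {
    "Node PC": ["10.1.1.111/32"],
    "Firewall HQ": ["10.1.1.1/32", "203.0.113.1/32"],
    "Internal-HQ": ["10.1.1.0/24"],
}


def in_object(name, ip):
    if name == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: frozenset      # set of (proto, port); an empty set stands for Any
    action: str
    track: str = "Log"
    implied: bool = False

    def matches(self, conn):
        svc_ok = not self.service or (conn["proto"], conn["dport"]) in self.service
        return in_object(self.src, conn["src"]) and in_object(self.dst, conn["dst"]) and svc_ok


def build_rulebase(explicit, implied_first=(), implied_before_last=()):
    """Place implied rules where Global Properties puts them: First, or Before Last
    (just above the explicit cleanup rule, which must be the last explicit rule)."""
    return list(implied_first) + explicit[:-1] + list(implied_before_last) + explicit[-1:]


def evaluate(rulebase, conn):
    """First match wins. Returns (action, rule number, rule name); rules are
    numbered from 1 in the order installed, implied rules included."""
    for number, rule in enumerate(rulebase, start=1):
        if rule.matches(conn):
            return rule.action, number, rule.name
    return "Drop", None, "no match"


MGMT_SERVICES = frozenset({("tcp", 22), ("tcp", 443)})   # constructed: ssh and https

MANAGEMENT = Rule("Allow Traffic Management", "Node PC", "Firewall HQ", MGMT_SERVICES, "Accept")
STEALTH = Rule("Malicious", ANY, "Firewall HQ", frozenset(), "Drop")
OUR_USERS = Rule("Our Users", "Internal-HQ", ANY, frozenset(), "Accept")
CLEANUP = Rule("DENY", ANY, ANY, frozenset(), "Drop")

# "Accept outgoing packets originating from gateway", placed Before Last.
GW_OUTGOING = Rule("Implied: outgoing from gateway", "Firewall HQ", ANY, frozenset(),
                   "Accept", implied=True)

# The order from the notes, and the same rules with stealth above management.
GOOD = build_rulebase([MANAGEMENT, STEALTH, OUR_USERS, CLEANUP], implied_before_last=[GW_OUTGOING])
BAD = build_rulebase([STEALTH, MANAGEMENT, OUR_USERS, CLEANUP], implied_before_last=[GW_OUTGOING])

# Constructed sample connections.
ADMIN_SSH = {"src": "10.1.1.111", "dst": "10.1.1.1", "proto": "tcp", "dport": 22}
OUTSIDER_TO_FW = {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "tcp", "dport": 22}
USER_WEB = {"src": "10.1.1.20", "dst": "198.51.100.5", "proto": "tcp", "dport": 443}
OUTSIDER_TO_USER = {"src": "198.51.100.9", "dst": "10.1.1.20", "proto": "tcp", "dport": 445}
GW_DNS = {"src": "203.0.113.1", "dst": "198.51.100.53", "proto": "udp", "dport": 53}


def show(rulebase, conn):
    action, number, name = evaluate(rulebase, conn)
    return f"{conn['src']} -> {conn['dst']}:{conn['dport']}  {action} by rule {number} ({name})"
```

With GOOD the admin's ssh session hits rule 1 and is accepted, while in BAD the same session is dropped by the stealth rule at rule 1, which is the lock-out the order in the notes avoids. The gateway's own DNS query matches the implied rule at position 4, above the explicit DENY, so it never reaches the cleanup rule.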
PUSHING THE POLICY
1. Launch Menu -> Policy -> Install POLICY
2. Or Icon Install POLICY
Inside Install POLICY
Revision Control
- Create database version (snapshot)
- Once done it will deploy the policy
- Policy Installation status -> date and succeeded
3. To verify on the Firewall
FW> fw stat (shows the installed policy name and install date)
FW> fw fetch IP.Address.of.Manager (pulls the latest policy from the manager)
Troubleshooting via CLI
FW> fw stat
FW> show configuration interfaces
FW> fw fetch [location]