=====Smart Directory (LDAP)=====
-> User Directory Software Blade used to integrate SGW with LDAP server
-> Account Unit // LDAP Server in SmartDirectory
------------Acquisition Sources
Captive Portal Browser-Based Authentication
Unidentified users log in with a user name and password in a Captive Portal. After authentication, the user clicks a link to go to the destination address.
- Used for Identity Enforcement
- Identity-based enforcement for non-AD users (non-Windows and guest users)
Endpoint Identity Agent
A lightweight Endpoint Identity Agent authenticates users securely with Single Sign-On (SSO)
Identity enforcement for Data Centers
Protecting highly sensitive servers
When accuracy in detecting identity is crucial
AD QUERY
-Basic identity enforcement in internal network
-Leveraging identity in the Internet application control
-Identity-based auditing and logging
->Troubleshooting : use fw monitor
->Ports :
Default port for SSL connection with LDAP Server : 636
Default port for clear-text TCP connections with LDAP Server : 389
-> dsquery user -name administrator //identify the user's DN (run on the AD server)
-Authorization : managed by Gateway
-Authentication:
*cpauth (LDAP )
*fwssd (legacy )
*cvpnd (for SSL VPN users)
*vpnd ( remote access clients )
-All Account Unit Users : Reference all Groups defined on the LDAP server for Authentication
-Only SubTree : Reference a specific group defined on the LDAP server for Authentication
-fwm : authentication for logging
--Account Unit : Interface which allows interaction between SMS and LDAP
-Priority : based on Account Unit or Gateway
-make_au, au_auth, au_fetchuser, cpLdapGetUser, cpldapCheck, au_auth_auth //debug topics for the user authentication process
==============Smart Provisioning
-----------------Interface and Routing
ipconfig /all > filename.txt //save interface information (Windows)
ifconfig > filename.txt //save interface information (GAIA)
netstat -rn > filename.txt //save routing information (Windows)
/etc/sysconfig/network.C //stores IP address and routing configuration (GAIA)
----------------Zero Downtime -----after all cluster members are upgraded
cphaconf set_ccp multicast
-----CPSIZEME-----
./cpsizeme //run cpsizeme
./cpsizeme -V //check version
./cpsizeme -p username:password@proxy_address:port //run through a proxy
->by default it is run every 24 hours
->filename : cpsizeme_of_gwname.xml
--------Route Based VPN using VTI
The VTI may be configured in two ways:
• Numbered : For each Security Gateway, you configure a local IP address, a remote address, and the local IP address source for outbound connections to the tunnel.
• Unnumbered : define a proxy interface
-Supported on SPLAT and GAIA
-VTIs cannot use an existing physical interface IP Address
-VTIs can share IP addresses
VPN Routing using VPN tunnel interfaces (VTI) : Route based VPN
Route based VPN : Not supported by CoreXL
VPN Routing file : $FWDIR/conf/vpn_route.conf
-Domain Based VPN takes precedence over Route based VPNs
-Unnumbered VPN Tunnel Interfaces (VTIs) : Must be assigned a Proxy Interface
VTIs in a Clustered Environment
When configuring numbered VTIs in a clustered environment, a number of issues need to be considered:
• Each member must have a unique source IP address.
• Every interface on each member requires a unique IP address.
• All VTIs going to the same remote peer must have the same name.
• Cluster IP addresses are required
Display whether a VTI is configured properly :
#vpn shell show interface detailed <VTI_name>
----Link Selection
-Probe Links for availability
-Use Load Sharing to distribute VPN traffic
-Use Links based on services
-Setup Links for remote access
----Third Party logging
using protocol : LEA (Log Export API)
------MEP VPNs
--Probing Protocol : Sends RDP probes (UDP port 259) to see if an IP is reachable
--Define as a Star VPN Community
-----------Public Key Infrastructure
Built on Certificate Authorities, Digital Certificates and Public Key encryption
---POLICY INSTALL
1. Initiation - made by a SmartConsole application
A Check Point Management Interface (CPMI) policy installation command is sent to FWM on the Management Server, where verification and compilation take place.
2. Code Generation and Compilation : FWM forwards the command to CPD
3. CPD invokes the Check Point Policy Transfer Agent (CPTA), which sends the policy to the Security GW
4. FWD on the SGW updates all user-space processes for enforcement, e.g. VPND (VPN issues), FWSSD
5. CPD then initiates the Kernel Replacement
-------------Smartevent
Running in learning Mode
Multiple Database tables
Consolidation Rules
--Smartevent Database Backup : eva_db_backup
--Restore the Smartevent Database on the new server : eva_db_restore
------------Smart reporter
--Smart reporter policy
--Consolidation Policy
--Generates a SmartEvent report from its SQL Database
--SmartReporter generates EXPRESS REPORTS from the SmartView Monitor History file
--implements a consolidation Policy
--backup events stored in Smartevent server : $RTDIR/distrib and $RTDIR/events_db
--Database settings (Linux) : $RTDIR/Database/conf/my.cnf
--Database settings (Windows) : %RTDIR%\Database\conf\my.ini
---Reports can be used for Attempted Port scans , Possible Worm/Malware Activity , Analyzing traffic patterns against public resources
---Smartreporter-Express Reports : Historical System Information
--Smartreporter Queries : Filtered Queries
Time : Last hour, Last Day, Last week
Type : Scans, DoS, Unauthorized Entry
State : Open, Closed, False Alarm
------SmartView Tracker
Length of time a TCP connection was open
--------Processes
FWD --> FWSSD (child process) //spawned whenever a connection is initiated to the firewall itself
Check Point log management daemon (cplmd) //Runs on the Security Management Server. Used for log management. Starts when SmartView Tracker is started.
---Connections Table
fw tab -t connections -s //number of connections through FW
fw -i 0 tab -t connections -s //number of connections through core 0
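The two commands above give the connections-table summary for the whole gateway and for one CoreXL instance. The following script is an added example, not part of the original notes or of Check Point's tooling: it parses constructed sample output (the HOST / NAME / ID / #VALS / #PEAK / #SLINKS column layout is assumed from the typical `fw tab -s` summary format), sums the per-core counts and flags when the peak usage gets close to a hypothetical table limit, which is the check an operator wants before the connections table fills up and new connections start being dropped.

```python
# Constructed sample output in the layout "fw tab -t connections -s" and
# "fw -i <core> tab -t connections -s" typically print (assumed column order:
# HOST NAME ID #VALS #PEAK #SLINKS). All numbers are made up for this example.
SAMPLE_GLOBAL = """\
HOST                  NAME                                  ID #VALS #PEAK #SLINKS
localhost             connections                         8158 12450 24890 24900
"""

SAMPLE_PER_CORE = {
    0: """\
HOST                  NAME                                  ID #VALS #PEAK #SLINKS
localhost             connections                         8158  6300 12500 12600
""",
    1: """\
HOST                  NAME                                  ID #VALS #PEAK #SLINKS
localhost             connections                         8158  6150 12390 12300
""",
}

# Hypothetical table limit for the headroom check; on a real gateway take the
# value from the object's Capacity Optimization settings, not from this example.
CONNECTIONS_LIMIT = 25000


def parse_tab_summary(text):
    """Return {'vals', 'peak', 'slinks'} for the 'connections' row of a summary."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and any blank lines; match on the table name column.
        if len(fields) >= 6 and fields[1] == "connections":
            return {
                "vals": int(fields[3]),    # entries currently in the table
                "peak": int(fields[4]),    # highest count since the table was created
                "slinks": int(fields[5]),  # symbolic links (secondary lookup keys)
            }
    raise ValueError("no 'connections' row found in fw tab output")


def headroom_report(summary, limit, warn_pct=80.0):
    """Express current and peak usage as a percentage of the limit and flag risk."""
    current_pct = round(100.0 * summary["vals"] / limit, 1)
    peak_pct = round(100.0 * summary["peak"] / limit, 1)
    return {
        "current_pct": current_pct,
        "peak_pct": peak_pct,
        # Peak is the useful signal: a table that already hit 80% will drop
        # connections during the next traffic spike.
        "warn": peak_pct >= warn_pct,
    }


def per_core_breakdown(samples):
    """Parse each core's summary; return ({core: vals}, total across cores)."""
    per_core = {core: parse_tab_summary(text)["vals"] for core, text in samples.items()}
    return per_core, sum(per_core.values())


if __name__ == "__main__":
    total = parse_tab_summary(SAMPLE_GLOBAL)
    print("gateway-wide:", total, headroom_report(total, CONNECTIONS_LIMIT))
    cores, core_sum = per_core_breakdown(SAMPLE_PER_CORE)
    print("per core:", cores, "sum:", core_sum)
```

On a real gateway the sample strings would be replaced by the captured output of the two commands (for example via `subprocess.run(["fw", "tab", "-t", "connections", "-s"], capture_output=True, text=True).stdout`); the per-core sum should match the gateway-wide #VALS, and a mismatch usually means a core was not sampled.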
---Users
#set user admin shell /bin/bash // to go to bash shell
-$FWDIR/conf/fwauth.NDB // user definitions are stored in this file
-make_au, au_auth, au_fetchuser, cpLdapGetUser, cpldapCheck, au_auth_auth //debug topics for the user authentication process
-#fwm dbimport //import user database
----Security Server configuration
$FWDIR/conf/fwauthd.conf //Security Server configuration is stored here
---Smart Event
---Identity awareness Processes
1. pdp
2. pep
---Cluster XL
-Limit 6
-Zero Downtime Upgrade : Upgrade all cluster members except one at the same time
-Minimal Effort Upgrade : Treat each cluster member as an individual GW
-Full connectivity Upgrade : supported on minor versions
-fw ctl conn -a //check if same product installed
-Critical Devices : fwd, filter
-Sticky Decision Function (SDF)
//not supported when Performance Pack or a hardware-based accelerator card is used
//SecureXL and the Sticky Decision Function are not supported together in ClusterXL Load Sharing mode
//supports SecureClient / SecuRemote / SSL
-Sticky Connections : all connections in either direction handled by single cluster member (HA)
-gratuitous ARP //sent when a cluster member takes over the VIP
-Cluster XL protocol : ClusterXL Control Protocol (CCP) uses multicast by default, because it is more efficient than broadcast. If the connecting switch cannot forward multicast traffic, it is possible, though less efficient, for the switch to use broadcast to forward traffic
-cphaconf set_ccp broadcast
-cphaconf set_ccp multicast