Uploaded by Vinay Kumar

Checkpoint Firewall
R80.x
Firewall: - A firewall is a network security device that monitors incoming and
outgoing network traffic and permits or blocks data packets based on a set of
security rules.
Firewall Types: -
Architecture: - Check Point uses a 3-tier architecture made of these components:
a. Security Management Server (these notes call it the "Smart Management Server")
b. Security Gateway
c. SmartConsole
Objects (networks, groups, profiles, etc.), policies (access control, NAT, threat prevention, etc.) and configuration are created in SmartConsole, stored on the Security Management Server and enforced by the Security Gateway.
All 3 components communicate over SIC (Secure Internal Communication). SIC authenticates each component with a certificate issued by the management server's Internal Certificate Authority (ICA) and encrypts the channel with TLS (AES-128 in R80.x). A gateway whose SIC trust is broken cannot receive policy or send logs, so SIC state is the first thing to check when policy installation fails.
Reset SIC on the gateway:
#cpconfig
Choose the "Secure Internal Communication" option (number 5 in this menu; the numbering varies by version and platform) and enter a new one-time activation key. Then, in SmartConsole, open the gateway object, reset and re-initialize trust with the same key, and install policy. Check the result on the gateway with "cp_conf sic state".
Deployment: -
1. Standalone: Security Management Server and gateway on the same box (diagram: SmartConsole -> Smart Mgmt+gateway -> Internet).
2. Distributed: Security Management Server and gateway on different boxes (diagram: SmartConsole -> switch -> Gateway and Smart Mgmt as separate hosts).
Packet Flow: - the gateway processes each packet through the following stages in order.
Anti-Spoofing: - Anti-Spoofing detects a packet whose source IP address belongs to the network defined behind one interface but that arrives on a different interface. For example, a packet arriving on the external interface with an internal source address is dropped. The check uses the Topology defined on each interface of the gateway object, so an inaccurate topology either lets spoofed packets through or drops legitimate traffic.
SAM Database: - SAM (Suspicious Activity Monitoring) is a utility integrated in SmartView Monitor. It blocks activities that you see in the SmartView Monitor results and that appear to be suspicious. For example, you can block a user who tries several times to gain unauthorized access to a network or internet resource.
A Security Gateway with SAM enabled holds blocking rules for suspicious connections that are not restricted by the security policy. These rules are applied immediately (policy installation is not required). When you add a SAM rule you choose how long it stays active:
1. Relative: for the next 2 hours / 8 hours / next day / next week
2. Absolute: until a fixed date and time, e.g. 01/01/2022-01/10/2022
3. Never: the entry does not expire; it stays until you remove it
The same entries can be managed from the gateway CLI with fw sam (for example "fw sam -v -t 7200 -I src 203.0.113.10" inhibits and closes connections from that source for two hours; "fw sam -D" removes all SAM rules).
How to identify attack/suspicious activity:
1. Reactive: after the event, from what is already logged or visible in SmartView Monitor (e.g. a burst of TCP SYN packets from one source).
2. Proactive: export the gateway logs to tools such as a SIEM and alert on thresholds before the attack succeeds.
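The reactive case in working code, as an added example that is not part of these notes or of Check Point's software: it parses constructed log lines (the field names are assumptions), counts dropped connections per source in a sliding window, and produces a block entry with each of the three SAM expiry choices. The sam_command mapping to "fw sam -t / -I" is the assumed CLI equivalent; omitting -t is taken to mean no expiry.

```python
"""Reactive SAM-style blocking from gateway logs (added example, not Check Point code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, not real gateway output. Field names are assumptions.
SAMPLE_LOGS = [
    "2022-01-01T10:00:01 action=drop src=203.0.113.10 dst=10.0.0.5 service=ssh",
    "2022-01-01T10:00:02 action=drop src=203.0.113.10 dst=10.0.0.5 service=ssh",
    "2022-01-01T10:00:03 action=drop src=203.0.113.10 dst=10.0.0.5 service=ssh",
    "2022-01-01T10:00:04 action=accept src=198.51.100.7 dst=10.0.0.5 service=https",
    "2022-01-01T10:00:05 action=drop src=203.0.113.10 dst=10.0.0.5 service=ssh",
    "2022-01-01T10:00:06 action=drop src=203.0.113.10 dst=10.0.0.5 service=ssh",
    "2022-01-01T10:30:00 action=drop src=198.51.100.7 dst=10.0.0.6 service=rdp",
]


def at(s):
    """Parse an ISO timestamp; used by the block and by callers."""
    return datetime.fromisoformat(s)


def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = at(ts)
    return rec


def expiry(mode, now, **kw):
    """Translate the three SAM expiry choices into an absolute datetime (None = never)."""
    if mode == "relative":
        return now + timedelta(hours=kw["hours"])
    if mode == "absolute":
        return kw["until"]
    if mode == "never":
        return None
    raise ValueError(mode)


def detect(lines, threshold=5, window=timedelta(minutes=1), mode="relative", **kw):
    """Return {src: expiry} for every source with >= threshold drops inside the window."""
    recent = defaultdict(deque)   # per-source timestamps of recent drops
    blocks = {}
    for rec in map(parse, lines):
        if rec["action"] != "drop" or rec["src"] in blocks:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            blocks[rec["src"]] = expiry(mode, rec["ts"], **kw)
    return blocks


def is_blocked(blocks, src, now):
    """A 'never' entry (None) is always active; others only until they expire."""
    exp = blocks.get(src, "absent")
    if exp == "absent":
        return False
    return exp is None or now < exp


def sam_command(src, exp, now):
    """Assumed mapping to the fw sam CLI: -I inhibit+close, -t timeout in seconds."""
    if exp is None:
        return f"fw sam -v -I src {src}"
    secs = int((exp - now).total_seconds())
    return f"fw sam -v -t {secs} -I src {src}"
```

Only sources with repeated drops inside the window are blocked; the single late drop from 198.51.100.7 never reaches the threshold, which is the difference between a noisy scanner and one stray packet.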
Session Lookup: - the firewall checks its connections table to see whether the packet belongs to a new or an existing connection.
1. First packet (slow path / F2F): no entry in the connections table, so a rule-base (policy) lookup happens and, if the packet is accepted, a connection entry is created.
2. Fast path: the entry already exists, so the packet is forwarded without a rule-base lookup (with SecureXL this is the accelerated path). Inspect the table with "fw tab -t connections -s" and check acceleration with "fwaccel stat".
Policy Lookup: - There are 2 types of rules on a Check Point firewall. Rules are matched top-down and the first match wins, so the order below matters.
1. Implied: - generated by the system from Global Properties (control connections, SIC, logging, etc.). They cannot be edited as rules; they can only be enabled/disabled and positioned (First, Before Last, Last) in Global Properties. By default they are not logged ("Log Implied Rules" is unchecked), so traffic they accept is invisible in the logs unless you enable it.
2. Explicit: - created by the admin and freely editable, normally in this order:
a. Management rules: allow administrators and the management server to reach the gateway.
b. Stealth rule: drop all other traffic destined to the gateway itself.
c. Access policy: the rules for traffic passing through the gateway.
d. Cleanup rule: any / any / drop with logging as the last rule. Unmatched traffic is dropped anyway, but without the cleanup rule it is dropped silently.
Remaining packet flow steps after the policy decision, in order:
1. Destination NAT
2. Route Lookup
3. Source NAT
4. Layer 7 Inspection
5. Threat Prevention
6. VPN encryption
7. Routing
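The first part of the packet flow (anti-spoofing, SAM check, session lookup, ordered rule-base lookup with implied rules first and the cleanup rule last) put together in one small model, as an added example that is not Check Point code: the rule tuple format, the port numbers in the illustrative implied rule, the interface names and addresses are all assumptions chosen for the demonstration.

```python
"""Simplified stateful-firewall packet flow (added example, not Check Point code)."""
import ipaddress as ip
from dataclasses import dataclass
from datetime import datetime

ANY = "any"
GATEWAY = [ip.ip_network("203.0.113.1/32"), ip.ip_network("10.0.0.1/32")]  # gateway's own IPs
INTERNAL = [ip.ip_network("10.0.0.0/24")]
TOPOLOGY = {"eth1": INTERNAL}   # anti-spoofing topology: networks behind internal interfaces; eth0 is external

# Rule base in lookup order: (name, src, dst, dports, action, log).
# The implied rule is illustrative: control connections from the management server (10.0.0.10).
IMPLIED = [
    ("implied-control", [ip.ip_network("10.0.0.10/32")], GATEWAY, {18191, 18192, 257}, "accept", False),
]
EXPLICIT = [
    ("management", [ip.ip_network("10.0.0.20/32")], GATEWAY, {22, 443}, "accept", True),
    ("stealth", ANY, GATEWAY, ANY, "drop", True),
    ("access-web", INTERNAL, ANY, {80, 443}, "accept", True),
    ("cleanup", ANY, ANY, ANY, "drop", True),
]


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int
    sport: int = 40000
    proto: str = "tcp"


def at(s):
    return datetime.fromisoformat(s)


def _in(value, nets):
    return nets == ANY or any(value in n for n in nets)


def anti_spoof_ok(pkt):
    src = ip.ip_address(pkt.src)
    for iface, nets in TOPOLOGY.items():
        if iface != pkt.iface and _in(src, nets):
            return False      # internal address seen on another interface: spoofed
    if pkt.iface in TOPOLOGY and not _in(src, TOPOLOGY[pkt.iface]):
        return False          # foreign address arriving on an internal interface
    return True


def rule_lookup(pkt):
    """First match wins; implied rules are evaluated before the explicit rule base."""
    src, dst = ip.ip_address(pkt.src), ip.ip_address(pkt.dst)
    for name, s, d, ports, action, log in IMPLIED + EXPLICIT:
        if _in(src, s) and _in(dst, d) and (ports == ANY or pkt.dport in ports):
            return name, action, log
    return "default-drop", "drop", False   # unmatched traffic is dropped (unlogged)


class Firewall:
    def __init__(self):
        self.connections = set()   # 5-tuples, stored in both directions
        self.sam = {}              # src -> expiry datetime, or None for "never"

    def process(self, pkt, now):
        """Return (stage that decided, action) for one packet."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not anti_spoof_ok(pkt):
            return "anti-spoofing", "drop"
        exp = self.sam.get(pkt.src, "absent")
        if exp != "absent" and (exp is None or now < exp):
            return "sam", "drop"
        if key in self.connections:
            return "fast-path", "accept"           # existing session: no rule lookup
        name, action, log = rule_lookup(pkt)       # first packet: slow path
        if action == "accept":
            self.connections.add(key)
            self.connections.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return f"slow-path:{name}", action
```

The reply packet from 198.51.100.7 is accepted on the fast path only because the outbound session created the reverse entry; the same source opening a new connection inbound falls through to the cleanup rule.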
VRF-lite (Cisco Catalyst 4500 notes): consider these points when configuring VRF in your network:
1. A switch/router with VRF-lite is shared by multiple customers, and all customers have their own routing tables.
2. Because customers use different VRF tables, the same IP addresses can be reused. Overlapping IP addresses are allowed in different VPNs.
3. VRF-lite lets multiple customers share the same physical link between the PE and the CE. Trunk ports with multiple VLANs separate packets among customers. All customers have their own VLANs.
4. VRF-lite does not support all MPLS-VRF functionality: label exchange, LDP adjacency, or labeled packets.
5. For the PE router, there is no difference between using VRF-lite or using multiple CEs: multiple virtual Layer 3 interfaces are connected to the VRF-lite device.
6. The Catalyst 4500 series switch supports configuring VRF by using physical ports, VLAN SVIs, or a combination of both. The SVIs can be connected through an access port or a trunk port.
7. A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer's VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
8. The Layer 3 TCAM resource is shared between all VRFs. To ensure that any one VRF has sufficient CAM space, use the maximum routes command; otherwise one customer's routes can exhaust the table and affect the others.
9. A Catalyst 4500 series switch using VRF can support one global network and up to 64 VRFs. The total number of routes supported is limited by the size of the TCAM.
10. Most routing protocols (BGP, OSPF, EIGRP, RIP and static routing) can be used between the CE and the PE. However, Cisco recommends external BGP (EBGP) for these reasons:
 – BGP does not require multiple algorithms to communicate with multiple CEs.
 – BGP is designed for passing routing information between systems run by different administrations.
 – BGP makes it easy to pass attributes of the routes to the CE.
11. VRF-lite does not support IGRP and ISIS.
12. VRF-lite does not affect the packet switching rate.
13. Multicast cannot be configured on the same Layer 3 interface at the same time.
14. The capability vrf-lite subcommand under router ospf should be used when configuring OSPF as the routing protocol between the PE and the CE.
MPLS VPN Configuration
Lab: two customers (CE routers CustA-1/CustA-2 and CustB-1/CustB-2) connected through PE-1, P and PE-2. All IP addressing is already done.
1. Run OSPF 65000 between PE-1, P and PE-2 (the PE-1 loopback must be reachable from the PE-2 loopback, because LDP and MP-BGP peer between the loopbacks).
2. Enable MPLS LDP between PE-1, P and PE-2.
3. On each PE create the VRFs (RD and RT) and put the customer-facing interfaces into them.
4. Run an IGP (EIGRP) between each PE and its CE inside the VRF.
5. Redistribute EIGRP into BGP and BGP into the EIGRP instance that runs towards the CE.
6. Enable (activate) MP-BGP for the VPNv4 address family between PE-1 and PE-2.
CustA-1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface FastEthernet1/0
ip address 10.10.10.1 255.255.255.0
router eigrp 100
no auto-summary
network 1.1.1.1 0.0.0.0
network 10.10.10.0 0.0.0.255
CustA-2
interface FastEthernet1/0
ip address 30.30.30.1 255.255.255.0
interface Loopback0
ip address 3.3.3.3 255.255.255.255
router eigrp 100
no auto-summary
network 3.3.3.3 0.0.0.0
network 30.30.30.0 0.0.0.255
CustB-1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet2/0
ip address 20.20.20.1 255.255.255.0
router eigrp 200
network 2.2.2.2 0.0.0.0
network 20.20.20.0 0.0.0.255
no auto-summary
CustB-2
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface FastEthernet2/1
ip address 40.40.40.1 255.255.255.0
router eigrp 200
network 4.4.4.4 0.0.0.0
network 40.40.40.0 0.0.0.255
no auto-summary
PE-1
! Loopback0 = 5.5.5.5 is assumed from the "neighbor 5.5.5.5" statement on PE-2; it is the
! LDP/BGP router-id and must be advertised in OSPF or the MP-BGP session never comes up.
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
mpls ip
router ospf 65000
network 5.5.5.5 0.0.0.0 area 0
network 12.12.12.0 0.0.0.255 area 0
mpls label range 100 199
ip vrf CustA
rd 65000:1
route-target both 65000:1
ip vrf CustB
rd 65000:2
route-target both 65000:2
interface FastEthernet1/0
ip vrf forwarding CustA
ip address 10.10.10.2 255.255.255.0
no shutdown
interface FastEthernet2/0
ip vrf forwarding CustB
ip address 20.20.20.2 255.255.255.0
no shutdown
router eigrp 65000
address-family ipv4 vrf CustA
autonomous-system 100
network 10.10.10.0 0.0.0.255
redistribute bgp 65000 metric 100000 10 255 1 1500
exit-address-family
address-family ipv4 vrf CustB
autonomous-system 200
network 20.20.20.0 0.0.0.255
redistribute bgp 65000 metric 100000 10 255 1 1500
exit-address-family
router bgp 65000
no bgp default ipv4-unicast
address-family ipv4 vrf CustA
redistribute eigrp 100
exit-address-family
address-family ipv4 vrf CustB
redistribute eigrp 200
exit-address-family
P
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.0
mpls ip
interface FastEthernet1/1
ip address 23.23.23.1 255.255.255.0
mpls ip
router ospf 65000
network 12.12.12.0 0.0.0.255 area 0
network 23.23.23.0 0.0.0.255 area 0
mpls label range 200 299
PE-2
! Loopback0 = 7.7.7.7 is assumed from the "neighbor 7.7.7.7" statement on PE-1.
! The RDs differ from PE-1 (65000:3 / 65000:4); that is fine because only the
! route-target has to match for the routes to be imported into the right VRF.
interface Loopback0
ip address 7.7.7.7 255.255.255.255
interface FastEthernet1/1
ip address 23.23.23.2 255.255.255.0
mpls ip
router ospf 65000
network 7.7.7.7 0.0.0.0 area 0
network 23.23.23.0 0.0.0.255 area 0
mpls label range 300 399
ip vrf CustA
rd 65000:3
route-target both 65000:1
ip vrf CustB
rd 65000:4
route-target both 65000:2
interface FastEthernet1/0
ip vrf forwarding CustA
ip address 30.30.30.2 255.255.255.0
no shutdown
interface FastEthernet2/1
ip vrf forwarding CustB
ip address 40.40.40.2 255.255.255.0
no shutdown
router eigrp 65000
address-family ipv4 vrf CustA
autonomous-system 100
network 30.30.30.0 0.0.0.255
redistribute bgp 65000 metric 100000 10 255 1 1500
exit-address-family
address-family ipv4 vrf CustB
! "autonomous-system 200" was missing here in the original notes; without it the
! CustB EIGRP instance never starts and CustB-2 learns nothing.
autonomous-system 200
no auto-summary
network 40.40.40.0 0.0.0.255
redistribute bgp 65000 metric 100000 10 255 1 1500
exit-address-family
router bgp 65000
no bgp default ipv4-unicast
address-family ipv4 vrf CustA
redistribute eigrp 100
exit-address-family
address-family ipv4 vrf CustB
redistribute eigrp 200
exit-address-family
Configure the BGP neighbours and enable MP-BGP between the PE loopbacks. Activating the neighbour under the vpnv4 address family is what makes the PEs exchange VPNv4 routes; the neighbour must also send extended communities (the route-targets), otherwise the remote PE receives the routes but imports none of them.
PE-1
router bgp 65000
neighbor 7.7.7.7 remote-as 65000
neighbor 7.7.7.7 update-source Loopback0
address-family vpnv4 unicast
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 send-community extended
exit-address-family
PE-2
router bgp 65000
neighbor 5.5.5.5 remote-as 65000
neighbor 5.5.5.5 update-source Loopback0
address-family vpnv4 unicast
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family
Verify with "show bgp vpnv4 unicast all summary" (session Established, prefixes received), "show ip route vrf CustA" on each PE, "show mpls forwarding-table", and "ping vrf CustA 30.30.30.1" from PE-1.
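What the VPNv4 exchange above actually carries, and why the VRF-lite notes can promise that overlapping addresses are safe, as an added example that is not IOS or Cisco code: each VRF route is exported as RD:prefix with its route-target, and the receiving PE imports it only into VRFs whose RT matches. The RDs and RTs are the lab's; the constructed prefix 192.168.1.0/24, advertised by both customers, is an assumption added to show the overlap case, and the dictionaries are a modelling choice, not a router data structure.

```python
"""Model of VPNv4 export/import between the lab PEs (added example, not IOS code)."""
import ipaddress as ip

# VRF definitions from the lab config: (RD, RT) per VRF. RD differs per PE, RT is per customer.
VRFS = {
    "PE-1": {"CustA": ("65000:1", "65000:1"), "CustB": ("65000:2", "65000:2")},
    "PE-2": {"CustA": ("65000:3", "65000:1"), "CustB": ("65000:4", "65000:2")},
}
# Routes learned from each CE (the loopbacks in the lab) and redistributed into BGP.
# 192.168.1.0/24 is a constructed prefix used by both customers to show RD disambiguation.
LOCAL_ROUTES = {
    "PE-1": {"CustA": ["1.1.1.1/32", "192.168.1.0/24"],
             "CustB": ["2.2.2.2/32", "192.168.1.0/24"]},
    "PE-2": {"CustA": ["3.3.3.3/32"], "CustB": ["4.4.4.4/32"]},
}


def export(pe):
    """Build the VPNv4 NLRI a PE advertises: (RD, prefix) plus RT and next hop (the PE)."""
    nlri = []
    for vrf, (rd, rt) in VRFS[pe].items():
        for prefix in LOCAL_ROUTES[pe][vrf]:
            nlri.append({"rd": rd, "prefix": ip.ip_network(prefix), "rt": rt, "nexthop": pe})
    return nlri


def vpnv4_keys(updates):
    """Distinct NLRI keys: the RD keeps an overlapping prefix unique per customer."""
    return {(u["rd"], str(u["prefix"])) for u in updates}


def import_routes(pe, updates):
    """Per-VRF tables on `pe`: a received route enters a VRF only if its RT matches."""
    tables = {vrf: {ip.ip_network(p): pe for p in LOCAL_ROUTES[pe][vrf]} for vrf in VRFS[pe]}
    for u in updates:
        for vrf, (_rd, rt) in VRFS[pe].items():
            if u["rt"] == rt:
                tables[vrf][u["prefix"]] = u["nexthop"]
    return tables


def lookup(tables, vrf, addr):
    """Longest-prefix match inside one VRF only; nothing leaks from other VRFs."""
    a = ip.ip_address(addr)
    best = max((p for p in tables.get(vrf, {}) if a in p),
               key=lambda p: p.prefixlen, default=None)
    return None if best is None else (str(best), tables[vrf][best])


def rt_mismatches():
    """Config check: for each customer VRF the RT must agree across PEs (RDs may differ)."""
    out = []
    for vrf in VRFS["PE-1"]:
        rts = {pe: VRFS[pe][vrf][1] for pe in VRFS}
        if len(set(rts.values())) > 1:
            out.append((vrf, rts))
    return out
```

If a route-target were mistyped on one PE (say 65000:11 on PE-2 for CustA), rt_mismatches would report it and import_routes would leave CustA on PE-2 with only its local route, which is exactly the symptom of "BGP is up but the VRF sees nothing".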