Вы находитесь на странице: 1из 22


What is Firewall?

A firewall is a network security system, either hardware or software based, that controls incoming and
outgoing network traffic based on a set of rules.

Types of firewall:

Stateful firewalls: In order to recognize a packet's connection state, a firewall needs to record all
connections passing through it to ensure it has enough information to assess whether a packet is the
start of a new connection, a part of an existing connection, or not part of any connection. This is what's
called "stateful packet inspection." Stateful inspection was first introduced in 1994 by Check Point
Software in its FireWall-1 software firewall, and by the late 1990s, it was a common firewall product

This additional information can be used to grant or reject access based on the packet's history in the
state table, and to speed up packet processing; that way, packets that are part of an existing connection
based on the firewall's state table can be allowed through without further analysis. If a packet does not
match an existing connection, it's evaluated according to the rule set for new connections.

Application-layer firewalls:As attacks against Web servers became more common, so too did the need
for a firewall that could protect servers and the applications running on them, not merely the network
resources behind them. Application-layer firewall technology first emerged in 1999, enabling firewalls to
inspect and filter packets on any OSI layer up to the application layer.

The key benefit of application-layer filtering is the ability to block specific content, such as
known malware or certain websites, and recognize when certain applications and protocols -- such
as HTTP, FTP and DNS -- are being misused.

Firewall technology is now incorporated into a variety of devices; many routers that pass data between
networks contain firewall components and most home computer operating systems include software-
based firewalls. Many hardware-based firewalls also provide additional functionality like basic routing to
the internal network they protect.

Proxy firewalls: Firewall proxy servers also operate at the firewall's application layer, acting as an
intermediary for requests from one network to another for a specific network application. A proxy
firewall prevents direct connections between either sides of the firewall; both sides are forced to
conduct the session through the proxy, which can block or allow traffic based on its rule set. A proxy
service must be run for each type of Internet application the firewall will support, such as an HTTP proxy
for Web services.
SSL VPN(Secure Socket Layer VPN)

SSL VPN:- This products allow users to establish secure remote access
Sessions from virtually any Internet-connected web browser. Delivering the ability
for people to access e-mail, critical information systems, files, and other network
A resource from virtually anywhere is not a trivial task.

Goals of SSL
1. Confidentiality of communications (primary use)
2. Integrity of Data (primary use—not noticed by users)
3. Authentication of Server (relies on user to be technically well informed)
4. Authentication of Client (rarely used, but has applications for SSL VPN)

Symmetric Cryptography: Data Confidentiality

Symmetric algorithms use the same key for encryption and decryption and, therefore,
both parties in a conversation must share a common key

Asymmetric Cryptography: Data Confidentiality

Asymmetric cryptography addresses the problem of key exchange. It uses key pairs; one
key in a pair is called a public key and another is called a private key. The public key is
not secret as it is shared with the public. The private key, on the other hand, remains
private and only its owner should ever have access to it. Data encrypted with one in key
in a key pair can only be decrypted with the corresponding key in the pair. It cannot be
decrypted with the same key with which it was encrypted.
For example, when Tom wants to send a message to Joe that only Joe should be able to read, Tom
encrypts the message with Joe's public key. Since the message can be decrypted only with Joe's private
key, and only Joe possesses that key, only Joe can read the message. Likewise, when Joe
responds to Tom, he encrypts his message with Tom's public key.


Internet Protocol Security (IPsec) is a protocol for securing IP communications

by authenticating and encrypting each IP packet of a communication session. IPsec includes
protocols for establishing mutual authentication between agents at the beginning of the session and
negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting
data flows between host-to-host, between security gateway network-to-network, or between a
security gateway and a host (network-to-host)


To configure IPSec we need to setup the following in order:

- Create extended ACL
- Create IPSec Transform
- Create Crypto Map
- Apply crypto map to the public interface
Site-to-Site IPSec VPN
Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video
between two sites (e.g offices or branches). The VPN tunnel is created over the Internet public network
and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data
transmitted between the two sites.


To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the
Site-to-Site IPSec VPN Tunnel to work.
These steps are:
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)

ClusterXL Gateway Cluster Solution

A ClusterXL cluster is a group of identical Check Point Security Gateways connected in such a way that
if one fails, another immediately takes its place.

ClusterXL is a software-based Load Sharing and High Availability solution that distributes network
traffic between clusters of redundant Security Gateways and provides transparent failover between
machines in a cluster.

o A High availability cluster ensures gateway and VPN connection redundancy by

providing transparent failover to a backup gateway in the event of failure.
o A Load Sharing cluster provides reliability and also increases performance, as all
cluster members are active

ASA Firewall Failover Method

Stateless (Regular) Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new
active unit takes over.

Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby
unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user
applications are not required to reconnect to keep the same communication session.
Q: - What is Data encryption?
Data encryption ensures data safety and very important for confidential or critical data. It protect data
from being read, altered or forged while transmission.

Q: - What is the Public Key Encryption?

Public key encryption use public and private key for encryption and decryption. In this mechanism,
public key is used to encrypt messages and only the corresponding private key can be used to decrypt
them. To encrypt a message, a sender has to know recipient's public key.

2) What is the difference between Encoding, Encryption and Hashing?

Ans- At a very high level, all these 3 terms might appear to be similar and people often confuse
between them. But each of the technique is distinct and has different use case. The purpose of
encoding is to transform data so that it can be properly (and safely) consumed by a
different type of system, e.g. binary data being sent over email, or viewing special
characters on a web page. The goal is not to keep information secret, but rather to ensure that
it’s able to be properly consumed. It does not require a key as the only thing required to decode it
is the algorithm that was used to encode it. Examples: ASCII, Unicode, URL Encoding, Base64.
The purpose of encryption is to transform data in order to keep it secret from others. It uses
a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to
perform the encryption operation. Examples: AES, Blowfish, RSA. The purpose of hashing
is to take arbitrary input and produce a fixed-length string that has the following attributes:

1. The same input will always produce the same output.

2. Multiple disparate inputs should not produce the same output.
3. It should not be possible to go from the output to the input.
4. Any modification of a given input should result in drastic change to the hash.

Examples- MD5, SHA1, SHA2 etc. Hashing is often used in computer forensics to verify
integrity of the digital evidence.

3) What is the difference between proxy, firewall, IDS and IPS?

A proxy server is a server (a computer system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers. A client connects to the proxy server,
requesting some service, such as a file, connection, web page, or other resource available from a
different server and the proxy server evaluates the request as a way to simplify and control its
complexity. Firewall is basically meant for network traffic control/filtering mainly at layer-3. It
allows/denies packets and connections based on certain pre-defined rules. IDS- Intrusion
Detection System is an application which tries to detect intrusion attempts based on attack
signature database it has. IPS- Intrusion Prevention System detects the intrusion (like IDS) and
goes one step ahead to prevent it as well. It simply drops the packet it thinks suspicious (based
on rules)

1. proxy – Squid
2. Firewall- IPTables, CISCO Pix, ZoneAlarm
4. IPS- IBM Proventia

Stateful inspection:
also known as dynamic packet filtering, is a firewall technology that monitors the state of active
connections and uses this information to determine which network packets to allow through the

Stateful inspection has largely replaced an older technology, static packet filtering. In static packet
filtering, only the headers of packets are checked -- which means that an attacker can sometimes get
information through the firewall simply by indicating "reply" in the header. Stateful inspection, on the
other hand, analyzes packets down to the application layer. By recording session information such as IP
addresses and port numbers, a dynamic packet filter can implement a much tighter security posture
than a static packet filter can.

Anti-Spoof protection uses the routing table to verify if an incoming packet's source IP address was
spoofed. In most cases, subnets do not overlap across multiple interfaces (each physical interface has a
unique subnet) but when a subnet is configured on more than one interface, configuring Anti-Spoofing
protection can be confusing.

Stealth rule:Stealth rule should prevent all direct connections to the Security gateway
Source: Any
Destination: Security gateway
Service: Any
Action: Drop
This rule will drop all connections to the Security gateway, so it will become "invisible" to the outside

Stealth Rule - to prevent direct access to the security gateway

Cleanup Rule - to drop and log all traffic not permitted in previous rules

Explicit and Implied Rules

These are the types of rules in the Rule Base:
o Explicit rules - Rules that you create to configure which connections the Firewall allows
o Implied rules - Rules that are based on settings in the Global Properties menu

Implied rules allow connections for different services that the Security Gateway uses. For example,
the Accept Control Connectionsoption allows packets that control these services:

o Installing the security policy on a Security Gateway

o Sending logs from a Security Gateway to the Security Management server
o Connecting to third party applications, such as RADIUS and TACACS authentication

ClusterXL Gateway Cluster Solution

A ClusterXL cluster is a group of identical Check Point Security Gateways connected in such a way that
if one fails, another immediately takes its place.

ClusterXL is a software-based Load Sharing and High Availability solution that distributes network
traffic between clusters of redundant Security Gateways and provides transparent failover between
machines in a cluster.

o A High availability cluster ensures gateway and VPN connection redundancy by

providing transparent failover to a backup gateway in the event of failure.
o A Load Sharing cluster provides reliability and also increases performance, as all
cluster members are active

How ClusterXL Works

ClusterXL uses unique physical IP and MAC addresses for the cluster members and virtual IP
addresses to represent the cluster itself. Virtual IP addresses do not belong to an actual machine
interface (except in High Availability Legacy mode, explained later).

ClusterXL provides an infrastructure that ensures that data is not lost due to a failure, by ensuring
that each cluster member is aware of connections passing through the other members. Passing
information about connections and other Security Gateway states between the cluster members is
known as State Synchronization.

Security Gateway Clusters can also be built using OPSEC certified High Availability and Load Sharing
products. OPSEC certified clustering products use the same State Synchronization infrastructure as
UPGRADE Process.(Checkpoint)
Export utility tool of the version for which you are creating a backup file. The backup file has the current
system configuration (for example, objects, rules, and users).

Route based vs Policy based VPNS

Most firewalls support both policy based and route based VPN’s. Which one we are supposed to use in
most cases doesn't really matter, but there are a couple of things to consider.

Route based VPN is more flexible, more powerful and recommended over policy based. However a
policy based VPN is usually simpler to create.

A route based VPN creates a virtual IPSec interface, and whatever traffic hits that interface is encrypted
and decrypted according to the phase 1 and phase 2 IPSec settings.

In policy based VPN the tunnel is specified within the policy itself with an action of "IPSec". Also for
policy based VPN only one policy is required. A route based VPN is created with two policies, one for
inbound and another for outbound with a normal "Accept" action.

A static route is also required for a route based VPN, so anything destined to the remote network must
go through the virtual IPSec interface which was created when specifying this within the Phase 1

A route based VPN is also required when using redundant VPN connection. A route based VPN only
works in route mode, where policy based VPN works in both route and transparent mode.


If your requirement is to create redundant VPN connections and your firewall is in route\NAT mode
(99% of the time it is) then use a route based VPN. If you don’t require redundant VPN connections then
you can use a policy based VPN. There are other reasons to use one or the other as well but they are
rarely required.
Model Cheat Sheet
1. Physical Layer (Layer 1)

o Responsible for transmission of bits across a physical circuit

o Focused on hardware: connectors, cables, repeaters, etc.

2. Data Link Layer (Layer 2)

o Establishes connections among host machines. Can reach any machine on the
network, but cannot reach machines on other networks.
o Breaks data into frames, transmits frames, and processes acknowledgment frames
sent back by receiver--error checking function
o Provides Medium Address Code (MAC)
o A bridge is a layer 2 device

3. Network Layer (Layer 3)

o Responsible for routing and relaying data (packets) from one device to another
through the network
o Routing decisions made by layer 3 address (i.e. IP address)
o A router is a layer 3 device

4. Transport Layer (Layer 4)

o Responsible for handling the processes that use the network for communication.
These functions include flow control, error detection and correction & congestion
o Get’s data from one computer’s port to another’s
o Example: TCP

5. Session Layer (Layer 5)

o Maintains and manages sessions between applications

o Half duplex and full duplex communication; synchronization
o Example: web conferencing applications

6. Presentation Layer (Layer 6)

o Responsible for representation of data, translation of data

o Formatting data for display
o Example services: encryption, compression

7. Application Layer (Layer 7)

o Provides network services to user applications
o Layer closest to user
o Example: email

Cisco ASA packet flow:

1. ACL’s will be checked first.

2. NAT rules will checked second.
3. Inspect policies will applied next.
4. Then after all that the packet enters IPS-AIM Module for inspection, after that it leaves
through the egress interface.

Checkpoint Packet flow:

Routing for the destination IP -->
Rule base for a matching rule to allowed--> -->
NAT (WHAT IS THE sequence on which it checks for the differnt type of translation) -->
VPN -->
Anti-virus check -->
URL filtering -->
ARP --> egress interface.

Fortigate Packet flow:

5. •a route is found for the packet,

6. •its source NAT IP and port number are selected,
7. •It is matched with a policy (in this case policy ID 5),
8. •Source is performed and the packet is forwarded.

Juniper SRX Packet flow:

1. Pull the packet from the input interface queue.

2. Apply policers to the packet.
3. Perform stateless (that is, non-flow) packet filtering.
4. Decide on first path or fast path.
5. Filter the packet for output.
6. Apply shapers to packet.
7. Transmit the packet.

Q: - What is Digital Signatures ?

Digital signature is an attachment to an electronic message used for security purpose. It is used to
verify the authenticity of the sender.
Q: - How do you use RSA for both authentication and secrecy?
RSA is a public key encryption algorithm. The RSA algorithms are based on the mathematical part that
it is easy to find and multiply large prime numbers together, but it is extremely difficult to factor their
For authentication: One can encrypt the hash (MD4/SHA) of the data with a private key. This is known
as digital signature.
For Secrecy: Secrecy/confidentiality is achieved by encrypting the data with public key and decrypting
with private key.

Q: - If you are a victim of Denial of Service (Dos) then what you do?
The function of a denial of service attack is to flood its target machine with too much traffic and
prevents it from being accessible to any other requests or providing services.
To prevent DoS attacks firewall can be configured as a relay; in this approach the firewall responds on
behalf of the internal host. During the attack, the firewall responds to the SYN sent by the attacker;
since the ACK never arrives, the firewall terminates the connection.
By Keeping protocols and Antivirus software up-to-date, we can prevent to be a victim of DoS. A
regular scanning of the machine is also necessary in order to detect any “anomalous― behavior.

Q: - What are the differences among encoding, encryption and hashing?

Encoding: Basically encoding is used to protect the integrity of data as it crosses through
communication network to keep its original message upon arriving. It is primarily an insecure function
because it is easily reversible.
Encryption: Encryption is basically designed for confidentiality and data integrity and reversible only if
you have the appropriate key.
Hashing: With hashing the operation is one-way i.e. non-reversible. It takes an input (or ,message )
and returns a fixed-size string, which is called the hash value.

Q: - if We have to generate a hash function then what characteristics are needed in a secure
hash function?
A secure hash function should have the following characteristics:

I. The output generated by a hash function should be of a fixed length.

II. It should be very easy to find out a hash function for a given message.
III. If a hash value is given of a message than it is almost impossible to get that message.
IV. The two different messages should not have the same hash value; it is against the hash function

Q: - What is Authentication Header and how it provides the protection to IP header?

Basically Authentication Header protects IP header and provides the complete authenticity to the IP
AH may work in two ways: transport mode and tunnel mode.
In tunnel mode; AH protects the IP header using two IP header layers inner and outer. Inner IP
header is used to contain the source and destination addresses, and the outer IP header is used to
contain the security gateway information.

Q: - Explain the functionality of PING.

Ping Is particularly used to check if the system is in network or not. It also gives packet lost
information. In windows ping command is written as ping ip_address. The output returns the data
packets information. The number of packets sent, received and lost is returned by PING.

If you had to both encrypt and compress data during transmission, which would
you do first, and why?

If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or
do they enjoy the challenge and think through it? I was asked this question during an interview at
Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to
figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then
encrypt. If you encrypt first you’ll have nothing but random data to work with, which will
destroy any potential benefit from compression.

What’s the difference between symmetric and public-key cryptography

Standard stuff here: single key vs. two keys, etc, etc.

In public-key cryptography you have a public and a private key, and you often
perform both encryption and signing functions. Which key is used for which

You encrypt with the other person’s public key, and you sign with your own private. If they
confuse the two, don’t put them in charge of your PKI project.
What’s the difference between Diffie-Hellman and RSA?

Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they

get that far, make sure they can elaborate on the actual difference, which is that one requires you
to have key material beforehand (RSA), while the other does not (DH). Blank stares are

Q.1 What is Checkpoint Architecture?

Check Point has developed a Unified Security Architecture that is implemented throughout all of
its security products. This Unified Security Architecture enables all Check Point products to be
managed and monitored from a single administrative console, and provides a consistent level of
The Check Point Unified Security Architecture is comprised of four main components:

Core Technologies: - Check Point uses a common set of core technologies, such as INSPECT
for security inspection, across multiple layers of security.

Central Management: - All Check Point products can be managed and monitored from a single
administrative console.

Open Architecture: - Check Point has built its security architecture to be open and
interoperable in a heterogeneous environment. For example, Check Point products can
interoperate with other network and security equipment from third-party vendors to enable
cooperative enforcement of Security Policies.

Universal-update Ability: - Check Point has consolidated multiple security-alert and update
functions to ease update procedures and help Administrators ensure that security is always up-

Q.2 How Checkpoint Component communicate and Syns with each other?
Secure Internal Communications (SIC) is the Check Point feature that ensures components,
such as Security Gateways, SmartCenter Server, SmartConsole, etc. can communicate with
each other freely and securely using a simple communication-initialization process.

Q.3 What are the major differences between SPLAT and GAIA?
Gaia is the latest version of Checkpoint which is a combination of SPLAT and IPSO. Here are
some benefits of Gaia as compare to SPLAT/IPSO.

1. Web-Based user interface with Search Navigation

2. Full Software Blade support
3. High connection capacity
4. Role-Based administrative Access
5. Intelligent Software updates
6. Native IPv4 and IPv6 Support
7. ClusterXL or VRRP Clusters
8. Manageable Dynamic Routing Suite
9. Full Compatibility with IPSO and SecurePlatform.

Q.5 How SIC work? What are the different ports of SIC?
Secure Internal Communication (SIC) lets Check Point platforms and products authenticate
with each other. The SIC procedure creates a trusted status between gateways, management
servers and other Check Point components. SIC is required to install polices on gateways and
to send logs between gateways and management servers.

These security measures make sure of the safety of SIC:

1. Certificates for authentication

2. Standards-based SSL for the creation of the secure channel
3. 3DES for encryption

The Internal Certificate Authority (ICA)

The ICA is created during the Security Management server installation process. The ICA is
responsible for issuing certificates for authentication. For example, ICA issues certificates such
as SIC certificates for authentication purposes to administrators and VPN certificates to users
and gateways.

Initializing the Trust Establishment Process

Communication Initialization establishes a trust between the Security Management server and
the Check Point gateways. This trust lets Check Point components communicate securely. Trust
can only be established when the gateways and the server have SIC certificates.

Q.4 What are the different – different Checkpoint Ports and purpose of these ports?


21 TCP ftp File transfer Protocol (control)
21 UDP ftp File transfer Protocol (control)
22 Both ssh SSH remote login
25 Both SMTP Simple Mail transfer Protocol
50 Encryption IP protocols esp – IPSEC Encapsulation Security Payload
51 Encryption IP protocols ah – IPSEC Authentication Header Protocol
53 Both Domain Name Server
69 Both TFTP Trivial File Transfer Protocol
94 TCP Encryption IP protocols fwz_encapsulation (FW1_Eencapsulation)
137 Both Netbios-ns NETBIOS Name Service
138 Both netbios-dgm NETBIOS Datagram

139 Both netbios-ssn NETBIOS Session

256 TCP FW1 (fwd) policy install port FWD_SVC_PORT
257 TCP FW1_log FW1_log FWD_LOG_PORT
259 TCP FW1_clientauth_telnet
259 UDP RDP Reliable Datagram Protocol
260 TCP sync
261 TCP FW1_snauth Session Authentication Daemon
262 TCP MDQ – mail dequer
263 TCP dbs
264 TCP FW1_topop Check Point SecureClient Topology Requests
265 TCP FW1_key Check Point VPN-1 Public key transfer protocol
389 Both LDAP Secure Client connecting to LDAP without SSL
443 SNX VPN can use 443 too
444 TCP SNX VPN SNX VPN tunnel in connectra only
500 UDP IPSEC IKE Protocol (formerly ISAKMP/Oakley)
500 TCP IKE over TCP
514 UDP Syslog Syslog
636 LDAP Secure Client connecting to LDAP with SSL
900 TCP FW1_clntauth_http Client Authentication Daemon
981 Management https on the edge
1494 TCP Winframe Citrix
1645 TCP Radius
2040 TCP MIP meta Ip admin server

2746 UDP UDP encapsualtion for SR VPN1_IPSEC_encapsulation

VPN1_IPSEC encapsulation
4000 Policy Server Port (Redmond)
4433 TCP Connectra Admin HTTPS Connectra admin port
4500 UDP NAT-T NAT Traversal
4532 TCP SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm,
5001 TCP Meta IP Web Connection, MIP
5002 TCP Meta IP DHCP Failover
5004 TCP Meta IP UAM
5005 TCP Meta IP SMC
6969 UDP KP_PORT KeyProt
8116 UDP Check Point HA SyncMode= CPHAP (new sync mode)
8116 UDP Connection table synchronization between firewalls
9000 Command Line Port for Secure Client
10001 TCP Default CPRSM listener port for coms with RealSecure Console
18181 TCP FW1_cvp Check Point OPSEC Content Vectoring Protocol
18182 TCP FW1_ufp Check Point OPSEC URL Filtering Protocol

18183 TCP FW1_sam Check Point OPSEC Suspicious Activity monitoring Proto (SAM
18184 TCP FW1_lea Check Point OPSEC Log Export API
18185 TCP FW1_omi Check Point OPSEC Objects Management Interface
18186 TCP FW1_omi-sic Check Point OPSEC Objects management Interface with Secure
Internal Communication
18187 TCP FW1_ela Check Point OPSEC Event Loging API
18190 TCP CPMI Check Point Management Interface
18191 TCP CPD Check Point Daemon Proto NG
18192 TCP CPD_amon Check Point Internal Application Monitoring NG
18193 TCP FW1_amon Check Point OPSEC Appication Monitoring NG
18202 TCP CP_rtm Check Point Real time Monitoring
18204 TCP CE communication
18205 TCP CP_reporting Check Point Reporting Client Protocol
18207 TCP FW1_pslogon Check Point Policy Server logon Protocol
18208 TCP FW1_CPRID (SmartUpdate) Check Point remote Installation Protocol
18209 TCP FWM CA for establishing SIC communication
18210 TCP FW1_ica_pull Check Point Internal CA Pull Certificate Service
18211 TCP FW1_ica_pull Check Point Internal CA Push Certificate Service
18212 UDP Connect Control – Load Agent port
18213 TCP cpinp: inp (admin server)
18214 TCP cpsmc: SMC

18214 UDP cpsmc: SMC Connectionless

18221 TCP CP_redundant Check Point Redundant Management Protocol NG
18231 TCP FW1_pslogon_NG Check Point NG Policy Server Logon Protocol
18231 TCP NG listens on this port by default dtps.exe
18232 TCP FW1_sds_logon Check Point SecuRemote Distribution Server Protocol
18233 UDP Check Point SecureClient Verification Keepalive Protocol FW1_scv_keep_alive
18241 UDP e2ecp
18262 TCP CP_Exnet_PK Check Point Public Key Resolution
18263 TCP CP_Exnet_resolve Check Point Extranet remote objects resolution
18264 TCP FW1_ica_services Check Point Internal CA Fetch CRL and User Registration
19190 TCP FW1_netso Check Point OPSEC User Authority Simple Protocol
19191 TCP FW1_uaa Check point OPSEC User Authority API
65524 FW1_sds_logon_NG Secure Client Distribution Server Protocol (VC and Higher)
Q.6 Checkpoint Packet flow for SNAT and DNAT?

In case of SNAT


Session lookup

Policy lookup



In case of DNAT

Session lookup

Policy lookup



Question 1 Which of the applications in Check Point technology can be used to configure

Question 2 Which of the applications in Check Point technology can be used to view who and
whatthe administrator do to the security policy?
Answer:SmartView Tracker

Question 3 What are the two types of Check Point NG licenses?

Answer:Central and Local licenses
Central licenses are the new licensing model for NG and are bound to the SmartCenter server. Local licenses
are the legacy licensing model and are bound to the enforcement module.

Question 4 What is the main different between cpstop/cpstart and fwstop/fwstart?

Answer: Using cpstop and then cpstart will restart all Check Point components, including the SVN
foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1.

Question 5 What are the functions of CPD, FWM, and FWD processes?
CPD is a high in the hierarchichal chain and helps to execute many services, such as
SecureInternal Communcation (SIC), Licensing and status report.FWM
The FWM process is responsible for the execution of the database activities of theSmartCenter server. It is;
therefore, responsible for Policy installation, Management High Availability (HA) Synchronization, saving the
Policy, Database Read/Write action, LogDisplay, etc.

The FWD process is responsible for logging. It is executed in relation to logging, Security

Servers and communication with OPSEC applications.

Question 6 How to Install Checkpoint Firewall NGX on SecurePlatform?

Answer:1. Insert the Checkpoint CD into the computers CD Drive.
2. You will see a Welcome to Checkpoint SecurePlatform screen. It will prompt you to press any key.Press
any key to start the installation,otherwise it will abort the installation.
3.You will now receive a message saying that your hardware was scanned and found suitable for
installing secureplatform. Do you wish to proceed with the installation of Checkpoint SecurePlatform.Of the
four options given, select OK, to continue.
4.You will be given a choice of these two:SecurePlatformSecurePlatform ProSelect Secureplatform Pro and
enter ok to continue.
5.Next it will give you the option to select the keyboard type. Select your Keyboard type (default is US)and
enter OK to continue.
6.The next option is the Networking Device. It will give you the interfaces of your machine and you
canselect the interface of your choice.

1)From which was the first version of Checkpoint you worked?

 Enhanced Performance: VPN-1 Power R65 on an open server platform has provided
20% greater firewall performance and 100% improvement for SmartDefense
throughput with default settings in testing.
 Management Plug Ins: SmartCenter management server can be updated with new
functionality without the need for a complete upgrade. The first plug in provides
Connectra policy management.
 Endpoint Enforcement: VPN-1 gateways now provide cooperative enforcement with
Integrity to protect the network against non-compliant endpoints. VPN-1 gateways
also work cooperatively with the Intel vPro technology to quarantine endpoints based
on malicious actions.
 Web filtering: VPN-1 UTM and UTM-1 now provide integrated Web filtering.

3)In how many mode we can install the checkpoint?

Installing Standalone
Installing Security Management Server
Installing Security Gateway
Installing Full High Availability Appliances
Deploying Bridge Mode Security Gateways
Installing Management High Availability

5)What is SIC ?
Secure Internal Communications (SIC) is the Check Point feature that ensures
components, such as Security Gateways, SmartCenter Server, SmartConsole, etc. can
communicate with each other freely and securely using a simple communication-
initialization process.

6)What is NAT and how many type of NAT supported by CP explain ?

 Static NAT - One to one translation

 Hide/Dynamic NAT - Allows you to NAT multiple IPs behind one IP/Interface
 Automatic NAT - Quick basic address NAT translation.
 Manual NAT - Allows greater flexibility over automatic NAT. Proxy ARP is not automatic, so unless
routed to the firewall Proxy ARPs are required.

 Server Side NAT - destination is NAT`d by the outbound kernel

 Client Side NAT - destination is NAT`d by the inbound kernel

7)What is the unicast and multicast?

A Unicast transmission/stream sends IP packets to a single recipient on a network.

A Multicast transmission sends IP packets to a group of hosts on a network.

10)What is the purpose of clean up rule ?

Since the advent of the firewall (though not necessarily true with early access lists), the default behavior
of a firewall is to drop all traffic that is not explicitly allowed. For this reason, an explicitly defined cleanup
rule is effectively redundant to the default behavior of the firewall. - See more at:

12)How you are taking backup of CP?

Backup via the CLI:run the command: backup

Snapshot via the CLI:run the command: snapshot


Backup via the WebUI:

1. log onto the device via https://<IP-Address> (the default port is 443 unless it has been changed to
avoid a clash with SSL VPN)

2. select Device –> Backup –> Back Up Now

3. select the location you wish to save the file to, supply any credentials for ftp or scp servers, and optionally
select to include logs files in the backup. Then click Apply
4. click Yes to proceed. (on a management server note the warning to close GUI clients)
5. to view the status of the backup, click View Backup Log

14)How you can configure Log server and where in CP we configure it?

>>>From general properties logging & status

17)What are the important communication ports of the checkpoint ?

Check Point's 'FW Monitor' is a powerful built-in tool for capturing network traffic at the packet level.
This table gives a short description of the TCP and UDP ports used by Check Point
VPN-1/FireWall-1 Next Generation. This version is still using more ports, e.g. those for
LDAP (389/tcp, 636/tcp) or L2TP (1701/udp). The ports listed here are specific for
Check Point VPN-1/FireWall-1 NG AI

21)Have you configure Cluster in CP if yes then tell us process?

1. In SmartDashboard, create a new cluster object or double-click an existing cluster

2. Click ClusterXL in the navigation tree.

3. Select High Availability.

4. Click Topology > Edit.

The Edit Topology window opens.

5. Click Add Network.

22)What is VRRP?
VRRP (Virtual Routing Redundancy Protocol) is a cluster solution where two or more
Gaia-based Security Gateways work together as one Security Gateway. You can
configure a VRRP cluster for high availability and/or load sharing. The Check Point
VRRP implementation includes functionality called Monitored Circuit VRRP.

23)What is FW monitor ?
fw monitor is part of every FW-1 installation and the syntax is the same for all possible
installations. Contrary to snoop or tcpdump, fw monitordoes not put a interface into
promiscuous mode because it works as a kernel module.

CoreXL vs SecureXL

1. SecureXL - Increase the efficiency of rule processing

2. CoreXL - Distribute processing in a multi-CPU environment

1)From which was the first version of Checkpoint you worked?Answer: From R65
2)What is the difference between CP NG and CP NGX?Answer:
3)In how many mode we can install the checkpoint?
4)What is architecture of Checkpoint?Answer:
5)What is SIC ?Answer:Secure Internal Communication
6)What is NAT and how many type of NAT supported by CP explain ?Answer: NAT is a
short form of Network Address Trans
7)What is the unicast and multicast?
8)What is the rules define Stealth and Clean up rule ?Answer:Stealth Rule is on the top of the policy and
explicitly blocks access tofirewall. Clean up rule is placed at the bottom of the policy and explicitly drops
andlogs all the traffic that has not matched the other rules

9)Can we configure rules above stealth rule?Answer:Yes, Like to allow access for administrator
10)What is the purpose of clean up rule ?Answer:Clean up rule is placed at the bottom of the policy and
explicitly drops andlogs all the traffic that has not matched the other rules
11)How you can configure smart view client in new pc?