Вы находитесь на странице: 1из 47

VPN Tunnel

We can Build a tunnel in Check Point Firewall as:

1. Encryption: Encryption can be done using DES, 3DES & AES Symmetrical Algorithms.
2. Data Integrity:- It can be done using Hashing algorithms such as MD5 & SHA.
3. Authentication: It can be done using Pre shared Keys.

We build the tunnel using IPsec Standards such as IKEv1, Ikev2. Here we use IKEv1 phase 1 &
phase2 to build an VPN tunnel.

1. In IKEV1 Phase 1 we use Negotiation (Data Integrity) such as Hashing Algorithms MD5 or SHA.
2. We use Encryption such as DES, 3DES or AES to unlock the Data.
3. Authentication can be done using Digital Certificates or Pre Shared Key using Diffie Hellman
4. Same steps are used to build IKEV2 tunnel also.
5. At last the Payload is encrypted its re encapsulated & put the packets in IPSEC Tunnel using
ikev2 phase tunnel. If somebody wants to snip the Packets from Outside. ESP protects it.
6. At last Encryption Security Payload Protocol 50 in Layer protects the IPsec tunnel & Secure from
unwanted access.
7. THE ESP encrypts the Packet from source Site in Destination It Decrypts the Packet & accepts it
by the Receiver.
1. In Checkpoint We call VPN as VPN Community for Entire Network As shown Below :

2. The Networks Such as & are called as Domains as shown above.
3. In Checkpoint we can Build VPN’S as Mesh VPN, Star VPN ,Central Hub & Spoke, Site to Site VPN.
4. In Checkpoint we can build Hub & Spoke as Central & Spoke as shown above in star.

5. We can disable NAT for VPN using NAT Exception.

Steps to Create VPN In check point:-

1. Go to FW1- HQ & enable the IPSEC VPN

2. Go to FW-2 & Enable Ipsec

3. Click Ok & Push the policy.

4. Next Step is to Add an Networks to VPN Domain in Topology as shown Below:
5. We can add all the IP address to Domain or we can Select Manual Network as shown Below:
6. Go to Fw2- Branch to select VPN Domain

7. After these Create a VPN Community by clicking More Option in Smart DashBoard & select IPSEC
8. Here we need to Create a New Community As shown Below:

9. Click on New & select as shown below

10. Here Click on Star Community & name it as Our Corp 2 to Branches below:

11. Then we need to add an Gateway in Center Gateways as shown Below:

12. Click on Add & Add FW1 as below
13. Go to Satellite Gateway section & add Fw2- Branch as below:
14. Here we can use Encription Method & Suite as below:-

15. We can create custom as well:

16. Next we need to set Tunnel Management as below:

17. Here Next in advanced Settings go & do the VPN Settings & Disable the NAT below:
18. Now here VPN Community is Identified as below:

19. Now get back to Firewall Tab & Create a new Rule to involve VPN Community:

20. Here we created the VPN Rule as Anything can be allow from 10.1.1 Network to 10.2.2 Network
21. Click on VPN Any Traffic, Click on Edit Cell To select VPN Communities
22. Here add our corp to Branch Community as shown Below:

23. Then the New Rule Looks like:

24. In Policy Targets we nedd to Specify same Because this policy needs to be installed in both the

25. Then Install & Push the Policy in both the Firewalls.
26. To Check the Output we need to ping from 10.1.1 Network to as below

Here the Output is request timed out.

27. To Troubleshoot this VPN go to Smart View Tracker & Filter the source

28. Click on edit Filter

29. Add my CMD PC address in the source click ok

30. Now it Displays the LOG as Shown Below:

31. Look the details Here it says Refer Rule 2 is dropped so make the Changes
32. Now Disable the Rule 2 & Push the Policy, Check the Output:
33. In Smart View Tracker Also check the Output:

34. Check the VPN:

35. Here we have implied rules also to check vpn, it says ike is enabled:

36. To check VPN in CMD use command as below:

37. If we press 1 it shows as below:

38. Press 2
BACKUP & Restore:

Here we can do Backup of 3 types

1. DB Version: In this we can take Policy rules Backup.

2. System Backup: In this we can take Network object Backup of entire gateway etc.
3. Image/ Snapshot: It is used to take OS Backup

1. Login to the Manager via Https as shown below, we have plenty of options.

2. To make the DNS Server Settings go to DNS:

3. To do Backup Go to Sys Backup as below:

4. Click on Add Backup & select the following

5. Here it shows Backup is created successfully

6. Highlight the Backup & export to:

7. It says Backup is Exported to our Computer

8. Later we can Import this file.
9. We can schedule the Backup also as shown below:
IMAGE Backup:
1. We can do image Backup as below:

2. TO Restore Backup we use:

1. To check Configuration use Tab Key as shown Below:

2. To do Back up in CMD use: add Backup Command & press Tab Key

3. To check Backup use show backup

4. To Restore Back up we use:

5. After this do a Reboot.

Smart Update:-

1. To Install License we use Smart Update as below:

2. To Test Contract & License :

3. Go to File & check

4. Select the Properties as shown Below:

5. In policy Management check all the OS & other Details:

6. Check License & Contracts: Go to that tab

7. To install Package from DVD: Click Add Packages from CD or DVD

8. Click Ok & Import
9. To see info of all packages:

10. It Displays the Output Below:

11. To Upgrade Right Click:

Additional Features:

1. Remote access VPN

2. We give SSL Portal access to access Company DMZ from home.

3. Authentication:
4. Select The Mobile Access in the Gateway
5. Click OK It shows:

6. Click Next & Give Outside IP address in Main URL Because Users will connect from outside
7. Specify the access Resources to outside as below we specify DMZ IIS server to access from

8. Check Active Directory

9. Click Next & Run Test

10. Here we need to select the users to access the Applications. In this we have selected full active
Directory users to access such as LDAP Group
11. Click Next & Finish, Follow the Rules

12. We can specify Logo as below:

13. Save & Push the Policy on Firewalls.
14. Check the Output

15. Click on DMZ web IIS Server

16. Verify the Output:
17. Go to Smart Log to check the Ouput of Specfic user what he is doing in company Network

18. To Block Certain Traffic from Different Country Use IPS tab As shown Below:
19. To Block this Turn on the Protection to Prevent as Shown Below:

20. Click on add & Block the Traffic from Kazakhstan foe example
21. Select Block

22. Do Network Excemptions From Specific PC to turn off logging

R77 Features:-

1. Blocking the Malware in Firewall Itself if any user tries to download Malicious File
2. Complaince Blade supports assistance of wrong rules creation.
3. In Smart Dash Board Management Itself We can do Changes for all the Gateways Such As DNS
Settings Etc in Centralized Management itself.

1. Routes also can be added in Smart Dashboard itself without logging to the HTTPS Gateway mode
2. We can Add DNS server here itself