Check Point firewalls are the premier firewall, access control, and threat prevention appliances for physical and virtual infrastructures. With Check Point's security capabilities, administrators can help maintain the confidentiality, integrity, and availability of the resources protected by their firewalls and threat prevention devices. This hands-on guide covers everything you need to be fluent in using Check Point firewalls for your operations.
This book familiarizes you with Check Point firewalls and their most common implementation scenarios, showing you how to deploy them from scratch. You will begin by following the deployment and configuration of Check Point products and advance to their administration for an organization. Once you’ve learned how to plan, prepare, and implement Check Point infrastructure components and grasped the fundamental principles of their operation, you’ll be guided through the creation and modification of access control policies of increasing complexity, as well as the inclusion of additional features. To run your routine operations infallibly, you’ll also learn how to monitor security logs and dashboards. Generating reports detailing current or historical traffic patterns and security incidents is also covered.
By the end of this book, you'll have gained the knowledge necessary to implement and comfortably operate Check Point firewalls.
Page count: 528
Year of publication: 2022
A practical guide to Check Point firewall deployment and administration
Vladimir Yakovlev
BIRMINGHAM—MUMBAI
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Preet Ahuja
Senior Editor: Shazeen Iqbal
Content Development Editor: Romy Dias
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Ashwin Dinesh Kharwa
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Nilesh Mohite
Senior Marketing Coordinator: Hemangi Lotlikar
First published: August 2022
Production reference: 1040822
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80107-271-7
www.packt.com
To my parents. It’s all your fault 😊
One of my colleagues recently told me that no matter when you get into an industry, you’re always getting in on the ground floor of something. For me, that something ended up being the early days of Check Point FireWall-1, and what ultimately became the cyber security industry.
I’ve seen Check Point’s various products and services grow and change over the last 26 years. I’ve helped a lot of people make the best use of Check Point products, both directly and indirectly, including writing my own Check Point books in the early 2000s. While a lot has changed since, including Check Point’s corporate logo, the core philosophy behind every Check Point product and service has not.
These days, you need a lot more than just network firewalls to Secure Your Everything. Even so, firewalls still play a critical role in most environments by defining boundaries between both private and public networks, enabling controlled access to network resources, blocking malicious content, and preventing both data exfiltration and the unauthorized use of systems.
In the 20 years since Essential Check Point FireWall-1 NG was published, I’ve been asked numerous times if I was going to write another book on Check Point firewalls. If I were going to do so, I’d probably take the approach that Vladimir has taken in this book. There are concise explanations of the essential features of the Check Point Quantum Security Gateway and Management products, along with step-by-step instructions and annotated screenshots!
If you’re just getting started with deploying Check Point Quantum Security Gateways, or you’re trying to refresh your knowledge, this book is a great place to start. There’s also CheckMates (https://community.checkpoint.com), Check Point’s official cyber security community, which is full of additional learning resources and discussions to help those who want to continue their learning on Check Point after finishing this book.
Dameon D. Welch (a.k.a. PhoneBoy)
Cyber Security Evangelist
Check Point Software Technologies, Ltd.
Vladimir Yakovlev, CISSP, is an infrastructure and security solutions architect and CTO at Higher Intelligence LLC, with over 20 years of Check Point experience.
He is recognized as a champion in the ISC2 and Check Point CheckMates communities and has been awarded Member of the Year and Contributor of the Year designations by peers, while also speaking at regional and international conferences.
Vladimir has previously held the roles of Sr. V.P. of Technology and CISO, responsible for the design, implementation, and operation of multiple iterations of secure and resilient infrastructures in the financial industry.
He enjoys helping others in the field of cybersecurity and can often be found in the CheckMates, LinkedIn, and ISC2 communities.
This project wouldn’t have happened without the encouragement and help from two authors of previous books dedicated to Check Point: Dameon D. Welch (a.k.a. PhoneBoy), my Technical Reviewer, and Timothy Hall, who went above and beyond in engaging with me in deep-dives on a multitude of subjects and sanity checks. Thank you both!
Huge thanks to all members of the Packt editing team and, especially, Romy Dias.
Last but not least, to my family, who tolerated my virtual absence for a year, and, specifically, to my son, Sam Yakovlev. He was (against his will) subjected to the first technical reading of this book, and is mainly responsible for defending the dignity of the English language (and the Oxford comma) from me.
Dameon D. Welch, widely known as “PhoneBoy,” is a Cyber Security Evangelist for Check Point Software Technologies. He is the public face of CheckMates, the Check Point cyber security community.
A recognized industry security veteran, with more than two decades of experience, Welch is best known for his creation of the PhoneBoy FireWall-1 FAQ in the mid-1990s. It was used by Check Point and thousands of its customers worldwide. He is also the author of Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide.
I’d like to thank everyone who has supported and encouraged me over the years.
Check Point Firewall Administration R81.10+ was written to help security administrators develop the necessary skills for effective deployment and operation of Check Point firewalls or high-availability clusters to improve network segmentation, configure site-to-site or remote access VPNs, and implement airtight access control policies.
This book is for those new to Check Point firewalls or those who are catching up to the current R81.10+ releases. Although intended for information/cybersecurity professionals with some experience in network or IT infrastructure security, it may also be helpful for IT professionals looking to shift their career focus to cybersecurity. Some familiarity with Linux and bash scripting is a plus.
It may also be useful for technical decision makers as a tool to take Check Point firewalls for a spin before committing resources to proof of concept or in anticipation of purchasing the product. Your security administrators will be better prepared for Proof of Concept (PoC) or implementation after reading it and building their own lab prior to undertaking formal training and certification.
Chapter 1, Introduction to Check Point Firewalls and Threat Prevention Products, covers the evolution of Check Point security products and capabilities, security management architecture, and the creation of a user account to access relevant software and information.
Chapter 2, Common Deployment Scenarios and Network Segmentation, looks at firewall placement in common network topologies, network segmentation, as well as performance and capacity assessments of existing firewalls.
Chapter 3, Building a Check Point Lab Environment – Part 1, delves into lab topology, components, software, and resources, as well as the installation of Oracle VirtualBox and the deployment and configuration of a virtual router.
Chapter 4, Building a Check Point Lab Environment – Part 2, explains creating Windows Server and Check Point base images and creating and preparing linked clones for the rest of the lab components.
Chapter 5, Gaia OS, the First Time Configuration Wizard, and an Introduction to the Gaia Portal (WebUI), introduces Gaia, the operating system in use by Check Point management servers and gateways. This chapter also covers the First Time Configuration Wizard and Gaia web interface.
Chapter 6, Check Point Gaia Command-Line Interface; Backup and Recovery Methods; CPUSE, covers accessing and using the Check Point Gaia command-line interface and expert mode shells. Backup and recovery options and Check Point Update Service Engine are also covered.
Chapter 7, SmartConsole – Familiarization and Navigation, provides a detailed examination of SmartConsole features, components, and capabilities and helps you become comfortable with Check Point's primary management interface.
Chapter 8, Introduction to Policies, Layers, and Rules, covers policy packages, blades (features) used in Access Control policies, and their use in layers. The chapter also looks at policy organization methods, rules’ structure and capabilities, and their placement based on the packet flows and use of acceleration technology.
Chapter 9, Working with Objects – ICA, SIC, Managed, Static, and Variable Objects, looks at the Internal Certificate Authority and Secure Internal Communication and how these factor into the creation of other Check Point managed objects. The chapter also looks at creating your first high-availability cluster and the rest of the objects for lab components, learning about different object types and their properties.
Chapter 10, Working with Network Address Translation, introduces network and port address translation using automatic and manual NAT options. The chapter goes on to look at the use of NAT in object properties, policies, and rules, and additional relevant configuration options, as well as NAT logging and interpretation of NAT log data.
Chapter 11, Building Your First Policy, defines policy structure while accounting for the most common scenarios likely to be encountered in any infrastructure. The creation of rules and, when necessary, additional objects is also covered, as is expanding a policy’s capabilities and granularity by enabling additional features, rules, and objects.
Chapter 12, Configuring Site-to-Site and Remote Access VPNs, looks at configuring VPNs for communication with peers, data, or service providers as well as implementing remote access capabilities using Check Point IPSec VPN features. The chapter also looks at utilizing Access Roles for granular remote access.
Chapter 13, Introduction to Logging and SmartEvent, explains how logging works in Check Point, and how to use different configuration options to best address your infrastructure's logging requirements. The chapter also introduces SmartEvent, which simplifies the work of Check Point administrators by providing enhanced views, reporting capabilities, and automated reactions.
Chapter 14, Working with ClusterXL High Availability, provides an explanation of the ClusterXL HA mechanism, operating a fault-tolerant cluster, and alternative Check Point offerings for high availability and load sharing.
Chapter 15, Performing Basic Troubleshooting, looks at the constraints you face when troubleshooting and the actions available to you. The chapter introduces typical issue categories, approaches, and tools helpful for solving them. It also looks at initiating and handling service requests with Check Point Technical Assistance Centers. The chapter goes on to detail the resources available from, and interaction with, the CheckMates user community.
Appendix, Licensing, introduces Check Point licensing terminology, specific information for management servers and gateways, and licensing for a lab environment.
You will need a Windows 10 or 11 PC with 24-32 GB of RAM and approximately 200 GB of free disk space to replicate the VirtualBox lab environment described in the book. If you are experienced in and prefer to use different virtualization platforms, adapt virtual hardware and networking requirements for the lab to a platform of your choice. All software required for the labs is available in free, trial, or evaluation versions. You will be required to register on some of the vendors’ portals for access to their products.
Additional software includes VirtualBox, PuTTY, WinSCP, and Notepad++ and you’ll be instructed to install them on relevant physical or virtual hosts throughout the book.
If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
If you are using the digital version of this book, I suggest viewing it in two-page, side-by-side format. This will make it easier to process text referencing screenshots, commands, or code on adjacent pages. Alternatively, download the PDF with figures, referenced later in this document, and use it to look up information referenced in the text.
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Check-Point-Firewall-Administration-R81.10-. If there’s an update to the code, it will be updated in the GitHub repository.
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/ImE2Y.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, CLI menu choices, commands, and user input. Here is an example: “When logged in to CPCM1, execute the command, set expert-password.”
A block of code or sequential uninterrupted commands is set as follows:
add host name host_test1 ip-address 10.0.0.111
add host name host_test2 ip-address 10.0.0.112
add host name host_test3 ip-address 10.0.0.113
When commands are shown in the context of a particular shell, are interactive, or are combined with step descriptions, they are shown like this:
# Step 1
show installer packages recommended
# Note the Display name of the package you are interested in.
# Step 2
show installer package # [press spacebar and then press the Tab key]
# Note the Num(ber) corresponding to the Display name of the package from step 1.
Any command-line input or output is written as follows:
CPXXX> show date
Date 02/02/2022
CPXXX> show time
Time 18:19:17
$ cd css
Bold indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Once the Plugins Admin window is opened, scroll down until you see Compare and check the checkbox.”
Italics indicates either internal or external references, such as “In Chapter 7, SmartConsole – Familiarization and Navigation, we saw how to do that using the management CLI.” It is also used to denote a specific keypress, such as “press Enter.”
Additionally, italics are used to indicate an emphasis on specifics, such as in the following sentence: “Even though the domain objects are defined, created, and modified in SmartConsole, we must use associated CLI tools on the gateways where the policies containing these objects are installed, and not on the management server.”
[#], [A], and [a] indicate the numerical or letter-based points of interest in figures (screenshots), typically referencing screenshots following the text, unless explicitly noted otherwise, as follows:
“To illustrate how to create additional server objects (also referred to as a Check Point Host object), let’s click on the New icon [1] in the Actions menu of the GATEWAYS & SERVERS view, click More [2], and then click Check Point Host… [3]:”
Sample image showing [] instances
Keywords are used whenever a new important term is used in the context of the chapter or a section, such as: “Access roles are the ultimate tool for the implementation of the zero-trust concept in your environment.”
Tips or Important Notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
This document was created using the official VMware icon and diagram library.
Copyright© 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at https://www.vmware.com/go/patents. VMware does not endorse or make any representations about third-party information included in this document, nor does the inclusion of any VMware icon or diagram in this document imply such an endorsement.
All copyrights are property of their respective owners including Check Point®
Once you’ve read Check Point Firewall Administration R81.10+, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
In this portion of the book, you will be introduced to Check Point products and, specifically, firewalls. We’ll look at them in the context of different infrastructure topologies and segments. You will create a realistic lab environment that will be used in subsequent chapters.
The following chapters will be covered in this section:
Chapter 1, Introduction to Check Point Firewalls and Threat Prevention Products
Chapter 2, Common Deployment Scenarios and Network Segmentation
Chapter 3, Building a Check Point Lab Environment – Part 1
Chapter 4, Building a Check Point Lab Environment – Part 2
In this chapter, we will learn about the past and the present of Check Point Software Technologies in the context of evolving cybersecurity challenges. We will become familiar with the three main product lines, their components, and their relevance to the threat prevention capabilities of Check Point firewalls. We will examine the flexibility and advantages of the security management architecture, address the learning process, and go through the user and account creation process in preparation for the following chapters.
In this chapter, we are going to cover the following main topics:
Learning about Check Point's history and the current state of the technology
Understanding the Check Point product lineup and coverage
Introducing the Unified Management concepts and the advantages of security product consolidation
Familiarization with the Security Management Architecture (SMART)
Determining how we learn
Navigating the Check Point User Center
For this chapter, we will need a web browser for access to the Check Point User Center and a smartphone running either iOS or Android with an authenticator application of your choice that supports time-based one-time passwords (TOTP), such as Google Authenticator or Microsoft Authenticator, to enable second-factor authentication for access to the User Center.
To get a sense of the product and the company behind it, it is good to have perspective. When were they founded? How long have they been in business? How consistent is their performance over time? What areas of cybersecurity is the company working in and how well are they rated? To find the answers to these questions, let's look at the past and the present of Check Point Software Technologies.
In 1994, Check Point Software Technologies released FireWall-1, which effectively launched the commercial firewall market; according to Gartner, Check Point has since been named a leader in the Network Firewalls category 21 times.
The company received the following mention at the Cybersecurity Excellence Awards for 2016: "All of the US Fortune 100, and over 90% of the Fortune 500, rely on Check Point solutions to protect their networks and data." 1
Shortly after launching FireWall-1, Check Point released VPN-1 for remote access and secure connectivity with peers and, over the years, continued to introduce additional components, enhancements, and new products. Since then, the cybersecurity arena has become saturated with many entrants bringing new products to the market. Throughout all of this time, Check Point's expanding product line, and especially their evolving management interface, has been recognized as the gold standard against which all competitors are measured.
Check Point firewalls were originally created to run on multiple operating systems and hardware, hence the name of the company, Check Point Software Technologies.
This is an important distinction when compared with the offerings provided by other vendors that were creating their solutions based on specialized ASICs (Application-Specific Integrated Circuits). When cloud computing ushered in a new era in information technology, Check Point was able to immediately offer the same degree of protection to cloud-based environments as was previously available to traditional infrastructures. Since Check Point enterprise firewalls were running on x86/x64 platforms, they did not require porting or emulation to do that.
Check Point's products are now deployed in 88 countries and protect more than 100,000 businesses. The company has offices in 75 countries, over 3,500 security experts, and a world-acclaimed research and intelligence organization. 2 Its firewall and threat prevention product line covers the entire spectrum of customers, from small offices to enterprises, carrier networks, government agencies, and industrial control systems. These products are available on the largest number of cloud services, including Amazon AWS, Microsoft Azure, Oracle Cloud, Google Cloud, Alibaba Cloud, and IBM Cloud.
Check Point Software Technologies was recognized as a Microsoft Security 20/20 Partner Award Winner for Most Prolific Integration Partner in 2020, and for Most Transformative Integration Partner in 2021. 3
By protecting networks, hosts, data, and workloads on hypervisors, containers, and microservices from advanced threats under a unified management architecture, Check Point remains at the forefront of cybersecurity. It has grown both organically and through judicious acquisitions and integration of complementary products over the years, and is now the largest publicly traded cybersecurity company in Israel, a nation known worldwide for its remarkably strong information security and intelligence capabilities.
With an unparalleled commitment to product evolution and quality, its ever-growing list of partners, dedicated support for automation, and orchestration for organizations adopting DevSecOps practices, it is the best choice for anyone looking to embark on their journey of becoming a member of the cyber defense elite.
Now that we've learned a little about the company's history, let's take a look at Check Point's product line.
The scope of Check Point's offerings can be better understood by looking at the following chart depicting the three main branches of products:
Figure 1.1 – Check Point unified security architecture components
The Quantum branch is primarily concerned with hardware appliances, but it does include Check Point's own cloud-hosted scalable management solution (Quantum Smart-1 Cloud).
The small business appliances in the Quantum branch run an embedded version of Check Point's firewall. They differ from the rest of the lineup in that category, but they, too, can be managed from the same centralized management solutions as the rest.
The CloudGuard branch, while primarily concerned with cloud-based solutions, includes those for the on-premises virtualization environments, such as VMware vSphere, Microsoft Hyper-V, and Nutanix. Additionally, the management servers deployed in the cloud as VMs are also considered to be part of the CloudGuard product line.
The Harmony branch contains solutions necessary to safeguard endpoints inside, as well as outside, of your organization (including BYOD and mobile devices) and to provide your users with multiple choices for secure remote connectivity.
Now that we have learned about the scope of Check Point products, let's take a look at the benefits of having a single vendor solution protecting your infrastructure and data.
Historically, security-conscious enterprises practiced defense in depth by layering and combining multiple solutions in the hope of preventing system and network compromise. While this approach was viable 10 years ago, it is getting progressively more difficult to maintain.
Let's look at the evolution of the threats over time to get a better idea of why this is so by using the following diagram:
Figure 1.2 – Attack generations and types, escalation, and the response over time
In addition to the complexity and advances of the attacks, the numbers of bad actors, as well as the number of different attacks, are increasing exponentially. The field of offensive cybersecurity is attracting an ever-increasing number of people, not all of them ethical hackers. This contributes to the snowballing effect and the number of compromised systems, networks, and companies. The latest batch of attacks focusing on the supply chain is yet another manifestation of this trend.
The sheer number of cybersecurity vendors and point solutions, each trying to address different problem areas, makes it a virtual impossibility for smaller teams to manage them effectively. It takes years to gain proficiency with a single product, let alone multiple ones. Add to this the rapid development cycles of each vendor trying to keep up with evolving capabilities of cybercriminals and offerings by competition, and you will have to spend most of your time learning about new features and changes in all of these products, while at the same time fighting compatibility issues.
For a while, the combination of Security Information and Event Management (SIEM) solutions as hubs for the consolidation of logs, their correlation, and Security Orchestration Automation and Response (SOAR) actions based on pre-defined conditions looked like a possible solution to this problem. However, these options failed to address the multi-vendor cost of human capital, further complicating the operations of smaller security teams. They are now primarily relegated to larger enterprises, carrier networks, and Managed Security Services Providers (MSSPs) that can afford to keep staffed Security Operations Centers (SOCs) and dedicated data science and analytics specialists. For most other companies, SIEMs are either becoming log graveyards or are mostly used for after-the-fact investigations and audits, but not for proactive threat prevention.
Important Note
For organizations that do utilize SIEMs, Check Point has out-of-the-box integration with ArcSight, LogRhythm, QRadar, RSA, McAfee, Splunk, and Sumo Logic, and its Log Exporter can be configured to work with any syslog-, CEF-, LEEF-, or JSON-compliant product. There is also a dedicated Check Point app for Splunk (https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm) for seamless integration.
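When the receiving product is not one of those with a ready-made integration, the CEF output of Log Exporter has to be parsed on the SIEM side. The following Python parser is an added example written for this page; it is not code from the book or from Check Point. It handles the two things that trip up naive split-on-pipe parsers, namely the backslash escapes for | and = that CEF allows inside header fields and extension values, and a syslog header in front of the CEF: marker, and then pivots on Drop/Reject events the way a correlation rule would. The sample lines are constructed, and the extension keys used (act, src, dst, spt, dpt, proto, cs1Label/cs1) are standard CEF keys that are assumed to be present in a given export.

```python
"""Parse CEF records of the shape Log Exporter emits and pivot on denied traffic.

Added example, not code from the book or from Check Point. The sample lines
below are constructed, and the extension keys (act, src, dst, spt, dpt, proto,
cs1Label/cs1) are standard CEF keys assumed to be present in the export.
"""
import re
from collections import Counter

# A CEF extension key is a run of key characters followed by an unescaped '='.
# A literal '=' inside a value is escaped as \= so the char before '=' is never a key char.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')

HEADER_FIELDS = ('version', 'vendor', 'product', 'device_version',
                 'event_class_id', 'name', 'severity')


def _split_header(text):
    """Split the seven pipe-delimited header fields, honouring backslash escapes.

    Returns (fields, remainder) where remainder is the raw extension string.
    """
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):      # escaped char: keep it literally
            cur.append(text[i + 1])
            i += 2
        elif ch == '|':                            # unescaped separator ends a field
            fields.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, text[i:]


def _unescape_value(value):
    """Undo CEF extension escapes for '=', backslash, newline and carriage return."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({'n': '\n', 'r': '\r'}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v 2 ...' into a dict; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    result = {}
    for n, m in enumerate(keys):
        start = m.end()
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_value(ext[start:end].strip())
    return result


def parse_cef(line):
    """Parse one record; anything before the 'CEF:' marker (a syslog header) is skipped."""
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('not a CEF record: %r' % line[:40])
    header, ext = _split_header(line[idx + len('CEF:'):])
    if len(header) != 7:
        raise ValueError('malformed CEF header (%d fields)' % len(header))
    record = dict(zip(HEADER_FIELDS, header))
    record['ext'] = _parse_extension(ext)
    return record


def denied_flows(lines):
    """Count Drop/Reject events per (src, dst, dpt): the pivot a SIEM correlation rule would run."""
    counts = Counter()
    for line in lines:
        ext = parse_cef(line)['ext']
        if ext.get('act') in ('Drop', 'Reject'):
            counts[(ext.get('src'), ext.get('dst'), ext.get('dpt'))] += 1
    return counts


# Constructed sample export (not real gateway output): the third line carries a
# syslog header in front of the CEF marker, the fourth exercises the \| and \= escapes.
SAMPLE_LINES = [
    r"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|act=Accept src=10.0.0.111 dst=203.0.113.10 spt=51514 dpt=443 proto=tcp cs1Label=rule_name cs1=Web out",
    r"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|ssh|Unknown|act=Drop src=198.51.100.7 dst=10.0.0.111 spt=40001 dpt=22 proto=tcp cs1Label=rule_name cs1=Cleanup rule",
    r"<134>1 2022-02-02T18:19:17Z cpgw1 CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|ssh|Unknown|act=Drop src=198.51.100.7 dst=10.0.0.111 spt=40002 dpt=22 proto=tcp cs1Label=rule_name cs1=Cleanup rule",
    r"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Pipe \| in name|High|act=Detect msg=value with \= inside src=10.0.0.112",
]

if __name__ == '__main__':
    for (src, dst, dpt), n in denied_flows(SAMPLE_LINES).items():
        print(f'{n} denied flow(s) {src} -> {dst}:{dpt}')
```

Feed it the lines your collector receives rather than the constructed ones: if a record fails with "malformed CEF header", the usual cause is a transport that split a long message, which is a reason to prefer TCP over UDP for the export.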
Serious advances in active prevention or response have also been made by several dedicated Endpoint Detection and Response (EDR) vendors. Unfortunately, the EDRs are relying on the installation of their agents on managed endpoints. Components of the infrastructure that do not have the agents remain unprotected.
All the networking gear, printers, copiers, conference room equipment, CCTV, building access and environmental controls, and other innumerable Internet of Things (IoT) devices are the shadow army that could be exploited and used for attacks or snooping on your infrastructure. The same applies to all devices on which the OS or firmware is controlled by the vendor or those that are supplied by service providers or business peers.
To compensate, EDR vendors are now actively expanding their integration with partners and going through the rapid acquisitions of complementary businesses to improve the coverage of their products.
Recognizing that the effective prevention of complex modern attacks requires more than just loosely coupled integration between various security tools, in 2017, Check Point developed and introduced its Infinity architecture. Tightly integrated products covering all aspects of security infrastructure with common management and enforcement policies dramatically improve detection and prevention rates.
Check Point was well positioned to address these challenges, since its ThreatCloud is one of the largest and most established commercial worldwide threat detection networks. Because of its global presence, Check Point is likely to encounter new attacks or variants of exploits early. The quality of the data is high, since product coverage extends from networks to endpoints, mobile, cloud, IoT, and industrial systems. Its analytics are augmented by ML and AI to identify malware DNA, a set of unique code segments and behavioral characteristics that associates each newly encountered sample with a previously known malware family whenever such similarities can be identified. This helps to predict and prevent other, not immediately apparent attack capabilities and vectors of emerging zero-day threats.
Having all these abilities provided by products from the same security vendor, as well as using common terminology, configuration, logging, analysis, management interfaces, and forensics capabilities, eliminates the complexity and the overhead of multiple point solutions. It also significantly improves your chances of deterrence and the containment of cyber attacks.
In January 2018, the MITRE Corporation released Adversarial Tactics, Techniques, and Common Knowledge version 1 (ATT&CK v1), a framework that validated Check Point's vision for unified security. And in the same month, Check Point announced Infinity Total Protection, a simple, all-inclusive, per-user, per-year subscription covering all of its products, including hardware, software, 24x7 premium support, and network security, as well as endpoint, mobile, cloud, and data security with real-time threat prevention.
Competitors realizing the advantages of this approach adopted similar strategies and a new term, Extended Detection and Response (XDR), was coined.
Important Note
Although it is unlikely that your organization is relying on a single vendor's solutions for all or even most of its cybersecurity needs, strategic consolidation resulting in massive benefits should be considered.
Most likely, Check Point firewalls in your environment are a part of the heterogeneous security infrastructure consisting of multiple point products. In this case, it is imperative to understand their roles, capabilities, and limitations in order to extract maximum value from the product while keeping track of what it is not designed or configured to do, and where complementary security solutions should be applied.
Network segmentation, network access control, and threat prevention for individual network segments, categories, and hosts remain some of the key elements of an overall sound security posture. Having the benefit of threat intelligence generated by sensors present in all categories of information technology covered by the Infinity architecture makes Check Point firewalls some of the most effective threat prevention and detection tools in your cybersecurity arsenal.
Important Note
Check Point's mantra is prevention first, so it is often the case that engineers must, on purpose, disable prevention in the demo environments to showcase the product's detection capabilities at multiple points in the attack's kill chain.
Now that we know that vendor consolidation may yield better overall results by offering unified visibility of attacks, let's look at what the Security Management architecture can do for the administration of the Check Point infrastructure.
Check Point's Security Management architecture is the foundational principle behind the centralized administration of multiple products and devices using common management interface(s).
Smart in the name of Check Point products dates back to when it was used as the acronym for Security Management Architecture. It is now present in the name of management servers and services, as well as Smart-1 products and their components: SmartLog and SmartEvent, and Check Point's GUI, SmartConsole. There is also a migration tool for the transition from competing solutions, called SmartMove. In a nutshell, SMART could be described as a collection of administrative stations and management, log, monitoring, and analytics servers that manage a variety of gateways, endpoints, cloud-based inspection, and threat prevention products designed to work together seamlessly. It is practically infinitely scalable.
The following is a simple diagram depicting a basic implementation of the Check Point gateway and management infrastructure and their components:
Figure 1.3 – Basic components of Check Point's management architecture
Important Note
Although we commonly refer to it as a firewall, a correct definition would be gateway, where a firewall is just one of the components.
SmartConsole is the Windows-based management client application that is connected to all of your management servers, regardless of the components they are running. It will be your primary interface for managing the Check Point infrastructure.
In the context of network architecture, a basic implementation could look as simple as the following:
Figure 1.4 – All-in-one implementation. Management and gateway on a single device
In Figure 1.4, a single all-in-one device is acting as both a management server and a gateway. This is appropriate for the smallest environments that are aspiring to have world-class protection, but either lack the budget or justification to implement a distributed Check Point environment. It is also appropriate for small-scale labs where you may explore new release features and functionality.
In a slightly more demanding environment, which I would recommend as a good starting point, the management server running all of its constituent components resides on a separate appliance or a virtual machine. In this case, the gateway is running on a dedicated appliance as follows:
Figure 1.5 – Basic implementation with a dedicated management server
The advantage of this approach is the ability to manage many gateways from a common management server using a common object database.
Important Note
The functionality of the gateway is not dependent on the availability of the management server: even if it is down for maintenance or is being upgraded, the gateways continue to function and log locally. Once the management server comes back online, the locally stored logs are automatically ingested by the management server.
Scaled further, SmartEvent is split from the management and log server to provide dedicated log correlation and reporting, as follows:
Figure 1.6 – SmartEvent log correlation and reporting on a dedicated server
This is a typical precursor for the expansion to either a multi-site or a hybrid environment, where a common SmartEvent server is used for log correlation, reporting, and analytics with multiple management and log servers. Since SmartEvent cannot be part of high-availability management, it should reside on a separate appliance or virtual machine. This is also one of the ways to offload your existing management server appliance if its utilization is consistently high.
And in a more typical data center environment, high-availability management and site-specific log servers are implemented to manage a larger number of gateways and clusters, as illustrated in the following diagram:
Figure 1.7 – Management high availability with dedicated log servers for multi-site environments
When your gateways and clusters under management generate a massive number of logs, it may be necessary to provide adequately sized log servers for each logically grouped location (typically based on geography or a specific data center).
The environment shown in Figure 1.7 allows you to ensure that the management servers used to create, manage, and install security policies in your environment will perform consistently, irrespective of the load on log servers.
Scaled even further, it may look like this:
Multiple SmartConsoles and API clients
Multi-domain management servers/security management servers
Multiple enterprise environments comprised of gateways, clusters, scalable platforms, hyperscale solutions, and/or endpoints, logging to dedicated log servers, with monitoring and analytics provided by SmartEvent servers and logs forwarded to a SIEM of your choice
The more complex and expansive your infrastructure, the more granular implementation of Check Point management you may require to assure the necessary performance and redundancy.
Another option that should be specifically mentioned here is Quantum Smart-1 Cloud, a cloud-based management environment that is redundant and scalable on demand to accommodate your enterprise. Check Point takes care of the maintenance updates, upgrades, and high availability in the background, while you are simply administering your infrastructure from it. We will revisit management options in a later chapter to compare the advantages of different choices for specific circumstances.
As you go through this book, you will acquire valuable foundational knowledge equally applicable to all of the implementations described previously.
We now understand that the Security Management architecture allows you to grow your company and maintain the same level of protection, regardless of its scale or model. Before we go all technical, let's look at learning approaches, available options, and the reasoning behind this book's format.
There is a widely adopted learning and retention concept representation known as either the learning pyramid or the cone of experience. This is depicted in the following diagram:
Figure 1.8 – Learning and retention4
Not everyone agrees with the exact quantification of the results, but there is no denying that the more of these activities and mediums of learning you are exposed to, the better the outcome.
The comprehension of concepts from reading the material varies depending on how well it is written. If the book or guide is well illustrated, it makes it easier to tie the concepts to real-world applications. Watching someone doing it in a video affirms the validity of the printed or static material. When you are working on a subject in your own lab environment, your confidence in being able to reproduce the results and your level of comfort with expanding your knowledge of the subject grow even further.
Follow the instructions in the book and its complementary online materials to get the most out of it. Choose your own names, emails, and fictional or real company names for registration on portals and access to the products we will be using in the lab.
Some of you may not have the necessary computing capabilities at your disposal to replicate the lab. For those readers, and for those reading this book during a commute, the included screenshots should provide a close approximation of the experience.
We now understand the learning methodologies that impact our comprehension and retention. In the next section, we will familiarize ourselves with the Check Point User Center and configure credentials required for access to resources used in the labs.
The Check Point User Center is the portal for access to a variety of resources, and the place where you will create or manage your Check Point accounts, users, and products. It is also a place where you generate and download licenses and support contracts.
It is accessible at https://usercenter.checkpoint.com.
Figure 1.9 – User Center
We will be using the ASSETS/INFO and TRY OUR PRODUCTS sections to obtain and maintain our lab licenses as we go through the book.
From the User Center, you can get to Support Center, a place where you can open and manage Service Requests (SRs), report security issues, subscribe to or access the PRO Support portal (a proactive monitoring and reporting service), and gain access to the technical documentation, alerts, subscriptions, product downloads, and search capabilities across SecureKnowledge articles, downloads, documentation, and CheckMates community posts and discussion threads.
The following screenshot shows Support Center:
Figure 1.10 – Support portal
Both portals are interlinked, but if you know what you need, it is simpler to get to the right place through a corresponding link.
The Support Center may be accessed at https://supportcenter.checkpoint.com.
Important Note
While it is not necessary to register with Check Point in order to download and try their firewall product, this trial will be limited to 15 days. To extend it beyond the initial 15 days, you will have to go through the registration process to request a trial or lab license(s).
Since we must learn how to register and manage users and accounts and how to license the product, we will now start with the registration process.
Follow these steps to register as a portal user and create an account:
1. In your browser, go to https://usercenter.checkpoint.com. When prompted with the Sign In screen, click on Sign Up Now.
Figure 1.11 – Sign Up Now
2. Populate the fields with your information and then click Submit.
Figure 1.12 – Sign Up; user information
3. The Success! popup will appear; check your mailbox to continue.
4. Click on Confirm Email in the body of the message.
5. Create and confirm a suitably strong password using a combination of uppercase and lowercase letters, numbers, and symbols, and then click Submit.
6. Click Sign In.
7. Enter your username (the same as the email in step 2) and the password from step 5, and then click Sign In.
8. Once you are logged in for the first time, click on your username in the top-right portion of the screen and then click on the Security shield icon on the left to configure Multifactor Authentication (MFA).
Figure 1.13 – Securing User Center access
9. Toggle the 2-Step Verification switch to the On position:
Figure 1.14 – Turning on 2-Step Verification
10. Enter your mobile phone number, verify that the Text Message option is selected, and then click Verify Phone.
11. Enter the code received via text message and then click Activate.
12. Your phone number is now shown as Verified. Click on the Display Backup codes arrow.
Figure 1.15 – Backup codes for 2FA
13. Click on Generate New Backup codes. When the backup codes are displayed, click Print. If you do not have a printer connected, print the codes to PDF. Click Close.
14. In the Authenticator App section, click the arrow to the right of Set Up. Choose your mobile phone platform and then click Next.
15. If you do not have an authentication application on your phone, install Microsoft Authenticator, Google Authenticator, or your preferred MFA application. When installed, or if already available, add the new account to it by scanning the QR code and then click Next.
16. If the scan fails (observed on very high-resolution monitors with particular brightness and contrast settings), click on CAN'T SCAN IT?, manually enter the key into the authentication app, and then click Next.
17. Enter the dynamically generated one-time code and click Next. Note the time remaining for the code on your phone while doing this.
18. The authentication app now becomes the default method for the second factor, as shown in the following screenshot:
Figure 1.16 – Authentication app as the default 2FA
We can now securely log on to the User Center and access its resources.
In this chapter, we learned about the history and the present-day state of the technology and services offered by Check Point. We saw the flexibility and scalability of the Security Management architecture and learned about the advantages of consolidated security solutions, and why they are emerging as the preferred choice for addressing today's complex threat environments. We have also created and secured our User Center account.
Now that we understand the modular nature of Check Point management architecture, we are ready to look at firewall locations within common network topologies and talk about the significance of their placement.
In the following chapter, we will address where and when certain features are better employed for different outcomes. We will learn how to determine the utilization of your currently deployed firewalls and calculate the capacity for new ones.
In this chapter, we will learn about the importance of knowing your network architecture and where the firewalls are deployed. We will look at it from the point of view of administrators inheriting an existing architecture, as well as those who are responsible for making suggestions for the new implementations. We will also briefly discuss the sizing methodology for new devices and the performance of your existing firewalls.
In this chapter, we are going to cover the following main topics:
Understanding your network topology
Learning about network segmentation
Protecting the core
Protecting the perimeter
Sizing appliances for new implementations – load on current systems
As a firewall administrator, you must have a thorough understanding of the network in which these firewalls are implemented. The firewall can only control and inspect the traffic that is traversing it.
This brings us to a question about your role as the firewall administrator. Depending on the size of the company you are working for, the maturity of its security practices, its budget, and the size of your security team, your responsibilities may vary greatly.
In a typical large financial organization, there may be dedicated positions for firewall administrators that are limited to the creation and modification of objects, rules, security policies, and troubleshooting. Actual engineering and implementation may be handled by a different team or team member.
In smaller organizations, firewall administration is just one of the functions you are likely to perform, and there are several other security controls you may be responsible for. Networking in these kinds of companies is typically handled by separate teams, but the deployment of firewalls and their integration with the rest of the infrastructure may fall under your purview.
In even smaller companies, or companies with smaller information security and IT teams, you may be wearing multiple hats and, realistically, responsible not only for the firewall administration but also for the complete engineering of network and security controls. In these cases, you may have much greater flexibility in shaping your company's security posture.
Regardless of the circumstances, having access to the network topology data and knowing where the firewalls are located will allow you to perform your job efficiently and minimize the chances of misconfiguration. This will significantly improve your troubleshooting performance.
Let's consider a scenario where you are a firewall administrator unaware of the infrastructure and topology changes being made as depicted in the following figure:
Figure 2.1 – A and B, undocumented topology changes
Scenario A in Figure 2.1 depicts a firewall/cluster with connectivity to internal networks, the internet, and a demilitarized zone (DMZ). The DMZ contains a single application server running Windows Server OS with IIS.
The change is made by the application and networking teams, aiming to improve the performance of the application by deploying a load balancer and adding new instances of the application server.
Scenario B in Figure 2.1 shows the environment after the change. There is now a new host – a load balancer running a different OS. There is also a new application server. The IP address of the existing application server has changed, and it is now residing on a different network behind a load balancer. The old application server's IP address is now assigned to the load balancer.
A possible outcome here is that when you receive a call from the application owners reporting access or performance issues, you will not be able to identify the IP addresses they are referring to, because the objects in your policy no longer match the hosts behind them.
Your threat prevention policy, which may have been tailored toward protecting Windows Server OS and IIS, doesn't cover the load balancer.
The example I have just presented illustrates the importance of communication between departments, as well as the necessity of being aware of the changes to the infrastructure you are protecting.
In a larger organization with well-established change controls, you will be in the loop and instructed to make the necessary changes to objects and policies.
In a smaller organization, you are likely to be aware of the pending changes. You will be able to alert the interested parties about the alterations to objects and policies that may be required.
In a mid-sized organization with separate IT and information security departments, poor internal communications, and poorly established change controls, you are likely to be surprised by these kinds of situations. It will then be up to you to create and maintain the network diagrams describing the environment in which your firewalls are operating.
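One lightweight way to notice a change like the one in Figure 2.1 before the phone rings is to periodically reconcile the host objects your policy relies on against a current asset inventory (a CMDB export, a discovery scan, or simply the networking team's spreadsheet). The following is an added example, not code from the book or from Check Point; the asset records, names, and addresses are constructed for the illustration and use documentation address ranges.

```python
"""Reconcile firewall host objects with a current asset inventory.

Added example (not from the book or Check Point). All records below are
constructed: scenario A is what the policy objects still describe,
scenario B is what the inventory reports after the undocumented change
from Figure 2.1 (load balancer takes the old address, application server
moves behind it, second application server appears).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    os: str   # platform the threat prevention profile was tuned for


# Host objects as they exist in the firewall policy (scenario A, constructed)
FIREWALL_OBJECTS = [
    Asset("app-srv-01", "192.0.2.10", "Windows Server / IIS"),
]

# Current inventory after the change (scenario B, constructed)
CURRENT_INVENTORY = [
    Asset("lb-01", "192.0.2.10", "Linux-based load balancer"),
    Asset("app-srv-01", "198.51.100.10", "Windows Server / IIS"),
    Asset("app-srv-02", "198.51.100.11", "Windows Server / IIS"),
]


def reconcile(objects, inventory):
    """Return (kind, name, ip, detail) findings describing policy drift.

    kinds:
      ip_reassigned  - the object's address now belongs to a different device
      stale_ip       - nothing in the inventory uses the object's address
      host_moved     - the named host now lives at another address
      unmanaged_host - an inventoried host has no policy object at all
    """
    obj_by_ip = {a.ip: a for a in objects}
    obj_by_name = {a.name: a for a in objects}
    inv_by_ip = {a.ip: a for a in inventory}
    inv_by_name = {a.name: a for a in inventory}
    findings = []

    for obj in objects:
        live = inv_by_ip.get(obj.ip)
        if live is None:
            findings.append(("stale_ip", obj.name, obj.ip,
                             "no inventoried device uses this address"))
        elif live.name != obj.name or live.os != obj.os:
            # The profile was tuned for obj.os, but the traffic now hits live.os
            findings.append(("ip_reassigned", obj.name, obj.ip,
                             f"now {live.name} ({live.os}); policy tuned for {obj.os}"))
        moved = inv_by_name.get(obj.name)
        if moved is not None and moved.ip != obj.ip:
            findings.append(("host_moved", obj.name, moved.ip,
                             f"object still points at {obj.ip}"))

    for live in inventory:
        if live.name not in obj_by_name and live.ip not in obj_by_ip:
            findings.append(("unmanaged_host", live.name, live.ip,
                             f"{live.os}, no policy object covers it"))
    return findings


if __name__ == "__main__":
    for kind, name, ip, detail in reconcile(FIREWALL_OBJECTS, CURRENT_INVENTORY):
        print(f"{kind:15} {name:12} {ip:15} {detail}")
```

Run against the two constructed data sets, the report flags the reassigned address (the threat prevention profile for the old object no longer matches the platform behind it), the moved application server, and the new, unmanaged instance; run against an unchanged environment it reports nothing. In practice the object list would come from an export of your management server and the inventory from whatever source of truth your IT department maintains.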
Important Note
For a real-world example of how this can impact your environment, see the summary by Rapid7 describing recently discovered and disclosed vulnerabilities in the commonly used F5 load balancers, as shown in the following link: https://www.rapid7.com/blog/post/2021/03/18/f5-discloses-eight-vulnerabilities-including-four-critical-ones-in-big-ip-systems/.
Should you encounter this or a similar situation, write a concise report for your manager that details the issue and suggests improvements in handling topology changes in the future. Establish rapport with your colleagues in IT so that relevant information will be relayed between departments even in the absence of formal procedures.
Your circumstances as a firewall administrator may vary depending on a large number of factors. For instance, you may be designated as an administrator during the initial implementation of the product. Alternatively, you may be hired or appointed long after these firewalls were put in place. Your network infrastructure may be expertly crafted to take maximum advantage of the security controls your firewalls are offering, or it may be lacking in some regard. It may also be that you have inherited an environment that has grown organically over time and its topology and utilization of firewalls are way out of date, and, upon examination, should really be redesigned from scratch.
Regardless of the situation you find yourself in, make the best of it by determining whether security could be improved based on the placement of the firewalls and their capabilities, utilization, and licensed features. If you see an opportunity for improvements, write a detailed proposal and submit it to your manager or to other interested parties, depending on the organization's structure and practices.
When talking about network topology in the context of firewalls, we will inevitably come across the term DMZ. DMZ (or demilitarized zone) generally refers to a segment of the network isolated from both internal and external networks. Access to specific services running on hosts located in DMZs, as well as access from DMZs to hosts and services on internal network segments, is controlled by a security policy.
Technically, DMZ is a category and not a particular zone – that is, you may have multiple zones serving as individual DMZs, each designated for the type of servers or networks that require partial isolation from the internal network and are accessible either from the internet or one or more external entities.
Having talked about zones, it would be helpful to have a quick look at how Check Point uses them:
Check Point firewalls can operate as both interface-based and zone-based firewalls at the same time. In Check Point firewalls, a zone could be thought of as a placeholder object that is associated with one or more interfaces of a gateway and the network topology behind those interfaces.
Each interface can belong to a single zone only.
Zones can be used as sources or destinations.
There are four pre-defined zones: InternalZone, ExternalZone, DMZZone, and WirelessZone. These zones (and zones in general) do not impart any special properties to the hosts behind the interfaces to which they are assigned. Only the use of zones in security policies does that.
You can create additional zones as needed.
You cannot use a zone in a security policy if there are no interfaces associated with it.
In rules, you can use either zones or their constituent components (that is, groups of objects or specific hosts/networks behind the interface associated with the same zone).
Objects behind different interfaces associated with the same zone cannot communicate with each other unless permitted by an explicit rule in the policy.
The same zones can be used across multiple gateways to simplify security policies.
We will discuss zones in more detail later when learning about gateway and cluster objects and when learning about policies and rules.
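The zone behaviours listed above are easiest to internalize by watching them decide traffic. The following is an added example, not Check Point code: a deliberately simplified model of zone-based matching (first matching rule wins, implicit drop, no NAT, no stateful inspection, no implied or layered policies) built around a four-interface gateway laid out like Figure 2.2. Interface names, addresses, and rule names are constructed; the four pre-defined zone names are the real ones from the text.

```python
"""Simplified model of zone-based access control (added example, not
Check Point code). It illustrates three of the zone rules from the text:
an interface belongs to exactly one zone, a zone cannot be used in a rule
until an interface is assigned to it, and two interfaces sharing a zone
get no implicit trust between them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The four pre-defined zone names exist on every gateway
PREDEFINED_ZONES = {"InternalZone", "ExternalZone", "DMZZone", "WirelessZone"}


@dataclass
class Interface:
    name: str
    networks: list   # topology behind the interface, as CIDR strings
    zone: str        # an interface belongs to exactly one zone


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str     # "tcp/443", "any", ...
    action: str      # "Accept" or "Drop"


class Gateway:
    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.zones = set(PREDEFINED_ZONES)

    def add_zone(self, name):
        """Additional zones can be created as needed."""
        self.zones.add(name)

    def zones_in_use(self):
        return {iface.zone for iface in self.interfaces}

    def interface_for(self, ip):
        """Longest-prefix match of an address against interface topology."""
        addr = ip_address(ip)
        best, best_len = None, -1
        for iface in self.interfaces:
            for cidr in iface.networks:
                net = ip_network(cidr)
                if addr in net and net.prefixlen > best_len:
                    best, best_len = iface, net.prefixlen
        return best

    def validate_policy(self, rules):
        """A zone is usable in a rule only if some interface is assigned to it."""
        errors = []
        for rule in rules:
            for zone in (rule.src_zone, rule.dst_zone):
                if zone not in self.zones:
                    errors.append(f"{rule.name}: zone {zone} does not exist")
                elif zone not in self.zones_in_use():
                    errors.append(f"{rule.name}: zone {zone} has no interface assigned")
        return errors

    def decide(self, rules, src_ip, dst_ip, service):
        src_if = self.interface_for(src_ip)
        dst_if = self.interface_for(dst_ip)
        if src_if is None or dst_if is None:
            return "Drop"          # address outside any known topology
        if src_if is dst_if:
            return "NotInspected"  # same segment: the gateway never sees it
        # First matching rule wins. Zone membership itself grants nothing, so
        # two interfaces that both carry DMZZone still need an explicit rule.
        for rule in rules:
            if (rule.src_zone == src_if.zone and rule.dst_zone == dst_if.zone
                    and rule.service in ("any", service)):
                return rule.action
        return "Drop"              # implicit cleanup: drop everything else


def build_lab_gateway():
    """Four-interface gateway in the layout of Figure 2.2 (constructed)."""
    return Gateway([
        Interface("eth0", ["10.1.0.0/24"], "InternalZone"),
        Interface("eth1", ["0.0.0.0/0"], "ExternalZone"),
        Interface("eth2", ["192.168.10.0/24"], "DMZZone"),
        Interface("eth3", ["192.168.20.0/24"], "DMZZone"),
    ])


def lab_rules():
    return [
        Rule("Publish web app", "ExternalZone", "DMZZone", "tcp/443", "Accept"),
        Rule("Internal to internet", "InternalZone", "ExternalZone", "any", "Accept"),
    ]


if __name__ == "__main__":
    gw, rules = build_lab_gateway(), lab_rules()
    print(gw.validate_policy(rules))
    print(gw.decide(rules, "198.51.100.7", "192.168.10.5", "tcp/443"))  # published service
    print(gw.decide(rules, "192.168.10.5", "192.168.20.5", "tcp/22"))   # DMZ to DMZ, no rule
    print(gw.decide(rules, "10.1.0.5", "10.1.0.9", "tcp/445"))          # never traverses
    print(gw.validate_policy([Rule("Wi-Fi", "WirelessZone", "ExternalZone", "any", "Accept")]))
```

The two DMZ interfaces share DMZZone, yet a connection from one DMZ segment to the other is dropped because no rule permits it, while a host talking to a neighbour on its own segment never reaches the gateway at all. The validation step rejects a rule that references WirelessZone because no interface is assigned to that zone, which is exactly the condition the text describes.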
Now, let's look at several commonly encountered simple network topologies and try to analyze them, figure out the advantages and shortcomings of each, and suggest if and how they could be improved.
Look at each of the following diagrams and write a summary describing the traffic flows, the content of each protected enclave (that is, the topology of the network behind firewall interfaces), possible issues with the topology, and how those issues could be addressed.
Then, read on to compare your conclusions with those given in the chapter.
The following figure illustrates Scenario 1:
Figure 2.2 – A single gateway with four interfaces
Take a minute to study Figure 2.2. Identify the protected enclaves.
Use your notepad to describe the possible reasons for this design, as well as its advantages and shortcomings. Suggest improvements to this topology.
The diagram in Figure 2.2 describes a simple network consisting of the internal, external, and two DMZ segments.
The environment described in Figure 2.2 is suboptimal for the following reasons:
A single gateway is representing a single point of failure (SPOF) and should be replaced with a high-availability (HA) cluster. In this case, the use of a single gateway may be acceptable if the service level agreement (SLA) or IT/information security policy of the company allows for the downtime described in your Check Point Support Program