Check Point Certified Security Administrator and Expert- CCSA&CCSE (R77.3)

Code: CCSA&CCSER77.3
Type: EDITC Bundles
Category: CheckPoint

This course enables participants to defend their organization’s network against any threats. More specifically, participants will benefit as follows: they will be prepared to defend against network threats, evaluate existing security policies and optimize the rule base, manage user access to corporate LANs, monitor suspicious network activities and analyze attacks, troubleshoot network connections, protect email and messaging content, build, test and troubleshoot numerous deployment scenarios, apply insider tips for troubleshooting Check Point Security Systems, practice advanced upgrading techniques, migrate to a clustering security solution, create events for compliance reporting, and manage internal and external access to corporate resources.



Duration: 35 hours
Location: EDITC & MMC Conference Center, 16 Imvrou Street, 1055 Nicosia
Language: English
Attendance: 4-16
 

Topics

Chapter 1: Introduction to Check Point Technology
Check Point Security Management Architecture (SMART)

  • SmartConsole
  • Security Management Server
  • Security Gateway

The Check Point Firewall

  • OSI Model
  • Mechanism for controlling network traffic
  • Packet Filtering
  • Stateful Inspection
  • Application Intelligence

Security Gateway Inspection Architecture
INSPECT Engine Packet Flow

  • Deployment Considerations
  • Standalone Deployment
  • Distributed Deployment
  • Standalone Full HA
  • Bridge Mode

Check Point Smart Console Clients

  • SmartDashboard
  • SmartView Tracker
  • SmartLog
  • SmartEvent
  • SmartView Monitor
  • SmartReporter
  • SmartUpdate
  • SmartProvisioning
  • SmartEndpoint

Security Management Server

  • Managing Users in SmartDashboard
  • Users Database

Security Channels of Communication

  • Secure Internal Communication
  • Testing the SIC Status
  • Resetting the Trust State

Lab 1: Distributed Installation

  • Install Security Management Server
  • Configure Security Management Server - WebUI
  • Configuring the Management Server
  • Install Corporate Security Gateway
  • Configure Corporate Security Gateway - WebUI
  • Configuring the Corporate Security Gateway
  • Installing SmartConsole

Lab 2: Branch Office Security Gateway Installation

  • Install SecurePlatform on Branch Gateway
  • Configuring Branch Office Security Gateway with the First Time Configuration Wizard
  • Configure Branch Gateway - WebUI

Chapter 2: Deployment Platforms
Check Point Deployment Platforms

  • Security Appliances
  • Security Software Blades
  • Remote Access Solutions

Check Point Gaia

  • History - Power of Two
  • Gaia
  • Benefits of Gaia
  • Gaia Architecture
  • Gaia System Information

Lab 3: CLI Tools

  • Working in Expert Mode
  • Applying Useful Commands in CLISH
  • Add and Delete Administrators via the CLI
  • Perform Backup and Restore

Chapter 3: Introduction to the Security Policy
Security Policy Basics

  • The Rule Base
  • Managing Objects in SmartDashboard
  • SmartDashboard and Objects
  • Object-Tree Pane
  • Objects-List Pane
  • Object Types
  • Rule Base Pane

Managing Objects

  • Classic View of the Objects Tree
  • Group View of the Objects Tree

Creating the Rule Base

  • Basic Rule Base Concepts
  • Delete Rule
  • Basic Rules
  • Implicit/Explicit Rules
  • Control Connections
  • Detecting IP Spoofing
  • Configuring Anti-Spoofing

Rule Base Management

  • Understanding Rule Base Order
  • Completing the Rule Base

Policy Management and Revision Control

  • Policy Package Management
  • Database Revision Control
  • Multicasting

Lab 4: Building a Security Policy

  • Create Security Gateway Object
  • Create GUI Client Object
  • Create Rules for Corporate Gateway
  • Save the Policy
  • Install the Policy
  • Test the Corporate Policy
  • Create the Remote Security Gateway Object
  • Create a New Policy for the Branch Office
  • Combine and Organize Security Policies

Lab 5: Configure the DMZ

  • Create DMZ Objects in SmartDashboard
  • Create DMZ Access Rules
  • Test the Policy

Chapter 4: Monitoring Traffic and Connections

  • SmartView Tracker
  • Log Types
  • SmartView Tracker Tabs
  • Action Icons
  • Log-File Management
  • Administrator Auditing
  • Global Logging and Alerting
  • Time Setting
  • Blocking Connections

SmartView Monitor

  • Customized Views
  • Gateway Status View
  • Traffic View
  • Tunnels View
  • Remote Users View
  • Cooperative Enforcement View

Monitoring Suspicious Activity Rules

  • Monitoring Alerts

Gateway Status

  • Overall Status
  • Software Blade Status
  • Displaying Gateway Information

SmartView Tracker vs. SmartView Monitor

Lab 6: Monitoring with SmartView Tracker

  • Launch SmartView Tracker
  • Track by Source and Destination
  • Modify the Gateway to Active
  • SmartView Monitor


Chapter 5: Network Address Translation
Introduction to NAT

  • IP Addressing
  • Hide NAT
  • Choosing the Hide Address in Hide NAT
  • Static NAT
  • Original Packet
  • Reply Packet
  • NAT Global Properties
  • Object Configuration - Hide NAT
  • Hide NAT Using Another Interface
  • Static NAT

Manual NAT

  • Configuring Manual NAT
  • Special Considerations
  • ARP

Lab 7: Configure NAT

  • Configure Static NAT on the DMZ Server
  • Test the Static NAT Address
  • Configure Hide NAT on the Corporate Network
  • Test the Hide NAT Address
  • Observe Hide NAT Traffic Using fw monitor
  • Configure Wireshark
  • Observe Traffic
  • Observe Static NAT Traffic Using fw monitor

Chapter 6: Using SmartUpdate
SmartUpdate and Managing Licenses

  • SmartUpdate Architecture
  • SmartUpdate Introduction
  • Overview of Managing Licenses
  • License Terminology
  • Upgrading Licenses
  • Retrieving License Data from Security Gateways
  • Adding New Licenses to the License & Contract Repository
  • Importing License Files
  • Adding License Details Manually
  • Attaching Licenses
  • Detaching Licenses
  • Deleting Licenses From License & Contract Repository
  • Installation Process

Viewing License Properties

  • Checking for Expired Licenses
  • To Export a License to a File

Service Contracts

  • Managing Contracts
  • Updating Contracts

Chapter 7: User Management and Authentication
Creating users and groups

  • User Types

Security Gateway Authentication

  • Types of Legacy Authentication
  • Authentication Schemes
  • Remote User Authentication
  • Authentication Methods

User Authentication

  • User Authentication Rule Base
  • Considerations

Session Authentication

  • Configuring Session Authentication

Client Authentication

  • Client Authentication and Sign-On Overview
  • Sign-On Methods
  • Wait Mode
  • Configuring Authentication Tracking

LDAP User Management with UserDirectory

  • LDAP Features
  • Distinguished Name
  • Multiple LDAP Servers
  • Using an Existing LDAP Server
  • Configuring Entities to Work with the Gateway
  • Defining an Account Unit
  • Managing Users
  • UserDirectory Groups

Lab 8: Configuring User Directory

  • Connect User Directory to Security Management Server

Chapter 8: Identity Awareness
Introduction to Identity Awareness

  • AD Query
  • Browser-Based Authentication
  • Identity Agents
  • Deployment

Lab 9: Identity Awareness

  • Configuring the Security Gateway
  • Defining the User Access Role
  • Applying User Access Roles to the Rule Base
  • Testing Identity Based Awareness
  • Prepare Rule Base for Next Lab

Chapter 9: Introduction to Check Point VPNs
The Check Point VPN
VPN Deployments

  • Site-to-Site VPNs
  • Remote-Access VPNs

VPN Implementation

  • VPN Setup
  • Understanding VPN Deployment
  • VPN Communities
  • Remote Access Community

VPN Technologies

  • Meshed VPN Community
  • Star VPN Community
  • Choosing a Topology
  • Combination VPNs
  • Topology and Encryption Issues

Special VPN Gateway Conditions

  • Authentication Between Community Members
  • Domain and Route-Based VPNs
  • Domain-Based VPNs
  • Route-Based VPN

Access Control and VPN Communities

  • Accepting All Encrypted Traffic
  • Excluded Services
  • Special Considerations for Planning a VPN Topology

Integrating VPNs into a Rule Base

  • Simplified vs. Traditional Mode VPNs
  • VPN Tunnel Management
  • Permanent Tunnels
  • Tunnel Testing for Permanent Tunnels
  • VPN Tunnel Sharing

Remote Access VPNs

  • Multiple Remote Access VPN Connectivity Modes
  • Establishing a Connection Between a Remote User and a Gateway

Lab 10: Site-to-site VPN Between Corporate and Branch Office

  • Define the VPN Domain
  • Create the VPN Community
  • Create the VPN Rule and Modifying the Rule Base
  • Test VPN Connection
  • VPN Troubleshooting

Chapter 10: Upgrading
Backup and Restore Security Gateways and Management Servers

  • Snapshot management
  • Upgrade Tools
  • Backup Schedule Recommendations
  • Upgrade Tools
  • Performing Upgrades
  • Support Contract

Upgrading Standalone Full High Availability
Lab 1: Upgrading to Check Point R77

  • Install Security Management Server
  • Migrating Management Server Data
  • Importing the Check Point Database
  • Launch SmartDashboard
  • Upgrading the Security Gateway

Chapter 11: Advanced Firewall
Check Point Firewall Infrastructure

  • GUI Clients
  • Management

Kernel Tables

  • Connections Table
  • Connections Table Format

Check Point Firewall Key Features

  • Packet Inspection Flow
  • Policy Installation Flow
  • Policy Installation Process
  • Policy Installation Process Flow

Network Address Translation

  • How NAT Works
  • Hide NAT Process
  • Security Servers
  • How a Security Server Works
  • Basic Firewall Administration
  • Common Commands

FW Monitor

  • What is FW Monitor
  • C2S Connections and S2C Packets
  • fw monitor

Lab 2: Core CLI Elements of Firewall Administration

  • Policy Management and Status
  • Verification from the CLI
  • Using cpinfo
  • Run cpinfo on the Security Management Server
  • Analyzing cpinfo in InfoView
  • Using fw ctl pstat
  • Using tcpdump

Chapter 12: Clustering and Acceleration
VRRP

  • VRRP vs ClusterXL
  • Monitored Circuit VRRP
  • Troubleshooting VRRP

Clustering and Acceleration

  • Clustering Terms
  • ClusterXL
  • Cluster Synchronization
  • Synchronized-Cluster Restrictions
  • Securing the Sync Interface
  • To Synchronize or Not to Synchronize

ClusterXL: Load Sharing

  • Multicast Load Sharing
  • Unicast Load Sharing
  • How Packets Travel Through a Unicast LS Cluster
  • Sticky Connections

Maintenance Tasks and Tools

  • Perform a Manual Failover of the FW Cluster
  • VPN Capabilities

CoreXL: Multicore Acceleration

  • Supported Platforms and Features
  • Default Configuration
  • Processing Core Allocation
  • Allocating Processing Cores
  • Adding Processing Cores to the Hardware
  • Allocating an Additional Core to the SND
  • Allocating a Core for Heavy Logging
  • Packet Flows with SecureXL Enabled

Lab 3: Migrating to a Clustering Solution

  • Installing and Configuring the Secondary Security Gateway
  • Re-configuring the Primary Gateway
  • Configuring Management Server Routing
  • Configuring the Cluster Object
  • Testing High Availability
  • Installing the Secondary Management Server
  • Configuring Management High Availability

Chapter 13: Advanced User Management

User Management

  • Active Directory OU Structure
  • Using LDAP Servers with Check Point
  • LDAP User Management with User Directory
  • Defining an Account Unit
  • Configuring Active Directory Schemas
  • Multiple User Directory (LDAP) Servers
  • Authentication Process Flow
  • Limitations of Authentication Flow
  • User Directory (LDAP) Profiles

Troubleshooting User Authentication and User Directory (LDAP)

  • Common Configuration Pitfalls
  • Some LDAP Tools
  • Troubleshooting User Authentication

Identity Awareness

  • Enabling AD Query
  • AD Query Setup
  • Identifying users behind an HTTP Proxy
  • Verifying there’s a logged on AD user at the source IP
  • Checking the source computer OS
  • Using SmartView Tracker

Lab 4: Configuring SmartDashboard to Interface with Active Directory

  • Creating the Active Directory Object in SmartDashboard
  • Verify SmartDashboard Communication with the AD Server

Chapter 14: Advanced IPsec VPN and Remote Access
Advanced VPN Concepts and Practices

  • IPsec
  • Internet Key Exchange (IKE)
  • IKE Key Exchange Process – Phase 1/ Phase 2 Stages

Remote Access VPNs

  • Connection Initiation
  • Link Selection

Multiple Entry Point VPNs

  • How Does MEP Work
  • Explicit MEP
  • Implicit MEP

Tunnel Management

  • Permanent Tunnels
  • Tunnel Testing
  • VPN Tunnel Sharing
  • Tunnel-Management Configuration
  • Permanent-Tunnel Configuration
  • Tracking Options
  • Advanced Permanent-Tunnel configuration
  • VPN Tunnel Sharing Configuration

Troubleshooting

  • VPN Encryption Issues

VPN Debug

  • vpn debug Command
  • vpn debug on | off
  • vpn debug ikeon | ikeoff
  • vpn Log Files
  • vpn debug trunc
  • VPN Environment Variables
  • vpn Command
  • vpn tu
  • Comparing SAs

Lab 5: Configure Site-to-Site VPNs with Third Party Certificates

  • Configuring Access to the Active Directory Server
  • Creating the Certificate
  • Importing the Certificate Chain and Generating Encryption Keys
  • Installing the Certificate
  • Establishing Environment Specific Configuration
  • Testing the VPN Using 3rd Party Certificates

Lab 6: Remote Access with Endpoint Security VPN

  • Defining LDAP Users and Groups
  • Configuring LDAP User Access
  • Defining Encryption Rules
  • Defining Remote Access Rules
  • Configuring the Client Side

Chapter 15: Auditing and Reporting
Auditing and Reporting Process

  • Auditing and Reporting Standards

SmartEvent

  • SmartEvent Intro

SmartEvent Architecture

  • Component Communication Process
  • Event Policy User Interface

SmartReporter

  • Report Types

Lab 7: SmartEvent and SmartReporter

  • Configure the Network Object in SmartDashboard
  • Configuring Security Gateways to work with SmartEvent
  • Monitoring Events with SmartEvent
  • Generate Reports Based on Activities

 



Who Should Attend
  • Support engineers
  • Systems engineers
  • Network analysts
  • Senior network administrators
  • Network Security Administrators and Technicians
  • Anyone involved in implementing, verifying, and troubleshooting routed and switched enterprise networks
     





Objectives

Upon completion of the course the participants will be able to:

  • Install the security gateway in a distributed environment
  • Configure rules on Web and Gateway servers
  • Create a basic rule base in SmartDashboard and assign permissions
  • Schedule backups and seamless upgrades with minimal downtime
  • Monitor and troubleshoot IPS and common network traffic
  • Back up the Security Gateway and Management Server
  • Build, test and troubleshoot a clustered Security Gateway
  • Upgrade and Troubleshoot a Management Server
  • Configure and Maintain Security Acceleration Solutions
  • Manage, test and optimize corporate VPN tunnels

 



Prerequisites
  • Basic knowledge of networking
  • Windows Server and/or UNIX skills
  • Internet and TCP/IP experience

 



Methodology
1. Training
2. Discussions
3. Labs
4. Exercises


Equipment
1. Training material in the English language
2. Personal Computers
3. Video Projector
4. Virtual Labs
5. Whiteboard and flip charts





© EDUCATION & INFORMATION TECHNOLOGY CENTRE (EDITC). All Rights Reserved. Developed by CMP POLYMEDIA LTD