
Question 1: What is Checkpoint Firewall Architecture?
Answer: Check Point has developed a Unified Security Architecture that is implemented throughout all of its security products. This Unified Security Architecture enables all Check Point products to be managed and monitored from a single administrative console and provides a consistent level of security.
Question 2: What is stateful inspection?
Answer: Stateful inspection was invented by Check Point, providing accurate and highly efficient traffic inspection. The inspection engine examines every packet as it is intercepted at the network layer. The connection state and context information are stored and updated dynamically in the kernel table.
Question 3: What is the policy installation process in Checkpoint firewall?
Answer:
a. INITIATION – Policy installation is initiated by the GUI.
b. VERIFICATION – The information in the database is verified.
c. CONVERSION – The information in the database is converted.
d. CODE GENERATION & COMPILATION – The policy is translated to the INSPECT language and compiled with the INSPECT compiler.
e. CPTA – The Checkpoint Policy Transfer Agent transfers the policy to the firewall gateway using SIC.
f. COMMIT – The gateway is instructed to load the new policy.
Question 4: What is the main purpose of the Security management server?
Answer: The Security management server is used for administrative management of the security policy and stores the database and objects.
Question 5: What is the difference between standalone and distributed installation?
Answer:
Standalone deployment: The simplest deployment, where the management server and the gateway are installed on the same machine.
Distributed deployment: A more complex deployment, where the gateway and management server are deployed on different machines.
Question 6: What is SIC?
Answer: Secure Internal Communication (SIC) is the Check Point feature that ensures components such as Security Gateways and Security Management servers can communicate securely. The following security measures are taken to ensure SIC safety:
Certificates for authentication
Standards-based SSL for the creation of the secure channel
3DES for encryption
Question 7: What is the Internal Certificate Authority (ICA)?
Answer: The Internal Certificate Authority (ICA) is created during the management server installation process. It is responsible for issuing certificates for:
SIC
VPN
Certificates for gateways
Users
Question 8: What is fw unloadlocal?
Answer: fw unloadlocal is a command used to detach (unload) the installed security policy from the local gateway.
Question 9: What is the stealth rule in Checkpoint firewall?
Answer: The stealth rule prevents users from connecting directly to the gateway. The stealth rule, placed at the top of the rule base, protects your gateway from port scanning, spoofing, and other types of direct attacks.
Question 10: What is the FW Monitor command?
Answer: FW Monitor is a packet analyzer tool available on every Check Point security gateway. It provides kernel-level inspection and works for Layers 3 and above in the OSI model. There are four inspection points as a packet passes through the kernel (or virtual machine):
i – Before the virtual machine, in the inbound direction (Pre-Inbound)
I – After the virtual machine, in the inbound direction (Post-Inbound)
o – Before the virtual machine, in the outbound direction (Pre-Outbound)
O – After the virtual machine, in the outbound direction (Post-Outbound)
Question 11: What are the two types of Check Point NG licenses?
Answer:
Central licenses – The new licensing model, bound to the Security Management server.
Local licenses – The legacy licensing model, bound to the enforcement module.
Question 12: What are the functions of CPD, FWM, and FWD processes?
Answer:
CPD: CPD is high in the hierarchical chain and helps execute many services, such as Secure Internal Communication (SIC), Licensing, and status reporting.
FWM: The FWM process is responsible for executing the database activities of the Management server, including policy installation, HA synchronization, saving the policy, database read/write actions, log display, etc.
FWD: The FWD process is responsible for logging. It handles logging, security servers, and communication with OPSEC applications.
Question 13: What are the major differences between SPLAT and GAIA platforms?
Answer: Gaia is Check Point's newer operating system, combining SPLAT and IPSO. Some benefits of Gaia compared to SPLAT/IPSO are:
Web-based user interface with search navigation
Full Software Blade support
High connection capacity
Role-based administrative access
Intelligent software updates
Native IPv4 and IPv6 support
ClusterXL or VRRP clusters
Manageable dynamic routing suite
Question 14: What ports are used in SIC?
Answer:
18210 (TCP): Pulls certificates from the ICA.
18211 (TCP): Used by the cpd daemon (on the gateway) to receive certificates.
Question 15: What are the different Checkpoint Ports and their purposes?
Answer:
PORT  | TYPE | SHORT DESCRIPTION
256   | TCP  | FW1 Checkpoint Security Gateway Service
257   | TCP  | FW1_log Protocol (used for delivering logs from FWM)
259   | TCP  | FW1_clientauth_telnet (Client Authentication)
500   | UDP  | IPSEC IKE Protocol (formerly ISAKMP/Oakley)
900   | TCP  | FW1_clntauth_http (Client Authentication)
4433  | TCP  | Management server portal
4500  | UDP  | NAT-T (NAT Traversal)
8116  | UDP  | Check Point Cluster Control Protocol (CCP)
18190 | TCP  | CPMI Check Point Management Interface
18191 | TCP  | CPD Check Point Daemon Protocol
18192 | TCP  | CPD_amon Check Point Internal Application Monitoring
18210 | TCP  | FW1_ica_pull Check Point Internal CA Pull Certificate Service
18211 | TCP  | FW1_ica_push Check Point Internal CA Push Certificate Service
Question 16: What is the difference between tcpdump and fw monitor?
Answer:
Tcpdump: Displays traffic arriving at or leaving a firewall interface.
FW Monitor: Shows how the packet travels through the firewall, including routing and NAT decisions. FW Monitor captures traffic at four key points in the firewall, namely i, I, o, and O.
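As an added example for Questions 10 and 16 (not code from the original page or from Check Point), a small Python analyzer that groups fw monitor-style capture lines by IP id and reports, per packet, the last of the i/I/o/O inspection points at which it was seen; this is how a defender tells a policy drop (seen at i but never at I) from a NAT decision (addresses change between two points). The line format is a simplified assumption and the capture below is constructed.

```python
import re
from collections import defaultdict

# The four inspection points, in the order a packet crosses them (Q10).
POINTS = ["i", "I", "o", "O"]

# Simplified fw monitor line format (assumed for this example):
#   <iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<id>
LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)$"
)

# Constructed capture: id=1 allowed with destination NAT between i and I,
# id=2 stopped at i (e.g. by the stealth rule), id=3 hide-NATed between o and O.
SAMPLE_CAPTURE = """\
eth0:i[60]: 203.0.113.50 -> 198.51.100.10 (TCP) len=60 id=1
eth0:I[60]: 203.0.113.50 -> 10.0.0.10 (TCP) len=60 id=1
eth1:o[60]: 203.0.113.50 -> 10.0.0.10 (TCP) len=60 id=1
eth1:O[60]: 203.0.113.50 -> 10.0.0.10 (TCP) len=60 id=1
eth0:i[60]: 203.0.113.9 -> 198.51.100.1 (TCP) len=60 id=2
eth1:i[60]: 10.0.0.20 -> 192.0.2.53 (UDP) len=60 id=3
eth1:I[60]: 10.0.0.20 -> 192.0.2.53 (UDP) len=60 id=3
eth0:o[60]: 10.0.0.20 -> 192.0.2.53 (UDP) len=60 id=3
eth0:O[60]: 198.51.100.1 -> 192.0.2.53 (UDP) len=60 id=3
"""

def parse(lines):
    """Group capture lines by IP id, keeping (point, src, dst) in capture order."""
    packets = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            packets[int(m["id"])].append((m["point"], m["src"], m["dst"]))
    return dict(packets)

def analyse(packets):
    """Per packet: last point reached, whether the policy dropped it, NAT observed."""
    report = {}
    for pid, hops in packets.items():
        seen = [p for p, _, _ in hops]
        last = max(seen, key=POINTS.index)
        # Seen before the virtual machine but never after it: the policy dropped it.
        dropped = ("i" in seen and "I" not in seen) or ("o" in seen and "O" not in seen)
        nat = [f"{p1}->{p2}: {s1}->{d1} became {s2}->{d2}"
               for (p1, s1, d1), (p2, s2, d2) in zip(hops, hops[1:]) if (s1, d1) != (s2, d2)]
        report[pid] = {"last": last, "dropped": dropped, "nat": nat}
    return report

def run():
    return analyse(parse(SAMPLE_CAPTURE.splitlines()))
```

Running `run()` on the constructed capture flags packet 2 as dropped inbound, and shows destination NAT for packet 1 between i and I and source (hide) NAT for packet 3 between o and O.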
Question 17: What is bi-directional NAT?
Answer: If bi-directional NAT is selected, the gateway will check all NAT rules to see if there is a source match in one rule and a destination match in another rule. The gateway will use the first matches found and apply both rules concurrently.
Question 18: What are the stages of a phase 2 IKE exchange?
Answer: Peers exchange more key material and agree on encryption and integrity methods for the IPsec key. The DH key is combined with the key material to produce the symmetric IPsec key.
Question 19: Why is a cleanup rule needed explicitly in Checkpoint Smart Dashboard?
Answer: A cleanup rule is required to drop all traffic that did not match any of the other rules. While there is an implied rule in Checkpoint that drops packets if no rule matches, logging is not enabled for this implied rule.
Question 20: What is the difference in Snapshot/Backup/Upgrade Export (Migrate Export)/Database Revision Control?
Answer:
Snapshot: Backs up everything, including drivers. It can only be restored to the same device and exact same state.
Backup: Backs up Check Point configuration and OS system parameters. It is smaller than a snapshot and can be restored to a different machine.
Database Revision Control: Creates a version of your current policies, object database, IPS updates, etc. Useful for minor changes but cannot restore your system in case of failure.
Migrate Export (Upgrade Export): Backs up all Check Point configurations, independent of hardware or OS. Can only be upgraded, not downgraded.