Ques 1. What Is Cleanup Rule In Checkpoint Firewall?
The Security Gateway drops all communication attempts that do not match a rule. The only
way to monitor the dropped packets is to create a Cleanup rule that logs all dropped traffic.
The cleanup rule, also known as the “none of the above” rule, drops all communication not
described by any other rule, and allows us to specify logging for everything being dropped
by this rule.
Ques 2. What Is NAT?
Network address translation (NAT) is the process of modifying IP address information in IP
packet headers while in transit across a traffic routing device.
Ques 3. What Are The Two Types Of Check Point Ng Licenses?
There are two methods of licensing in Checkpoint – (a) central license and (b) local license.
· A local license is bound to the IP address of the gateway.
· A central license is attached to the management server IP, and licenses are attached to the
gateway from the management server.
Ques 4. What Is Source NAT?
Source NAT is the translation of the source IP address of a packet leaving the Checkpoint
device. Source NAT is used to allow hosts with private IP addresses to access a public network.
In the example below, the client IP 192.168.0.1 (private IP) is translated to 200.0.0.1 (public
IP) via the SNAT feature.

Ques 5. Which Application In Check Point Technology Can Be Used To Configure Security Objects?
To configure security objects, “SmartDashboard” is required.
Ques 6. What Is IPsec?
Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and
encrypts the packets of data sent over an Internet Protocol network. It is used in virtual
private networks (VPNs). The IPsec protocol is a standard providing privacy,
integrity, and authenticity to information transferred across IP networks. IPsec provides IP
network-layer encryption. IPsec has two modes, tunnel mode and transport mode.
Ques 7. What Is Destination NAT?
Destination network address translation (DNAT) is a technique for transparently changing
the destination IP address of an end route packet and performing the inverse function for
any replies. In the example below, a destination IP of 200.0.0.1 that hits the Checkpoint
FW is translated to the private IP 192.168.0.1 (server).

Ques 8. What Is Explicit Rule In Checkpoint Firewall?
An explicit rule is a rule that you create in the rule base. Explicit rules are displayed together
with implied rules in the correct sequence when we choose to view implied rules.
Ques 9. What Is SmartDashboard?
SmartDashboard is the SmartConsole client that lets us manage security policies and
network objects.
In SmartDashboard, we can manage all aspects of our network security. The settings
defined in the various tabs are applied to gateways and/or endpoints to enforce the security
that we choose to implement.

Ques 10. What Is 3 Tier Architecture Component Of Checkpoint Firewall?
The three components of the 3-tier architecture are:
· Smart Console
· Management Server
· Gateways
Ques 11. Which are the key Security Zones?
Below are the key security zones:
· External network – An insecure network such as the Internet.
· Internal network – Trusted company data used by authenticated users.
· Perimeter – The border between the internal and external networks.
· DMZ – Internet-facing company servers that can be accessed from the insecure Internet.
Ques 12. Difference between Automatic NAT and Manual NAT?
The table below provides the differences between Automatic NAT and Manual NAT –

Further, some of the situations where manual NAT rule creation may be warranted –
· Instances where remote networks only allow specific IP addresses.
· Situations where translation is desired for some services, and not for others.
· Environments where more granular control of address translation in VPN tunnels is
needed.
· Enterprises where the address translation rule base order must be manipulated.
· When port address translation is required (port forwarding).
· Environments where granular control of address translation between internal
networks is required.
· When a range of IP addresses, rather than a network, will be translated.
Ques 13. What Are The Functions Of Cpd, Fwm, And Fwd Processes?
· Check Point Daemon (cpd) is a core process available on every Check Point product.
Among other things, it allows the following –
o Secure internal communication (SIC) functionality – Ports 18xxx are used for
this communication.
o Status – Pull the application monitoring (AMON) status from the
GW/Management using Smart Event.
o Transfer of messages between FireWall-1 processes.
o Policy installation – Receives the policy on the gateway and pushes it
forward to relevant processes and the Kernel.
· Firewall management (fwm) is available on any management product, including
multi-domain security management and on products that require direct GUI access,
such as SmartEvent. It provides the following –
o GUI client communication – This is communication between the
management server and the GUI client.
o Database manipulation – This includes all actions that are performed on the
MGMT, such as object creation, rules and users.
o Policy compilation – fwm handles the policy compilation that is later applied
to network traffic during the inspection process.
o Management HA sync – Management High Availability synchronization is handled by fwm.
· fwd allows other processes, including the kernel, to forward logs to external log
servers as well as the SMS. It is related to policy installation and is used to
communicate with the kernel using command line tools such as the fw commands,
kernel variables, or kernel control commands.
Ques 14. What Is the main Difference Between Cpstop/cpstart And Fwstop/fwstart?
· Cpstop: Stop all Check Point services except cprid.
· Cpstart: Start all Check Point services except cprid.
· Fwstop: Stop the firewall
· Fwstart: Start the firewall
Ques 15. What Is The Packet Flow Of Checkpoint Firewall?
It is the way in which packets are analyzed when going through a Checkpoint firewall:
· The packet arrives at the security gateway and is intercepted by the NIC on the
inbound side.
· The firewall kernel inbound chain begins inspecting the packet
· Once the packet is matched against the rule base, a log is generated and sent from
the kernel to the user mode process, fwd, located in the security gateway.
· The fwd process on the security gateway sends the log to the fwd process on the
management server, where it is forwarded to fwm via cpd.
· Fwm sends the log to the relevant SmartConsole application, such as SmartView
tracker.
· At the same time, depending on routing decisions made by the OS and excluding
specific scenarios such as VPN routing, the packet is routed to a selected NIC. The
packet must go through the firewall kernel again, only this time through the
outbound chain to the appropriate NIC and to the network.
Ques 16. What is Stealth Rule in checkpoint firewall?
The stealth rule prevents any user from connecting directly to the Gateway. Protecting the
Gateway in this manner makes the Gateway transparent to the network. The Gateway
becomes invisible to users on the network.
Ques 17. What Is SIC?
Secure internal communication (SIC) lets Check Point platforms and products authenticate
with each other. The SIC procedure creates a trusted status between gateways,
management servers and other Check Point components. SIC is required to install policies on
gateways and to send logs between gateways and management servers.
Ques 18. What are the major differences between SPLAT and GAIA?
Gaia is the latest Checkpoint operating system, which combines SPLAT and IPSO. Here are
some benefits of Gaia compared to SPLAT/IPSO.
· Web-Based user interface with Search Navigation
· Full Software Blade support
· High connection capacity
· Role-Based administrative Access
· Intelligent Software updates
· Native IPv4 and IPv6 Support
· ClusterXL or VRRP Clusters
· Manageable Dynamic Routing Suite
· Full Compatibility with IPSO and SecurePlatform.
Ques 19. What is Checkpoint Architecture?
Checkpoint Architecture consists of three components:
· GUI = SmartDashboard is a SmartConsole GUI application that is used by the
system administrator to create and manage the security policy.
· MM = The Security Management server is used by the system administrator to manage
the security policy. The organization’s databases and security policies are stored on
the Security Management server.
· FW = The Security Gateway enforces the organization’s security policy and acts as a
security enforcement point.

Ques 20. What is Hide NAT?

Hide NAT is a many-to-one relationship, where multiple computers on the internal network
are represented by a single unique address. This enhances security because connections can
only be initiated from the protected side of the Security Gateway. This type of NAT is also
referred to as Dynamic NAT.
Ques 21. What is the difference between standalone and distributed deployments?
· Standalone deployment: In a standalone deployment, the security management
server and security gateway are installed on the same computer or appliance.
· Distributed deployment: In a distributed deployment, the security gateway and the
security management server are installed on different computers or appliances.

Ques 22. What is Anti-Bot?
The Check Point Anti-Bot software blade detects bot-infected machines, prevents bot
damage by blocking bot C&C communications, and is continually updated from
ThreatCloud, the first collaborative network to fight cybercrime.

Ques 23. Difference between fwstop and cpstop?
“cpstop” stops all Check Point services, while “fwstop” stops the firewall.
Ques 24. What is CPinfo, and why is it used?
CPInfo is an auto-updatable utility that collects diagnostic data on a machine at the time of
execution and uploads it to Check Point servers.
The CPInfo output file allows a setup to be analyzed from a remote location. Check Point support
engineers can open the CPInfo file in a demo mode while viewing the actual customer Security
Policies and Objects. This allows in-depth analysis of the customer’s configuration and
environment settings. It is used when a case is opened with Checkpoint, since it has all the
information about the management server and the gateway to be analyzed.
Ques 25. What is MDS Database?
Multi-Domain Security Management is a centralized management solution for large-scale,
distributed environments with many different network Domains. This solution is ideal for
enterprises with many subsidiaries, branches, partners and networks. Multi-Domain Security
Management is also an ideal solution for managed service providers, cloud computing
providers, and data centers.
Centralized management gives administrators the flexibility to manage policies for
many diverse entities. Security policies should be applicable to the requirements of different
departments, business units, branches and partners, balanced with enterprise-wide
requirements. The MDS database is the database used when running Multi-Domain Security
Management in Checkpoint.
Ques 26. How to configure SMS HA?
To configure SMS HA (Management HA), follow these steps:
· Configuring a Secondary Server in SmartDashboard
In the SmartDashboard connected to the Primary server, you create a network object to
represent the Secondary Security Management. You then synchronize the Primary and
Secondary Security Management servers.
To configure the secondary server in SmartDashboard:
1) Open SmartDashboard.
2) In the Network Objects tree, right-click Check Point and select Host.
3) In the Check Point Host window, enter a unique name and IP address for the server.
4) In the Software Blades section, select the Management tab. Select Network Policy
Management. This automatically selects the Secondary Server, Logging and Status,
and Provisioning options.
5) Optional: To use Endpoint Security, select Endpoint Policy Management.
6) Click Communication to create SIC trust between the Secondary Security
Management and the Primary Security Management.
a) Enter and confirm the SIC Activation Key that you entered in the Check Point
Configuration Tool.
b) Click Initialize to create a state of trust between the Security Management
servers.
c) If the trust is not created, click Test SIC Status to see what you must do to create
the trust successfully.
d) If you have to reset the SIC, click Reset, reset the SIC on the Secondary Server
and then click Initialize.
e) Click Close.
7) Click OK.
8) Select File > Save.
9) Start manual synchronization.
For environments with Endpoint Security, see Manual Synchronization with Endpoint
Security.
Failover
Security Management failover is a manual procedure. If the Active Security Management
fails or it is necessary to change the Active Security Management to a Standby, you must do
these steps to prevent data loss:
If the Active Security Management is responsive:
1) Manually synchronize the Active and Standby Security Management servers.
2) Change the Active Security Management to Standby.
3) Change the Standby Security Management to Active.
If the Active Security Management has failed and you cannot change it:
1) Manually change the Standby Security Management to Active.
Important – If you have two Security Management servers that are set to Active at the same
time, unexpected behavior can occur.
Changing a Server to Active or Standby
Whenever possible, change the Active Security Management to Standby before you change
the Standby Security Management to Active.
To change an Active Endpoint Security Management Server to Standby:
1) Connect to the Active Security Management with SmartDashboard.
2) Go to Policy > Management High Availability.
3) Click Change to Standby.
4) Click Yes to confirm the change.
To change a Standby Security Management to Active:
1) Connect to the Standby Security Management with SmartDashboard.
2) The Server Login window opens.
3) Make sure that no peer server is Active.
4) Click Change to Active.
5) Click Yes to confirm the change.
Ques 27. Which protocols are used in Checkpoint for clustering?
We can use either of two protocols –
· VRRP
· ClusterXL
VRRP is a cluster solution where two or more Gaia-based security gateways work together as
one security gateway. We can configure a VRRP cluster for High Availability or load sharing.
ClusterXL is a Checkpoint solution. It provides high availability and load sharing. It
distributes traffic between clusters of redundant gateways so the computing capacity of
multiple machines may be combined to increase total throughput.
Ques 28. What are Delta and Full Mode in Clustering?
· Delta synchronization: Transfers changes in the kernel tables between cluster
members. Delta sync is handled by the firewall kernel, using UDP multicast or
broadcast on port 8116.
· Full synchronization: Transfers all firewall kernel table information from one cluster
member to another. It is handled by the fwd daemon, using an encrypted TCP
connection. Full synchronization is used for initial transfers of state information for
thousands of connections. If a cluster member is brought up after a failure, it
will perform a full sync. Once all members are synchronized, only updates are
transferred via delta sync. Delta sync is much quicker than full sync.
Ques 29. How to Install Checkpoint Firewall NGX on Secure Platform?
The user can run the tool by booting from the CD that contains it, by booting from
a diskette and accessing a local CD, or by booting from a diskette and accessing the CD over the
network.
Booting from the CD
To boot from the CD:
1. Configure the BIOS of the machine to boot from the CD drive.
2. Insert the CD into the drive.
3. Boot the machine.
Booting from a Diskette and Accessing a Local CD
This option should be used when the hardware platform cannot be configured to boot from
the CD drive (but will boot from a diskette), and has a CD drive.
To boot from a diskette and access a local CD:
1. Insert the CD into the drive.
2. Insert a diskette into the drive.
3. Browse to your CDROM drive and select the SecurePlatform/images folder.
4. Drop the boot.img file on the cprawrite executable.
Alternatively, using the NT command shell (cmd), run the following command (where
D: is the CD-ROM drive):
D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\boot.img
5. Boot the machine.
Booting from a Diskette and Accessing the CD over the Network
This option should be used when the machine to be tested has no CD drive. In this
case, there will be two machines participating:
· The machine in which you will insert the CD
· The machine on which you will run the tool
To boot from a diskette and access a CD over the network:
On the Machine with the CD Drive
Proceed as follows:
1. Insert the CD into the drive of a (Microsoft Windows-based) machine.
2. Insert a diskette into its diskette drive.
3. Browse to the CD drive and select the SecurePlatform/images folder.
4. Drop the bootnet.img file on the cprawrite executable.
Alternatively, using the NT command shell (cmd), run the following command (where
D: is the CD-ROM drive):
D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\bootnet.img
This step writes files to the diskette, which you will transfer to the other machine (the
machine on which the tool will be run).
5. Make the contents available on the network, either by allowing access to the CD
drive, or by copying the CD to a hard disk and enabling access to that disk (for
example, by FTP, HTTP, or NFS).
On the Machine You Are Testing
Proceed as follows:
1. Insert the diskette you created in step 4, above, into the diskette drive of the
machine you are testing.
2. Boot the machine.
3. Configure the properties of the interface through which this machine is connected
to the network, including its IP address, netmask, default gateway and DNS.
4. You can choose to configure this interface as a dynamic IP address interface.
5. Enable access to the files on the machine with the CD drive (see step 5).
6. Specify the following settings for the other machine:
o IP address, or hostname
o Package Directory
o user/password (if necessary)
7. If you are installing using a serial console, instead of the keyboard and monitor,
make sure that your terminal emulation software is configured as follows:
o 9600 Baud rate
o 8 data bits
o no parity
o no flow control
Using the Hardware Compatibility Testing Tool
The hardware tool automatically tests the hardware for compatibility.
When it finishes, the tool displays a summary page with the following information:
· statement whether the Platform is suitable for installing SecurePlatform
· number of supported and unsupported mass storage devices found
· number of supported and unsupported Ethernet Controllers found
Additional information can be obtained by pressing the Devices button. The devices
information window lists all the devices found on the machine (grouped according to
functionality).
Use the arrow keys to navigate through the list.
Pressing Enter on a specific device displays detailed information about that device.
The detailed information can be saved to a diskette, to a TFTP Server, or dumped through
the Serial Console. This action can be required in cases where some of the devices are not
supported.
Ques 30. What are major differences between NGFW and NGTP?
The table below illustrates the differences between NGFW and NGTP –

Ques 31. Does Checkpoint NGFW support the following Software Blades – URL Filtering, Antivirus,
Anti-Spam? If the answer is “No”, then which Checkpoint appliance supports the above blades?
No. In that case Checkpoint NGTP (Next Generation Threat Prevention) supports URL
Filtering, Antivirus and Anti-Spam.
Ques 32. Which Checkpoint NGFW/NGTP Models are used in Data Center environments?
For data centres and high-end enterprises, the following security gateways are used:
· Appliance 23500
· Appliance 23800
· Appliance 23900
· Appliance 26000
Ques 33. 40 Gbps (QSFP) support in Checkpoint Security Gateway Appliances starts with
which model?
QSFP is supported on the appliances below (starting with the 5600):
· 5600 Appliances
· 5800 Appliances
· 15400 Appliances
· 15600 Appliances
· 16000 Appliances
· 23500 Appliances
· 23800 Appliances
· 23900 Appliances
· 26000 Appliances
Ques 34. What is Asymmetric Encryption?
Asymmetric encryption uses two keys to encrypt plain text. Because keys are exchanged
over the Internet or a large network, the scheme must ensure that malicious persons cannot
misuse them. It is important to note that anyone with the secret key can decrypt the message, and
this is why asymmetric encryption uses two related keys to boost security. A public key is
made freely available to anyone who might want to send you a message. The second, private
key is kept secret so that only you know it.

A message that is encrypted using the public key can only be decrypted using the private key,
and likewise a message encrypted using the private key can be decrypted using the public key.
Security of the public key is not required because it is publicly available and can be passed
over the Internet. Asymmetric keys are far better at ensuring the security of
information transmitted during communication.
Ques 35. What is Anti-Spoofing?
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering
a packet’s IP address. This alteration makes it appear as though the packet originated in the
part of a network with higher access privileges. The security gateway has a sophisticated
anti-spoofing feature that detects such packets, by requiring that the interface on which a
packet enters a gateway corresponds to its IP address.
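The ordering the answers to Ques 1, 16 and 35 describe (anti-spoofing checked first, the stealth rule near the top, the cleanup rule last) can be seen in a small simulation. This is an added example, not Check Point code; the interfaces, networks and rule names are constructed for illustration.

```python
import ipaddress

# Constructed topology (an assumption for this example): the networks expected
# behind each internal interface. Any other interface is treated as external.
TOPOLOGY = {
    "eth1": ["192.168.0.0/24"],   # internal LAN
    "eth2": ["172.16.10.0/24"],   # DMZ
}
# Addresses of the gateway itself (constructed), protected by the stealth rule.
GATEWAY_ADDRS = {"203.0.113.1", "192.168.0.254", "172.16.10.254"}

# Ordered rule base, first match wins. Stealth rule near the top (Ques 16),
# cleanup rule last (Ques 1). Constructed example, not a real policy.
RULE_BASE = [
    {"name": "stealth", "src": "any", "dst": "gateway", "svc": "any", "action": "drop", "log": True},
    {"name": "web-out", "src": "192.168.0.0/24", "dst": "any", "svc": "tcp/443", "action": "accept", "log": False},
    {"name": "dmz-web", "src": "any", "dst": "172.16.10.0/24", "svc": "tcp/80", "action": "accept", "log": True},
    {"name": "cleanup", "src": "any", "dst": "any", "svc": "any", "action": "drop", "log": True},
]

LOG = []  # what SmartView Tracker would receive via fwd/fwm


def anti_spoofing_ok(iface, src_ip):
    """Ques 35: the source address must belong to the networks defined behind
    the ingress interface. On the external interface anything is allowed
    except an address that belongs to one of the internal/DMZ networks."""
    ip = ipaddress.ip_address(src_ip)
    internal = [ipaddress.ip_network(n) for nets in TOPOLOGY.values() for n in nets]
    if iface in TOPOLOGY:
        return any(ip in ipaddress.ip_network(n) for n in TOPOLOGY[iface])
    return not any(ip in net for net in internal)


def _addr_match(pattern, ip):
    if pattern == "any":
        return True
    if pattern == "gateway":
        return ip in GATEWAY_ADDRS
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def inspect(iface, src, dst, svc):
    """Return (action, rule name) for one packet and log it the way the
    matched rule asks. Anti-spoofing is enforced before the rule base."""
    if not anti_spoofing_ok(iface, src):
        LOG.append(f"drop anti-spoofing src={src} iface={iface}")
        return "drop", "anti-spoofing"
    for rule in RULE_BASE:
        if (_addr_match(rule["src"], src) and _addr_match(rule["dst"], dst)
                and rule["svc"] in ("any", svc)):
            if rule["log"]:
                LOG.append(f"{rule['action']} rule={rule['name']} {src}->{dst} {svc}")
            return rule["action"], rule["name"]
    # Only reachable without a cleanup rule: the gateway still drops the
    # packet, but nothing is logged, which is exactly what Ques 1 warns about.
    return "drop", "implicit-drop"


if __name__ == "__main__":
    for pkt in [("eth1", "192.168.0.10", "198.51.100.7", "tcp/443"),
                ("eth0", "198.51.100.9", "203.0.113.1", "tcp/22"),
                ("eth0", "192.168.0.5", "172.16.10.80", "tcp/80"),
                ("eth0", "198.51.100.9", "172.16.10.80", "tcp/23")]:
        print(pkt, "->", inspect(*pkt))
    print("\n".join(LOG))
```

Removing the cleanup entry from RULE_BASE makes the last packet fall through to the silent implicit drop, which is why the cleanup rule is the only place to get those logs.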
Ques 36. What is VPN?
Virtual Private Network technology leverages the Internet to build and enhance secure
network connectivity. A VPN meets the requirements of the communicating parties by providing
fast, scalable, and resilient connectivity, in addition to some key attributes –
· Confidentiality
· Integrity
· Authentication
Based on standard internet secure protocols, a VPN enables secure links between special
types of network nodes: the gateways. Site-to-site VPN ensures secure links between
gateways. Remote access VPN ensures secure links between gateways and remote access
clients.

Ques 37. What is the difference between standalone and distributed deployments?
· Standalone deployment: In a standalone deployment, the security management
server and security gateway are installed on the same computer or appliance.
· Distributed deployment: In a distributed deployment, the security gateway and the
security management server are installed on different computers or appliances.
Ques 38. What are the types of NAT in Checkpoint firewall?
The Security Gateway supports two types of NAT, where the source and/or the destination
are translated:
· Hide NAT: Hide NAT is a many-to-one relationship, where multiple computers on the
internal network are represented by a single unique address. This enhances security
because connections can only be initiated from the protected side of the security
gateway. This type of NAT is also referred to as Dynamic NAT.
· Static NAT: Static NAT is a one-to-one relationship, where each host is translated to
a unique address. This allows connections to be initiated internally and externally.
An example would be a web server or a mail server that need to allow connections
initiated externally.
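The behaviour described in Ques 4, 7, 20 and 38 (Hide NAT sharing one address and refusing unsolicited inbound connections, Static NAT mapping one-to-one in both directions, replies translated back by the inverse mapping) modelled as a small connection table. This is an added example, not Check Point code; the addresses and the port-allocation scheme are constructed for illustration.

```python
import ipaddress


class NatGateway:
    """Tiny model of the two NAT types described above (constructed example).
    Hide NAT: many internal hosts share one public address, distinguished by a
    translated source port, and only the protected side can open connections.
    Static NAT: one private address maps one-to-one to one public address, in
    both directions, so an outside host can initiate a connection (Ques 7/38)."""

    def __init__(self, hide_net, hide_addr, static_map):
        self.hide_net = ipaddress.ip_network(hide_net)
        self.hide_addr = hide_addr
        self.static = dict(static_map)                                   # private -> public
        self.static_rev = {pub: prv for prv, pub in static_map.items()}  # public -> private
        # Connection table keyed on the *translated* outbound 4-tuple, so replies
        # can be mapped back (the "inverse function" of Ques 7).
        self.table = {}
        self.next_port = 10000

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the protected side (Ques 4). Returns translated (src, sport)."""
        if src in self.static:                                   # Static NAT keeps the port
            new_src, new_sport = self.static[src], sport
        elif ipaddress.ip_address(src) in self.hide_net:         # Hide NAT allocates a port
            new_src, new_sport = self.hide_addr, self.next_port
            self.next_port += 1
        else:
            return src, sport                                    # no NAT rule matches
        self.table[(new_src, new_sport, dst, dport)] = (src, sport)
        return new_src, new_sport

    def inbound(self, src, sport, dst, dport):
        """Packet arriving from the outside. Returns the real (dst, dport), or
        None when the gateway has no mapping and therefore drops the packet."""
        reply = self.table.get((dst, dport, src, sport))
        if reply is not None:                                    # reply to an existing connection
            return reply
        if dst in self.static_rev:                               # new inbound to a Static NAT server
            return self.static_rev[dst], dport
        return None   # Hide NAT address: outside hosts cannot initiate (Ques 20)


def demo():
    # Constructed addressing (assumption): 192.168.0.0/24 is hidden behind 200.0.0.2,
    # and the web server 192.168.0.1 is statically published as 200.0.0.1.
    gw = NatGateway("192.168.0.0/24", "200.0.0.2", {"192.168.0.1": "200.0.0.1"})
    out1 = gw.outbound("192.168.0.10", 51000, "198.51.100.7", 443)
    out2 = gw.outbound("192.168.0.11", 51000, "198.51.100.7", 443)  # same client port, no clash
    reply = gw.inbound("198.51.100.7", 443, "200.0.0.2", out2[1])    # comes back to the right host
    unsolicited = gw.inbound("198.51.100.9", 40000, "200.0.0.2", 80)  # dropped: hide address
    to_server = gw.inbound("198.51.100.9", 40000, "200.0.0.1", 80)    # allowed: static mapping
    return out1, out2, reply, unsolicited, to_server


if __name__ == "__main__":
    for label, value in zip(["out1", "out2", "reply", "unsolicited", "to_server"], demo()):
        print(label, value)
```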
Ques 39. What is use of Database Revision Control?
Database Revision Control gives the administrator freedom to create fallback configurations
when implementing new objects and rules, or adjusting rules and objects as networks
change. This can help the administrator test new rule base and object configurations, or can
be used to revert to an earlier configuration for troubleshooting. Consider these points when
saving your policies –
· The database version consists of all policies on a single gateway, and the objects and
users configured, including settings in SmartDefense and Global Properties.
· It is an ideal management utility for a stand-alone or distributed deployment with a
single gateway.
· It can be configured to automatically create a new database version on policy installation.
Ques 40. Which blade do we investigate when you see high CPU caused by the pdpd process?
Identity Awareness.
Ques 41. Which command would be best suited for viewing the connections table on a
gateway?
fw tab -t connections -s
Ques 42. Which command you run to list established VPN tunnels?
vpn tu or vpn tunnelutil
Ques 43. Which command displays compression/decompression statistics?
vpn compstat
Ques 44. Which program you use to analyze Phase I and Phase II packet exchanges?
IKEView
Ques 45. Which folder contains the VPN debug files?
$FWDIR/log
Ques 46. What does a high confidence rating mean in IPS?
The high confidence means the following –
· Vulnerability may lead to non-privileged remote code execution.
· Vulnerability may affect important company assets.
· Vulnerability can be easily exploited.
· The vulnerable software is significantly deployed in corporate environments.
Ques 47. What command should you run to determine if Accept, Drop and NAT templating is
enabled?
fwaccel stats -s
Ques 48. What causes the kernel message “kernel: neighbor table overflow”?
This message means the ARP cache is overflowing.
The most likely reason is too much traffic on the network (generated by some application, by
some hosts, or by related factors).
Ques 49. How would you determine the value of ‘Maximum concurrent connections’ of the
NAT Table?
This can be done in two ways:
· With the command “fw tab -t connections -s”
· In SmartConsole, on the gateway properties:

Ques 50. What command displays the IPV6 routes?
show ipv6 route static