Check Point Security Administration NGX III (R65) — A 4-day course
Synopsis
Check Point Security Administration III NGX (R65) offers comprehensive training to enhance enterprise knowledge of VPN-1 NGX, network planning, route-based VPN, and troubleshooting procedures.
Course Objectives
On completion of this course, delegates will be able to:
- Troubleshoot NGX product problems using troubleshooting guidelines
- Monitor and evaluate security gateway and OS performance
- Back up, restore, and upgrade a SmartCenter Server and VPN-1 Pro Security Gateway
- Troubleshoot NGX problems using troubleshooting utilities
- Perform NGX kernel debugging
- Perform user-level process debugging
- Troubleshoot security server issues
- Use VPN debugging tools
- Troubleshoot remote access VPN issues
- Configure advanced VPNs
- Troubleshoot ClusterXL problems
Suitable for
- System administrators, security managers, or network engineers who support installations of VPN-1 NGX and need the tools to troubleshoot and maintain these installations.
- A CCSE seeking their Check Point Certified Security Expert Plus NGX (CCSE Plus NGX) certification
Prerequisites
Publicly scheduled dates, locations, and prices
London — £1995 (+VAT)
- 16–19 Mar 2010
- 25–28 May 2010
Reading — £1995 (+VAT)
- 27–30 Apr 2010
Course Contents:
General Troubleshooting
- Troubleshooting Guidelines
- Identifying the Problem
- Collecting Related Information
- Listing Possible Causes
- Testing Causes Individually and Logically
- Consulting Various Reference Sources
- Before Installing VPN-1 NGX
- IP forwarding and Boot Security
- SIC and ICA Issues
- SIC Port Use
- Root Causes
- Verifying the Certificate
- Maintaining SIC
- Resetting SIC
- Using fwm sic_reset
- Network Address Translation
- Lab: Initial installation
- Install the Security Gateway
- Install the City Site Web server
- Install Primary SmartCenter Server
- Lab: Enable SCP on SecurePlatform (optional)
- Implement SCP on SecurePlatform
Network Monitoring
- State Tables and Kernel Memory
- fw tab Command
- fw ctl pstat
- CPU and Memory Stats
- SmartView Monitor
- SNMP (Simple Network Management Protocol)
- Configuring SNMP
- Using snmptrap
- Lab: Configure SNMP
- Configure SNMP on SecurePlatform
- Testing SNMP locally
- Installing SNMP Manager
- Test SNMP queries from SNMP Manager
- SNMP Trap
- Lab: Configure SNMP Manager (optional)
- Installing SNMP Manager
- Test SNMP queries from SNMP Manager
- SNMP Trap
Disaster Recovery
- Filing Structure
- $CPDIR
- $FWDIR/conf
- $FWDIR/lib/*.def Files
- $FWDIR/log
- Files on the Security Gateway
- Recovery Methods
- Backup and Restore
- Restoring with Snapshot
- Restoring with Upgrade_export and Upgrade_import
- Restore from a cpinfo
- Restore from database revision control
- Manual Restore
- Lab: Recovering SmartCenter Server
Troubleshooting Utilities
- cpinfo
- Overview
- cpinfo File
- InfoView
- Opening SmartDashboard in InfoView
- DbEdit
- objects_5_0.C Editing
- GuiDBedit
- cp_merge
- Freeware tools
- Lab: Using cpinfo
- Run cpinfo on the Security Gateway
- Examine cpinfo Output File
- Run cpinfo on the SmartCenter Server
- Lab: Analyzing cpinfo in InfoView
- Open Gateway cpinfo in InfoView
- Review Installed Products, System, License, and Other Information
- Launch SmartDashboard in InfoView
- Lab: Object Filler (optional)
- Converting Cisco to Check Point
Protocol Analyzers
- tcpdump
- snoop
- fw monitor
- Wireshark
- Lab: Comparing Client-Side NAT vs. Server-Side NAT with fw monitor
- Configure Automatic Static NAT for www.yourcity.cp
- Run fw monitor while webdallas Browses the NAT Address of www.yourcity.cp
- Disable Client-Side NAT
- Add Host Route on fwyourcity Gateway
- Run fw monitor while Browsing NAT IP Address
- Run fw monitor to Capture Clients Browsing NAT IP of www.yourcity.cp
NGX kernel debugging
- fw ctl debug
- fw Commands
- fw ctl Commands
- Other fw Commands
- fw Advanced Commands
- fwm Commands
- Lab: fw ctl debug
User-level process debugging
- NGX User Processes
- Debugging fwd
- Debugging fwm
- Debugging cpd
- Watchdog process - cpwd
- Lab: Using cpd and fwm Debugging
- Run debugs
- Debug the Security Gateway
- Debug the SmartCenter Server
- Replicate the Problem
- Turn off debugs
- View the Output
Security Servers
- The Folding Process
- Overview
- Example of packet flow
- Transparent Connections
- Rule Order
- Security Server Default Messages
- Troubleshooting Security Server Issues
- Reviewing CPU and Memory
- Editing fwauthd.conf
- Listing Possible Causes
- Identifying Issue Sources
- Analyzing Results
- Debugging Security Servers
- TDERROR_ALL_ALL Flag
- SMTP Security Servers
- Multiple Security Server Troubleshooting
- Messaging Security
- Architecture
- Debugging Messaging Security
VPN Debugging Tools
- IKE Basics
- Phase 1
- Phase 2
- Encryption Issues
- Troubleshooting Overview
- VPN Debugging Tools
- VPN Log Files
- vpn debug Command
- vpn Command
- Comparing SAs
- Troubleshooting Tables
- Encryption-Troubleshooting Table
- Common Error Messages
- Lab: Troubleshooting Site to Site VPN
- Configure the local Gateway
- Configure the peer
- Lab: Debug Site to Site #1
- Replicate the failure
- Lab: Debug Site to Site #2
- Troubleshooting Site to Site failure
Debugging Remote Access
- Remote Access Overview
- SecureClient Ports
- SecureClient Packet Flow
- Creating a Site
- Connecting to the Site
- Encrypting Data
- Connectivity Enhancements
- IKE over TCP
- UDP Encapsulation
- NAT-T
- Visitor Mode
- Link Selection for Remote Access
- Overview
- Link-Selection Methods in VPN-1 NGX
- SecuRemote/SecureClient Debugging Tools
- srfw monitor
- cpinfo
- IKE Debug and SR_Service Debug
- srfw ctl Debug
- Troubleshooting Table
- SSL Network Extender
- What does an SNX connection look like?
- Troubleshooting SNX
- Troubleshooting the client
- SecureClient Mobile
- Client Deployment
- Debugging SecureClient Mobile
- Lab: UDP encapsulation, NAT-T and Visitor Mode
- Gateway Side: Enable Office Mode on the Gateway
- Gateway Side: Create the SecureClient User
- Gateway Side: Configure the Remote Access Community
- Client Side: Installing and Creating the site
- UDP Encapsulation
- NAT-T
- Visitor Mode
- Lab: SNX Network Extender
- Configure SNX (SSL Network Extender)
- Connecting with the client
- Review vpnd
Advanced VPN
- Route-Based VPN
- Domain-Based VPN
- VPN Tunnel Interface
- VPN Routing Process
- Best Practices
- Numbered/Unnumbered VTIs
- Configuring Numbered VTIs
- Configuring Unnumbered VTIs
- Dynamic VPN Routing
- Wire Mode
- How Wire Mode Works
- Wire Mode in Route-Based VPN
- Directional VPN Rule Match
- Tunnel Management
- Permanent Tunnels
- VPN Tunnel Sharing
- Tunnel-Management Configuration
- VPN Tunnel Sharing Configuration
- Lab: Route-Based VPN Using Static Routes
- Configure fwyourcity to Join MyIntranet Community
- Configure fwpartnercity Gateways to Join MyIntranet Community
- Add Participating Gateways to MyIntranet
- Create VTIs on fwyourcity
- Configure VTI Topology in Gateway Object
- Add Static Routes to Internal Networks
- Enable VPN Directional Rule Match
- Configure Wire Mode
- Lab: Dynamic VPN Routing Using OSPF
- Update the Policy for OSPF Routing
- Configure OSPF Interfaces
- Configure OSPF on fwyourcity
- Reconfigure Anti-Spoofing on fwyourcity
- Verify Routes and OSPF Configuration
- Test VPN tunnels
ClusterXL
- Configuration Recommendations
- Troubleshooting ClusterXL
- Kernel Flags
- Lab: Running cphastart -d
- Run cphastop on Cluster Members
- Run cphastart -d on Cluster Members
- Lab: Manual Failover Using cphaprob -d Device Command
- Configure ClusterXL new mode HA
- Generate Failover in New Mode HA Cluster
- Lab: State Sync
- Run FTP session
Appendix A: Collecting Data
- Rule Base Issues
- NAT Issues
- Anti-Spoofing Issues
- SmartDashboard Issues
- Logging Issues
- Cluster Issues
- Security Server Issues
- OPSEC Server Issues
- LDAP Issues
- Core Dump and Dr. Watson Issues
Appendix B: NGX kernel debug
- fw kernel module options
