Check Point Security Administration NGX III (R65)

 

Chapter 1: General Troubleshooting 

• Troubleshooting Guidelines.
• Identifying the Problem
• Collecting Related Information
• Listing Possible Causes
• Testing Causes Individually and Logically
• Consulting Various Reference Sources
• Before Installing VPN-1 NGX
• IP Forwarding
• Routing
• Connectivity
• IP forwarding and Boot Security
• SIC and ICA Issues
• SIC Port Use
• Root Causes
• Verifying the Certificate
• Maintaining SIC 
• Resetting SIC
• ii Check Point Security Administration III NGX (R65)
• Using fwm sic_reset
• Network Address Translation
• Hide NAT
• Static NAT
• Debugging NAT

Lab 1: Initial installation.

• Install the Security Gateway
• Install the City Site Web server
• Install Primary SmartCenter Server

Lab 2: Enable SCP on Secureplatform (optional)

• Implement SCP on Secureplatform
• Enable the SCP Server 
• Testing SCP

Chapter 2: Network Monitoring

• State Tables and Kernel Memory
• fw tab Command
• fw ctl pstat 
• CPU and Memory Stats 
• SmartView Monitor
• SNMP - (Simple Network Management Protocol) 
• Configuring SNMP
• Using snmptrap

Lab 3: Configure SNMP

• Configure SNMP on Secureplatform
• Testing snmp locally
• snmpwalk
• snmpget
• snmpgetnext.
• SNMP Manager
• Test snmp queries from SNMP Manager
• SNMP Trap
• Check Point Security Administration III NGX (R65) iii

Lab 4: Configure SNMP Manager (optional) 

• Installing SNMP Manager 
• Test snmp queries from SNMP Manager
• SNMP Trap 

Chapter 3: Disaster Recovery 

• Filing Structure
• $CPDIR.
• $FWDIR/conf
• $FWDIR/lib/*.def Files
• $FWDIR/log 
• Files on the Security Gateway
• Recovery Methods .
• Backup and Restore 
• Restoring with Snapshot
• Restoring with Upgrade_export and Upgrade_import 
• Restore from a cpinfo
• Restore from database revision control 
• Manual Restore

Lab 5: Recovering SmartCenter Server 

• Recovering a SmartCenter Server 

Chapter 4: Troubleshooting Utilities

• cpinfo
• Overview
• cpinfo File 
• InfoView 
• Opening SmartDashboard in InfoView
• DbEdit 
• objects_5_0.C Editing 
• iv Check Point Security Administration III NGX (R65)
• GuiDBedit 
• cp_merge
• Freeware tools 

Lab 6: Using cpinfo 

• Run cpinfo on the Security Gateway
• Examine cpinfo Output File
• Run cpinfo on the SmartCenter Server 

Lab 7: Analyzing cpinfo in InfoView 

• Open Gateway cpinfo in Infoview 
• Review Installed Products, System, License, and Other Information 
• Launch SmartDashboard in InfoView

Lab 8: Object Filler (optional)

• Converting Cisco to Check Point 
• Importing the objects
• Importing the rules   

Chapter 5: Protocol Analyzers

• tcpdump
• snoop 
• fw monitor 
• Wireshark

Lab 9: Comparing Client-Side NAT vs. Server-Side NAT with fw monitor 

• Configure Automatic Static NAT for www.yourcity
• Run fw monitor while webdallas Browses
• the NAT Address of www.yourcity.cp
• Disable Client-Side NAT
• Add Host Route on fwyourcity Gateway
• Run fw monitor while Browsing NAT IP Address
• Run fw monitor to Capture Clients Browsing NAT IP of www.yourcity.cp
• Check Point Security Administration III NGX (R65) v
• Review
• Review Questions
• Review Answers

Chapter 6: NGX kernel debugging

• fw ctl debug
• fw ctl kdebug
• fw ctl debug Flags 
• Examples of fw ctl debug 
• zdebug 
• fw Commands
• fw ctl Commands
• fw ctl install 
• fw ctl uninstall 
• fw ctl iflist
• fw ctl arp
• fw ctl pstat 
• fw ctl conn
• Other fw Commands
• fw sam
• fw lichosts 
• fw log
• fw repairlog
• fw mergefiles
• fw fetchlogs
• fw Advanced Commands 
• fw fwd
• fw fwm
• fw fetchlocal 
• fw unloadlocal
• fw dbloadlocal
• fw defaultgen 
• fw getifs
• fw stat
• fwm Commands 
• Use 

Lab 10: fw ctl debug

• Run fw ctl debug
• vi Check Point Security Administration III NGX (R65)  

Chapter 7: User-level process debugging

• NGX User Processes
• Debugging fwd 
• Debug options 
• Debugging fwm
• Debug Options
• Debugging by Restarting fwm 
• Debugging Licensing
• Debugging SmartUpdate
• Debugging cpd
• cpd_admin usage 
• Debugging SIC
• Watchdog process - cpwd

Lab 11: Using cpd and fwm Debugging

• Run debugs
• Debug the Security Gateway
• Debug the SmartCenter Server
• Replicate the Problem
• Turn off debugs
• View the Output  

Chapter 8: Security Servers

• The Folding Process
• Overview 
• Example of packet flow
• Transparent Connections 
• Rule Order 
• Security Server Default Messages
• Check Point Security Administration III NGX (R65) vii
• Troubleshooting Security Server Issues
• Reviewing CPU and Memory
• Editing fwauthd.conf
• Listing Possible Causes 
• Identifying Issue Sources 
• Analyzing Results
• Debugging Security Servers 
• TDERROR_ALL_ALL Flag
• SMTP Security Servers
• Multiple Security Server Troubleshooting
• Messaging Security 
• Architecture 
• Debugging Messaging Security  

Chapter 9: VPN Debugging Tools

• IKE Basics 
• Phase 1 
• Phase 2 
• Encryption Issues 
• Troubleshooting Overview
• VPN Debugging Tools 
• VPN Log Files
• vpn debug Command 
• vpn Command
• Comparing SAs 
• Troubleshooting Tables
• Encryption-Troubleshooting Table
• Common Error Messages 

Lab 12: Troubleshooting Site to Site VPN

• Configure the local Gateway 
• Configure the peer 

Lab 13: Debug Site to Site #1

• Replicate the failure
• viii Check Point Security Administration III NGX (R65)

Lab 14: Debug Site to Site #2

• Troubleshooting Site to Site failure

Chapter 10: Debugging Remote Access

• Remote Access Overview
• SecureClient Ports
• Ports Used Through the Tunnel
• SecureClient Packet Flow.
• Creating a Site
• Connecting to the Site
• Encrypting Data
• Connectivity Enhancements
• IKE over TCP
• UDP Encapsulation
• NAT-T
• Visitor Mode
• Link Selection for Remote Access
• Overview
• Link-Selection Methods in VPN-1 NGX
• SecuRemote/SecureClient Debugging Tools
• srfw monitor
• cpinfo
• IKE Debug and SR_Service Debug
• srfw ctl Debug
• Troubleshooting Table
• SSL Network Extender
• What does a SNX connection look like?
• Troubleshooting SNX.
• Troubleshooting the client
• SecureClient Mobile
• Client Deployment
• Debugging SecureClient Mobile

Lab 15: UDP encapsulation, NAT-T and Visitor Mode

• Configuration for this lab
• Check Point Security Administration III NGX (R65) ix
• Gateway Side: Enable Office Mode on the Gateway
• Gateway Side: Create the SecureClient User
• Gateway Side: Configure the Remote Access Community
• Client Side: Installing and Creating the site
• UDP Encapsulation
• NAT-T
• Visitor Mode

Lab 16: SNX Network Extender

• Configure SNX (SSL Network Extender)
• Connecting with the client
• Review vpnd

Chapter 11: Advanced VPN

• Route-Based VPN
• Domain-Based VPN.
• VPN Tunnel Interface
• VPN Routing Process
• Best Practices
• Numbered/Unnumbered VTIs
• Configuring Numbered VTIs
• Configuring Unnumbered VTIs
• Dynamic VPN Routing
• Configuring Dynamic VPN Routing Using OSPF
• Wire Mode
• How Wire Mode Works
• Wire Mode in Route-Based VPN
• Directional VPN Rule Match
• Interface Groups
• Tunnel Management
• Permanent Tunnels
• VPN Tunnel Sharing
• x Check Point Security Administration III NGX (R65)
• Tunnel-Management Configuration
• VPN Tunnel Sharing Configuration

Lab 17: Route-Based VPN Using Static Routes

• Configure fwyourcity to Join MyIntranet Community
• COnfigure fwpartnercity Gateways to Join MyIntranet Community
• Add Participating Gateways to MyIntranet
• Create VTIs on fwyourcity
• Configure VTI Topology in Gateway Object
• Add Static Routes to Internal Networks
• Enable VPN Directional Rule Match
• Configure Wire Mode

Lab 18: Dynamic VPN Routing Using OSPF

• Update the Policy for OSPF Routing.
• Configure OSPF Interfaces
• Configure OSPF on fwyourcity
• Reconfigure Anti-Spoofing on fwyourcity
• Verify Routes and OSPF Configuration
• Test VPN tunnels

Chapter 12: ClusterXL

• Configuration Recommendations
• Recommendations for ClusterXL
• Recommendations for State Synchronization
• Troubleshooting ClusterXL
• cphaprob
• cphaprob state
• cphaprob -a if
• cphaprob -i list
• cphaprob -d <device> -s problem -t 0 register
• cpstat ha -f all
• Check Point Security Administration III NGX (R65) xi
• fw ctl debug -m cluster
• Kernel Flags
• fwha_enable_if_probing and fwha_monitor_if_link_state
• fwha_restrict_mc_sockets (0 by Default)
• fwha_use_arp_packet_queue (0 by Default)
• fwha_send_gratuitous_arp_var
• fw_gratuitous_arp_timeout
• fw_allow_connection_traffic_drop (1 by Default)
• fwha_allow_simultaneous_ping
• fwconn_merge_all_syncs
• fwtcpstr_reject_synced (On by Default)
• New behavior in NGX
• Lab 19: Running cphastart -d
• Run cphastop on Cluster Members
• Run cphastart -d on Cluster Members .
• Lab 20: Manual Failover Using cphaprob -d Device Command
• Configure ClusterXL new mode HA
• Generate Failover in New Mode HA Cluster
• Lab 21: State Sync
• Run FTP session

• (CP-NGX1) Check Point Security Administration NGX I
• (CP-NGX2) Check Point Security Administration NGX II

The Security Administration NGX III certification exam is now available at Pearson VUE.  The certification associated with this course is the CCSE Plus NGX R65. The exam number is 156-515.65.