Checkpoint R80.20 Manuel utilisateur

28 December 2020

Guide

NEXT GENERATION

SECURITY GATEWAY

R80.20

Classification: [Protected]

C H A P TE R 1

2020 Check Point Software Technologies Ltd.

distributed under licensing restricting their use, copying, distribution, and decompilation. No part

of this product or related documentation may be reproduced in any form or by any means without

prior written authorization of Check Point. While every precaution has been taken in the

preparation of this book, Check Point assumes no responsibility for errors or omissions. This

publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in

subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS

252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.

Refer to the Third Party copyright notices

https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of

relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date

with the latest functional improvements, stability fixes, security enhancements and

protection against new and evolving attacks.

Certifications

For third party independent certification of Check Point products, see the Check Point

Certifications page

https://www.checkpoint.com/products-solutions/certified-check-point-solutions/.

Check Point R80.20

For more about this release, see the R80.20 home page

http://supportcontent.checkpoint.com/solutions?id=sk122485.

Latest Version of this Document

Open the latest version of this document in a Web browser

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_

NextGenSecurityGateway_Guide/html_frameset.htm.

Download the latest version of this document in PDF format

http://downloads.checkpoint.com/dc/download.htm?ID=61492.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments

mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Next Generation

Security Gateway R80.20 Guide.

Revision History

Date Description

Updated:

Important:

•Load Sharing modes are only supported with the required R80.20

Jumbo Hotfix Accumulator. For instructions, see sk162637

https://supportcontent.checkpoint.com/solutions?id=sk162637.

•To upgrade a ClusterXL that works in a Load Sharing mode from a

lower version to R80.20, follow these steps in the same

maintenance window:

a) Upgrade the ClusterXL to R80.20.

b) Install the required R80.20 Jumbo Hotfix Accumulator. For

instructions, see sk162637

https://supportcontent.checkpoint.com/solutions?id=sk162637.

Date

Description

28 December 2020 Updated fw up_execute (on page 517)

28 October 2019 Updated:

•Load-Balancing Methods (on page 293) - "Domain" and "Round Trip"

load balancing methods are

not

supported for Logical Servers

22 September 2019 Added to the applicable topics:

Warning -The R80.20 ClusterXL does

not

support the Load Sharing

modes (R80.20 Known Limitation MB-30)

26 March 2019 Updated:

•IPS Updates (on page 185)

•Kernel Debug Syntax (on page 557) - added information about the

unified log file

Added:

•Automatically Saving Messages During a Crash

28 November 2018 Updated:

•Working with Kernel Parameters on Security Gateway (on page 547)

•Kernel Debug on Security Gateway (on page 557)

27 November 2018 Updated:

•Command Line Reference (on page 312) (added syntax for

commands)

Added:

•Working with Kernel Parameters on Security Gateway (on page 547)

•Kernel Debug on Security Gateway (on page 557)

04 October 2018 Improved formatting and document layout for HTML guide

26 September 2018 First release of this document

Important Information

Next Generation Security Gateway Guide R80.20 | 5

SmartConsole Toolbars

For a guided tour of SmartConsole, click What's New in the left bottom corner of SmartConsole.

Global Toolbar (top left of SmartConsole)

Description and Keyboard Shortcut

The main SmartConsole Menu

The Objects menu.

Also leads to the Object Explorer Ctrl+E

Install policy on managed gateways

Ctrl+Shift+Enter

Navigation Toolbar (left side of SmartConsole)

Description and Keyboard Shortcut

Gateways & Servers configuration view

Ctrl+1

Security Policies Access Control view

Security Policies Threat Prevention view

Ctrl+2

Logs & Monitor view

Ctrl+3

Manage & Settings view - review and configure the Security Management

Server settings

Ctrl+4

Command Line Interface Button (left bottom corner of SmartConsole)

Description and Keyboard Shortcut

Open a command line interface for management scripting and API

What's New Button (left bottom corner of SmartConsole)

Description and Keyboard Shortcut

Open a tour of the SmartConsole

Objects and Validations Tabs (right side of SmartConsole)

Description

Objects Manage security and network objects

Validations Validation warnings and errors

Important Information

Next Generation Security Gateway Guide R80.20 | 6

System Information Area (bottom of SmartConsole)

Description

Task List Management activities, such as policy installation tasks

Server Details The IP address of the Security Management Server

Connected

Users

The administrators that are connected to the Security Management Server

Contents

Important Information ......................................................................................................3

SmartConsole Toolbars................................................................................................5

Terms...............................................................................................................................16

Check Point Next Generation Security Gateway Solution .............................................18

Overview of Firewall Features ...................................................................................18

How to Use this Guide .................................................................................................18

Components of the Check Point Firewall Solution....................................................20

Mirror and Decrypt..........................................................................................................21

Introduction to Mirror and Decrypt ............................................................................21

Mirror and Decrypt Requirements.............................................................................24

Configuring Mirror and Decrypt in Gateway mode ....................................................25

Preparing the Security Gateway................................................................................. 26

Configuring Mirror and Decrypt in SmartConsole....................................................... 27

Configuring Mirror and Decrypt in VSX mode............................................................32

Preparing the VSX Gateway ....................................................................................... 34

Configuring Mirror and Decrypt in SmartConsole for One Virtual System.................... 35

Configuring Mirror and Decrypt in SmartConsole for Several Virtual Systems ............ 40

Mirror and Decrypt Logs.............................................................................................45

ICAP Client.......................................................................................................................46

Introduction to ICAP....................................................................................................46

ICAP Client in Check Point Security Gateway ............................................................51

ICAP Client User Disclaimer.......................................................................................52

Configuring ICAP Client in Gateway mode .................................................................53

Configuring ICAP Client in VSX mode.........................................................................54

The ICAP Client Configuration File.............................................................................55

Example of the ICAP Client Configuration File..........................................................67

Advanced ICAP Client Configuration..........................................................................70

Configuring Additional ICAP Response Headers for Enforcement............................... 70

Configuring Additional HTTPS Status Code, which ICAP Client Sends in RESPMOD...... 76

Configuring Connection Timeout for ICAP Connections............................................... 78

Configuring ICAP Client Data Trickling Parameters.................................................... 79

Hardware Security Module (HSM) ..................................................................................82

Why Use an HSM? .......................................................................................................82

The Check Point Environment with Gemalto SafeNet HSM Appliance .....................83

Workflow for Setting Up Your HSM Environment......................................................83

Step 1: Extracting the Gemalto Help Package...........................................................84

Step 2: Configuring the Gemalto HSM Appliance Server to Work with Check Point

Security Gateway ........................................................................................................84

Step 3: Configuring the Gemalto HSM Client Workstation........................................85

Step 4: Creating the CA Certificate on the Gemalto HSM Appliance Server ............86

Step 5: Configuring the Check Point Security Gateway to Work with the Gemalto

HSM Appliance Server ................................................................................................87

(A) Installing the Gemalto HSM Simplified Client Software Packages on the Check Point

Security Gateway ...................................................................................................... 88

(B) Establishing a Trust Link between the Check Point Security Gateway and the Gemalto

HSM Appliance Server............................................................................................... 88

Configuring HTTPS Inspection on the Check Point Security Gateway to Work with the

Gemalto HSM Appliance Server................................................................................. 90

Additional Actions for a Gemalto HSM Appliance Server..........................................91

Disabling Communication from the Check Point Gateway to the Gemalto HSM Appliance

Server ...................................................................................................................... 91

Deleting a Trust Link with the HSM Appliance Server................................................. 91

Configuring a Second Interface on a Gemalto HSM Appliance for NTLS....................... 92

Monitoring HTTPS Inspection on Check Point Gateway When Working with the

Gemalto HSM Appliance Server .................................................................................92

SmartConsole logs.................................................................................................... 93

SNMP ....................................................................................................................... 95

cpstat https_inspection ........................................................................................... 101

Creating an Access Control Policy ...............................................................................107

Managing Gateways ..................................................................................................107

Manually Updating the Gateway Topology ................................................................ 107

Dynamically Updating the Topology ......................................................................... 107

Introducing the Unified Access Control Policy ........................................................108

Creating a Basic Access Control Policy ...................................................................109

Basic Rules............................................................................................................. 109

Use Case - Basic Access Control.............................................................................. 109

Use Case - Inline Layer for Each Department........................................................... 110

Creating Application Control and URL Filtering Rules ........................................... 112

Monitoring Applications........................................................................................... 112

Blocking Applications and Informing Users.............................................................. 113

Limiting Application Traffic ..................................................................................... 113

Using Identity Awareness Features in Rules ............................................................ 114

Blocking Sites......................................................................................................... 115

Blocking URL Categories......................................................................................... 116

Ordered Layers and Inline Layers............................................................................117

The Need for Ordered Layers and Inline Layers ....................................................... 117

Order of Rule Enforcement in Inline Layers ............................................................. 117

Order of Rule Enforcement in Ordered Layers ......................................................... 118

Creating an Inline Layer .......................................................................................... 119

Creating a Ordered Layer ........................................................................................ 120

Enabling Access Control Features........................................................................... 121

Types of Rules in the Rule Base............................................................................... 122

Administrators for Access Control Layers................................................................ 124

Sharing Layers........................................................................................................ 124

Visual Division of the Rule Base with Sections.......................................................... 125

Exporting Layer Rules to a .CSV File ........................................................................ 125

Managing Policies and Layers ................................................................................. 125

The Columns of the Access Control Rule Base .......................................................126

Source and Destination Column............................................................................... 126

VPN Column............................................................................................................ 127

Services & Applications Column .............................................................................. 128

Content Column...................................................................................................... 131

Actions Column....................................................................................................... 132

Tracking Column..................................................................................................... 134

Unified Rule Base Use Cases ...................................................................................134

Use Case - Application Control and Content Awareness Ordered Layer .................... 134

Use Case - Inline Layer for Web Traffic.................................................................... 135

Use Case - Content Awareness Ordered Layer......................................................... 136

Use Case - Application & URL Filtering Ordered Layer............................................. 138

Rule Matching in the Access Control Policy ............................................................139

Examples of Rule Matching ..................................................................................... 139

Best Practices for Access Control Rules .................................................................142

Installing the Access Control Policy ........................................................................143

Analyzing the Rule Base Hit Count...........................................................................144

Enabling or Disabling Hit Count ............................................................................... 144

Configuring the Hit Count Display ............................................................................ 145

Preventing IP Spoofing .............................................................................................146

Configuring Anti-Spoofing....................................................................................... 146

Anti-Spoofing Options ............................................................................................. 148

Translating IP Addresses (NAT)...............................................................................148

To Learn More About NAT ....................................................................................... 149

UserCheck Interactions in the Access Control Policy .............................................149

Configuring the Security Gateway for UserCheck ..................................................... 149

Blocking Applications and Informing Users.............................................................. 151

UserCheck for Access Control Default Messages ..................................................... 151

Creating a UserCheck Interaction Object.................................................................. 152

Example UserCheck Message Using Field Variables ................................................ 153

Localizing and Customizing the UserCheck Portal.................................................... 153

UserCheck Frequency and Scope............................................................................. 153

UserCheck Settings................................................................................................. 154

UserCheck CLI ........................................................................................................ 155

Revoking Incidents.................................................................................................. 156

UserCheck Client .................................................................................................... 157

Blade Settings...........................................................................................................165

Inspection Settings.................................................................................................. 165

Configuring Inspection Settings............................................................................... 165

Creating a Threat Prevention Policy ............................................................................168

Threat Prevention Components ...............................................................................168

IPS.......................................................................................................................... 169

Anti-Bot.................................................................................................................. 170

Anti-Virus ............................................................................................................... 171

SandBlast ............................................................................................................... 172

Assigning Administrators for Threat Prevention ....................................................174

Analyzing Threats .....................................................................................................174

Out-of-the-Box Protection from Threats.................................................................175

Getting Quickly Up and Running with the Threat Prevention Policy ........................... 175

Enabling the Threat Prevention Software Blades ..................................................... 175

Installing the Threat Prevention Policy .................................................................... 178

Introducing Profiles ................................................................................................ 178

Optimized Protection Profile Settings ...................................................................... 179

Predefined Rule...................................................................................................... 180

The Threat Prevention Policy ...................................................................................181

Workflow for Creating a Threat Prevention Policy.................................................... 181

Threat Prevention Policy Layers.............................................................................. 181

Threat Prevention Rule Base................................................................................... 183

Creating Threat Prevention Rules ...........................................................................184

Configuring IPS Profile Settings .............................................................................. 184

Blocking Viruses..................................................................................................... 185

Configuring Anti-Bot Settings.................................................................................. 186

Configuring Threat Emulation Settings.................................................................... 188

Configuring Threat Extraction Settings.................................................................... 191

Configuring a Malware DNS Trap............................................................................. 192

Exception Rules ...................................................................................................... 193

The Check Point ThreatCloud...................................................................................195

Updating IPS Protections......................................................................................... 196

Threat Prevention Scheduled Updates..................................................................... 197

Updating Threat Emulation...................................................................................... 197

To Learn More About Threat Prevention .................................................................197

Creating Shared Policies ..............................................................................................198

Shared Policies .........................................................................................................198

Configuring HTTPS Inspection .................................................................................199

Inspecting HTTPS Packets....................................................................................... 199

Configuring Gateways to inspect outbound and inbound HTTPS................................ 200

Configuring the Geo Policy .......................................................................................208

Adding Users to the Policy............................................................................................210

Using Identity Awareness .........................................................................................210

Identity Sources...................................................................................................... 210

Enabling Identity Awareness ................................................................................... 211

Creating Access Roles............................................................................................. 212

Using Identity Awareness in the Access Control Policy............................................. 213

Redirecting to a Captive Portal ................................................................................ 214

Sample Identity Awareness Rules............................................................................ 214

Using User Directory ................................................................................................216

User Directory Features.......................................................................................... 216

Deploying User Directory ........................................................................................ 216

Account Units.......................................................................................................... 217

Working with LDAP Account Units ........................................................................... 217

Enabling User Directory .......................................................................................... 220

Managing LDAP Information.................................................................................... 220

To Learn More About Adding Users to the Policy....................................................221

Logging and Monitoring ................................................................................................222

Log Analysis ..............................................................................................................223

Configuring Logging................................................................................................ 223

Enabling Log Indexing............................................................................................. 225

Sample Log Analysis............................................................................................... 226

Tracking Options..................................................................................................... 227

Log Sessions........................................................................................................... 229

Views and Reports ....................................................................................................230

Enabling Views and Reports .................................................................................... 231

Catalog of Views and Reports .................................................................................. 231

Views...................................................................................................................... 232

Reports................................................................................................................... 232

Automatic View and Report Updates ........................................................................ 234

Opening a View or Report ........................................................................................ 235

Exporting Views and Reports................................................................................... 235

Scheduling a View or Report.................................................................................... 236

To Learn More About Logging and Monitoring ........................................................236

Maximizing Network Performance and Redundancy ..................................................238

Solutions for Enhancing Network Performance and Redundancy .........................238

CoreXL .......................................................................................................................238

Configuring CoreXL................................................................................................. 239

To Learn More About CoreXL................................................................................... 239

Table des matières

Autres manuels Checkpoint Porte

Checkpoint

Checkpoint QUANTUM SPARK 1535 Manuel utilisateur

Checkpoint

Checkpoint 13000 Series Manuel utilisateur

Checkpoint

Checkpoint 26000 Manuel utilisateur

Checkpoint

Checkpoint QUANTUM SPARK 1570 Manuel utilisateur

Checkpoint

Checkpoint 13000 Series Manuel utilisateur

Checkpoint

Checkpoint QUANTUM SPARK 1595R Manuel utilisateur

Checkpoint

Checkpoint QUANTUM SPARK 1500 Mode d’emploi

Checkpoint

Checkpoint SandBlast TE2000XN-28VM Manuel utilisateur

Checkpoint

Checkpoint 12200 Mode d’emploi

Checkpoint

Checkpoint 730 Manuel utilisateur

Checkpoint

Checkpoint VSX-1 3070 Manuel utilisateur

Checkpoint

Checkpoint 15000 Manuel utilisateur

Checkpoint

Checkpoint 3000 Series Manuel utilisateur

Checkpoint

Checkpoint 21400 VSX G-50 Manuel utilisateur

Checkpoint

Checkpoint 3000 Series Manuel utilisateur

Checkpoint

Checkpoint Quantum Spark 1570R Manuel utilisateur

Checkpoint

Checkpoint Power-1 Manuel utilisateur

Checkpoint

Checkpoint Quantum Spark 1570R Manuel utilisateur

Checkpoint

Checkpoint 16000 Manuel utilisateur

Checkpoint

Checkpoint 1535 Manuel utilisateur

Checkpoint

Checkpoint QUANTUM SPARK 1600 Manuel utilisateur

Checkpoint

Checkpoint 16000 Mode d’emploi

Manuels Porte populaires d'autres marques

LST

LST M500RFE-AS Manuel utilisateur

Kinnex

Kinnex Media Gateway Manuel utilisateur

2N Telekomunikace

2N Telekomunikace 2N StarGate Manuel utilisateur

Mitsubishi Heavy Industries

Mitsubishi Heavy Industries Superlink SC-WBGW256 Manuel utilisateur

ZyXEL Communications

ZyXEL Communications ZYWALL2 ET 2WE Manuel utilisateur

Telsey

Telsey CPVA 500 - SIP Manuel utilisateur

RTA

RTA 460A-NNA4 Fiche technique

Shaw

Shaw Gateway HDPVR Manuel utilisateur

ABB

ABB VSN900 Guide de démarrage rapide

Commander

Commander Pulse Manuel utilisateur

2N Telekomunikace

2N Telekomunikace ATEUS EasyGate 501309E Manuel utilisateur

NETGEAR

NETGEAR C6300BD Manuel utilisateur

Amit

Amit CDW531AM Manuel utilisateur

HMS

HMS Netbiter EasyConnect EC150 Manuel utilisateur

Huawei

Huawei EchoLife HG620 Manuel utilisateur

AT&T

AT&T U-verse 3801 Manuel d'utilisation et d'entretien

Logic IO

Logic IO RTCU MX2 turbo Manuel utilisateur

Suttle

Suttle MediaMAX MXM-521 Manuel utilisateur