Study Guide
TRADEMARKS
© 2003-2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advi-
International Headquarters: 5 HaSolelim Street, Tel Aviv 67897, Israel. Tel: +972-3-753 4555
U.S. Headquarters:
Document #:
Revision: R71001
Content: Mark Hoefle
Graphics: Jeffery Holder
Chapter 1  Management Portal  1
Chapter 2  SmartWorkflow  11
Chapter 3  SmartProvisioning  17
Chapter 4  SSL Portal-Based VPN  25
Chapter 5  Acceleration  31
Chapter 6  High Availability  37
Chapter 7  Clustering  43
Chapter 8  Advanced Networking - Routing  49
Chapter 9  Advanced Networking Load Balancing  55
Chapter 10  Advanced Networking - QoS  61
Chapter 11  Check Point IPS  67
Chapter 12  Data Loss Prevention  73
Preface
The Check Point Certified Security Expert Exam
The Check Point Security Expert R70 / R71 course is intended to provide an understanding of upgrading and advanced configuration of Check Point software blades, installing and managing VPNs (on both internal and external networks), gaining the maximum security from Security Gateways, and resolving Gateway performance issues. The Check Point Security Expert R70 / R71 Study Guide supplements knowledge you have gained from the Check Point Security Expert R70 / R71 course, and is not a sole means of study.
The Check Point Certified Security Expert R71 (CCSE) exam covers the following topics:
Define how the Management Portal aids in managing and troubleshooting security configurations.
Describe how to extend access to network policy settings to outside auditors.
Identify the advantages of SmartWorkflow in tracking, approving, and auditing security policy changes.
Assess the benefits of policy life-cycle management and change management.
Determine typical SmartWorkflow administrative and use processes.
Identify the advantages of SmartProvisioning as a centralized management tool.
How do I register?
Answer
Chapter 1: Management Portal
The Check Point Management Portal Software Blade extends browser-based management access to outside groups, such as technical support staff or auditors, while still maintaining centralized administrative control of policy enforcement. Management Portal users can view security policies, check the status of all Check Point products and administrator activity, manage firewall logs, and create and edit internal users.
Objectives:
Configure administrative access to the Security Management Server from an offsite machine to facilitate remote management of corporate Security Gateways.
Lab Key Elements:
Build Gateways (L-p. 7)
Establishing SIC (L-p. 12)
Configure Management Portal on Corporate Site (L-p. 16)
The Management Portal allows all of the following EXCEPT:
1. View administrator activity.
2. Schedule policy installation.
3. View the status of Check Point products.
4. Manage firewall logs.
Answer
Chapter 2: SmartWorkflow
Key Elements:
Change Management (p. 11)
Task Flow (p. 12)
SmartWorkflow Toolbar (p. 15)
Assigning Permissions (p. 21)
Enabling SmartWorkflow (p. 21)
Configuring SmartWorkflow (p. 22)
Comparing Policies (p. 26)
Approving Sessions (p. 27)
Auditing Changes (p. 28)
Lab Key Elements:
Lab 3: SmartWorkflow (L-p. 29)
Configure SmartWorkflow (L-p. 33)
Repair Session 1 (L-p. 45)
Disable SmartWorkflow (L-p. 51)
Which of the following can NOT approve a change in a SmartWorkflow Session?
1. Customer Superusers.
2. Provider-1 Superusers.
3. FireWall Administrators.
4. FireWall Managers.
Answer
Chapter 3: SmartProvisioning
The Check Point SmartProvisioning Software Blade enables you to manage and maintain thousands of gateways from a single Security Management Server or Provider-1 CMA, with features to define, manage, and provision large-scale deployments of Check Point gateways.
Objectives:
Determine and implement the appropriate Provisioning deployment scenario based on corporate requirements.
Modify different properties on remote Gateways (i.e., DNS, Networking) per corporate requirements.
Key Elements:
SmartProvisioning Overview (p. 33)
SmartProvisioning Management (p. 33)
Enabling SmartProvisioning (p. 34)
SmartProvisioning Console (p. 36)
Tree Pane (p. 36)
Workspace Pane (p. 36)
Status View (p. 37)
SmartProvisioning Wizard (p. 39)
SmartProvisioning Profiles (p. 40)
UTM-1 Edge-Only SmartProvisioning (p. 41)
Gateway Management (p. 44)
Adding Gateways to SmartProvisioning (p. 44)
Real-Time Gateway Actions (p. 45)
Remotely Controlled Gateways (p. 45)
Executing Commands (p. 47)
Tracking (p. 51)
Log Servers (p. 52)
Scheduling Backups (p. 55)
Configuring Hosts (p. 56)
Configuring Routing (p. 58)
Managing Software (p. 58)
Distributing Packages (p. 59)
Applying Changes (p. 62)
Maintenance Mode (p. 63)
UTM-1 Edge Ports (p. 64)
Provisional Settings (p. 65)
Understanding Dynamic Objects (p. 68)
Command Line (p. 70)
Lab Key Elements:
Lab 4: SmartProvisioning (L-p. 53)
Enable SmartProvisioning (L-p. 54)
Which version is the minimum requirement for SmartProvisioning?
1. R70.2
2. R65-HFA 40
3. R70
4. R71
Answer
Chapter 4: SSL Portal-Based VPN
The Check Point SSL VPN Software Blade is a comprehensive remote access solution that allows mobile and remote workers to connect easily and securely to critical resources from any location and any Internet device. This software blade integrates easily into your existing Check Point gateway, enabling more secure and operationally efficient remote access for your endpoint users. The data transmitted by remote access is decrypted and then filtered and inspected in real time by the Check Point gateway's security services, such as anti-virus, intrusion prevention and Web security. The SSL VPN Software Blade also includes secure methods for authentication, and the ability to check the security posture of the remote device.
Objectives:
Configure applications for SSL VPN remote access based on corporate and user requirements.
Key Elements:
Key Features (p. 76)
Cluster Deployment (p. 79)
Configuration Workflows (p. 83)
The SSL VPN Wizard (p. 84)
User Workflow (p. 84)
Protection Levels (p. 86)
Introduction to Applications (p. 87)
Web Applications (p. 87)
File Shares (p. 87)
Citrix Services (p. 88)
Native Applications (p. 89)
Where is the ideal place to deploy your SSL VPN?
1. SSL VPN enabled on the gateway
2. Anywhere
3. Deployed in the DMZ
4. In front of the external interface of the gateway
Answer
Chapter 5: Acceleration
The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments.
Objectives:
Configure and verify that traffic throughput is enhanced using SecureXL on a SecurePlatform Pro Security Gateway.
Key Elements:
Throughput Acceleration (p. 96)
HTTP 1.1 (p. 99)
UDP Pseudo-Connections (p. 100)
Packet Flow (p. 101)
SecureXL API (p. 102)
VPN Capabilities (p. 103)
Supported Platforms and Features (p. 106)
Performance Tuning (p. 107)
Packet Flows (p. 108)
Lab Key Elements:
Lab 6: SecureXL (L-p. 101)
What is the maximum number of cores supported by CoreXL?
1. 6
2. 8
3. 4
4. 12
Answer
Chapter 6: High Availability
Check Point High Availability limits any disruption to network uptime should a Security Gateway face unforeseen performance issues. High Availability transparently redistributes workloads to the surviving cluster gateways without impacting communication through the cluster.
Objectives:
Deploy New Mode HA on a new cluster member.
Key Elements:
Synchronization Modes (p. 117)
Synchronization Status (p. 117)
Lab Key Elements:
Reconfigure Routing (L-p. 113)
Test Failover (L-p. 128)
Method 1 (L-p. 128)
Method 2 (L-p. 129)
Method 3 (L-p. 129)
What could be a reason why synchronization between primary and secondary Security Management Servers does not occur?
1. You have installed both Security Management Servers on different server systems (e.g. one machine on HP hardware and the other one on Dell).
2. You did not activate synchronization within the Global Properties.
3. You are using different time zones.
4. If the set of installed products differs from one server to the other, the Security Management Servers do not synchronize the database to each other.
Answer
Chapter 7: Clustering
The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments.
Objectives:
Learn the standard configurations for ClusterXL.
Learn how packets travel through a cluster.
Learn the basics of how VRRP works on the IP appliance.
Key Elements:
Installing ClusterXL (p. 126)
Clustering Terms (p. 126)
Cluster Synchronization (p. 131)
Sticky Connections (p. 133)
The Sticky Decision Function (p. 133)
ClusterXL Configuration Issues (p. 134)
Crossover-Cable Support (p. 134)
VRRP Overview (p. 135)
How VRRP Works (p. 136)
Lab Key Elements:
Configure VPN in a Cluster (L-p. 142)
By default, a standby Security Management Server is automatically synchronized by an active Security Management Server when:
1. The Security Policy is saved.
2. The Security Policy is installed.
3. The user database is installed.
4. The standby Security Management Server starts for the first time.
Answer
Chapter 8: Advanced Networking - Routing
The Check Point Advanced Networking Software Blade makes it easier for administrators to deploy security within complex and highly utilized network environments, making it ideal for high-end enterprise and datacenter environments where performance and availability are critical.
Objectives:
Configure VPN in a clustered environment, and demonstrate VPN failover.
Configure and test VPN Tunnel Interfaces (VTIs) for a clustered environment.
Check Point Advanced Networking Routing Topics
Key Elements:
Advanced Networking Blade (p. 143)
Interfaces (p. 149)
Kernel Interfaces (p. 149)
Martian Addresses (p. 150)
BGP Decision Process (p. 152)
Dynamic Capabilities (p. 153)
SNMP Multiplexing (SMUX) (p. 159)
Protocol Independent Multicast (p. 160)
Access Lists (p. 163)
Route Flap Damping (p. 167)
Route Maps (p. 167)
Multicast Routing Protocols (p. 169)
VPN Connections (p. 171)
Which statement is TRUE for route-based VPNs?
1. Route-based VPNs replace domain-based VPNs.
2. IP Pool NAT must be configured on each gateway.
3. Route-based VPNs are a form of partial overlap VPN Domain.
4. Dynamic-routing protocols are not required.
Answer
Chapter 9: Advanced Networking Load Balancing
The Check Point Advanced Networking Software Blade provides flexible server load balancing. Each connection request is directed to a specific server based on one of the Advanced Networking Software Blade's pre-defined load balancing algorithms.
Objectives:
Configure Load Sharing Unicast (Pivot) and Multicast Mode on a cluster member.
Key Elements:
ConnectControl (p. 175)
Methods of Load-Balancing (p. 176)
Server Availability (p. 182)
Load Measuring (p. 183)
In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?
1. Hot Standby Load Sharing
2. CCP Load Sharing
3. Unicast Load Sharing
4. Multicast Load Sharing
Answer
Chapter 10: Advanced Networking - QoS
The Advanced Networking blade lets you prioritize business-critical traffic such as ERP, database, and Web services traffic over less time-critical traffic. It also allows you to guarantee bandwidth and control latency for streaming applications such as Voice over Internet Protocol (VoIP) and video conferencing. In addition, with highly granular controls, the Advanced Networking blade enables guaranteed or priority access for specific employees, even if they are remotely accessing network resources through a VPN tunnel.
Objectives:
Set up and verify the best QoS configuration, using the Advanced Networking Software Blade, for your corporate environment, and test and confirm a bandwidth control Policy.
Key Elements:
Quality of Service (p. 189)
QoS Gateway (p. 193)
QoS SmartConsole (p. 194)
QoS Configuration (p. 195)
Client/Server Interaction (p. 196)
Default Rule (p. 200)
Deploying QoS (p. 204)
Sample Bandwidth Allocations (p. 205)
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?
1. Guarantees
2. Weighted Fair Queuing
3. Low Latency Queuing
4. Differentiated Services
Answer
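The weighted-share idea behind the Weighted Fair Queuing option above, as an added example that is not part of the original study guide and not Check Point's code: a toy allocator that shares a link among QoS rules with active traffic in proportion to their weights, after honouring each rule's guarantee and without exceeding its limit. The rule names, the kbps figures and the two-phase scheme (guarantees first, then a weighted water-fill that re-shares what capped rules cannot use) are assumptions made for this illustration, not a description of the product's scheduler.

```python
"""Constructed model of weighted bandwidth sharing (added example, not Check
Point code). A QoS rule carries a weight, an optional guarantee and an optional
limit; the link is shared among rules that currently have traffic in proportion
to weight, after guarantees are honoured and without exceeding limits."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class QosRule:
    name: str
    weight: int                     # relative share among active rules (>= 1)
    guarantee: float = 0.0          # kbps reserved while the rule has traffic
    limit: Optional[float] = None   # kbps ceiling, None means unlimited
    demand: float = 0.0             # kbps the rule's traffic wants right now


def allocate(link_kbps: float, rules: List[QosRule]) -> Dict[str, float]:
    """Return kbps per rule that has active traffic (demand > 0).

    Phase 1 honours guarantees; phase 2 water-fills the remainder by weight,
    re-sharing whatever a capped rule cannot use among the rules still open.
    """
    active = [r for r in rules if r.demand > 0]
    # A rule can never use more than it asks for, nor more than its limit.
    cap = {r.name: r.demand if r.limit is None else min(r.demand, r.limit)
           for r in active}
    alloc = {r.name: 0.0 for r in active}
    remaining = float(link_kbps)

    for r in active:                        # phase 1: guarantees
        give = min(r.guarantee, cap[r.name], remaining)
        alloc[r.name] += give
        remaining -= give

    open_rules = [r for r in active if alloc[r.name] < cap[r.name]]
    while remaining > 1e-9 and open_rules:  # phase 2: weighted water-fill
        total_weight = sum(r.weight for r in open_rules)
        if total_weight <= 0:
            break
        still_open = []
        for r in open_rules:
            share = remaining * r.weight / total_weight
            give = min(share, cap[r.name] - alloc[r.name])
            alloc[r.name] += give
            if alloc[r.name] < cap[r.name] - 1e-9:
                still_open.append(r)
        remaining = link_kbps - sum(alloc.values())
        open_rules = still_open
    return {name: round(kbps, 1) for name, kbps in alloc.items()}


# Constructed sample: a 1000 kbps link; the backup rule is idle right now.
SAMPLE_RULES = [
    QosRule("voip", weight=30, guarantee=200, demand=300),
    QosRule("erp", weight=20, limit=250, demand=800),
    QosRule("web", weight=10, demand=800),
    QosRule("backup", weight=5, demand=0),
]

if __name__ == "__main__":
    for name, kbps in allocate(1000, SAMPLE_RULES).items():
        print(f"{name:8s} {kbps:7.1f} kbps")
```

On the sample link, voip stops at its 300 kbps demand and erp at its 250 kbps limit, so web ends up with 450 kbps even though its weight is the smallest; shrink the link to 400 kbps and the guarantee is what keeps voip whole while the others split the rest by weight.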
Chapter 11: Check Point IPS
This chapter presents basic information on Check Point's Intrusion Prevention Software Blade, how intrusion prevention systems work, and the network attacks that the intrusion prevention system can detect and prevent.
Objectives:
Implement default or customized profiles on designated Gateways in the corporate network.
Manage profiles by tracking changes to the network, including performance degradation, and troubleshoot issues with the network related to specific IPS policy rules.
Key Elements:
IPS Overview (p. 211)
IPS Protection (p. 219)
IPS Profiles (p. 220)
Assigning Profiles (p. 220)
Protection Browser (p. 221)
Exporting the Protections List (p. 223)
Protection Parameters (p. 223)
Activating Protections (p. 226)
Automatically Activating Protections (p. 226)
Monitoring Traffic (p. 229)
Network Exceptions (p. 231)
Optimizing IPS (p. 233)
Performance Management (p. 234)
Troubleshooting (p. 236)
Tuning Protections (p. 237)
Managing IPS Protections (p. 240)
Lab Key Elements:
Modify the Gateway Properties (L-p. 168)
Assign to Gateway (L-p. 179)
Generate an Attack (L-p. 181)
Review Logs (L-p. 190)
You just upgraded to R71 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low. How can you achieve this?
1. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.
2. This can't be achieved; activating any IPS system always causes a high rate of false positives.
3. As in SmartDefense, this can be achieved by activating all the critical checks manually.
4. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.
Answer
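The policy-driven activation that option 1 describes (activate by severity and confidence rather than hand-picking checks as in SmartDefense), as an added example that is not part of the study guide and not Check Point's code: a filter over a constructed protections list that keeps the protections whose severity and confidence meet the chosen thresholds, optionally excluding those with high performance impact. The field names, the level scales and the sample entries are assumptions; a real exported protections list carries more columns.

```python
"""Added example (not Check Point code): select IPS protections to activate by
severity and confidence so that critical checks are on while low-confidence
ones, the usual source of false positives, stay off. Level names and the
sample list are assumptions made for this illustration."""
from typing import Dict, List, Optional

# Ordered from least to most severe / confident / costly (assumed scales).
SEVERITY = ["Low", "Medium", "High", "Critical"]
CONFIDENCE = ["Low", "Medium", "Medium-High", "High"]
IMPACT = ["Very Low", "Low", "Medium", "High", "Critical"]   # performance impact


def _rank(scale: List[str], value: str) -> int:
    """Position of a level on its scale; unknown levels are an error, not a pass."""
    if value not in scale:
        raise ValueError(f"unknown level {value!r}, expected one of {scale}")
    return scale.index(value)


def select_protections(protections: List[Dict[str, str]],
                       min_severity: str = "Critical",
                       min_confidence: str = "High",
                       max_impact: Optional[str] = None) -> List[str]:
    """Names of protections meeting every threshold, sorted for stable output.

    A protection is chosen only if its severity is at least min_severity AND
    its confidence is at least min_confidence AND (when max_impact is given)
    its performance impact is at most max_impact.
    """
    chosen = []
    for p in protections:
        if _rank(SEVERITY, p["severity"]) < _rank(SEVERITY, min_severity):
            continue
        if _rank(CONFIDENCE, p["confidence"]) < _rank(CONFIDENCE, min_confidence):
            continue
        if max_impact is not None and _rank(IMPACT, p["impact"]) > _rank(IMPACT, max_impact):
            continue
        chosen.append(p["name"])
    return sorted(chosen)


# Constructed protections list; names and levels are made up.
SAMPLE_PROTECTIONS = [
    {"name": "P1", "severity": "Critical", "confidence": "High", "impact": "Low"},
    {"name": "P2", "severity": "Critical", "confidence": "Medium", "impact": "Low"},
    {"name": "P3", "severity": "High", "confidence": "High", "impact": "Medium"},
    {"name": "P4", "severity": "Critical", "confidence": "High", "impact": "Critical"},
    {"name": "P5", "severity": "Medium", "confidence": "Low", "impact": "Very Low"},
]

if __name__ == "__main__":
    print("critical + high confidence:", select_protections(SAMPLE_PROTECTIONS))
    print("... and impact at most High:",
          select_protections(SAMPLE_PROTECTIONS, max_impact="High"))
```

P2 is critical but only medium confidence, so it is left off; P4 is critical and high confidence but drops out once a performance-impact ceiling is added, which is the trade-off the Performance Management and Tuning Protections topics are about.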
Chapter
Data Loss Prevention
12
The need to secure our data goes beyond access to network resources. It isnt
enough to permit or deny access into and out of internal networks where confidential company data is located. Research has shown that one of the greatest threats to
data loss is unintentional and from the inside. The Check Point Data Loss Prevention (DLP) Appliances and Software Blade address the need to protect sensitive
data from leaving secure corporate sites.
Objectives:
Configure DLP Data Types in a rule.
Monitor and adjust DLP Policies
73
Key Elements:
Deployment Options (p. 253)
My Organization
DLP Policies (p. 259)
Data Types (p. 264)
Protecting Files (p. 267)
Data Type Groups (p. 269)
Lab Key Elements:
Topology Setup (L-p. 192)
Employee Name (L-p. 212)
Keyword Search (L-p. 218)
Template Exercise (L-p. 231)
Mark the configuration options that are available for Data Loss Prevention in R71:
1. A dedicated DLP Gateway running only the DLP Software Blade.
2. The DLP Gateway running only the Firewall Software Blade.
3. The DLP Gateway running only the Management Server on the same machine.
4. DLP as an integrated software blade, which can be enabled on a Check Point Security Gateway running other software blades such as Firewall, IPS and Management.
Answer
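Data Types combined into DLP rules, the chapter's "Configure DLP Data Types in a rule" objective and its Keyword Search, Employee Name and Data Type Groups items, as an added example that is not part of the study guide and not Check Point's code: keyword, pattern and group data types, rules that bind a data type to an action, and an evaluator that applies the strictest action among all matching rules. The action names, the strictest-wins policy, the thresholds and every sample message are assumptions made for this illustration; check them against the course material before relying on them.

```python
"""Added example (not Check Point code): a small model of DLP Data Types
(keyword, pattern, group) bound to rules with actions. Action names, the
strictest-wins policy and the sample messages are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Least to most restrictive; names assumed for this example.
ACTION_ORDER = ["Allow", "Detect", "Inform User", "Ask User", "Prevent"]


@dataclass
class KeywordDataType:
    """Matches when at least `threshold` distinct keywords appear as whole words."""
    name: str
    keywords: Sequence[str]
    threshold: int = 1

    def matches(self, text: str) -> bool:
        hits = {k for k in self.keywords
                if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)}
        return len(hits) >= self.threshold


@dataclass
class PatternDataType:
    """Matches when the regular expression occurs at least `threshold` times."""
    name: str
    pattern: str
    threshold: int = 1

    def matches(self, text: str) -> bool:
        return len(re.findall(self.pattern, text)) >= self.threshold


@dataclass
class DataTypeGroup:
    """Matches when any member data type matches."""
    name: str
    members: Sequence[object]

    def matches(self, text: str) -> bool:
        return any(m.matches(text) for m in self.members)


@dataclass
class DlpRule:
    name: str
    data_type: object
    action: str


def evaluate(rules: Sequence[DlpRule], text: str) -> Tuple[str, List[str]]:
    """Return (strictest action, names of matching rules) for one message."""
    matched = [r for r in rules if r.data_type.matches(text)]
    if not matched:
        return "Allow", []
    action = max((r.action for r in matched), key=ACTION_ORDER.index)
    return action, [r.name for r in matched]


# Constructed data types: an internal marking, a bulk-employee-ID pattern
# (three or more IDs in one message), and a group of project references.
INTERNAL = KeywordDataType("Internal marking", ["confidential", "internal only"])
EMPLOYEE_ID = PatternDataType("Employee ID", r"\bEMP-\d{6}\b", threshold=3)
CODENAME = KeywordDataType("Codenames", ["Project Aurora", "Project Borealis"])
TICKET = PatternDataType("Project ticket", r"\bPRJ-\d{4}\b")
PROJECTS = DataTypeGroup("Project references", [CODENAME, TICKET])

SAMPLE_RULES = [
    DlpRule("Internal documents", INTERNAL, "Ask User"),
    DlpRule("Bulk employee IDs", EMPLOYEE_ID, "Prevent"),
    DlpRule("Project references", PROJECTS, "Detect"),
]

if __name__ == "__main__":
    for msg in ("Please review the confidential roadmap",
                "Payroll extract: EMP-000001, EMP-000002, EMP-000003",
                "Status of PRJ-0042 and the confidential budget"):
        print(evaluate(SAMPLE_RULES, msg))
```

Two employee IDs in a message stay below the pattern threshold and are allowed, which is the kind of tuning the "Monitor and adjust DLP Policies" objective refers to; a message that trips both the Ask User and the Detect rule is handled at Ask User because the stricter action wins.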