
Viewing 61 to 80 of 151 items

Connecting Checkpoint to LDAP server

Accounts in Checkpoint can be kept locally or on a remote server. For remote accounts several protocols are available: LDAP, RADIUS, TACACS and SecurID. TACACS encrypts the session payload, RADIUS obfuscates only the password attribute, and for LDAP you can choose to protect the session with SSL/TLS. In production you should always use encryption. There are  Full Article…
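To make the point that RADIUS protects only the password concrete, here is an added example in Python (not code from the original article, and not Check Point's RADIUS implementation) that builds the attribute section of a RADIUS Access-Request the way RFC 2865 specifies it: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, while User-Name and every other attribute travel in clear text. The shared secret, authenticator, username and password below are constructed test values.

```python
import hashlib
import os

# RADIUS attribute type codes from RFC 2865.
USER_NAME = 1
USER_PASSWORD = 2


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous block), seeded with the 16-byte Request
    Authenticator.  This is obfuscation keyed by the shared secret, not
    authenticated encryption: anyone holding the secret (or who brute-forces
    it offline from a captured packet) recovers the password.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # next keystream block is chained on the ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password (what the RADIUS server does on receipt)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # strip the NUL padding


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte) | Length (1 byte, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request_attributes(username: bytes, password: bytes,
                                    shared_secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name in the clear,
    User-Password hidden.  Everything else (NAS-IP, realm, etc.) would be
    clear text too."""
    return (encode_attribute(USER_NAME, username)
            + encode_attribute(USER_PASSWORD,
                               hide_user_password(password, shared_secret, authenticator)))


if __name__ == "__main__":
    # Constructed test values; a real client draws the authenticator from a CSPRNG.
    secret = b"s3cret-shared-with-nas"
    authenticator = os.urandom(16)
    attrs = build_access_request_attributes(b"alice", b"correct horse battery",
                                            secret, authenticator)
    print(attrs.hex())
    print(b"alice" in attrs, b"correct horse battery" in attrs)  # prints: True False
```

The username is visible to anyone on the path, and the password hiding stands or falls with the strength of the shared secret, which is why RADIUS over plain UDP should only run on an isolated management network or be wrapped in IPsec or RadSec; the same reasoning is behind the advice to use TLS for LDAP.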


SmartView Monitor

SmartView Monitor is a very powerful tool. It answers questions about CPU, memory and disk usage, traffic bandwidth, etc. In this tool you can also set threshold values that trigger alarms, so you can be proactive. Another important feature of Monitor is creating and viewing suspicious activity rules. As it is very dangerous to  Full Article…


SmartView Tracker

SmartView Tracker is an excellent tool. Checkpoint implements not only thorough logging but also tools with which you can dig into the log files and filter out the logs you really need. With SmartView Tracker you can query the data and find what you need. SmartView Tracker has 3 main categories or modes: Log – you  Full Article…


Connecting the FW to MGMT server

If you want to use the SmartConsole applications for managing the FWs, log in to the management server via https and click the link in the page header to download SmartConsole. After downloading you just install it 😉 You will see a lot of applications. You can install all of them. The main application for managing the FW is called SmartDashboard.  Full Article…


Policy packages

When you have more than one firewall under your management domain you have several options for implementing policy. Either you configure one policy package and within it create specific sections for specific firewalls, or you create a separate policy package for each firewall. The first is good for small environments; the latter is more commonly used.  Full Article…


Installing rules and objects and pushing them

A general overview of Checkpoint rules: Management rules – needed for access to the physical server. You should also allow ssh and https from specified clients, because if you have problems with SIC you will want to connect directly to the FW. Stealth rules – you don't want any external user to connect to the FW, you  Full Article…


Network address translation

Checkpoint uses more or less the same types of NAT as Cisco ASA: source/destination NAT, static/dynamic NAT, and PAT, which is called Hide NAT. As in ASA, destination NAT is performed before routing. In most configurations you will need to choose between static and hide NAT. The difference between these two is  Full Article…


Installing checkpoint

We build the same Checkpoint lab as in the CBT Nuggets course. In the lab we will use: a distributed solution; no HA; routed mode. As a topology we will use this: The first half of the Gaia installation is the same for both the FW and the MGMT server. Then you choose that you want  Full Article…


Introduction

Checkpoint technology implements something called SMART, which stands for Security Management Architecture. This architecture has several elements: Console or SmartConsole PC – the admin PC with SmartDashboard and the other applications used to manage Checkpoint. Management Server – the admin first accesses the management server, which is the centralized management for all Checkpoint FWs  Full Article…


Theory of Public key cryptography: Euclidean algorithm, Eulers phi function & Eulers theorem

Euclidean algorithm (EA) This algorithm computes the gcd, or greatest common divisor, which is very important in PKC (public key cryptography). So if somebody gives you two integers r0, r1, find gcd(r0, r1), i.e. the largest integer that divides both numbers. Example: r0 = 27, r1 = 21. How to solve this? Let's do prime factorization: 27 = 3x3x3, 21 =  Full Article…


RSA public key cryptosystem

RSA was invented in 1977; before public key cryptography, encryption and decryption were done with a single shared symmetric key. As the heading says, this is a public key cryptosystem, so we will have two keys for encryption/decryption: the public key and the private key. I know about this setup so let's  Full Article…
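The two theory posts above (Euclidean algorithm, Euler's phi function and Euler's theorem, then the RSA key pair) fit together in one short program, because RSA key generation is exactly "compute phi(n), then invert e modulo phi(n) with the extended Euclidean algorithm". The following is an added worked example in Python, not code from the original articles; the toy primes p = 61, q = 53 and the public exponent e = 17 are chosen for illustration and are far too small for real use.

```python
def gcd(r0: int, r1: int) -> int:
    """Euclidean algorithm: repeatedly replace (r0, r1) by (r1, r0 mod r1)."""
    while r1:
        r0, r1 = r1, r0 % r1
    return abs(r0)


def extended_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclidean algorithm: returns (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def modinv(a: int, m: int) -> int:
    """a^-1 mod m, which exists only when gcd(a, m) = 1."""
    g, s, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd = {g})")
    return s % m


def prime_factors(n: int) -> list[int]:
    """Distinct prime factors by trial division (fine for the toy sizes used here)."""
    factors = []
    p = 2
    while p * p <= n:
        if n % p == 0:
            factors.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def phi(n: int) -> int:
    """Euler's phi: n * prod(1 - 1/p) over the distinct primes p dividing n."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def euler_theorem_holds(a: int, n: int) -> bool:
    """Euler's theorem: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def rsa_keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Textbook RSA: n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).
    Returns ((n, e), (n, d)).  e must be coprime to phi(n) or modinv raises."""
    n = p * q
    phi_n = (p - 1) * (q - 1)  # phi of a product of two distinct primes
    d = modinv(e, phi_n)
    return (n, e), (n, d)


def rsa_encrypt(m: int, public_key: tuple[int, int]) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key: tuple[int, int]) -> int:
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    print(gcd(27, 21))                            # the page's own example
    print(phi(3233), euler_theorem_holds(2, 3233))
    pub, priv = rsa_keygen(61, 53, 17)            # toy parameters, not secure
    c = rsa_encrypt(65, pub)
    print(pub, priv, c, rsa_decrypt(c, priv))
```

Decryption works because e*d = 1 + k*phi(n), so m^(e*d) = m * (m^phi(n))^k = m (mod n) by Euler's theorem whenever gcd(m, n) = 1 (and for the remaining m as well, via the Chinese remainder theorem, since n is squarefree). Note that this is textbook RSA: it is deterministic and malleable, so real deployments use a 2048-bit or larger modulus together with a padding scheme such as OAEP, never raw exponentiation of the message.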


Failover detection and triggers

To achieve high availability BIG-IP uses failover managers that monitor various parts and services of BIG-IP. When a failover manager detects a failed process it takes one of several configurable actions: restart the process, fail over to the standby mate, or reboot. Here are some failover managers: watchdog – performs hardware health checks; overdog  Full Article…


Upgrade process

The upgrade process is quite straightforward: 1. Back up the standby unit. 2. Upgrade the standby unit. 3. Force the active system to standby. 4. Verify that the upgraded unit works OK. 5. Do the same steps with the other system. Note that no configuration changes should be made while the BIG-IP systems are running different versions. Upgrade files: you can download upgrades / hotfixes from the AskF5 pages.  Full Article…


Redundant pair concept

F5 supports active/standby redundancy. One device is active, serving all traffic requests, and the other waits in standby mode for a failure of the network or of the active device itself. When two BIG-IP systems are configured in a redundant pair, there are individual settings unique to each device: Hostname (bigip1.verizon.com, bigip2.verizon.com), Unit ID (1, 2)  Full Article…


iRules overview

An iRule is a powerful and flexible feature within the BIG-IP local traffic management system that you can use to manage your network traffic. Using syntax based on the industry-standard Tools Command Language (Tcl), the iRules feature not only allows you to select pools based on header data, but also allows you to direct traffic  Full Article…


SNAT

When you need to ensure that server responses always return through the BIG-IP system, or when you want to hide the source addresses of server-initiated requests from external devices, you can implement a SNAT. A secure network address translation (SNAT) is a BIG-IP Local Traffic Manager feature that translates the source IP address within a  Full Article…


NAT

In some cases, you might want to allow a client on an external network to send a request directly to a specific internal node (thus bypassing the normal load-balancing server selection). To send a request directly to an internal server, a client normally needs to know the internal node's IP address, which is typically  Full Article…


Processing the traffic

Basic terminology: Node = real IP address of a server. Pool member = real IP address + port. Pool = grouping of pool members. Pool members do not have to listen on the same port; they can be on the same IP address with different port numbers. Virtual server = IP address + port, often called a  Full Article…


SSL Traffic and SSL Profiles

BIG-IP Local Traffic Manager offers several features that you can use to intelligently control your SSL traffic. Some of the SSL traffic-management features are: the ability to authenticate clients and servers to maintain secure connections between a client system and the BIG-IP system, and between the BIG-IP system and a target web server; the ability  Full Article…


Monitors

BIG-IP LTM can check the status and health of members and nodes to ensure it doesn't send client requests to a non-operational server. A monitor is a test BIG-IP performs on a node or member. The monitor can be as simple as a ping or more advanced, like sending L7 requests and checking for the appropriate responses. A monitor  Full Article…
