Check Point Firewall R80.40 - Training Lab 7 | New interfaces and Antispoofing

  • Published 29 Aug 2024
  • In this video we have added a few more boxes:
    an additional Windows 10 PC and a Cisco CSR1000V router. These are used to verify and test what it is like to add both interfaces and routing, and to make sure that anti-spoofing is correctly configured.
    This video is part of the free Check Point CCSA training and we base it on R80.40, which is currently the newest recommended release from Check Point.

Comments • 78

  • @aussietramp 1 year ago

    It's a pity I just discovered this channel today... :(. Great JOB Magnus!

    • @MagnusHolmberg-NetSec 1 year ago

      You are just in time for the R81.20 updated series I am building ;)

  • @junnairmanla4928 4 years ago +1

    Hi Magnus,
    Just want you to know that these videos are very informative and helpful for me, who's new to CP. More power to you! Thanks!

    • @MagnusHolmberg-NetSec 4 years ago +1

      Junnair Manla Thank You for watching and commenting :)
      More videos on the way for next week.
      Are you planning to go for the CCSA certificate?

    • @junnairmanla4928 4 years ago +1

      @@MagnusHolmberg-NetSec I already got the CCSA last June 2020 but as you know, there are gaps between certificates and the real-world scenario.
      Your videos depict real-world instances and I really love them. I'm planning to take CCSE but still looking for a good online-training (self-paced) resource.
      Your channel is underrated. I'll help you gain more likes and subscribers by sharing these with my friends.

    • @MagnusHolmberg-NetSec 4 years ago

      Congratz! I thought the cert was really hard when I did it, but I took mine when it was R71 and I passed with 1% :D
      And I fully agree, the certificate tests things that are in my view "google knowledge" and not really real world.
      It's getting better and better but still missing a lot of things.
      Thanks :) The reason why I started to make videos is that we are managing 300+ firewalls and there are always new ppl starting.
      So instead of doing all training 1 to 1, some can be done by checking the videos, and just taking a CCSA doesn't cover what I actually want them to know.
      CCSA and CCSE don't even mention VSX or MDS, and those are the products that we are using.
      When I did go for my CCSE I used CBT Nuggets; I'm not sure if they have anything up to date when it comes to R80.
      Thank you, if you find it valuable it's much appreciated :)

  • @mohitsingh4630 3 years ago

    One of the best and most realistic videos. Thanks Magnus

    • @MagnusHolmberg-NetSec 3 years ago +1

      Thank you for watching :)
      Anti-spoofing is one of those things that you just need to see in real life or in a real lab to understand it well :)
      And it's something all techs will face and experience.

    • @mohitsingh4630 3 years ago

      @@MagnusHolmberg-NetSec I'm new to this Checkpoint Firewall and going through your playlist now. Please suggest any links or videos if you have them... thanks once again

    • @MagnusHolmberg-NetSec 3 years ago +1

      @@mohitsingh4630 Going through the CCSA playlist will give you a good base on Check Point, so I would start with that.
      If working for a larger organisation like an MSP, they normally use VSX with MDS, which is somewhat different, but for rules etc. the CCSA playlist will give you a really good start.

    • @mohitsingh4630 3 years ago

      @@MagnusHolmberg-NetSec Thanks for your guidance, I'll go through the playlist and will let you know... Thanks again for your time and guidance 🙏🏻

  • @tamming3274 1 year ago

    Very helpful!! Thanks for the demonstration!

  • @rizwanrashid172 4 years ago +1

    Beautifully explained!! Thank you

    • @MagnusHolmberg-NetSec 4 years ago

      Rizwan Rashid Thank You :)
      Checking out the CCSA course that you sent me and thinking on what should be next.

  • @vinayshankarkumar1394 3 years ago

    Excellent work!!

  • @atlantanawf4695 3 years ago

    Awesome, very informative, and a good explanation. Thanks.

    • @MagnusHolmberg-NetSec 3 years ago

      Thank you :)
      Any specific topic you would like to see more information about?

  • @kaus2005007 4 years ago

    Good one Magnus..

  • @MrTapiwaah 3 years ago

    Thank you Sir, this is beautiful.

  • @dicheshshambharkar5610 3 years ago

    Such an informative video Magnus, really appreciated. I have one doubt: why is there a requirement for no NAT?

    • @MagnusHolmberg-NetSec 3 years ago +1

      Within Check Point, NAT is performed as soon as the traffic passes the box.
      So let's say you have 3 interfaces and 2 are internal RFC1918 addresses.
      NAT will be done between all interfaces by default. So it's not only performed when going towards the external interface and out on the internet.
      That's why no NAT is needed.

    • @dicheshshambharkar5610 2 years ago

      @@MagnusHolmberg-NetSec thanks for the clarification Magnus

  • @5stringpickin several months ago

    Thank you for the explanation. I have a pair of Checkpoint virtual firewalls, and I have eth1-9 configured, but I need to add another ethernet interface, and I can't figure out how to add a new one. Can you advise? I'm running R81.20. Thanks.

  • @betorps 2 years ago

    Would you be able to enable subtitles for the video? Your videos help a lot. Thanks

    • @MagnusHolmberg-NetSec 2 years ago

      Subs are enabled by default from YouTube, so they should be available for all videos :)

  • @awsolive6940 3 years ago

    Happy Christmas Magnus

  • @barackuse 2 years ago

    Thanks for the video, what is the software you are using to present?

    • @MagnusHolmberg-NetSec 2 years ago +1

      To record the screen I use OBS.
      The rest is normal Office PowerPoint and VMware Workstation.

  • @gaikwadbharat42 3 years ago

    Awesome video. Does Checkpoint not sync the configuration between the HA cluster members like other vendors?

    • @MagnusHolmberg-NetSec 3 years ago +1

      There is a function to sync members to each other, like routing etc. But by default, no, there is no sync between the members.

  • @moudar123 2 years ago

    Hi Magnus,
    When I get "TCP packet out of state" logs with "First packet isn't SYN" and "TCP Flags ACK", is this anything to do with anti-spoofing when having asymmetric routing?

    • @MagnusHolmberg-NetSec 2 years ago +1

      Anti-spoofing will block asymmetrical routing, yes (or well, you can allow it to be asymmetrical, but I would recommend it)

  • @ranghelsoto6516 2 years ago

    Hello, Magnus. Do you have any video on how to configure a BOND INTERFACE in the Firewalls? Or maybe some documentation that you can share, to know how to configure it? Thanks for your support.

    • @MagnusHolmberg-NetSec 2 years ago

      sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Topics-GAG/Bond-Interfaces.htm
      Check this one and you will find how to do it :)

  • @georgemilev3244 3 years ago

    Hello Magnus,
    Great video! This is something pretty useful. Can you please just clarify something for me? The way I understand it is that if you select anti-spoofing and "this network only", it will not allow another source to enter this interface, in this case eth3. Is my understanding correct?
    Thank you.
    George

    • @MagnusHolmberg-NetSec 3 years ago +1

      Yes, that's correct!
      And just as a reference, "external" will be everything else than what is on the inside.
      It does not mean non-RFC1918 IP addresses, but EVERYTHING that is not defined to be on the inside (all interfaces are counted).

    • @georgemilev3244 3 years ago +2

      @@MagnusHolmberg-NetSec you are awesome!!!

  • @RaphHoenen 2 years ago

    Hello, would it have been possible to remove the No NAT from the automatic rules so as not to have a duplicate?

    • @MagnusHolmberg-NetSec 2 years ago

      If you make sure not to have any object with automatic NAT filled in (this includes hosts, networks etc.), then there should be no automatic NAT left.

  • @junnairmanla4928 4 years ago

    Hi Magnus,
    What is the difference between "Get Interfaces with Topology" and "Get Interfaces without Topology"?
    Do we only use "with" during initial setup as it may ruin the topology/Interfaces especially when some antispoofing is in place?

    • @MagnusHolmberg-NetSec 4 years ago +2

      Junnair Manla, if your stuff is configured correctly it doesn't matter really.
      "With" means that it will build the anti-spoofing based on the routing table.
      So that is what is actually working anyway.
      Personally I try to do this manually and have my own built groups for the anti-spoofing; if you do "with topology", Check Point will create objects representing the anti-spoofing group, networks etc. and I'm not a fan of that.
      So the reason why I pick not to do "with topology" is aesthetic, as I want to create my own objects, groups etc. after a specific standard.

    • @junnairmanla4928 4 years ago

      @@MagnusHolmberg-NetSec Thanks for the clear explanation!
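The two threads above (the "this network only" / "external means everything not defined inside" exchange, and the "Get Interfaces with Topology" builds anti-spoofing from the routing table exchange) can be modelled in a few lines. The following is an added illustration, not Check Point's code or Magnus's lab files: the routing table, interface names and addresses are constructed sample data, and the derivation rule is a simplified hypothetical model of how topology is derived from routes.

```python
from ipaddress import ip_address, ip_network

# Constructed sample routing table: (destination prefix, outgoing interface).
# The interface carrying the default route is treated as the external one.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.254.0/24", "eth1"),
    ("10.10.10.0/24", "eth3"),
    ("172.16.5.0/24", "eth3"),  # a second network reached via the router behind eth3
]


def topology_from_routes(routes):
    """Build per-interface anti-spoofing groups from the routing table, the way
    'Get Interfaces with Topology' derives them: every non-default route adds its
    destination to the outgoing interface's group; the default route marks the
    interface as external (simplified model, not Check Point's actual algorithm)."""
    topo = {}
    for dst, iface in routes:
        entry = topo.setdefault(iface, {"external": False, "networks": set()})
        net = ip_network(dst)
        if net.prefixlen == 0:
            entry["external"] = True
        else:
            entry["networks"].add(net)
    return topo


def antispoof_check(topo, in_iface, src_ip):
    """True if a packet with source src_ip may legitimately arrive on in_iface.

    Internal interface ("this network only"): the source must lie in that
    interface's own group.  External interface: the source must NOT belong to any
    internal group, i.e. 'external' is everything that is not defined inside,
    regardless of whether the address is RFC1918."""
    src = ip_address(src_ip)
    entry = topo[in_iface]
    if entry["external"]:
        inside = [n for e in topo.values() if not e["external"] for n in e["networks"]]
        return not any(src in n for n in inside)
    return any(src in n for n in entry["networks"])


if __name__ == "__main__":
    topo = topology_from_routes(ROUTES)
    # A 192.168.254.x source arriving on eth3 is the asymmetric-routing case:
    # anti-spoofing drops it even though the address is a known internal network.
    print(antispoof_check(topo, "eth3", "192.168.254.5"))  # False
    print(antispoof_check(topo, "eth0", "192.168.1.1"))    # True: RFC1918, but not defined inside
```

Swap in your own routing table to see which interface a given source would be accepted on before committing the topology in SmartConsole.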

  • @ranghelsoto6516 3 years ago

    Hello, Magnus.
    I am now replicating this lab episode, and I have a query.
    Are those rules in the NAT section necessary, the ones that have as source the "NET_10.10.10.0.0_24" and as destination the same "NET_10.10.10.0.0_24"?
    Because trying to interpret that rule, it is as if in the background it does not do any NAT, but then what sense would it make to place that rule? Or is it necessary for something in particular?
    Likewise, it makes a rule in the same direction from source to destination with the NET_192.168.254.X_24.
    I'm still curious what the purpose of these NATs I'm telling you about would be.
    Thanks for your time.

    • @MagnusHolmberg-NetSec 3 years ago

      The 10.10.10.0/24 to 10.10.10.0/24 NAT is created automatically when doing an automatic hide NAT.
      What the rule means is that no NAT is performed. Is it needed? Not really, but that's how Check Point presents it.

    • @ranghelsoto6516 3 years ago

      @@MagnusHolmberg-NetSec
      Thanks for the answers, Magnus.
      I have replicated the lab so far with success, but at the moment the only problem is that from my Windows_2, which has the IP 10.10.10.10.10/24, I can't get out to the Internet.
      I have not seen so far that anything additional has been configured on the Cisco router, just the interfaces and a default route, but nothing more than that.
      Do I need to configure a NAT on the Cisco router?
      The problem is only that I don't have the output to the Internet; the rest works fine.

    • @MagnusHolmberg-NetSec 3 years ago

      No need for NAT in the Cisco router, this is just a transit node.
      So the important thing is to have a route from Check Point to vmnet3 via Cisco, and in the Cisco that you have a default route to Check Point.
      The NAT is performed in the Check Point.
      Interface, routing, anti-spoofing, NAT and then a rule to actually permit the traffic to the internet :)
      So one of the first steps is just to check if the traffic is reaching the firewall cluster, and also check that NAT is applied to the traffic when pinging something like 8.8.8.8.
      If you are trying to surf, remember to set a DNS :)
      Btw, troubleshooting and rechecking the work is how you learn. :D

    • @akintundeoloyede9735 1 year ago

      @@MagnusHolmberg-NetSec Hi Magnus, how do I get the ISO file for the router used? Please help with the source

    • @akintundeoloyede9735 1 year ago

      Also I am confused on how to integrate the router into the existing topology

  • @kofiba5143 1 year ago

    Magnus, can you make a tutorial on how to set up the router?

    • @MagnusHolmberg-NetSec 1 year ago

      There is a video called "How to setup Cisco 1000v" on my channel :)

  • @motech2022 2 years ago

    How to set up the Cisco router?

  • @desaironak11 3 years ago

    Wow -

  • @burstdarkangel 2 years ago

    Does it work with an L3 switch instead of a router?

    • @MagnusHolmberg-NetSec 2 years ago

      An L3 switch would be the same as a router, so yes. But I don't know if they can be run in VMware, so in VMware I needed something I know is working, and these routers can be run in VMware :)

    • @burstdarkangel 2 years ago

      @@MagnusHolmberg-NetSec I am doing a similar topology but using an L3 switch; I can only ping from the default gateway IP, but not from the PC....

    • @MagnusHolmberg-NetSec 2 years ago

      @@burstdarkangel I would check all the config again :)
      And ping each step so you see how far it goes.
      PC -> L3 switch - yes / no
      PC -> L3 switch linknet interface to CP - yes / no
      If it already stops there, there is missing routing within the L3 switch.
      PC -> L3 -> CP linknet interface - yes / no
      Well, then check the stuff I talked about in the video: routing, rules, anti-spoofing.
      So normal troubleshooting. :)

    • @burstdarkangel 2 years ago

      @@MagnusHolmberg-NetSec Hi, finally it works!! The issue was the L3 switch image... thanks for your video

    • @MagnusHolmberg-NetSec 2 years ago

      @@burstdarkangel Hehe, great, that's what labs are for. Now you will not forget how to do that when you need to troubleshoot in the lab ;)

  • @vikaspotadar 3 years ago

    What is your system configuration??

    • @MagnusHolmberg-NetSec 3 years ago +1

      If you are referring to my lab setup:
      I use VMware Workstation on an AMD 3900X with 64GB RAM.
      And then a 1TB flash drive.

    • @vikaspotadar 3 years ago

      @@MagnusHolmberg-NetSec Thank you very much

  • @bkavirajan 3 years ago

    Hi Magnus, is it possible to import policies and the rulebase?

    • @MagnusHolmberg-NetSec 3 years ago

      When it comes to Check Point to Check Point it's migrate export and migrate import; it's not only the rule base but the full info regarding a mgmt server.
      When it comes from other vendors there is a conversion tool for Cisco, Juniper and Palo Alto for importing rules.

    • @bkavirajan 3 years ago

      @@MagnusHolmberg-NetSec Thanks Magnus

    • @bkavirajan 3 years ago

      I need to configure a lab setup from the production configurations

    • @MagnusHolmberg-NetSec 3 years ago

      @@bkavirajan migrate export will work fine then :) It's more or less a backup.
      Then you can add that on your new platform so you have a copy of your production environment. More or less this is how an "advanced upgrade" is done.
      Check under $FWDIR/bin/upgrade_tools/
      There you have migrate export, so you can get out a file with all info from your mgmt server :)

    • @MagnusHolmberg-NetSec 3 years ago

      If you want to test something cool, then check
      community.checkpoint.com/t5/General-Topics/Easy-Backup-Tool-migrate-export-all-GAIA-configs/td-p/79632