SECURE IT SOLUTIONS

Course Overview
Designed for more experienced security professionals, NGX II&III certification is one of the most highly recognized and respected vendor-specific security certifications available.

This course is for professionals who already have working knowledge of the CheckPoint Firewall-1 and would like to get more hands-on, trouble-shootng experience.

It provides more in-depth skills and expertise in managing and supporting Check Point products. Proficiencies include configuring and managing VPN-1/FireWall-1 as an Internet security solution and virtual private network (VPN), using encryption technologies to implement site-to-site and remote access VPNs, and configuring content security by enabling Java blocking and anti-virus checking.

It delves into trouble-shooting techniques, using network analyzers, reading sniffer traces, how to use "fw monitor" and other tools.

The course is further enhanced by WCP Instructors with additional trouble-shooting labs. Various break case scenarios are analyzed and you will be taught how to troubleshoot and resolve the issues.

Take this class if:

You are a systems administrator, security manager, or network engineer implementing VPN-1/FireWall-1 for VPN deployments
Want to earn Check Point Certified Security Expert (CCSE NGX) NGX certification

Prerequisites
Check Point Security Administration NGX I, or equivalent knowledge and experience

NGXII - Course Contents

Chapter 1 SmartUpdate

Introduction to SmartUpdate

SmartUpdate Architecture

Upgrading Packages

Prerequisites for Remote Upgrades
Retrieving Data From VPN-1 Gateways
Adding New Packages to the Package Repository
Verifying the Viability of a Distribution
Transferring Files to Remote Devices
Upgrading Edge Firmware with SmartUpdate
Rebooting the VPN-1 Gateway
Recovering From a Failed Upgrade
Deleting Packages From the Package Repository
Managing Licenses.
License Upgrade
Retrieving License Data From VPN-1 Gateways
CPInfo
SmartUpdate Command Line

Lab 1: Updating an Installation with SmartUpdate

Review

Chapter 2 Upgrading VPN-1

Preinstallation Configuration

Distributed Installation

Upgrading to VPN-1 NGX R65

Upgrade Guidelines
Upgrade Order
Upgrade Export/Import
Upgrading via SmartUpdate

VPN-1 Backward Compatibility

Supported Versions

Licensing VPN-1

Obtaining Licenses
Supported Upgrade Paths
Contract Verification
Performing License Upgrade
Pre-Upgrade Considerations
Pre-Upgrade Verification Tool
Web Intelligence License Enforcement

Upgrading on SecurePlatform

Upgrading SmartCenter Server

Using the Pre-Upgrade Verification Tool

Gateway Upgrade

Gateway Upgrade with SmartUpdate

Review

Chapter 3 Encryption and VPNs

Securing Communication

Privacy
Symmetric Encryption
Symmetric Disadvantages
Asymmetric Encryption
Diffie-Hellman
Integrity
Authentication
Two Phases of Encryption
Encryption Algorithms

IKE

ISAKMP
Oakley
ISAKMP/Oakley
Phase 1 Phase 2
IKE Example
Tunneling-Mode Encryption

Certificate Authorities

Certificates
Multiple Certificate Authorities
Certificate Authority Hierarchy
Local Certificate Authority
CA Service via the Internet
Internal Certificate Authority
CA Public Keys
Creating Certificates

Review

Chapter 4 Introduction to VPNs

The Check Point VPN

How a VPN Works
Specifying Encryption

VPN Deployments

Site-to-Site VPNs
Remote-Access VPNs

VPN Implementation

Three Critical VPN Components
VPN Setup
How a VPN Works
VPN Communities
VPN Topologies
Choosing a Topology
Authentication Between Community Members
Dynamically Assigned IP Gateways
Routing Traffic Within a VPN Community
Access Control and VPN Communities
Excluded Services
Special Considerations for Planning a VPN Topology
Authorizing Control Connections in VPN Communities
Integrating VPNs into a Rule Base

Review

Chapter 5 Site-to-Site VPNs

Site-to-Site VPN

Domain-Based VPN
Route-Based VPN
VPN Routing Process for VTIs
Routing Multicast Packets Through VPN Tunnels
VPN Tunnel Management
Permanent Tunnels
VPN Tunnel Sharing
Wire Mode
Wire Mode in a MEP Configuration
Wire Mode with Route-Based VPN
Wire Mode Between Two VPN Communities
Directional VPN Enforcement
Directional Enforcement Between Communities

Multiple Entry Point VPNs

VPN High Availability with MEP

Traditional Mode VPNs

Lab 2: Two-Gateway IKE Encryption (Shared Secret)

Lab 3: Two-Gateway IKE Encryption (Certificates)

Review

Chapter 6 Remote Access VPNs

Remote Access VPN

Extending SecuRemote with SecureClient
Connect Mode
Establishing Remote Access — Workflow
Office Mode
How Office Mode Works
Office Mode Planning
IP Pool vs. DHCP
Routing-Table Modifications
Multiple External Interfaces
Before Configuring Office Mode
Desktop Security Policy
Policy Expiration and Renewal
Policy Server HA
Wireless Hotspot/Hotel Registration
Logging
SecureClient Mobile

VPN Routing — Remote Access

Hub Mode

SSL Network Extender

How SSL Network Extender Works
Prerequisites
Clientless VPN
Special Considerations for Clientless VPN
Configuring Clientless VPN
Creating Appropriate Rules in the Rule Base

Lab 4: Configuring Remote Access in an IKE VPN

Lab 5: Using SecuRemote in an IKE VPN

Lab 6: Remote Access and Office Mode

Lab 7: SSL Network Extender

Review

Chapter 7 High Availability and ClusterXL

Management High Availability

Management High Availability Environment
Synchronization Status

ClusterXL

Load Sharing
ClusterXL Modes
Legacy High Availability Mode
New High Availability Mode
Load Sharing Multicast Mode
Load Sharing Unicast (Pivot) Mode
Cluster Control Protocol
Synchronizing Clusters
The Synchronization Network
How State Synchronization Works
Synchronized-Cluster Restrictions
Sticky Connections
The Sticky Decision Function

CPHA Commands

cphastart
cphastop
cphaprob
cphaprob Example
fw hastat

Debugging ClusterXL Issues

fw ctl pstat Sync Output
ClusterXL Configuration Issues

Modes of ClusterXL Supporting SecureXL

Crossover-Cable Support

Lab 8: Deploying New Mode HA

Lab 9: Load Sharing Unicast (Pivot) Mode

Lab 10: Configuring Load Sharing Multicast Mode (Optional)

Review

NGX III - Course Contents

What You Will Learn

Troubleshooting NGX product problems using troubleshooting guidelines
Using cpinfo and log files for file management
Using protocol analyzers to capture and analyze network traffic
Troubleshooting NGX problems using NGX debugging tools
Using fw and fw advanced commands for troubleshooting
Troubleshooting specific Security Server issues
Using VPN log files and vpn debug to troubleshoot VPN connections
Capturing traffic flow using ike debug, sr_service debug, and srfw monitor
Identifying differences between route- and domain-based VPNs
Identifying, debugging, and using relevant commands to troubleshoot Eventia Reporter problems

About The Labs

Collecting configuration files from an NGX installation
Review and analyzing cpinfo output in InfoView
Using GuiDBedit to create services and objects, and modify an object’s global properties
Using fw logswitch to switch active and audit logs
Using fwm logexport to export logs
Comparing client- and server-side NAT using fw monitor
Using fwm and cpd debugging to troubleshoot a stand-alone installation problem
Generating and interpreting a file containing fw ctl pstat information
Using fw stat to verify a Gateway’s Policy installed status
Using fw unloadlocal to uninstall a Security Policy
Using fwm load to install a Policy
Running ike debug on Gateways, and analyzing output using IKEview
Observing IKE by running ike debug
Running srfw monitor on a SecureClient desktop
Configuring route-based VPNs for VPN redundancy
Configuring dynamic routing using OSPF through VPN tunnels