2012 Best Practice Seminar
Housekeeping
Mobiles on Silent please
Toilets are…
Agenda
– Introduction
– What's new
– R75.45
– R75.40VS
– E80.40 with integrated management
Best Practices
Introduction
Who am I?
– David Rawle
– Technical Director of Bytes Security Partnerships
– 15 years working within the industry
Who are we?
– 6th biggest Check Point reseller in the UK
Introduction
We will remain an autonomous part of Bytes
We are currently focused on growing SPARC
– Fundamental to keep the current Direct to Engineer model
– Will be consulting with customers and seeking
R75.45
New Gaia features:
– Ability to configure 6in4 tunnels.
– Backup and restore, including scheduled backups.
– Policy Based Routing
– Support for PPPoE interfaces. See sk79880.
– Ability to configure SNMP traps for RAID issues.
– TACACS+ authentication.
– e1000 driver updated to version 7.6.15.
– Monitor mode on 10GbE ports, with automatic "one legged" bridge creation.
– 2012 appliances automatic license fetch during the First Time Wizard.
– ISP Redundancy. See sk25129.
Automatic Software Updates
– Get updates for licensed Check Point products directly through the Operating System.
– Download and install R75.45 more easily and quickly.
– For R75.45 installation using Automatic Software Updates for Gaia, refer to sk81680
Aggregation of logs of the IPS Non Compliant HTTP and Non Compliant DNS protections.
Log Server performance improvements enable writing logs in a more efficient way. This solved capacity issues in specific scenarios.
Anti-Malware report exposes the severity and category of the malware found in the overview and additional pages, to allow a better high-level understanding of Anti-Bot and Anti-Virus Blade findings.
R75.45
Very few customers have upgraded to it
Provides specific fixes
R75.40VS
Otherwise known as main-train R7X VSX
Simple Virtual System configuration
Demo
New in E80.40
What's new?
E80.40 with integrated Management
– SMART-1 Security Management E80.40 hosts both:
– Network Policy: Network Security management (R75.40)
– Endpoint Policy: Endpoint Security Management (E80.40), alongside it
Additional features in Endpoint Security E80.40
– Manage 150,000 seats of FDE & ME
– Custom image in Full Disk Encryption
– Scan multiple AD trees
– Web-remote help to remediate passwords
– Manage 80,000 seats of the full E80 suite
– Getting Started Wizard
– Set alerts & notifications, including email alerts
– Configure & preview user messages
Introducing Document Security
– Select authorised users & classification to protect your document
– Secure access from smartphones
– Secure access from PC & Mac
What is Check Point Mobile Business Application?
– Business Container
– VPN App
– Web Portal for Business Applications
– VPN Client
– Protect Business Data
– Bring Your Own Device
– Part of the Mobile Access
Best Practices – Recover Laptops
How to recover a broken FDE Laptop
Demo
Best Practices – FDE Boot Protection
SSDs don't all require full encryption
But you can't just configure pre-boot protection
Best Practices - Syslogging
Best Practices – Check Point VE
Check Point Virtual Edition
What is it useful for?
How about DLP?
– Check Point VE
– DLP
– Linked to SmartCentre
Best Practices – Check Point VE
Available for the following Hypervisors
– ESX v4.0
– ESX v4.1
– ESXi v4.0
– ESXi v4.1
– ESXi v5.0
– ESXi v5.1
Available in the following license breaks
– 8 Core
– 16 Core
Best Practices - Backups
We talk about this every year…
SPLAT
– “backup -n --ftp ipaddress username password”
– “backup -n --scp ipaddress username password”
– Use “crontab -e” to edit the cron job and schedule
Gaia
– To save a backup locally:
  • add backup local
– To save a backup on a remote server using ftp:
  • add backup ftp ip VALUE username VALUE password plain
– To save a backup on a remote server using tftp:
  • add backup tftp ip VALUE
– To save a backup on a remote server using scp:
  • add backup scp ip VALUE username VALUE password plain
Best Practices - Backups
Gaia – Restores
– To restore a backup from a locally held file:
  • set backup restore local <TAB>
– To restore a backup from a remote server using ftp:
  • set backup restore ftp ip VALUE username VALUE password plain
– To restore a backup from a remote server using tftp:
  • set backup restore tftp ip VALUE file VALUE
– To restore a backup from a remote server using scp:
  • set backup restore scp ip VALUE username VALUE password plain
Best Practices - Backups
Gaia – Scheduled Backups
– To add a scheduled backup locally:
  • add backup-scheduled name VALUE local
– To add a scheduled backup on a remote server using ftp:
  • add backup-scheduled name VALUE ftp ip VALUE username VALUE password plain
– To add a scheduled backup on a remote server using scp:
  • add backup-scheduled name VALUE scp ip VALUE username VALUE password plain
– To add a scheduled backup on a remote server using tftp:
  • add backup-scheduled name VALUE tftp ip VALUE
– To configure a daily backup schedule:
  • set backup-scheduled name VALUE recurrence daily time VALUE
– To configure a monthly backup schedule:
  • set backup-scheduled name VALUE recurrence monthly month VALUE days VALUE time VALUE
– To configure a weekly backup schedule:
  • set backup-scheduled name VALUE recurrence weekly days VALUE time VALUE
– To show the details of the scheduled backup:
  • show backup-scheduled VALUE
– To delete a scheduled backup:
Best Practices - Backups
Speaking of Backups: VMware
Best Practices – Gaia Commands
Expert Mode activation
– “set expert-password plain”
When not in expert mode…
– Type command then press <TAB>
Best Practices – Gaia Commands
Some other commands available
– show interface <TAB>
– set interface <TAB>
– add user <TAB>
– save config
– show commands
– show commands feature <TAB>
– show configuration
– expert
Best Practices – Gaia Commands
One nice “Cisco” type touch
– “show configuration”
– Copy the output into Notepad
Best Practices – table.def
Gets flagged as part of the upgrade process
If you modify this file it will be overwritten at upgrade
Why would you?
– See sk31832 for traffic hiding behind the Virtual IP
– NTP typically fails from the secondary member
– DNS typically fails from the secondary member
If NTP and DNS fail, the clock will not be right on your secondary box, which means it won't fail over cleanly
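One way to put the change back after an upgrade has overwritten table.def, as an added example that is not from the slides or from Check Point: it assumes the mechanism behind sk31832 is the no_hide_services_ports set in $FWDIR/lib/table.def on the management server (verify against the SK), and the default entries in the constructed sample are an assumption. The script adds NTP/udp and DNS/udp idempotently, keeps a copy of the original, and reports whether anything changed.

```python
"""Re-apply the table.def change that lets cluster members send NTP and
DNS from their own addresses after an upgrade has overwritten the file.
Added example; assumes the no_hide_services_ports mechanism of sk31832."""
import re
import shutil
import time

# Constructed fragment of $FWDIR/lib/table.def (not the real file).
# The default entry list is an assumption; only the variable name matters.
SAMPLE_TABLE_DEF = """\
// table.def (constructed sample)
no_hide_services_ports = { <4500, 17>, <500, 17>, <259, 17>, <1701, 17> };
"""

# <port, protocol> pairs the member must originate from its own IP.
# Protocol 17 = UDP: NTP/udp 123 and DNS/udp 53.
MEMBER_SERVICES = [(123, 17), (53, 17)]

_SET_RE = re.compile(r"(no_hide_services_ports\s*=\s*\{)(.*?)(\}\s*;)", re.S)
_ENTRY_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")


def parse_no_hide(text):
    """Return the (port, proto) tuples currently in no_hide_services_ports."""
    m = _SET_RE.search(text)
    if m is None:
        raise ValueError("no_hide_services_ports not found in table.def")
    return [(int(p), int(pr)) for p, pr in _ENTRY_RE.findall(m.group(2))]


def needs_patch(text, services=MEMBER_SERVICES):
    """True if an upgrade (or a fresh install) has left the entries out."""
    existing = parse_no_hide(text)
    return any(s not in existing for s in services)


def add_no_hide(text, services=MEMBER_SERVICES):
    """Return the file text with the services appended; safe to run twice."""
    existing = parse_no_hide(text)
    merged = existing + [s for s in services if s not in existing]
    body = ", ".join(f"<{p}, {pr}>" for p, pr in merged)
    return _SET_RE.sub(lambda m: f"{m.group(1)} {body} {m.group(3)}", text, count=1)


def patch_file(path, services=MEMBER_SERVICES):
    """Patch the file in place, keeping a timestamped copy of the original.
    Returns True if the file was changed."""
    with open(path) as fh:
        text = fh.read()
    if not needs_patch(text, services):
        return False
    shutil.copy2(path, f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.orig")
    with open(path, "w") as fh:
        fh.write(add_no_hide(text, services))
    return True


if __name__ == "__main__":
    import sys
    # Run on the management server after every upgrade, then reinstall policy.
    changed = patch_file(sys.argv[1] if len(sys.argv) > 1 else "table.def")
    print("table.def patched" if changed else "entries already present")
```

table.def is compiled into the policy, so the edit only takes effect on the cluster members after a policy install; running the script as part of the post-upgrade checklist, before that install, is the point.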
Best Practices – What to Log (or not)
Large amounts of logging kill performance
DO LOG
– Web Protocols
– VPN Traffic (except that below)
DO NOT LOG
– Microsoft/NetBIOS Traffic
– DNS (except external lookups for browsing)
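Before switching tracking off on a rule it helps to know which rules are actually producing the noise. The following is an added example, not from the slides or from Check Point: it applies the slide's DO NOT LOG list to a constructed log sample in a simplified "Key: value;" layout modelled on fw log output, treating DNS to a private (RFC 1918) resolver as noise and DNS leaving the estate as worth keeping, and reports the rules whose hits are mostly noise. The service names in NOISY_SERVICES are assumed Check Point service-object names.

```python
"""Rank firewall rules by how much of their log volume is noise.
Added example; the sample log and service names are constructed/assumed."""
import ipaddress
from collections import Counter

# Constructed sample, modelled loosely on fw log output; not real data.
SAMPLE_LOG = """\
Time: 10:00:01; Action: accept; Rule: 5; Src: 10.1.2.3; Dst: 10.1.1.10; Proto: udp; Service: nbname;
Time: 10:00:01; Action: accept; Rule: 5; Src: 10.1.2.4; Dst: 10.1.1.10; Proto: udp; Service: nbdatagram;
Time: 10:00:02; Action: accept; Rule: 7; Src: 10.1.2.3; Dst: 10.1.1.53; Proto: udp; Service: domain-udp;
Time: 10:00:02; Action: accept; Rule: 7; Src: 10.1.2.5; Dst: 10.1.1.53; Proto: udp; Service: domain-udp;
Time: 10:00:03; Action: accept; Rule: 7; Src: 10.1.2.6; Dst: 8.8.8.8; Proto: udp; Service: domain-udp;
Time: 10:00:03; Action: accept; Rule: 12; Src: 10.1.2.3; Dst: 93.184.216.34; Proto: tcp; Service: http;
Time: 10:00:04; Action: accept; Rule: 12; Src: 10.1.2.4; Dst: 93.184.216.34; Proto: tcp; Service: https;
Time: 10:00:04; Action: accept; Rule: 5; Src: 10.1.2.7; Dst: 10.1.1.10; Proto: tcp; Service: microsoft-ds;
Time: 10:00:05; Action: encrypt; Rule: 3; Src: 10.1.2.8; Dst: 172.16.0.9; Proto: tcp; Service: http;
Time: 10:00:05; Action: accept; Rule: 5; Src: 10.1.2.9; Dst: 10.1.1.10; Proto: udp; Service: nbname;
"""

# The slide's DO NOT LOG list, as assumed Check Point service-object names.
NOISY_SERVICES = {"nbname", "nbdatagram", "nbsession", "microsoft-ds", "domain-udp"}


def parse_line(line):
    """Turn 'Key: value; Key: value;' into a dict (values may contain ':')."""
    rec = {}
    for field in line.split(";"):
        if ":" in field:
            key, value = field.split(":", 1)
            rec[key.strip()] = value.strip()
    return rec


def is_noise(rec):
    """NetBIOS/SMB is always noise; DNS is noise only to an internal resolver,
    so external lookups (the slide's exception) are kept."""
    service = rec.get("Service", "")
    if service == "domain-udp":
        return ipaddress.ip_address(rec["Dst"]).is_private
    return service in NOISY_SERVICES


def summarize(text):
    """Return (hits per service, noise hits per rule, total hits per rule)."""
    by_service, noise_by_rule, total_by_rule = Counter(), Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if "Service" not in rec or "Rule" not in rec:
            continue  # skip malformed or unrelated lines
        by_service[rec["Service"]] += 1
        total_by_rule[rec["Rule"]] += 1
        if is_noise(rec):
            noise_by_rule[rec["Rule"]] += 1
    return by_service, noise_by_rule, total_by_rule


def rules_to_review(text, threshold=0.5):
    """Rules where at least `threshold` of hits are noise: candidates for
    Track = None (or a split rule so the external DNS part keeps logging).
    Returns (rule, noise_hits, total_hits) tuples, noisiest first."""
    _, noise, total = summarize(text)
    out = [(r, noise[r], total[r]) for r in total if noise[r] / total[r] >= threshold]
    return sorted(out, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    by_service, _, _ = summarize(SAMPLE_LOG)
    print("hits per service:", dict(by_service.most_common()))
    for rule, noisy, hits in rules_to_review(SAMPLE_LOG):
        print(f"rule {rule}: {noisy}/{hits} hits are noise")
```

Run the same functions over a real fw log export (converted to the same key/value form) for a representative day rather than the constructed sample; the rules that come back are the ones to change to Track None, or to split so only the noisy part stops logging.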
Best Practices – What to Log (or not)
Best Practices – Tidy up after yourself
We have customers spending large amounts of money on firewall audits
Sometimes compliance means they have to be done
If you disable a rule as soon as you don't need it anymore, and delete objects when you don't need them, your lives will be much easier
Best Practices – Tidy up after yourself
What are Check Point doing to help
Best Practices – Tidy up after yourself
What are other people doing to help
Best Practices – Monitor Performance
Don’t just monitor CPU
Check Point has a whole SNMP stack built in
Use it to monitor other metrics
Best Practices – VPN Cert Renewal
A year ago we said…
“Check Point and IPv6
IPv6
Gaia Supports IPv6
About to EA IPv6 Support in ALL Blades
IPv6 Support for Management