Friday, March 31, 2017

R80 Reference



Check Point Software Technologies, Ltd. - Main YouTube Channel

"Best Practices" Solutions and Documents by product - sk111303 

Introduction to Check Point - Videos
  • Threat Prevention (SandBlast™) Video

SecureKnowledge Articles (SKs)
Support Articles
  • The Check Point Uploader - File Uploader to Check Point User Center - sk108152
    • Check Point utility to upload files to the Check Point UserCenter that were requested by Check Point Support.
  • How to verify that Security Gateway and/or Security Management Server can access Check Point servers? - sk83520
    • Security Gateways and Security Management Servers require access to the Internet (either directly or via a configured proxy) for various Software Blades. The SK lists the relevant connectivity tests.
  • Practical troubleshooting steps for logging issues - sk38848
    • Practical troubleshooting steps that have proven effective in resolving a wide variety of logging issues.
  • Check Point Processes and Daemons - sk97638
    • It is useful to understand the potential impact of an unhealthy daemon (e.g. if you see high CPU for the cpd daemon in top, what might that affect?).
  • Performance analysis for Security Gateway NGX R65 / R7x - sk33781
    • A list of commands that can be run, and files that can be used, to monitor and troubleshoot the performance of the Security Gateway.
  • Ports used by Check Point software - sk52421

SK Tools References
  • How to run the First Time Configuration Wizard through CLI in Gaia ('config_system ...') - sk69701
    • Check Point Security Gateway and Check Point Security Management require running the First Time Configuration Wizard in order to be configured correctly. The First Time Configuration Wizard is available in Gaia Portal and also through CLI.
  • CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - sk92449
    • Next-generation software upgrade and hotfix infrastructure.
  • CPView Utility - sk101878
    • CPView Utility is a text based built-in utility that can be run ('cpview' command) on Security Gateway / Security Management Server / Multi-Domain Security Management Server. CPView Utility shows statistical data that contain both general system information (CPU, Memory, Disk space) and information for different Software Blades (only on Security Gateway). The data is continuously updated in easy to access views.
  • cpstat: command-line utility to query many specific data points of firewall health

Advanced Technical Reference Guides
Technical Reference Guides - in-depth troubleshooting guides for specific functional areas:
  • Multi-Domain Management - sk95329


SandBlast - Threat Emulation Technical References:
  • SandBlast™ Threat Protection - PDF
  • Threat Emulation Engine Update - sk92509
  • Threat Emulation supported file types - sk106123
  • R77 Threat Prevention Guide page 107 - Indicators Configuration

vSec Best Practices:
  • vSEC Gateway for NSX - Best Practices - sk111575
  • ATRG: vSEC for VMware NSX - Best Practices - sk111060

EndPoint and Remote Access
  • EndPoint Best Practices - Series of videos - sk103395
  • Check Point License Guide - sk11054
  • Check Point Remote Access Solutions - sk67820
  • Endpoint Security Server versions and supported Endpoint Security Client versions - sk107255




R80.10 Early Availability Program

As we are expanding our EA installations, I would like to invite you to participate in the Early Availability Program of R80.10. Candidates should commit their production environment in order to get an on-site Early Availability engineer.

The registration process consists of filling out a short questionnaire to characterize the candidates for this EA program, and NDA papers.
In order to register for the new R80.10, please fill in the following questionnaire (link below) and our early availability engineer will contact you.

WHAT’S NEW IN R80.10?

Check Point recently released Next Generation Security Management R80, setting the standard for reliability and ease of use in security management.

Check Point R80.10 extends R80 functionality to complete our vision for security consolidation, unified policy, and integrated threat management.

R80.10 will include:

Unified Access & Data Policy


1. Unified Policy

  • Unified security rule-base for Access blades: Firewall, VPN, Application Control, URL Filtering, Data Awareness, Mobile Access Blade
  • Unified log for network, protocol, application, user, accessed resources, file and data types.



2. Powerful Policy Model Architecture

  • Layered policy to support delegation and segregation of duties
  • Sub-policy to define a set of rules as one management unit, independent of the rest of the rule base.
  • Security zones bound to network interfaces to simplify security policy management.



3. Firewall and Application Control Enhancement
  • Application criteria now includes match by recommended services and by application signature.
  • Service criteria now includes match by protocol signature and by service port.


4. Integrated Data Awareness

  • Data Awareness adds file types, data types, and direction to the new unified policy, combining data with other security policy objects for granular rules.



5. Additional Enhancements:

  • New FQDN mode, to match fully qualified domain name of Domain Objects.
  • Domain Objects and Dynamic Objects support SecureXL accept templates.




Identity Awareness:

  • Large-scale Identity Awareness, supporting 200K users.
  • Identity Collector agent to collect user information from different identity sources (AD/ISE).
  • Web REST API for Identity Awareness.
  • LDAPv3 support for better nested group handling.



Mobile Access:

  • Support for Mobile Access in the unified rule base of R80 / R80.10.
  • Multiple login options, and multiple authentication factors, for Mobile Access and IPsec VPN.


VPN:

  • Multi-core support for enhanced VPN performance (site-to-site and remote access VPN).
  • Security Gateways behind NAT can use NAT-T to initiate site-to-site VPN tunnels.


Threat Prevention:

  • IPS is now part of the Threat Prevention policy, with multiple profiles per gateway and all Threat Prevention blades managed in one rule.
  • Threat Prevention policy installation time considerably improved.
  • Threat Prevention policy support for multiple layers, adding flexibility.


Additional Features:

  • SandBlast Threat Extraction immediately provides users with clean, reconstructed files containing only known safe elements.
  • Support for TLS 1.2 in Mobile Access connections and in portals that do not run through the multi-portal system.


Upgrade Method:

  • Upgrades to R80.10 and onward will be available online and offline through Check Point's upgrade engine (CPUSE).

Thursday, March 30, 2017

6 Stages of Linux Boot Process (Startup Sequence)

Press the power button on your system, and after a few moments you see the Linux login prompt.
Have you ever wondered what happens behind the scenes from the time you press the power button until the Linux login prompt appears?
The following are the 6 high-level stages of a typical Linux boot process. This is the classic BIOS / MBR / GRUB Legacy / SysV init sequence; on a UEFI machine with GRUB 2 and systemd the details differ (the firmware loads an EFI application from the EFI System Partition instead of an MBR, and systemd targets replace run levels), but the overall flow is the same.

1. BIOS

  • BIOS stands for Basic Input/Output System.
  • It performs some system integrity checks (the power-on self test, POST).
  • It searches for, loads, and executes the boot loader program.
  • It looks for the boot loader on floppy, CD-ROM, or hard drive, in the configured boot order. You can press a key (typically F12 or F2, but it depends on your system) during BIOS startup to change the boot sequence.
  • Once the boot loader program is found and loaded into memory, the BIOS hands control to it.
  • So, in simple terms, the BIOS loads and executes the MBR boot loader. Note that a legacy BIOS does not verify what it loads: whatever code sits in the first sector of the chosen device runs with full control of the machine, which is why the boot order and a firmware setup password matter.

2. MBR

  • MBR stands for Master Boot Record.
  • It is located in the first sector of the bootable disk, typically /dev/hda or /dev/sda.
  • The MBR is exactly 512 bytes (one sector). It has three components: 1) the primary boot loader code in the first 446 bytes, 2) the partition table (four 16-byte entries) in the next 64 bytes, 3) the boot signature 0x55 0xAA in the last 2 bytes, which the BIOS checks before executing the sector.
  • The boot code is the first stage of GRUB (or LILO on old systems); it is too small to do much more than locate and load the rest of the boot loader.
  • So, in simple terms, the MBR loads and executes the GRUB boot loader.
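The three components described above can be checked directly on a raw sector. The following is an added example, not code from the original post: it builds a constructed 512-byte MBR in memory (a dummy boot-code stub, one bootable Linux partition, the 0x55AA signature), parses it back into its parts, and hashes the boot code so it can be compared against a baseline taken from a known-good install. The sample partition values (LBA 2048, 512 MiB, type 0x83) are assumptions chosen for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count (little-endian)
PART_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not a real disk image): a dummy boot-code stub,
    one bootable Linux partition (type 0x83) starting at LBA 2048 and spanning
    1,048,576 sectors (512 MiB), three empty table slots, and the signature."""
    bootcode = (b"\xeb\xfe" + b"EXAMPLE-BOOTCODE").ljust(BOOTCODE_SIZE, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x21\x00", 0x83, b"\xfe\xff\xff", 2048, 1048576)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return bootcode + table + BOOT_SIGNATURE


def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature.
    Raises ValueError if the sector is short or the 0x55AA signature is missing."""
    if len(data) < MBR_SIZE:
        raise ValueError(f"need {MBR_SIZE} bytes, got {len(data)}")
    data = data[:MBR_SIZE]
    sig = data[MBR_SIZE - 2:]
    if sig != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature {sig.hex()}, expected 55aa")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, data[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * 512 // (1024 * 1024),
        })
    return {
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "bootable": [p["index"] for p in partitions if p["bootable"]],
    }


def bootcode_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare the 446 bytes of boot code against a baseline hash recorded from a
    known-good install; a mismatch means the first-stage loader was rewritten
    (a boot loader reinstall, or tampering)."""
    return parse_mbr(data)["bootcode_sha256"] == expected_sha256


if __name__ == "__main__":
    # On a live system (as root): parse_mbr(open("/dev/sda", "rb").read(512))
    print(parse_mbr(build_sample_mbr()))
```

The partition-table decode is the same one fdisk performs; the boot-code hash is the piece worth keeping, since a changed first stage is how MBR bootkits persist and nothing in a legacy BIOS boot will notice it.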

3. GRUB

  • GRUB stands for Grand Unified Bootloader.
  • If you have multiple kernel images installed on your system, you can choose which one to execute.
  • GRUB displays a splash screen and waits a few seconds; if you don't enter anything, it loads the default kernel image specified in the GRUB configuration file.
  • GRUB understands filesystems (the older Linux loader LILO did not; it recorded the kernel's disk blocks and had to be re-run after every kernel change).
  • For GRUB Legacy, the configuration file is /boot/grub/grub.conf (/etc/grub.conf is a symlink to it). GRUB 2 instead uses /boot/grub2/grub.cfg or /boot/grub/grub.cfg, generated from /etc/default/grub and /etc/grub.d/. The following is a sample grub.conf from CentOS 5:

      #boot=/dev/sda
      default=0
      timeout=5
      splashimage=(hd0,0)/boot/grub/splash.xpm.gz
      hiddenmenu
      title CentOS (2.6.18-194.el5PAE)
              root (hd0,0)
              kernel /boot/vmlinuz-2.6.18-194.el5PAE ro root=LABEL=/
              initrd /boot/initrd-2.6.18-194.el5PAE.img

  • As you can see, each entry names a kernel and an initrd image, and the kernel line carries the kernel command line (here ro and root=LABEL=/).
  • So, in simple terms, GRUB just loads and executes the kernel and initrd images. Because anyone at the console can edit the kernel line in the GRUB menu (for example to append init=/bin/sh or single), production systems should set a GRUB password.
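To see exactly what GRUB Legacy will do with a grub.conf like the one above, here is an added example (not code from the original post) that parses the file, resolves the default entry to its kernel, initrd and kernel parameters, and flags the two things a reviewer looks for first: a missing password directive and entries that boot straight into single user mode or a custom init. The sample configuration is constructed for the example; it follows the shape of the post's grub.conf but adds a second, older kernel entry and points default at it.

```python
import re

# Constructed sample grub.conf (GRUB Legacy), modelled on the one in the post
# but with a second, older kernel entry and the default pointed at it.
SAMPLE_GRUB_CONF = """\
#boot=/dev/sda
default=1
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.el5PAE)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-194.el5PAE ro root=LABEL=/
        initrd /boot/initrd-2.6.18-194.el5PAE.img
title CentOS (2.6.18-164.el5PAE)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-164.el5PAE ro root=LABEL=/ single
        initrd /boot/initrd-2.6.18-164.el5PAE.img
"""

# Global lines come in both 'default=0' and 'timeout 5' forms, or bare like 'hiddenmenu'.
GLOBAL_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_grub_conf(text: str):
    """Return (global settings dict, list of menu entries). Lines before the first
    'title' are global; each entry collects its root, kernel (+ parameters) and initrd."""
    settings, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "title":
            entries.append({"title": rest.strip(), "params": []})
        elif entries:
            if key == "kernel":
                path, *params = rest.split()
                entries[-1]["kernel"] = path
                entries[-1]["params"] = params
            elif key in ("root", "initrd"):
                entries[-1][key] = rest.strip()
        else:
            m = GLOBAL_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings, entries


def default_entry(text: str) -> dict:
    """The entry GRUB boots when the timeout expires (numeric 'default' only;
    'default saved' would need /boot/grub/default, which is out of scope here)."""
    settings, entries = parse_grub_conf(text)
    value = settings.get("default", "0")
    if not value.isdigit() or int(value) >= len(entries):
        raise ValueError(f"unsupported or out-of-range default: {value!r}")
    return entries[int(value)]


def kernel_param(entry: dict, name: str):
    """Value of a key=value kernel parameter, True for a bare flag, None if absent."""
    for p in entry["params"]:
        key, sep, value = p.partition("=")
        if key == name:
            return value if sep else True
    return None


def audit_grub_conf(text: str) -> list:
    """Findings a reviewer would raise: no GRUB password (the kernel line can be
    edited at the menu) and entries that boot to single user or a custom init."""
    settings, entries = parse_grub_conf(text)
    findings = []
    if "password" not in settings:
        findings.append("no 'password' directive: kernel line is editable at the GRUB menu")
    for i, e in enumerate(entries):
        risky = [p for p in e["params"] if p == "single" or p.startswith("init=")]
        if risky:
            findings.append(f"entry {i} ({e['title']}) boots with {' '.join(risky)}")
    return findings


if __name__ == "__main__":
    print(default_entry(SAMPLE_GRUB_CONF))
    print(audit_grub_conf(SAMPLE_GRUB_CONF))
```

Run it against a real file with parse_grub_conf(open("/boot/grub/grub.conf").read()); for GRUB 2 the syntax is different (menuentry blocks, linux/initrd lines) and this parser does not apply.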

4. Kernel

  • initrd stands for Initial RAM Disk. The kernel first unpacks the initrd (or initramfs) image that GRUB loaded into memory and uses it as a temporary root file system until the real root file system is mounted.
  • The initrd contains the drivers and tools needed to reach the real root device (disk controller, LVM, RAID, encrypted volumes) that are not compiled into the kernel itself.
  • Using those drivers, the real root file system specified by the "root=" parameter on the kernel line in grub.conf is mounted.
  • The kernel then executes /sbin/init (on systemd systems this is a symlink to systemd).
  • Since init is the first user-space program executed by the Linux kernel, it has process id (PID) 1. Run 'ps -p 1' (or 'ps -ef | grep init') and check the PID.

5. Init

  • Init reads /etc/inittab to decide the Linux run level (SysV init; on systemd systems the equivalent is the default target, shown by 'systemctl get-default').
  • The available run levels are:
    • 0 – halt
    • 1 – single user mode
    • 2 – multiuser, without NFS
    • 3 – full multiuser mode
    • 4 – unused
    • 5 – X11 (multiuser with a graphical login)
    • 6 – reboot
  • Init takes the default run level from the initdefault line in /etc/inittab and uses it to start the appropriate programs.
  • Run 'grep initdefault /etc/inittab' on your system to identify the default run level.
  • If you want to get into trouble, set the default run level to 0 or 6: the system will halt or reboot as soon as it finishes booting. Since you know what 0 and 6 mean, you probably will not do that.
  • Typically you would set the default run level to either 3 or 5.

6. Runlevel programs

  • When the Linux system is booting up, you might see various services getting started, for example "Starting sendmail .... OK". Those are the runlevel programs, executed from the run level directory for your run level.
  • Depending on your default run level setting, the system will execute the programs from one of the following directories:
    • Run level 0 – /etc/rc.d/rc0.d/
    • Run level 1 – /etc/rc.d/rc1.d/
    • Run level 2 – /etc/rc.d/rc2.d/
    • Run level 3 – /etc/rc.d/rc3.d/
    • Run level 4 – /etc/rc.d/rc4.d/
    • Run level 5 – /etc/rc.d/rc5.d/
    • Run level 6 – /etc/rc.d/rc6.d/
  • Please note that there are also symbolic links to these directories directly under /etc. So /etc/rc0.d is linked to /etc/rc.d/rc0.d.
  • Under the /etc/rc.d/rc*.d/ directories you will see entries whose names start with S or K; each is a symbolic link to a script in /etc/rc.d/init.d/.
  • Entries starting with S are run with the "start" argument when entering the run level. S for start.
  • Entries starting with K are run with the "stop" argument, for services that must not run in that run level (run levels 0 and 6 are almost entirely K entries). K for kill.
  • The two digits after S or K are the sequence number, the order in which the scripts are run: the rc script runs the K entries first, then the S entries, each in ascending numeric order.
  • For example, S12syslog starts the syslog daemon with sequence number 12, and S80sendmail starts the sendmail daemon with sequence number 80, so syslog is started before sendmail.
  • Because everything in these directories runs as root on every boot, they are a classic persistence location: an S entry you do not recognise, or an init.d script whose contents have changed, is worth investigating.

There you have it. That is what happens during the Linux boot process.
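Stages 5 and 6 together decide what actually runs after the kernel hands over to init. The following added example (not code from the original post) reads the initdefault line out of an inittab, refuses the 0 and 6 values discussed above, and then orders the K and S links of the matching rcN.d directory the way /etc/rc.d/rc processes them, so you get the list of init.d scripts that will be stopped and started, in sequence. The inittab text and the rc3.d listing are constructed samples; the link targets are assumptions in the usual CentOS 5 layout.

```python
import re

# Constructed sample /etc/inittab (SysV init, CentOS 5 style); not a real system file.
SAMPLE_INITTAB = """\
# Default runlevel.
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
"""

# Constructed listing of /etc/rc.d/rc3.d: link name -> assumed link target.
SAMPLE_RC3_D = {
    "K05saslauthd": "../init.d/saslauthd",
    "K35vncserver": "../init.d/vncserver",
    "S08iptables": "../init.d/iptables",
    "S10network": "../init.d/network",
    "S12syslog": "../init.d/syslog",
    "S55sshd": "../init.d/sshd",
    "S80sendmail": "../init.d/sendmail",
    "S99local": "../rc.local",
}

RUNLEVELS = {0: "halt", 1: "single user", 2: "multiuser without NFS",
             3: "full multiuser", 4: "unused", 5: "X11", 6: "reboot"}
# S or K, two-digit sequence number, service name (anything else in the directory is ignored)
LINK_RE = re.compile(r"^([SK])(\d{2})(.+)$")


def default_runlevel(inittab_text: str) -> int:
    """Read the 'id:N:initdefault:' line; refuse 0 and 6, which would halt or
    reboot the machine as soon as it finished booting."""
    for raw in inittab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "initdefault":
            level = int(fields[1])
            if level in (0, 6):
                raise ValueError(f"initdefault {level} would halt/reboot in a loop")
            return level
    raise ValueError("no initdefault line in inittab")


def ordered_scripts(listing, action: str) -> list:
    """Names of the S (start) or K (kill) links in the order /etc/rc.d/rc runs
    them: ascending sequence number, then name."""
    picked = []
    for name in listing:
        m = LINK_RE.match(name)
        if m and m.group(1) == action:
            picked.append((int(m.group(2)), m.group(3), name))
    picked.sort()
    return [name for _, _, name in picked]


def boot_plan(inittab_text: str, rc_dirs: dict) -> dict:
    """What SysV init will do after the kernel starts it: which run level, and
    which init.d scripts get 'stop' and then 'start', as (link, target) pairs."""
    level = default_runlevel(inittab_text)
    listing = rc_dirs[level]
    targets = listing if isinstance(listing, dict) else {n: None for n in listing}
    return {
        "runlevel": level,
        "description": RUNLEVELS[level],
        "rc_dir": f"/etc/rc.d/rc{level}.d",
        "stop": [(n, targets[n]) for n in ordered_scripts(targets, "K")],
        "start": [(n, targets[n]) for n in ordered_scripts(targets, "S")],
    }


if __name__ == "__main__":
    print(boot_plan(SAMPLE_INITTAB, {3: SAMPLE_RC3_D}))
```

On a live SysV system, build the listing with os.listdir("/etc/rc.d/rc3.d") and os.readlink for each entry; a persistence review is then a matter of diffing the "start" list and the hashes of the target scripts against a known-good baseline.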