Firewall R75.40 Administration Guide

10 April 2012

Classification: [Protected]

© 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13088
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk67581).

Revision History
Date: 10 April 2012
Description: First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Firewall R75.40 Administration Guide).

Contents

Important Information
Access Control
Check Point Access Control Solution
Rules and the Rule Base
Rule Base Elements
Implied Rules
Order of Rule Enforcement
Example Access Control Rule
Special Considerations for Access Control
Defining Access Control Rules
Defining an Access Control Policy
Hit Count
Preventing IP Spoofing
Configuring Anti-Spoofing
Excluding Specific Internal Addresses
Legal Addresses
Multicast Access Control
Multicast Routing Protocols
Dynamic Registration Using IGMP
IP Multicast Group Addressing
Per-Interface Multicast Restrictions
Configuring Multicast Access Control
Cooperative Enforcement
Enforcement Mode
NAT Environments
Monitor Only Deployment Mode
Configuring Cooperative Enforcement
End Point Quarantine (EPQ) - Intel® AMT
Configuring End Point Quarantine (EPQ)
IPv6
Enabling IPv6 on a Security Gateway
SecurePlatform
IPSO Appliances
Gaia
Disabling IPv6 on a Security Gateway
SecurePlatform
IPSO Appliances
Gaia
Accessing the IPv6 Kernel
Working with IPv6 in SmartConsole
Creating an IPv6 Object
Partial Address Based Filtering
IPv6 Rules
IPv6 in SmartView Tracker
Using ICMPv6 Services in Rules
Anti-Spoofing for IPv6 Addresses
Authentication
Configuring Authentication
How the Gateway Searches for Users
Authentication Schemes
Check Point Password
Operating System Password
RADIUS
SecurID
TACACS
Undefined
Authentication Methods
User Authentication
Session Authentication
Client Authentication
Creating Users and Groups
Creating User Groups
Creating a User Template
Creating Users
Installing User Information in the Database
Configuring Authentication Tracking
Configuring Policy for Groups of Windows Users
Network Address Translation
NAT Modes
Static NAT
Hide NAT
NAT Rule Base
Rule Match Order
Automatic and Manual NAT Rules
Bidirectional NAT
Understanding Automatically Generated Rules
Planning Considerations for NAT
Hide Versus Static
Automatic Versus Manual Rules
Choosing the Hide Address in Hide NAT
Specific Deployment Considerations
Configuring NAT
General Steps for Configuring NAT
Basic Configuration - Network Node with Hide NAT
Sample Configuration (Static and Hide NAT)
Sample Configuration (Using Manual Rules for Port Translation)
Advanced NAT Configuration
Connecting Translated Objects on Different Interfaces
Internal Communication with Overlapping Addresses
Security Management Behind NAT
IP Pool NAT
ISP Redundancy
ISP Redundancy Overview
ISP Redundancy Operational Modes
Monitoring the ISP Links
How ISP Redundancy Works
ISP Redundancy Script
Manually Changing the Link Status (fw isp_link)
ISP Redundancy Deployments
ISP Redundancy and VPNs
Considerations for ISP Link Redundancy
Choosing the Deployment
Choosing the Redundancy Mode
Configuring ISP Link Redundancy
Introduction to ISP Link Redundancy Configuration
Registering the Domain and Obtaining IP Addresses
DNS Server Configuration for Incoming Connections
Dialup Link Setup for Incoming Connections
SmartDashboard Configuration
Configuring Default Route for ISP Redundancy Gateway
ConnectControl - Server Load Balancing
...