Check Point Firewall Secure internal communication | SIC

Captions
Hi and welcome to my channel. My name is Magnus and today we're going to talk about Secure Internal Communication, or in short SIC. Check Point products and platforms are using SIC to authenticate to each other. SIC is based on SSL certificates. When you first install your management server, this includes the CA, or the certificate authority; it's also mentioned as ICA, Internal Certificate Authority. This is what creates the certificate used for SIC. For R71 gateways and above we use AES128; for gateways below R71 it's 3DES, but you guys should be running R80 anyway, so AES128. When we did install the gateways we did put in a one-time password to connect the gateway and management, and after this one-time password is used, the rest of the communication is using certificates.

In this video we are going to reset the SIC on one of the gateways so we are able to check the different statuses of SIC. So if we go to Network Objects, and Gateways and Servers, and if we click on the cluster, then on the cluster members, we can see we have both gateways here. So if we take this one for example, we do Edit, and here you see the Secure Internal Communication and you have the CN, but if you press here, Communication, you see "Trust established". So SIC has a few different statuses, and if you want to test this you can just press Test SIC Status, and you want to see "Communicating". So here you see Communicating, and Trust established and Communicating means everything is hunky-dory, everything is working just fine.

So if we would log into this gateway now and just reset the SIC, then we can see a different status. So let's log in to the gateway, and for that we use SecureCRT. So we log into the gateway with the admin account and we need to go into expert, and here we can run cpconfig, and cpconfig allows you to reset the SIC. So here you have Secure Internal Communication, and what we want to do here is to press 5. So when we are in here we can actually see the current state, and the trust state is "Trust established", so this is actually good. But let's say that our certificate has been compromised or something like that; then we need to reset it. So let's press yes, and you see here: "Note: the Secure Internal Communication will be reset now and all Check Point services will be stopped using cpstop. No communication will be possible until you have reset and re-initialized the communication properly. Are you sure you want to continue?" Yes. And let's put in a new activation key, so I will just put in checkpoint123 and press enter, checkpoint123. And what we need to do here now, you see here: "Hardening OS: initial policy will be applied until the first policy has been installed." And what we want to do now is to press 11 to exit, and you see here now all the processes are stopped, and well, maybe we even get kicked out, because we will have the initial policy, and the initial policy is more or less deny any. All the processes are now stopped and you see that it's even the initial policy; so you see here "installing security policy InitialPolicy on all.all at CP gateway 2", and that's our gateway. And we can try to log into this one again, and I believe this will actually work. Yeah, we can still log in, so that's good. Type exit here, but let's go back to the management station and just see what we have for status now. So close here and Test SIC: so we see here "Not communicating", so we have an error, and "peer does not have the certificate, try to re-establish the trust". So more or less it's broken now; we don't have the SIC communication, Not communicating, and we don't have the certificate. Let's try to install the policy. This should fail, because you see here it's even red, so if we hover over this red we see that "Secure Internal Communication is not operating on CP gateway 2. Verify that it is initialized or was not reset." And the reason why this will fail is because we have this one, "install on each selected gateway independently", but for clusters, "if installation on a cluster member fails, do not install on that cluster". But let's just verify. This is a lab, so we have the possibility to do all the testing that we can normally not do in production. And just to verify that we actually have traffic, we can do ping and it's working, and the reason why it's working, well, this part, he's not part of the cluster anymore. So if we log in to gateway number one and we go to expert and we run cphaprob stat, we see that we are active and lost; gateway number two is no longer part of this cluster. You see here, if we go to gateway number two and run the same command: "HA module is not started". So this one has like zero. If we go back to clish and we just check the configuration, it will still have all the configuration for the interfaces, we can still log into it, we have the SNMP traps and so on, so you see here we still have all the interfaces. So more or less this is a, well, freshly installed box, so to say; it cannot do anything.

And how to fix this? Well, just go back into the firewall cluster and cluster members, gateway number two, double click on it, Communication, and then Reset. And "reset was done, please reinstall the firewall policy; in order to update the CRL you must install firewall policy on all security gateways". OK, so here you have one more: "Trust uninitialized". So let's put in the password, checkpoint123, checkpoint123, and press Initialize, and now we have Trust established. Close, OK, OK, and we need to publish it, and let's try to install the policy again. And this is still complaining, but I think that if we start to install the access policy this will work, or hopefully it will work. So installation succeeded, and after that we can actually install the threat prevention policy, and you see here "YouTube application requires...", OK, well, we can fix that later; just install the policy again. So we have the threat prevention.

And I was going to show you the other way around instead: if we stop the SIC from the management station, let's see what type of statuses we have on the gateway, because they will mismatch. And one important factor when it comes to SIC is to make sure that you have the correct time on all the gateways and management stations. All right, so let's go back into expert mode here and just verify that it's still working and we have the trust established. So cpconfig and then press number 5, and we see here that the trust is established, so just take no here, and 11. So let's reset it from the management station instead. So you do like this: cluster members, gateway number two, Communication, Reset, Yes, and let's put in a one-time password here from start, so checkpoint1234, checkpoint1234, and we do Initialize. So it says "failed to connect to the security gateway", so here you have a different status: "Initialized but trust has not been established". So if you for example already prepped everything in the management station but you haven't fixed it on the gateway, you will have this status. So how do we fix this one? Well, we put in the same password on the gateway. So let's try that: cpconfig and 5, and... trust established? I wasn't expecting that one, actually. Let's do like this: 11. Let's try to push the policy; I was hoping it would show something else, because now I have an incorrect SIC. Can we push the policy? Let's try; hopefully this will fail. Ah, failed, and the reason why it's failing is because "peer SIC certificate has been revoked, try to reset SIC on the peer or re-establish the trust". And here it fails on gateway number one because "security gateway policy installation cancelled for modules CP gateway 1", and it should say like, let's say, wow, it's failing due to the cluster is not the same. That's the point of it, but here you see this error as well. Let's see if we can make this bigger; well, it doesn't matter. So "installation failed, reason: peer SIC certificate has been revoked, try to reset the SIC on the peer to re-establish the trust". Well, let's try it again, see if it has changed; I don't know, I thought it would change. "Would you like to reinitialize the communication?" Yes. "Are you sure?" Yes. Activation key checkpoint1234, checkpoint1234, 11. So it will stop everything and hopefully it will fix itself; let's see, because now it actually has the correct key on the management station. So let's see if it will pick up the correct policy from start; I'm not sure, let's see. All right, so it has started, and stopped all processes and started again, and you see here it actually still has the initial policy. So if we do fw start... oh sorry, fw stat, and we see here it's initial policy. Well, let's go back to the management station, and firewall cluster, cluster members, number two, Communication, let's see: "Initialized but trust not established". Let's test the SIC: Not communicating. All right, Initialize; now Trust established. Test SIC: Communicating. So the Initialize is more or less sending their request again. So that's perfect, so now everything is hunky-dory. So just do Close and we do Cancel here, OK, let's do OK, OK, Publish. Let's see if we can fetch the security policy; that would be cool, because we still have the initial policy here. So let's see if we can fetch it. First of all let's see if we have HA, like cphaprob stat: so the module is not started. So let's install the policy, because, well, we don't have the HA module, and well, we can start it manually and so on, but it's just easier to push out the policy and the gateway will get all the details it needs to. And the reason why I unselect the threat prevention policy is because that one goes faster to install, and well, the access policy and so on need to be installed before the threat prevention policy, so it would be like a dual policy installation when you do like this. So we have successfully installed the policy; let's do it on the threat prevention as well. And if we do cphaprob stat we see that the member and so on is up. I will clear it here, so we see that everything is up and running again. The failover hasn't changed, but this member, member 2, has already seen that there is already an active member, so it's putting itself in standby. This list is just awesome; it first appeared in like R80.20, I think it's the 3.10 kernel, but if you're running the newest and latest and greatest and so on you will have this awesome list. It's so much easier to see this cluster state thing; this is not existing in R77 or in R80.10, so you need to have higher to really see this one. You can of course see it in different ones, so like for example the last video I did do with the messages file, we can just see there: tail -10... sorry, more /var/log/messages, so we can see the policy installation and so on here, and let's see if we can see the cluster; let's do 20. No, we cannot see it here; ah, that's annoying. There is a different file where you can check this, but well, this video is regarding SIC.

And, well, I think I have shown you everything regarding SIC, or everything that you need to know in basic at least. If you want to read more about it there is a nice documentation for Secure Internal Communication, and here you have all the information: that it's certificate based, that it's AES128. I even think this is a certification question, so remember that one. And here you see that it's a one-time password and after that it's certificate based, so that's good. Here you see the one that I mentioned about the time: it's really important to have the clock synchronized between your gateways and management station; the recommendation is to use NTP. And here you see how to initialize the trust. You see different SIC statuses; these are the three statuses that you can have: Communicating; Unknown, there is no connection between the security gateway and management station; and Not communicating, the security management server can contact the security gateway but cannot establish SIC. So these three are good to know as well; Communicating is the one that you want to have, then everything is hunky-dory, everything is working. And here you see the trust state and how to reset it, that we did just show; you can reset it either from the gateway or from the management station and you need to put in the password on both places. A bit on how to troubleshoot the SIC: there's a few like ports that need to be open, and this is part of the generic like policy, so if you're not going through different firewalls you will not have this problem, because it's default open within the Check Point. And if you run into major issues you can do fw unloadlocal; fw unloadlocal will remove all the rules, so you need to be careful with that one. This is like your last resort, but fw unloadlocal you can use if you really need to access something that you have, well, totally screwed up. And here it says some information regarding the ICA, or the certificate authority, that is not only used for SIC; it's actually used for the VPN certificates and for the users if you want to have that one as well. And this one I didn't know from start, and this one I just found out like recently, because, well, normally I update the management station more often than that, but apparently it's five years validity on it. So, well, if you keep your stuff for more than five years you can encounter this, and then you need to extend the certificate. They come up with like a pop-up window so you will understand it, but, well, keep that in mind. If you want to know a lot more about the SIC, well, I recommend the forum, and for example I found a great post from hako regarding like how and what ports are actually used for SIC and when the SIC certificate is actually used. So check out the community, and here you can see all the ports used for SIC. I guess this is the most common, because that pulls the certificate, meaning the gateway needs to reach the management station on this port, and as hako said here as well, there's no keepalive. So that's it for this video; please like, share, comment below what you want to see next, and I hope to see you in the next one. Take care, bye.
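As an added example (not from the video, and not Check Point's own tooling), here is a small POSIX shell check for the two symptoms the video shows after a SIC reset: the gateway falls back to InitialPolicy (visible in fw stat) and its HA module stops (visible in cphaprob stat). It assumes the fw stat and cphaprob stat output layouts used in the constructed samples; on a real gateway you would feed it the live command output instead.

```shell
# Post-SIC-reset health check (added example, not from the video or Check Point).
# Assumes the 'fw stat' and 'cphaprob stat' layouts of the constructed samples below.
# Constructed sample: 'fw stat' right after a SIC reset, before any policy push.
FW_STAT_INITIAL='HOST      POLICY        DATE
localhost InitialPolicy 3Sep2020 10:15:02 :  [>eth0] [<eth0] [>eth1] [<eth1]'

# Constructed sample: 'fw stat' after the access policy was installed.
FW_STAT_OK='HOST      POLICY        DATE
localhost Standard      3Sep2020 10:31:44 :  [>eth0] [<eth0] [>eth1] [<eth1]'

# Constructed sample: 'cphaprob stat' on a member that has left the cluster.
CPHAPROB_DOWN='HA module is not started.'

# Constructed sample: 'cphaprob stat' on a healthy cluster member.
CPHAPROB_OK='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.0.0.1        100%            ACTIVE         cp-gw-1
2          10.0.0.2        0%              STANDBY        cp-gw-2'

# policy_name: policy currently loaded on localhost according to 'fw stat'.
policy_name() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "localhost" { print $2; exit }'
}

# ha_state: local member state from 'cphaprob stat', or NOT_STARTED.
ha_state() {
    printf '%s\n' "$1" | awk '
        /HA module is not started/ { print "NOT_STARTED"; exit }
        /\(local\)/               { print $5; exit }'
}

# sic_reset_check: return 0 only when a real policy is loaded and the HA
# module runs; otherwise print why and return 1 (usable from a monitoring job).
sic_reset_check() {
    pol=$(policy_name "$1")
    ha=$(ha_state "$2")
    if [ "$pol" = "InitialPolicy" ] || [ -z "$pol" ]; then
        echo "FAIL: gateway still on InitialPolicy; re-initialize SIC and push policy"
        return 1
    fi
    if [ "$ha" = "NOT_STARTED" ] || [ -z "$ha" ]; then
        echo "FAIL: HA module not started; member has dropped out of the cluster"
        return 1
    fi
    echo "OK: policy=$pol cluster_state=$ha"
}
sic_reset_check "$FW_STAT_INITIAL" "$CPHAPROB_DOWN" || true   # the broken state from the video
sic_reset_check "$FW_STAT_OK" "$CPHAPROB_OK"                   # after trust and policy are back
```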
Info
Channel: Magnus Holmberg
Views: 3,464
Keywords: check point software, cyber security, ccsa, ccse, checkpoint, check point, network, secuirty, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos, next generation firewall
Id: lKcGzIbJL5M
Length: 22min 12sec (1332 seconds)
Published: Thu Sep 03 2020