Checkpoint Day One Bootcamp

Captions
Guys, I see a lot of background noise. Can you mute yourselves, and whenever you have a question, turn your mic on? Okay. And I'm recording the class, so at the end of the day it will be available online as well as at the physical school.

I am just writing the agenda, the things we are going to cover. I will cover installation types first. Today I will give you Check Point basics plus installation. The platform you are going to use is R80.10, because right now the exam is only available for it. At this time R80.40 is being released, but they do not have an exam for it, and in CCSA right now what is being covered is R80.10. So I'm going to cover that; the version number is R80.10. I will cover the installation types, distributed and standalone. After that we will be covering the firewall; after the firewall we will cover NAT rules. This is all going to be hands-on, real labs, not theory. Theory will be there just to give you the idea, but I will show you each item in a lab, not just theory; that will be done for each of the items. Then we are going to do HTTPS inspection, which is basically more like an intercepting thing. Then we will do mobile access. Mobile access is a fancy name given to remote access VPN, and in this remote access VPN we will have the SSL VPN, the SSL Network Extender, and I'm also going to cover IPsec remote access. So three kinds of VPN will basically be covered in this. Then I am going to cover site-to-site VPN. These are the labs I am going to cover, plus the theory for them. Then I'm going to cover clustering, and after that I am going to cover IPS and the dashboard; these are basically small topics. So this is majorly your CCSA syllabus, put into pointers; further, it has a lot of stuff. So the firewall has a lot in it: the implicit rules, explicit rules, how to create your rules,
then you have the layered approach, which is a new firewall thing that they have. So there are a lot of other things inside it; geolocation filtering, a lot of stuff is there. That will all be covered, but these are, let's say, call them the chapters. And this is the most important for you, because you will find a lot of information on the Internet about these things, but you may not find very advanced NAT information; you will not find a lot of extra details on clustering, real practical working labs. People are struggling to see clustering working. There is a lot of theory available on clustering, but they do not have a lab that has been shown to the students. So that will basically be done. So this is the agenda that we have, and it is being recorded, so you can refer to the recording anytime once you have seen the class.

So Check Point, again, is a UTM solution, unified threat management, and it basically covers a huge number of devices, which we are able to look at on the Check Point website itself. So we'll go to the Check Point platform comparison. As I said, it's a UTM, a unified threat management solution, and it has various platforms available. For small offices they have the 3100 series UTMs. Now, what does a UTM contain? Let's go down here to see what other things there are; it should be at the bottom somewhere. Here it is. So there is a firewall, identity awareness (this is one I forgot; I will also be covering identity awareness), so firewall, identity awareness, IPsec VPN, clustering, mobile access, IPS, application control, content awareness, URL filtering, antivirus, anti-bot, DLP and a couple more things here. This is what a UTM solution is; it is not merely a firewall solution. Like, if you have done Cisco ASA, that is just a firewall; it doesn't have all these functionalities, or maybe it has a few, but it doesn't have the complete firewall functionality. So UTMs are the
devices which have these features, and we will look at all these features, how nicely they are integrated and how easily you can basically access the firewall solution. The way it is designed, that's the whole point: even after having so many features, Check Point is designed in such a way that you will not face many problems, and if you do, Check Point will actually give you an error message saying exactly where the error is. It's a beautifully designed interface. So these are the blades that we are going to do.

Let's go back up to see the comparisons here. Check Point sells various appliance models as well as VM models. These are the appliance models; appliance means a physical firewall sold to the customer. The 3100 series, if you are able to see it clearly, is a branch office solution, which means it is going to be for small offices. Now I am recording it myself; I will give you the recordings later and send them to the group. So these are different models. We have the 3100 and 3200 for branch offices, for small offices. A little bigger office than a branch office is the 5000 series, and mid-size is again 5000, but the 5800 and 5600. If you look at the capacity itself you see why they are like that; you can see the kind of capacity difference which is there. This one, the firewall blade, can handle 4 Gbps maximum, but here these models can handle 14.5. So based on the capacity they have named these series. Of course the pricing varies, because these are the higher models, so they will be charging a higher price for them. And then you have IPS and the firewall, the next-generation firewall, the NG firewall, which we will discuss in detail. You see they are saying firewall and they are saying next generation; what is the difference?

Give me one second. Hello. Right, we were talking
about these models, and you see the NG firewall throughput is much less as compared to the firewall and the VPN, IPS and other things that we have, because the NG firewall has to do a lot of activities; we will discuss what those activities are. You see that IPS, threat prevention, is even lower with the same hardware, because it actually contains a lot of stuff inside it; there is more inspection that happens inside it. Because of that the processing is more and the throughput is less, because the effort is more. Then there are the various NICs; these are the physical aspects of the appliance, so these are physical devices: what RAM is being used, how much the total weight is, and all of those things for these platforms, a detailed overview of them. Further, for large enterprises they have bigger appliances, the 15000 and 23000 series. You don't need to remember model numbers and all that; nobody cares about it. Don't treat it like an engineering cram exam where somebody is going to ask you to cram something; remember the concepts: how does the network work, how does the firewall work, what is threat prevention. So basically, if you look at it, the throughput that you have is much, much higher as compared to the basic model, like 4 Gbps, and here how much? 58 Gbps. So that is suitable for a large enterprise.

"These are all separate modules?" Absolutely, absolutely. These are all separate: the firewall is a separate module, VPN is something else, the NG firewall is different. Basically, in the Cisco solution most of the time they are integrated as one package, so you don't see them as different things; you see them as different features. Here they are different technologies altogether. The reality is they are all different technologies on the core of the operating system, but different modules are used to sell them differently. So
you see that these are large enterprises; you have telcos and all that, so they have a bigger solution here. For the data center and telcos they have the 44000, which gives you up to 377 Gbps. So think about it: from 4 Gbps for a small office to 377 Gbps. What is Gbps? Gigabits per second. So that's the kind of throughput possible, in gigabits per second. And then it doubles: with the 64000 it doubles to 880. They have a couple more models for small to branch offices, the 1400, and the capacity is much lower; these are branch office solutions. Most of the time all the solutions have all the features available to them; for the features you have to buy licenses. If you want the firewall, you buy a firewall license; if you want IPS, threat prevention, you buy those. All these are basically licensed blades; you have to purchase licenses separately for anything that you want to buy in Check Point. Other than the physical appliance, everything has to be licensed separately, because these are software licenses. So this is how many blades they have: 15, 15 plus, kind of 16 different features are basically there. Generally in all other vendors also these are available, but they try to bundle them together. So these are the different appliances. Then Check Point has virtual solutions also, which is like a VM, which I'm going to use today as the solution.

So we will look now at the installation types. There are multiple installation types. First I'm going to talk about standalone, and then we have distributed. Distributed is the most famous, but if you have a very small office you can have standalone. What is the difference? In standalone what happens is you have the management server plus the blades in a single installation. And in distributed what happens is you have the management server separately
installed. Yes, the management server will be separately installed, plus you will have the blades separately installed. Now there are a couple of things. In Cisco ASA and other things we basically utilize a single platform to manage everything. Here in Check Point we have a management station; there will be a management station and there will be firewalls. So this is an SDN approach. In SDN what happens is you have a controller. So let's put this as MS, management server, and these are the blades; this is the official name given to each firewall, so the UTM solutions are basically blades. The management server is responsible for managing these blades, which means any configuration you will do, you will do at the management station. Can you do any configuration on the blade directly? No. You can do basic maintenance tasks on the blade: if you want to delete something locally in the configuration, you want to add routing, switching, any kind of IP address, you can do all that locally on the blade; that is possible. But anything related to the firewall solution, the UTM solution, IPS, threat detection, VPN, IPsec VPN, remote access, SSL, anything has to be done using the management server. This is the SDN controller, the software-defined networking controller. So in this solution you will be able to manage a huge number of blades using a single management server. This management server is known as SmartConsole these days. Sorry, the management server software is known as SmartConsole; it used to be called SmartDashboard in the previous version, and some blades still work on SmartDashboard. So it used to be SmartDashboard and now it's no more SmartDashboard; it is known as SmartConsole, and using SmartConsole you are going to manage all these blades. There is a lot of configuration which can be done using the CLI, but that will all be related to these blades and will not be anything related to the management server
functions, which is basically all the unified threat management configuration; all that has to be configured using SmartConsole. So SmartConsole will basically be responsible for managing these blades; anything related to the UTM functions will be done here. Anything related to the basic management, the routing, switching, IP addressing, everything will be done at the blade level. These are the basics, if we are not getting into clustering and advanced things right now; we will do that at the end, once you have good control over the local stuff.

Now there are two things that we need to discuss here. One is SmartConsole, which we discussed, which is the software for the management server, the management software. The other is the operating system that you have, which is Gaia. So when we are going to use those tools you will realize what is Gaia and what is the blade, because it will be visible to us that this is Gaia and this is the blade. So when we install a blade or even a management server, the base operating system will be Gaia. The base operating system of the blades will be Gaia. What will be the functions of Gaia? The functions are going to be the hardware management, which basically means anything related to IP addressing, routing protocols, switching functions: routing protocols, BGP, OSPF, IP addressing, static routes, dynamic routing, all that, VRRP, backups, updates, upgrades. Update and upgrade are two different things: an update is a smaller bit, an upgrade is basically a full upgrade of the OS itself; updates are small patches and all that. And a huge number of things which we are going to see once we have Gaia up and running. So whether you're installing the management server or you're installing the blades, what you have to do is basically install Gaia first, because everything works on top of Gaia. So let's say we
will start with the management server. When you are installing the management server, what will be installed first? The operating system, Gaia, because that is the base. You need to give an IP address to the management server; where will you do that? You will do it in Gaia. On top of it you will install the management server, and this is a two-step process. You will see that when we install any of these things: the first step will be Gaia, the second step will be either the management server or the blade. So what is a blade? Blade means the blade software plus Gaia, on top of Gaia. What is the management server? The management server is the management server software on top of Gaia. You cannot avoid Gaia; Gaia has to be the base.

"Is Gaia a short form for something?" Gaia is the base operating system of Check Point. It doesn't have any meaning as a short form; there is no short form. It's an Italian word, basically, which is a name that has the meaning "principal mother of all". But it doesn't have any short form, like G is a short form for something and A is for something; there's nothing like that. A lot of other platforms are also like that. And Gaia is built on top of Linux, so it is based on the Linux kernel; further you have the operating system installed on it, and on top of the installed operating system you have either the blade or the management server. Is there any question up to here? Okay.

So this is one aspect. The other aspect we have is this installation where you have one management server and multiple blades. I don't have official documentation of how many gateways are supported with one management server; you can find it in the official guide and other places. So one management server can manage a huge number of blades. The other one you have is multi-domain; you have multi-domain installations. Is it clear? I am sending the
link. Okay, so multi-domain, a multi-domain server. In a multi-domain server what will happen is, let's say with large companies, very large companies, what happens is you have, let's say, India; it has its management server, one MS and multiple blades. Let's say the UK also has similar stuff, and we have the US also with this. Sometimes it's as big as 40 blades, 50 blades. So one MS server and its blades, let's say 40 blades under one management, then another MS server and you have blades for it, and then you have another MS server and you have blades for it. Now this is actually CCSE syllabus; this is covered in CCSE, like advanced clustering and all that. So you have multiple management servers which are managing their respective countries: in India you have, let's say, this one, in the UK you have this one and in the US you have this one. So in multi-domain what will happen is you can have it installed as a multi-domain server, which can also be clustered together, which will further manage these servers. What is the benefit? The benefit is you can create a global policy and apply the global policy and manage all that; otherwise these people have to create those policies themselves. Let's say an attack happens. I will give an example of HP. HP sells printers, laptops, desktops and hundreds of products in different countries; they are operating in almost 130 to 150 countries; they have a big business, billions of dollars, offices. Now these people realize there is some new virus or some malware software that has emerged, and Check Point has issued that you should create this particular firewall rule or IPS rule which will prevent this virus spreading, or something like that. So what you can do is create it at the multi-domain server and push it to all the MS (these are the local MS), and then they will further push it to all the blades. They will be able to push it to all the blades
simultaneously; they can do that. So that is the purpose of your multi-domain server. Now guys, can you hear me? I think most of the participants, yes. Okay, I will just check. So are you clear about single domain and multi-domain? Single domain, this is your single domain, and these are called multi-domain. In single domain, what are the two things I told you about the installation types? Standalone and distributed. In single domain I told you two types of installation, standalone and distributed. We will do both of them today; we will see what standalone looks like and what distributed looks like.

We'll go back again to standalone and distributed one more time. So in standalone what was the thing? The MS server and blades were in a single solution. I'll tell you, most of the appliances, especially the SOHO appliances, the small business appliances: they do not generally buy two devices, they have a very limited budget, so they generally buy both the solutions together. So you will have a ready-made thing in which, in the appliance, you will have the MS and blade pre-configured. What is the benefit? The benefit is that you are basically saving some money. What is the drawback? The drawback is you are losing some amount of RAM and resources, and it's not a great idea because if things fail generally you will have both things down. Let me give you an example of distributed which will show you the benefit. In distributed what happens, and this is 90% of the practice in large companies, is you will have a management server, which is SmartConsole, and you will have a good number of blades. The distributed system will have better, centralized management. So what will happen is you will have the management server, which is SmartConsole, and these will be different blades which will be managed using this particular solution. Now only when
you want to make any change, you will actually use this. Only when you are making any change, you will basically create the configuration here and you will push it to the respective blade. You can push in a single go or individually, depending on what kind of policy you have created. You can create a single policy for all the blades if they have similar configuration, or they are part of a cluster or something; but if they are not part of a cluster you have to create separate policies and apply those to separate firewalls, because they will be installed at different locations. In distributed, what is the benefit? You basically have a copy of everything you are doing saved, so even when your management server goes down, even if your SmartConsole is not operational, your blades will be operational. Okay guys, can you mute yourselves? There is a lot of background noise coming in. So what is the benefit? One is that you have a copy of everything at a different place other than these blades. Generally you can also have it working in a kind of clustering solution, a master and slave kind of relationship, so that your management server also has a backup: if the primary server goes down, you have the secondary. So even for the management station you can have your solution installed like that. So that is your distributed: you will do the configuration, push it to the respective firewall; any kind of change has to be done using the management server, and your blades will be active all the time.

So I will show you the examples of an installation today, which will be first Gaia, and after that either it will be SmartConsole or it will be a blade on top of Gaia. Gaia has to be the base of it. So I am going to use a VM to do that. I already had some installations; I removed all those. Before I do the installation I will tell you the minimum requirements which are required, the resources which are
required. So for the VM: if you have distributed, you can have 4 GB each. Sorry, 4 GB each: for the blade you can have 4 GB, and for SmartConsole, the management server, you can have 4 GB. So 4 GB RAM each. Generally 40 GB is recommended, but I'll say 60 GB is a good minimum hard drive required. And 2 cores are required, 2 vCPUs, 2 virtual cores; I can rather say one socket, two virtual cores are required, otherwise your installation will not work. Minimum 3 network adapters: one for management and 2 minimum for interfaces, inside and outside. You can have up to eight different interfaces in a VM which are supported; logically you can create as many as you want, but only eight will be active at one time in the VM; this is a limit that they have. This is about distributed. If you have standalone, where the management and the blade will be in a single solution, in that case you should use minimum 8 GB, 2 cores again (generally 4 are recommended, but 2 minimum will work), 60 GB minimum should be required and 3 adapters. So that's distributed and standalone. First we will do a standalone and then in parallel we will start a distributed; I will try to add two firewalls to a single management server.

So we will go and create a new VM. After the class I will share the image and this recorded video. So I have a Gaia image; this is Gaia R80.10. I am going to install it. This is the kernel you require; generally you should require the 64-bit. Now if you have less than 4 GB it is itself going to put it into 32-bit. I am going to name it Standalone, because the first installation we are doing is standalone. I have a separate space I am basically going to use here. So what is the minimum hard drive? It's 60 GB, otherwise there will be slowness and you will feel it. You can choose single or multiple files; it depends on your hard drive and how it would process it; I generally choose multiple. Let's go here. What is the RAM? We
discussed the minimum: 8 GB. How many CPUs? 2, correct. And how many adapters? Use bridged always. Go here and add one here again, and do bridged again, bridged again. Three is the minimum; if you want to add one more, it's absolutely fine; you can add up to 8, so that's absolutely okay. We have four interfaces. I will just go and check: 8 GB of RAM minimum, 2 virtual CPUs, four interfaces, four adapters, all in bridged mode. The image is already selected and I'm installing it. So this is a standalone installation I'm doing; let's see what happens and how it starts. So it says Install Gaia; you see that it's asking us to install Gaia, so the base operating system is going to be Gaia.

What are the materials I will provide you? So this is the syllabus; these are all the labs and the theory being covered. The material: the official curriculum plus the lab guide, I'll have all the videos for it, and the image to install it; all that will basically be there. So these are the three things which you will be getting with this class. Generally it goes around six weekends, four hours each.

So this process will install the Check Point Gaia operating system and the applications. Say okay. What language? US. And this is about the drive; your disk size is 59 GB. It will ask me to set the password for admin; the username is admin, as is visible there. It is checking all the interfaces, how many interfaces you have; all are up, good. It is asking me to set up the management IP of the Check Point, so I will just give something, maybe 99. Do you want to continue with it? It is going to format that hard drive; I am okay with that. So right now what is being installed is Gaia. Once the Gaia installation is done it will ask me: do you want to install the management server, or do you want to install the blade, or do you want both? So that is where the
process will basically start. Generally this doesn't take much time; the other process will basically take minutes, but this should be quick. So, package installation: you can see the items being installed. It's installing assets and other basic things. As I said, Gaia has the IPv4 network stack, it will have routing protocols also, it will have VRRP and other things also; so anything that is required in a basic operating system, everything is coming in that, and then the whole software. Guys, can you mute yourselves please? Okay. Now once this is done we will get a message on the screen that the rest of the installation you can do using the web interface. Now we see what's happening: the Check Point software blades are being copied, not installed. This is the difference: what was happening with Gaia was installation, but what is happening here is copying, because on installation we may or may not make it a blade; it is our choice. I still have a choice: although I have given the machine the name Standalone, I still have a choice whether I want to make it only the management server, or both, or only the blade, because that option we get after Gaia, the base operating system, is installed. So right now it is copying the management server and it is also copying the blade software, but it is copying, it's not installing. Now here it says your installation of Gaia is complete; now you can go to this particular IP and do HTTPS, because the rest of the thing will not occur in the CLI; it will happen in the graphical interface. So your Secure Linux is installed, on top of Secure Linux Gaia is installed, and on top of Gaia it will give us the option of what you want to install. So let's see what's basically happening: the first step is Secure Linux, the second layer on top of it is Gaia, the third thing you have is your choice. So let's say here this is Secure Linux, the Linux shell; after that you have Gaia; on top of it you have three choices: either the blade, or Smart
Console, the management server, or both. You do have another option of installing the multi-domain manager, so rather you have four choices here.

"Which part are we talking about?" When you have a question you can unmute yourself and ask the question; there is no problem with that. "The top layer?" Okay. So basically what happens here is that you have Secure Linux, the first step; on top of it is the Gaia operating system; on top of it we can have the blade, the firewall itself, or the management server, or the blade plus management server, which is called the standalone installation. If you say both, it will be called standalone. Or you have multi-domain management, which we just discussed, which can manage multiple of these distributed installations.

"I have one question: is it the three-layer architecture for Check Point, this one which you are explaining?" That's correct, that's correct. So you have Secure Linux being installed, because that will secure the Gaia operating system; on top of Gaia you have the third layer, which is basically where you will choose whether you install it as a blade, or as SmartConsole, or both, or as the multi-domain manager, but that has to be secured using these two base layers. "No, my question is: is it called the three-layer architecture for Check Point?" No, no, it is not called anything. Basically they don't have it explained as multi-layer; they have it as that you generally install Gaia. I am just explaining that Gaia is installed on top of Secure Linux; they don't have any official layered name for it. "Okay, thank you." Okay, so you have Secure Linux, and Gaia on top of it. Now we will see if we have anything here. So I will do HTTPS to the given address, which is basically 99; here it is, and I will use admin and the password the firewall asked me to set at the time of installation. Now this is
the second step. It is asking me, it says R80 First Time Configuration. Gaia is done; now what we are installing we will see, because right now also it is not confirmed what we are installing. So continue with the R80 configuration: the management IP which we configured, and I'm using that right now; which interface is being used for management and which is used for other things; what is the hostname of this firewall. If you want to go to the Internet right now you can give your DNS IPs also, 4.2.2.2, that will do. If you have a proxy in your company you can use the proxy. Then the time: it is basically picking up the right time, so I don't need to bother with the time because it has picked up the right time from my machine, or from the VM. Now here it's asking me what you want to install: do you want to install the blade, or the security management software, or the multi-domain manager. So here we want to install standalone. So now again it is asking me: do you want to install only the blade, only the management, or both? What is our installation right now? Standalone. What does standalone mean? Both together. So I will choose the gateway and management station together. What if it was [distributed]? I would only be opting for just one. So I'll just say this. The other thing it is asking me is, is it going to be part of a cluster? If you have clustering installed and you want to enable clustering, you can click on this option; or any time when you have it running in the company's network, you can convert any device to a cluster anytime, but you cannot convert a standalone to a cluster. Remember that standalone and clustering is not supported; only the distributed mode supports clustering; clustering is not supported in standalone installations. So right now I am doing standalone.

"I have a question here: if you have a standalone device and I add that device later into a cluster?" No, that device will not become part of the cluster later; it
will create a problem. Oh, I have a clarification about that: cluster, only we use it for the security management, or of course the security gateway here? So that's a nice question. Generally it is used for the blades; it's only for the blades. Okay, thank you. But here is a very interesting thing: define security management as, so here, if you are choosing this, you see only the clustering is disabled, right? The clustering is disabled. What is left here is: is it the first security management, smart console, as a primary, or are you installing it as a secondary also? Okay, so let me explain this in the diagram. Here we have two things. You can have your management server as primary and secondary, right? But if you see that when I click on primary and secondary, what happened? The clustering is disabled. That means clustering is not there for the management server; clustering has nothing to do with the management server, correct? Why clustering has nothing to do with the management server, I'll explain. So here it is. Let's say, so what are the cases where you use clustering? Let's say you have one Check Point firewall, you have a second Check Point firewall. In clustering what happens is, generally you combine them as one single solution to the underlying user. So let's say there you have the users; users will not come to know these are two different devices; they will understand this as a single cluster and they will basically pass on the traffic to the cluster. The cluster could be active-active or active-standby, but clustering is basically associated with the data interfaces. That means you are passing the data, so the outside interface will be one, plus the inside will be part of our cluster, and they will either have the same address or a different address with the virtual IP, depending on what it is that you are implementing, right: VRRP, HSRP, GLBP type. Now what happens is this: clustering is a data forwarding concept; clustering is for data forwarding, did you see? Okay. Do you mean similar to
ASA high availability? That's right, this is high availability only; it's high availability itself. The second thing we have here is, right, in this you have active-active and active-standby. The second concept we have is: what about management servers? Now you see that management servers generally have one interface; they do not have three interfaces. In a management server there is nothing called inside and outside, because management servers are not doing data forwarding, data or traffic and all that; they are used for management; they are not blades, right. So they will generally be primary and secondary. So that's the reason you see here, when I'm clicking that I will make it a management server, the clustering option is disabled, because clustering is not for management, right. Similarly, I will remove this; if you see that I click on security gateway, it is only picking clustering, and primary and secondary is disabled, because the primary and secondary concept is not for gateways. What is the concept for gateways? Clustering, correct. It's not possible to have high availability in the standalone? Oh great, that is absolutely okay. So you see that the point here: because both the options were selected it was giving me both these options here, but if I say security gateway you see that the concept is clearly meant for only the data plane, and if I just click on this then the concept is made only primary and secondary for the security management. If the primary server is down, the secondary server... Excuse me, under the cluster, yeah, I think there is a VRRP cluster? Yes. Could you give us a brief on that? No, this is not the right time for VRRP clustering; there is a topic of clustering, there is a complete chapter on clustering which we will be doing, probably in the sixth class; at that time I will be discussing that. Okay, right now the protocol being used for this, this is the basic installation; I'm just teaching the super basic installation of the Check Point in the first class, correct. So guys, are
we clear about it? Security gateway has clustering; it doesn't have primary and secondary; that is for the management server. The management server generally has one IP address, correct. What I do is, although I named it like that, let me do this one. Okay, I am going to basically keep it as security management server, no, as standalone, okay, and then we will install another one as a gateway. So I'll just say security management, although... so good idea, because we have created four interfaces, let's do that as yes. Who can manage it? You can give the list of those users, or you can do it later. And I am going to install both the options here, security gateway and security management, because we have named it as standalone. I will do it in parallel: I am going to install another Check Point firewall here as standalone, so I will just go here, pick the same image, same kernel, and I'll say this, sorry, this is going to be distributed, but I'll say just blade, blade one. Where do you want to keep it? I want to keep it in the D drive somewhere down here, or the solar, or even somewhere. How much? I said 60 GB; it's just a blade, so 4 GB is enough, right, and I need three adapters because it is a blade, so a minimum of three or four adapters I can choose; I'll pick up one more, yeah, so three interfaces, two processors, minimum two processors. Blade. I will start the installation right now, and the other installation is also going on. Also you will see that this wizard and all that will not come in Chrome or any other web browser; you have to use specifically Internet Explorer only, so if you try to do this installation it will not happen in any other browser; it will only happen in Internet Explorer. Yes, so the management server for this particular blade will be the same, the distributed one? The standalone one. So I will tell you what it is that we have done: we have the first bundle, which is standalone; inside it you have a combination of both MS and blade. What is it that we named it? We named it
standalone, and this is called standalone installation, right. And the other installation that I have right now going on, that is going to be just a blade, a plain one. So this MS will be basically responsible for managing this and managing this. Absolutely. So these blades, no matter how many blades you basically create, you can have a huge number of blades in the future, they will all be managed using this particular solution, okay. So this one can manage this blade and it can also manage this easily. But can they be part of a cluster? Can you, in the future, can you put them as a cluster? No. Mark, standalone doesn't support clustering; it will not have the option of enabling clustering. We will see the clustering option; it will not have the option enabled. I will show you basically once the installation is done. I think we started again, okay, will do. So this installation will start in parallel. Yeah, we can use the same standalone for the distributed blades in the future? Yes, we can do that; this is exactly what we are doing. We have a standalone installation, but in the future I am adding another blade here and we will be able to see this blade under the standalone. It is not possible to have HA in standalone, because you will not get that option; when you have the installation completed you will see that this option will not be available in the standalone mode; the option itself is disabled. Let's see what the progress is. Okay, so this is done. Now let me show you the connectivity and the other things that we should have. So in our first installation, which is basically our management server and blade put together in a single solution, right, the management IP is actually shared, because they are both two different things on a single VM, right, so they do not have two management IPs. What do they have? They have one management IP for it, right, so they will have one management IP being shared. What is the management IP that we are using? So
172.16.0.99. But if I am going to have any further blade in the future, all those blades will have their own management IP with that, right. But for my smart console and management, because I am sharing two VMs in a single body in a standalone installation, I am sharing two different VMs being put together, or two operating systems put together in a single machine or single appliance, I will have a single management IP for these, correct. And similarly, if I go to the distributed one here, these will be managed using this one; all will be managed using the MS component here, right; the management server, which is SmartConsole, which used to be SmartDashboard. Let's see what the status is now, if we have this thing ready. You see that when I did this the first time, what came? The result came that you install this thing. Now when I'm doing it for the second time, what came? The whole configuration thing. This is, which operating system is it? Here on the top you see Gaia, so you will come to know what is Gaia and what is SmartConsole. Again, as I said, Gaia is the base operating system for configuring all the routing protocols like EIGRP, BGP, multicasting, creating users who will manage various things, VRRP or clustering, correct, licensing and upgrades and updates, backups, and everything else; all these are the properties of Gaia. You cannot do any of these activities using SmartConsole. Yes, we can basically convert a standalone to distributed, okay, but we will only have it as a blade then; there will be issues related to that. So this is, you see that always, wherever you are sitting, on the right-hand side you will come to know, is it Gaia or is it a standalone operating system, okay. Now let me see how to install the smart console on the top of it. You see there is a SmartConsole software; you download it on your machine, it's an exe file, and install it, correct. I have it installed. So what I will do is, I will just have the installed component here; this is how it looks like,
correct. What is my IP address here? .99, and admin and the password that I set. I will log in to this also. You see that these are interfaces, DHCP server, static routes and all that; we will see all those things there, whatever you can do here. Remember that whatever can be done from here cannot be done using SmartConsole, and whatever can be done at SmartConsole cannot be done there. I'm going to actually put it all into the documentation. So generally the first time it takes time, okay, so let's give it five minutes for this to come back. To access this in the smart console, generally the first time it takes time. So let's see what can be done in SmartConsole and what can be done in Gaia. This is Gaia, this is SmartConsole. So in Gaia you can do IP interface config, routing protocols, BGP, OSPF, EIGRP, right, that kind of thing, whatever protocols are available, multicasting, VLANs, all that, VRRP, clustering enable, or other things; basically these are the enablement of the features, backup, license, etc., users who can manage, user roles, etc. What is it that you can manage in SmartConsole? Anything, any blade-related activity; the real UTM software, all the blades will be manageable only here. Now can you manage any of these features in Gaia? No. Can you manage any of these in the SmartConsole? No. These are completely two separate things. So because this is a secure operating system installation on top of Linux, on top of it you have installed these components here, which will be managed using this management software; you cannot manage these using Gaia, no, and Gaia cannot manage any of these features, correct, because these are two different functionalities. These are completely logical, software operation related stuff; these are operating system related features; these are all operating system only; these are firewall related stuff. Another question came up: for example, if I have five routers or firewalls, I want to configure a routing protocol on those, so I have
to go one by one, log in and configure them? Yes, you have to go one by one and do individual configuration of those using the Gaia of the individual firewalls, correct. Okay, thank you. Yes. Okay, so that's the difference between SmartConsole and Gaia. Sir, one question on that: if you have the management server, then you can configure through the management server, right? You don't need to log in to all devices one by one? No, he asked something else; he asked me about routing protocols. Routing protocols, so can you configure them through the management server? No, it doesn't have that. SmartConsole, let's look at this line: SmartConsole, management server, this is the management server; it doesn't have a functionality except these features, okay. The job of the SmartConsole is to manage blades and the job of Gaia is to manage the OS, okay, right. So all the routing protocol, IP interface, and you know, properties of that, all that has to be done using Gaia, because that's the OS for it. These blades have specific functions; these will manage firewall rules, VPN rules, IPsec rules, you know, NAT rules, IPS signature installations and all that. This software is not designed to manage or understand the base layer properties, because there is a dedicated operating system for that. Now that's the reason I showed you here: see, how will you manage anything SmartConsole-related here? Do you have any firewall rule here? Nothing, because this is not designed for that; this is not designed for that particular thing; this is designed for the OS function. You can see the properties of it, like here on the right-hand side you can see which blade is passing how much traffic, because at the base layer you need to see which blades are enabled and how much traffic, what is the throughput, what is the packet rate, all that you can see at this, but that is a network-related property. But can you configure a firewall or IPS or anything from here? No, there is dedicated software for that, right. Got it, thank you.
No indication, authentication failed. So let's go here to see; you want to install it, let's do this installation and then we'll go back and check the trouble there. This is, I'm installing the standalone, sorry, the distributed blade, so till Gaia there is no difference again, okay. I will take the same properties; I will give this IP, 172.16.0.98 maybe, it's okay. We want to continue? Yes, so the installation starts. I will go back to this to see what the problem is with this; the standalone is not allowing me; maybe my username or password, something is wrong with it. Okay, my caps lock was on. Okay, so I see only one blade here. You know, if it was distributed there would be two, one for management, the other for the blade itself, but right now only one blade I have, and this is the firewall that I have. I need to take all the properties of it. Right now only firewall is enabled and no other feature, no other blade is enabled in this, particularly in this gateway; no other feature is enabled today. And if I look at interfaces also, the interfaces are only one interface, the management interface; nothing else is there; the other features are all disabled at this time for this firewall. I can create a rule; there is a default rule here; by default the rule is to deny all the traffic. I'll say accept it for the time being, okay, and I'll give you a brief about all the interface things here. So this is how your SmartConsole looks like. Again I said that always look at the right-hand side; you'll see where you are sitting; you're sitting in SmartConsole. So right now you see that here there is no tab whatsoever to configure routing protocols, BGP, OSPF, because this software is not designed for that; it is designed to give you or to control your firewall function, IPS function, threat detection functions, all that, correct. This case is basically to manage the UTM solution and not the Gaia OS; it is the Gaia OS's responsibility to configure the basic features. Okay, so we go to the gateways and here I can see, if I have
more gateways, I will be able to see them. I have a fifteen-day, two weeks license basically available; this is the CPU utilization. Yes, it is very different from R77, completely different; rather, there used to be different blades visible here; no more, those blades are here, okay. And this is something called unified rules or unified security policy, which is basically here; in this you can have all policies at a single place. This is one rule, sorry, by default one rule is there, the cleanup rule. What do you mean by cleanup? The cleanup rule is basically the last rule of the firewall, or the default rule of the firewall, which basically denies everything. It's like: permit what you want to permit and deny all at the end of it. I will come to these topics; these are not basically the topics which you can start from anywhere; this is a one-day task to basically explain all the rules and the firewall policies, because once we come to firewall we will actually have to do a lot of stuff. I am just giving a brief overview of all the functionalities, the interface itself, what the interface looks like, what the features are here, okay. Then we will get into the individual things like firewall; at that time we will see the explicit rules, implied rules. So here we have a firewall; I will explain what implied rules are, what default rules are, and what the things are that you can configure, right. So let's look at the interface here. You have objects here; you can create objects, or on the right-hand side you have objects, you can create objects from there; then you have objects on the top of it, or on the right-hand side you can choose to create objects wherever you want to. These objects will be further used in different parts of policies, right. These are like creating ACLs or network objects; you might have to create most of the network objects, ACLs and all that; you can create all that stuff here. You can create VPN, remote VPN or site-to-site VPN, and you can have
different stuff here. Then we have gateways and servers here; all your blades will be visible, all your management stations will be visible to you; you can see the CPU utilization of that plus the RAM and other things here, what percentage of your resources is being used. You can also see your license: what licenses you have, up to what time those licenses are active, is it the trial license for two weeks or three weeks, or is it basically a full-fledged license. When you install it you have all licenses available to you as a trial for, I believe, fifteen days or so, okay. So this is your gateway; you can see that if you click on any of the gateways you have a choice to enable any of the features that you want to enable, okay. A gateway means a physical appliance, right, or a VM; right now we are using a VM, and you have a choice here to enable any of the features that you want, one by one. When we start a chapter, let's say VPN, which is mobile access, we will see, for mobile access we will enable the feature, right. If I click on it right now it will ask me to configure it; if I enable the feature, so here it is, it's asking me: do you want to enable SSL VPN or IPsec VPN, what platforms do you want to use; it will start configuration. Similarly, if I touch anything it will ask me to configure that, so these are actually full chapters in themselves. Here you have all the basic properties of your gateway; if you have advanced NAT going on or HTTPS inspection going on, and all other stuff is basically here. Then you have security policy; you have two kinds of policy: firewall policies, or IPS policy, threat prevention policies, okay. So firewall policy: under firewall policy you can edit, and you have different policies here which you can go and edit; the layers in firewall: you have application layer, URL filtering, content awareness, and mobile access under firewall; so four blades are there under firewall, and the rest of the other blades are there under threat prevention. So when you go under threat
prevention you see these blades here, okay; you can edit and you can see what the blades are: IPS, Anti-Bot, Antivirus, Threat Emulation, Threat Extraction; all these blades are available under threat prevention. A question is there: I mean the management service is available next to network security, sir, we say? That is correct, absolutely right. Right, so you see that six blades, seven blades are here, plus four blades are there in the firewall, ten blades; the rest of the other blades like IPsec VPN and everything else are there under the gateway; you have to enable those features and then you can do that, right. So ten blades are there in these policies; you can have up to ten blades here, okay. Some of the policies still work under the old dashboard option; if you go here you will see SmartDashboard is still built into it. If I go to the blades here you will see which blades will still work under SmartDashboard, like DLP will work under SmartDashboard, mobile access will work under SmartDashboard, and Anti-Spam will work on SmartDashboard, HTTPS inspection will work under SmartDashboard, okay. So SmartDashboard, as I said, was the old one; in R77 and before we used to have something called SmartDashboard and that used to manage; so some of the functionality still has not moved completely to SmartConsole, okay, but some of the features they have moved now, like mobile access, we just saw, has now been moved to the SmartConsole as well; it's there in SmartConsole as well, but if you click here SmartDashboard will pop up. So SmartConsole has the SmartDashboard software installed in it; you don't need to install SmartDashboard again; it is built into the SmartConsole, okay. So you can basically use it here; it's a little complicated stuff; this was R77, at that time we used to have it; we don't need to do it; we have an option now which says that you want to configure even mobile access using the latest policy, so once you configure here you go back. I have not turned on those interfaces, so the mobile access option will not be
visible here, because I have not enabled the feature. Once I enable it, it will give me an option that you can still move your policy from SmartDashboard to SmartConsole, okay. The second interface we discussed: there are two things here, rather three, but the firewall, all firewall policies, four different policies are there under policy. NAT is there just under that; you can create your NAT, manual NAT, or static NAT, or PAT, or whatever rules you want to create, is available here. Policy under threat prevention, what is that? That is basically your IPS and all those policies; you can create exceptions, and there you have the global policy; this is shared policy, right. It's the geo policy, which means you can block traffic to, right, traffic from any of the countries; so sitting there you can block any country's traffic you don't want; you can straightaway block it, or you can monitor it; if you can just monitor, that's fine, or you can basically block it, or you can create an exception. These are default inspection things; I will talk about it once I'm actually done with these features here, basic features. Logging and monitoring: whatever is happening in your firewall can be basically seen from here, or you can create your queries and you can further go to your threat prevention or access policies, if you have any firewall rule hitting, or you can basically create an IPS, Anti-Bot, and all that; this is for your logging and monitoring, okay. Then you have management and settings, which is basically all your blades, your basics: which user can do what; right now admin is logged in and it is basically the superuser; you can create more users, what permissions they have; you create a user for read-only and all those things; what blades you have, and each blade's internal configuration you want to do; you can basically see how many sessions; right now only admin is logged in; if you are installing new versions and other things; if you have policy
and you created multiple versions of the policies, you will be able to see it. You can also go to the CLI using the command line; you can see what the new features are in this operating system, so it will tell you what the new features are in R80.10; you can click on it, it's more like a basic idea; it will tell you what the changes are and what the other things are that you can basically run from different places, if you want to run any script and all that, okay. So this is basically using What's New; CLI, you can run your scripts from here; and install the policy. You can install the policy, which means when you create a thing you need to push it to the gateways, okay. So I will push the first policy of our security policy; the first policy I am going to push to our firewall, and I will say, right now see that it's asking me, is it access control or threat prevention? I do not have threat prevention; I'm just saying access control; save it. What is my gateway? It's a standalone; it has gateway and management, so I'm calling it both. So the policy is being pushed to the blade right now, whatever policy we have. What is the policy? This, we have a say ACL which permits everything. The first time it will take some time, because it's pushing the objects into a new firewall. Question: first we have to publish the policy and then install the policy? Okay, I'm coming to that. So basically you have two options: you publish the policy; when you publish the policy you are basically saving the policy in the management server, okay, and generally you save it and you install it; but if you click on install it actually publishes as well, one copy saved in the management server and it installs in the gateway. So you click on publish and you see the option Ctrl+S, right, which means save; but if you install the policy, that means save one copy into the management server and install it in the gateway. Okay, so you will be able to see your changes; if you want to see what your, you know, session creation is, let's say I will say
user one, that kind of thing; you can give the comment about the changes you have made; you can basically, in each session, whatever change you make, you can put it here; it will work as a notepad; each time the policy is saved the changes will also be published, or you will be able to see those things, correct. Each time the policy is saved, a revision copy of that is saved, so you will come to know at what time what changes were made, three changes published by admin, and all those things are there. If you have any question about it, this is probably the easiest interface possible to configure such a huge amount of features; there are 16 total blades, right, 15 plus the management server is also known as a blade, and you see that most of these blades can be configured using one single tab. This is really amazing stuff. At one time what used to happen is you had to go on the top to each blade and do its configuration; that means you had to remember the configuration at different places; but here you can do it in a single place, okay. We will see now; we will go back; we have to add one more blade; this installation is complete. Okay, before I go somewhere else, I'll show you the clustering thing, what the problem was in the clustering that I was telling you. You see that there is no option for clustering here in the standalone thing, right? Do you see any clustering option? I will just show you the similar stuff on the other gateway, and you will see that on that gateway when I go there, there will be an option available to convert it into a cluster. Because there is no option to convert it, I cannot make it one, but if I go to a distributed gateway and I do the similar commands, there will be an option available to convert it to a cluster. So that is the reason a standalone cannot be part of a cluster; the standalone you have to convert to distributed and then you can make it part of a cluster. I will open one more tab; we need to install the second
Gaia, but that will be just as distributed. So I will just go here, .98, and so this will be HTTPS, okay. It's asking me the same options again, but this time I'm going to pick up a different option; last time I had security management and gateway both together; this time what I am doing is picking gateway only. When I pick up this option it will ask me a password; it did not ask me this password last time; can you remember why? Because the gateway and the management server were installed on the same family, same VM, right; but now this password is required because I need to connect this gateway to the management server, SmartConsole. So this password, during the installation what I have configured, I need to remember that password and I need to put that password in; it is an activation key, absolutely, okay. Once this is going on I will go back to this place here, and we will go back to the grid; a couple of more options I have to show you. So the first option that you have is, when you add a new gateway you have an option to configure a new gateway; so once our gateway is ready we can have it as this. Also you can add a cluster; if you are adding a cluster you can add a cluster here, and you can basically see all that; the other options will be there, and you can run your scripts here; you can run one time or you can create all the scripts for the future; you can open your SSH access to your device. Let me give you this here; this is my SSH access. Show configuration: I can see the whole configuration like this. If I want to check something I can say set, but it works on set-based commands; if you have configured Juniper and some other devices, they work on set: set routing protocol, set interface and all that can be basically done; set interface, name it, right, eth0; I want to put something and then I can see options and other interfaces here; the other options are ipv4-address, ipv6-address and all those; that can be done also. Now because it doesn't give me the option here, I will do SSH
from my machine, 172.16.0.99, show configuration, and we can see that all these commands are set-based commands; you can pick up any interface; the other interfaces are not yet configured; you can configure using CLI, but the best option is always the GUI; it's much easier to do it there. You can configure set route, you can configure ipv6 addresses, everything is possible here. Now this is your base shell; after that you have something called expert mode; you can set up your expert mode, so set expert-password and say some password. It says that you have another thing open, so first you unlock it. If I say expert and I give the password of expert mode, this is where the real Check Point operating system starts, and you will have very different Linux-based commands and all those things will be basically visible to you. I think cpconfig still works here, and you can have all your VPN tunnel related stuff, etc., so you can do all your directory installation and other things, modify any file; if you want to go deep into the operating system and configure anything, you can basically do it; otherwise generally all the tools are available here and you can check the cluster. So let's say I want to check if these firewalls are in a cluster or not, so I want to check cphaprob, Check Point firewall HA, high availability; so what are the roles? Because clustering is not enabled, the roles are not there. So a lot of commands are basically available in the basic mode, but these are for things like show configuration, show interface; all those commands are monitoring commands; cpconfig, cphaprob, all these are monitoring. If you want to do anything complex you have to go to expert mode, which will impact the configuration. Let's say, the second thing I can say is: this base operating stuff, all that, you know that you have in the clish shell, is all monitoring, and whatever you want to do at the expert mode is SmartConsole stuff; so SmartConsole, if you want to do it using CLI, is available in expert; Gaia, whatever you want to do, is
available in the base shell, okay. All Gaia stuff can be done using the set commands here; you can use set commands and you see what the set commands are; these are the set commands: BGP, OSPF, you know, everything can be basically done using set commands; but if you want to do anything related to firewall and other related stuff using CLI, then expert mode is basically the SmartConsole; you can call it like that, okay. Let's see our other firewall, if it has come up or not; we'll go to this .98. The installation is done; just look at it again; so the installation is completed and that's the reason we are here; otherwise the wizard would come. Now how do I connect the other firewall? Here I am installing a new gateway, so more, this gateway; I'll name it blade1; although, you can name it here; 172.16.0.98. What kind of firewall is it? Is it some appliance model or is it a VM? So it's a VM, so open server; otherwise you have to tell what appliance it is, what physical appliance, okay. Now this is the place where it is going to ask me that password, the one-time password; remember that in the distributed one it asked me a password, so I will say that password here. Trust is not established yet because the password has to be matched, okay. Now because the password is there, the trust of this is enabled and the trust is established. Now I should have two gateways; correct, on the top I have two gateways, blade1 and the standalone, correct. So I have blade1 and the other firewall, two firewalls, we are able to manage with one management station. Now I will show you: we will go to the other firewall and the standalone firewall and we will do SSH, okay, 172.16.0.98, SSH to this; increase the font size; I will say cpconfig. You see that there is an option here; I am going to do side by side cpconfig, okay. You see the options on both sides, and you will see that the standalone doesn't have the option for clustering, but here there is an option in distributed; there is an option for trust, enabling the trust; that is there. That's the reason
in stand alone the clustering is not allowed and distributed only you can go to the type it into Google you will find can find articles clearly telling standalone roses is clustering it has to be in the distributed mode also in the companies in molenbeek uh please you will have this debug info so that's much safe you will have clustering available right so that is the difference between okay so it doesn't have that option and it has that option okay now let's go back to our firewall here there was something related to trust there is something related to the Gateway will trust established what is this trust the trust is that password room right during installation we set up a password in the password matches I'll just the Gateway because I know the secret password on that bad that user admin has the same admitting a set up that beat otherwise some other gate we can configure into our network there is no trust process and then it can create problem correct that is one the second thing the beauty of this trust is this is called secure internal internal communications see okay the purpose of this sake is that whatever communication I have further with this gateway is all going to be encrypted okay I am going to issue certain certificates to this guy that certificate that we are basically talking about at the time of SSS that was the certificate BC him that's a certificate or we can see that certificate do this thing here here it is okay so we can see that certificate being issued we have trust established that's the reason now management server can push the configuration list to this guy and this blade has to trust the management server now Trust is a two-way process right it's a two-way process so the management server can do all the communication will be spur table all the these components blades will trust the management server this man is smart right you can if in any case your trust is broken you have an option to re-establish your trust you can reset your sync 
You can reset your SIC here, correct? But again, this option is only available here; you do not have this option in standalone. Why? Because the SmartConsole and the gateway are not two things, so there is no question of trust when you are installed in a single box. The question of trust only arises when you have a different device. If I am installed in a single box, a single VM, right, the gateway and the management server, there is no question of trust, so they have not given you that option here that you can reset your SIC, because you are the server; how can you reset yourself? Your server is yourself, sir. This has to be reset: I need to ask you for the communication again when I am a different gateway, right? So that is the difference between distributed and standalone mode. Is there any question, any doubt on these two things, all the SIC stuff and all that? Now I go back. It's clear, okay.

Now I will go back here, go to the global properties, and you will see these are the properties of a firewall. Generally ICMP is not allowed; you cannot ping anyway. By default these are the default rules which are above the ACL in the firewall. The firewall policy you will create, those rules are generally through the firewall, not to the firewall, right? But you see that by default I was able to SSH, sorry, I was able to SSH to the firewall, right? Have I configured any rule for that on any of the gateways? But I am able to SSH to both the gateways because the default rule, which is called the implied rule, allows that communication; it is basically here by default. But ICMP was not there, okay. So these rules are hidden rules; these are stealth rules which are applied before the ACL. These are generally the first rules, or before the last. These rules are basically available; they are all hidden from the firewall rules; you will not be able to see them under the firewall policy, okay. But you can change the
rule any time; you can basically change it, you can disable it here. These are rules to the firewall; most of the time it is to the firewall, not through the firewall, okay. All these rules are basically there, and you see that these rules are a little advanced: you have VPN, authentication, remote access and all that. If I configure similar stuff from the main gateway you will not be able to see that.

The second option you have is Inspection Settings. This is like, if you guys have done ASA, at the end of ASA you have by default some policy type: inspect ICMP, inspect SIP. Have you seen that when you do "show run", correct? All those policies are default policies which tell you what to check and what not to check by default, which means what is to be inspected and what not, and if it is inspected, what is to be blocked and what not. Check Point firewall has these rules enabled for you by default, or these rules are available for you; some of the rules are active, a lot of rules are inactive, but you can choose. These rules are generally for protocols which do not work on a single port, okay. So let me explain what that is.

These firewalls are known as stateful firewalls; all new firewalls these days are stateful firewalls. In stateful firewalls, what happens is a state table is created for each connection passing through the firewall. So let's say this is a firewall; any inside user who is going out, if you have a rule for him to go from inside to outside, he will be able to come back on the inside, okay. So what happens is this rule applies to all the traffic which uses a single destination port. Let's say you were telnetting to the outside world; absolutely fine, I have no problem, man. The stateful rule understands the user: there is a user one who went to telnet to some IP, let me put it as 201.1.1.1. This user did telnet to this particular IP on port number 23; I am fine with it because he comes back on the same
port. When the traffic comes back, this is now the destination, and that becomes the source, and the destination is the port he was using as a source here. What if this communication was FTP? FTP goes on 21 and comes back on 20, because one is used for communication and the other is used for the data channel. Now the firewall gets confused with this. This was a problem 40 years back, not anymore, right? But all those applications, and I will give you a lot of applications like these: H.323, MGCP, right, all these voice over IP applications or video over IP applications, use one channel or two channels, one for signalling, one for audio, or two for video, at different ports, and those ports are also random. The firewall generally drops these applications; it used to drop them. These days what happens is all firewall vendors are smart; they have found ways of checking these rules and allowing them back by tracking these rules. It's called inspection. That means the firewall has the capability to inspect dynamic protocols. Static protocols are those which use one port for all the communication, for the data and the control; dynamic-port protocols are those where one port is used for control and other random ports for data. So for that, these protocols are by default there; you see that MGCP, SCCP (skinny), SIP, all these protocols Check Point has, and the TCP/IP, various TCP/IP malicious-intent traffic, is by default all active and the action is set to drop. So by default the firewall has a huge amount of functionality ready for inspecting the traffic even before you have enabled a single rule. It is still fine with it; all those hidden rules are active right now, so all those rules are active at this time.

Guys, can you please mute yourself? The background noise will stop me from talking. So there are the global properties, and then from there, if I change, let's say, "Accept
ICMP Requests", does that apply to all the blades or only on the management side? I actually went to the individual blade to do that, okay. I went to the individual blade to do that; you can change it for individual gateways. You can go to the blade, and these individual properties also can be... Yeah, can you show me please how I can do that? Yes, yes, so you can go to Inspection Settings and you can basically change it, and you can apply it to whichever gateway: you create your profile, create your policy and apply it to this, whatever blade you want to apply it to. Yeah, I'm not talking about this side; if you go to the top left corner and from there if you go to the global properties, not that one... Close the agenda, please. So this is the place; this is the place to make changes to the blades and the policies. Here, this is the place I showed you where all the policies of MGCP and all this stuff are there. So here you have your profile; then you can create your profile, and in that you choose your individual policies, okay. Let's say the Vikas policy; and you can apply your Vikas policy to your gateway, all right? In the Vikas policy, if you want to make any change, you can make any change in the Vikas policy and apply it to the gateway that you want to apply it to, okay? Okay.

Now I have three policies. It should basically show me the policy added, and here I have the Vikas policy, you see that. So I am changing a default policy to the Vikas policy. Further, under the Vikas policy you can make any changes; you can disable anything on any of the blades, you can activate any of the properties of those protocols etc., okay. So that's the basics. Any question on this, guys? The next section, the next class that we have, will have more detail. This is more like a demo; a lot of people are here for the demo. In this we are going to have a discussion on those policies that we just discussed plus unified policies; here we will create them, and then adding these two things will be there. I generally
don't take breaks, so only then will these be known. Stop. Class, is there any question, any doubt till now, whatever we have configured? I didn't get it about the policies; I mean the policies, right? We have multiple policies, so if we want to create a new policy, how would this be? So, Vikas, I will tell you what that is. We discussed the inspection settings for the individual gateway; that was not the standard firewall policy, this is the default implied rule policy, and we can create these two, okay. So this was the implied policy; this is not the default policy, this is the implied policy, the inspection policy, basically. For these policies, if you want to create a new policy, all you have to do is: you can go here and we can create policies as well, that is absolutely fine. We can create a new policy and we can name it anything. Let's say that was the standard policy; I'll say blade1 policy, blade1. So for blade1 I have this; for blade2 I have another policy; those are also possible, that is absolutely fine. So what I am doing is: this standard policy will go to one of the gateways, and the second policy, which is basically, if I go here, the blade1 policy, will go to the other blade. Now the other blade's policy is dropping and the standard policy is permitting, right?

One quick question: your voice is breaking, can you speak a little clearer? Can you hear me now? Yes, yes, it's better. Yeah, under the standard policy, is the inspection thing being applied? So does that mean the inspection settings are common to the gateways? No, no, that's what I said: by default it is shared, but I changed it to the individual gateway. I went to the gateway and changed its policy. I can change the policy, but how do I see which policy goes where? This table: you can see it from here, right? This is the place. Look, now your gateway .98 has the Vikas policy and .99 has the default
policy. This is what I just changed, right? I manually changed it. Yeah, I got it, I got it. Yeah, right. So the shared policy is by default shared, but it doesn't mean that you are forced to share; you can basically change it any time. These can be changed, right? I just showed you the example: this particular blade is now changed to the Vikas policy instead of the default policy, okay. Okay, how... you cannot find the new inspection... the new policy applies for a blade once it's done? This is already done; this is how you do it. I just applied the Vikas policy to blade1; I believe that this will overwrite, and the default inspection policy will no longer be applicable, maybe. Now let me explain here. Let's come back to this; we are getting confused between two things. So we have a gateway; in that we have two policies. One is the implied policy, which is basically the default inspection policy, or inspection policy, okay. The second one we have is the firewall policy. The inspection policy comes before the firewall policy. So for this particular gateway, GW, I have given the Vikas policy as the inspection policy, and the blade1 policy as the firewall policy. Got the point? The Vikas policy I configured under inspection, for inspection-related stuff, and the firewall rule policy, like the ACL, the name I've given is blade1 policy. These are two different policies. I could show you the configuration of both. So here the default is the Vikas policy, and here is the blade1 policy; I will apply through the secondary, which is basically again drop; I convert it because otherwise I will lose access. A few things now: when I try to install it, it will ask me... remember that I said install policy on blade1? I did not go to standard and say install policy; I went to blade1 and clicked on install policy. Now it will ask me, blade1 policy, where do you want to install it today? In that case I will choose blade number 1, which is .98. One quick question now: see, before that it was not asking me; before that it
was because there was one policy, so it was pushing it along to the blade. Now it is asking me which policy you want to push; I am saying blade1 policy. Now it is asking me, out of the two blades, where do you want to push this policy? I'll say blade1. So this firewall policy is for this. Sir, one question: is the implied policy the default policy? Can we customize that? Right, you can, yeah, you can customize both, yes. Which is fixed, or is there no interface to... so, okay, yes. What is the question there? Can you open MS Paint? MS Paint, okay. Yeah, you have the Vikas inspection policy, right, and then this policy, which means, yeah, this is what we created for the firewall. I understand that that is for the ACL and the top one is for inspection, but by default inspection policies right now... your voice is breaking. By default, right, all the gateways will have default inspection policies, am I right? This is what it is. Yeah, exactly. Now we have customized and created a new policy called the Vikas policy; will the default inspection policy still be applicable, or how does it work? Not the default now, because the change I made was the name of the policy. See, I don't know if you guys are aware of MPF on the Cisco ASA. In Cisco ASA what happens is all these are inspection rules, right; that is known as the Modular Policy Framework, MPF, and then you have ACLs applied on the interfaces. So this is exactly the same property, the same thing: you have the Modular Policy Framework, this is your inspection rules, right. Under that, if you do "show policy-map" kind of thing, all that inspection policy says inspect FTP and all that; that is basically all deep packet inspection. This is known as deep packet inspection. This policy is basically renamed to Vikas, and further any change can be done to Vikas; by default the name was Default, okay. And this is your firewall rules. So there is no question: once it is changed to Vikas, there is no question of touching the Default, because Default is a different
policy and Vikas is a different policy. So whatever I do under Vikas will be applicable to this; I may enable some protocols, I might disable some protocols under Vikas, correct? So this thing is basically done in ASA like MPF and ACL, right? You guys have done ASA, right? Your voice is not coming. Any question on this? Yeah, I got it. Sir, one question: I don't know the Cisco ASA, so is there no easy way of learning Check Point? No, no, the same; all firewalls are the same. The thing is, because I have some... no, I don't know ASA, so I can learn Check Point, right? Yeah, and in Check Point you will also learn it, because I will keep referring to that, because most of the students are from that background, so at least you will come to know that in ASA this thing is called MPF. Yeah, all right, thank you. For example, similar to ASA, correct? And the second one, this Vikas policy, correct? That's what we are doing; in this case, the Vikas policy, absolutely, and this is the deep packet inspection policy which goes up to layer seven, and this is our firewall policy, which also goes to layer seven but this is customized by us. See, here, under this, let's say if we want to block yahoo.com, okay, or something, we can do ourselves: URL filtering and all that, right, or maybe some shopping sites or social media sites; all that we have to do using the firewall policy. The inspection policy is deep packet inspection for protocols which are generally not configured by us, because we don't know deeply about MGCP, H.323, SCCP and all those; the firewall vendor has much bigger knowledge than us, so they are doing all those complicated tasks for us. Think about it; let me give you an example. Let's say you have to buy a car and you want to drive the car, correct? You need to know very basic things; you have zero idea of how a car is manufactured, how the engines are manufactured, inside the engine what the various components are, how petrol is converted to, you know, the torque, and
how you basically align it to the wheels and how you apply the power brakes. If you have to learn the science behind it, you probably will be the factory owner. The firewall company says you just become an administrator; the rest of the deep stuff I will take care of. So the car company says you just learn how to handle the steering, clutch, gear and basic stuff; the rest of the stuff you don't need. You don't need to be a PhD from Stanford to understand how to increase the power of the engine, because those companies are million-dollar companies, right? So you don't have to get into the deep science. Similarly, Check Point tells you that you don't get into C++ and Python; I will program the operating system, you click on the buttons and enable or disable the features, right. So all the deep packet inspection that is happening, most of it is enabled, and the option that we have: we do not have an option to program any of these; we have an option to enable or disable the option, as simple as that. We do not have any other option for it. Like now it says the Vikas option that you want to move further to a gateway; you can configure these options onto the gateway, okay. Guys, anything else here for the time being? Any other question on this?

Whatever I have... the thing that we discussed before is different from this one, okay. So what we discussed here, implied rules, is different from inspection rules, right? So implied rules are the internal communication allowed or denied before your ACL rules start. This is your ACL; this is the rule configured by us, correct, rules configured by us; before that the implied rules, and before that inspection. Implied rules are firewall rules, right? They are also... these are the rules which are allowing the management server to talk to various blades. See, management server talking to, I guess, the blade; management server talking to the firewall, the FW1 module; the firewall module talking to the log server, which is again the management server. All these rules, by default, they will communicate to
each other. Why are they able to communicate? Because the trust is established, okay. So let me put it into MS Paint, all the items. This is your firewall; in that, you have by default Inspection Settings, which is basically deep packet inspection; we call it deep packet inspection. This is different: implied rules, which are to the firewall; most of the items are related to the FW1 communication: can you SSH to the firewall, can you ICMP to the firewall, and the firewall talking to the management servers; all those are implied. On top of it you have the third item, which is configured by you, the firewall policy, correct. So the order of operation is: inspection settings, implied rules, firewall policy; after the firewall policy, the NAT policy, generally, okay; after that, depending on what you have, VPNs, all kinds of VPNs, and further after that you have all the threat prevention. These are the order of operation. Under threat prevention you have six items: Anti-Virus, Anti-Bot, Anti-Malware, Intrusion Prevention System and all that; then they will come under. So this is the order of operation; this is the first one, and then further it keeps on checking all these items. There is a possibility something is allowed by the firewall policy but is prevented by the IPS or other things, correct? So it depends on what blades you have enabled. If these blades are enabled, one by one the packet has to pass through all the checkpoints. See, that's the reason they are calling it Check Point: checkpoint number one, checkpoint number two, checkpoint number three, checkpoint number four, checkpoint number five; you have 16 total blades to go through. Maybe you can do the internet access, but when you do internet access you download malware, so Anti-Malware will stop it. The firewall is not blocking; the firewall allows you to go to some website, right, so the firewall rule is matched, you can go to those websites, the websites are clean, but then we realize that the file that you have has malware, so here this threat prevention rule
will block it for you. So these are multiple levels of checks that you have; it will keep on passing through those granular rules, and if it doesn't match at one point it is going to block it. Yes? Is it, I think, to the firewall or through? If we are already... Generally the inspection is through the firewall; the inspection is through the firewall, implied rules are to the firewall. If you see all this here, there is not a single option that we can see which relates to "to the firewall"; it's all through the firewall. So inspection settings are through the firewall and implied rules are to the firewall. The implied rules are in here; these are, yes, hidden ones, absolutely, but again it gives us the ability that you can go and configure your implied rules; you can change implied rules. This column, you can change the implied rules, you can log the implied rules. You can see, in the entire rules, generally the logging is not enabled, so if something is being stopped by the hidden rules you will not come to know. So it's a good idea to do the logging of the hidden rules. See, this other rule will be configured: this rule, so whatever we choose here, logging, yes, we can enable logging, that's fine, it has no problem with that, correct? But the implied rules by default don't have the logging enabled, so it's a good idea to keep logging enabled for the implied rules, so that if anything happens because of the implied rules, maybe you are not able to do telnet or SSH or something which is in the implied rules, which may or may not be permitted, right; if the logging is there we will at least be able to see. There's something called Application Wiki here, yes. Guys, any question? Yes? Okay. Do we not have any inspection for "to the firewall" traffic? Inspection for "to the firewall"? Okay, why do you want to inspect anything to the firewall? I was just thinking: in ASA, right, we make changes, so if I open up, let's say, ICMP, that will be in the state table, right? Correct, that is through the
firewall. Yeah, no, no, that is to the firewall. Traffic going to the firewall: you do not have a state table to the firewall. When you have traffic hitting the firewall, not through the firewall, it cannot have a state table; it cannot be part of the state table because there is no stateful inspection. You will go to the firewall and you will come back; you are not passing through the firewall. You cannot pass it to the firewall; there is no state possibility. So what do we call that scenario, any technical term for that? So that is general traffic; it's not stateful traffic, because you go to the firewall policy, you tell it to allow SSH, allow ping to the firewall; you never pass through the engine, because only when you pass from one interface to another interface will you hit the state table, right, or MPF; that's the time you will be converted to stateful traffic. But if you are just going to the firewall, generally you have all traffic denied except permit of some basic stuff, okay. There is no requirement, because if there is no traffic passing through the firewall, there is no requirement to inspect anything, because by default the rules are such that only limited functions are allowed to the firewall; everything else is blocked to the firewall, okay. That's the reason the inspection policies are not related to "to the firewall" traffic in any way, okay. Guys, any other question?

So here, this is the option which is given in the Check Point firewall here, Application Wiki; you click on it and it will take you to this particular link where you can see all the categories. If you want to check any kind of site, what the risk levels are, Check Point has these options here. So in the next class when we do firewall rules we will do URL filtering, content blocking or content analysis, content-related features; we will actually be able to see this, but just to show you the features here: you have the Application Wiki here. You can see installation history: how many times policies have been installed, what
was the last time any policy was installed, and you can see the certificate being issued to the client, okay. And you can also see VPN communities; you have remote access and this, and if you want to create some kind of IPsec VPN and all that, those things. So here these are the options you have on the right-hand side or on the top. You have objects, and here also you have objects; here you can see what version of the operating system you are using, SmartConsole and all that. Here you have all kinds of services, and you can create your own services. These are by default: if you want to check for BitTorrent, what ports are being used, Trojans, different Trojans; by default all TCP ports are basically given there, objects are created for this; otherwise you can create any object that you want to create, networks etc. Let's say I have a subnet; I want to create it, I can create it from here, and you can basically create anything else that you want. You want to authenticate using RADIUS, TACACS and all that; all those options are basically there. You want to connect it to your Cisco Nexus, ACI 9K, you can do that; AWS, Azure, NSX, OpenStack, vCenter; you can connect it to the cloud also; those are the options available to you. Hey, cloud management is possible. So a huge number of options are basically pre-configured in the objects here. When we do the examples we will see. If you are doing any rate limiting you can choose the rate limiting, 10 Mbps; by default these are the hosts, but you can actually create a new object. If you want to keep, let's say, for one user, the speed of that user to a maximum of 10 Mbps, you have an option to apply that to the user, and he will not be able to cross 10 Mbps upload or download; you can choose whether you want upload or download, you can set it for, you know, a certain user, and always. So a huge, detailed number of options; further, if you go inside it you will actually see, like I just showed you, the cloud options and all that. So it does support all the cloud
options. So everything is well organized in this R80.10 window here. Again, I told you, whatever changes you make, you can save this policy; I'll say "new changes on today", you know, 16th December 2018, and you can put the configuration, you know, "new firewall rule for server one" and all that, so that's basically there. When I publish it, you see that it will keep a revision history of whatever changes I install; it will keep an idea about my policy, whatever I am doing; you can roll back to a previous policy as well, absolutely. Later, when I have to configure interfaces and other things... I have not enabled anything, so it's not taking the policy right now; oh, there is only one network configured at the moment; at least one more interface should be configured to have these features or policy. So how do we do that? We go to both the firewalls; I will go here and I will configure at least one or two interfaces. So let's say this interface I'm configuring as outside, and it is 192.168.0.x, and then I want to make this one inside, 192.168.10.x. So two interfaces are configured and enabled, okay, and I go to the other guy, which is .99, this one .98. So I'll go here and then we go outside; we'll go to this, 192.168.0.108, my outside; my inside, enable the interface, and 192.168.10.108. And then here it is .102, .102, correct? Outside .102, inside 192.168.10.102; and here it is .108 and .108. Two interfaces on these two firewalls. Now I will go here and I will pull my gateway's properties here, because it doesn't have the topology. So go to Network Management; I will try to fetch the interfaces. These are all the interfaces that have come now; now the firewall is ready for configuration of the policy. Similarly I will go to the second gateway and I will bring his topology also; he doesn't have all that. Second gateway, his policy, his interfaces, okay. Now I'll go back again to set up the inside and outside edges. So I will go to the three interfaces. Hey, eth0 cannot be external, because
this is management, so I will configure it. It is wrongly defined as external; it should be internal. Override: it should be internal, defined by routes, or the IP address, that's absolutely fine, and anti-spoofing is not required at this time; I don't really need it. I'll go to this one: this is my outside interface, so I go and change it to outside, all right; this is going to be internet-connected. When you do NAT and other things it's very important to define which interface is connected to the internet and which is not. Now this is my internal network, so this is internal, absolutely correct, right? So this firewall is fine. I will go to blade1 now, okay. This is blade1, so I'll go to this firewall. Here it is again wrong, so I will go and change this interface; it should not be external, it should be internal. Override, make it internal, defined by this; spoofing is not required on the management interface, okay. We will discuss what spoofing is today after I set this up. This is the external interface connecting to the internet, so that's fine; I don't need spoofing but I will just keep it here, and this is internal, absolutely great. So now I should be able to push my policy: save and push the policy. So I will push the standard policy on this particular blade, correct, install. Okay, done, successful. We will go to the second policy, install policy again, pick up the blade1 policy and apply it to blade number 1, install. So two different policies for two different gateways, okay. So that's it; the second policy went through fine; standard got installed on this gateway, correct, standard got installed on this gateway and blade1 policy got installed on blade1. Show connections here: you can see all the connections basically in your Logs & Monitor; here you can see what kind of connections are going through, and here you should be able to see most of it. So if I go through the traffic, allowed traffic, you will be able to see all what
kinds of connections are allowed, which rule has allowed them, what's going on; everything is basically possible. Further, if you want to check for certain hosts, you can basically check for certain hosts; say you have a source, source as 172.16.0.something, so we can basically see for this particular source if any traffic is matching; we'll be able to see that. If we want to check any destination also, that's absolutely fine; we can check the destination also. So you have all the options available here; you will be able to see in the logging and monitoring, it has everything needed. Anything: only firewall-related traffic, any traffic routing through the firewall, you can see that. What traffic is being dropped right now? Some broadcast traffic, you see that; there was some destination broadcast being dropped, because the firewall does not allow broadcast traffic, right? Double-click on it; I will be able to see... no, UDP, this was, okay. So that traffic is by default blocked; which policies are blocking it? The blade1 policy is doing it on blade1 and the standard policy is doing it on this particular gateway. By default broadcast traffic is not allowed in any of the firewalls, right; multicast and broadcast traffic on layer 3 firewalls: multicast you have to configure certain rules to allow it, broadcast traffic by default is not allowed to pass through the firewall. So we will be able to see everything using logging and monitoring. A lot of stuff can be done on the security policy itself; once I have it configured I will show you. I will also show you in the policy itself what is being permitted; it is shown here also. On top of it I can see there is a packet mode. So when I do the next class I will show you how to do a security policy, ACL rules, and also the multi-layer ACL rules, how you create them. Currently there are your rules; this is called unified; this is a new feature in R80.10, which is basically a unified approach to the ACL rules. Okay, so this isn't a complete topic on its
own, but if I touch this one it's basically going to keep pulling in the accompanying topics, and so on. So today was the basics. Any question, guys, up here? Installation types, standalone and distributed modes, right.

So let's summarize what it is that we have done in this. We basically did the brief of it, what are the models available, right; installations we did, installation types are already over here, we had two types, right, distributed and standalone. We created a policy for inspections, right; we did look at implied rules, by default implied rules, and we also looked at firewall policy. We created two policies, one is blade one; separate policies for two different blades. Inside the policy we have not put anything yet; we just created the structure of the policy, how the structure works for them. That will be the rules inside the firewall policy, what is the content that we write, and the basic stuff about it.

So the other thing that I want to do, one more feature here, is: we configured the interfaces of the firewall, all right. We also saw how the clustering feature is not available in the standalone mode. Now the other thing that is very important is, if you want your firewall to go to the Internet you have to configure your default route correctly. So by default this is not set correctly; I should have it 0.1 for both my firewalls to go out. I need to have correct routes, okay. So here it is, full screen, 192.168.0.1.
Now our firewall can go to the Internet. This is for whom? This is for the firewall. Also your firewall will allow the traffic to go to the Internet, because otherwise the inside user, when they try to go to the Internet, if your firewall routing is not configured correctly... see, what is the basic requirement? Let me go back to this. The basic requirement of Gaia is to provide these features, which should be configured: interfaces, and this is routing. So that this interface becomes inside and you give it an IP address, this becomes outside and you give it an IP address, and you set a default route. This is the responsibility of Gaia, because the traffic has to leave; all those functions need to be done by Gaia. Inside it, whatever you have in SmartConsole, all the blades and all that, those are firewall top-level, top-layer functions, application layer functions and all that. After that the traffic has to exit; if the default gateway of Gaia is not set to the outside world, the traffic cannot go out, the user cannot go out.

Also from the outside world, let's say telnet or SSH to the outside interface, 192.168.0.108. Now I can telnet or SSH from the outside world. What IP did I use? I used the outside IP. I just configured this outside; that means, because the default gateway is correctly set, it can go out and I can reach it. Before that I was using the management IP for telnet or SSH, SSH rather; I never used the outside, correct? Can I ping the outside world? Ping 192.168.0.1, I can see it, and I ping the gateway of the outside world also. Further, I ping an outside address and I can reach it; that means I can go out. Can I ping yahoo.com? Do you think I will be able to ping? No, you do not have a DNS server configured; you can only ping a host name when resolution is there, and that is the job of the external DNS server, which is not there. But I can ping this because I have the gateway set, so I don't need any resolution, I am directly giving the IP. So that's the reason the gateway should be
is the most important requirement. From the outside world I am able to... so from the Internet you can, you know, do SSH to your Check Point, because by default you have configured implied rules. Remember that you have configured implied rules; if you had not configured implied rules for these gateways, in that case it was a different story. If we had not done this here, telnet and SSH, these gateways, see that, this one, then it was a different story. But because this is there, okay, ICMP is here, that's the reason I am able to ping it. If ICMP is disabled on the firewall, nothing will be possible. Now, whatever you do, implied or explicit or anything, remember that you have to install the policy; otherwise the changes you made will not go to the firewall, they will not be applied to the respective gateway, okay. And each time you make a change, always save the configuration, whatever changes you make, so you remember that and you see it working; so you have the local changes as well, okay.

The last feature for today is this interface anti-spoofing. What is anti-spoofing? So anti-spoofing is a very simple concept, okay. Let's say you have the 10.1.1.0/24 subnet on this interface, okay. Now, in your routing table you have this, because it's your interface; of course it is there in your routing table, right. We can check that in Gaia, the route table or static routes, go to Monitoring, it should be here. It is, right; it is my directly connected interface, it is active. Now this interface, which is there in my routing table: tomorrow some user is trying to come from the outside world with this as the source. Will you accept it? Right, that means somebody is trying to spoof this subnet. How is it possible? This is my internal subnet, or maybe I have a couple of internal subnets. If somebody tries to spoof this IP, tries to come from the outside world, I will not permit that, because my firewall knows these networks can only come from
this interface here. This is called spoofing, and this is anti-spoofing. If you disable this feature, anti-spoofing is off, and if they are allowed they can come from the outside world and spoof your IP address, and you are exposed. But you have to configure this on the firewalls yourself; by default it is not enabled on the interfaces. So you have to go to the interfaces; it's not here, it has to be on this one. We go to the interface, modify, and configure the anti-spoofing. You can leave it at detect or prevent, and you can log and track any kind of spoofing happening. Okay guys, any question now? Any kind of doubt, any question that we have? In fact you can do that deployment. [Music] Yeah.

And you can create user names, so if you want to create different users for different purposes, this is what is in the next class, the ACL rules; I will show you how to create the users. Let's say you create a user here, and then there are predefined roles; you can create those roles, and you can create other roles. Oh yes, yes. So here you can create your own defined roles, and these are the properties that can be attached to the role, and further this role can be applied to the user. So one guy is only responsible for routing, so create a role for routing. If you want to attach some commands to that particular role, the commands also you can attach; they should only do those commands. So all those things are there; in the next class I will explain all these functions. We may not do all the functions, like BGP and all that is not part of this particular syllabus, but we will look at all these options; I will explain all of these to you.

For the last class generally we do clustering; it is very advanced. For me, once you become comfortable with installation and basic routing and all those things, then only clustering comes. First you need to have hands-on, good practice of this, so that you can reach that level,
because mobile access, site-to-site VPN, those are advanced topics; once you go through them you reach the clustering level, okay. I have a folder available on the email, or we have a WhatsApp group, so I can add you to that WhatsApp group where we only have previous batch students, and whatever update I put, generally I put it there, so I will give you the number.

Okay guys, any question before I close today's session? Honestly, I have a question about the lab: how will we do it, is it the same way? Yes, yes, you have to install it on your laptop and there you have to practice it. Okay, second thing is about the exam: does it cover everything for the CCSE exam, or is it for the CCSA? Nothing of CCSE is covered in this, it's only purely CCSA. Yeah. Yeah, it's for CCSA; whatever I am covering, if you look at the whole book that I've shared, you just prepare with that, plus you need to know the role, and you should be able to clear it, okay. Another question is about the license lifetime: what do we have to do after 15 days? After 15 days you reinstall; it takes 10 minutes to reinstall the firewall, or you can purchase a license as well. So depending on what option you like, you can go ahead with that. I generally prefer the 15 days option; it takes four minutes to reinstall, and do practice for 15 days, okay. That means we can take the backup, as we did before today, and apply the backup to the new installation? Yes, yes, correct.
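The anti-spoofing check described in the class, as an added example that is not from the class or from Check Point's own code: a small Python simulation of the per-interface topology check, which flags a packet whose source address belongs behind a different interface than the one it arrived on, in either detect (log only) or prevent (drop) mode. The interface names, the DMZ subnet, the outside addresses and the sample packets are constructed for the example; only 10.1.1.0/24 comes from the class.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    networks: list = field(default_factory=list)  # subnets that legitimately sit behind it
    external: bool = False  # the outside interface: may carry any source no internal one claims

@dataclass
class Verdict:
    action: str  # "accept", "detect" (log only) or "drop"
    reason: str

class AntiSpoofing:
    # Hypothetical simulation of the per-interface topology check; not Check Point code.
    def __init__(self, interfaces, mode="prevent"):
        self.interfaces = {i.name: i for i in interfaces}
        self.mode = mode  # "prevent" drops spoofed packets, "detect" only logs them
        self.log = []

    def owner(self, src):
        # the interface whose topology contains the source address, if any
        ip = ipaddress.ip_address(src)
        for iface in self.interfaces.values():
            if any(ip in net for net in iface.networks):
                return iface.name
        return None

    def check(self, ingress, src):
        iface = self.interfaces[ingress]
        owner = self.owner(src)
        if owner == ingress or (owner is None and iface.external):
            return Verdict("accept", f"{src} is expected on {ingress}")
        reason = f"{src} belongs behind {owner or 'no internal interface'} but arrived on {ingress}"
        self.log.append(reason)  # logged in both modes, like the class's "log and track" option
        return Verdict("drop" if self.mode == "prevent" else "detect", reason)

def run_sample(mode="prevent"):
    # Constructed topology: eth0 outside, eth1 = 10.1.1.0/24 (the class's subnet), eth2 a DMZ.
    asp = AntiSpoofing([
        Interface("eth0", external=True),
        Interface("eth1", [ipaddress.ip_network("10.1.1.0/24")]),
        Interface("eth2", [ipaddress.ip_network("172.16.0.0/24")]),
    ], mode)
    packets = [("eth1", "10.1.1.5"),     # internal host on its own interface: accept
               ("eth0", "203.0.113.9"),  # genuine Internet source on the outside: accept
               ("eth0", "10.1.1.5"),     # internal address arriving from outside: spoofed
               ("eth1", "203.0.113.9")]  # outside address arriving inside: spoofed
    return [asp.check(ingress, src).action for ingress, src in packets]
```

The last two packets are the two directions the class mentions: an internal subnet claimed from the outside, and an address from nowhere in the inside topology showing up on the inside interface.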
Info
Channel: NETWORKERSHOME
Views: 4,638
Id: MufbZOZEg4c
Length: 168min 33sec (10113 seconds)
Published: Sun Dec 16 2018