CP R75 Firewall AdminGuide

Post on 24-Oct-2014

Firewall R75 Administration Guide

15 December 2010

2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11660
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date               Description
15 December 2010   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Firewall R75 Administration Guide).

Contents

Important Information ... 3
Access Control ... 9
  Check Point Access Control Solution ... 9
  Rules and the Rule Base ... 10
    Rule Base Elements ... 10
    Implied Rules ... 11
    Order of Rule Enforcement ... 11
    Example Access Control Rule ... 11
    Special Considerations for Access Control ... 11
    Defining Access Control Rules ... 13
    Defining an Access Control Policy ... 13
  Preventing IP Spoofing ... 14
    Configuring Anti-Spoofing ... 15
    Excluding Specific Internal Addresses ... 16
    Legal Addresses ... 16
  Multicast Access Control ... 17
    Multicast Routing Protocols ... 17
    Dynamic Registration Using IGMP ... 17
    IP Multicast Group Addressing ... 17
    Per-Interface Multicast Restrictions ... 18
    Configuring Multicast Access Control ... 19
  Cooperative Enforcement ... 19
    Enforcement Mode ... 20
    NAT Environments ... 20
    Monitor Only Deployment Mode ... 20
    Configuring Cooperative Enforcement ... 20
  End Point Quarantine (EPQ) - Intel AMT ... 21
    Configuring End Point Quarantine (EPQ) ... 21
Authentication ... 26
  Configuring Authentication ... 26
    How the Gateway Searches for Users ... 26
  Authentication Schemes ... 27
    Check Point Password ... 27
    Operating System Password ... 27
    RADIUS ... 27
    SecurID ... 29
    TACACS ... 30
    Undefined ... 31
  Authentication Methods ... 31
    User Authentication ... 31
    Session Authentication ... 32
    Client Authentication ... 34
  Creating Users and Groups ... 39
    Creating User Groups ... 39
    Creating a User Template ... 39
    Creating Users ... 40
    Installing User Information in the Database ... 40
  Configuring Authentication Tracking ... 40
  Configuring Policy for Groups of Windows Users ... 40
Network Address Translation ... 41
  NAT Modes ... 41
    Static NAT ... 42
    Hide NAT ... 42
  NAT Rule Base ... 44
    Rule Match Order ... 44
    Automatic and Manual NAT Rules ... 45
    Bidirectional NAT ... 45
    Understanding Automatically Generated Rules ... 45
  Planning Considerations for NAT ... 46
    Hide Versus Static ... 46
    Automatic Versus Manual Rules ... 46
    Choosing the Hide Address in Hide NAT ... 47
    Specific Deployment Considerations ... 47
  Configuring NAT ... 48
    General Steps for Configuring NAT ... 48
    Basic Configuration - Network Node with Hide NAT ... 49
    Sample Configuration (Static and Hide NAT) ... 50
    Sample Configuration (Using Manual Rules for Port Translation) ... 51
  Advanced NAT Configuration ... 51
    Connecting Translated Objects on Different Interfaces ... 51
    Internal Communication with Overlapping Addresses ... 51
    Security Management Behind NAT ... 54
    IP Pool NAT ... 55
ISP Redundancy ... 60
  ISP Redundancy Overview ... 60
  ISP Redundan