R81 Workshop - Check Point CheckMates
TRANSCRIPT
1©2020 Check Point Software Technologies Ltd.
Roman Dario Perez | Professional Services Consultant
[email protected] | + 52 5545 000651
New ERA is Here
R81 WORKSHOP
Agenda
• Management
Integrated Central Deployment Tool (CDT)
Revision & control changes
NAT Policy Improvements
Cross Domain Search
Concurrent policy installation
Identity Awareness for Azure AD
Datacenter object
CLI to gateway through management
License SmartConsole
Multi-TACACS support
• Gateway
Spike Detective (sk166454)
Infinity Threat Prevention
GRE/xVLAN
TLS 1.3 Inspection
Cluster policy consolidation
Elephant Flow Improvement
• Endpoint
Web Management, Support for Linux
TACACS for Remote Help
• VSX
DNS per VS
VR VSLS
VTI
Multibridge
vsx_util downgrade
Mix Mode L2 + L3 on same VS
• VPN
VPN Multi-Ciphers in single VPN Community and granular method per peer
Multiqueue
Mobile Access Blade service per tab
MANAGEMENT
CDT
• Integrated in SmartConsole (auto-updatable)
• VSX upgrade support
• Multiple Check Point devices can be selected to be updated
• Cluster upgrade without network interruption
• Cluster can handle different versions
• Installation package available under the Gateways & Servers tab / Actions. Packages should be uploaded to the package repository beforehand. On MDS they should be uploaded in the Global Domain
Limitation:
• SMB and SP/Maestro, Standalone, are not supported
• SMS/MDS and Gateway shouldn't have a proxy to communicate internally
• CDT can't install over ClusterXL LS mode
• HDT 3100/3200 doesn't support eth1-eth4
• Downgrade to 2.6 kernel
Revision & control changes
• R80 started to use sessions, but the user only saw how many changes were pending to publish, not which changes were pending
• R81 allows comparing 2 policy revisions in the revisions section
• A policy can now be edited from the policy directly
• A policy can be exported to CSV format
(Slide screenshot: Actions > Control Changes > Edit policy)
NAT
• New object types supported:
• Domain objects
• Updatable objects
• Security Zone objects
• Access Role objects
• Data Center objects
• Hit Count is now supported in NAT rulebase
• Name field availability in NAT Rule
New NAT rulebase – NAOS support “new” objects in NAT rulebase
Access Roles
Security Zones
Updatable Objects
Data Center Objects
Domain Objects
Dynamic Objects
Cross Domain search
• SmartConsole:
• Login to the System domain
• Go to “Global Object Explorer” (Ctrl+E)
• Search for objects
• Check object usages (Where used)
• API:
• Use a show command from the System domain with arguments “domains-to-process.1 ALL_DOMAINS_ON_THIS_SERVER ignore-warnings true”
• Use the where-used command on a global object from the System domain with arguments “domains-to-process.1 ALL_DOMAINS_ON_THIS_SERVER ignore-warnings true”
Concurrent policy installation
• R80 and below allow only one policy installation at a time.
• R81 allows pushing policies simultaneously
• Limit of 5 (Access Control/NGTP only; QoS/Desktop is not supported); more than 5 will be queued
Identity Awareness for Azure AD
• Configure an Azure AD object:
• In SmartConsole, from the Gateways & Servers navigation pane click New > More > Server > Data Center > Azure AD
• *There is also an option to configure the Azure directory via the IDA wizard
Datacenter object
• Add data center query objects to the rule base: SmartConsole > New > Cloud > Data Center Queries
• Configuration options: Must enable IA blade and IA web APIs on every GW
CLI to gateway through management
• Jump to the Security Gateway from SmartConsole by selecting the gateway > Actions > Open Shell
License SmartConsole
• License management has been added to the main SmartConsole: select the object and move to the “License” tab in the lower pane
Multiple TACACS
• Currently a user can authenticate against just one TACACS server. If that user is unable to reach the main TACACS server, another admin needs to change the TACACS server for that specific user.
• R81 can handle a TACACS group; up to 2 TACACS servers can be added to that group
Management HA
• Allows R80.x Management releases High Availability between Domain Management Servers (DMS) and Security Management Server (SMC).
• Multi-Domain Management Server (MDS) customers who act as a managed service provider platform (MSP) wish to allow database backup on a remote site for a single domain.
Limitation
• MDS-HA for the Secondary must be performed as a clean install from R77
GATEWAY
Spike Detective
• A new daemon to inspect CPU consumption and detect spikes
• A spiked CPU core's utilization is > 80% and is over 1.5 times the system average (meaning other cores are not as stressed)
• A spiked thread is running on a spiked core and presents high utilization for a significant time duration (at least 3 seconds)
• What happens when a spike is detected?
• The spike is registered to a log file: /var/log/spike_detective/spike_detective.log
• The spike will also appear in cpview and be saved to cpview_history (sk166454)
(Figure: per-core utilization bar chart; core 0: 100%, core 1: 10%, core 2: 7%, core 3: 12%)
[Expert]# cat /var/log/spike_detective/spike_detective.log
Info: Spike, Spike Start Time: 17/06/20 05:23:04, Spike Type: CPU, Core: 1, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:26:26, Spike Type: CPU, Core: 7, Spike Duration (Sec): 3, Initial CPU Usage: 89, Average CPU Usage: 89, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:09, Spike Type: CPU, Core: 3, Spike Duration (Sec): 6, Initial CPU Usage: 81, Average CPU Usage: 90, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:12, Spike Type: Thread, Thread ID: 19944, Thread Name: wstlsd, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 0
Info: Spike, Spike Start Time: 17/06/20 05:45:39, Spike Type: CPU, Core: 2, Spike Duration (Sec): 3, Initial CPU Usage: 84, Average CPU Usage: 84, Perf Taken: 1
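As an added example (not Check Point's code and not part of the workshop deck), the POSIX shell script below encodes the spike-core rule from the bullets above and summarises the spike_detective.log format shown on the slide. It assumes the "system average" is the mean utilization over all cores including the candidate core; the per-core samples are constructed, and the embedded log lines are the ones from the slide.

```shell
#!/bin/sh
# Added example (not Check Point's code). Implements the Spike Detective core
# rule from the slide and summarises spike_detective.log entries. The per-core
# samples and the log lines below are constructed test data.

# is_spiked_core CORE_UTIL UTIL_CORE0 UTIL_CORE1 ...: prints 1 when CORE_UTIL is
# above 80% AND above 1.5x the average of all cores (assumed to include the
# candidate core), otherwise 0. Integer maths only:
# core > 1.5*avg  <=>  2*core*n > 3*sum, where n is the number of cores.
is_spiked_core() {
    core="$1"; shift
    sum=0; n=0
    for u in "$@"; do
        sum=$((sum + u)); n=$((n + 1))
    done
    if [ "$core" -gt 80 ] && [ $((2 * core * n)) -gt $((3 * sum)) ]; then
        echo 1
    else
        echo 0
    fi
}

# spike_summary: reads spike_detective.log lines on stdin and prints one line
# per spike type: "<type> <count> <longest duration in seconds>".
spike_summary() {
    awk -F', ' '
    /^Info: Spike/ {
        type = ""; dur = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, ": ")
            if (kv[1] == "Spike Type") type = kv[2]
            if (kv[1] == "Spike Duration (Sec)") dur = kv[2] + 0
        }
        if (type == "") next
        count[type]++
        if (dur > longest[type]) longest[type] = dur
    }
    END { for (t in count) printf "%s %d %d\n", t, count[t], longest[t] }'
}

# long_spikes MIN_SECONDS: prints "<start time> <type> <core|thread> <duration>"
# for every spike lasting at least MIN_SECONDS, i.e. the ones worth a ticket.
long_spikes() {
    awk -F', ' -v min="$1" '
    /^Info: Spike/ {
        start = ""; type = ""; who = ""; dur = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, ": ")
            if (kv[1] == "Spike Start Time") { start = $i; sub(/^Spike Start Time: /, "", start) }
            if (kv[1] == "Spike Type") type = kv[2]
            if (kv[1] == "Core") who = "core " kv[2]
            if (kv[1] == "Thread Name") who = kv[2]
            if (kv[1] == "Spike Duration (Sec)") dur = kv[2] + 0
        }
        if (dur >= min) printf "%s %s %s %d\n", start, type, who, dur
    }'
}

# Constructed sample: the log lines shown on the slide.
SAMPLE_LOG=$(cat <<'EOF'
Info: Spike, Spike Start Time: 17/06/20 05:23:04, Spike Type: CPU, Core: 1, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:26:26, Spike Type: CPU, Core: 7, Spike Duration (Sec): 3, Initial CPU Usage: 89, Average CPU Usage: 89, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:09, Spike Type: CPU, Core: 3, Spike Duration (Sec): 6, Initial CPU Usage: 81, Average CPU Usage: 90, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:12, Spike Type: Thread, Thread ID: 19944, Thread Name: wstlsd, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 0
Info: Spike, Spike Start Time: 17/06/20 05:45:39, Spike Type: CPU, Core: 2, Spike Duration (Sec): 3, Initial CPU Usage: 84, Average CPU Usage: 84, Perf Taken: 1
EOF
)

# The chart on the slide: core 0 at 100% while cores 1-3 idle -> a spike.
echo "core 0 spiked: $(is_spiked_core 100 100 10 7 12)"
# All cores busy: high utilization but no spike (not 1.5x the average).
echo "core 0 spiked: $(is_spiked_core 90 90 85 88 92)"
# On a gateway: spike_summary < /var/log/spike_detective/spike_detective.log
printf '%s\n' "$SAMPLE_LOG" | spike_summary
printf '%s\n' "$SAMPLE_LOG" | long_spikes 5
```

The integer comparison avoids floating point, which busybox/Gaia shells do not have; `long_spikes` keys on the `Core:` field for CPU spikes and `Thread Name:` for thread spikes, which is what distinguishes the two entry types in the log.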
Infinity Threat Prevention
• Automatically updated policy profiles with the latest technologies and recommendations that protect from evolving cyber security threats
• Auto-learning: in the past the profile was set to detect only and required static analysis
• Out-of-the-box policy profiles based on business & IT security needs
• Easy selection of a policy profile that is tailored to your needs
• Zero daily maintenance of policies and protections, without compromising on security or connectivity
• Simple customization without compromising on Check Point recommended security
• Objects can be changed per profile to Detect / No Protection / According to Profile. Drag and drop, or remove/add (+)
GRE / xVLAN
Generic Routing Encapsulation (GRE) is an IP encapsulation protocol used to transport IP packets over a network. GRE allows routing of IP packets between private IPv4 networks that are separated by the public IPv4 internet. RFC 2784; see sk169794
VXLAN is a tunneling protocol that encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets, enabling you to create virtualized Layer 2 subnets, or segments, that span physical Layer 3 networks.
• Defined in RFC 7348
TLS 1.3 Inspection
• The new TLS engine (“TLSIO”) is currently off by default and should be enabled using a global parameter on the Gateway.
• To enable it:
1. Add “fwtls_enable_tlsio=1” to $FWDIR/boot/modules/fwkern.conf
2. Reboot the Gateway
• To disable it:
1. Remove “fwtls_enable_tlsio=1” from $FWDIR/boot/modules/fwkern.conf
2. Reboot the Gateway
• To check if it is enabled or disabled after the reboot:
• fw ctl get int fwtls_enable_tlsio
• Note: make sure that USFW is also enabled on the Gateway, otherwise the new engine will not be used.
Cluster Policy failure and consolidation
To set the value on-the-fly (does not survive reboot):
fw ctl set int fwha_cluster_policy_consolidation_disable 1
To set the value permanently:
Add this line to the $FWDIR/boot/modules/fwkern.conf file and reboot:
fwha_cluster_policy_consolidation_disable=1
Elephant Flow
• Accelerate elephant flow (single connection) throughput
• fwaccel stat: see under ‘Pipeline Streaming Path’
o Shows total bytes in Pipeline Path.
• fw_mux all
o See at the bottom
o Shows concurrent connections in Pipeline Path.
Note: painful traffic: HTTP 53%, up to 83% of traffic in general could be accelerated
Limitation: no support for CIFS
Elephant Flow
• Current status
• Each connection is being processed on a single core
• The connection throughput is bounded by single core throughput
• New accelerated path
• Each connection will be processed on additional 2 cores
• IPS (Pattern Matcher) and Anti-Virus (MD5/Sha1/Sha256) calculations will be done on a dedicated core
• Available in R80.40 JHF #2
Elephant Flow
• To enable, add to fwkern.conf:
o sxl_disable_psl_medwell=0
o sxl_disable_cpas_medwell=0
o mux_run_lite_apps_on_host=1
• Reboot
• Disable the feature by altering these global variables:
o sxl_disable_psl_medwell=1
o sxl_disable_cpas_medwell=1
o mux_run_lite_apps_on_host=0
• Reboot
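The TLS 1.3 (TLSIO), cluster policy consolidation and Elephant Flow slides all come down to the same operation: adding or removing a key=value line in $FWDIR/boot/modules/fwkern.conf and rebooting. The shell helpers below, an added example that is not Check Point's tooling, do that idempotently so a second run never duplicates a line; the parameter names and values are exactly the ones from those slides, the helper names are mine, the file path is passed explicitly so the logic can be exercised on a scratch copy, and no reboot or `fw ctl` call is performed.

```shell
#!/bin/sh
# Added example, not Check Point's tooling. Idempotent edits of key=value lines
# in fwkern.conf. Parameter names/values are the ones shown on the slides.

# fwkern_set FILE KEY VALUE: replaces any existing KEY= line, otherwise appends.
fwkern_set() {
    conf="$1"; key="$2"; val="$3"
    scratch="$conf.tmp.$$"
    {
        # keep every line that is not already a setting of this key ...
        if [ -f "$conf" ]; then grep -v "^${key}=" "$conf" || true; fi
        # ... then write the wanted value exactly once
        printf '%s=%s\n' "$key" "$val"
    } > "$scratch"
    mv "$scratch" "$conf"
}

# fwkern_unset FILE KEY: removes every KEY= line (the "disable" step on the TLS slide).
fwkern_unset() {
    conf="$1"; key="$2"
    scratch="$conf.tmp.$$"
    grep -v "^${key}=" "$conf" > "$scratch" || true
    mv "$scratch" "$conf"
}

# fwkern_get FILE KEY: prints the configured value, or nothing if KEY is absent.
# This is the on-disk view only; the live kernel value is read on the gateway
# with "fw ctl get int KEY" after the reboot.
fwkern_get() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Wrappers carrying the exact parameters from the slides (helper names are mine).
tlsio_enable()              { fwkern_set   "$1" fwtls_enable_tlsio 1; }
tlsio_disable()             { fwkern_unset "$1" fwtls_enable_tlsio; }
cluster_consolidation_off() { fwkern_set   "$1" fwha_cluster_policy_consolidation_disable 1; }
elephant_flow_enable() {
    fwkern_set "$1" sxl_disable_psl_medwell 0
    fwkern_set "$1" sxl_disable_cpas_medwell 0
    fwkern_set "$1" mux_run_lite_apps_on_host 1
}
elephant_flow_disable() {
    fwkern_set "$1" sxl_disable_psl_medwell 1
    fwkern_set "$1" sxl_disable_cpas_medwell 1
    fwkern_set "$1" mux_run_lite_apps_on_host 0
}

# Dry run on a scratch file so the block is safe to execute anywhere.
# On a gateway the target would be "$FWDIR/boot/modules/fwkern.conf", followed by a reboot.
demo_conf=$(mktemp)
tlsio_enable "$demo_conf"
cluster_consolidation_off "$demo_conf"
elephant_flow_enable "$demo_conf"
tlsio_enable "$demo_conf"        # repeated call must not add a duplicate line
cat "$demo_conf"
rm -f "$demo_conf"
```

Keeping the file edit separate from the reboot lets a change be reviewed (and reverted with `fwkern_unset`) before the gateway goes down; the on-the-fly `fw ctl set int` form from the cluster slide is the counterpart for testing a value without a reboot.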
ENDPOINT
• Endpoint Web Management: new face for the product and easier management
• New Endpoint URL Filtering
• Keeping management services on port 443
• Developer Protection
• Non-persistent VDI (VMware)
• Application Control:
• Support multiple versions per EXE
• Terminate on execution
• Allow/Block Windows Linux Sub-System
• Compliance: WSUS support (Windows Server Update Services)
• Remote Help supports TACACS authentication
• Support for Linux from #84.00
VSX
DNS per VS
Isolating each instance:
VSX-M1-R81:0> set dns mode
VSX-M1-R81:0> set virtual-system 1
Context is set to vsid 1
VSX-M1-R81:1> set dns primary 8.8.4.4
VSX-M1-R81:1> show dns
DNS setup
Name          Value
Mode          per-vs
Domain
DNS server    8.8.4.4
DNS server
Virtual Router on VSLS
• Previously, in order to use a VR, VSX had to be in HA mode; VSLS wasn't supported.
• The Virtual Router stays Active/Standby/Backup (no Active/Active)
• VS and VR must be part of the same group, configured with vsx_util vsls on the management
• Fail-over must be per group and not per VS; otherwise latency is expected.
• Review the configuration with: # cphaprob show_vsls_group. Check CP_R81_VSX_AdminGuide
VTI on VSX
• Create a VPN Tunnel Interface (how to create: R81 VSX admin guide, vsx_provisioning_tool).
• Syntax
• add interface vd <Name of Virtual Device Object> vpn_tunnel {numbered | unnumbered} {peer <Name of VPN Peer Object>} {local <Tunnel Local IP> remote <Tunnel Remote IP> | dev <Name of Local Interface>} [tunnel_id <Tunnel ID>]
Limitation
• Unnumbered VPN Interfaces are not supported
• VTI can be configured only via CLI by vsx_provisioning_tool
Parameters (Parameter / Value / Notes):
• vd <Name of Virtual Device Object> / Object name / Specifies the name of the Virtual Device object (as configured in SmartConsole). Mandatory parameter, if this is the first command in a transaction.
• vpn_tunnel {numbered | unnumbered} / true, false / Specifies the type of the VPN tunnel: numbered - uses specified, static IPv4 addresses for local and remote connections; unnumbered - uses the interface and the remote peer name to get IPv4 addresses. Note: currently only numbered.
• {peer <Name of VPN Peer Object>} / Object name / Specifies the name of the remote peer object as defined in the VPN community in SmartConsole.
• {local <Tunnel Local IP> remote <Tunnel Remote IP>} / IPv4 configuration / Specifies the IPv4 addresses in dotted decimal format for the VPN tunnel endpoints: local <Tunnel Local IP> - IPv4 address of the VPN tunnel on this Virtual Device; remote <Tunnel Remote IP> - IPv4 address of the VPN tunnel on the remote VPN peer. Applies to the Numbered VTI only.
• {dev <Name of Local Interface>} / Interface name / Specifies the name of an existing local interface on this Virtual Device. The new VPN Tunnel Interface is bound to this local interface. Applies to the Unnumbered VTI only.
• [tunnel_id <Tunnel ID>] / Integer / Specifies the unique Tunnel ID (integer from 1 to 32768). Note - If the specified ID is already used by another VPN tunnel on this VSX Gateway or VSX Cluster Member, this parameter is ignored and the next available ID is used instead.
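The syntax and parameter table above are easy to get subtly wrong (an unnumbered VTI, a tunnel_id outside 1..32768, a malformed address), so as an added example, not Check Point's tooling, the shell script below builds the `add interface ... vpn_tunnel` line from the slide's syntax and rejects input that violates the documented constraints before anything reaches vsx_provisioning_tool. The Virtual Device and peer object names (VS_Branch, Peer_HQ) and the tunnel addresses are made up.

```shell
#!/bin/sh
# Added example, not Check Point's tooling. Builds the vsx_provisioning_tool
# "add interface ... vpn_tunnel" command from the syntax on the slide and
# enforces the documented constraints: numbered only, IPv4 dotted decimal
# endpoints, optional integer tunnel_id in 1..32768. Object names are made up.

# is_ipv4 ADDR: succeeds only for four dotted decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        n=$((n + 1))
        [ "$octet" -le 255 ] || return 1
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$n" -eq 4 ]
}

# vti_add_cmd VD MODE PEER LOCAL_IP REMOTE_IP [TUNNEL_ID]: prints the provisioning
# command on success; prints an error on stderr and returns non-zero otherwise.
vti_add_cmd() {
    vd="$1"; mode="$2"; peer="$3"; local_ip="$4"; remote_ip="$5"; tid="${6:-}"
    if [ -z "$vd" ] || [ -z "$peer" ]; then
        echo "error: vd and peer object names are required" >&2; return 2
    fi
    case "$mode" in
        numbered) ;;
        unnumbered) echo "error: unnumbered VTIs are not supported on VSX in R81" >&2; return 3 ;;
        *) echo "error: mode must be 'numbered' or 'unnumbered'" >&2; return 2 ;;
    esac
    if ! is_ipv4 "$local_ip" || ! is_ipv4 "$remote_ip"; then
        echo "error: local and remote must be IPv4 addresses in dotted decimal" >&2; return 2
    fi
    if [ "$local_ip" = "$remote_ip" ]; then
        echo "error: local and remote tunnel addresses must differ" >&2; return 2
    fi
    cmd="add interface vd $vd vpn_tunnel numbered peer $peer local $local_ip remote $remote_ip"
    if [ -n "$tid" ]; then
        case "$tid" in *[!0-9]*) echo "error: tunnel_id must be an integer" >&2; return 2 ;; esac
        if [ "$tid" -lt 1 ] || [ "$tid" -gt 32768 ]; then
            echo "error: tunnel_id must be between 1 and 32768" >&2; return 2
        fi
        cmd="$cmd tunnel_id $tid"
    fi
    printf '%s\n' "$cmd"
}

# Numbered VTI on the (hypothetical) virtual system VS_Branch towards peer object Peer_HQ.
vti_add_cmd VS_Branch numbered Peer_HQ 10.10.10.1 10.10.10.2 5
# The unsupported unnumbered form is refused before it is ever sent to the management server.
vti_add_cmd VS_Branch unnumbered Peer_HQ 10.10.10.1 10.10.10.2 || echo "rejected (exit $?)"
```

The function prints the command rather than executing it, so the generated line can be reviewed and pasted into a vsx_provisioning_tool transaction in the usual way; the exit codes distinguish "bad input" (2) from "feature not supported in this release" (3).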
QoS per VS
• R81 now supports QoS per VS
• Review CP_R81_VSX_AdminGuide.pdf
VPN
Multi Cipher
• Provides the ability for cipher granularity per externally managed gateway in a single community
• Limitation
• Supported only for externally managed gateways
• No BC support
• Not relevant for LSV
(Figure: a VPN Community with Gateways A, B, C and D; the externally managed GW uses Cipher X while the others use the Community Default Cipher)
Mobile Access
• SNX was developed for NGX. In order to change the application over MOB, the user had to terminate the task and move to the new one. All configuration was legacy.
• R81 has a new core for Remote Access. All applications can be opened in parallel; each app opens in a new tab without terminating the previous one.
• Multiqueue for Remote Access is now available, using all SNDs defined on the gateway/cluster.
• The length limitation for Internal Users improves from 4-8 up to 16 characters. Available from R80.10 (sk168032), and included by default in R81
COMPATIBILITY
Compatibility
(Slide legend: • Supported • Not supported)
Note: Smart-1 205 and 210 can run just as SMS or Log Server, NOT BOTH, with default memory
R81 Management Servers can manage Security Gateways of these versions:
Gateway Type / Release Version
• Security Gateway: R77.30, R80.10, R80.20, R80.30, R80.40
• VSX: R77.30, R80.10, R80.20, R80.30, R80.40
• Maestro Security Groups: R80.20SP, R80.30SP
Appliance / Release Version
• 1100 Appliances: R77.20.x
• 1200R Appliances: R77.20.x
• 1400 Appliances: R77.20.x
• 1550, 1590 Appliances: R80.20.x
• 60000/40000 Scalable Platforms: R76SP, R76SP.10, R76SP.20, R76SP.30, R76SP.40, R76SP.50, R80.20SP
Appliance (as listed on the slide)
• UTM-1
• POWER-1
• VPN-1
• SMART-1 5, 10, 25, 50
• 2012 appliance, 2000, 4000, 12000, 21000 series
• IP Appliance
• VSX-1
• DPL-1
• IPS-1
• IP VPN
• AS
• Xbeam
FAQ
THANK YOU