QAHandbookCheckpoint.docx
- Document number: 10152092
- Upload date: 2023-02-08
- Format: DOCX
- Pages: 56
- Size: 798.30KB
QA Handbook Checkpoint
CheckPoint Handbook
Version: V1.0
Contents
1 Introduction about Checkpoint .... 1
2 Topology .... 2
2.1 Topology before the application installed .... 2
2.2 NAT Topology .... 4
2.3 VPN Topology .... 4
3 NAT (Network Address Translation) .... 5
3.1 Topology .... 5
3.2 Automatic Mode (Hide) NAT .... 5
3.3 Automatic Static NAT .... 10
3.4 Manual Hide NAT .... 13
3.5 Manual Static NAT .... 18
4 VPN .... 25
4.1 VPN Topology .... 25
5 IPv6 pack .... 34
6 Basic Policy .... 38
6.1 General Action .... 38
6.2 Track .... 39
7 Checkpoint Service .... 40
7.1 Stop/Start Checkpoint Service .... 40
7.2 Checkpoint process .... 42
8 SecureXL .... 43
8.1 SecureXL installation .... 43
8.2 SecureXL Module Configuration .... 43
8.3 At APM on/off SecureXL .... 44
8.4 Check out SecureXL Status .... 45
9 CoreXL .... 46
9.1 Enable/Disable CoreXL .... 46
9.2 Check out CoreXL Status .... 47
10 HA .... 50
10.1 HA pack install .... 50
10.2 Change HA status .... 50
11 How to generate the License for SmartCenter .... 52
12 How to import the license into the SmartCenter .... 54
1 Introduction about Checkpoint
Check Point Security Gateway provides a comprehensive security solution for very large enterprises and organizations. It integrates access control, authentication, and encryption to guarantee the security of network connections, the authenticity of local and remote users, and the privacy and integrity of data communications.
2 Topology
2.1 Topology before the application installed
[Topology figure: Client 24.0.2.10/24 <-> FW (shin 24.0.2.1/24, shout 25.0.2.1/24) <-> Server 25.0.2.10/24]
In this condition, the traffic can pass through the XOS to the Server from the Client.
vap-group r65 xslinux_v3
  max-load-count 1
  ap-list ap5 ap7
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-forwarding
ip-flow-rule r65_lb
  action load-balance
  activate
circuit mgmt circuit-id 1038
  device-name mgmt
  vap-group r65
    ip-forwarding
    ip 192.168.211.172/24 192.168.211.255 increment-per-vap 192.168.211.173
circuit sync circuit-id 1040
  device-name sync
  vap-group r65
    ip-forwarding
    ip 24.254.254.166/24 24.254.254.255 increment-per-vap 24.254.254.167
circuit shin circuit-id 1027
  device-name shin
  vap-group r65
    ip-forwarding
    ip 24.0.2.1/24 24.0.2.255
circuit shout circuit-id 1028
  device-name shout
  vap-group r65
    ip-forwarding
    ip 25.0.2.1/24 25.0.2.255
interface gigabitethernet 1/1
  logical shin
  circuit shin
interface gigabitethernet 1/2
  logical mgmt
  circuit mgmt
interface gigabitethernet 1/6
  logical shout
  circuit shout
ip route 192.168.213.0/24 192.168.211.1 vap-group r65 circuit mgmt
Because the IP of the management gigabitethernet is 192.168.211.x, the static IP route needs to be added as below:
ip route 192.168.213.0/24 192.168.211.1 vap-group r65 circuit mgmt
Once the installation of R7x has finished, the traffic CANNOT pass through the XOS to the Server from the Client until the policy is pushed by SmartDashboard.
2.2 NAT Topology
Before you set the NAT, you can ping the Server from the Client. If the IP range used by FW1 for NAT is on a different subnet from the Client or Server, you must configure an IP route on the Server after the NAT has been set if you want traffic to reach the Server.
FW1's IP is the IP which faces the external side directly; after you have done the NAT configuration and pushed the policy, the real source IP CANNOT be seen on the destination target machine.
2.3 VPN Topology
General: [VPN topology figure, general form]
Simply: [VPN topology figure, simplified form]
OR [alternative VPN topology figure]
3 NAT (Network Address Translation)
In computer networking, network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.
The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT. It is often also referred to as one-to-one NAT.
In our test process, NAT includes 2 different modes, automatic and manual; both the automatic and the manual mode include a Hide mode and a Static mode.
3.1 Topology
3.2 Automatic Mode (Hide) NAT
This mode has two variants: hide behind Gateway and hide behind IP address.
Configuration Steps:
Step 1:
Create a network object for the PC1 subnet (24.0.2.x subnet in this case) and enable Hide behind gateway NAT on it. For that:
1. Expand the Networks section of Network Objects;
2. Create a new network, specify Name, Network Address and Net Mask;
3. Click on the NAT tab while still on the Network properties window;
4. Check the Add Automatic Address translation rules box;
5. Leave the Hide behind Gateway option;
6. Select the appropriate GW/Cluster or VS from the Install on Gateway dropdown list.
7. Click OK.
Step 2:
Open the NAT tab of the FW policy window, verify automatic rules were added correctly.
Step 3:
Push the created policy to the appropriate cluster.
Step 4:
1. Start tcpdump on PC2.
2. Initiate ping from PC1 to PC2.
3. Make sure ICMP could pass through.
4. Verify tcpdump on PC2 shows the Gateway's public IP and not PC1's real IP; in this setup PC2 should see 25.0.2.1 as the source.
01:19:25.651454 25.0.2.1 > 25.0.2.10: icmp: echo request (DF)
01:19:25.651495 25.0.2.10 > 25.0.2.1: icmp: echo reply
01:19:26.668168 25.0.2.1 > 25.0.2.10: icmp: echo request (DF)
01:19:26.668191 25.0.2.10 > 25.0.2.1: icmp: echo reply
Step 5:
Reconfigure the previously created network object and select the Hide behind IP Address option, specify an IP address on a shared external link; in this case select an IP address from the 25.0.2.x subnet, for example "hide behind 25.0.2.100".
Step 7:
Verify the NAT tab of the FW policy window has updated the automatic rule appropriately.
Step 8:
Push the created policy to the appropriate cluster.
Step 9:
1. Start tcpdump on PC2.
2. Initiate ping from PC1 to PC2.
3. Make sure ICMP could pass through.
4. Verify tcpdump on PC2 shows the pre-configured public IP and not PC1's real IP; in this setup PC2 should see 25.0.2.100 as the source.
Ping from client to server and tcpdump on server:
01:12:54.569707 25.0.2.100 > 25.0.2.10: icmp: echo request (DF)
01:12:54.569713 25.0.2.10 > 25.0.2.100: icmp: echo reply
01:12:55.569684 25.0.2.100 > 25.0.2.10: icmp: echo request (DF)
01:12:55.569705 25.0.2.10 > 25.0.2.100: icmp: echo reply
Step 10:
Reconfigure the previously created network object and select the Hide behind IP Address option, specify an IP address on a completely different subnet; for example, select 24.25.10.1, which is not shared between the FW and PC2.
Step 11:
Verify the NAT tab of the FW policy window has updated the automatic rule appropriately.
Step 12:
Push the created policy to the appropriate cluster.
Step 13:
1. Make sure appropriate routing is in place to allow PC2 to talk to an IP address on the 24.25.10.x subnet.
2. Start tcpdump on PC2.
3. Initiate ping from PC1 to PC2.
4. Make sure ICMP could pass through (need to add the IP route).
5. Verify tcpdump on PC2 shows the pre-configured public IP and not PC1's real IP; in this setup PC2 should see 24.25.10.1 as the source.
Before setting Automatic Hide NAT, ping from client to server, tcpdump on server:
22:53:51.312980 24.0.2.10 > 25.0.2.10: icmp: echo request (DF)
22:53:51.312986 25.0.2.10 > 24.0.2.10: icmp: echo reply
22:53:52.312955 24.0.2.10 > 25.0.2.10: icmp: echo request (DF)
22:53:52.312961 25.0.2.10 > 24.0.2.10: icmp: echo reply
After setting Automatic Hide NAT, ping from client to server, tcpdump on server:
01:21:38.874590 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:21:39.887678 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:21:40.887654 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:21:41.887626 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
When you run tcpdump on the server, if you want to see the reply of the server, you must add the static route on the server:
[root@xrack-c2-2 admin]# route add -net 24.25.10.0/24 gw 25.0.2.1
Ping the server from the client and tcpdump it on the server:
01:25:51.907467 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:25:51.907491 25.0.2.10 > 24.25.10.1: icmp: echo reply
01:25:52.906690 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:25:52.906699 25.0.2.10 > 24.25.10.1: icmp: echo reply
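A small Python checker, added here as an example and not part of the original handbook, that applies the verification of Steps 4, 9 and 13 to tcpdump output: it parses the ICMP echo lines, confirms that every request PC2 sees comes from the expected NAT address rather than PC1's real address, and flags the failure mode shown above where requests arrive but no replies are captured (the server still lacks a return route to the NAT subnet). The capture strings are constructed from lines in this section; `check_hide_nat`, `summarize` and their field names are this example's own, not Check Point tooling.

```python
import re

# Constructed sample captures, in the tcpdump format shown in this section.
CAPTURE_NO_NAT = """\
22:53:51.312980 24.0.2.10 > 25.0.2.10: icmp: echo request (DF)
22:53:51.312986 25.0.2.10 > 24.0.2.10: icmp: echo reply
"""

CAPTURE_NAT_NO_ROUTE = """\
01:21:38.874590 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:21:39.887678 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
"""

CAPTURE_NAT_WITH_ROUTE = """\
01:25:51.907467 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:25:51.907491 25.0.2.10 > 24.25.10.1: icmp: echo reply
01:25:52.906690 24.25.10.1 > 25.0.2.10: icmp: echo request (DF)
01:25:52.906699 25.0.2.10 > 24.25.10.1: icmp: echo reply
"""

# Matches "HH:MM:SS.usec SRC > DST: icmp: echo request|reply ..."
ICMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def parse_icmp(capture):
    """Return (timestamp, src, dst, kind) tuples for each ICMP echo line."""
    packets = []
    for line in capture.splitlines():
        m = ICMP_LINE.match(line.strip())
        if m:
            packets.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return packets


def check_hide_nat(capture, server_ip, expected_src, real_src):
    """Evaluate a capture taken on the server (PC2) against the NAT expectation.

    expected_src: the address PC2 should see (gateway IP or the hide-behind IP)
    real_src:     PC1's real address, which must never appear on PC2
    """
    packets = parse_icmp(capture)
    requests = [p for p in packets if p[3] == "request" and p[2] == server_ip]
    replies = [p for p in packets if p[3] == "reply" and p[1] == server_ip]
    return {
        "requests": len(requests),
        "replies": len(replies),
        # Real address visible on PC2 means NAT is not applied to this traffic.
        "leaked_real_ip": any(p[1] == real_src for p in requests),
        "all_from_expected": bool(requests) and all(p[1] == expected_src for p in requests),
        # Requests without replies: the server has no route back to the NAT subnet.
        "missing_return_route": bool(requests) and not replies,
    }


def summarize(capture, server_ip, expected_src, real_src):
    """One-line verdict in the spirit of the handbook's verification steps."""
    r = check_hide_nat(capture, server_ip, expected_src, real_src)
    if r["leaked_real_ip"]:
        return "FAIL: real source IP visible on server"
    if not r["all_from_expected"]:
        return "FAIL: source is not the expected NAT address"
    if r["missing_return_route"]:
        return "WARN: NAT applied, but no replies (add a static route on the server)"
    return "PASS: NAT applied and replies observed"


if __name__ == "__main__":
    # Step 13 setup: server 25.0.2.10, hide-behind 24.25.10.1, PC1 real IP 24.0.2.10
    for name, cap in [("no NAT", CAPTURE_NO_NAT),
                      ("NAT, no route", CAPTURE_NAT_NO_ROUTE),
                      ("NAT, with route", CAPTURE_NAT_WITH_ROUTE)]:
        print(name, "->", summarize(cap, "25.0.2.10", "24.25.10.1", "24.0.2.10"))
```

Feed it the output of `tcpdump -n icmp` from the server; the WARN verdict is exactly the situation in the capture before the `route add` above, and the PASS verdict corresponds to the capture after it.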
3.3 Automatic Static NAT
Configuration Steps:
Step 1:
Create a network object for the PC1 subnet (24.0.2.x subnet in this case) and enable Static NAT on it. For that:
1. Expand the Networks section of Network Objects;
2. Create a new network, specify Name, Network Address and Net Mask;
3. Click on the NAT tab while still on the Network properties window;
4. Check the Add Automatic Address translation rules box;
5. Select the Static Translation method option;
6. Enter the Translate to IP Address; this would be the starting IP address for translation. Select an IP address from a subnet that does not belong to the FW, and is not from a subnet shared between the FW and PC2, for example, select 24.123.0.1.
7. Select the appropriate GW/Cluster or VS from the Install on Gateway dropdown list.
8. Click OK.
Step 2:
Open the NAT tab of the FW policy window, verify automatic rules were added correctly.
Step 3:
Push the created policy to the appropriate cluster.
Step 4:
1. Start tcpdump on PC2.
2. Ping from PC1 to PC2.
3. Make sure the traffic could pass through.
4. Verify tcpdump on PC2 shows the Gateway's public IP and not PC1's real IP; in this setup PC2 should see 24.123.0.11 as the source, please see the explanation below.
Note:
The automatic static NAT defines a 1:1 mapping using the defined subnet and the configured "translate to" IP address. This means that as soon as the static NAT rule is created, the FW will pre-calculate all the IP mappings.
For example, in this scenario we had created the 24.0.2.0/24 network object and defined 24.123.0.1 as the first "translate to" IP address. This means that the FW pre-calculates all the mappings, such as:
24.0.2.0 ---> 24.123.0.1
24.0.2.1 ---> 24.123.0.2
24.0.2.2 ---> 24.123.0.3
…
24.0.2.10 (PC1 real source IP) ---> 24.123.0.11 (PC1 translated source IP)
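The offset arithmetic behind that pre-calculated table, written out as an added Python example (not code from the handbook or from Check Point): `static_nat_map` reproduces the 1:1 table for a subnet and a "translate to" start address, `real_ip_for` does the reverse lookup needed in Step 5 (which real host answers to 24.123.0.11), and `overlaps` checks the guidance in Step 1.6 that the translated block must not land on a subnet belonging to the FW or shared between the FW and PC2. Function names are this example's own; the subnets used are the ones from this section.

```python
import ipaddress


def static_nat_map(network, translate_to):
    """Pre-calculate the 1:1 mapping: each address keeps its offset from the
    network address, starting at the configured "translate to" address.
    Network and broadcast addresses are included, as in the handbook's listing."""
    net = ipaddress.ip_network(network, strict=False)
    base = ipaddress.ip_address(translate_to)
    first = int(net.network_address)
    return {str(a): str(base + (int(a) - first)) for a in net}


def real_ip_for(network, translate_to, translated):
    """Reverse lookup used in Step 5: which real host answers to a translated IP?
    Returns None when the translated address lies outside the mapped range."""
    net = ipaddress.ip_network(network, strict=False)
    offset = int(ipaddress.ip_address(translated)) - int(ipaddress.ip_address(translate_to))
    if offset < 0 or offset >= net.num_addresses:
        return None
    return str(net.network_address + offset)


def translated_range(network, translate_to):
    """First and last translated address for the whole subnet."""
    net = ipaddress.ip_network(network, strict=False)
    base = ipaddress.ip_address(translate_to)
    return base, base + (net.num_addresses - 1)


def overlaps(network, translate_to, reserved_subnets):
    """True if the translated block collides with any reserved subnet
    (the FW's own subnets, or a subnet shared between the FW and PC2)."""
    lo, hi = translated_range(network, translate_to)
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    reserved = [ipaddress.ip_network(s, strict=False) for s in reserved_subnets]
    return any(b.overlaps(r) for b in blocks for r in reserved)


if __name__ == "__main__":
    # Values from this section: PC1 subnet 24.0.2.0/24, translate-to 24.123.0.1,
    # FW-facing subnets 24.0.2.0/24 (shin) and 25.0.2.0/24 (shout).
    m = static_nat_map("24.0.2.0/24", "24.123.0.1")
    print(m["24.0.2.10"])                                            # 24.123.0.11
    print(real_ip_for("24.0.2.0/24", "24.123.0.1", "24.123.0.11"))  # 24.0.2.10
    print(overlaps("24.0.2.0/24", "24.123.0.1", ["24.0.2.0/24", "25.0.2.0/24"]))  # False
    # A start address inside the shout subnet would collide with the FW's own range.
    print(overlaps("24.0.2.0/24", "25.0.2.1", ["24.0.2.0/24", "25.0.2.0/24"]))   # True
```

Because the whole /24 is mapped, the translated block spans 256 addresses starting at the "translate to" address; choosing a start that is not aligned to the subnet boundary (24.123.0.1 rather than 24.123.0.0) is why the block runs into 24.123.1.0, which `translated_range` makes visible before the rule is pushed.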
Step 5:
1. Knowing the IP translation from above (PC1 corresponding to the "public" IP address of 24.123.0.11), clear the ARP table on PC2.
2. Start tcpdump on PC1.
3. Initiate ping from PC2 to PC1's translated IP address, 24.123.0.11 in this case.
4. Verify PC2 can ping the translated IP address and