Top 26 Checkpoint Firewall Interview Questions You Must Prepare 19.Mar.2024

@Insert the Checkpoint CD into the computers CD Drive.

@You will see a Welcome to Checkpoint SecurePlatform screen. It will prompt you to press any key. Press any key to start the installation,otherwise it will abort the installation.

3.You will now receive a message saying that your hardware was scanned and found suitable for installing secureplatform. Do you wish to proceed with the installation of Checkpoint SecurePlatform.

Of the four options given, select OK, to continue.

4.You will be given a choice of these two:

  • SecurePlatform
  • SecurePlatform Pro

Select Secureplatform Pro and enter ok to continue.

5.Next it will give you the option to select the keyboard type. Select your Keyboard type (default is US) and enter OK to continue.

6.The next option is the Networking Device. It will give you the interfaces of your machine and you can select the interface of your choice.

7.The next option is the Network Interface Configuration. Enter the IP address, subnet mask and the default gateway.

For this tutorial, we will set this IP address as 1.1.1.1 255.255.255.0 and the default gateway as 1.1.1.2 which will be the IP address of your upstream router or Layer 3 device.

8.The next option is the HTTPS Server Configuration. Leave the default and enter OK.

9.Now you will see the Confirmation screen. It will say that the next stage of the installation process will format your hard drives. Press OK to Continue.

10.Sit back and relax as the hard disk is formated and the files are being copied.

Once it is done with the formatting and copying of image files, it will prompt you reboot the machine and importantly REMOVE THE INSTALLATION CD. Press Enter to Reboot.

Note: Secureplatform disables your Num Lock by over riding System BIOS settings, so you press Num LOck to enable your Num Lock.

For the FIRST Time Login, the login name is admin and the password is also admin.

11.Start the firewall in Normal Mode.

12.Configuring Initial Login:

Enter the user name and password as admin, admin.

It will prompt you for a new password. Chose a password.

Enter new password: check$123

Enter new password again: check$123

You may choose a different user name:

Enter a user name:fwadmin

Now it will prompt you with the [cpmodule]# prompt.

@The next step is to launch the configuration wizard. To start the configuration wizard, type “sysconfig”.

You have to enter n for next and q for Quit. Enter n for next.

14.Configuring Host name: Press 1 to enter a host name. Press 1 again to set the host name.

Enter host name: checkpointfw

You can either enter an ip address of leave it blank to associate an IP address with this hostname. Leave it blank for now.

Press 2 to show host name. It now displays the name of the firewall as checkpointfw.

Press e to get out of that section.

15.Configuring the Domain name.

Press 2 to enter the config mode for configuring the domain mode. Press 1 to set the domain name.

Enter domain name:yourdomain.com

Example:

Enter domain name: checkpointfw.com

You can press 2 to show the domain name.

@Configuring Domain Name Servers.

You can press 1 to add a new domain name server.

Enter IP Address of the domain name srever to add: Enter your domain name server IP Address HERE.

Press e to exit.

Network Connections.

@Press 4 to enter the Network Connections parameter.

Enter 2 to Configure a new connection.

Your Choice:

  1. eth0
  2. eth1
  3. eth2
  4. eth3

Press 2 to configure eth@(We will configure this interface as the inside interface with an IP address of 192.168.1.1 and a subnet mask of 255.255.255.@The default gateway will be configured as 1.1.1.1.)

Press 1) Change IP settings.

Enter IP address for eth1 (press c to cancel): 192.168.1.1

Enter network Mask for interface eth2 (press c to cancel): 255.255.255.0

Enter broadcast address of the interface eth2 (leave empty for default): Enter

Pres Enter to continue….

Similarly configure the eth2 interface, which will be acting as a DMZ in this case with 10.10.10.1 255.255.255.0.

Press e to exit the configuration menu.

18.Configuring the Default Gateway Configuration.

Enter 5 which is the Routing section to enter information on the default gateway configuration.

  1. Set default gateway.
  2. Show default gateway.

Press 1 to enter the default gateway configuration.

Enter default gateway IP address: 1.1.1.2

@Choose a time and date configuration item.

Press n to configure the timezone, date and local time.

This part is self explanatory so you can do it yourself.

The next prompt is the Import Checkpoint Products Configuration. You can n for next to skip this part as it is not needed for fresh installs.

2@Next is the license agreement.You have the option of V for evaluation product, U for purchased product and N for next. If you enter n for next. Press n for next.

Press Y and accept the license agreement.

21.The next section would show you the product Selection and Installation option menu.

Select Checkpoint Enterprise/Pro.

Press N to continue.

2@Select New Installation from the menu.

Press N to continue.

2@Next menu would show you the products to be installed.

Since this is a standalone installation configuration example, select

VPN Pro and

Smartcenter

Press N for next

24.Next menu gives you the option to select the Smartcenter type you would like to install.

Select Primary Smartcenter.

Press n for next.

A validation screen will be seen showing the following products:

VPN-1 Pro and Primary Smartcenter.

Press n for next to continue.

Now the installation of VPN-1 Pro NGX R60 will start.

2@The set of menu is as follows:

Do you want to add license (y/n)

You can enter Y which is the default and enter your license information.

2@The next prompt will ask you to add an administrator. You can add an administrator.

27.The next prompt will ask you to add a GUI Client. Enter the IP Address of the machine from where you want to manage this firewall.

2@The final process of installation is creation of the ICA. It will promtp you for the creation of the ICA and follow the steps. The ICA will be created. Once the random is configured ( you dont have to do anything), the ICA is initialized.

After the ICA initialized, the fingerprint is displayed. You can save this fingerprint because this will be later used while connecting to the smartcenter through the GUI. The two fingerprints should match. This is a security feature.

The next step is reboot. Reboot the firewall.

Anti-Spoofing is the feature of Checkpoint Firewall. which is protect from attacker who generate IP Packet with Fake or Spoof source address. Its determine that whether traffic is legitimate or not. If traffic is not legitimate then firewall block that traffic on interface of firewall.

NAT stand for Network Address Trlation. Its used to map private IP address with Public IP Address and Public IP address map with Private IP Address. Mainly its used for Provide Security to the Internal Network and Servers from Internet. NAT is also used to connect Internet with Private IP Address. Because Private IP not route able on Internet.

Stealth Rule Protect Checkpoint firewall from direct access any traffic. Its rule should be place on the top of Security rule base. In this rule administrator denied all traffic to access checkpoint firewall.

Using cpstop and then cpstart will restart all Check Point components, including the SVN foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1.

Its tool of smart console. Its used to Configure Rule, Policy object, Create NAT Policy, Configure VPN and Cluster.

IP Sec (IP Security) is a set of protocol. which is responsible for make secure communication between two host machine, or network over public network such as Internet. IPSec Protocol provide Confidentiality , Integrity, Authenticity and Anti Replay protection. There is two IPSec protocol which provide security

  1. ESP (Encapsulation Security Payload)
  2. AH (Authentication Header).

In Asymmetric Encryption there is two different key used for encrypt and decrypt to packet. Me that one key used for Encrypt packet, and second key used to for decrypt packet. Same key can not encrypt and decrypt.

Hide NAT used to trlate multiple private IP or Network with single public IP address. Me many to one trlation. Its can only be used in source NAT trlation. Hide NAT can not be used in Destination NAT.

Standalone deployment : In standalone deployment, Security Gateway and Security management server installed on same Machine.

Distributed deployment: In Distributed deployment, Security Gateway and Security Management Server installed on different machine.

Central and Local licenses: Central licenses are the new licensing model for NG and are bound to the SmartCenter server. Local licenses are the legacy licensing model and are bound to the enforcement module.

CPD :CPD is a high in the hierarchichal chain and helps to execute many services, such as Secure Internal Communcation (SIC), Licensing and status report.

FWM: The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is; therefore, responsible for Policy installation, Management High Availability (HA) Synchronization, saving the Policy, Database Read/Write action, Log Display, etc.

FWD:The FWD process is responsible for logging. It is executed in relation to logging, Security Servers and communication with OPSEC applications.

Automatic NAT:                 

  • Automatic created by Firewall Network Security Administrator
  • Can not modify                  
  • Can not create “No NAT” rule  
  • Can not create Dual NAT
  • Port forwarding not possible
  • Proxy ARP by default enabled

Manual NAT:

  • Manually Created by Network Security
  • Can be Modify  
  • Can be Create “No NAT” rule
  • Can be Create Dual NAT  
  • Port forwarding possible
  • Proxy ARP by default not enable 

ESP:ESP Protocol is a part of IPsec suit , Its provide Confidentiality, Integrity and Authenticity. Its used in two mode Trport mode and Tunnel mode.

AH:Its is also part of a IPsec suit, Its provide only Authentication and Integrity, Its does not provide Encryption. Its also used to two mode Trport mode and Tunnel mode.

VPN (Virtual Private Network) is used to create secure connection between two private network over Internet. Its used Encryption authentication to secure data during trmission. There are two type of VPN

  • Site to Site VPN.
  • Remote Access VPN.

When request to trlate Destination IP address for connect with Internal Private network from Public IP address. Only static NAT can be used in Destination NAT.

Source NAT used to initiate traffic from internal network to external network. In source NAT only source IP will trlated in public IP address.

  • Smart Console.
  • Security Management.
  • Security Gateway.

  • Save Public IP to save cost.
  • Security with hide Internal Network.
  • Avoid Routing.
  • Publish Server over Internet.
  • Overlapping Network.
  • Access Internet from Private IP address.

Cleanup rule place at last of the security rule base, Its used to drop all traffic which not match with above rule and Logged. Cleanup rule mainly created for log purpose. In this rule administrator denied all the traffic and enable log.

SIC stand for “Secure Internal Communication”. Its a checkpoint firewall feature that is used to make secure communication between Checkpoint firewall component. Its used when Security Gateway and Security management server installed in Distributed deployment. Its Authentication and Encryption for secure communication.

  • SAM Database.
  • Address Spoofing.
  • Session Lookup.
  • Policy Lookup.
  • Destination NAT.
  • Route Lookup.
  • Source NAT.
  • Layer 7 Inspection.
  • VPN.
  • Routing.

It's a rule in ruse base which is manually created by network security administrator that called Explicit rule.