Check Point™ NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting (PDF, 641 pages)
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

The site, www.syngress.com/solutions, is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

- One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
- “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
- Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
- Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.


www.syngress.com/solutions
259_Chkpt_VPN_FM_4-11.qxd 4/10/03 12:19 PM Page i
Check Point NG VPN-1/FireWall-1
Advanced Configuration and Troubleshooting
Jim Noble
CCSI, CISSP, Technical Editor
Doug Maxwell
CCSI, NSA
Kyle X. Hourihan
NSA
Robert Stephens
CCSI, CISSP
Barry J. Stiefel
CCSI, CISSP
Cherie Amon
CCSI
Chris Tobkin
CCSI
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 YV4PK9H7G3
002 TKXD37T6CVF
003 8J9HF5TBAA
004 Z2BMQUH89Y
005 U8MPT3L33T
006 HAXXR54ES6
007 G8D4EPQLUK
008 EJ69BKMRD7
009 579KP7V6FH
010 TRCA7UM39Z
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Check Point NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-97-3
Technical Editors: Jim Noble, Doug Maxwell, Victor Chang
Technical Reviewer: Kyle X. Hourihan
Acquisitions Editor: Jonathan Babcock
Indexer: Rich Carlson
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier and Patricia Lupien
Copy Editors: Darlene Bordwell, Darren Meiss
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support
in making this book possible.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner,
Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell,
Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Kristin
Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of
Publishers Group West for sharing their incredible marketing experience and
expertise.
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell,
AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti,
Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making
certain that our vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which
they receive our books.

Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene
Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates
for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at
Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of
Syngress books in the Philippines.
Contributors
Cherie Amon (CCSI, CCSA, CCSE, NSA) is technical editor of and contributor to the best selling Check Point Next Generation Security Administration (Syngress Publishing, ISBN: 1-928994-74-1), as well as the Nokia Network Security Solutions Handbook (Syngress, ISBN: 1-931836-70-1). Cherie is a Senior Professional Security Engineer at Integralis, a systems integrator specializing in IT and e-commerce security solutions. She is both a Check Point and Nokia Certified Security Instructor and has been installing, configuring, and supporting Check Point products since 1997. Cherie currently provides third-tier technical support to Integralis clients and acts as Technical Lead for many managed firewall accounts. Cherie is a member of USENIX and SAGE.
Chris Tobkin (CCSI, CCSE+, CCSE, CCSA, MCP) has over eight years of security-related experience in a wide range of products and technologies. Chris is currently employed as a Security Engineer for Check Point Software Technologies, Ltd. His career began in programming C, C++, and Perl. While studying for his MIS degree, his job at the University of Minnesota included systems and network administration, and later, database administration and project management. His interest in security was recognized and applied to each of these areas. Chris later moved on to a security services company where he was able to hone his skills in social engineering, penetration testing, firewalling, policy development, intrusion detection, and teaching courses in security, including Check Point.
Simon Coffey (CCSI, CCSA, CCSE) is a support consultant based in the Integralis European Support Centre in Reading, United Kingdom. Integralis is one of Europe's leading specialists in the IT security market. Simon has many years' experience providing support, training, and installation services for security products, specializing in Check Point solutions and Nokia firewall appliances. He is also a member of the Theale Volunteer Networking Group, a local forum for discussing current real-world issues.
Robert Stephens (CISSP, CCSI, NSI, NSA-IAM) is a Senior Security Consultant with VigilantMinds, where he provides enterprise security assessments and penetration services, along with engineering services, for managed Check Point VPN-1/FireWall-1 solutions for VigilantMinds clients. Prior to this he was the Technical Lead for Check Point and Nokia training and courseware development with VeriSign. Robert holds a bachelor’s degree in Criminology from the University of Pittsburgh and a master’s degree in Management Information Systems from Duquesne University.
Barry J. Stiefel (CISSP, CCSI, MCSE, CCSA, CCSE, CCNA, A+), co-author of the best selling Next Generation Check Point Certified Security Administrator, is the founder of Information Engine, Inc., a San Francisco security training and consulting firm (www.Information-Engine.com). Previously, he was the Founding Manager of Information Systems at Galileo Technology, an instructor at the University of California, and President of the Windows NT Engineering Association. Barry has developed and teaches the only independent Check Point FireWall-1 training course and is developing CPUG.org, the Check Point User Group. Barry has earned a Bachelor of Science as well as a Master of Business Administration. In his lab, he has more firewalls and routers than he needs, but not as many as he wants.
Yinal Ozkan (CISSP, CCSE) is a Senior Security Engineer at Integralis. He currently provides low-level troubleshooting support for enterprise-level customers. Yinal is a strategic contributor for large-scale deployment projects and security awareness implementation initiatives. His specialties include smart cards, financial systems security, and network security systems. He enjoys focusing on financial sector clients. Yinal holds a bachelor's degree from Istanbul Technical University, and is a member of the ISSA and ISACA. Yinal lives in Manchester, CT.
Thorsten Behrens (CCSE, CCNA, CNE-5, CNE-4) is a Senior Security Engineer with Integralis. Thorsten provides technical expertise to all of Integralis’ Managed Security Services and Support clients. He is responsible for complete client satisfaction on a technical and support level for clients, and is a leading member of the Integralis QA team. Thorsten’s specialties include Check Point FireWall-1, Cisco PIX and routers, network design and troubleshooting, and communications infrastructure (including Frame Relay, ISDN, and ATM). Thorsten is a German national who currently resides in Springfield, MA with his family, Christopher, Amberlea, and Caitlin.

Kurt Falde (MCSE, MCSA, MCP, CCSE, CCSA, A+) is the Senior Systems Engineer for INFO1 Holding Company, Inc., located in Atlanta, GA. Kurt is responsible for maintaining the corporate Active Directory network and the Check Point Firewall structures throughout the company’s multiple sites. He provides direction, implementation, and troubleshooting for the numerous VPNs that the company maintains for business-to-business connectivity. He is currently engaged in managing the merging of several new sites into the corporate Active Directory network as well as the security infrastructure. Kurt has spent the last nine years working in the IT industry. His enthusiasm for using computers, however, goes back about fifteen years. Kurt holds a bachelor’s degree in Mechanical Engineering from Pensacola Christian College. Kurt currently lives in Sugarhill, GA with his wife, Tara, and their cat, Mr. Kitty.
Daniel Kligerman (CCSA, CCSE, Extreme Networks GSE, LE) is a Consulting Analyst with TELUS Enterprise Solutions Inc., where he specializes in routing, switching, load balancing, and network security in an Internet hosting environment. Daniel is a contributing author for Check Point Next Generation Security Administration (Syngress Publishing, ISBN: 1-928994-74-1). A University of Toronto graduate, Daniel holds an honors Bachelor of Science degree in Computer Science, Statistics, and English. Daniel currently resides in Toronto, Canada. He would like to thank Robert, Anne, Lorne, and Merita for their support.
Martin Summers (CCSA, CCSE) is a consultant with Integralis, where he provides technical support for Integralis customers and the Articon Integralis group. His specialties include UNIX and troubleshooting network systems. Martin has previously worked as Project Manager and Senior Engineer at BBC Monitoring, part of the BBC World Service. Martin currently resides in Reading, United Kingdom with his wife, Julie.

Jamie Caesar (CCSE, CCNP) is the Senior Network Engineer for INFO1 Holding Company, Inc., where he is responsible for enterprise network design, deployment, and security for voice and data networks, as well as developing secure, highly available solutions for client connectivity. Jamie is also a co-author of Managing Cisco Network Security, Second Edition (Syngress Publishing, ISBN: 1-931836-56-6). Jamie holds a bachelor's degree in Electrical Engineering from Georgia Tech and he resides outside Atlanta, GA with his wife, Julie.
Technical Reviewer
Kyle X. Hourihan (NSA) is the Course Development Manager and a Senior Technical Trainer for Nokia Internet Communications in Mountain View, CA. He designs, writes, and teaches Nokia Internet Division's internal and external training material. He conducts Train-the-Trainer sessions for Nokia Authorized Training Partners as well as high-end training for Nokia's internal R&D and TACs (Telephone Assistance Centers). Kyle has been working in Network Security since 1999, and previously worked for 3Com as a Senior Instructor and Developer for their Carrier Systems Division (Commworks). He began his career working as a programmer writing code for Cisco IOS, implementing minor routing protocols, and performing software QA on their routers. Kyle earned a Bachelor of Science in Computer Science from the University of Maryland, College Park. He is a co-author of the highly acclaimed Nokia Network Security Solutions Handbook (Syngress Publishing, ISBN: 1-931836-70-1), and he is also a co-author of Freesoft.org (www.freesoft.org), a comprehensive source of Internet engineering information. Kyle resides in Palo Alto, CA.
Technical Editors
Jim Noble (CISSP, CCSA, CCSE, CCSI, CCSE+, CNX) is the Network and Security Director for INFO1 Holding Company, Inc. He and his team are responsible for the design of the company's networking infrastructure, security architecture, telecommunications strategy, and data center design. He comes from an Army Intelligence background, and has 11 years of Information Systems experience. Jim has five years' experience with Check Point FireWall-1 and is very interested in securing information. INFO1 Holding Company, Inc., an information technology company, is one of the four largest credit information providers to the mortgage industry. The company provides credit information and other related services including flood certifications, fraud detection, tax return verifications, and business reports to mortgage and banking clients throughout the country. The company is known for its industry leading technology, and through its nationwide processing centers, has earned a reputation for excellent customer service. INFO1 uses advanced electronic data exchange in XML, X12 and other standard and proprietary formats over secure Internet and Private Wide Area Network connections.
Victor Chang (CCSA, CCSE, CCNA) is the Product Line Support Team Lead for IPSO and Hardware with Nokia. He currently provides Product Line Escalation Support for the Nokia IP Series Appliances and assists Product Management in new product development. Victor currently resides in Fremont, CA. He would like to thank his parents, Tsun San and Suh Jiuan Chang, Ricardo and Eva Estevez, as well as the rest of his family and friends. Without their love and support none of this would have been possible.
Doug Maxwell (CCSI, NSA) is a Senior Professional Services Engineer with Integralis in East Hartford, CT. He primarily designs and implements the integration of Nokia and other Check Point firewalls, as well as IDS solutions, into enterprise networks, and teaches Nokia Security Administration and Check Point NG to clients. He is also the Lead Engineer for the Integralis-US S3 team, which provides network security auditing, penetration testing, and computer forensic services. His specialties include UNIX network security and firewall/IDS network integration. Doug holds a Bachelor of Science degree in Computer Science from the University of Massachusetts at Amherst, and is a member of the Association for Computing Machinery (ACM), USENIX, and the System Administrator's Guild (SAGE). Doug is a contributing author for Check Point Next Generation Security Administration (Syngress Publishing, ISBN: 1-928994-74-1). He happily resides in Ellington, CT with his wife and two-year-old son.
Contents
Foreword xxix
Chapter 1 FW-1 NG Operational Changes 1
Introduction 2
Static NAT Changes from 4.x to NG 2
Server-Side NAT 4
Version 4.x Destination Static NAT 6
How It Really Works 8
Client-Side NAT 9
How It Really Works 10
Bidirectional NAT 11
Automatic ARP 11
When ARP Is Automatic 13

When ARP Is Manual 13
Upgrading 4.x to NG 14
The 4.x Upgrade Process 16
When to Rebuild 16
Summary 18
Solutions Fast Track 19
Frequently Asked Questions 20
Chapter 2 Smart Clients 23
Introduction 24
SmartDashboard 24
What’s New in NG SmartDashboard? 25
New Panes 25
New Policy Tabs 28
New Menu Items and Toolbars 29
New Object Types 31
The Extended Object Properties Screen 34
259_ChkPt_VPN_TOC.qxd 4/4/03 12:14 PM Page xv
Extended Administrator Access 34
A GUI Overview of New FP3 Features 35
The New Policy Installation Interface 36
Using Sections in the Security Rule Base 38
Version Control with Database Revision Control 38
SmartView Status 39
What’s New in SmartView Status? 39
The Panes 39
Changes in the Menu and the Toolbar 42
Highlights of SmartView Status 42
Disconnecting a Client 42
Other Fancy Features 43

SmartView Tracker 43
What’s New in SmartView Tracker? 43
The Panes 43
Menu Changes 45
Highlights From the SmartView Tracker 45
Remote File Management 45
View in SmartDashboard 46
Command-Line Options 46
SmartView Monitor 48
Installation 48
The Interface 48
Traffic Monitoring 49
Monitor Using Check Point System Counters 49
Monitor by Service 50
Monitor Using Network Objects 51
Monitor by QoS 51
Monitor Using Top Firewall Rules 51
Monitor Using Virtual Links 52
Generating Reports 53
Check Point Systems Counter Reports 53
Traffic Reports 53
User Monitor 53
The Interface 54
Managing Queries 55
Summary 56
Solutions Fast Track 57
Frequently Asked Questions 58
Chapter 3 Advanced Authentication 61

Introduction 62
Active Directory 62
Setting Up Active Directory for FireWall-1 Authentication 63
Active Directory Installation and Basic Configuration 64
Enabling LDAP Over SSL 69
Delegation of Control 72
Active Directory Schema Management 73
Extending Your Schema 76
Enabling SSL Communication Between VPN-1/FireWall-1 and Active Directory 79
Setting Up the Firewall for AD Authentication 81
Configuring Global Properties for Active Directory 82
Defining the Active Directory Account Unit 83
Configuring LDAP Administrators 89
User Management on Active Directory 90
Configuring the Rule Base 92
Troubleshooting 94
Suggested Uses of MS-AD Authentication 95
Standard LDAP 96
Setting Up the LDAP for FireWall-1 Authentication 97
Setting Up the Firewall for LDAP Authentication 99
Defining a New User 102
Suggested Uses of LDAP Authentication 104
RADIUS 105
Setting Up the Firewall for RADIUS Authentication 106
Setting Up RADIUS for FireWall-1 Authentication 108
Suggested Uses of RADIUS Authentication 109
TACACS+ 110
Setting Up the Firewall for TACACS+ Authentication 111
Setting Up TACACS+ for FireWall-1 Authentication 112

Suggested Uses of TACACS+ Authentication 114
General User Management 114
Self-Service User Management with ADSI 117
Summary 121
Solutions Fast Track 122
Frequently Asked Questions 123
Chapter 4 Advanced VPN Concepts 125
Introduction 126
What Are SEP and MEP? 126
Sample Scenario 128
Exploring SEP 129
Exploring MEP 131
SEP Configuration Examples 131
Scenario One 131
Scenario Two 132
MEP Configuration Examples 135
Scenario One 135
Setup of New York Firewall 140
Setup of San Diego Firewall 142
Combinations of MEP and SEP 146
VPN Modes 146
Transparent Mode 147
Connect Mode 147
Routing Between VPN Connections 150
Dynamic IP Address VPN Connections 151
Summary 153
Solutions Fast Track 153
Frequently Asked Questions 155

Chapter 5 Advanced VPN Client Installations 157
Introduction 158
The Difference Between SecuRemote and SecureClient 158
Using DNSInfo Files 159
Encrypting Internal Traffic 160
Using SR/SC from Behind a CP-FW-1 System 161
Using SecureClient 163
Creating Rules for Internal Connections to Remote Clients 165
Examples of Common Deployments 166
L2TP Tunnels Terminating on a Check Point FP3 Box 174
Office Mode SecureClient 181
FP3 Clientless VPNs 182
Summary 185
Solutions Fast Track 185
Frequently Asked Questions 188
Chapter 6 High Availability and Clustering 191
Introduction 192
Designing Your Cluster 192
Why Do You Need a Cluster? 192
Resilience 192
Increased Capacity 193
High Availability or Load Sharing? 193
Load Sharing 193
High Availability 193
Clustering and Check Point 193
Operating System Platform 193
Clustering and Stateful Inspection 194
Desire for Stickiness 194

Location of Management Station 194
A Management Station on a Cluster-Secured Network 195
Management Station on Internal Network 196
Connecting the Cluster to Your Network: Hubs or Switches? 198
FireWall-1 Features, Single Gateways vs. Clusters: The Same, But Different 198
Network Address Translation 199
Security Servers 199
Remote Authentication Servers 200
External VPN Partner Configuration 200
Installing FireWall-1 NG FP3 201
Checking the Installation Prerequisites 201
Installation Options 202
Installation Procedure 202
Check Point ClusterXL 207
Configuring ClusterXL in HA New Mode 208
Prerequisites for Installing ClusterXL in HA New Mode 208
Configuration of ClusterXL HA New Mode 209
Testing ClusterXL in HA New Mode 224
Test 1: Pinging the Virtual IP Address of Each Interface 224
Test 2: Using SmartView Status to Examine the Status of the Cluster Members 224
Test 3: FTP Session Through the Cluster When an Interface Fails 225
Command-Line Diagnostics on ClusterXL 226
How Does ClusterXL HA New Mode Work? 229
ClusterXL HA New Mode Failover 231

ClusterXL Failover Conditions 234
Special Considerations for ClusterXL in HA New Mode 237
Network Address Translation 237
Configuring ClusterXL in HA Legacy Mode 239
Configuring ClusterXL in Load-Sharing Mode 241
Prerequisites for Configuring ClusterXL in Load-Sharing Mode 241
Configuration of ClusterXL in Load-Sharing Mode 242
Testing ClusterXL in Load-Sharing Mode 242
Test 1: Pinging the Virtual IP Address for Each Interface 242
Test 2: Using SmartView Status to Examine the Status of the Cluster Members 242
Test 3: FTPing Through ClusterXL Load Sharing During Failover 243
Command-Line Diagnostics for ClusterXL 244
How ClusterXL Works in Load-Sharing Mode 247
ClusterXL Load-Sharing Mode Failover 249
Special Considerations for ClusterXL in Load-Sharing Mode 251
Network Address Translation 251
User Authentication and One-Time Passcodes 251
Nokia IPSO Clustering 251
Nokia Configuration 251
A Few Points About Installing an Initial Configuration of NG FP3 on Nokia IPSO 253
Check Point FireWall-1 Configuration for a Nokia Cluster 254
Configuring the Gateway Cluster Object 254

Nokia Cluster Configuration on Voyager 258
Voyager Configuration 258
Testing the Nokia Cluster 263
Test 1: Pinging the Virtual IP Address of Each Interface 263
Test 2: Determining the Status of Each Member in the Cluster 264
Test 3: FTPing Through a Load-Sharing Nokia Cluster During Interface Failure 265
Command-Line Stats 267
How Nokia Clustering Works 269
Nokia Cluster Failover 272
Nokia Failover Conditions 273
Special Considerations for Nokia Clusters 273
Network Address Translation 274
Defining the Cluster Object Topology 274
Nokia IPSO VRRP Clusters 275
Nokia Configuration 275
Nokia VRRP Configuration on Voyager 277
Voyager Configuration 277
Testing the Nokia VRRP Cluster 281
Test 1: Pinging the Virtual IP Address for Interface 281
Test 2: Finding Which Member Responds to Administrative Connections to the VIPs 282
Test 3: Determining the Status of Each Member in the Cluster 282
Test 4: FTPing Through a VRRP Cluster During Interface Failure 282
Command-Line Stats 283
How VRRP Works 284
Special Considerations for Nokia VRRP Clusters 286

Network Address Translation 286
Connections Originating from a Single Member in the Cluster 287
Third-Party Clustering Solutions 287
Clustering and HA Performance Tuning 287
Data Throughput or Large Number of Connections 288
Improving Data Throughput 288
Improving for Large Number of Connections 290
Final Tweaks to Get the Last Drop of Performance 296
Summary 297
Solutions Fast Track 298
Frequently Asked Questions 301
Chapter 7 SecurePlatform 305
Introduction 306
The Basics 306
Installation 306
Configuration 307
Web User Interface Configuration 308
Command-Line Configuration 314
CPShell 321
Backup and Restore 323
Applying OS and Application Updates 324
Adding Hardware to SecurePlatform 326
Adding Memory 326
Adding NICs 327
Adding a Second Processor 328
Configuring SecurePlatform for a Second Processor 329
Adding Hard Drives 332

FireWall-1 Performance Counters 338
Firewall Commands 338
cpstat 338
fw ctl pstat 340
vpn tu 342
fwaccel 342
Summary 344
Solutions Fast Track 344
Frequently Asked Questions 345
Chapter 8 SmartCenter Management Server, High Availability and Failover, and SMART Clients 349
Introduction 350
SmartCenter Server: The Roles of a Management Server 350
Internal Certificate Authority 352
VPN Certificates 352
Management Server Backup Options 352
Protecting the Configuration 353
Enforcement Point Functions 353
Logging 354
Installing a Secondary Management Server 354
SMART Clients 358
SMART Client Functions 359
SMART Client Login 359
SmartDashboard 362
SmartDefense 363
SmartView Status 365
SmartView Tracker 366
SmartView Monitor 366

User Monitor 367
SmartUpdate 367
Summary 374
Solutions Fast Track 374
Frequently Asked Questions 376
Chapter 9 Integration and Configuration of CVP / UFP 379
Introduction 380
Using CVP for Virus Scanning E-Mail 380
Configuring CVP 380
A Generic CVP Solution 381
Troubleshooting CVP 387
URL Filtering for HTTP Content Screening 388
Setting Up URL Filtering with UFP 389
Using Screening without CVP 395
Summary 397
Solutions Fast Track 397
Frequently Asked Questions 398
Chapter 10 SecureClient Packaging Tool 401
Introduction 402
Installing the SecureClient Packaging Tool 403
Installing by Default 403
Installing Explicitly 403
Starting the SecureClient Packaging Tool 403
Creating a Profile 404
The Welcome Window 404
The General Window 405
The Connect Mode Window 406
Transparent Mode 407

Connect Mode 407
Mode Transition 408
The SecureClient Window 408
The Additional Options Window 409
The Topology Window 410
The Certificates Window 412
The Silent Installation Window 413
The Installation Options Window 414
The Operating System Logon Window 414
The Finish Window 416
Managing SecureClient Profiles 416
Creating a New Profile From an Existing Profile 416
Deleting a Profile 417
Editing a Profile 418
Creating SecureClient Installation Packages 418
The Welcome Window 418
The Package Generation Window 419
Deploying SecuRemote Packages 420
Summary 421
Solutions Fast Track 421
Frequently Asked Questions 423
Chapter 11 SmartDefense 425
Introduction 426
Understanding and Configuring SmartDefense 427
General 427
Anti-Spoofing Configuration Status 429
Denial of Service 431
Teardrop 433
Ping of Death 434
LAND 434

IP and ICMP 434
Fragment Sanity Check 435