Document: Firewall and SmartDefense Administration Guide, Version NGX R65 (PDF)

Firewall and SmartDefense
Administration Guide
Version NGX R65
701682 March 13, 2007

© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point
Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement,
Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless
Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer,
SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,
SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI,
VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router,
Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check
Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.



Contents
Preface
Who Should Use This Guide.............................................................................. 16
Summary of Contents....................................................................................... 17
Section 1: Network Access .......................................................................... 17
Section 2: Connectivity ............................................................................... 18
Section 3: SmartDefense............................................................................. 19
Section 4: Application Intelligence ............................................................... 19
Section 5: Web Security .............................................................................. 21
Section 6: Appendices ................................................................................ 21
Related Documentation .................................................................................... 22
More Information ............................................................................................. 25
Feedback ........................................................................................................ 26
Network Access
Chapter 1 Access Control
The Need for Access Control ............................................................................. 30
Solution for Secure Access Control .................................................................... 31
Access Control at the Network Boundary ....................................................... 31
The Rule Base ............................................................................................ 32
Example Access Control Rule ....................................................................... 33
Rule Base Elements.................................................................................... 33
Implied Rules............................................................................................. 34
Preventing IP Spoofing................................................................................ 35
Multicast Access Control ............................................................................. 37
Cooperative Enforcement............................................................................. 40
End Point Quarantine (EPQ) - Intel(r) AMT .................................................... 42
Special Considerations for Access Control .......................................................... 44
Spoofing Protection..................................................................................... 44
Simplicity .................................................................................................. 44
Basic Rules................................................................................................ 45
Rule Order ................................................................................................. 45
Topology Considerations: DMZ ..................................................................... 45
X11 Service................................................................................................ 46
Editing Implied Rules.................................................................................. 46
Configuring Access Control ............................................................................... 47
Defining Access Control Rules...................................................................... 47
Defining a Basic Access Control Policy.......................................................... 47
Configuring Anti-Spoofing............................................................................ 49
Configuring Multicast Access Control ............................................................ 50
Configuring Cooperative Enforcement ........................................................... 51
Configuring End Point Quarantine (EPQ) - Intel(r) AMT................................... 52
Activating EPQ ........................................................................................... 52
Connection Authentication Data ................................................................... 53
Quarantine Policy Data................................................................................ 54
Encrypting the Password.............................................................................. 55
Malicious Activity Script and Alert................................................................ 55
Logging Activity .......................................................................................... 57
To Quarantine a Machine Manually............................................................... 57
Chapter 2 Authentication
The Need for Authentication ............................................................................. 60
The VPN-1 Solution for Authentication .............................................................. 61
Introduction to VPN-1 Authentication ........................................................... 61
Authentication Schemes.............................................................................. 62
Authentication Methods............................................................................... 64
Configuring Authentication ............................................................................... 73
Creating Users and Groups........................................................................... 73
Configuring User Authentication................................................................... 75
Configuring Session Authentication .............................................................. 76
Configuring Client Authentication ................................................................. 81
Configuring Authentication Tracking ............................................................. 87
Configuring a VPN-1 Gateway to use RADIUS ................................................ 87
Granting User Access Using RADIUS Server Groups ....................................... 90
Associating a RADIUS Server with a VPN-1 Gateway ...................................... 92
Configuring a VPN-1 Gateway to use SecurID ................................................ 93
Configuring a VPN-1 Gateway to use TACACS+ .............................................. 95
Configuring Policy for Groups of Windows Users............................................. 96
Connectivity
Chapter 3 Network Address Translation (NAT)
The Need to Conceal IP Addresses .................................................................. 100
Check Point Solution for Network Address Translation ....................................... 101
Public and Private IP addresses ................................................................. 101
NAT in VPN-1 .......................................................................................... 102
Static NAT ............................................................................................... 103
Hide NAT................................................................................................. 104
Automatic and Manual NAT Rules .............................................................. 105
Automatic Hide NAT for Internal Networks .................................................. 106
Address Translation Rule Base ................................................................... 107
Bidirectional NAT ..................................................................................... 108
Understanding Automatically Generated Rules............................................. 109
Port Translation ........................................................................................ 111
NAT and Anti-Spoofing.............................................................................. 111
Routing Issues.......................................................................................... 111
Disabling NAT in a VPN Tunnel.................................................................. 113
Planning Considerations for NAT ..................................................................... 114
Hide Versus Static .................................................................................... 114
Automatic Versus Manual Rules ................................................................. 114
Choosing the Hide Address in Hide NAT...................................................... 115
Configuring NAT ............................................................................................ 116
General Steps for Configuring NAT ............................................................. 116
Basic Configuration (Network Node with Hide NAT) ..................................... 117
Sample Configuration (Static and Hide NAT) ............................................... 118
Sample Configuration (Using Manual Rules for Port Translation) ................... 120
Configuring Automatic Hide NAT for Internal Networks................................. 121
Advanced NAT Configuration .......................................................................... 122
Allowing Connections Between Translated Objects on Different Gateway Interfaces ..... 122
Enabling Communication for Internal Networks with Overlapping IP Addresses ..... 123
SmartCenter Behind NAT .......................................................................... 127
IP Pool NAT ............................................................................................. 131
Chapter 4 ISP Redundancy
The Need for ISP Link Redundancy ................................................................. 138
Solution for ISP Link Redundancy ................................................................... 139
ISP Redundancy Overview ......................................................................... 139
ISP Redundancy Operational Modes ........................................................... 140
Monitoring the ISP Links ........................................................................... 141
How ISP Redundancy Works ...................................................................... 141
ISP Redundancy Script ............................................................................. 143
Manually Changing the Link Status (fw isp_link) .......................................... 143
ISP Redundancy Deployments.................................................................... 144
ISP Redundancy and VPNs ........................................................................ 147
Considerations for ISP Link Redundancy .......................................................... 149
Choosing the Deployment .......................................................................... 149
Choosing the Redundancy Mode................................................................. 149
Configuring ISP Link Redundancy ................................................................... 150
Introduction to ISP Link Redundancy Configuration ..................................... 150
Registering the Domain and Obtaining IP Addresses..................................... 150
DNS Server Configuration for Incoming Connections .................................... 151
Dialup Link Setup for Incoming Connections ............................................... 152
SmartDashboard Configuration ................................................................... 152
Configuring the Default Route for the ISP Redundancy Gateway .................... 154
Chapter 5 ConnectControl - Server Load Balancing
The Need for Server Load Balancing ................................................................ 158
ConnectControl Solution for Server Load Balancing ........................................... 159
Introduction to ConnectControl................................................................... 159
Load-Balancing Methods ........................................................................... 160
ConnectControl Packet Flow....................................................................... 161
Logical Server Types ................................................................................. 161
Persistent Server Mode.............................................................................. 164
Server Availability ..................................................................................... 166
Load Measuring ........................................................................................ 166
Configuring ConnectControl ............................................................................ 167
Chapter 6 Bridge Mode
Introduction to Bridge Mode ........................................................................... 170
Limitations in Bridge Mode........................................................................ 171
Managing a Gateway in Bridge Mode .......................................................... 171
Configuring Bridge Mode ................................................................................ 172
Bridging Interfaces ................................................................................... 172
Configuring Anti-Spoofing.......................................................................... 172
Displaying the Bridge Configuration ............................................................ 173
SmartDefense
Chapter 7 SmartDefense
The Need for SmartDefense ........................................................................... 178
SmartDefense Solution................................................................................... 180
Introducing SmartDefense ......................................................................... 180
Defending Against the Next Generation of Threats........................................ 181
Network and Transport Layers .................................................................... 182
Web Attack Protection............................................................................... 182
How SmartDefense Works.......................................................................... 183
Online Updates......................................................................................... 184
Categorizing SmartDefense Capabilities ...................................................... 184
SmartDefense Profiles ............................................................................... 186
Monitor-Only Mode ................................................................................... 187
Network Security ........................................................................................... 188
Japanese Language Support for SmartDefense Protections ......................... 188
SmartDefense Single Profile View ............................................................ 189
Denial of Service ...................................................................................... 190
IP and ICMP ............................................................................................ 191
TCP......................................................................................................... 191
Fingerprint Scrambling.............................................................................. 192
Successive Events..................................................................................... 192
DShield Storm Center................................................................................ 192
Port Scan................................................................................................. 193
Dynamic Ports .......................................................................................... 194
Application Intelligence.................................................................................. 195
Mail ........................................................................................................ 195
FTP ......................................................................................................... 195
Microsoft Networks ................................................................................... 195
Peer-to-Peer ............................................................................................. 196
Instant Messengers ................................................................................... 196
DNS ........................................................................................................ 196
VoIP ........................................................................................................ 196
SNMP...................................................................................................... 197
Web Intelligence............................................................................................ 198
Web Intelligence Protections...................................................................... 198
Web Intelligence Technologies ................................................................... 199
Web Intelligence and ClusterXL Gateway Clusters ........................................ 199
Web Content Protections ........................................................................... 200
Customizable Error Page............................................................................ 200
Connectivity Versus Security Considerations ................................................ 201
Web Security Performance Considerations................................................... 203
Backward Compatibility Options for HTTP Protocol Inspection....................... 205
Web Intelligence License Enforcement........................................................ 205
Understanding HTTP Sessions, Connections and URLs................................. 207
Configuring SmartDefense .............................................................................. 210
Updating SmartDefense with the Latest Defenses ........................................ 210
SmartDefense Services................................................................................... 211
Download Updates .................................................................................... 211
Advisories ................................................................................................ 212
Security Best Practices.............................................................................. 213
Configuring SmartDefense Profiles .................................................................. 214
Creating Profiles ....................................................................................... 214
Assign a Profile to the Gateway .................................................................. 214
View Protected Gateways by a Profile .......................................................... 215
SmartDefense StormCenter Module ................................................................. 216
The Need for Cooperation in Intrusion Detection .......................................... 216
Check Point Solution for Storm Center Integration........................................ 217
Planning Considerations ............................................................................ 221
Configuring Storm Center Integration .......................................................... 222
Application Intelligence
Chapter 8 Content Inspection
Anti Virus Protection ...................................................................................... 228
Introduction to Integrated Anti Virus Protection ........................................... 228
Architecture ............................................................................................. 229
Configuring Integrated Anti Virus Scanning.................................................. 229
Database Updates..................................................................................... 230
Understanding Scan By Direction and Scan By IP ........................................ 231
Scanning by Direction: Selecting Data to Scan............................................. 235
File Type Recognition................................................................................ 237
Continuous Download................................................................................ 238
Logging and Monitoring ............................................................................. 239
File Size Limitations and Scanning............................................................. 240
VPN-1 UTM Edge Anti Virus ...................................................................... 242
Web Filtering................................................................................................. 243
Introduction to Web Filtering ..................................................................... 243
Terminology ............................................................................................. 244
Architecture ............................................................................................. 244
Configuring Web Filtering .......................................................................... 245
Chapter 9 Securing Voice Over IP (VoIP)
The Need to Secure Voice Over IP ................................................................... 248
Introduction to the Check Point Solution for Secure VoIP................................... 249
Control Signalling and Media Protocols ............................................................ 250
VoIP Handover............................................................................................... 251
When to Enforce Handover......................................................................... 252
VoIP Application Intelligence .......................................................................... 253
Introduction to VoIP Application Intelligence............................................... 253
Restricting Handover Locations Using a VoIP Domain................................... 254
Controlling Signalling and Media Connections ............................................. 255
Preventing Denial of Service Attacks........................................................... 255
Protocol-Specific Application Intelligence ................................................... 256
VoIP Logging ................................................................................................. 257
Protocol-Specific Security............................................................................... 258
Securing SIP-Based VoIP................................................................................ 259
SIP Architectural Elements in the Security Rule Base .................................. 260
Supported SIP RFCs and Standards............................................................ 261
Secured SIP Topologies and NAT Support ................................................... 262
Application Intelligence for SIP.................................................................. 264
Configuring SmartDefense Application Intelligence Settings for SIP............... 265
Synchronizing User Information ................................................................. 267
SIP Services............................................................................................. 267
Using SIP on a Non-Default Port ................................................................ 268
ClusterXL and Multicast Support for SIP ..................................................... 268
Securing SIP-Based Instant Messenger Applications .................................... 268
Configuring SIP-Based VoIP....................................................................... 269
Troubleshooting SIP....................................................................................... 278
Securing H.323-Based VoIP ........................................................................... 279
H.323 Architectural Elements in the Security Rule Base .............................. 279
Supported H.323 RFCs and Standards ....................................................... 280
Secured H.323 Topologies and NAT Support............................................... 280
Application Intelligence for H.323 ............................................................. 283
SmartDefense Application Intelligence Settings for H.323............................ 284
H.323 Services ........................................................................................ 286
Configuring H.323-Based VoIP .................................................................. 287
Securing MGCP-Based VoIP............................................................................ 303
The Need for MGCP .................................................................................. 303
MGCP Protocol and Devices....................................................................... 304
MGCP Network Security and Application Intelligence ................................... 305
Secured MGCP Topologies and NAT Support ............................................... 307
Synchronizing User Information.................................................................. 308
Configuring MGCP-Based VoIP ................................................................... 309
Securing SCCP-Based VoIP............................................................................. 311
The SCCP Protocol.................................................................................... 311
SCCP Devices........................................................................................... 312
SCCP Network Security and Application Intelligence .................................... 312
ClusterXL Support for SCCP ....................................................................... 313
Configuring SCCP-Based VoIP .................................................................... 313
Chapter 10 Securing Instant Messaging Applications
The Need to Secure Instant Messenger Applications.......................................... 320
Introduction to Instant Messenger Security....................................................... 321
Understanding Instant Messenger Security ....................................................... 322
NAT Support for MSN Messenger over SIP ....................................................... 323
NAT Support for MSN Messenger over MSNMS ................................................ 324
Logging Instant Messenger Applications........................................................... 324
Configuring SIP-based Instant Messengers ....................................................... 325
Configuring MSN Messenger over MSNMS ....................................................... 327
Configuring Skype, Yahoo and ICQ and Other Instant Messengers....................... 328
Chapter 11 Microsoft Networking Services (CIFS) Security
Securing Microsoft Networking Services (CIFS)................................................. 330
Restricting Access to Servers and Shares (CIFS Resource) ................................. 331
Chapter 12 FTP Security
Introduction to FTP Content Security ............................................................... 334
FTP Enforcement by the VPN-1 Kernel ............................................................ 334
FTP Enforcement by the FTP Security Server.................................................... 335
Control Allowed Protocol Commands........................................................... 335
Maintaining Integrity of Other Protected Services......................................... 335
Avoiding Vulnerabilities in FTP Applications ................................................ 335
Content Security via the FTP Resource........................................................ 336
Configuring Restricted Access to Specific Directories ........................................ 337
Chapter 13 Content Security
The Need for Content Security
Check Point Solution for Content Security
  Introduction to Content Security
  Security Servers
  Deploying OPSEC Servers
  CVP Servers for Anti-Virus and Malicious Content Protection
  Using URL Filtering to Limit Web Surfers
  The TCP Security Server
Configuring Content Security
  Resources: What They Are and How to Use Them
  Creating a Resource and Using it in the Rule Base
  Configuring Anti-Virus Checking for Incoming Email
  Configuring CVP Checking for Web Traffic with Improved Performance
  Configuring URL Filtering with a UFP Server
  Performing CVP or UFP Inspection on any TCP Service
Advanced CVP Configuration: CVP Chaining and Load Sharing
  Introduction to CVP Chaining and Load Sharing
  CVP Chaining
  CVP Load Sharing
  Combining CVP Chaining and Load Sharing
  Configuring CVP Chaining and Load Sharing
Chapter 14 Services with Application Intelligence
Introduction to Services with Application Intelligence
DCE-RPC
SSLv3 Service
SSHv2 Service
FTP_BASIC Protocol Type
Domain_UDP Service
Point-to-Point Tunneling Protocol (PPTP)
  Configuring for PPTP
Blocking Visitor Mode (TCPT)
  Introduction to TCPT
  Why Block Visitor Mode and Outgoing TCPT?
  How VPN-1 Identifies TCPT
  When to Block Outgoing TCPT
  Configuration of Visitor Mode Blocking
Web Security
Chapter 15 Web Content Protection
Introduction to Web Content Protection
Web Content Security via the Security Rule Base
  What is a URI Resource?
  Filtering URLs, Schemes and Methods by Source and Destination
  Basic URL Filtering
  URL Logging
  Java and ActiveX Security
Securing XML Web Services (SOAP)
Understanding HTTP Sessions, Connections and URLs
  HTTP Request Example
  HTTP Response Example
  HTTP Connections
  Understanding URLs
Connectivity Versus Security Considerations for Web Surfers
  Allowing or Restricting Content
  Content Compression
Factors Affecting HTTP Security Server Performance
  The Number of Simultaneous Security Server Connections
  How To Run Multiple Instances of the HTTP Security Server
Configuring Web Content Protection
  Blocking URL-based Attacks Using a URI Resource
  Configuring URL Logging
  Configuring Basic URL Filtering
Appendices
Appendix A Security Before VPN-1 Activation
Achieving Security Before VPN-1 Activation
Boot Security
  Control of IP Forwarding on Boot
  The Default Filter
The Initial Policy
Default Filter and Initial Policy Configuration
  Verifying Default Filter or Initial Policy Loading
  Change the Default Filter to a Drop Filter
  User-Defined Default Filter
  Using the Default Filter for Maintenance
  To Unload a Default Filter or an Initial Policy
  If You Cannot Complete Reboot After Installation
  Command Line Reference for Default Filter and Initial Policy
Appendix B Command Line Interface
Index
Preface
In This Chapter
Who Should Use This Guide
Summary of Contents
Related Documentation
More Information
Feedback
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of the following:
• System administration
• The underlying operating system
• Internet protocols (for example, IP, TCP and UDP)
Summary of Contents
This guide describes the firewall and SmartDefense components of VPN-1. It
contains the following sections and chapters:
Section 1: Network Access
This section describes how to secure the networks behind the VPN-1 gateway by
allowing only permitted users and resources to access protected networks.
| Chapter | Description |
|---|---|
| Chapter 1, “Access Control” | Describes how to set up a security policy to fit organizational requirements. |
| Chapter 2, “Authentication” | Describes the VPN-1 authentication schemes (for username and password management) and authentication methods (how users authenticate). |
Section 2: Connectivity
This section describes how to give internal users and resources unrestricted yet
secure connectivity across the gateway.
| Chapter | Description |
|---|---|
| Chapter 3, “Network Address Translation (NAT)” | Describes the Network Address Translation (NAT) process, which involves replacing one IP address with another. NAT can change both the source and destination address of the packet. It is used for both security and administrative purposes. |
| Chapter 4, “ISP Redundancy” | Describes the ISP Redundancy feature, which assures reliable Internet connectivity by allowing a single or clustered VPN-1 gateway to connect to the Internet via redundant Internet Service Provider (ISP) links. |
| Chapter 5, “ConnectControl - Server Load Balancing” | Describes the ConnectControl server load balancing solution, which distributes network traffic among a number of servers and thereby reduces the load on a single machine, improves network response time and ensures high availability. |
Section 3: SmartDefense
This section provides an overview of SmartDefense. This VPN-1 component
enables customers to configure, enforce and update network and application
attack defenses. The DShield StormCenter is also described in detail in this
section. For additional information about specific protections, refer to the
SmartDefense HTML pages and the online help.
| Chapter | Description |
|---|---|
| Chapter 7, “SmartDefense” | Describes the SmartDefense component, which actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. SmartDefense unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects your organization from all known (and most unknown) network attacks using intelligent security technology. |

Section 4: Application Intelligence
This section describes Check Point Application Intelligence features, which are
a set of advanced capabilities integrated into VPN-1 and SmartDefense to
detect and prevent application-level attacks. The chapters in this section
describe how to protect against application-level attacks for each application
protocol, and how to work with anti-virus (CVP) and URL filtering (UFP)
applications.

| Chapter | Description |
|---|---|
| Chapter 8, “Content Inspection” | Describes VPN-1 CI (Content Inspection) gateways, which have integrated Anti Virus technology. Anti Virus protection is available for the HTTP, FTP, SMTP and POP3 protocols. Options for each protocol can be centrally configured. |
| Chapter 9, “Securing Voice Over IP (VoIP)” | Describes how to secure VoIP traffic in H.323, SIP, MGCP and SCCP environments. |
| Chapter 10, “Securing Instant Messaging Applications” | Describes how to secure SIP-based Instant Messenger and MSN Messenger applications. |
| Chapter 11, “Microsoft Networking Services (CIFS) Security” | Describes how to secure Microsoft Networking (CIFS) Services by restricting access to servers and shares. |
| Chapter 12, “FTP Security” | Describes how to provide FTP content security and configure restricted access to specific directories. |
| Chapter 13, “Content Security” | Describes how to integrate with third party OPSEC-certified antivirus applications and URL filtering applications. |
| Chapter 14, “Services with Application Intelligence” | Describes how to configure protection for some of the predefined TCP services that perform content inspection. |

Section 5: Web Security
This section describes the VPN-1 Web Intelligence feature, which provides high
performance attack protection for Web servers and applications, and VPN-1 Web
Content capabilities.
| Chapter | Description |
|---|---|
| Chapter 15, “Web Content Protection” | Describes the integrated web security capabilities that are configured through the Security Rule Base and how to secure XML Web Services (SOAP) on Web servers. |

Section 6: Appendices
This section describes how a VPN-1 gateway protects itself and its networks
during activation and provides a summary of VPN-1 command line interface
commands.

| Appendix | Description |
|---|---|
| Appendix A, “Security Before VPN-1 Activation” | Describes the Boot Security and Initial Policy features, which are used when a computer does not yet have a VPN-1 security policy installed. |
| Appendix B, “Command Line Interface” | Describes command line interface commands that relate to VPN-1 firewall components. |

Related Documentation
This release of VPN-1 includes the following related documentation:
TABLE P-1 VPN-1 Power documentation suite documentation

| Title | Description |
|---|---|
| Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc. |
| Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. |
| SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. |
| Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. |
| Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. |
| Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. |
| SecurePlatform™/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols. |
| Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. |

TABLE P-2 Integrity Server documentation

| Title | Description |
|---|---|
| Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server. |
| Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. |
| Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server. |
| Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. |
| Integrity Advanced Server System Requirements | Provides information about client and server requirements. |
| Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux. |
| Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files. |
| Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior. |
More Information
• For additional technical information regarding Check Point products, refer to
Check Point’s SecureKnowledge at />
• To view the latest version of this document in the Check Point User Center, go
to: />
