Firewall Interview FAQ


Upload: lokesh-shanjeev

Post on 23-Oct-2015


1. What is a firewall?

A firewall is hardware or software installed to provide security to private networks connected to the Internet. Firewalls can be implemented in hardware, in software, or in a combination of both. All data entering or leaving the intranet passes through the firewall, which allows only the data meeting the administrators' rules to pass through it.

2. What are the types of firewalls?

1. Packet Filtering Firewall: This type of firewall inspects packets, blocks unnecessary ones and lets the remaining network traffic through.
2. Screening Router Firewall: A software-based firewall available in a router; it provides only light filtering.
3. Computer-based Firewall: A firewall installed on a server running an existing operating system such as Windows or UNIX.
4. Hardware-based Firewall: A box-like device that provides strong protection from the public network. Mostly used by large networks.
5. Proxy Server: A proxy server allows all clients to access the Internet, each with different access limits. The proxy server has its own firewall, which filters all packets coming from the web server.

3. What is PIX Firewall Security? How does it differ from a firewall?

The Cisco PIX firewall is a stateful firewall. It uses ASA technology.

4. What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected.

5. Will IPSEC make firewalls obsolete?

IPSEC (IP Security) refers to a set of standards developed by the Internet Engineering Task Force (IETF). There are many documents that collectively define what is known as "IPSEC" [4]. IPSEC solves two problems which have plagued the IP protocol suite for years: host-to-host authentication (which will let hosts know that they're talking to the hosts they think they are) and encryption (which will prevent attackers from being able to watch the traffic going between machines).

6. What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators for firewalls managing the connectivity for a large number of hosts therefore have a heavy responsibility.

7. What is synchronization and why is it important?

With respect to multithreading, synchronization is the capability to control the access of multiple threads to shared resources. Without synchronization, it is possible for one thread to modify a shared object while another thread is in the process of using or updating that object's value. This often leads to significant errors.

8. What are the critical resources in a firewall?

Service       Critical Resource
Email         Disk I/O
Netnews       Disk I/O
Web           Host OS Socket Performance
IP Routing    Host OS Socket Performance
Web Cache     Host OS Socket Performance, Disk I/O

9. What are some common attacks, and how can I protect my system against them?

Each site is a little different from every other in terms of what attacks are likely to be used against it. Some recurring themes do arise, though.

10. What is the difference between a gateway and a firewall?

A network gateway joins two networks together through a combination of hardware and software. A network firewall guards a computer network against unauthorized incoming or outgoing access. Network firewalls may be hardware devices or software programs.

11. What is the difference between router ACLs and firewall ACLs?

Fundamental purpose:

1. Routers are designed to route traffic, not stop it.
2. Firewalls are designed to examine and accept/reject traffic.

Both kinds of ACL do the same job, however; depending on our requirements we configure the ACL on one device or the other.

12. Does a traceroute command work across the firewall? Why?

Traceroute is based on ICMP type 30 under Windows and UDP under *NIX; traceroute packets that hit the firewall should be dropped, and similarly any echo reply coming from inside the firewall should be restricted outbound.

13. Can you define packet filtering?

Packet filtering is the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion.

The packet filter examines the header of each packet based on a specific set of rules, and on that basis, decides to prevent it from passing (called DROP) or allow it to pass (called ACCEPT).

14. Can you explain circuit level gateway?

Circuit level gateway firewalls work at the session layer of the OSI model. They monitor TCP handshaking between the packets to determine if a requested session is legitimate. The information passed through a circuit level gateway to the Internet appears to have come from the circuit level gateway, so there is no way for a remote computer or host to determine the internal private IP addresses of an organization, for example. This technique is also called Network Address Translation: the private IP addresses originating from the different clients inside the network are all mapped to the public IP address available through the Internet service provider and then sent to the outside world (Internet). This way, the packets are tagged with only the public IP address (firewall level) and the internal private IP addresses are not exposed to potential intruders.

15. Can you explain stateful inspection?

Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. Stateful inspection has largely replaced an older technology, static packet filtering. In static packet filtering, only the headers of packets are checked, which means that an attacker can sometimes get information through the firewall simply by indicating "reply" in the header. Stateful inspection, on the other hand, analyzes packets down to the application layer. By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement a much tighter security posture than a static packet filter can.
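To make the two preceding answers concrete (header-only packet filtering with DROP/ACCEPT verdicts, and stateful inspection that records sessions), here is an added example that is not part of the original FAQ: a simulated static filter that trusts a packet's own claim to be a reply, beside a stateful filter that admits only replies to a session it recorded on the way out. The inside network, the port-80 policy and the packets are constructed.

```python
"""Static packet filtering vs. stateful inspection, simulated in Python.

Added example (not from the FAQ). Packets are constructed, simplified TCP
headers; no real traffic is sent. Policy for both filters: inside hosts
may open connections to outside port 80; everything else inbound must be
a reply to an existing session.
"""
from dataclasses import dataclass
import ipaddress

# Constructed example address plan (192.168.1.0/24 inside; documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 play the Internet).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_OUTBOUND_PORTS = {80}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE_NET


def static_filter(pkt: Packet) -> str:
    """Header-only rules with no memory of earlier packets.

    Inbound packets are admitted when they *look* like replies, i.e. the ACK
    flag is set. The sender controls that flag, so a packet merely marked as a
    reply passes; this is the weakness the stateful inspection answer names.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT" if pkt.dport in ALLOWED_OUTBOUND_PORTS else "DROP"
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return "ACCEPT" if pkt.ack else "DROP"
    return "DROP"


class StatefulFilter:
    """Dynamic packet filter: records sessions and matches replies to them."""

    def __init__(self) -> None:
        # Each session is the (src, sport, dst, dport) of the packet that opened it.
        self.sessions = set()

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack and pkt.dport in ALLOWED_OUTBOUND_PORTS:
                self.sessions.add(key)          # policy permits a new outbound session
                return "ACCEPT"
            return "ACCEPT" if key in self.sessions else "DROP"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            # A genuine reply reverses the recorded session's addresses and ports.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if reverse in self.sessions and pkt.ack else "DROP"
        return "DROP"


def run_both(packets):
    """Feed the same packet sequence to both filters; return (static, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.filter(p)) for p in packets]


# Constructed traffic: one legitimate web session, then a forged "reply" aimed at SSH.
SAMPLE_PACKETS = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True),            # outbound SYN
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),  # genuine SYN/ACK reply
    Packet("198.51.100.7", 80, "192.168.1.20", 22, ack=True),              # forged "reply", no session
    Packet("198.51.100.7", 50000, "192.168.1.20", 22, syn=True),           # plain inbound SYN
]

if __name__ == "__main__":
    for pkt, (static_v, stateful_v) in zip(SAMPLE_PACKETS, run_both(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  static={static_v}  stateful={stateful_v}")
```

The third packet is the one that separates the two designs: the static filter accepts it because ACK is set, while the stateful filter drops it because no inside host ever opened a session to 198.51.100.7.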

16. Can you explain the concept of demilitarized zone?

The concept of the DMZ, like many other network security concepts, was borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces' battle lines. The DMZ likewise provides a buffer zone that separates an internal network from the often hostile territory of the Internet. Sometimes it's called a "screened subnet" or a "perimeter network," but the purpose remains the same.

17. What is an Application Level Gateway?

An application layer gateway (ALG) is a feature on ScreenOS gateways that enables the gateway to parse application layer payloads and make decisions based on them. Although there are other ScreenOS features, such as deep inspection, in which the gateway inspects traffic at the application layer, ALGs are typically employed to support applications that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. Such applications include the File Transfer Protocol (FTP) and various IP telephony protocols. The dynamic TCP, UDP, or other ports that are opened by the ScreenOS gateway to permit these data or secondary channels are referred to as pinholes, and are active strictly for the duration of activity on the data channel.

18. Can you explain the concept of demilitarized zone?

The concept of the DMZ, like many other network security concepts, was borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces' battle lines.

The DMZ likewise provides a buffer zone that separates an internal network from the often hostile territory of the Internet. Sometimes it's called a "screened subnet" or a "perimeter network," but the purpose remains the same.

19. What is the meaning of bastion host?

A bastion host is a specialized computer that is deliberately exposed on a public network. From a secured network perspective, it is the only node exposed to the outside world and is therefore very prone to attack. It is placed outside the firewall in single firewall systems or, if a system has two firewalls, it is often placed between the two firewalls or on the public side of a demilitarized zone (DMZ).

The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway. The most common examples of bastion hosts are mail, domain name system, Web and File Transfer Protocol (FTP) servers. Firewalls and routers can also become bastion hosts.

20. What are the types of firewall architecture?

1. Screening Router Architecture
2. Dual-Homed Host Architecture
3. Screened Host Architecture
4. Screened Subnet Architecture

21. Explain the Screening Router Architecture.

In this architecture a firewall consists of nothing more than a screening router. Hosts on the local network and hosts on the Internet are allowed to communicate directly. The communication is restricted to the type that is allowed by the screening router. The security of the whole local network depends on the correct ACL on the router and on the number of services permitted.

22. What are the advantages and disadvantages of circuit level gateways?

The following are the advantages of circuit level gateways:

1. Private network data hiding
2. Avoidance of filtering individual packets
3. Flexibility in developing address schemes
4. No need for a separate proxy server for each application
5. Simpler to implement

The following are the disadvantages of circuit level gateways:

1. Active content cannot be scanned, nor can specific commands be disallowed.
2. Can only handle TCP connections; new extensions have been proposed for UDP.
3. TCP/IP stacks must be modified by the vendor in order to use circuit level gateways.

23. What is IP spoofing and how can it be prevented?

IP spoofing is a mechanism used by attackers to gain unauthorized access to a system. Here, the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. This is done by forging the header so that it contains a different address, making it appear that the packet was sent by a different machine.

Prevention:

1. Packet filtering: allow only packets with recognized formats to enter the network.
2. Using special routers and firewalls.
3. Encrypting the session.
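The first prevention item above, packet filtering against forged source addresses, is usually implemented as an anti-spoofing (ingress/egress) rule evaluated before anything else. The following is an added example, not code from the FAQ: a two-interface firewall that drops outside packets claiming an inside source and inside packets claiming a foreign one. Interface names, address ranges and the packets are constructed.

```python
"""Anti-spoofing (ingress/egress) rules for a two-interface firewall.

Added example, not code from the FAQ. A packet arriving on the outside
interface must not carry an inside source address, and a packet arriving
from the inside must. Interface names, address ranges and packets are
constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

OUTSIDE_IF = "eth0"   # constructed: faces the Internet
INSIDE_IF = "eth1"    # constructed: faces the local network
INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("10.10.10.0/24")]
# Sources never valid on the outside interface (loopback, link-local,
# "this network", multicast); a constructed subset of the usual bogon list.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was received on
    src: str     # claimed source address
    dst: str


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def antispoof_verdict(pkt: Packet) -> str:
    """First rule in the chain: returns 'ACCEPT' or 'DROP:<reason>'.

    Ingress check: inside addresses and bogons arriving from outside are forged.
    Egress check: packets leaving the inside must carry an inside address, so
    local hosts cannot spoof third parties either.
    """
    if pkt.iface == OUTSIDE_IF:
        if in_any(pkt.src, INSIDE_NETS):
            return "DROP:inside-source-on-outside-interface"
        if in_any(pkt.src, BOGON_NETS):
            return "DROP:bogon-source"
        return "ACCEPT"
    if pkt.iface == INSIDE_IF:
        if not in_any(pkt.src, INSIDE_NETS):
            return "DROP:egress-source-not-inside"
        return "ACCEPT"
    return "DROP:unknown-interface"


def audit(packets):
    """Return (packet, verdict) pairs for a packet sequence."""
    return [(p, antispoof_verdict(p)) for p in packets]


# Constructed packets; 203.0.113.0/24 and 198.51.100.0/24 stand in for the Internet.
SAMPLE_PACKETS = [
    Packet("eth0", "192.168.1.10", "192.168.1.1"),   # outside packet forging an inside address
    Packet("eth0", "127.0.0.1", "192.168.1.1"),      # outside packet with loopback source
    Packet("eth0", "203.0.113.5", "192.168.1.10"),   # ordinary inbound packet
    Packet("eth1", "203.0.113.9", "198.51.100.1"),   # inside host spoofing a foreign address
    Packet("eth1", "10.10.10.5", "198.51.100.1"),    # ordinary outbound packet
]

if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE_PACKETS):
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst}: {verdict}")
```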

24. What is the use of area and perimeter?

A lot of the time, area and perimeter are used to help with home improvement projects like carpeting, hardwood flooring and painting. They are used to give a good estimate of how much material you would need for these sorts of projects: the perimeter tells you the size of the outside of the shape, and the area the size of the inside.

25. Can you explain screened subnet architecture?

A screened subnet (also known as a "triple-homed firewall") is a network architecture that uses a single firewall with three network interfaces.

The purpose of the screened subnet architecture is to isolate the DMZ and its publicly-accessible resources from the intranet, thereby focusing external attention and any possible attack on that subnet. The architecture also separates the intranet and DMZ networks, making it more difficult to attack the intranet itself. When a properly configured firewall is combined with the use of private IP addresses on one or both of these subnets, attack becomes that much more difficult.

26. Can you explain screened host architecture?

The screened host architecture is a lower-security, lower-cost alternative to the screened subnet architecture discussed in the previous sections. The screened host architecture is often used by very small sites that are facing significant cost constraints.

In a screened host architecture, there is no perimeter net, no interior router, and often no bastion host per se. (Obviously, there is a host that the outside world talks to, but this host is often not dedicated solely to that task.) What you have instead is a single router (most analogous to the exterior router in the dual-router screened subnet architecture) and a services host that provides Internet services to internal and external clients (and is often used for other tasks as well).

The router is there to protect and control access to the internal net, and the services host is there to interact with the outside world, much like a bastion host. We call it a services host, rather than a bastion host, because it's often fulfilling many other roles. For example, it's probably the mail server, Usenet news server, and DNS server for the site; it might possibly be a file server, print server, and so on, as well; it might even be the only machine the site has.

27. Can you explain dual-homed architecture?

In this architecture a firewall consists of a Dual-Homed Host machine (a machine having two or more IP addresses, one for each physical port). One port of the machine connects to the local network and the other port(s) connect to the Internet. IP datagram forwarding is turned off on the Dual-Homed Host machine, so there is no direct TCP/IP connection between the local network and the Internet.

You permit communication between the local network and the Internet in either of two ways:

1. Users on the local network are given accounts on the Dual-Homed Host machine. In order to use Internet services they must rlogin to the Dual-Homed Host machine. The fact that you allow accounts on the machine weakens its security greatly (it now depends on each and every user who has access to it; more correctly, it depends on the users' ability to choose "strong" passwords). Once an outsider succeeds in logging in to the Dual-Homed Host machine, he or she can access the entire local network.
2. The Dual-Homed Host runs a proxy program for each service you want to permit, so there is no longer any need for users to rlogin to the machine in order to access the Internet. They can communicate via the proxy software.

The only host that can be accessed, and thus attacked, from the Internet is the Dual-Homed Host machine. It must therefore have a much greater level of security than an ordinary host on the local network: extensive logging and auditing of system state must be performed, only secure and necessary software installed, and so on. This architecture is much more secure than the Screening Router Architecture, but once the Dual-Homed Host is subverted the entire local network is still vulnerable to attack.

28. What is a routing table?

A routing table stores the routes to the various nodes in a network. Nodes can be any electronic device connected to the network. The table is usually stored in a router or a network computer as a database or file. This information helps to find the best possible path. The routing table has at least 3 fields: the destination network id, the cost of the path, and the next hop or address to send the packet to.

29. What are routing protocols?

Routing protocols are used to assist in achieving the basic purpose of routing. They specify how routers communicate with each other and help the routers select the best possible path between nodes. There are different types of protocols such as link-state routing protocols, path vector protocols and distance vector routing protocols. These protocols prevent routing loops from forming, or break them if already formed. They help to decide preferred routes from a sequence of hop costs.

30. What is SNMP (Simple Network Management Protocol)?

SNMP or Simple Network Management Protocol is typically used for managing the network. Managing the network includes managing the nodes present in the network. These nodes may be servers, routers, bridges and hubs. SNMP agents are used to achieve this. Managing the network is essential because it helps to monitor network performance, detect network faults or failures, audit network usage etc. The SNMP messages like TRAP, GET or SET may be invoked by network elements or the network management system.

31. What is POP3 (Post Office Protocol 3)?

POP3 or Post Office Protocol 3 is used for receiving emails. It is a client-server protocol which holds the email. Once the email is downloaded from the server, POP3 deletes it from the server. Ordinal numbers are used to identify specific messages.

32. What is NNTP (Network News Transfer Protocol)?

NNTP or Network News Transfer Protocol is used to manage the notes posted on Usenet newsgroups (a collection of notes on a subject posted by different users). NNTP servers are responsible for managing Usenet newsgroups collected globally. An NNTP client is a part of the web browser, also called a news reader. It uses the reserved port number 119.

33. What is HTTP (Hypertext Transfer Protocol)?

HTTP or Hyper Text Transfer Protocol provides a set of rules to transfer files, videos and images over the World Wide Web. When the web browser is opened, an HTTP request call is made. A web server contains an HTTP daemon. This daemon waits for HTTP requests and handles them when they arrive. The web browser from which HTTP requests are made is called a client. These requests are sent to the server. It uses the reserved port number 80.

34. What is the IGMP protocol?

Internet Group Management Protocol allows Internet hosts to multicast, i.e. to send messages to a group of computers. There may be a group of Internet hosts interested in multicasting. IGMP allows a router to determine which host groups have members on a given network segment. It helps to establish group memberships. It is commonly used for streaming video and gaming. The protocol can be implemented on both the host side and the router side. The host side is responsible for notifying its membership in a group. The notification is made to a local router. This local router (router side) in turn sends out queries.

35. What is the NetBIOS protocol?

The NetBIOS (Network Basic Input/Output System) protocol allows applications on separate computers to communicate over a LAN. It runs over TCP/IP, giving each computer in the network a NetBIOS name and IP address. E.g. it can be used for computers running Windows 2000 (or before) to join a computer network running Windows 2000 (or later).

36. What is data encryption?

Data encryption ensures data safety and is very important for confidential or critical data. It protects data from being read, altered or forged during transmission.

37. What is public key encryption?

Public key encryption uses a public and a private key for encryption and decryption. In this mechanism, the public key is used to encrypt messages and only the corresponding private key can be used to decrypt them. To encrypt a message, a sender has to know the recipient's public key.

38. Define digital signatures.

A digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.

39. What is the CSMA and CD concept?

In CSMA (carrier sense multiple access), the presence of any digital signal in the network is checked before transmission. Data transmission occurs only when no signal is sensed. CD, collision detection, is responsible for monitoring the carrier in order to avoid signal jams.

40. What is Ethernet technology?

Ethernet technology is a high speed broadcast bus technology. In this type, all the stations share a single ether channel and receive every single transmitted signal.

5 Interview Questions for Firewall Engineers

Your ability to secure data using the right mix of hardware and software is critical to a company's operations, and even its bottom line. Among the most important things recruiters and hiring managers look for during an interview seems basic: technical competence.

At the same time, they want to see that you can fit into the corporate culture. That's the kind of thing many tech people struggle to demonstrate.

This means you can expect your interview to cover areas that seem to have little relation to one another. So be ready to shift gears quickly as the conversation goes on. Here are some of the questions you should be ready to field.

What's the size of your network?

What you should say: Your answer depends on who's asking the question. For example, if it's a technical person conducting the interview, you might want to answer in terms of nodes. However the idea of a 1,300-node network probably won't mean anything to a businessperson. For an executive or someone in sales, it's better to say you have 1,500 users.

Why you should say it: You want to qualify your audience. Before you answer, be sure you understand how it will resonate with the person who's asking. If that executive doesn't know what you're talking about, he's got no basis on which to judge some of your critical experience. Bottom line: Know your audience.

What's the most successful firewall project you've worked on? What was your role?

What you should say: If you're a senior engineer, managers want to hear that you led the project and designed it, not that you just did what you were told to do. Structure your answer to identify the possible solutions you looked at, which one you chose and why, and then get into details of your role. Come prepared to get into detail about your biggest projects.

Why you should say it: This is where the interviewer gets a sense of who you are. If you just say you were part of a team, that tells them you haven't really worked on a lot of cutting-edge projects. Good interviewers are moving away from black-and-white questions and pat, right-or-wrong answers. A lot of their questions will be meant to gauge the complexity of your environment and how effective you were in working with it.

Describe the biggest security breach you've encountered. How did you handle it, and what would you do differently?

What you should say: Some might say they've never had a breach, but that could imply you. Assuming you have experienced a breach, be sure to help the interviewer understand what controls and measures you put in place and, again, highlight your specific role. Don't just say you had a problem — show how you overcame it.

Why you should say it: Contrary to the usual advice to be a team player, it's important to emphasize your individual contribution. You want the interviewer to know exactly what you bring to the table. You're interviewing for you, not your team.

What percentage of your responsibilities is dedicated to IT security?

What you should say: Tell the truth, but bear in mind having security as just one of many roles could be a liability to some employers. If security is one of five or six responsibilities you have, you won't have knowledge that's as deep as someone who handles it full-time. So be sure to put it in perspective. If you have multiple responsibilities and security is the major one, emphasize that.

Why you should say it: People want to get to the core of how much of your day is devoted to IT security. If it's simply 20 percent of your role, face the fact that this job's probably not for you. Bottom line: Make sure you're a perfect fit when targeting this position.

Why do you want to work here?

What you should say: Avoid a cookie-cutter answer like "to grow my career" or "I'm fascinated by your business." Show that you've researched the company, that you're motivated, interested and have ideas about how you can contribute. Prepare by following the basics: Get onto the company's website, look at its press releases and financials, and incorporate relevant details into your answers.

Why you should say it: First, you want to impress the interviewers with how much you know about the company and tie it back to how you can contribute. That shows your interest in the job. Second, as important as it is to demonstrate your technical skills, proving that you can fit into the employer's culture can be even more critical. Recruiters say successful hiring decisions are 60 percent about technical skills and 40 percent cultural fit. While the technical skills will get you the interview, it's the cultural fit that lands you the job.

Question 1 – Which of the applications in Check Point technology can be used to configure security objects?

Answer:

Smart Dashboard

Question 2 – Which of the applications in Check Point technology can be used to view who did what to the security policy, and when?

Answer:

SmartView Tracker

Question 3 – What are the two types of Check Point NG licenses?

Answer:

Central and Local licenses.

Central licenses are the new licensing model for NG and are bound to the Smart Center server. Local licenses are the legacy licensing model and are bound to the enforcement module.

Question 4 – What is the main difference between cpstop/cpstart and fwstop/fwstart?

Answer:

Using cpstop and then cpstart will restart all Check Point components, including the SVN foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1.

Question 5 – What are the functions of the CPD, FWM, and FWD processes?

Answer:

CPD – CPD is high in the hierarchical chain and helps to execute many services, such as Secure Internal Communication (SIC), licensing and status reporting.

FWM – The FWM process is responsible for the execution of the database activities of the Smart Center server. It is, therefore, responsible for policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.

FWD – The FWD process is responsible for logging. It is executed in relation to logging, Security Servers and communication with OPSEC applications.

Question 6 – How to install Checkpoint Firewall NGX on SecurePlatform?

Answer:

1. Insert the Checkpoint CD into the computer's CD drive.
2. You will see a "Welcome to Checkpoint SecurePlatform" screen. It will prompt you to press any key. Press any key to start the installation; otherwise it will abort the installation.
3. You will now receive a message saying that your hardware was scanned and found suitable for installing SecurePlatform, and asking whether you wish to proceed with the installation of Checkpoint SecurePlatform. Of the four options given, select OK to continue.
4. You will be given a choice of these two: SecurePlatform, or SecurePlatform Pro. Select SecurePlatform Pro and enter OK to continue.
5. Next it will give you the option to select the keyboard type. Select your keyboard type (default is US) and enter OK to continue.
6. The next option is the Networking Device. It will give you the interfaces of your machine and you can select the interface of your choice.
7. The next option is the Network Interface Configuration. Enter the IP address, subnet mask and the default gateway. For this tutorial, we will set this IP address as 1.1.1.1 255.255.255.0 and the default gateway as 1.1.1.2, which will be the IP address of your upstream router or Layer 3 device.
8. The next option is the HTTPS Server Configuration. Leave the default and enter OK.
9. Now you will see the Confirmation screen. It will say that the next stage of the installation process will format your hard drives. Press OK to continue.
10. Sit back and relax as the hard disk is formatted and the files are copied. Once it is done with the formatting and copying of image files, it will prompt you to reboot the machine and, importantly, REMOVE THE INSTALLATION CD. Press Enter to reboot.

Note: SecurePlatform disables your Num Lock by overriding the system BIOS settings, so press Num Lock to enable your Num Lock.

For the FIRST time login, the login name is admin and the password is also admin.

11. Start the firewall in Normal Mode.
12. Configuring Initial Login: Enter the user name and password as admin, admin. It will prompt you for a new password. Choose a password.

Enter new password: check$123
Enter new password again: check$123

You may choose a different user name:

Enter a user name: fwadmin

Now it will prompt you with the [cpmodule]# prompt.

13. The next step is to launch the configuration wizard. To start the configuration wizard, type "sysconfig". You have to enter n for next and q for quit. Enter n for next.
14. Configuring Host name: Press 1 to enter a host name. Press 1 again to set the host name.

Enter host name: checkpointfw

You can either enter an IP address or leave it blank to associate an IP address with this hostname. Leave it blank for now. Press 2 to show the host name. It now displays the name of the firewall as checkpointfw. Press e to get out of that section.

15. Configuring the Domain name. Press 2 to enter the config mode for configuring the domain name. Press 1 to set the domain name.

Enter domain name: yourdomain.com

Example:

Enter domain name: checkpointfw.com

You can press 2 to show the domain name.

16. Configuring Domain Name Servers. You can press 1 to add a new domain name server.

Enter IP Address of the domain name server to add: Enter your domain name server IP address HERE.

Press e to exit.

Network Connections.

17. Press 4 to enter the Network Connections parameter. Enter 2 to configure a new connection.

Your Choice:
1) eth0
2) eth1
3) eth2
4) eth3

Press 2 to configure eth1. (We will configure this interface as the inside interface with an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0. The default gateway will be configured as 1.1.1.1.)

Press 1) Change IP settings.

Enter IP address for eth1 (press c to cancel): 192.168.1.1
Enter network Mask for interface eth2 (press c to cancel): 255.255.255.0
Enter broadcast address of the interface eth2 (leave empty for default): Enter

Press Enter to continue.

Similarly configure the eth2 interface, which will be acting as a DMZ in this case with 10.10.10.1 255.255.255.0. Press e to exit the configuration menu.

18. Configuring the Default Gateway. Enter 5, which is the Routing section, to enter information on the default gateway configuration.

1. Set default gateway.
2. Show default gateway.

Press 1 to enter the default gateway configuration.

Enter default gateway IP address: 1.1.1.2

19. Choose a time and date configuration item. Press n to configure the time zone, date and local time. This part is self explanatory so you can do it yourself. The next prompt is the Import Checkpoint Products Configuration. You can press n for next to skip this part, as it is not needed for fresh installs.
20. Next is the license agreement. You have the option of V for evaluation product, U for purchased product and N for next. Press n for next. Press Y and accept the license agreement.
21. The next section shows you the Product Selection and Installation option menu. Select Checkpoint Enterprise/Pro. Press N to continue.
22. Select New Installation from the menu. Press N to continue.
23. The next menu shows you the products to be installed. Since this is a standalone installation configuration example, select VPN Pro and Smart center. Press N for next.
24. The next menu gives you the option to select the Smart center type you would like to install. Select Primary Smart center. Press n for next. A validation screen will be seen showing the following products: VPN-1 Pro and Primary Smart center. Press n for next to continue. Now the installation of VPN-1 Pro NGX R60 will start.
25. The set of menus is as follows:

Do you want to add license (y/n)

You can enter Y, which is the default, and enter your license information.

26. The next prompt will ask you to add an administrator. You can add an administrator.
27. The next prompt will ask you to add a GUI Client. Enter the IP address of the machine from where you want to manage this firewall.
28. The final process of installation is creation of the ICA. It will prompt you for the creation of the ICA; follow the steps and the ICA will be created. Once the random is configured (you don't have to do anything), the ICA is initialized. After the ICA is initialized, the fingerprint is displayed. You should save this fingerprint because it will later be used while connecting to the Smart center through the GUI. The two fingerprints should match. This is a security feature.

The next step is reboot. Reboot the firewall.

Question 7 – What are the types of NAT and how to configure it in Check Point Firewall?

Answer:

Static Mode – manually defined