r81 workshop - check point checkmates


Post on 07-Apr-2022


TRANSCRIPT

Page 1: R81 WORKSHOP - Check Point CheckMates

1©2020 Check Point Software Technologies Ltd.

Roman Dario Perez | Professional Services Consultant

[email protected] | + 52 5545 000651

New ERA is Here

R81 WORKSHOP

Page 2: R81 WORKSHOP - Check Point CheckMates

Agenda

• Management
  Integrated Central Deployment Tool (CDT)
  Revision & change control
  NAT policy improvements
  Cross-domain search
  Concurrent policy installation
  Identity Awareness for Azure AD
  Data Center objects
  CLI to gateway through management
  License management in SmartConsole
  Multi-TACACS support

• Gateway
  Spike Detective (sk166454)
  Infinity Threat Prevention
  GRE / VXLAN
  TLS 1.3 inspection
  Cluster policy consolidation
  Elephant Flow improvement

• Endpoint
  Web management, support for Linux
  TACACS for Remote Help

• VSX
  DNS per VS
  Virtual Router on VSLS
  VTI
  Multi-bridge
  vsx_util downgrade
  Mixed mode L2 + L3 on the same VS

• VPN
  Multiple ciphers in a single VPN community, with a granular method per peer
  Multi-queue
  Mobile Access blade: service per tab

Page 3: R81 WORKSHOP - Check Point CheckMates


MANAGEMENT

Page 4: R81 WORKSHOP - Check Point CheckMates

CDT

• Integrated in SmartConsole (auto-updatable)
• VSX upgrade support
• Multiple Check Point devices can be selected to be updated
• Cluster upgrade without network interruption
• The cluster can handle members running different versions during the upgrade
• Installation packages are available under Gateways & Servers > Actions. Packages must be uploaded to the package repository first; on an MDS, upload them in the Global Domain.

Limitations:

• SMB, SP/Maestro and Standalone deployments are not supported
• The SMS/MDS and the gateway must not go through a proxy to communicate with each other
• CDT cannot install on a ClusterXL in Load Sharing mode
• HDT 3100/3200 does not support eth1-eth4
• Downgrade to a 2.6-kernel release is not supported

Page 5: R81 WORKSHOP - Check Point CheckMates

Revision & change control

• R80 introduced sessions, but the user could only see how many changes were pending to publish, not which changes.
• R81 allows comparing two policy revisions in the Revisions section.
• The policy can now be edited directly.
• The policy can be exported to CSV format.

(Screenshot labels: Actions, Control Changes, Edit policy)

Page 6: R81 WORKSHOP - Check Point CheckMates

NAT

• New object types supported in the NAT rulebase:
  • Domain objects
  • Updatable objects
  • Security Zone objects
  • Access Role objects
  • Data Center objects
• Hit Count is now supported in the NAT rulebase
• Name field available in NAT rules

Page 7: R81 WORKSHOP - Check Point CheckMates

New NAT rulebase – the "new" object types are now supported in the NAT rulebase:

• Access Roles
• Security Zones
• Updatable Objects
• Data Center Objects
• Domain Objects
• Dynamic Objects

Page 8: R81 WORKSHOP - Check Point CheckMates

Cross Domain search

• SmartConsole:
  • Log in to the System domain
  • Go to "Global Object Explorer" (Ctrl+E)
  • Search for objects
  • Check object usages (Where Used)
• API:
  • Run a show command from the System domain with the arguments "domains-to-process.1 ALL_DOMAINS_ON_THIS_SERVER ignore-warnings true"
  • Run the where-used command on a global object from the System domain with the same arguments "domains-to-process.1 ALL_DOMAINS_ON_THIS_SERVER ignore-warnings true"
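The API part of the cross-domain search above, as an added example that is not part of the workshop deck and not Check Point's own tooling. It assumes the standard Management Web API layout (POST https://<server>/web_api/<command>, session id from login carried in the X-chkp-sid header), a System-domain administrator, and an injectable transport so the flow runs offline against the FakeMgmt stub; mds.example, admin/secret and Host_A are placeholders. The mgmt_cli "key.1 value" argument form from the slide is translated into the JSON list the Web API expects.

```python
"""Cross-domain where-used through the R81 Management Web API (added example)."""
import json
from typing import Any, Callable, Dict, List, Tuple

# transport signature: post(url, headers, body) -> decoded JSON response
Post = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def cli_args_to_payload(args: List[str]) -> Dict[str, Any]:
    """Turn mgmt_cli-style "key value" pairs into the JSON body the Web API
    expects: "domains-to-process.1 X" becomes {"domains-to-process": ["X"]}
    and "true"/"false" become booleans, as mgmt_cli does."""
    if len(args) % 2:
        raise ValueError("arguments must come in key/value pairs")
    payload: Dict[str, Any] = {}
    for key, raw in zip(args[::2], args[1::2]):
        value: Any = {"true": True, "false": False}.get(raw.lower(), raw)
        base, dot, idx = key.rpartition(".")
        if dot and idx.isdigit():
            lst = payload.setdefault(base, [])
            pos = int(idx) - 1            # mgmt_cli list indexes are 1-based
            while len(lst) <= pos:
                lst.append(None)
            lst[pos] = value
        else:
            payload[key] = value
    return payload


def cross_domain_where_used(post: Post, server: str, user: str,
                            password: str, object_name: str) -> Dict[str, Any]:
    """Log in to the System domain, run where-used across every domain on
    this MDS, and log out even if the query fails."""
    base = f"https://{server}/web_api/"
    hdr = {"Content-Type": "application/json"}
    sid = post(base + "login", hdr,
               {"user": user, "password": password, "domain": "System"})["sid"]
    auth = {**hdr, "X-chkp-sid": sid}
    try:
        body = cli_args_to_payload([
            "name", object_name,
            "domains-to-process.1", "ALL_DOMAINS_ON_THIS_SERVER",
            "ignore-warnings", "true",
        ])
        return post(base + "where-used", auth, body)
    finally:
        post(base + "logout", auth, {})


class FakeMgmt:
    """Offline stand-in for the management server (constructed): records
    every call and returns canned answers shaped like API responses."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, Any]]] = []

    def __call__(self, url: str, headers: Dict[str, str],
                 body: Dict[str, Any]) -> Dict[str, Any]:
        command = url.rsplit("/", 1)[1]
        self.calls.append((command, headers.get("X-chkp-sid", ""), body))
        if command == "login":
            return {"sid": "demo-sid"}
        if command == "where-used":
            if not headers.get("X-chkp-sid"):
                return {"code": "err_login_failed"}
            return {"used-directly": {"total": 1, "objects": [
                {"name": "Host_A_group", "domain": {"name": "Domain_B"}}]}}
        return {"message": "OK"}


def demo() -> Tuple[Dict[str, Any], List[Tuple[str, str, Dict[str, Any]]]]:
    """Run the flow against the stub; returns the where-used result and the call log."""
    fake = FakeMgmt()
    result = cross_domain_where_used(fake, "mds.example", "admin", "secret", "Host_A")
    return result, fake.calls


if __name__ == "__main__":
    res, calls = demo()
    print(json.dumps(res, indent=2))
    for command, sid, body in calls:
        print(command, sid, body)
```

To use it against a real server, pass a `post` that does an HTTPS POST with `requests` (or urllib) and returns the decoded JSON; the call order login → where-used → logout and the System-domain login are what make the search span all domains.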

Page 9: R81 WORKSHOP - Check Point CheckMates

Concurrent policy installation

• R80 and below allow only one policy installation at a time.
• R81 allows pushing policy to several targets simultaneously.
• Limited to 5 concurrent installations (Access Control/NGTP only; QoS and Desktop are not supported); more than 5 are queued.

Page 10: R81 WORKSHOP - Check Point CheckMates

Identity Awareness for Azure AD

• Configure an Azure AD object:
  • In SmartConsole, from the Gateways & Servers navigation pane click New > More > Server > Data Center > Azure AD
  • There is also an option to configure the Azure directory via the Identity Awareness wizard

Page 11: R81 WORKSHOP - Check Point CheckMates

Data Center objects

• Add Data Center Query objects to the rulebase: SmartConsole > New > Cloud > Data Center Queries
• Configuration requirement: the Identity Awareness blade and the Identity Awareness Web API must be enabled on every gateway

Page 12: R81 WORKSHOP - Check Point CheckMates

CLI to gateway through management

• Jump to the Security Gateway from SmartConsole: select the gateway, then Actions > Open Shell

Page 13: R81 WORKSHOP - Check Point CheckMates

License SmartConsole

• License management has been added to the main SmartConsole: select the object and go to the "License" tab in the lower pane

Page 14: R81 WORKSHOP - Check Point CheckMates

Multiple TACACS

• Currently a user can authenticate against only one TACACS server. If that user cannot reach the main TACACS server, another admin has to change the TACACS server for that specific user.
• R81 can handle a TACACS group; up to 2 TACACS servers can be added to the group.

Page 15: R81 WORKSHOP - Check Point CheckMates

Management HA

• Allows R80.x Management High Availability between Domain Management Servers (DMS) and a Security Management Server (SMS).
• Multi-Domain Server (MDS) customers acting as a managed service provider (MSP) platform want a database backup on a remote site for a single domain.

Limitation

• MDS-HA for the Secondary must be performed as a clean install (from R77)

Page 16: R81 WORKSHOP - Check Point CheckMates


GATEWAY

Page 17: R81 WORKSHOP - Check Point CheckMates

Spike Detective

• A new daemon that inspects CPU consumption and detects spikes
• A spiked CPU core's utilization is > 80% and over 1.5 times the system average (meaning the other cores are not as stressed)
• A spiked thread runs on a spiked core and shows high utilization for a significant time (at least 3 seconds)
• What happens when a spike is detected?
  • The spike is registered in the log file /var/log/spike_detective/spike_detective.log
  • The spike also appears in cpview and is saved to cpview_history (sk166454)

(Figure: example per-core utilization, core 0 at 100%, core 1 at 10%, core 2 at 7%, core 3 at 12%; only core 0 is spiked)

[Expert]# cat /var/log/spike_detective/spike_detective.log
Info: Spike, Spike Start Time: 17/06/20 05:23:04, Spike Type: CPU, Core: 1, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:26:26, Spike Type: CPU, Core: 7, Spike Duration (Sec): 3, Initial CPU Usage: 89, Average CPU Usage: 89, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:09, Spike Type: CPU, Core: 3, Spike Duration (Sec): 6, Initial CPU Usage: 81, Average CPU Usage: 90, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:12, Spike Type: Thread, Thread ID: 19944, Thread Name: wstlsd, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 0
Info: Spike, Spike Start Time: 17/06/20 05:45:39, Spike Type: CPU, Core: 2, Spike Duration (Sec): 3, Initial CPU Usage: 84, Average CPU Usage: 84, Perf Taken: 1
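The detection rule and the log format above, as an added example (not Check Point's daemon and not code from the deck). It implements the two-part core test from the slide (above 80% and above 1.5x the system average), the minimum 3-second duration, and a parser for spike_detective.log lines; the per-second sampling interval is an assumption, and SAMPLE_LOG is constructed in the format of the excerpt above.

```python
"""Spike Detective thresholds and log parsing (added example)."""
from typing import Dict, List, Sequence, Tuple

CORE_UTIL_THRESHOLD = 80.0   # percent, from the slide
CORE_RATIO_THRESHOLD = 1.5   # times the system average, from the slide
MIN_SPIKE_SECONDS = 3        # assumption: one utilization sample per second

# Constructed sample in the format of spike_detective.log shown above.
SAMPLE_LOG = """\
Info: Spike, Spike Start Time: 17/06/20 05:23:04, Spike Type: CPU, Core: 1, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:09, Spike Type: CPU, Core: 3, Spike Duration (Sec): 6, Initial CPU Usage: 81, Average CPU Usage: 90, Perf Taken: 1
Info: Spike, Spike Start Time: 17/06/20 05:45:12, Spike Type: Thread, Thread ID: 19944, Thread Name: wstlsd, Spike Duration (Sec): 3, Initial CPU Usage: 99, Average CPU Usage: 99, Perf Taken: 0
"""


def spiked_cores(per_core: Sequence[float]) -> List[int]:
    """Cores above the absolute threshold AND above 1.5x the all-core average.
    A box where every core sits at 85% is busy, not spiked: the ratio test fails."""
    avg = sum(per_core) / len(per_core)
    return [i for i, u in enumerate(per_core)
            if u > CORE_UTIL_THRESHOLD and u > CORE_RATIO_THRESHOLD * avg]


def detect_spikes(samples: Sequence[Sequence[float]]) -> Dict[int, List[Tuple[int, int]]]:
    """samples[t] is the per-core utilization at second t. Returns, per core,
    the (start_second, duration_seconds) of every run in which the core stayed
    spiked for at least MIN_SPIKE_SECONDS; shorter bursts are ignored."""
    if not samples:
        return {}
    spikes: Dict[int, List[Tuple[int, int]]] = {}
    for core in range(len(samples[0])):
        run_start = None
        for t in range(len(samples) + 1):   # +1 flushes a run ending at the last sample
            spiked = t < len(samples) and core in spiked_cores(samples[t])
            if spiked and run_start is None:
                run_start = t
            elif not spiked and run_start is not None:
                duration = t - run_start
                if duration >= MIN_SPIKE_SECONDS:
                    spikes.setdefault(core, []).append((run_start, duration))
                run_start = None
    return spikes


LOG_PREFIX = "Info: Spike, "


def parse_spike_log(text: str) -> List[Dict[str, str]]:
    """Parse spike_detective.log lines into dicts keyed by the field names used
    in the file ("Spike Type", "Core", "Thread Name", "Spike Duration (Sec)")."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(LOG_PREFIX):
            continue
        fields: Dict[str, str] = {}
        for part in line[len(LOG_PREFIX):].split(", "):
            key, sep, value = part.partition(": ")   # timestamps contain ':' but not ': '
            if sep:
                fields[key] = value
        events.append(fields)
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Counts per spike type, the cores and thread names involved, and the
    longest spike: the first things to check before pulling the perf output."""
    cpu = [e for e in events if e.get("Spike Type") == "CPU"]
    threads = [e for e in events if e.get("Spike Type") == "Thread"]
    return {
        "cpu_spikes": len(cpu),
        "thread_spikes": len(threads),
        "cores": sorted({int(e["Core"]) for e in cpu}),
        "threads": sorted({e["Thread Name"] for e in threads}),
        "longest_sec": max((int(e["Spike Duration (Sec)"]) for e in events), default=0),
    }


if __name__ == "__main__":
    print(spiked_cores([100, 10, 7, 12]))
    print(detect_spikes([[100, 10, 7, 12]] * 3 + [[20, 10, 7, 12]]))
    print(summarize(parse_spike_log(SAMPLE_LOG)))
```

The ratio test is what separates a single runaway worker (the wstlsd thread in the excerpt) from a gateway that is simply saturated everywhere; the latter should not produce spike entries.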

Page 18: R81 WORKSHOP - Check Point CheckMates

Infinity Threat Prevention

• Automatically updated policy profiles with the latest technologies and recommendations that protect from evolving cyber security threats
• Zero daily maintenance of policies and protections, without compromising on security or connectivity
• Auto-learning; in the past the profile was set to Detect only and required static analysis
• Out-of-the-box policy profiles based on business & IT security needs
• Easy selection of a policy profile tailored to your needs
• Simple customization without compromising on Check Point recommended security

Page 19: R81 WORKSHOP - Check Point CheckMates

• Objects can be changed on the profile to Detect / No Protection / According to Profile, by drag and drop or remove/add (+)

Page 20: R81 WORKSHOP - Check Point CheckMates

GRE / VXLAN

Generic Routing Encapsulation (GRE) is an IP encapsulation protocol used to transport IP packets over a network. GRE allows routing of IP packets between private IPv4 networks that are separated by the public IPv4 Internet. Defined in RFC 2784; see sk169794.

VXLAN is a tunneling protocol that encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets, enabling you to create virtualized Layer 2 subnets, or segments, that span physical Layer 3 networks.

• Defined in RFC 7348

Page 21: R81 WORKSHOP - Check Point CheckMates

TLS 1.3 Inspection

• The new TLS engine ("TLSIO") is currently off by default and must be enabled using a global kernel parameter on the gateway.
• To enable it:
  1. Add "fwtls_enable_tlsio=1" to $FWDIR/boot/modules/fwkern.conf
  2. Reboot the gateway
• To disable it:
  1. Remove "fwtls_enable_tlsio=1" from $FWDIR/boot/modules/fwkern.conf
  2. Reboot the gateway
• To check whether it is enabled after the reboot:
  fw ctl get int fwtls_enable_tlsio
• Note: make sure USFW (user-space firewall) is also enabled on the gateway; otherwise the new engine will not be used.

Page 22: R81 WORKSHOP - Check Point CheckMates

Cluster policy failure and consolidation

To disable cluster policy consolidation on the fly (does not survive a reboot):

fw ctl set int fwha_cluster_policy_consolidation_disable 1

To disable it permanently, add this line to $FWDIR/boot/modules/fwkern.conf and reboot:

fwha_cluster_policy_consolidation_disable=1

Page 23: R81 WORKSHOP - Check Point CheckMates

Elephant Flow

• Accelerates elephant flow (single connection) throughput
• fwaccel stat – see under "Pipeline Streaming Path": shows the total bytes in the pipeline path
• fw_mux all – see at the bottom: shows the concurrent connections in the pipeline path

Note: the painful traffic is HTTP (53%); up to 83% of traffic in general could be accelerated

Limitation: no support for CIFS

Page 24: R81 WORKSHOP - Check Point CheckMates

Elephant Flow

• Current status
  • Each connection is processed on a single core
  • The connection throughput is bounded by single-core throughput
• New accelerated path
  • Each connection will be processed on 2 additional cores
  • IPS (Pattern Matcher) and Anti-Virus (MD5/SHA1/SHA256) calculations are done on a dedicated core
• Available in R80.40 JHF #2

Page 25: R81 WORKSHOP - Check Point CheckMates

Elephant Flow

• To enable, add to fwkern.conf:
  sxl_disable_psl_medwell=0
  sxl_disable_cpas_medwell=0
  mux_run_lite_apps_on_host=1
• Reboot
• To disable the feature, set these global variables:
  sxl_disable_psl_medwell=1
  sxl_disable_cpas_medwell=1
  mux_run_lite_apps_on_host=0
• Reboot
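The TLS 1.3 (fwtls_enable_tlsio), cluster policy consolidation (fwha_cluster_policy_consolidation_disable) and Elephant Flow (sxl_disable_psl_medwell, sxl_disable_cpas_medwell, mux_run_lite_apps_on_host) procedures above all edit the same file, $FWDIR/boot/modules/fwkern.conf. The helper below is an added example, not a Check Point tool: it edits the file contents as text so it can be exercised offline, never leaves two definitions of the same parameter, and emits the fw ctl get int checks from the TLS 1.3 slide for use after the reboot. The sample fwkern.conf text is constructed; on a gateway you would read and write the real file in Expert mode and reboot, because the file is only read at boot.

```python
"""Idempotent editing of $FWDIR/boot/modules/fwkern.conf (added example)."""
from typing import Dict, List, Optional

FWKERN_PATH = "$FWDIR/boot/modules/fwkern.conf"   # expand $FWDIR in the gateway shell


def _key_of(line: str) -> Optional[str]:
    """Parameter name of a NAME=VALUE line, or None for blanks and comments."""
    s = line.strip()
    if not s or s.startswith("#") or "=" not in s:
        return None
    return s.split("=", 1)[0].strip()


def parse_fwkern(text: str) -> Dict[str, str]:
    """Effective NAME -> VALUE mapping; a later duplicate wins, as a last-line-wins reader would see it."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        key = _key_of(line)
        if key is not None:
            params[key] = line.strip().split("=", 1)[1].strip()
    return params


def set_param(text: str, name: str, value: str) -> str:
    """Replace an existing NAME=... line in place or append one; duplicate
    definitions of the same name are collapsed so the file never carries
    two conflicting values for one kernel parameter."""
    out: List[str] = []
    done = False
    for line in text.splitlines():
        if _key_of(line) == name:
            if not done:
                out.append(f"{name}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


def remove_param(text: str, name: str) -> str:
    """Drop every NAME=... line (the slide's way of disabling TLSIO)."""
    kept = [line for line in text.splitlines() if _key_of(line) != name]
    return "\n".join(kept) + ("\n" if kept else "")


def apply_profile(text: str, settings: Dict[str, str]) -> str:
    for name, value in settings.items():
        text = set_param(text, name, value)
    return text


# Values from the Elephant Flow slide above.
ELEPHANT_FLOW = {
    "enable":  {"sxl_disable_psl_medwell": "0", "sxl_disable_cpas_medwell": "0",
                "mux_run_lite_apps_on_host": "1"},
    "disable": {"sxl_disable_psl_medwell": "1", "sxl_disable_cpas_medwell": "1",
                "mux_run_lite_apps_on_host": "0"},
}


def verify_commands(settings: Dict[str, str]) -> List[str]:
    """Expert-mode commands to confirm the running kernel values after the
    reboot (fw ctl get int, as on the TLS 1.3 slide)."""
    return [f"fw ctl get int {name}" for name in settings]


def runtime_commands(settings: Dict[str, str]) -> List[str]:
    """On-the-fly equivalents (fw ctl set int). The slides only describe this
    for fwha_cluster_policy_consolidation_disable; TLSIO and Elephant Flow are
    documented as reboot-only, so pair any runtime change with set_param."""
    return [f"fw ctl set int {name} {value}" for name, value in settings.items()]


if __name__ == "__main__":
    conf = "# constructed sample fwkern.conf\nfwha_cluster_policy_consolidation_disable=0\n"
    conf = set_param(conf, "fwtls_enable_tlsio", "1")
    conf = apply_profile(conf, ELEPHANT_FLOW["enable"])
    print(conf)
    print("\n".join(verify_commands(parse_fwkern(conf))))
```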

Page 26: R81 WORKSHOP - Check Point CheckMates


ENDPOINT

Page 27: R81 WORKSHOP - Check Point CheckMates

• Endpoint Web Management – a new face for the product and easier management
• New Endpoint URL Filtering
• Management services kept on port 443
• Developer Protection
• Non-persistent VDI (VMware)
• Application Control:
  • Support for multiple versions per EXE
  • Terminate on execution
  • Allow/Block Windows Subsystem for Linux
• Compliance – WSUS support (Windows Server Update Services)
• Remote Help supports TACACS authentication
• Support for Linux from E84.00

Page 28: R81 WORKSHOP - Check Point CheckMates


VSX

Page 29: R81 WORKSHOP - Check Point CheckMates

DNS per VS

Isolating each instance:

VSX-M1-R81:0> set dns mode
VSX-M1-R81:0> set virtual-system 1
Context is set to vsid 1
VSX-M1-R81:1> set dns primary 8.8.4.4
VSX-M1-R81:1> show dns
DNS setup
Name          Value
Mode          per-vs
Domain
DNS server    8.8.4.4
DNS server

Page 30: R81 WORKSHOP - Check Point CheckMates

Virtual Router on VSLS

• Previously, to use a Virtual Router the VSX cluster had to be in HA mode; VSLS was not supported.
• The Virtual Router stays Active/Standby/Backup (no Active/Active).
• The VS and the VR must be in the same group, configured with vsx_util vsls on the management.
• Fail-over must be per group and not per VS; otherwise latency is expected.
• Review the configuration with: cphaprob show_vsls_group. Check CP_R81_VSX_AdminGuide.

Page 31: R81 WORKSHOP - Check Point CheckMates

VTI on VSX

• Create a VPN Tunnel Interface (how to create: R81 VSX Admin Guide, vsx_provisioning_tool).
• Syntax:
  add interface vd <Name of Virtual Device Object> vpn_tunnel {numbered | unnumbered} {peer <Name of VPN Peer Object>} {local <Tunnel Local IP> remote <Tunnel Remote IP> | dev <Name of Local Interface>} [tunnel_id <Tunnel ID>]

Limitations

• Unnumbered VPN Tunnel Interfaces are not supported
• VTIs can be configured only via the CLI, with vsx_provisioning_tool

Parameters (Parameter / Value / Notes):

vd <Name of Virtual Device Object>
  Value: object name
  Notes: Specifies the name of the Virtual Device object (as configured in SmartConsole). Mandatory parameter if this is the first command in a transaction.

vpn_tunnel {numbered | unnumbered}
  Value: numbered | unnumbered
  Notes: Specifies the type of the VPN tunnel. numbered uses specified static IPv4 addresses for the local and remote ends; unnumbered uses the interface and the remote peer name to get IPv4 addresses. Note: currently only numbered is supported.

{peer <Name of VPN Peer Object>}
  Value: object name
  Notes: Specifies the name of the remote peer object as defined in the VPN community in SmartConsole.

{local <Tunnel Local IP> remote <Tunnel Remote IP>}
  Value: IPv4 configuration
  Notes: Specifies the IPv4 addresses, in dotted decimal format, of the VPN tunnel endpoints: local <Tunnel Local IP> is the IPv4 address of the VPN tunnel on this Virtual Device; remote <Tunnel Remote IP> is the IPv4 address of the VPN tunnel on the remote VPN peer. Applies to numbered VTIs only.

{dev <Name of Local Interface>}
  Value: interface name
  Notes: Specifies the name of an existing local interface on this Virtual Device. The new VPN Tunnel Interface is bound to this local interface. Applies to unnumbered VTIs only.

[tunnel_id <Tunnel ID>]
  Value: integer
  Notes: Specifies the unique Tunnel ID (integer from 1 to 32768). Note: if the specified ID is already used by another VPN tunnel on this VSX Gateway or VSX Cluster Member, this parameter is ignored and the next available ID is used instead.
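A builder for the vsx_provisioning_tool command described in the table above, as an added example that is neither Check Point's tool nor code from the deck. It enforces the rules the slide states: only numbered VTIs are supported, a numbered VTI needs both local and remote IPv4 addresses, tunnel_id must be in 1..32768, and because the tool silently substitutes the next free ID when the requested one is taken, a known-used ID is rejected up front so the provisioned ID never differs from the one in your change record. VS1, Peer_GW and the 10.0.0.x addresses are placeholders.

```python
"""vsx_provisioning_tool VTI command builder with the slide's constraints (added example)."""
import ipaddress
from typing import Iterable, Optional

TUNNEL_ID_MIN, TUNNEL_ID_MAX = 1, 32768   # range from the table above


def vti_command(vd: str, peer: str, *, numbered: bool = True,
                local: Optional[str] = None, remote: Optional[str] = None,
                dev: Optional[str] = None, tunnel_id: Optional[int] = None,
                used_ids: Iterable[int] = ()) -> str:
    """Return the 'add interface ... vpn_tunnel numbered ...' command line,
    or raise ValueError for a configuration the slide says will not work."""
    if not numbered:
        # The table documents the unnumbered form, but the limitation on the
        # slide says only numbered VTIs are supported in this release.
        raise ValueError("unnumbered VTIs are not supported on VSX in R81")
    if dev is not None:
        raise ValueError("dev applies to unnumbered VTIs only")
    if local is None or remote is None:
        raise ValueError("a numbered VTI requires both local and remote IPv4 addresses")
    for label, addr in (("local", local), ("remote", remote)):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError as exc:
            raise ValueError(f"{label} is not a valid IPv4 address: {addr}") from exc
    if local == remote:
        raise ValueError("local and remote tunnel addresses must differ")

    parts = ["add", "interface", "vd", vd, "vpn_tunnel", "numbered",
             "peer", peer, "local", local, "remote", remote]
    if tunnel_id is not None:
        if not TUNNEL_ID_MIN <= tunnel_id <= TUNNEL_ID_MAX:
            raise ValueError(f"tunnel_id must be {TUNNEL_ID_MIN}..{TUNNEL_ID_MAX}")
        if tunnel_id in set(used_ids):
            # The tool would ignore the parameter and pick the next free ID,
            # leaving the real ID different from the one you asked for.
            raise ValueError(f"tunnel_id {tunnel_id} is already in use on this VSX member")
        parts += ["tunnel_id", str(tunnel_id)]
    return " ".join(parts)


def is_rejected(**kwargs) -> bool:
    """True when vti_command refuses the given arguments."""
    try:
        vti_command(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vti_command("VS1", "Peer_GW", local="10.0.0.1", remote="10.0.0.2", tunnel_id=5))
```

Feed the returned line to vsx_provisioning_tool (for example inside a transaction file) rather than typing it; the used_ids set can be filled from the tunnel IDs of the VTIs already provisioned on the member.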

Page 32: R81 WORKSHOP - Check Point CheckMates

QoS per VS

• R81 now supports QoS per Virtual System
• Review CP_R81_VSX_AdminGuide.pdf

Page 33: R81 WORKSHOP - Check Point CheckMates


VPN

Page 34: R81 WORKSHOP - Check Point CheckMates

Multi Cipher

• Provides cipher granularity per externally managed gateway within a single VPN community
• Limitations
  • Supported only for externally managed gateways
  • No BC support
  • Not relevant for LSV

(Diagram: Gateways A, B, C and D in one VPN Community using the community default cipher; the externally managed gateway uses Cipher X)

Page 35: R81 WORKSHOP - Check Point CheckMates

Mobile Access

• SNX was developed for NGX. To change the application in MOB, the user had to terminate the task and move to the new one. All configuration was legacy.
• R81 has a new core for Remote Access. All applications can be opened in parallel, each in a new tab, without terminating the previous one.
• Multi-queue for Remote Access is now available, using all SNDs defined on the gateway/cluster.
• The length limitation for Internal Users improved from 4-8 up to 16 characters. Available from R80.10 (sk168032) and included by default in R81.

Page 36: R81 WORKSHOP - Check Point CheckMates


COMPATIBILITY

Page 37: R81 WORKSHOP - Check Point CheckMates

Compatibility

(Legend: supported / not supported)

Note: Smart-1 205 and 210 can run only as an SMS or as a Log Server, not both, with the default memory.

R81 Management Servers can manage Security Gateways of these versions:

Gateway Type               Release Version
Security Gateway           R77.30, R80.10, R80.20, R80.30, R80.40
VSX                        R77.30, R80.10, R80.20, R80.30, R80.40
Maestro Security Groups    R80.20SP, R80.30SP

Appliance                        Release Version
1100 Appliances                  R77.20.x
1200R Appliances                 R77.20.x
1400 Appliances                  R77.20.x
1550, 1590 Appliances            R80.20.x
60000/40000 Scalable Platforms   R76SP, R76SP.10, R76SP.20, R76SP.30, R76SP.40, R76SP.50, R80.20SP

Not supported appliances:

UTM-1
POWER-1
VPN-1
Smart-1 5, 10, 25, 50
2012 appliances (2000, 4000, 12000, 21000 series)
IP Appliance
VSX-1
DLP-1
IPS-1
IP VPN
AS
Xbeam

Page 38: R81 WORKSHOP - Check Point CheckMates


FAQ

Page 39: R81 WORKSHOP - Check Point CheckMates


THANK YOU