Checkpoint Top 50

The document discusses Checkpoint firewall architecture and concepts. It includes 20 questions about Checkpoint firewall topics like stateful inspection, policy installation process, security management server purpose, standalone vs distributed installation, SIC, ICA, firewall commands, licensing, platforms, ports, and backup/export types.

Uploaded by vijendrasingh.er

Checkpoint Firewall Interview Questions with Answers
Question 1: What is Checkpoint Firewall Architecture?
Answer: Check Point has developed a Unified Security Architecture that is implemented
throughout all of its security products. This Unified Security Architecture enables all Check Point
products to be managed and monitored from a single administrative console and provides a
consistent level of security.

Question 2: What is stateful inspection?

Answer: Stateful inspection was invented by Check Point and provides accurate and highly efficient
traffic inspection. The inspection engine examines each packet as it is intercepted at the
network layer. The connection state and context information are stored and updated
dynamically in a kernel table, so packets belonging to an established connection are matched
against that table rather than against the rule base again.
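The following is an added example (not code from the original document or from Check Point) that models the stateful behaviour described in the answer: the first packet of a connection is matched against the rule base, and every later packet in either direction is matched against a connection table instead. The `StatefulFirewall` class, the prefix-based `Rule` matching and all addresses are constructed for the demonstration.

```python
"""Toy stateful inspection engine: an added example, not Check Point code.

The first packet of a connection is matched against the rule base; later
packets, in either direction, are matched against the connection table.
The network, addresses and rules below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A flow key is (src_ip, src_port, dst_ip, dst_port, proto).
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True for a TCP connection-initiating packet


@dataclass(frozen=True)
class Rule:
    src_net: str           # toy prefix match such as "10.0.0." (not a real CIDR parser)
    dst_net: str
    dport: Optional[int]   # None means any port
    action: str            # "accept" or "drop"


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Connection table, like the kernel state table the answer describes:
        # key is the forward 5-tuple, value is a small state record.
        self.connections: Dict[FlowKey, Dict[str, int]] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def _rulebase_lookup(self, p: Packet) -> str:
        for r in self.rules:
            if (p.src.startswith(r.src_net) and p.dst.startswith(r.dst_net)
                    and (r.dport is None or r.dport == p.dport)):
                return r.action
        return "drop"  # nothing matched: cleanup behaviour

    def handle(self, p: Packet) -> str:
        """Return 'accept' or 'drop' and keep the connection table updated."""
        k = self._key(p)
        # 1. Known connection in either direction: accept from the state table.
        if k in self.connections:
            self.connections[k]["packets"] += 1
            return "accept"
        rk = self._reverse_key(p)
        if rk in self.connections:
            self.connections[rk]["packets"] += 1
            return "accept"
        # 2. No state: only a connection-initiating packet is matched against the rule base.
        if p.proto == "tcp" and not p.syn:
            return "drop"  # out-of-state TCP packet (a stray ACK or reply with no SYN seen)
        action = self._rulebase_lookup(p)
        if action == "accept":
            self.connections[k] = {"packets": 1}
        return action


def demo() -> List[str]:
    """Run a constructed packet sequence and return the verdicts in order."""
    fw = StatefulFirewall([
        Rule("10.0.0.", "203.0.113.", 443, "accept"),   # internal clients -> web server
    ])
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),   # client opens a connection
        Packet("203.0.113.10", 443, "10.0.0.5", 40000),             # server reply, matched by state
        Packet("203.0.113.10", 443, "10.0.0.5", 40001),             # no such connection -> drop
        Packet("203.0.113.10", 443, "10.0.0.5", 40001, syn=True),   # inbound SYN, no rule -> drop
        Packet("10.0.0.5", 40000, "203.0.113.10", 443),             # more client data, by state
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The third and fourth packets show the security point: a reply with no matching state entry is dropped even though it looks like return traffic, and a fresh inbound SYN is dropped because no rule accepts it.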
Question 3: What is the policy installation process in a Checkpoint firewall?
Answer:

• a. INITIATION - Policy installation is initiated by the GUI.

• b. VERIFICATION - The information in the database is verified.

• c. CONVERSION - The information in the database is converted.

• d. CODE GENERATION & COMPILATION - The policy is translated to the INSPECT language and compiled with the INSPECT compiler.

• e. CPTA - The Check Point Policy Transfer Agent transfers the policy to the firewall gateway using SIC.

• f. COMMIT - The gateway is instructed to load the new policy.

Question 4: What is the main purpose of the Security Management Server?
Answer: The Security Management Server is used for administrative management of the security
policy; it stores the database and the objects.

Question 5: What is the difference between standalone and distributed installation?


Answer: A standalone deployment is the simplest deployment, where the management
server and the gateway are installed on the same machine.
A distributed deployment is a more complex deployment, where the gateway and the
management server are deployed on different machines.

Question 6: What is SIC?

Answer: Secure Internal Communication (SIC) is the Check Point feature that ensures that
components such as Security Gateways and Security Management Servers can communicate
freely and securely. The following security measures are taken to ensure the safety of SIC:

• Certificates for authentication

• Standards-based SSL for the creation of the secure channel

• 3DES for encryption

Question 7: What is the Internal Certificate Authority (ICA)?

Answer: The ICA is created during the management server installation process. It is responsible for
issuing certificates for:
• SIC

• VPN certificates for gateways

• Users

Question 8: What is fw unloadlocal?

Answer: fw unloadlocal is a command used to detach the security policy from the local
machine.

Question 9: What is stealth rule in checkpoint firewall?


Answer: The stealth rule prevents users from connecting directly to the gateway. A stealth rule at the
top of the rule base protects your gateway from port scanning, spoofing and other types of
direct attacks.

Question 10: What is the fw monitor command?

Answer: fw monitor is a packet analyzer tool available on every Check Point Security Gateway.
It provides kernel-level inspection and works for Layer 3 and above in the OSI model. There are
four inspection points as a packet passes through the kernel (or virtual machine):

i ---- Before the virtual machine, in the inbound direction (Pre-Inbound)
I ---- After the virtual machine, in the inbound direction (Post-Inbound)
o ---- Before the virtual machine, in the outbound direction (Pre-Outbound)
O ---- After the virtual machine, in the outbound direction (Post-Outbound)

Question 11: What are the two types of Check Point NG licenses?
Answer: Central and Local licenses
Central licenses are the new licensing model and are bound to the Security management
server. Local licenses are the legacy licensing model and are bound to the enforcement
module.

Question 12: What are the functions of CPD, FWM, and FWD processes?
Answer: CPD – CPD is high in the hierarchical chain and executes many services, such
as Secure Internal Communication (SIC), licensing and status reporting.
FWM – The FWM process is responsible for the execution of the database activities of the
Management Server. It is therefore responsible for policy installation, Management High
Availability (HA) synchronization, saving the policy, database read/write actions, log display,
etc.
FWD – The FWD process is responsible for logging. It is executed in relation to logging, Security
Servers and communication with OPSEC applications.

Question 13: What are the major differences between the SPLAT and GAIA platforms?
Answer: Gaia is the latest Check Point operating system, which is a combination of SPLAT and IPSO.
Here are some benefits of Gaia compared to SPLAT/IPSO:

1. Web-based user interface with search navigation
2. Full Software Blade support
3. High connection capacity
4. Role-based administrative access
5. Intelligent software updates
6. Native IPv4 and IPv6 support
7. ClusterXL or VRRP clusters
8. Manageable dynamic routing suite

Question 14: What ports are used in SIC?

Answer: 18210 TCP - Pulls certificates from the ICA.
18211 TCP - Used by the cpd daemon (on the gateway) to receive certificates.

Question 15: What are the different Checkpoint ports and the purpose of these ports?
Answer:

PORT   TYPE  NAME                   SHORT DESCRIPTION
256    TCP   FW1                    Check Point Security Gateway service
257    TCP   FW1_log                Protocol used for delivering logs from FWM
259    TCP   FW1_clientauth_telnet  Client Authentication (telnet)
500    UDP   IKE                    IPsec IKE protocol (formerly ISAKMP/Oakley)
900    TCP   FW1_clntauth_http      Client Authentication (HTTP)
4433   TCP   -                      Management Server portal
4500   UDP   NAT-T                  NAT Traversal
8116   UDP   CCP                    Check Point Cluster Control Protocol
18190  TCP   CPMI                   Check Point Management Interface; protocol for communication between the GUI and the Management Server
18191  TCP   CPD                    Check Point Daemon protocol; download of the rule base from the Management Server to FWM and fetching of the rule base from FWM to the Management Server
18192  TCP   CPD_amon               Check Point Internal Application Monitoring
18210  TCP   FW1_ica_pull           Check Point Internal CA Pull Certificate service
18211  TCP   FW1_ica_push           Check Point Internal CA Push Certificate service

Question 16: What is the difference between tcpdump and fw monitor?
Answer:

tcpdump displays traffic arriving at or leaving a firewall interface, while fw monitor also
tells you how the packet is going through the firewall, including routing and NAT decisions.

fw monitor captures traffic at four important points in the firewall, namely i, I, o and O. You
see them in the capture in that sequence.
tcpdump captures at positions i and O of fw monitor, so you can be sure the traffic has left
the firewall. This is similar to the way captures work on a Cisco PIX/ASA.

Question 17: What is bi-directional NAT?


Answer:

If Bi-directional NAT is selected, the gateway will check all NAT rules to see if there is a source
match in one rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
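To make the matching behaviour concrete, here is an added example (not code from the document or from Check Point) with a toy NAT rule base. It assumes, as a simplification, that automatic static NAT for one host produces one source-translating and one destination-translating rule, and that a rule "matches" when its original source and original destination both match the packet; the `static_nat_rules` and `apply_nat` functions and all addresses are constructed for the demonstration.

```python
"""Toy NAT rule-base matcher: an added example, not Check Point code.

Illustrates bi-directional NAT with two automatically generated static NAT
rule pairs for two internal hosts. Addresses are constructed; "any" in a
rule field means "matches anything".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    orig_src: str              # "any" or an address
    orig_dst: str
    xlate_src: Optional[str]   # None = leave the source unchanged
    xlate_dst: Optional[str]   # None = leave the destination unchanged

    def matches(self, src: str, dst: str) -> bool:
        return (self.orig_src in ("any", src)) and (self.orig_dst in ("any", dst))


def static_nat_rules(private_ip: str, public_ip: str) -> List[NatRule]:
    """The rule pair this example assumes automatic static NAT creates for one host."""
    return [
        NatRule(private_ip, "any", public_ip, None),   # outbound: translate the source
        NatRule("any", public_ip, None, private_ip),   # inbound: translate the destination
    ]


def apply_nat(rules: List[NatRule], src: str, dst: str, bidirectional: bool) -> Tuple[str, str]:
    """Return (translated_src, translated_dst) for a packet src -> dst."""
    if not bidirectional:
        # Classic behaviour: the first matching rule wins and only that rule applies.
        for r in rules:
            if r.matches(src, dst):
                return (r.xlate_src or src, r.xlate_dst or dst)
        return (src, dst)
    # Bi-directional NAT: the first matching rule with a source translation and the
    # first matching rule with a destination translation are both applied.
    src_rule = next((r for r in rules if r.xlate_src and r.matches(src, dst)), None)
    dst_rule = next((r for r in rules if r.xlate_dst and r.matches(src, dst)), None)
    new_src = src_rule.xlate_src if src_rule else src
    new_dst = dst_rule.xlate_dst if dst_rule else dst
    return (new_src, new_dst)


def demo() -> dict:
    # Two internal servers, each with automatic static NAT to a public address (constructed).
    rules = (static_nat_rules("10.1.1.10", "198.51.100.10")
             + static_nat_rules("10.1.1.20", "198.51.100.20"))
    # Server A talks to server B using B's *public* address (for example because of a DNS
    # answer from outside): a source match (rule 1) and a destination match (rule 4) both exist.
    return {
        "without_bidirectional": apply_nat(rules, "10.1.1.10", "198.51.100.20", bidirectional=False),
        "with_bidirectional":    apply_nat(rules, "10.1.1.10", "198.51.100.20", bidirectional=True),
        "plain_outbound":        apply_nat(rules, "10.1.1.10", "203.0.113.5", bidirectional=True),
        "plain_inbound":         apply_nat(rules, "203.0.113.5", "198.51.100.20", bidirectional=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Without bi-directional NAT the first matching rule (the source translation) is the only one applied, so the destination stays the public address and the internal-to-internal connection never reaches the real server; with it enabled, both translations are applied to the same packet.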

Question 18: What are the stages of a phase 2 IKE exchange?

Answer:

The peers exchange more key material and agree on the encryption and integrity methods for the IPsec
key. The DH key is combined with the key material to produce the symmetric IPsec key.
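The derivation the answer describes, combining the Diffie-Hellman result with the exchanged key material, is shown below as an added example (not code from the document or from Check Point). It follows the KEYMAT structure of RFC 2409 section 5.5 with PFS, but uses HMAC-SHA256 as the prf and a tiny toy Diffie-Hellman group so that it runs instantly; the toy group, the `SKEYID_d` value, nonces, SPI and exponents are all constructed and must not be taken as a real IKE configuration.

```python
"""Toy IKEv1 phase 2 (Quick Mode) key derivation: an added example, not Check Point code.

Structure from RFC 2409 section 5.5 with PFS:
    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
expanded block by block. HMAC-SHA256 is used as the prf and a toy DH group
(NOT a real IKE group) keeps the demonstration fast. All inputs are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

# Toy DH group: the Mersenne prime 2^61-1 with generator 2. Real IKE uses far
# larger groups (for example 2048-bit MODP); this is only for the demonstration.
TOY_P = (1 << 61) - 1
TOY_G = 2
PROTO_ESP = b"\x03"       # protocol identifier for ESP in IKEv1 (RFC 2407)
KEY_LEN = 32              # bytes of keying material requested, e.g. one 256-bit key


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_public(private: int) -> int:
    return pow(TOY_G, private, TOY_P)


def dh_shared(private: int, peer_public: int) -> bytes:
    # g(qm)^xy encoded as a fixed-width big-endian integer
    return pow(peer_public, private, TOY_P).to_bytes(8, "big")


def keymat(skeyid_d: bytes, gxy: bytes, spi: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """Expand KEYMAT: K1 = prf(SKEYID_d, gxy|proto|SPI|Ni|Nr),
    K2 = prf(SKEYID_d, K1|gxy|proto|SPI|Ni|Nr), ... until enough bytes exist."""
    seed = gxy + PROTO_ESP + spi + ni + nr
    out = b""
    block = b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]


def quick_mode(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, x: int, y: int) -> Tuple[bytes, bytes]:
    """Both peers derive the IPsec key from the same inputs; returns (initiator_key, responder_key)."""
    gx, gy = dh_public(x), dh_public(y)            # the public values are exchanged in the clear
    k_init = keymat(skeyid_d, dh_shared(x, gy), spi, ni, nr, KEY_LEN)
    k_resp = keymat(skeyid_d, dh_shared(y, gx), spi, ni, nr, KEY_LEN)
    return (k_init, k_resp)


def _rand_exponent() -> int:
    return secrets.randbelow(TOY_P - 2) + 1        # in [1, p-2]


def demo() -> dict:
    skeyid_d = hashlib.sha256(b"constructed phase-1 SKEYID_d").digest()   # from phase 1 (constructed)
    spi = b"\x00\x00\x10\x01"                                             # constructed inbound SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    k_init, k_resp = quick_mode(skeyid_d, spi, ni, nr, _rand_exponent(), _rand_exponent())
    # A rekey with fresh nonces and exponents under the same SKEYID_d yields a different key.
    k2_init, _ = quick_mode(skeyid_d, spi, secrets.token_bytes(16), secrets.token_bytes(16),
                            _rand_exponent(), _rand_exponent())
    return {"peers_agree": k_init == k_resp, "rekey_differs": k_init != k2_init, "key_len": len(k_init)}


if __name__ == "__main__":
    print(demo())
```

The point to take from it: the IPsec key depends on the phase 1 secret, both nonces, the SPI and (with PFS) a fresh DH result, so each phase 2 rekey produces keying material that is independent of the previous one.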

Question 19: Why does a cleanup rule need to be added explicitly in Checkpoint SmartDashboard?
Answer:

A cleanup rule is required to drop all traffic that did not match any of the other rules (evaluated from top to
bottom). There is an implied rule in Checkpoint that performs the same action of dropping
packets when no rule matches, but logging is not enabled for this implied rule, so an explicit
cleanup rule is needed if dropped traffic should be logged.
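The following added example (not code from the document or from Check Point) evaluates a toy rule base top to bottom in the way Questions 9, 19 and 31 describe: an explicit stealth rule on top, explicit accept rules, and then either an explicit cleanup rule that logs or the implied drop that does not. The `Rule` model, the `evaluate` function and all addresses are constructed for the demonstration.

```python
"""Toy rule-base evaluator: an added example, not Check Point code.

Shows why the cleanup rule must be added explicitly: an explicit
"drop any any" rule at the bottom can be logged, whereas the implied drop
that applies when nothing matches produces no log entry. Rules, addresses
and packets are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # "any" or an address
    dst: str
    service: str           # "any" or a service name such as "https"
    action: str            # "accept" or "drop"
    log: bool


GATEWAY_IP = "192.0.2.1"        # constructed gateway address
WEB_SERVER = "10.1.1.10"        # constructed internal server


def match(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (rule.src in ("any", src) and rule.dst in ("any", dst)
            and rule.service in ("any", service))


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> Tuple[str, str, Optional[str]]:
    """Top-to-bottom first match. Returns (matched_rule_name, action, log_line_or_None)."""
    for r in rules:
        if match(r, src, dst, service):
            log = f"{r.name}: {r.action} {src}->{dst} {service}" if r.log else None
            return (r.name, r.action, log)
    # Implied rule: nothing matched, the packet is dropped but nothing is logged.
    return ("implied-drop", "drop", None)


# Rule base A: stealth rule on top, an explicit accept rule, no explicit cleanup rule.
RULES_WITHOUT_CLEANUP = [
    Rule("stealth", "any", GATEWAY_IP, "any", "drop", log=True),
    Rule("allow-web", "any", WEB_SERVER, "https", "accept", log=True),
]

# Rule base B: the same, plus an explicit cleanup rule that logs what it drops.
RULES_WITH_CLEANUP = RULES_WITHOUT_CLEANUP + [
    Rule("cleanup", "any", "any", "any", "drop", log=True),
]


def demo() -> dict:
    probe_gateway = ("203.0.113.7", GATEWAY_IP, "ssh")     # direct connection attempt to the gateway
    unmatched = ("203.0.113.7", WEB_SERVER, "smb")          # traffic no explicit rule covers
    return {
        "stealth": evaluate(RULES_WITH_CLEANUP, *probe_gateway),
        "no_cleanup": evaluate(RULES_WITHOUT_CLEANUP, *unmatched),
        "with_cleanup": evaluate(RULES_WITH_CLEANUP, *unmatched),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both rule bases drop the unmatched SMB connection; only the one with the explicit cleanup rule leaves a log line for it, which is what an operator reviewing dropped traffic needs.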
Question 20: What is the difference between a Snapshot, a Backup, an Upgrade Export (Migrate
Export) and Database Revision Control?
Answer:

Snapshot:
The snapshot utility backs up everything, including the drivers. Snapshot can be used to
back up both your firewall and management modules.
The disadvantages of this utility are that the generated file is very big, and can only be restored
to the same device and exactly the same state (same OS, same Check Point version, and same
patch level).

Backups:
The backup utility backs up your Check Point configuration and your networking/OS system
parameters (such as routing). The backup utility can be used to back up both your firewall and
management modules. The resulting file will be smaller than the one generated by snapshot.
Backup does not include the drivers, and can be restored to a different machine (as opposed to
snapshot, which cannot).

Database Revision Control:


This utility creates a version of your current policies, object database, IPS updates, etc. It is
useful for minor changes or edits that you perform in Smart Dashboard. It cannot be used to
restore your system in case of failure.

Migrate Export (Upgrade Export):

The 'upgrade export' tool backs up all Check Point configuration, independent of hardware, OS or
Check Point version, but does not include OS information.
You can use this utility to back up the Check Point configuration on the management station.
If you change the Check Point version you can only go up; in other words, you can upgrade but not
downgrade.
This utility can only be used on the command line and cannot be scheduled.

Recommended backup schedule:


Snapshot - at least once, or before major change (for example: an upgrade), during a
maintenance window.
Backup - every couple of months, depending on how frequently you perform changes in your
network/policy. Also before every major change, during a maintenance window.
Upgrade export - every month or more often, depending on how frequently you perform
changes in your network/policy. Also important before upgrade or migration. Can be run
outside a maintenance window.

Question 21 - What is the difference between gateway and firewall?

Answer-

A network gateway joins two networks together through a combination of hardware and
software. A network firewall guards a computer network against unauthorized incoming or
outgoing access. Network firewalls may be hardware devices or software programs.

Question 22 - What is the difference between router ACLs and Firewall ACLs?

Answer-

Routers are designed to route traffic, not stop it.

Firewalls are designed to examine and accept/reject traffic. But both kinds of ACL do the
same job; depending on our requirements, we configure the ACL on one or the other.

Question 23- What is packet filtering?

Answer-

Packet filtering is the process of passing or blocking packets at a network interface
based on source and destination addresses, ports, or protocols. The process is used in
conjunction with packet mangling and Network Address Translation (NAT). Packet
filtering is often part of a firewall program for protecting a local network from
unwanted intrusion. The packet filter examines the header of each packet based on a
specific set of rules, and on that basis decides to prevent it from passing (called DROP)
or allow it to pass (called ACCEPT).

Question 24 - What is DNS spoofing?

Answer –

Assuming the DNS name of another system by either corrupting the name service cache of a
victim system, or by compromising a domain name server for a valid domain.

Question 25- What is the main difference between cpstop/cpstart and fwstop/fwstart?

Answer-

Using cpstop and then cpstart will restart all Check Point components, including the SVN
foundation.

Using fwstop and then fwstart will only restart VPN-1/FireWall-1.

Question 26 - What is Anti-Spoofing?

Answer –

Anti-Spoofing is a feature of the Checkpoint firewall that protects against attackers who generate
IP packets with a fake or spoofed source address. It determines whether traffic is legitimate or
not; if the traffic is not legitimate, the firewall blocks that traffic on the interface of the firewall.

Question 25 - What is NAT?

Answer –

NAT stands for Network Address Translation. It is used to map private IP addresses to
public IP addresses and public IP addresses to private IP addresses. Mainly it is used to
provide security to the internal network and servers from the Internet. NAT is also used to
connect to the Internet from private IP addresses, because private IPs are not routable on the Internet.
Question 26- What is Source NAT?

Answer –

Source NAT is used for traffic initiated from the internal network to the external network. In source NAT only the source
IP is translated to a public IP address.

Question 27 – What is Hide NAT?

Answer –

Hide NAT is used to translate multiple private IPs or networks to a single public IP address, meaning a many-to-
one translation. It can only be used in source NAT translation; Hide NAT cannot be used in destination
NAT.

Question 28- Difference between Automatic NAT and Manual NAT.

Answer –

Automatic NAT-

• Created automatically by the firewall
• Cannot be modified
• Cannot create a "No NAT" rule
• Cannot create Dual NAT
• Port forwarding not possible
• Proxy ARP enabled by default

Manual NAT-

• Created manually by the network security administrator
• Can be modified
• Can create a "No NAT" rule
• Can create Dual NAT
• Port forwarding possible
• Proxy ARP not enabled by default

Question 29- What are the components of the 3-tier architecture of the Checkpoint firewall?

Answer-

• SmartConsole
• Security Management
• Security Gateway

Question 30- What is the packet flow of the Checkpoint firewall?

Answer-

1. SAM database
2. Address spoofing (anti-spoofing)
3. Session lookup
4. Policy lookup
5. Destination NAT
6. Route lookup
7. Source NAT
8. Layer 7 inspection
9. VPN
10. Routing

Question 31- What is an Explicit rule in the Checkpoint firewall?

Answer –

A rule in the rule base which is manually created by the network security administrator is called an explicit
rule.

Question 32- What is the difference between the ESP and AH IPsec protocols?

Answer –

ESP – The ESP protocol is part of the IPsec suite. It provides confidentiality, integrity and authenticity. It is used
in two modes, transport mode and tunnel mode.

AH – AH is also part of the IPsec suite. It provides only authentication and integrity; it does not provide
encryption. It is also used in two modes, transport mode and tunnel mode.

Question 33- What is SmartDashboard?

Answer-

It is a tool of SmartConsole. It is used to configure rules and policy objects, create the NAT policy, and configure VPNs and
clusters.

Question 34- Checkpoint packet flow for SNAT and DNAT?

Answer-

In case of SNAT:

1. Anti-spoofing
2. Session lookup
3. Policy lookup
4. Routing
5. NAT

In case of DNAT:

1. Anti-spoofing
2. Session lookup
3. Policy lookup
4. NAT
5. Routing
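To show why the order in Questions 26, 30 and 34 matters, here is an added example (not code from the document or from Check Point) that runs three constructed packets through a toy pipeline: anti-spoofing against the interface topology, a session lookup, a policy lookup on the original addresses, then destination NAT before the route lookup and source NAT after it. The topology, addresses, `process` function and rules are all constructed for the demonstration.

```python
"""Toy packet-flow pipeline: an added example, not Check Point code.

Order modelled: anti-spoofing, session lookup, policy lookup, destination
NAT *before* the route lookup, source NAT *after* it. The topology,
addresses and rules are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Interface topology as anti-spoofing uses it: which networks legitimately sit
# behind each interface (constructed).
TOPOLOGY = {
    "eth0": [ip_network("0.0.0.0/0")],        # external: anything not claimed by eth1
    "eth1": [ip_network("10.1.1.0/24")],      # internal
}
EXTERNAL_IP = "198.51.100.1"                  # gateway's external address (hide NAT source)
PUBLIC_WEB = "198.51.100.10"                  # public address of the internal web server
PRIVATE_WEB = "10.1.1.10"


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    steps: List[str] = field(default_factory=list)   # trace of what the pipeline did


def anti_spoofing(p: Packet) -> bool:
    """A source that belongs behind another interface is spoofed on this one."""
    addr = ip_address(p.src)
    for iface, nets in TOPOLOGY.items():
        if iface != p.in_iface and any(addr in n for n in nets if n.prefixlen > 0):
            return False
    return True


def policy_lookup(p: Packet) -> bool:
    # The policy is written in terms of the *original* (pre-NAT) addresses (constructed rules).
    if p.dst == PUBLIC_WEB and p.dport == 443:
        return True                      # Internet -> public web address
    if ip_address(p.src) in ip_network("10.1.1.0/24"):
        return True                      # internal -> anywhere
    return False


def destination_nat(p: Packet) -> None:
    if p.dst == PUBLIC_WEB:
        p.dst = PRIVATE_WEB
        p.steps.append("dnat")


def route_lookup(p: Packet) -> str:
    out = "eth1" if ip_address(p.dst) in ip_network("10.1.1.0/24") else "eth0"
    p.steps.append(f"route:{out}")
    return out


def source_nat(p: Packet, out_iface: str) -> None:
    # Hide NAT: internal sources leaving on the external interface use the gateway's address.
    if out_iface == "eth0" and ip_address(p.src) in ip_network("10.1.1.0/24"):
        p.src = EXTERNAL_IP
        p.steps.append("snat")


def process(p: Packet, sessions: Set[Tuple[str, str, int]]) -> Tuple[str, Optional[str]]:
    """Return (verdict, out_iface); verdict is 'accept' or the reason for the drop."""
    if not anti_spoofing(p):
        return ("drop:anti-spoofing", None)
    if (p.src, p.dst, p.dport) not in sessions:       # session lookup, toy form
        if not policy_lookup(p):
            return ("drop:policy", None)
        sessions.add((p.src, p.dst, p.dport))
    destination_nat(p)                                 # before routing ...
    out = route_lookup(p)                              # ... so the route uses the real server
    source_nat(p, out)                                 # after routing, based on the egress interface
    return ("accept", out)


def demo() -> Dict[str, tuple]:
    sessions: Set[Tuple[str, str, int]] = set()
    inbound = Packet("eth0", "203.0.113.7", PUBLIC_WEB, 443)
    outbound = Packet("eth1", "10.1.1.20", "203.0.113.7", 80)
    spoofed = Packet("eth0", "10.1.1.20", PUBLIC_WEB, 443)   # internal address arriving on the external side
    results = {}
    for name, p in (("inbound", inbound), ("outbound", outbound), ("spoofed", spoofed)):
        verdict, out = process(p, sessions)
        results[name] = (verdict, out, p.src, p.dst, tuple(p.steps))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Had the route lookup run before destination NAT, the inbound packet would have been routed by its public destination rather than towards the internal server; had source NAT run before routing, the egress interface would not yet be known. The spoofed packet never gets as far as the policy: anti-spoofing rejects it on the interface.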

Question 35- What are ClusterXL, SecureXL and CoreXL?

Answer-

CoreXL-

CoreXL is a performance-enhancing technology for Security Gateways on multi-core
platforms. CoreXL makes it possible for the CPU cores to perform multiple tasks
concurrently. This enhances the Security Gateway performance.

SecureXL-

Patented SecureXL is a technology interface that accelerates multiple, intensive security
operations, including operations that are carried out by Check Point's Stateful Inspection
firewall. Using SecureXL, the firewall offloads operations to a performance-optimized
software or hardware device, dramatically increasing throughput.

ClusterXL-

ClusterXL is a Check Point software-based cluster solution for Security Gateway redundancy and Load
Sharing. A ClusterXL Security Cluster contains identical Check Point Security Gateways.

A High Availability Security Cluster ensures Security Gateway and VPN connection redundancy by
providing transparent failover to a backup Security Gateway in the event of failure.

ClusterXL uses State Synchronization to keep active connections alive and prevent data loss when
a Cluster Member fails. With State Synchronization, each Cluster Member "knows" about connections
that go through other Cluster Members.

ClusterXL uses virtual IP addresses for the cluster itself and unique physical IP and MAC addresses for
the Cluster Members. Virtual IP addresses do not belong to physical interfaces. CCP runs on UDP port
8116 between the Cluster Members.

Question 36- License types of Checkpoint.

Answer-

Checkpoint has two types of licensing:

1- Central licensing - bound to the Security Management Server (the current licensing model).

2- Local licensing - bound to the enforcement module (the legacy licensing model).

Question 37- Basic command use in Checkpoint.

Answer-
