
Check Point related knowledge:

SIC ==>> Secure Internal Communication.


This is the protocol used to make a secure connection between Check Point devices, e.g. between a Security Gateway and the Security Management Server in a distributed deployment.

It uses SSL.


SIC measures for validation:

Certificates for authentication.

Triple DES for encryption.

Standards-based SSL for secure channel creation.

It works on TCP port 18209.


INSPECT engine in Firewall:

===========================


The INSPECT engine inspects each packet and maintains a stateful table. It even creates a virtual state table for connectionless protocols such as UDP, RPC, etc., which helps the firewall inspect and monitor the traffic.


Rules in Check Point:

======================


Stealth Rule:

It limits the traffic that is allowed to go to the gateway itself.


Ex:

===


It allows only authenticated administrators' traffic to the gateway and blocks all other traffic to the gateway.


Clean up rule:

==============


It blocks all remaining traffic that reaches the firewall and logs it, which helps the admin analyze all the traffic.

It is placed last.


Explicit Rule: 

==============


Created by the admin.



Implicit Rule:

==============


A rule built into the firewall which is not visible in the rulebase.



Advantages of Check Point:

=========================


1. Single point of management: gateways can be managed from SmartConsole.

2. Open architecture: it can work with other security products.

3. It updates its security software often to protect against the latest attacks.


Bitmap checkpoint firewall


Licence:


A local license is issued for the firewall gateway's IP address.


A central license is issued and assigned to the IP address of the Management / SmartCenter server.


TCP timeout is 60 minutes.

UDP: 2 minutes.

ICMP: 2 seconds.
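The stateful behaviour described above (a virtual state table for connectionless protocols, entries aging out after the listed timeouts) as an added toy simulation; this is example code, not Check Point's INSPECT engine. The `Packet` fields, the `allow` policy callable, the `accept-rule`/`accept-state`/`drop` verdicts and the timeout units (seconds) are assumptions.

```python
from dataclasses import dataclass

# Idle timeouts from the notes above, in seconds (assumed units):
# TCP 60 minutes, UDP 2 minutes, ICMP 2 seconds.
TIMEOUTS = {"tcp": 60 * 60, "udp": 2 * 60, "icmp": 2}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StateTable:
    """Toy stateful table. A packet matching a live entry in either direction
    is accepted without consulting the rulebase; an unknown 5-tuple is checked
    against allow() and, if permitted, creates an entry. UDP/ICMP entries are
    'virtual sessions' that expire after the idle timeout, so a late reply is
    dropped even though the original request was allowed."""

    def __init__(self, allow):
        self._allow = allow          # callable standing in for the rulebase
        self._table = {}             # forward 5-tuple -> last-seen timestamp

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _expire(self, now):
        stale = [k for k, seen in self._table.items() if now - seen > TIMEOUTS[k[0]]]
        for k in stale:
            del self._table[k]

    def inspect(self, p, now):
        self._expire(now)
        forward = self._key(p)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)  # reply direction
        for k in (forward, reverse):
            if k in self._table:
                self._table[k] = now  # refresh the idle timer
                return "accept-state"
        if self._allow(p):
            self._table[forward] = now  # new connection, rulebase matched
            return "accept-rule"
        return "drop"

    def entries(self):
        return len(self._table)
```

The policy is any callable over a `Packet`, e.g. `lambda p: p.src.startswith("10.")` to allow only connections sourced from 10.0.0.0/8; a DNS reply arriving 190 seconds after the last packet of its UDP session is then dropped, while a TCP reply within the hour is still accepted from the state table.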



==========================

Types of checkpoints:


Standard checkpoint: checks based on objects.

Bitmap checkpoint: checks the webpage pixel by pixel.

Image checkpoint: checks the webpage's source location.

Table checkpoint: checks table cells.

Text checkpoint: checks text in webpages.



=================================


Check Point XLs:



CoreXL:

========


It makes the CPU run multiple tasks at the same time.



SecureXL:


It accelerates the solution and maximizes performance,

but without compromising security.

When we enable SecureXL, some intensive processing is handled by the virtualization software instead of the firewall kernel.


ClusterXL:


VSX (Virtual System Extension):

It is a virtual firewall (context or VRF); the default is VS0.


ClusterXL uses a unique virtual IP and MAC address.


It uses CCP for cluster device communication.


No rule or policy is needed for it.


It runs on UDP port 8116.

Delta Sync is the synchronization of Check Point cluster state. It is handled directly by the Check Point kernel.

Routing configuration on Check Point Gaia:

When we configure a route on Check Point there are three types of option for the next hop:


Normal: accept and forward packets.

Reject: drop packets and send unreachable messages.

Black Hole: drop packets but don't send unreachable messages.



Local scope:



This option is helpful: if we enable it, the route will communicate with the cluster even though the cluster is in a different subnet.


When we add a gateway in Check Point, we can add an IP as the gateway, or a local interface can also be configured as the gateway.


We can add many gateways and configure a priority as per the requirements.


We can also enable ping monitoring, with the ping response time and the count of pings that hit the route and the interface.


Check Point packet flow:

========================






