20. VPN-1/FireWall-1 ignores packets of other protocols
such as IPX and DECnet. These protocols are processed by
other protocol stacks. Note that, if you install an
IPX protocol stack, for example, the IPX packets are
processed by the IPX stack independently of VPN-1/FireWall-1.
This can be a security risk, and the need for such a
stack should be thoroughly evaluated before installing it.
21. FireWall-1 rule base:
a. Implicit (Pseudo) rules are those that are derived
from the security properties. Explicit rules are those
created in the Rule Base. The implicit rules are NOT
shown by default in the NAT Rule Base. However, you
can select "Implied Pseudo Rules" from the View menu.
b. Implicit Drop Rule is added by VPN-1/FireWall-1
at the bottom of the Rule Base. The purpose of this
rule is to drop all packets that are not described by
earlier rules in the Rule Base.
c. The Stealth rule is the first rule in the Rule Base.
The purpose of the Stealth rule is to prevent traffic
from directly accessing the firewall itself.
d. The correct order that Rule Base rules are defined
Security Policy "First" Rule
Security Policy "Before Last" Rule
Security Policy "Last" Rule
e. To disable a rule in the Rule Base:
Select the rule in the Rule Base.
Right click the rule number and select 'Disable'.
The policy needs to be re-installed for the change
to take effect.
22. Using the Security Policy Editor, four types
of policies can be defined:
Security Policy: This policy specifies how
communication is allowed to enter or leave the network.
It also specifies how authentication and/or
encryption are handled.
Address Translation Policy: An Address Translation
Policy specifies how invalid internal IP addresses
will be translated to valid IP addresses.
Anti-Spoofing: The Anti-Spoofing feature ensures
that the IP addresses of the packets entering the
FireWall are valid.
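The rule base behaviour in item 21 (first-match evaluation, the Stealth rule at the top, the implicit drop at the bottom, disabled rules) and the Anti-Spoofing check in item 22 can be simulated in a few dozen lines. The following Python is an added example written for these notes, not Check Point code: the gateway address 192.0.2.1, the topology (10.0.0.0/8 behind the "internal" interface), the rule names and the service names are all constructed assumptions. The misordered rule base shows why the Stealth rule has to come first: an explicit accept rule placed above it would let traffic reach the firewall itself.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for the example (assumptions, not from the notes).
GATEWAY = "192.0.2.1"                                   # the firewall's own address
TOPOLOGY = {"internal": [ip_network("10.0.0.0/8")]}     # networks behind each non-external interface
ANY = "any"


@dataclass
class Rule:
    name: str
    src: str        # CIDR, single address, or "any"
    dst: str
    service: str    # service name, or "any"
    action: str     # "accept" or "drop"
    enabled: bool = True


def anti_spoof_ok(iface, src):
    """Anti-spoofing: the source address must be plausible for the interface it arrived on."""
    src = ip_address(src)
    internal = [n for nets in TOPOLOGY.values() for n in nets]
    if iface in TOPOLOGY:
        return any(src in n for n in TOPOLOGY[iface])   # inside interface: must be an inside net
    return not any(src in n for n in internal)           # external interface: inside sources are spoofed


def _matches(selector, value):
    if selector == ANY:
        return True
    if isinstance(value, str):                           # service names compare literally
        return selector == value
    return value in ip_network(selector, strict=False)   # addresses compare by network membership


def evaluate(rule_base, src, dst, service):
    """First-match evaluation; the implicit drop rule sits below every explicit rule."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rule_base:
        if not rule.enabled:
            continue                                     # a disabled rule is skipped after reinstall
        if _matches(rule.src, src) and _matches(rule.dst, dst) and _matches(rule.service, service):
            return rule.action, rule.name
    return "drop", "implicit drop"


def process(rule_base, iface, src, dst, service):
    """Anti-spoofing check first, then the rule base."""
    if not anti_spoof_ok(iface, src):
        return "drop", "anti-spoofing"
    return evaluate(rule_base, src, dst, service)


STEALTH = Rule("stealth", ANY, GATEWAY, ANY, "drop")
EXPLICIT = [
    Rule("web out", "10.0.0.0/8", ANY, "http", "accept"),
    Rule("ssh admin", "10.0.1.0/24", ANY, "ssh", "accept"),
]


def build_rule_base(stealth_first=True):
    """Stealth rule first (correct) or after the explicit rules (misordered)."""
    return [STEALTH] + EXPLICIT if stealth_first else EXPLICIT + [STEALTH]


def disable(rule_base, name):
    """Return a copy of the rule base with the named rule disabled."""
    return [Rule(r.name, r.src, r.dst, r.service, r.action, r.enabled and r.name != name)
            for r in rule_base]


if __name__ == "__main__":
    rb = build_rule_base()
    print(process(rb, "internal", "10.0.1.5", GATEWAY, "ssh"))                    # ('drop', 'stealth')
    print(process(build_rule_base(False), "internal", "10.0.1.5", GATEWAY, "ssh"))  # ('accept', 'ssh admin')
    print(process(rb, "external", "10.0.0.9", "198.51.100.7", "http"))            # ('drop', 'anti-spoofing')
    print(process(rb, "internal", "10.0.0.9", "198.51.100.7", "smtp"))            # ('drop', 'implicit drop')
```

The anti-spoofing check runs before any rule is consulted, so a packet arriving on the external interface with an internal source address never reaches the rule base at all; everything not accepted by an explicit rule ends in the implicit drop.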
23. Important file names used in FireWall-1:
$FWDIR/conf/rule_base.W: Security Policy rules are stored
in an ASCII format at this location.
$FWDIR/conf/objects.C: The properties are stored in
this ASCII file.
$FWDIR/conf/rule_name.pf: Inspection Script is stored
in this file. The file is generated from $FWDIR/conf/rule_base.W
$FWDIR/temp/rule_base.fc: This is the Inspection Code file,
compiled from the Inspection Script. Note that the Inspection
Code is installed on Network objects and used by the VPN/FireWall
Module to enforce the security policy.
24. A Gateway must have at least two network interfaces, one
for the external network connection and one for the internal network.
25. The three types of Authentication schemes supported by
User Authentication: User Authentication gives access
on a per-user basis. This can be used for Telnet, FTP, RLOGIN,
HTTP, and HTTPS. Separate Authentication is required for
Session Authentication: Session Authentication can be
used with any service, and Session Authentication is required
for each connection as in User Authentication.
Client Authentication: Client Authentication gives access
on a per-host basis. Once a Client is Authenticated, it
can be used for any number of connections, for any service.
Client Authentication is recommended when the client is
a single-user machine such as a desktop.
26. VPN-1/FireWall-1 services covered by User Authentication
are: Telnet, FTP, RLOGIN, HTTP, and HTTPS.
27. VPN-1/FireWall-1 supports third-party routers (OPSEC
products) such as Cisco, 3Com, and Nortel (Bay Networks) routers,
Cisco PIX firewalls, and Microsoft RRAS (formerly known as Steelhead).
For this purpose, Check Point's Open Security Extension (an
optional module) is required.
28. VPN-1/FireWall-1 supports two modes of Address Translation:
a. Hide mode: This has a many-to-1 relation. Here many invalid
addresses are translated to one valid IP address. Dynamically
assigned port numbers are used to distinguish between the invalid
addresses. This is called Hide mode, since the invalid IP addresses
are hidden behind the valid IP address.
b. Static mode: This has a 1-to-1 correspondence of IP addresses.
Here, the invalid IP is translated to a corresponding valid
IP. There are two modes of static Address Translation:
Static Source mode: This is for outgoing traffic. The
connection is initiated by internal clients with invalid
IP addresses. This is usually combined with Static Destination
mode.
Static Destination mode: This is for incoming traffic.
This mode is used when servers inside the internal network
have invalid IP addresses, so that packets entering the
internal network arrive at their proper destinations. This
mode is usually combined with Static Source mode.
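The difference between Hide mode and Static mode in item 28 is easiest to see with a small translation table. The Python below is an added example for these notes, not Check Point code: the valid address 203.0.113.1, the three-port pool, the internal addresses 10.0.0.x and the static pair 10.0.0.10/203.0.113.10 are constructed assumptions. Hide mode maps many internal addresses to one valid address and tells the connections apart by the port it assigns; reply traffic is only mapped back if an outbound connection allocated that port, and the tiny pool shows what happens when the port range is exhausted. Static mode is a fixed one-to-one pair used in both directions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (assumptions for the example, not from the notes).
HIDE_ADDRESS = "203.0.113.1"          # the single valid address the internal hosts hide behind
HIDE_PORTS = range(10000, 10003)      # deliberately tiny pool so exhaustion is visible


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HideNat:
    """Hide mode: many invalid addresses -> one valid address, told apart by assigned port."""

    def __init__(self, hide_addr, ports):
        self.hide_addr = hide_addr
        self.free = list(ports)
        self.out = {}    # (invalid src, sport) -> assigned hide port
        self.back = {}   # assigned hide port -> (invalid src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Outgoing packet: rewrite source to the hide address and an assigned port."""
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            if not self.free:
                raise RuntimeError("hide port pool exhausted")
            port = self.free.pop(0)
            self.out[key] = port
            self.back[port] = key
        return Packet(self.hide_addr, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply packet: map the hide port back to the internal host, or drop if unknown."""
        key = self.back.get(pkt.dport)
        if pkt.dst != self.hide_addr or key is None:
            return None                     # no outbound connection owns this port: dropped
        src, sport = key
        return Packet(pkt.src, pkt.sport, src, sport)


class StaticNat:
    """Static mode: one-to-one correspondence between invalid and valid addresses."""

    def __init__(self, mapping):
        self.fwd = dict(mapping)                        # invalid -> valid
        self.rev = {v: k for k, v in mapping.items()}   # valid -> invalid

    def static_source(self, pkt: Packet) -> Optional[Packet]:
        """Outgoing: connection initiated from the inside, source address rewritten."""
        if pkt.src not in self.fwd:
            return None
        return Packet(self.fwd[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def static_destination(self, pkt: Packet) -> Optional[Packet]:
        """Incoming: destination rewritten so the packet reaches the internal server."""
        if pkt.dst not in self.rev:
            return None
        return Packet(pkt.src, pkt.sport, self.rev[pkt.dst], pkt.dport)


if __name__ == "__main__":
    nat = HideNat(HIDE_ADDRESS, HIDE_PORTS)
    # Two internal hosts using the same client port are distinguished by the hide port.
    print(nat.outbound(Packet("10.0.0.5", 40000, "198.51.100.7", 80)))   # src 203.0.113.1:10000
    print(nat.outbound(Packet("10.0.0.6", 40000, "198.51.100.7", 80)))   # src 203.0.113.1:10001
    print(nat.inbound(Packet("198.51.100.7", 80, HIDE_ADDRESS, 10001)))  # dst 10.0.0.6:40000
    static = StaticNat({"10.0.0.10": "203.0.113.10"})
    print(static.static_destination(Packet("198.51.100.7", 4444, "203.0.113.10", 25)))  # dst 10.0.0.10
```

The reverse table is what makes Hide mode one-directional: an inbound packet to a hide port that no internal host allocated has nowhere to go and is dropped, which is why servers that must accept incoming connections need Static Destination mode instead.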
29. The NAT Rule Base consists of three elements:
Original Packet and Translated Packet, in turn, consist of
"Install On" specifies which firewalled objects will enforce
Disclaimer: examguides.com is neither
associated nor affiliated with Checkpoint® Software Corp.
or any other company. CCSA, CCSE are registered trademarks of CheckPoint®
Software Corp. and duly acknowledged. The Exam Cram notes material is
a copyright of examguides.com and the same is not approved or endorsed
by respective certifying bodies.