Checkpoint® Certified Security Administrator Exam cram Notes


23. Important file names used in FireWall-1:

  • $FWDIR/conf/rule_base.W: Security Policy rules are stored in an ASCII format at this location.
  • $FWDIR/conf/objects.C: The properties are stored in this ASCII file.
  • $FWDIR/conf/ Inspection Script is stored in this file. The file is generated from $FWDIR/conf/rule_base.W and $FWDIR/conf/objects.C
  • $FWDIR/temp/rule_base.fc: This is Inspection Code file, compiled from the Inspection script. Note that the Inspection Code is installed on Network objects and used by VPN/FireWall Module to enforce security policy.

24. A Gateway must atleast have two network interfaces, one for the external network connection, and one for internal network connection.

25. The three types of Authentication schemes supported by VPN-1/FireWall-1 are:

  • User Authentication: User Authentication gives access on a per user basis. This can be used for Telnet, FTP, RLOGIN and HTTP,HTTPS. Separate Authentication is required for each connection.
  • Session Authentication: Session Authentication can be used with any service, and Session Authentication is required for each connection as in User Authentication.
  • Client Authentication: Client Authentication gives access on a per host basis. Once a Client is Authenticated, it can be used for any number of conncetions, for any service. Client Authentication is recommended when the client is a single user machine such as a desktop.

26. VPN-1/FireWall-1 services covered by User Authentication are: Telnet, FTP, RLOGIN, HTTP, and HTTPS.

27. VPN-1/FireWall-1 supports third party routers (OPSEC products) such as Cisco, 3Com, Nortel (Bay Networks) routers, Cisco PIX firewalls, and Microsoft RRAS (Formerly known as Steelhead). For this purpose, Check Point's Open Security Extension ( an optional module) is required.

28. VPN-1/FireWall-1 supports two modes of Address Translation:

a. Hide mode: This has a many to 1 relation. Here many invalid addresses are translated to one valid IP address. Dynamically assigned port numbers are used to distinguish between the invalid addresses. This is called Hide mode, since invalid IP addresses are hidden behind the valid IP address.

b. Static mode: This has 1 to 1 correspondence of IP addresses. Here, the invalid IP is translated to a corresponding valid IP. There are two modes of static Address Translation:

  • Static Source mode: This is for outgoing traffic. The connection is initiated by internal clients with invalid IP addresses. This is usually combined with Static Destination mode.
  • Static Destination mode: This is for incoming traffic. This mode is used when servers inside the internal network have invalid IP addresses, so that packets entering the internal network arrive at their proper destinations. This mode is usually combined with Static Source mode.

29. The NAT Rule Base consists of three elements:

  • Original Packet
  • Translated Packet
  • Install On

Original Packet and Translated Packet, in turn, consist of the following:

  • Source
  • Destination
  • Service

"Install On" specifies which firewalled objects will enforce the rule.

Previous      0 1 2 3 4      Next

Please visit our sponsor: images-used/se-banner125X125.gif