Check Point CCSE Notes

Following my post on Check Point CCSA exam notes, in this post I'm going to write notes for the CCSE exam. This time I won't dive into configuration details, and will only point out the more important, real-world-applicable things.

Management Server HA

  • When adding a new Check Point host as a Secondary Management Server, do not initialize SIC before selecting the Network Policy Management feature!
  • After adding the host, save and install the policy; synchronization will then start working.

As a reminder, whenever you reset SIC for a Gateway from the Management Server, it must be re-initialized on the Gateway with cpconfig; don't forget to exit cpconfig, since that is when the change takes effect!

ClusterXL

Check Point calls its clustering solution ClusterXL. It supports up to 8 cluster members and comes in two main flavors:

  1. Load Sharing
    • Multicast mode: the cluster IP resolves to a multicast MAC, so every member receives every packet and decides locally which connections it owns. The load is split evenly (50/50 with two members), which makes this the most efficient mode with the best performance.
    • Unicast (Pivot) mode: a single member, the Pivot, receives all traffic and forwards the part it does not handle to the other members, giving an uneven split (70/30 with two members). Use it where an intermediate switch or router cannot cope with a unicast IP resolving to a multicast MAC (IGMP snooping dropping the frames is the classic symptom).
  2. High Availability (HA)
    • New Mode: each member has its own physical IP address, and the cluster IP is virtual
    • Legacy Mode: both members share the same physical IP address

Kernel parameters changed at runtime with fw ctl set int are lost on reboot. To make a change permanent, add it to $FWDIR/modules/fwkern.conf as a parameter=value line (one parameter per line, no spaces); the file is read when the kernel module loads at boot.
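As an added example (not from the original post), here is a small Python helper for editing that file safely, from wherever Python is available: it keeps exactly one line per parameter, drops duplicates, and flags lines that do not follow the name=value format. The parameter names in the constructed sample are illustrative; fw ctl set int / fw ctl get int are the runtime commands and are only referred to in comments, not executed.

```python
"""Keep a Check Point kernel parameter change in $FWDIR/modules/fwkern.conf.

Added example, not code from the original post. fwkern.conf holds one
parameter=value line per kernel parameter and is read when the kernel module
loads at boot; the live value is changed with 'fw ctl set int <param> <value>'
and shown with 'fw ctl get int <param>'. Parameter names below are illustrative.
"""
import re

# The only line shape the file should contain: name=value, no spaces.
# Values are integers, written in decimal or hex.
LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(0[xX][0-9A-Fa-f]+|\d+)$")


def parse_fwkern(text):
    """Return ({name: value}, [(line_no, text)]) for the lines that do not fit the format.

    Blank lines are skipped. Anything else that is not a plain name=value line
    (spaces around '=', a comment, a non-numeric value) is reported, because the
    safe assumption is that the loader will not read it as intended.
    """
    params, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
        else:
            bad.append((n, line))
    return params, bad


def set_param(text, name, value):
    """Return text with exactly one name=value line for name, replacing or appending.

    Later duplicates of the same parameter are dropped so the file cannot
    silently carry two conflicting values. Lines that do not parse are kept as-is.
    """
    int(value, 0)  # raises ValueError for a value the kernel could not parse
    out, done = [], False
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == name:
            if not done:
                out.append(f"{name}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample file content, not taken from a real gateway.
    sample = "fwha_mac_magic=0xfe\nfwha_mac_forward_magic = 0xfd\nfwha_mac_magic=0xff\n"
    print(parse_fwkern(sample))          # second line is flagged (spaces), third is a duplicate
    print(set_param(sample, "fwha_mac_magic", "0xfe"), end="")
    # On the gateway, to apply the same value now: fw ctl set int fwha_mac_magic 0xfe
```

Run parse_fwkern on the existing file first and fix whatever it flags before writing; a malformed line is easy to miss by eye and, unlike fw ctl set int, the file gives no error at boot.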


Some basic EEM applets

Below you will find some very basic Cisco IOS EEM applets which can be used as a module in more complex applets, such as configuration wizards.

EEM applets can be used for many automation use cases, e.g. monitoring IP SLA/tracks, taking actions based on syslog patterns, re-configuring route-maps, ACLs or BGP, and whatever else you can imagine.

Keep in mind that in the first applet I've used different values for each result, just to make it clearer and more understandable; from a programming/performance point of view, though, the fewer variables we use the better. These applets can also be tuned and shortened for specific scenarios and requirements, which I leave to the reader.


Check Point CCSA Notes

Check Point is the largest pure-play security vendor globally, has a long history as a respected security solutions provider, and its devices are among the most widely deployed firewalls in use today.

As of this writing, Check Point has been positioned in the "Leaders" quadrant of Gartner's Magic Quadrant for Enterprise Network Firewalls for eighteen consecutive years, and in the "Leaders" quadrant for Unified Threat Management (UTM) for five. Gartner evaluates each vendor's Enterprise Network Firewall offering on completeness of vision and ability to execute.

Traffic Control Methods:

  • Packet filtering at OSI Layer 3 (Network) and Layer 4 (Transport): static rules on addresses, protocols and ports, with no memory of previous packets
  • Stateful Inspection by the INSPECT engine: still L3 and L4, but with more focus on L4, because each connection is recorded in a state table and return traffic is matched against it instead of needing an explicit rule in both directions
  • Application awareness: inspection of the payload up to Layer 7 (Application Control, URL Filtering and IPS blades)

Check Point Operating system:

This covers the operating system of both the Management Server and the Gateways (firewalls).

  • IPSO: Nokia's FreeBSD-based OS, which came to Check Point with the Nokia security appliance business
  • SecurePlatform (SPLAT): based on Red Hat Linux
  • GAiA: the current OS, which merges the IPSO and SPLAT feature sets

Deployment Notes

In small environments, the Management Server and the Gateway can run on the same hardware. This is called a Standalone deployment (as opposed to a Distributed deployment, where they are separate hosts).


Cisco ACI – 2 – Provisioning a fabric

As mentioned in the last post, let's take the first step: bringing a fabric online!

Turn on the UCS server you have chosen for the APIC role!
I assume we start from the CIMC console to set up the APIC. As with all other Cisco CLI products, we get a simple wizard-style script, as below:

I'm sure you have the Cisco ACI Fundamentals guide open, but let me look at some of the parameters the wizard asks for:

  • TEP address pool: every leaf and spine node in the fabric is automatically assigned at least one Tunnel End Point (TEP) address from this pool. Size it for the whole fabric and keep it clear of any network the fabric will route, because it cannot be changed later without rebuilding the fabric.
  • Multicast address pool: used for multicast (BUM) traffic inside the fabric
  • VLAN ID: the infra VLAN used for communication inside the fabric infrastructure network (APIC to leaf). Like the TEP pool it is fixed once the fabric is built, so pick one that does not collide with VLANs on connected devices.

After a while, the APIC will be up and reachable through the web management interface on its OOB IP address. Now we have to discover the physical switching nodes.

I never like going through a GUI, so I'll just name the steps and mention the more important parts.

  1. From the GUI go to: Fabric tab >> Inventory sub-menu
  2. Click on Fabric Membership (left)
  3. Since your APIC is connected to at least one Nexus leaf, you should see a single leaf node; LLDP is the magic that makes this happen. The switch is not registered yet, so no ID, name or IP is listed.
  4. Double-click the fields and simply assign a node ID and a name. After a short break you will see an IP address for the node. Notice that the IP comes from the TEP pool we specified during the wizard.
  5. The switch is registered!

Now that we officially have a leaf node, the rest of the network is discovered through it and the spine nodes appear on the Fabric Membership page. As you'd guess, these have to be registered the same way as the leaf; once they are, the remaining leaf switches pop up and become available for membership.

Once the whole switching topology, including the other leaf nodes, is discovered, we can run the same setup procedure on the other APICs to form an APIC cluster. Keep in mind that each APIC needs a different controller ID and management IP, while the fabric name, TEP pool, infra VLAN and cluster size must be identical, otherwise the controllers will not join the same cluster.

By the time all APICs are running, the fabric is almost ready and we can see a graphical topology via Fabric | Inventory section in the APIC GUI.

One more thing to do is to give the switching nodes management IPs so they can be managed directly. This is done in the Tenants tab under the mgmt tenant, where Node Management Addresses on the left lets us configure a management IP for every single fabric node. The next step is to create at least an Out-of-Band Contract under Security Policies, in order to permit traffic to the OOB management interfaces. Finally, under Node Management EPGs, we assign that OOB contract to our OOB EPG.
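The registration steps above can also be driven through the APIC REST API, which is the sane option once there are dozens of switches. The following is an added example and not code from the original post. It assumes the standard APIC endpoints (/api/aaaLogin.json, /api/node/mo/uni/controller/nodeidentpol.json and /api/node/class/fabricNode.json); the APIC address, credentials, serial numbers, node names and the TEP pool are placeholders. It builds the fabricNodeIdentP registration objects from a plan, rejects duplicate node IDs before anything is pushed, and afterwards audits the fabricNode listing to confirm each planned switch is active under the planned ID with a TEP from the wizard pool.

```python
"""Register ACI fabric nodes through the APIC REST API and verify the result.

Added example, not code from the original post. Assumes the standard APIC
endpoints; APIC address, credentials, serials, names and TEP pool are placeholders.
"""
import ipaddress
import json
import ssl
import urllib.request

# TEP pool entered in the APIC setup wizard (assumed value for this example)
TEP_POOL = ipaddress.ip_network("10.0.0.0/16")
# Switch node IDs must fall in this range (the low IDs belong to the APICs)
VALID_NODE_IDS = range(101, 4001)


def login_body(user, password):
    """Body for POST /api/aaaLogin.json; the reply carries the APIC-cookie token."""
    return json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}})


def node_ident_body(serial, node_id, name):
    """Body for POST /api/node/mo/uni/controller/nodeidentpol.json.

    This fabricNodeIdentP object is the API equivalent of double-clicking a
    discovered node on the Fabric Membership page and typing an ID and a name.
    """
    if node_id not in VALID_NODE_IDS:
        raise ValueError(f"node ID {node_id} is outside 101-4000")
    return json.dumps({"fabricNodeIdentP": {"attributes": {
        "dn": f"uni/controller/nodeidentpol/nodep-{serial}",
        "serial": serial,
        "nodeId": str(node_id),
        "name": name,
    }}})


def registration_bodies(plan):
    """plan maps serial -> (node_id, name). Rejects duplicate IDs, returns one body per serial."""
    owner = {}
    for serial, (node_id, _name) in plan.items():
        if node_id in owner:
            raise ValueError(f"node ID {node_id} planned for both {owner[node_id]} and {serial}")
        owner[node_id] = serial
    return {serial: node_ident_body(serial, nid, name) for serial, (nid, name) in plan.items()}


def verify_registration(plan, fabric_nodes, tep_pool=TEP_POOL):
    """Compare a GET /api/node/class/fabricNode.json reply with the plan.

    Returns a list of problems: a planned switch missing from the fabric, registered
    under another ID or name, not yet active, or holding a TEP outside the wizard pool.
    """
    by_serial = {n["fabricNode"]["attributes"]["serial"]: n["fabricNode"]["attributes"]
                 for n in fabric_nodes["imdata"]}
    problems = []
    for serial, (node_id, name) in plan.items():
        a = by_serial.get(serial)
        if a is None:
            problems.append(f"{serial}: not in fabricNode (not discovered or not registered)")
            continue
        if a["id"] != str(node_id) or a["name"] != name:
            problems.append(f"{serial}: registered as {a['id']}/{a['name']}, planned {node_id}/{name}")
        if a["fabricSt"] != "active":
            problems.append(f"{serial}: fabricSt={a['fabricSt']}")
        if ipaddress.ip_address(a["address"]) not in tep_pool:
            problems.append(f"{serial}: TEP {a['address']} outside {tep_pool}")
    return problems


def apic_call(apic, path, body=None, token=None):
    """Send one JSON request to the APIC (POST when a body is given, otherwise GET)."""
    req = urllib.request.Request(f"https://{apic}{path}", method="POST" if body else "GET",
                                 data=body.encode() if body else None,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Cookie", f"APIC-cookie={token}")
    ctx = ssl._create_unverified_context()  # lab only: a fresh APIC has a self-signed cert
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample data (not captured from a real APIC) so the checks run offline.
SAMPLE_PLAN = {"SAL1": (101, "leaf101"), "SAL2": (201, "spine201"),
               "SAL3": (102, "leaf102"), "SAL4": (103, "leaf103")}
SAMPLE_FABRIC_NODES = {"imdata": [
    {"fabricNode": {"attributes": {"id": "1", "name": "apic1", "role": "controller",
                                   "serial": "FCH1", "address": "10.0.0.1", "fabricSt": "unknown"}}},
    {"fabricNode": {"attributes": {"id": "101", "name": "leaf101", "role": "leaf",
                                   "serial": "SAL1", "address": "10.0.200.64", "fabricSt": "active"}}},
    {"fabricNode": {"attributes": {"id": "201", "name": "spine201", "role": "spine",
                                   "serial": "SAL2", "address": "10.0.200.65", "fabricSt": "active"}}},
    {"fabricNode": {"attributes": {"id": "102", "name": "leaf102", "role": "leaf",
                                   "serial": "SAL3", "address": "10.0.200.66", "fabricSt": "inactive"}}},
]}

if __name__ == "__main__":
    for serial, body in registration_bodies(SAMPLE_PLAN).items():
        print("POST", serial, body)
    for p in verify_registration(SAMPLE_PLAN, SAMPLE_FABRIC_NODES):
        print("PROBLEM", p)  # leaf102 still inactive, leaf103 never showed up
    # Against a real APIC (placeholder host and credentials):
    # token = apic_call("apic1.example.net", "/api/aaaLogin.json", login_body("admin", "secret")
    #                   )["imdata"][0]["aaaLogin"]["attributes"]["token"]
    # for body in registration_bodies(SAMPLE_PLAN).values():
    #     apic_call("apic1.example.net", "/api/node/mo/uni/controller/nodeidentpol.json", body, token)
    # listing = apic_call("apic1.example.net", "/api/node/class/fabricNode.json", token=token)
    # print(verify_registration(SAMPLE_PLAN, listing))
```

Run the verification a second time after the spines have come up: a leaf that is only reachable through a spine will stay absent from fabricNode until the spine it hangs off is registered, exactly as in the GUI walk-through.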
