Following my post on Check Point CCSA exam notes, in this post I will write notes on the CCSE exam. This time I will not go into configuration details; instead I will point out only the more important and real-world-applicable things.
Management Server HA
- When adding a new Check Point host as a Secondary Management Server, do not Initialize SIC before selecting Network Policy Management feature!
- After adding the host, save and Install the policy; synchronization will then work.
As a reminder, whenever you reset the SIC for a Gateway from Management Server, it should be re-initialized from the Gateway by cpconfig; don’t forget to exit cpconfig!
Check Point calls its clustering solution ClusterXL. It supports up to 8 cluster members and comes in two main flavors, Load Sharing and High Availability. Load Sharing itself has two modes:
- Multicast mode: load is shared 50/50; very efficient, with excellent performance
- Unicast mode: load is shared 70/30 (the pivot member takes 30%); to be used in environments where an intermediate device has issues with the multicast MAC address (IGMP snooping)
[Expert@GAiA-2:0]# cphaprob state
Cluster Mode:   Load Sharing (Unicast) with IGMP Membership

Number     Unique Address  Assigned Load   State
1          192.168.0.101   30%             Active (pivot)
2 (local)  192.168.0.102   70%             Active
- High Availability (HA)
  - New Mode: each member has its own physical IP address
  - Legacy Mode: both members have the same physical IP address
To make kernel parameter changes permanent, write them to $FWDIR/modules/fwkern.conf.
Continue reading “Check Point CCSE Notes”
Below you will find some very basic Cisco IOS EEM applets that can be used as modules in more complex applets, such as configuration wizards.
Obviously, EEM applets can be implemented for many automation use cases, e.g. monitoring IP SLA operations and tracks, taking actions based on syslog patterns, reconfiguring route-maps, ACLs or BGP configuration, and whatever else you can imagine.
Keep in mind that in the first applet I have used a different variable for each result, just to make it clearer and easier to follow; in fact, from a programming/performance point of view, the fewer variables we use, the better. These applets can also be tuned and shortened for specific scenarios and requirements, which I leave to the reader.
event manager applet PING_TEST
 event none sync yes default 100 maxrun 150
 action 1 cli command "enable"
 action 10 puts nonewline "\rPLEASE ENTER DESTINATION IP ADDRESS: "
 action 11 gets IP
 action 12 cli command "ping $IP"
 action 13 set C_RESULT "$_cli_result"
 action 14 string match "*100 percent*" "$C_RESULT"
 action 15 set M_RESULT "$_string_result"
 action 20 if $M_RESULT eq "0"
 action 21 puts "\rFIRST PING FAILED with MATCH result of $M_RESULT !"
 action 22 puts "HERE IS THE CLI RESULT FOR 1ST PING"
 action 23 puts "$_cli_result"
 action 24 puts "\rNOW I AM TRYING FOR 2ND PING"
 action 25 cli command "ping $IP"
 action 26 set C_RESULT "$_cli_result"
 action 27 string match "*100 percent*" "$C_RESULT"
 action 28 set M_RESULT_2 "$_string_result"
 action 30 if $M_RESULT_2 eq "0"
 action 31 puts "\r2ND STRING MATCH RESULT IS $M_RESULT_2"
 action 32 puts "BOTH 1ST and 2ND PING FAILED!!!"
 action 33 puts "\rHERE IS THE FAILED CLI RESULT FOR 2ND PING"
 action 34 puts "$_cli_result"
 action 35 puts "\r!!!!!! DESTINATION UNREACHABLE !!!!!!"
 action 40 else
 action 41 puts "2ND PING WORKED!"
 action 42 puts "2ND STRING MATCH RESULT IS $M_RESULT_2"
 action 43 puts "\rHERE IS THE SUCCESSFUL CLI RESULT FOR 2ND PING"
 action 44 puts "$_cli_result"
 action 45 puts "\r!!!!!! DESTINATION IS REACHABLE !!!!!!"
 action 46 end
 action 50 else
 action 51 puts "\rFIRST STRING MATCH RESULT IS $M_RESULT"
 action 52 puts "\rHERE IS THE SUCCESSFUL CLI RESULT FOR 1ST PING"
 action 53 puts "$_cli_result"
 action 54 puts "\r!!!!!! DESTINATION IS REACHABLE !!!!!!"
 action 99 end
An updated version of the script without the additional variables follows:
Continue reading “Some basic EEM applets”
I have always been thinking of creating a set of questions to ask for network design projects. It is really hard to have the same template for every project, but usually there are some general questions that apply to all of them.
Skimming through the web, I came across an interesting article on the Cisco Learning Network: Unleashing CCDE. I am pasting the question list here, with my own text marking:
Listed are some of the initial questions to ask your customers at the onset of a new network design project:
1. Business objectives, pain points and perceived constraints
- Who are the key stakeholders, sponsors, end users?
- Why is there a project in the first place? What are the drivers for the redesign of your existing network?
- What are the current pain points?
- Which business outcomes does the customer expect to achieve?
- What is the business growth plan 3-5 years, capacity planning, scaling requirements?
- Are there any regulatory constraints such as HIPAA, PCI, Fed, and Local Government that affect the organization and industry? Other known constraints?
- Are there specific equipment, vendors, or protocols that are preferred or absolutely out of the question?
- What are the implementation timelines and milestones?
- What are the key success factors? Are there known barriers to success?
- What is the customer tolerance to risk? Conservative or bleeding edge?
2. Desired characteristics and capabilities
- What is the current state of the network (baseline), to compare after the implementation of the new design?
- Is there any documentation available? Which features and versions are in use, and is standardization consistent?
- What is the financial investment (cost/budget, cost-benefit analysis) versus the desired business, operational, and innovation outcomes, followed by a technical translation of these needs/goals into a technology environment?
- What are the desired characteristics of the new network: redundancy/resiliency/convergence, speed, security, cost, application performance, simplicity, manageability, capabilities? Load balancing, load sharing?
- Public, private or hybrid cloud?
3. Footprint, policies, method of access and traffic patterns
- What is the geographical distribution, connectivity options/capabilities on the branches?
- Where do the servers reside in the network, their known vulnerabilities and how the services align with the security policies?
- What are the current and future traffic patterns, north-south, east-west, or both?
- What are the current and future applications’ requirements and tolerance to delay, packet drop, and jitter?
- What are the company's security and infrastructure policies? Do you have specific design/architecture principles to adhere to? Any project management methodology or tools? Network management?
- What are the established SLAs, if any, and the level of success achieved for these SLAs?
- Does the network support the business, is the network the business, or both?
- Are there best practices?
- Will there be a test lab or group, a prototype, a development area?
Check Point is the largest pure-play security vendor globally and has a long history as a respected security solutions provider; the company’s devices are among the most widely deployed firewalls in use today.
For eighteen consecutive years to date, Check Point has been positioned in the “Leaders” quadrant of the Gartner Magic Quadrant for Enterprise Network Firewalls. Check Point has also been positioned as a “Leader” for Unified Threat Management (UTM) for five years so far. Gartner evaluates each vendor’s Enterprise Network Firewall offering on a scale of completeness of vision and ability to execute.
Traffic Control Methods:
- Packet Filtering in OSI Layer 3 (Network) and Layer 4 (Transport)
- Stateful inspection by the INSPECT engine, again at L3 and L4 but with more focus on L4
- Application Awareness
Check Point operating systems:
This applies to both the Management Server and the Gateway (firewall) OS.
- IPSO was the initial version, based on BSD (Nokia’s IPSO).
- SecurePlatform (SPLAT), based on Red Hat
- GAiA is the latest version!
With small environments, it’s possible to have the Management Server and Gateway on the same hardware. This is called Standalone deployment.
Continue reading “Check Point CCSA Notes”
I’m Sina Moghaddas, and this is my first post as a co-author alongside my brother.
In this post, I am going to show you how to setup DRBD with OCFS2.
DRBD® refers to block devices designed as a building block for forming highly available (HA) clusters. This is done by mirroring a whole block device over an assigned network link. DRBD can be understood as a network-based RAID-1.
OCFS2 is a general-purpose, shared-disk, clustered filesystem for Linux, which is capable of providing both high performance and high availability.
OK, here we go.
Continue reading “DRBD with Cluster File System on Debian Jessie”