Check Point CCSE Notes

Following my post on Check Point CCSA Exam notes, in this post I’m gonna write notes on CCSE exam. Though this time I won’t fall into configuration and try to only point out the more important and real-world-applicable things.

Management Server HA

  • When adding a new Check Point host as a Secondary Management Server, do not Initialize SIC before selecting Network Policy Management feature!
  • After adding the host, save and Install the policy; synchronization will then work.

As a reminder, whenever you reset the SIC for a Gateway from Management Server, it should be re-initialized from the Gateway by cpconfig; don’t forget to exit cpconfig!

ClusterXL

Check Point calls its clustering solution ClusterXL which supports up to 8 Cluster members and can be implemented in two main flavors:

  1. Load-sharing
    • Multicast mode: 50/50, very efficient and excellent performance
    • Unicast mode: 70/30, to be used in environments where an intermediate device has issues with multicast MAC address (IGMP Snooping)
  2. High Availability (HA)
    • New Mode: Each member has its own physical IP address
    • Legacy Mode: Both members have the same physical IP address

To make kernel changes permanent, they should be written in $FWDIR/modules/fwkern.conf

Continue reading “Check Point CCSE Notes”

Share this!

Some basic EEM applets

Below you will find some very basic Cisco IOS EEM applets which can be used as a module in more complex applets, such as configuration wizards.

Obviously, EEM applets are able to be implemented for many automation use cases; i.e. monitoring SLA/tracks, making actions based on syslog patterns, re-configuring route-maps, ACLs, BGP configuration and whatever you can imagine…

Have in mind that in the first applet, I’ve used different values for each result, just to have it more clear and understandable; though as a matter of fact, from a Programming/Performance point of view, the less variables we use, the better it is. Also, these can be better tuned and get shortened based on specific scenarios and requirements, which I leave to the reader.

Continue reading “Some basic EEM applets”

Share this!

Network Design Project Initial Questions

I have been always thinking of creating a set of questions-to-be-asked for Network design projects. Though, it’s really hard to have the same template for every project, but usually there some general questions applying to all.

Skimming through the web, I came to an interesting article on Cisco Learning Network : Unleashing CCDE. I am pasting the questions list here, but with my own text marking:

Listed are some of the initial questions to ask your customers at the onset of a new network design project:

1. Business objectives, pain points and perceived constraints
  • Who are the key stakeholders, sponsors, end users?
  • Why is there a project in the first place? What are the drivers for the redesign of your existing network?
  • What are the current pain points?
  • Which business outcomes the customer expects to achieve?
  • What is the business growth plan 3-5 years, capacity planning, scaling requirements?
  • Are there any regulatory constraints such as HIPAA, PCI, Fed, and Local Government that affect the organization and industry? Other known constraints?
  • Is there specific equipment, vendors, or protocols preferred or are absolutely out of the question?
  • What are the implementation timelines and milestones?
  • What are the key success factors? Are there known barriers to success?
  • What is the customer tolerance to risk? Conservative or bleeding edge?
2. Desired characteristics and capabilities
  • What is the current state of the network (baseline), to compare after the implementation of the new design?
  • Are there any documentation available, features in use, versions, is standardization consistent?
  • What is the financial investment (cost/budget, cost-benefit analysis) x desired business, operational, and innovation outcomes, followed by a technical translation of these needs/goals to a technology environment?
  • What are the desired characteristics of the new network: redundancy/resiliency/convergence, speed, security, cost, application performance, simplicity, manageability, capabilities? Load balancing, load sharing?
  • Public, private or hybrid cloud?
3. Footprint, policies, method of access and traffic patterns
  • What is the geographical distribution, connectivity options/capabilities on the branches?
  • Where do the servers reside in the network, their known vulnerabilities and how the services align with the security policies?
  • What are the current and future traffic patterns, north-south, east-west, or both?
  • What are the current and future applications’ requirements and tolerance to delay, packet drop, and jitter?
  • What is the company security, infrastructure policies? Do you have specific design/architecture principles to adhere to? Any project management methodology or tools? Network management?
  • What are the established SLA’s if any, and the level of success achieved for these SLA’s?
  • Does the network support the business, the network is the business, or both?
  • Are there best practices?
  • Will there be a test lab or group, a prototype, a development area?
Share this!

Check Point CCSA Notes

CheckPoint is the largest pure-play security vendor globally, and has a long history of being a respected security solutions provider and the company’s devices are one of the most deployed firewalls in use today.

Till now, for eighteen consecutive years Check Point has been positioned in the “Leaders” quadrant in the Magic Quadrant for Enterprise Network Firewalls. Check Point is also positioned in the “Leaders” for Unified Threat Management (UTM) for five years till now. Gartner evaluates each vendor’s Enterprise Network Firewall offerings on a scale of completeness of vision and ability to execute.

Traffic Control Methods:

  • Packet Filtering in OSI Layer 3 (Network) and Layer 4 (Transport)
  • Stateful control by Inspect Engine, again at L3 and L4 but with more focus on L4
  • Application Awareness

Check Point Operating system:

We talk here about both Management Server and the Gateways (firewalls) OS.

  • IPSO was the initial version, based on BSD (Nokia’s IPSO).
  • SecurePlatform (SPLAT), based on Redhat
  • GAiA is the latest version!

Deployment Notes

With small environments, it’s possible to have the Management Server and Gateway on the same hardware. This is called Standalone deployment.

Continue reading “Check Point CCSA Notes”

Share this!

DRBD with Cluster File System on Debian Jessie

Hi,

I’m Sina Moghaddas, and this my first post as a co-author to my brother 🙂

In this post, I am going to show you how to setup DRBD with OCFS2.

DRBD® refers to block devices designed as a building block to form highly available (HA) clusters. This is done by mirroring a whole block device via an assigned network. DRBD can be understood as a network based raid-1.

OCFS2 is a general-purpose, shared-disk, clustered filesystem for Linux, which is capable of providing both high performance and high availability.

ok, here we go 😉

Continue reading “DRBD with Cluster File System on Debian Jessie”

Share this!