Register for Free Membership to solutions@syngress.com Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2004, Brian Caswell and Jay Beale’s Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing One of the reasons for the success of these books has been our unique solutions@syngress.com program Through this site, we’ve been able to provide readers a real time extension to the printed book As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program Once you have registered, you will enjoy several benefits, including: ■ Four downloadable e-booklets on topics related to the book Each booklet is approximately 20-30 pages in Adobe PDF format They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book ■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job ■ A “From the Author” Forum that allows the authors of this book to post timely updates and links to related sites, or additional topic coverage that may have been requested by readers Just visit us at www.syngress.com/solutions and follow the simple registration process You will need to have this book with you when you register Thank you for giving us the opportunity to serve your needs And be sure to let us know if there is anything else we can to make your job easier Configuring Check Point NGX VPN-1/FireWall-1 Robert Stephens Barry J Stiefel Stephen Watkins Simon Desmeules Technical Editor Eli Faskha Assistant Technical Editor FOREWORD BY DAMEON D WELCH-ABERNATHY A.K.A PHONEBOY Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) not guarantee or warrant the results to be obtained from the Work There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents Because some states not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc “Syngress:The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc Brands and product names mentioned in this book are trademarks or service marks of their respective companies KEY SERIAL NUMBER 001 HJIRTCV764 002 PO9873D5FG 003 829KM8NJH2 004 JKBBBXZ349 005 CVPLQ6WQ23 006 VBP965T5T5 007 HJJJ863WD3E 008 2987GVTWMK 009 629MP5SDJT 010 IMWQ295T6T PUBLISHED BY Syngress Publishing, Inc 800 Hingham Street Rockland, MA 02370 Configuring Check Point NGX VPN-1/FireWall-1 Copyright © 2005 by Syngress Publishing, Inc All rights reserved Printed in the United States of America Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication Printed in the United States of America ISBN: 1-59749-031-8 Publisher: Andrew Williams Acquisitions Editor: Gary Byrne Technical Editor: Simon Desmeules Assistant Technical Editor: Eli Faskha Page Layout and Art: Patricia Lupien Copy Editors: Adrienne Rebello and Judy Eby Indexer: Odessa&Cie Cover Designer: Michael Kavish Distributed by O’Reilly Media, Inc in the United States and Canada For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585 Acknowledgments Syngress would like to acknowledge the following people for their kindness and support in making this book possible Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc.The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle Hart, Sara Winge, C J Rayhill, Peter Pardo, Leslie Crandell, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, Rob Bullington, and Aileen Berg The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books David Scott,Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands v Contributing Authors Ralph Bonnell (CISSP, Linux LPIC-2, Check Point CCSI, Check Point CCSE+, Cisco CCNA, Microsoft MCSE: Security, RSA Security RSA/CSE, StoneSoft CSFE, Aladdin eSCE, CipherTrust PCIA, ArcSight ACIA, SurfControl STAR, McAfee MIPS-I, McAfee MIPS-E, Network Associates SCP, Blue Coat BSPE, Sygate SSEI, Sygate SSEP, Aventail ACP, Radware CRIE) is a Senior Information Security Consultant currently employed at SiegeWorks in Seattle, WA Ralph has been working with Check Point products professionally since 1999 His primary responsibilities include the deployment of various network security products, network security product support, and product training His specialties include Check Point and NetScreen deployments, Linux client and server deployments, Check Point training, firewall clustering, BASH scripting, and PHP Web programming Ralph contributed to Configuring Netscreen Firewalls (Syngress Publishing, ISBN: 1-932266-39-9) Ralph also runs a Linux consulting firm called Linux Friendly Ralph is married to his beautiful wife, Candace In memory of Vincent Sage Bonnell Larry Chaffin (CISSP, PMP, JNCIE, MBCP, CWNP, NNCSE, NNCDE,CCNP, CCDP, CCNP-WAN, CCDP-WAN) is the CEO/Chairman of Pluto Networks and the Vice President of Advanced Network Technologies for Plannet Group He is an accomplished author; he cowrote Managing Cisco Network Security (ISBN: 1-931836-56-6) and has also been a coauthor/ghost writer for 11 other technology books for VoIP, WLAN, security, and optical technologies Larry has more than 29 vendor certifications such as the ones already listed, plus Cisco VoIP, Optical, Security, VPN, IDS, Unity and WLAN He is also certified by Nortel in DMS Carrier Class Switches along with CS100’S, MCS5100, Call Pilot, and WLAN Many other certifications come from vendors like vii Microsoft, VMware, PeopleSoft, Avaya, IBM, and HP Larry has been a Principal Architect around the world in 22 countries for many Fortune 100 companies designing VoIP, Security, WLAN, and optical networks His next project is to write a book on Nortel VoIP and a new security architecture book he has designed for VoIP and WLAN networks Simon Coffey (CISSP, CCSE, CCSA) has eight years’ experience working with Check Point products, providing support, training, and consultancy services He is currently based in Reading, UK, working as a Support Consultant with Integralis, a security systems integrator He is also a member of the Theale Volunteer Networking Group Simon was a contributor to Check Point NG VPN1/FireWall-1 Advanced Configuration and Troubleshooting (Syngress, ISBN: 1-931836-97-3) and coauthor of Check Point NG VPN1/FireWall-1 High Availability & Clustering e-book (Syngress) More recently, he has been involved in testing of the early availability release of NGX Chris Geffel (CISSP) is a Manager of Operations at VigilantMinds, Inc., a national managed security services provider (MSSP), headquartered in Pittsburgh, PA Chris is responsible for overseeing VigilantMinds’ Secure Network Services, which include managed firewall and managed Cisco solutions He has more than 10 years of professional experience in information systems, seven of which have been focused on information security Stephen Horvath (CISSP) is an Information Assurance Engineer for Booz Allen Hamilton in Linthicum, MD He has been working with Check Point Firewalls for the last seven years, including Check Point 3.0b, 4.1, NG with Application Intelligence, and NGX Steve was also a beta tester for Check Point’s Edge SOHO devices prior to their release in early 2004 Steve’s technical background is with computer and network forensics, firewalls, enterprise management, viii network and host IDS/IPS, incident response, UNIX system administration, and DNS management He has extensive experience in network design with emphasis on high availability, security, and enterprise resilience Eric Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, MCSE, CNE) has nine years of experience in the computer industry, with the last seven years spent in the financial services industry working for a Fortune 100 company Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company While Eric has been working in the financial services industry, his responsibilities have included server administration, disaster recovery, business continuity coordination,Y2K remediation, and network vulnerability assessment He has spent the last several years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks Eric has also been the technical editor and coauthor of several other publications Robert Stephens (CISSP, CCSE+, NSA, NSA-IAM) was a contributor to Check Point NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting (Syngress, ISBN: 1-931836-97-3) Robert is a Senior Security Consultant at VigilantMinds Inc., a national managed security services provider (MSSP), headquartered in Pittsburgh, PA Current work responsibilities focus on his firewall expertise He has more than a decade of experience in network design, implementation, and security Robert holds a bachelor’s degree in Criminology from the University of Pittsburgh and a master’s degree in Management Information Systems from Duquesne University ix Barry J Stiefel (“Stee-ful”) (CCSA/CCSE/CCSE+/CCSI, CISSP, NSA IAM, MCSE, CCNA, RCSA/RCSE/RCSI, FCSE) is the Founder and President of CPUG,The Check Point User Group (www.cpug.org) He’s been a Check Point implementer, consultant, courseware developer, author, speaker, and instructor since 1997 and provides the only Check Point training course that includes earning the CCSA and CCSE certifications right in the classroom He is coauthor on CCSA Next Generation Check Point Certified Security Administrator Study Guide and Check Point NG VPN1/FireWall-1: Advanced Configuration and Troubleshooting, both by Syngress Publishing He is also the President of Information Engine, Inc (www.InformationEngine.com), a consulting and technical services firm, and was previously the President of the Windows NT Engineering Association He holds a B.S and MBA from the University of California He lives and works in San Francisco In his lab, he has more firewalls and routers than he needs, but not as many as he wants Stephen Watkins (CISSP) is an Information Security Professional with more than 10 years of relevant technology experience, devoting eight of these years to the security field He currently serves as Information Assurance Analyst at Regent University in southeastern Virginia Before coming to Regent, he led a team of security professionals providing in-depth analysis for a global-scale government network Over the last eight years, he has cultivated his expertise with regard to perimeter security and multilevel security architecture His Check Point experience dates back to 1998 with FireWall-1 version 3.0b He has earned his B.S in Computer Science from Old Dominion University and M.S in Computer Science, with Concentration in Infosec, from James Madison University He is nearly a lifelong resident of Virginia Beach, where he and his family remain active in their church and the local Little League x ... been working with Check Point Firewalls for the last seven years, including Check Point 3.0b, 4.1, NG with Application Intelligence, and NGX Steve was also a beta tester for Check Point s Edge SOHO... IMWQ295T6T PUBLISHED BY Syngress Publishing, Inc 800 Hingham Street Rockland, MA 02370 Configuring Check Point NGX VPN-1/ FireWall-1 Copyright © 2005 by Syngress Publishing, Inc All rights reserved Printed... Simon was a contributor to Check Point NG VPN1 /FireWall-1 Advanced Configuration and Troubleshooting (Syngress, ISBN: 1-931836-97-3) and coauthor of Check Point NG VPN1 /FireWall-1 High Availability