Check Point NG VPN-1/FireWall-1

Configuring Codecs on an H.323 Gateway Normally you configure only one codec when you configure a dial peer on a gateway. However, you can configure a prioritized list of codecs to increase the probability of establishing a connection between endpoints during the H.245 exchange phase. Codec-order preservation is enabled by default in Cisco gateways running […]

Implementing SIP Gateways (Examining VoIP Gateways and Gateway Control Protocols) Part 2

Call Setup Using a Redirect Server A redirect server is programmed to discover a path to the destination. Instead of forwarding the INVITE to the destination, the redirect server reports back to a UA with the destination coordinates the UA should try next, as indicated in Figure 5-26. Figure 5-26 Call Setup Using a Redirect […]

Understanding and Configuring SmartDefense (Check Point) Part 2

Denial of Service This section of SmartDefense deals with some common Denial of Service (DoS) attacks that are used to crash the target machine. These particular attacks are able to crash systems by sending illegal packets (packets that do not conform to the RFC standard for the specific protocol) that the receiving system is unable […]

Understanding and Configuring SmartDefense (Check Point) Part 3

SYN Attack A SYN attack is a Denial of Service attack that abuses the flags that are used to initiate a TCP session. This attack can cause the destination server to stop accepting new connections from valid hosts because it is busy waiting for responses from the attacker’s false sessions. Notes from the Underground TCP 3-Way […]

Understanding and Configuring SmartDefense (Check Point) Part 4

Small PMTU PMTU stands for Path Maximum Transmission Unit. Each hop between the client and server may have a different maximum packet size. PMTU is a method for a server to discover what the smallest MTU is when communicating with a client. Once the client discovers the smallest MTU of any hop along the path […]

Understanding and Configuring SmartDefense (Check Point) Part 5

HTTP This section contains the attacks that exploit vulnerabilities in the HTTP protocol. Most of these features are designed to filter malformed requests that usually are not seen in a valid HTTP stream by checking for excessive field lengths and abnormal characters. In addition, Check Point has added a new feature that scans for HTTP […]

Understanding and Configuring SmartDefense (Check Point) Part 6

Mail and Recipient Content This SMTP category focuses on scanning the data that is passed in an e-mail, specifically the Multipurpose Internet Mail Extensions (MIME) information that is used to identify the accompanying data in the e-mail message. When an e-mail message is created, MIME information is placed in the e-mail header to describe to […]

Troubleshooting Performance Pack (Check Point)

Few areas of Performance Pack will need troubleshooting. Check Point has made Performance Pack a very simple product. It seamlessly improves the performance of Firewall-1/VPN-1, with very little configuration necessary. If you do suspect Performance Pack is causing trouble, turn it off using fwaccel off, then see whether your issue remains. That being said, there […]

Special Considerations for ClusterXL in Load-Sharing Mode (High Availability and Clustering) (Check Point)

We have covered the principles of how ClusterXL in Load-Sharing mode works. We now contrast and compare how the special considerations for ClusterXL in Load-Sharing mode differ relative to other cluster modes. Network Address Translation ClusterXL in Load-Sharing mode is actually quite forgiving with regard to NAT and how proxy ARP is performed, unlike HA […]

Static NAT Changes from 4.x to NG (FW-1 NG Operational Changes) (Check Point) Part 1

Introduction In the latest release of FireWall-1 NG, Feature Pack 3 (NG-FP3), Check Point Software has introduced many new features. This topic discusses some fundamental changes in the software’s methods of operation from 4.x to NG. Some of the key changes in NG include a much faster kernel, a revamp of static Network Address Translation (NAT), and the […]