Frequently Asked Questions.
How This Book Came to Be.What This Book Is and Is Not.Conventions.Acknowledgments.
1. Introduction to Firewalls.
What Is a Firewall?What a Firewall Cannot Do.An Overview of Firewall Security Technologies.What Kind of Firewall Is FireWall-1?Do You Really Need FireWall-1?More Information.
2. Planning Your FireWall-1 Installation.
Network Topology.Developing a Site-Wide Security Policy.Fun with Check Point Licensing.Summary.
3. Installing FireWall-1.
Selecting an Operating System.Installing the Operating System.Beginning the FireWall-1 Installation.Upgrading from FireWall-1 4.1.Summary.
4. Building Your Rulebase.
The Management GUIs.The Rulebase Components.The Rulebase.Making Your First Rulebase.Frequently Asked Questions.Troubleshooting.Summary.
5. Logging and Alerting.
SmartView Status.SmartView Tracker.Alerts.Log Maintenance.Summary.
6. Common Issues.
Common Configuration Questions.Common Error Messages in the System Log.Service-Related Questions.Problems with Stateful Inspection of TCP Connections.Problems with FTP.Summary.
7. Remote Management.
The Components.Secure Internal Communication.Special Remote Management Conditions.What You Can Do with Remote Management.Moving Management Modules.Highly Available Management Modules.Troubleshooting Remote Management Issues.Large-Scale Management Issues.Security Policies.Summary.
8. User Authentication.
Passwords.How Users Authenticate.Setting Up Authentication.Setting Up User Authentication.Setting Up Session Authentication.Setting Up Client Authentication.Integrating External Authentication Servers.Clientless VPN.Frequently Asked Questions.Troubleshooting Authentication Problems.Summary.Sample Configurations.
9. Content Security.
The Security Servers.The HTTP Security Server.The FTP Security Server.The SMTP Security Server.The TCP Security Server.General Questions about the Security Servers.Debugging the Security Servers.SummarySample Configurations.
10. Network Address Translation.
Introduction to Address Translation.RFC1918 and Link-Local Addresses.How NAT Works in FireWall-1.Implementing NAT: A Step-by-Step Example.Limitations of NAT.Troubleshooting NAT with a Packet Sniffer.Summary.Sample Configurations.
11. Site-to-Site VPN.
Introduction to a VPN.A Word about Licensing.FWZ, IPSec, and IKE.How to Configure Encryption.Frequently Asked Questions about VPNs in FireWall-1.Troubleshooting VPN Problems.Summary.Sample Configurations.
12. SecuRemote and SecureClient.
Introduction to SecuRemote and SecureClient.A Word about Licensing.Configuring SecuRemote on FireWall-1.Office Mode.Microsoft L2TP Clients.High-Availability and Multiple Entry Point Configurations.Microsoft Networking and SecureClient.SecureClient Packaging Tool.Frequently Asked Questions.Troubleshooting.No Response for Desktop Policy Server.Summary.Sample Configurations.
13. High Availability.
State Synchronization's Role in High Availability.Implementing High Availability.Frequently Asked Questions Regarding State Synchronization.Error Messages That Occur with ClusterXL or State Synchronization.Summary.
What Is INSPECT?Basic INSPECT Syntax 5How Your Rulebase Is Converted to INSPECT.Sample INSPECT Code.Summary.
Appendix A. Securing Your Bastion Host.
Securing Solaris.Securing Windows NT.Securing Windows 2000.Securing Linux.
Appendix B. Sample Acceptable Usage Policy.
Appendix C. firewall-1.conf File for Use with OpenLDAP v1.
Appendix D. firewal1.schema File for Use with OpenLDAP v2.
Appendix E. Performance Tuning.
Number of Entries Permitted in Tables.Memory Used for State Tables.Tweaks for Specific Operating Systems.
Appendix F. Sample defaultfilter.pf File.
Appendix G. Other Resources.
Appendix H. Further Reading.
This book explains how to build, implement, and maintain Check Point FireWall-1 NG, the follow-on to the world's best-selling firewall product. It's packed with tools, tricks, tips, and checklists not found anywhere else. Every major feature of FireWall-1 NG is covered. Filled with screen shots and sample configurations, this book features step-by-step instructions that can be replicated easily on standard equipment. "Phoneboy has made a name for himself in the Firewall industry in relation to Check Point. People will buy his book because he is a good resource, and they appreciate his knowledge base."--Jed Daniels, support engineer, Nokia"This book is an update to an already classic work. Dameon has taken his original definitive guide and updated it thoroughly for NG. No other book on the market is informed by his depth of experience with Check Point. Accept no substitutes!"--Matthew Gast, Trapeze Networks
Dameon D. Welch-Abernathy, a.k.a. "PhoneBoy," has been supporting, deploying, and teaching Check Point FireWall-1(R) since 1996. He has assisted and instructed thousands of network professionals and currently maintains the largest industry FAQ site on FireWall-1(R) NG at http://blog.phoneboy.com/. Dameon works for Product Line Support at Nokia. 0321180615AB10212003