Category Archives: CheckPoint

I got my Check Point CCSA cert on R77

I´ve been working for a long time with Check Point but i did not take any exam, but this was in my objectives for a long time…. So i decided about 1 month ago to start studying for this and was not hard to be honest. The funny thing on Check Point is every Major release it changes the exam Title but that doesn´t mean you don´t know how to work with.


I used the CBT Nuggets GAIA R76 for this and was enough to pass even not be for R77 (minor changes),  i would play more with authentication stuff when i will have time.  This was the first time i used CBT and worth every euro i spent.

Check Point also provide a study guide for this exam, which you can find here.

Videos Overview

1. Welcome! (7 min)
2. Check Point Fundamentals (16 min)
3. Installing GAiA (31 min)
4. Linking the Manager & Firewall (26 min)
5. Pushing Policy (34 min)
6. NAT (34 min)
7. Policy Packages & Database Versions (32 min)
8. SmartView Tracker (28 min)
9. SmartView Monitor (20 min)
10. LDAP (22 min)
11. Identity Awareness (35 min)
12. App Control and URL Filtering (31 min)
13. HTTPS Inspection (26 min)
14. CLI (27 min)
15. IPsec VPNs (Site to Site) (36 min)
16. Backup and Recovery (16 min)
17. Smart Update (14 min)
18. Additional Check Point Features (27 min)
19. CCSA Exam Success (16 min)


Exam: 156-215.77
: 100 +30 extension
Questions: 70 to 100
Minimum to Pass:70%
Valid for: 2 Years

The questions are a random number and because i´m a lucky man i got 100 questions, it freezes me at the beginning but after do 75 of them and with spare time to review i thought i would have a good chance to pass.

I leave here my notes guys to help you out.

And yes, i PASSED! Check Point needs 6 to 8 weeks to issue your certificate and Kit, so keep calm and you will get soon your certification in UserCenter.CCSAReferences:

Security Administration (Check Point Certified Security Administrator (CCSA) R77)

CBT Check Point Security

Check Point Training FAQ


Check Point Order of Operations

Após alguma pesquisa a Check Point não é muito clara neste tema nas plataformas mais recentes. Este “Order of Operations” aplica-se ao FireWall-1 , e eventualmente ás novas plataformas.

Ligações estabelecidas são permitidas desde que estejam listados nas tabelas de estado e são aceites NATED conforme necessário. Para novas conexões, o FireWall-1 segue esta ordem de operações:

  • Inbound anti-spoof check (verifies that the source IP is included in the interface’s Topology setting)
  • Inbound check against the rulebase (includes properties)
  • NAT, if appropriate properties are enabled (see Chapter 10)
  • Outbound check against the rulebase (includes properties)
  • NAT, if appropriate properties are not enabled (see Chapter 10)

A base de regra é aplicada nas direções especificadas nas regras pelo “Install On field“. Na maior parte dos casos, isso significa que ambos entram e saem da gateway. No entanto, se uma regra especifica Src (saída) ou Dst (entrada), a regra aplica-se apenas nessa direção. Uma vez que um pacote coincide com uma regra, ele executa a ação listada no “Action field“,  não processando mais nenhuma regra. Para conexões autenticadas não passando por Security Servers, as regras e propriedades são processadas na seguinte ordem:

  • Rulebase properties listed as First are processed. Matches are accepted and not logged.
  • Rules 1 through n+1 (assuming n rules) are processed and logged according to their individual settings.
  • Rulebase properties listed as Before Last are then processed. Matches are accepted and not logged.
  • Rule n is processed and logged according to its setting.
  • Rulebase properties listed as Last are then processed. Matches are accepted and not logged.
  • The Implicit Drop rule is matched (no logging occurs).


Check Point Firewall

Visio Stencils para Checkpoint

Por vezes torna-se difícil encontrar Stencils de determinados Fabricantes, alguém (Fireverse) teve a brilhante ideia de juntar todos os “bonecos” nos documentos que a Checkpoint disponibiliza para os Empregados, Parceiros e clientes e disponibilizar ao público em geral. Curioso que até ao momento não existe nada Oficial.

Update 30 Outubro 2014

Foram adicionados mais alguns stencils aos já disponibilizados:

Check Point Related Shapes v20140307.vss
Check Point SDP.vss
CheckPointAppliances v20140420.vss
Software Blades v20131202.vss




Comandos Checkpoint

Os comandos na CheckPoint geralmente começam com cp (general), fw (firewall), e fwm (management).


cphaprob stat List cluster status
cphaprob -a if List status of interfaces
cphaprob syncstat <span “>shows the sync status
cphaprob list Shows a status in list form
cphastart/stop Stops clustering on the specfic node
cp_conf sic SIC stuff
cpconfig config util
cplic print prints the license
cprestart Restarts all Check Point Services
cpstart Starts all Check Point Services
cpstop Stops all Check Point Services
cpstop -fwflag -proc Stops all checkpoint Services but keeps policy active in kernel
cpwd_admin list List checkpoint processes
cplic print Print all the licensing information.
cpstat -f all polsrv Show VPN Policy Server Stats
cpstat Shows the status of the firewall
fw tab -t sam_blocked_ips Block IPS via SmartTracker
fw tab -t connections -s Show connection stats
fw tab -t connections -f Show connections with IP instead of HEX
fw tab -t fwx_alloc -f Show fwx_alloc with IP instead of HEX
fw tab -t peers_count -s Shows VPN stats
fw tab -t userc_users -s Shows VPN stats
fw checklic Check license details
fw ctl get int [global kernel parameter] Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value] Sets the current value of a global keneral parameter. Only Temp ; Cleared after reboot.
fw ctl arp Shows arp table
fw ctl install Install hosts internal interfaces
fw ctl ip_forwarding Control IP forwarding
fw ctl pstat System Resource stats
fw ctl uninstall Uninstall hosts internal interfaces
fw exportlog .o Export current log file to ascii file
fw fetch Fetch security policy and install
fw fetch localhost Installs (on gateway) the last installed policy.
fw hastat Shows Cluster statistics
fw lichosts Display protected hosts
fw log -f Tail the current log file
fw log -s -e Retrieve logs between times
fw logswitch Rotate current log file
fw lslogs Display remote machine log-file list
fw monitor Packet sniffer
fw printlic -p Print current Firewall modules
fw printlic Print current license details
fw putkey Install authenication key onto host
fw stat -l Long stat list, shows which policies are installed
fw stat -s Short stat list, shows which policies are installed
fw unloadlocal Unload policy
fw ver -k Returns version, patch info and Kernal info
fwstart Starts the firewall
fwstop Stop the firewall
fwm lock_admin -v View locked admin accounts
fwm dbexport -f user.txt used to export users , can also use dbimport
fwm_start starts the management processes
fwm -p Print a list of Admin users
fwm -a Adds an Admin
fwm -r Delete an administrator

Provider 1

mdsenv [cma name] Sets the mds environment
mcd Changes your directory to that of the environment.
mds_setup To setup MDS Servers
mdsconfig Alternative to cpconfig for MDS servers
mdsstat To see the processes status
mdsstart_customer [cma name] To start cma
mdsstop_customer [cma name] To stop cma
cma_migrate To migrate an Smart center server to CMA
cmamigrate_assist If you dont want to go through the pain of tar/zip/ftp and if you wish to enable FTP on Smart center server


vpn tu VPN utility, allows you to rekey vpn
vpn ipafile_check ipassignment.conf detail‏ Verifies the ipassignment.conf file
dtps lic show desktop policy license status
cpstat -f all polsrv show status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip] delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip] delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip] show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip] show Phase 2 SA
vpn shell show interface detailed [VTI name] show VTI detail


fw ctl zdebug drop shows dropped packets in realtime / gives reason for drop


router Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only)
backup Allows you to preform a system operating system backup
restore Allows you to restore your backup
snapshot Performs a system backup which includes all Check Point binaries. Note : This issues a cpstop.


vsx get [vsys name/id] get the current context
vsx set [vsys name/id] set your context
fw -vs [vsys id] getifs show the interfaces for a virtual device
fw vsx stat -l shows a list of the virtual devices and installed policies
fw vsx stat -v shows a list of the virtual devices and installed policies (verbose)
reset_gw resets the gateway, clearing all previous virtual devices and settings.

Installation failed. Reason: Load on Module failed – failed to load Security Policy

Após compilar mais umas regras na Checkpoint NGX R60 deparei-me com o erro que deu origem ao título deste artigo.
Os objectos/regras não gostam (English only) de caracteres especiais, ou seja, acentos. Após removê-los das novas regras e fazer o deploy o problema já era :)