CheckPoint Firewall Interview Question Part 5

Interview Question

I would like to cover some important and frequently asked Q&A in this Page. You all are also invited to share your replies and suggestions. I hope this page will be useful for all the Network and Network Security Domain Students, Job-Seekers, Professionals, Trainers, etc.


Q.1      What is Checkpoint Architecture? 

Check Point has developed a Unified Security Architecture that is implemented throughout all of its security products. This Unified Security Architecture enables all Check Point products to be managed and monitored from a single administrative console and provides a consistent level of security. 

The Check Point Unified Security Architecture is comprised of four main components:

Core Technologies: - Check Point uses a common set of core technologies, such as INSPECT for security inspection, across multiple layers of security.

Central Management: - All Check Point products can be managed and monitored from a single administrative console.

Open Architecture: - Check Point has built its security architecture to be open and interoperable in a heterogeneous environment. For example, Check Point products can interoperate with other network and security equipment from third-party vendors to enable cooperative enforcement of Security Policies.

Universal-update Ability: - Check Point has consolidated multiple security-alert and update functions to ease update procedures and help Administrators ensure that security is always up-to-date.

Q.2      How Checkpoint Component communicate and Sync with each other?
Secure Internal Communications (SIC) is the Check Point feature that ensures components, such as Security Gateways, SmartCenter Server, SmartConsole, etc. can communicate with each other freely and securely using a simple communication initialization process.

Q.3      What are the major differences between SPLAT and GAIA?

Gaia is the latest version of Checkpoint which is a combination of SPLAT and IPSO. Here are some benefits of Gaia as compare to SPLAT/IPSO.

1. Web-Based user interface with Search Navigation
2. Full Software Blade support
3. High connection capacity
4. Role-Based administrative Access
5. Intelligent Software updates
6. Native IPv4 and IPv6 Support
7. ClusterXL or VRRP Clusters
8. Manageable Dynamic Routing Suite
9. Full Compatibility with IPSO and SecurePlatform.

For more information you can checkpoint official page on this topic:

Q.4      What are the different – different Checkpoint Ports and purpose of these ports?


21           TCP       ftp File transfer Protocol (control)
21           UDP      ftp File transfer Protocol (control)
22           Both      ssh SSH remote login
25           Both      SMTP Simple Mail transfer Protocol
50                         Encryption IP protocols esp – IPSEC Encapsulation Security Payload
51                         Encryption IP protocols ah – IPSEC Authentication Header Protocol
53           Both      Domain Name Server
69           Both      TFTP Trivial File Transfer Protocol
94           TCP      Encryption IP protocols fwz_encapsulation (FW1_Eencapsulation)
137         Both      Netbios-ns NETBIOS Name Service
138         Both      netbios-dgm NETBIOS Datagram
139         Both      netbios-ssn NETBIOS Session
256         TCP      FW1 (fwd) policy install port FWD_SVC_PORT
257         TCP      FW1_log FW1_log FWD_LOG_PORT
258         TCP      FW1_mgmt FWM_SSVVC_PORT
259         TCP      FW1_clientauth_telnet
259         UDP      RDP Reliable Datagram Protocol
260         TCP      sync
260         UDP      FW1_snmp FWD_SNMP_PORT
261         TCP      FW1_snauth Session Authentication Daemon
262         TCP      MDQ – mail dequer
263         TCP      dbs
264         TCP      FW1_topop Check Point SecureClient Topology Requests
265         TCP      FW1_key Check Point VPN-1 Public key transfer protocol
389         Both      LDAP Secure Client connecting to LDAP without SSL
443                       SNX VPN can use 443 too
444         TCP      SNX VPN SNX VPN tunnel in connectra only
500         UDP      IPSEC IKE Protocol (formerly ISAKMP/Oakley)
500         TCP      IKE over TCP
514         UDP     Syslog Syslog
636         LDAP   Secure Client connecting to LDAP with SSL
900         TCP      FW1_clntauth_http Client Authentication Daemon
981                       Management https on the edge
1494       TCP      Winframe Citrix
1645       TCP       Radius
1719       UDP      VOIP
1720       TCP       VOIP
2040       TCP       MIP meta Ip admin server
2746    UDP   UDP encapsualtion for SR VPN1_IPSEC_encapsulation VPN1_IPSEC    encapsulation
2746       TCP       CPUDPENCap
4000                      Policy Server Port (Redmond)
4433       TCP       Connectra Admin HTTPS Connectra admin port
4500       UDP       NAT-T NAT Traversal
4532       TCP       SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm,
5001       TCP       Meta IP Web Connection, MIP
5002       TCP       Meta IP DHCP Failover
5004       TCP       Meta IP UAM
5005       TCP       Meta IP SMC
6969       UDP       KP_PORT KeyProt
8116       UDP       Check Point HA SyncMode= CPHAP (new sync mode)
8116       UDP       Connection table synchronization between firewalls
8989       TCP       CPIS Messaging MSG_DEFAULT_PORT
8998       TCP       MDS_SERVER_PORT
9000                      Command Line Port for Secure Client
10001     TCP       Default CPRSM listener port for coms with RealSecure Console
18181     TCP       FW1_cvp Check Point OPSEC Content Vectoring Protocol
18182     TCP       FW1_ufp Check Point OPSEC URL Filtering Protocol
18183     TCP     FW1_sam Check Point OPSEC Suspicious Activity monitoring Proto (SAM API)
18184     TCP       FW1_lea Check Point OPSEC Log Export API
18185     TCP       FW1_omi Check Point OPSEC Objects Management Interface
18186    TCP     FW1_omi-sic Check Point OPSEC Objects management Interface with Secure Internal Communication
18187     TCP       FW1_ela Check Point OPSEC Event Loging API
18190     TCP       CPMI Check Point Management Interface
18191     TCP       CPD Check Point Daemon Proto NG
18192     TCP       CPD_amon Check Point Internal Application Monitoring NG
18193     TCP       FW1_amon Check Point OPSEC Appication Monitoring NG
18201     TCP       FGD_SVC_PORT
18202     TCP       CP_rtm Check Point Real time Monitoring
18203     TCP       FGD_RTMP_PORT
18204     TCP       CE communication
18205     TCP       CP_reporting Check Point Reporting Client Protocol
18207     TCP       FW1_pslogon Check Point Policy Server logon Protocol
18208     TCP       FW1_CPRID (SmartUpdate) Check Point remote Installation Protocol
18209     TCP       FWM CA for establishing SIC communication
18210     TCP       FW1_ica_pull Check Point Internal CA Pull Certificate Service
18211     TCP       FW1_ica_pull Check Point Internal CA Push Certificate Service
18212     UDP       Connect Control – Load Agent port
18213     TCP       cpinp: inp (admin server)
18214     TCP       cpsmc: SMC
18214     UDP       cpsmc: SMC Connectionless
18221     TCP       CP_redundant Check Point Redundant Management Protocol NG
18231     TCP       FW1_pslogon_NG Check Point NG Policy Server Logon Protocol
18231     TCP       NG listens on this port by default dtps.exe
18232     TCP       FW1_sds_logon Check Point SecuRemote Distribution Server Protocol
18233 UDP    Check Point SecureClient Verification Keepalive Protocol FW1_scv_keep_alive
18241     UDP      e2ecp
18262     TCP      CP_Exnet_PK Check Point Public Key Resolution
18263     TCP      CP_Exnet_resolve Check Point Extranet remote objects resolution
18264     TCP     FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services
19190     TCP     FW1_netso Check Point OPSEC User Authority Simple Protocol
19191     TCP      FW1_uaa Check point OPSEC User Authority API
65524            FW1_sds_logon_NG Secure Client Distribution Server Protocol (VC and Higher)

Q.5      How SIC work? What are the different ports of SIC?

Secure Internal Communication (SIC) lets Check Point platforms and products authenticate with each other. The SIC procedure creates a trusted status between gateways, management servers and other Check Point components. SIC is required to install polices on gateways and to send logs between gateways and management servers.

These security measures make sure of the safety of SIC:

1. Certificates for authentication
2. Standards-based SSL for the creation of the secure channel
3. 3DES for encryption

The Internal Certificate Authority (ICA)

The ICA is created during the Security Management server installation process. The ICA is responsible for issuing certificates for authentication. For example, ICA issues certificates such as SIC certificates for authentication purposes to administrators and VPN certificates to users and gateways.

Initializing the Trust Establishment Process

Communication Initialization establishes a trust between the Security Management server and the Check Point gateways. This trust lets Check Point components communicate securely. Trust can only be established when the gateways and the server have SIC certificates.

Note - For SIC to succeed, the clocks of the gateways and servers must be synchronized.

The Internal Certificate Authority (ICA) is created when the Security Management server is installed. The ICA issues and delivers a certificate to the Security Management server.

To initialize SIC:

1. Decide on an alphanumeric Activation Key.
2. In SmartDashboard, open the gateway network object. In the General Properties page of the gateway, click Communication to initialize the SIC procedure.
3. In the Communication window of the object, enter the Activation Key that you created in step 2.
4. Click Initialize.

The ICA signs and issues a certificate to the gateway. Trust state is Initialized but not trusted. The certificate is issued for the gateway, but not yet delivered.

SSL negotiation takes place. The two communicating peers are authenticated with their Activation Key.

The certificate is downloaded securely and stored on the gateway.

After successful Initialization, the gateway can communicate with any Check Point node that possesses a SIC certificate, signed by the same ICA. The Activation Key is deleted. The SIC process no longer requires the Activation Key, only the SIC certificates.

Checkpoint SIC Ports

18209     tcp          NGX Gateways <> ICAs (status, issue, or revoke).
18210     tcp          Pulls Certificates from an ICA.
18211     tcp          Used by the cpd daemon (on the gateway) to receive Certificates. 

Q.6      Checkpoint Packet flow for SNAT and DNAT?
In case of SNAT


Session lookup

Policy lookup



In case of DNAT


Session lookup

Policy lookup


Q.7      What is the main different between cpstop/cpstart and fwstop/fwstart?
Using cpstop and then cpstart will restart all Check Point components, including the SVN foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1. 

Q.8      What are the functions of CPD, FWM, and FWD processes?
CPD – CPD is a high in the hierarchical chain and helps to execute many services, such as Secure Internal Communication (SIC), Licensing and status report.
FWM – The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is; therefore, responsible for Policy installation, Management High Availability (HA) Synchronization, saving the Policy, Database Read/Write action, Log Display, etc.
FWD – The FWD process is responsible for logging. It is executed in relation to logging, Security Servers and communication with OPSEC applications.

Q.9      What is Anti-Boat?
Q.10    How to block ICMP tunnel in checkpoint?
Q.11    Difference between fwstop and cpstop?
Q.12    What are the services which impacted during cpstop and spstart?
Q.13    What is CPinfo? And why it is used?
Q.14    What are Cluster_XL, Secure_XL and CORE_XL?
Q.15    What is Provider1?
Q.16    What is MDF Database?
Q.17    How to configure SMC HA?
Q.18    How to check License via Smartview Monitor?
Q.19    How to configure perform DNAT before routing via Global Properties?


Q.1      Which protocol use in Checkpoint for Clustering?
Q.2      How Cluster_XL works? What the ports used by Cluster_XL?
Q.3      What are the New and Legacy Mode in Clustering?
Q.4      What are Delta and Full Mode in Clustering?
Q.5      Step by Step Process of Configuring Checkpoint Cluster?
Q.6      How to use VRRP for Checkpoint Clustering?


Q.1      Difference between IPSec and SSL VPN?
Q.2      Difference between Domain Base and Route Base VPN?
Q.3   What are the protocols of IPSec? And what are the Protocol numbers of IPSec Protocols.?
Ans.   IPSec use two Protocols AH (Authentication Header) and ESP (Encapsulated Security Payload). AH works on Protocol number 51 and ESP works on Protocol number 50. 
Q.4      What is NAT traversal? Where it used?
Q.5      How use NAT in VPN Tunnel?
Q.6      What is Norm in IPSec?
Q.7    What the Phases of IPSec VPN? And many messages being exchanged in MAIN and QUICK Mode? What are these messages?
Q.8      What is Encryption Domain?
Q.9     IPSec works at which OSI layer?
Ans.   IP Layer (Network Layer and provide security services Network Layer and above). 


  1. Very selective question on TCP Los Angeles checkpoint firewall.Get an idea about it by reading this blog post.


Post a Comment

Popular posts from this blog

tcpdumps in Checkpoint Firewall

Download IOS Image for Router