Summary of Check Point's NGX R65

This last section of the chapter excerpt will summarize the material covered in the previous chapters.

By Ralph Bonnell

Service Provider Takeaway: Check Point's NGX R65 is the primary security software platform for the company's enterprise firewall, VPN and management solutions. NGX R65 is the newest release from the company. This section of the chapter excerpt, from Check Point NGX R65 Security Administration by Ralph Bonnell, will summarize the concepts learned in previous sections.

Check Point releases a major upgrade to its core VPN-1 product every two or three years, and version NGX R65 is the latest in this line.

SmartDefense and Web Intelligence have received moderate upgrades in the NGX R65. This is still a fascinating set of tools for the network security administrator to understand and configure against all sorts of higher-level attacks.

Eventia Reporter provides a way to tackle those large and growing log files and provide detailed, informative reports and traffic analysis.

VPN functionality has seen significant improvements and now delivers on the full promise of the enhanced community-based VPNs we saw in the previous version.

SecurePlatform continues to evolve and improve. The product line is now split, with the addition of SecurePlatform Pro, which offers dynamic routing and support for Remote Authentication Dial-in User Service (RADIUS) authentication for firewall administrators. Dynamic routing adds some risk and some complexity, and is now available to those larger organizations that wish to more fully integrate the underlying router in their Check Point firewalls into their existing dynamic routing configuration.

Solutions Fast Track

New SmartPortal Features

■SmartPortal allows the firewall administrator to extend browser-based access to the SCS to persons outside the security team and to those on PCs without the GUI clients.

■SmartPortal is essentially a secure Web interface into your SCS for viewing policies and logs.

■You can install SmartPortal either on a dedicated server or on the SCS itself.

■With SmartPortal, you can limit access to specific IP addresses.

New FireWall-1/VPN-1 Features

■The "Hacker versus Firewall" arms race has moved up the stack to a higher level.

■SmartDefense and Web Intelligence have capabilities in three broad categories: defense against attacks, implicit defenses, and abnormal-behavior analysis.

■The SmartDefense Service is an annual subscription service that provides ongoing and real-time updates and configuration advisories.

Edge Support for CLM

■The NGX R65 provides Edge support for the customer log module (CLM). This support will allow the administrator to choose the destination for the logs.

■The NGX R65 introduces an additional infrastructure that enables the use of management plug-ins.

■The NGX R65 is the first version to manage Connectra gateways centrally.

Integrity Advanced Server

■For Integrity 6.6 on the R65 installation CD, the embedded datastore now supports up to 2,000 concurrent users, removing the need for an external database.

■Logs, which are now stored on the embedded Check Point Log Server, integrate with Check Point and third-party reporting tools.

■Customers with more than 2,000 concurrent users should continue to use Integrity 6.5 until Integrity 7.0 is released.

New VPN Features

■Rather than creating individual encryption rules to handle the traffic between VPN terminator gateways, the user need only create a VPN community and then specify the gateways and properties. With NGX R65, Check Point has preserved this useful and simple mental model and has added some additional functionality.

■Enforcement of VPN rules by direction of connection is now possible.

■You can now enable VPN connections in NGX as wire mode, reflecting the fact that communications over the VPN are inherently trusted.


■Interface bonding facilitates the construction of a redundant, fully meshed topology in High Availability mode configurations.

■If a failure occurs on the active switch connection, the active interface senses the failure and will fail over to the supplementary bonded interface that is connected to the second switch.

■The Multicast group, source address, and incoming and outgoing interface indexes of Multicast traffic are synchronized among all cluster members for cluster deployments in the NGX R65.


Reprinted from Chapter one of Check Point NGX R65 Security Administration by Ralph Bonnell. Printed with permission from Syngress, a division of Elsevier. Copyright 2007. For more information about this title, please visit

This was last published in June 2008

