Check Point R75 Terminology and Architecture

Before diving into Check Point firewalls and creating security policies and other stuff it is essential to understand the architecture of Check Point and how it exactly works.  This post will help you to get a feel of what Check Point firewalls are and how it works in a multilayer approach developed by Check Point. Below are the most common terms that should be sufficient for you to get started with Check Point firewalls.

The Terminology

Smart Console – It is a set of GUI applications that allows security administrators to configure and manage the global security policy for the entire organization. There are quite a few clients available in the smart console, each for a different purpose. Of all those clients the main client application used is called SmartDashboard , which is used to configure the security policy of the network. SmartDashboard connects to the Security Management Server which houses the actual security policy database of rules and objects.

Security Management Server – The Security Management Server contains the global security policy for an organization. This policy is defined using the SmartDashboard—however, the policy is actually saved on the Security Management Server. It contains the following databases: Object database, User database, Security rules and Log database. The Security Management Server interacts with the Security Gateways by uploading security rule sets specific to the Security Gateway and by receiving logging information from the Security Gateways. The Security Management Server package can be installed on the following supported platforms: Windows 2003 and 2008, IPSO (FreeBSD) and SPLAT (Linux based).

Security Gateway – They are nothing but the ‘firewalls’ you have always known. Security Gateways are installed/located where the security rules must be applied. So, the security rules are created using the SmartDashboard which is then saved on the Security Management Server and pushed on the intended Security Gateway.

Platforms – Check Point is a complete software based firewall which has to be installed on a Guest OS such as Windows 2003/2008, SPLAT (Check Point Linux distribution based on RHEL) or Nokia IPSO (based on FreeBSD) running on appropriate hardware.
When installing Check Point on Windows you have to make sure that Windows is properly hardened and the OS itself is completely secure. The other flavors SPLAT and IPSO are custom made for installing Check Point on hardware manufactured by Nokia (which is now bought by Check Point) and do not need any hardening process to make it secure as the bare essentials of what is required from the OS is made available and the rest is done away with. Once the guest OS is ready you can install Check Point firewall right away by installing the appropriate image based on your guest OS.
The installation is obviously a little different than the normal applications you install everyday, but you get the point right? And, this is what makes Check Point’s architecture different from the other vendors.

The Architecture

Now that you know what is what, the architecture of Check Point firewalls should be a little easier to understand. Check Point firewalls can be deployed in a standalone fashion or a distributed one. Lets look at the difference between the two:-

Stand-alone deployment:

In a stand-alone deployment, your Security Management Server and Security Gateway is installed on the same platform and your smart console will most probably be installed on a separate platform with which you will access the Security Management server to create policies and push it to the Security Gateway (which is the same device in this case). However, this deployment defeats the whole purpose of Check Point’s three-tiered architecture and is not recommended by Check Point, except for small businesses.

Distributed deployment:

A distributed deployment is more commonly known as a Three-Tired architecture, wherein each component is installed on a separate platform and this type of deployment is highly recommended by Check Point. Smart Console is usually installed on Windows for its ease of use. Security Management Server can be installed on Windows/Linux/FreeBSD platform depending on the requirement. And the Security Gateway too can be installed on a Windows/Linux/FreeBSD platform as per the requirements (but seriously, ‘Windows’ for a ‘security’ gateway?!)

P.S: The terminology defined above mainly applies to R75 but the architecture is the same for below versions as well.

16 thoughts on “Check Point R75 Terminology and Architecture

  1. Excellent post. I had been strugglig for days to understand how Checkpoint works. This post has made me understand all the pieces that checkpoint is made of. Thank you very much. Great effort.

  2. kudos for a really excellent description!!!! I have also searching a lot to clarify the types of installation architecture that Checkpoint uses. This article is great!

  3. can you explain more about function of smart gateway/ security management and how can we installed seperately

  4. Hi Rajnikant,

    What you are referring to as Smart Gateway is actually the Security Gateway. That is the actual physical firewall that separates your inside, DMZ and outside network. You create policies on a Management Server and push it on the Security Gateways which then carry out the function of filtering traffic and much more.

    I won’t be able to explain how to install both of them separately in a few words. If you search well enough on Google, you’ll get some documentation or videos on how to configure and setup a distributed environment.



  5. nice post!! you rock!! Do you have experience with vsx checkpoint? if yes can you please share basic cli commands of it and troubleshooting on it?

  6. Hi Bhushan,

    Yes, I do have some experience with VSX. I had noted down some commands when I worked on VSX gateways, will share those with you when I find it, it’s somewhere in my hard drive.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s