Guide
NG FP3
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at
http://support.checkpoint.com/kb/
Chapter 1 Configuring VPN-1/FireWall-1
Configuring Check Point Products 25
Licenses 26
The Trial Period 27
Administrators 30
SMART Clients 36
PKCS#11 Token 37
Key Hit Session/Random Pool 38
Certificate Authority 39
Secure Internal Communication 40
Fingerprint 43
High Availability 45
Interfaces 45
VPN-1 Accelerator Driver 45
SNMP Extension (Unix only) 45
Automatic Start of Check Point Modules (Unix only) 46
Secure Internal Communications for Distributed Configurations 46
Communicating Components 46
Security Benefits 46
Administrative Benefits 46
SIC Certificates 46
Communications between the SmartCenter Server(s) and Modules 48
Communications Between the SmartCenter Server and the SMART Client 48
Enabling Communication between Modules 49
Resetting the Trust State of the Module 54
SIC Automatic Renewal 56
Log Viewing and Management 56
Frequently Asked Questions—Installing, Upgrading, Configuring 57
Chapter 2 SmartUpdate
Introduction to SmartUpdate 63
Purpose 63
Table of Contents 3
Why use SmartUpdate 63
Installing SmartUpdate 64
Supported Products and Platforms 64
How to Upgrade Remote Check Point Nodes 64
1. Prerequisites for Remote Upgrade 64
2. Upgrading or Installing the SmartCenter Server 65
3. Configuring the SmartCenter Server 65
4. Adding Products to the Product Repository 65
5. Using SmartUpdate to Upgrade Check Point Nodes 67
Starting the SmartUpdate GUI 68
Elements of the SmartUpdate GUI 69
Products and Licenses tabs 70
Product and License Repositories 71
License Type Icons 72
Operation Status 73
Docking Windows 75
Searching for Text 75
Printing Views 76
SmartUpdate Menus and Toolbar 76
Product Management 84
Introduction to Product Management 84
Managing the Product Repository 85
Installing Products—Overview 87
Upgrading All Products 88
Installing a Single Product 89
Uninstalling a Product 92
Verifying an Installation 94
Booting a Check Point Node 95
Getting Check Point Node Data 96
Stopping an Operation and Clearing Completed Operations 96
License Management 97
Introduction to License Management 98
License Types: Central, Local 98
The Trial Period 99
Version 4.1 License Support 99
Obtaining Licenses 100
License Structure and Elements 100
Installing a License for the SmartCenter Server 101
Before Using SmartUpdate License Management 101
Adding a License to the License Repository 101
Attaching a License to a Check Point Node 105
Attaching an Evaluation License to all Check Point Nodes 108
Detaching a License from a Check Point Node 109
Getting Locally Installed Licenses From a Check Point Node 111
Deleting a License from the License Repository 112
Viewing License Properties 113
Viewing Installed Products 115
Checking for Expired Licenses 115
Exporting a License to a File 117
Automatically Upgrading Version 4.1 Licenses 117
Licensing Glossary 119
SmartUpdate Architecture 121
SmartUpdate FAQ 122
General SmartUpdate FAQ 122
Remote Installation FAQ 123
Licensing FAQ 125
VPN-1/FireWall-1 Proprietary Users 158
Defining Users and Groups 158
User Properties 162
User Groups 166
User Database 167
Database Installation 167
Generic User Profiles 168
Generic User Overview 168
Example: Defining a Generic User Profile 169
Using Generic User Profiles 169
Generic User Notes 170
Generic User Profile Properties window 170
External Users and Groups 171
Groups of RADIUS Users 171
Associating a Radius Server with a FireWall-1 Enforcement Module 171
Groups of Windows NT users 172
Network Properties Window — General Tab 202
Network Properties Window — NAT (Address Translation) Tab 203
Domains 203
Domain Properties Window 203
Open Security Devices 203
Overview 204
OSE Device Properties Window — General Tab 204
OSE Device Properties Window — Topology Tab 205
Defining Router Anti-Spoofing Properties 206
Embedded Devices 208
Overview 208
Embedded Devices window — General tab 208
Embedded Device Properties — Topology tab 209
Interface Properties Window — General Tab 209
Interface Properties Window — Topology Tab 210
Embedded Device Properties — SNMP Tab 210
Embedded Device Properties — NAT tab 211
Groups 211
Simple Group 211
Group with Exclusion 213
Viewing Groups with an Exclusion 214
Showing Group with an Exclusion Objects in the SmartMap View 214
UAS High Availability Group 215
Logical Servers 215
Address Ranges 216
Address Range Properties Window — General Tab 216
Address Range Properties Window — NAT Tab 216
Gateway Clusters 216
Dynamic Objects 216
Resources 232
Overview 232
Wild Cards 233
URI Resources 233
URI Definition window — General tab 234
URI Definition window — Match tab (wild cards specification) 235
URI Definition window — Match tab (file specification) 239
URI Definition window — Match tab (UFP) 240
URI Definition window — Action tab 241
URI Definition window — CVP tab 243
URI Definition window — SOAP tab 243
URI for QoS Definition window 244
SMTP Resources 245
SMTP Security Server 245
FTP Resources 250
FTP Definition window — General tab 250
FTP Definition window — Match tab 251
FTP Definition window — CVP tab 251
TCP Resources 252
TCP Resource Properties 252
CIFS Resources 255
CIFS Overview 255
Support of the CIFS protocol 255
Configuring CIFS Stateful Inspection 255
Specifying the allowed disk/print shares 256
Logging 256
Known limitations 256
List Of Supported Services 257
List of Supported TCP Services 257
List of Supported UDP Services 265
List of Supported RPC Services 269
List of Supported ICMP Services 271
List of Supported Other IP Protocol Services 272
Notes for Services 272
VPN-1 Pro 282
VPN-1 Early Versions Compatibility 282
VPN-1 Advanced 282
VPN-1 Net 282
Remote Access — VPN SecuRemote/SecureClient 282
Remote Access — VPN 282
Remote Access — Secure Configuration Verification 282
Remote Access — Early Versions Compatibility 282
FloodGate-1 Properties 282
Bandwidth Control 282
SmartMap 283
Management High Availability 283
LDAP (Account Management) 283
Connect Control 285
Servers Availability 285
Servers Persistency 285
Server Load Balancing 285
Open Security Extension (OSE) Access List 286
Stateful Inspection 287
Log and Alert 289
Track Options 289
Logging Modifiers 290
Time Settings 290
Alert Commands 291
On Which Machine Are the Alert Scripts Executed? 292
Extranet Management Interface 292
SmartDashboard Customization 293
Rule Base Query window 328
Rule Base Query Clause window 329
Disabling Rules 330
Searching the Rule Base 330
Installing and Uninstalling Policies 331
Installing Security Policies 331
Installing Access Lists 331
Installing Other Policies 332
Installing the Security Policy 333
Uninstalling the Security Policy 338
Connection Persistence during a new Policy installation 339
Installing a VPN-1\FireWall-1 From a Previous Database Version 340
Notes on Installing and Uninstalling Policies 340
Viewing the Inspection Script 341
Inspection Code Loading 341
Installing Access Lists 342
Importing Access Lists 342
Managing Imported Access Lists in the Rule Base 343
Verifying and Viewing Access Lists 344
Installing Access Lists 345
Boot Security 345
Auxiliary Connections 345
When a Security Policy is Installed 346
Configuring ACE (SecurID) Servers 363
ACE and DES 364
ACE and the Rule Base 364
LDAP (Lightweight Directory Access Protocol) Account Units 364
LDAP Account Unit Properties Window — General Tab 365
LDAP Account Unit Properties Window — Users Tab 366
LDAP Account Unit Properties Window — Encryption Tab 367
Certificate Authority 368
Certificate Authority Properties Window — General Tab 368
Certificate Authority Properties Window — VPN-1 CM Tab 369
Certificate Authority Properties Window — Advanced Tab 370
SecuRemote DNS 370
SecuRemote DNS General Tab 370
OPSEC Servers and Clients 371
Defining OPSEC Applications 373
OPSEC Application Properties Window — General Tab 373
Managing OPSEC Products From the SmartDashboard 377
Communication Window 381
Definition Window — CVP Options Tab 382
OPSEC Definition Window — UFP Options Tab 383
OPSEC Definition Window— AMON Options Tab 384
OPSEC Definition Window— CPMI Permissions 384
OPSEC UFP and CVP Groups 384
OPSEC SIC Configuration 386
Navigating Through the Log File 418
Log File Management 418
Opening a Different Log File 418
Saving the Currently Displayed Log Entries 418
Starting A New Log File 419
Deleting the Contents of the Active Log File 420
Blocking Connections 420
Viewing a Previous Database Version 421
Fetching Log Files From a Remote Machine 421
Displaying Specified Log Files of a Specific Node 424
Redirecting Logging to Another Master 424
Installing the User Database on a CLM 425
Exporting Log Data to Another Application 425
Menus 426
Log File Menu 426
View Menu 427
Query Menu 427
Tools Menu 428
Window Menu 428
Help Menu 429
SmartView Tracker Toolbar 429
SmartView Tracker Toolbar Buttons and Their Corresponding Menu Commands 430
Query Properties Toolbar 430
Toolbar Buttons For the Query Properties Toolbar 431
Using the Critical Notifications Pane 456
Multi-View Select Synchronization 456
System Alert 457
The Modules Pane 458
The Network Object System Alert Definition Pane 458
Understanding System Alert Options 459
System Alert Monitoring Mechanism 461
Find 461
Alerts 461
Disconnecting a Client 462
Reconnecting to the Server 463
Menus 464
File Menu 464
View Menu 464
Modules Menu 465
Products Menu 465
System Alert Menu 467
Tools Menu 467
Window Menu 467
Help Menu 469
Check Point SmartView Status Toolbar 469
NAT (Network Address Translation) 485
When the DAIP Module’s IP address changes ... 485
When the SmartCenter Server’s IP address changes ... 485
When the DAIP Module’s name changes ... 485
Chapter 16 SmartMap
Introduction to the SmartMap 491
Network Objects 492
Enabling and Disabling SmartMap 492
Docking and Undocking the SmartMap Window 492
Using the SmartMap View 493
Displaying the Network Object and Interface Information 493
Working with Network Objects 493
SmartMap View Options 494
Modes 494
Zooming and Scrolling 495
Navigator Window 497
Arrange Styles 498
Toggle the SmartMap View 499
Customization Options 499
Print out the SmartMap View 503
Exporting the Topology Map 504
Saving the SmartMap View 507
Editing Network Objects 507
Editing Object/Interface Properties 507
Adding New Objects 508
Removing Network Objects 508
Defining a New Group 509
Editing the Network Topology 509
Containing and Contained Networks 509
New Topology Object Types 511
Topology Collapsing 518
How to Collapse Locales 518
How to Collapse Other Topology Structures 519
Working with Topology Folders 519
Viewing External Objects 521
Editing External Objects 521
Viewing Gateway Clusters 522
Integration of the SmartMap View and the SmartDashboard 522
Paste Network Object(s) in the Rule Base 522
Dragging & Dropping 522
Show Objects 523
Showing Objects with Network Address Translation (NAT) 524
Understanding Rules Shown in the SmartMap View 524
Showing a Rule in the SmartMap View, by selecting Show from the Rule Base menu 525
Showing a Rule by dragging it from the Rule Base to the SmartMap View 526
Calculations 528
Understanding Topology Calculation 528
Calculating Topology Information 529
The SmartMap Helper 532
Solving Duplicated Networks 533
Solving Unresolved Object Interfaces 533
Menu Commands and Toolbar 534
Cursor Modes 536
Chapter 17 Management High Availability
Overview 537
Primary vs. Secondary 537
Active vs. Standby 538
Restrictions 538
Using Management High Availability 539
Configuration and Usage 539
Synchronization 540
Properties 543
Upgrading to a New Version 545
SmartView Tracker 545
cpstat 567
fwm lichosts 569
fwm ver 569
fwm sam 570
Utilities 575
fwm ctl 576
fwm gen 579
fwm kill 580
fwell 581
fwm tab 584
dynamic_objects 585
dbedit 587
queryDB_util 591
Log File Management 593
fwm log 593
fwm logswitch 596
fwm logexport 598
fwm repairlog 599
fwm mergefiles 600
fwm lslogs 601
fwm fetchlogs 603
fw lea_notify 604
log_export 604
ClusterXL: High Availability and Load Sharing 609
cphastart 609
cphastop 609
cphaprob 609
fwm hastat 614
User Database Management 615
fwm ikecrypt 615
fwm dbimport 616
fwm dbexport 618
ldapmodify 620
ldapsearch 621
License Management 624
Local Licensing Commands 624
cplic put... 624
cplic del 627
cplic print 628
cplic check 629
Remote Licensing Commands 631
cplic put <object name> ... 631
cplic del <object name> ... 633
cplic get 634
cplic upgrade 635
License Repository Commands 639
cplic db_add 639
cplic db_rm 640
cplic db_print 641
Product Management 643
Product Repository Management 643
cppkg Overview 643
cppkg add 643
cppkg del 645
cppkg print (search) 648
cppkg setroot 649
cppkg getroot 650
Remote installation 651
cprinstall Overview 651
cprinstall upgrade 651
cprinstall verify_upgrade 652
cprinstall install 653
cprinstall uninstall 654
cprinstall get 656
cprinstall verify 657
cprinstall boot 658
cprinstall stop 659
cprinstall (cpstart/cpstop) 660
VPN-1 Accelerator Card 661
vpn accel 661
lunadiag 661
VPN Commands 662
vpn ver 662
vpn debug 662
vpn drv 663
vpn intelrng 663
Daemons 664
Check Point Remote Installation Daemon (cprid) 664
CPsyslogD 664
FloodGate-1 666
SmartView Monitor 666
rtmstart 666
rtmstop 666
rtm d 667
rtm debug 667
rtm drv 667
rtm ver 668
rtm stat 668
rtm monitor — Interface Monitoring 668
rtm monitor — Virtual Link Monitoring 671
Options Reporting Tool Commands 671
Starting the Reporting Tool 671
Scheduling and Distributing Reports and Replacing the Management 672
Generating Reports 678
Reporting Server Commands 679
Upgrading FWR, RPF and DEF Files 679
Log Consolidation Engine Commands 680
log_consolidator 680
OPSEC 686
upgrade_fwopsec 686
Glossary 689
Index 713
Preface
Summary of Contents
Chapter 1, “Configuring VPN-1/FireWall-1” describes how to configure Check Point
VPN-1/FireWall-1.
Chapter 2, “SmartUpdate” describes how to use Check Point SmartUpdate.
Chapter 3, “Graphical User Interface,” describes how to use the Check Point Graphical
User Interface (GUI).
Chapter 4, “Managing Users and Administrators,” describes how to define and manage
users, including users defined on an LDAP Server.
Chapter 5, “Network Objects,” describes how to define network objects (gateways,
hosts, routers, switches, and others).
Chapter 6, “Services and Resources,” describes how to define network services.
Chapter 7, “Global Properties,” describes how to define VPN-1/FireWall-1 properties.
Chapter 8, “Security Policy Rule Base,” describes how to define and enforce a Security
Policy’s rules.
Chapter 9, “Time and Scheduled Event Objects,” describes how to define the time
objects used in rules.
Chapter 10, “Server Objects and OPSEC Applications,” describes how to define Server
objects.
Chapter 11, “SmartView Tracker,” describes the SmartView Tracker.
Chapter 12, “SmartView Status,” describes the SmartView Status.
Chapter 13, “User Monitor,” describes the management of SecuRemote users.
Chapter 14, “Dynamically Assigned IP Addresses,” describes how to define and
configure Modules whose IP addresses are not fixed, but dynamically assigned.
Chapter 15, “Virtual Links,” describes how to define and monitor virtual links.
Chapter 16, “SmartMap” describes how to use SmartMap.
Chapter 17, “Management High Availability,” describes how to use Management High
Availability.
The Glossary defines terms sometimes encountered in discussions of IP networks.
Note - For additional technical information about Check Point products, consult Check
Point’s SecureKnowledge database at http://support.checkpoint.com/kb/
What Typographic Changes Mean
The following table describes the typographic changes used in this book.
TABLE P-1 Typographic Conventions
Shell Prompts in Command Examples
The following table shows the default system prompt and superuser prompt for the C
shell, Bourne shell, Korn shell and DOS.
TABLE P-3 Shell Prompts

Shell                                          Prompt
C shell prompt                                 machine_name%
C shell superuser prompt                       machine_name#
Bourne shell and Korn shell prompt             $
Bourne shell and Korn shell superuser prompt   #
DOS                                            current-directory>
Configuring VPN-1/FireWall-1
In This Chapter
Configuring Check Point Products
Licenses page 26
The Trial Period page 27
Administrators page 30
SMART Clients page 36
PKCS#11 Token page 37
Key Hit Session/Random Pool page 38
Certificate Authority page 39
Secure Internal Communication page 40
Fingerprint page 43
High Availability page 45
Interfaces page 45
VPN-1 Accelerator Driver page 45
SNMP Extension (Unix only) page 45
Automatic Start of Check Point Modules (Unix only) page 46
Licenses
Use this option to:
• view license details
• add required licenses for the host
• delete licenses from the host (Windows only). On Unix, to delete or overwrite a
license use the cplic del command (see “cplic del” on page 820).
You do not need a license to run the SMART Client.
Use the cpconfig Licenses option to manage Local licenses only. Central licenses are managed
via SmartUpdate. For details about the differences between Local and Central Licenses, and for
information about centrally managing licenses on remote hosts, see Chapter 2 “Smart Update”
on page 67 of the Check Point SmartCenter Guide.
Note - For a DAIP Module, do not use cpconfig to install a license. A DAIP Module can
use only a Central license, which must be installed using the cplic put command.
Obtaining Licenses
If you have not yet obtained your license(s), see “Obtaining Licenses” on page 127 of the Check
Point Getting Started Guide. You can add licenses after completing the other cpconfig
configuration options.
If all installed licenses are removed during the 15-day trial period, the product regains full
functionality until the end of the trial period.
If no licenses are installed, the remaining trial period is displayed when starting SmartUpdate
and any of the other Check Point SMART Clients.
To see the remaining trial period, perform the Get Check Point Node Licenses operation in
SmartUpdate, or open the cpconfig Licenses tab on the Enforcement Module, or run the
command cplic print locally on the Enforcement Module.
The license(s) that belong to this host are added. After installing the license, you should import
the licenses to the Smart Update License Repository (see “Adding a License to the License
Repository” on page 114).
2 The User Center results page and the license email received from the User Center
contain the license installation instructions. To enter the license data, either:
• Copy the license string to the clipboard. Copy the string that starts with cplic
put... and ends with the last SKU/Feature, then click Paste License, or
3 Click Calculate, and make sure the result matches the validation code received from
the User Center.
4 Click OK.
To Delete a License
1 In the Licenses window, select the license to be deleted.
2 Click Delete, or press the Delete key on the keyboard.
Administrators
FIGURE 1-4 Administrators window
In This Section
To Add an Administrator
You must define at least one administrator, otherwise no one will be able to use the
SmartCenter Server you have just installed.
The administrator password should be at least four characters long, with no spaces.
1 Click Add to specify an administrator. The Add Administrator window is displayed.
FIGURE 1-5 Add Administrator window
4 Specify the Administrator’s Permissions. The following table shows the available
administrator permissions options.
TABLE 1-1 Add and Edit Administrator Permission Options
To Delete an Administrator
1 Select the Administrator to be deleted.
2 Click Delete in the Administrators window.
Concurrent Sessions
In order to prevent more than one administrator from modifying a Security Policy at the same
time, VPN-1/FireWall-1 implements a locking mechanism.
Any number of administrators can view a Security Policy at the same time, but only one of
them can have write permission at any given moment. Upon opening a Security Policy, an
administrator is granted write permission only if both of the following conditions are true:
• The administrator has been assigned Read/Write or User Edit privileges.
• No other administrator currently has write permission for the Security Policy at
this time.
For example, suppose Bob and Alice are both administrators. Bob has Read/Write privileges
and Alice has User Edit privileges. Suppose no one has the Security SmartDashboard open. If
Alice opens the Security SmartDashboard, she will be granted User Edit permission. If Bob
opens the same Security Policy before Alice closes it on her workstation, then Bob will not be
granted Read/Write permission. Instead, he will be asked whether he wishes to quit or to open
the Security Policy with Read Only permission.
During the Read Only session, another administrator with Read/Write privileges can log in and
be granted write permission.
3 Add a rule to the Rule Base specifying Client Authentication or Client Encryption
as the Action, for example, the rule shown below:
TABLE 1-2 Rule Base Example
SMART Clients
FIGURE 1-7 SMART Clients window
Specify the SMART Clients, that is, the remote computers from which administrators will be
allowed to connect to the SmartCenter Server.
There is no need to define a SMART Client that runs on the same machine as the SmartCenter
Server. If no SMART Clients are defined, you will be able to manage the SmartCenter Server
you have just installed only from a SMART Client running on the same machine.
The connection between the SMART clients and the SmartCenter Server is enabled in
SmartCenter by checking the Accept VPN-1 & FireWall-1 control connections property in the
FireWall-1 Implied Rules page of the Global Properties window.
If the connection between the SMART clients and the SmartCenter Server passes through a
VPN/FireWall Module, then the Security Policy must be re-installed on the VPN/FireWall
Module so that the newly added SMART clients can connect to the SmartCenter Server.
PKCS#11 Token
FIGURE 1-8 PKCS#11 Token window
Use this window to register a cryptographic token for use by VPN-1/FireWall-1, to see details
of the token, and to test its functionality.
For configuration details, see the “PKCS#11 Token” on page 58 of Check Point Virtual Private
Networks.
Key Hit Session/Random Pool
You are asked to enter random keystrokes. The random data collected in this session is used in
various cryptographic operations.
Enter random characters containing at least six different characters. Do not type the same
character twice in succession, and try to vary the delay between the characters. Keystrokes that
are too fast or too similar to preceding keystrokes are ignored.
Keep typing until you hear a beep and the bar is full.
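As an added example, not taken from this guide or from Check Point's own code, the following POSIX shell script applies the keystroke rules just described to a constructed key-hit session. Each token is <character>:<milliseconds since the previous keystroke>; the 20 ms "too fast" cut-off, the token format and both sample sessions are assumptions made for illustration. Keystrokes that survive the filter are mixed into a SHA-256 pool together with their timings, because the delays, not the characters, carry most of the entropy.

```sh
#!/bin/sh
# Added example (not Check Point code): filter a key-hit session the way the
# cpconfig text describes, then mix the survivors into a hash pool.
# Assumptions: 20 ms "too fast" threshold, "<char>:<ms>" token format,
# and the two constructed sample sessions below.

MIN_DELAY_MS=20   # assumed threshold for "too fast"
MIN_DISTINCT=6    # the guide's requirement: at least six different characters

# accept_keystrokes "<char>:<ms> <char>:<ms> ...": print the tokens that pass
# the two rejection rules, space separated.
accept_keystrokes() {
    prev=""; kept=""
    for tok in $1; do
        ch=${tok%%:*}; ms=${tok#*:}
        # same character twice in succession: ignored
        if [ "$ch" = "$prev" ]; then prev=$ch; continue; fi
        # arrived too fast after the previous keystroke: ignored
        if [ "$ms" -lt "$MIN_DELAY_MS" ]; then prev=$ch; continue; fi
        kept="$kept${kept:+ }$tok"; prev=$ch
    done
    printf '%s' "$kept"
}

# distinct_chars "<accepted tokens>": how many different characters were accepted.
distinct_chars() {
    printf '%s' "$1" | tr ' ' '\n' | cut -d: -f1 | sort -u | grep -c .
}

# pool_digest "<accepted tokens>": SHA-256 over characters AND their delays.
pool_digest() {
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# session_ok "<raw tokens>": exit 0 when the session yields enough distinct characters
# (this is the condition the progress bar in cpconfig is waiting for).
session_ok() {
    kept=$(accept_keystrokes "$1")
    [ "$(distinct_chars "$kept")" -ge "$MIN_DISTINCT" ]
}

# Constructed sample sessions (not captured data).
GOOD_SESSION="a:120 b:95 b:110 c:3 d:140 e:130 f:160 g:210"
BAD_SESSION="a:120 a:130 a:125 a:140 a:150 a:160"

echo "accepted: $(accept_keystrokes "$GOOD_SESSION")"
if session_ok "$GOOD_SESSION"; then
    echo "pool: $(pool_digest "$(accept_keystrokes "$GOOD_SESSION")")"
fi
if session_ok "$BAD_SESSION"; then echo "bad session accepted?!"; else echo "bad session rejected"; fi
```

In the good session the second b is dropped as a repeat and c:3 is dropped as too fast, leaving exactly six distinct characters; the session that leans on one key never gets past the first keystroke and is rejected.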
Certificate Authority
FIGURE 1-10 Certificate Authority window
Certificate Authority
This option allows you to create an Internal Certificate Authority (ICA) on SmartCenter Server,
and create a Secure Internal Communication (SIC) certificate for the SmartCenter Server.
SIC certificates are used to authenticate communication between Check Point communicating
components, or between Check Point communicating components and OPSEC Applications.
Management FQDN
cpconfig tries to resolve the FQDN (fully qualified domain name) of the SmartCenter Server
and supplies this as a default. If this is not the correct FQDN, change the contents of the
Management FQDN field. This may be useful if there is a problem resolving the FQDN of the
SmartCenter Server.
Specifying the correct FQDN ensures that the Certificate Revocation List (CRL) can be reliably
retrieved by a communicating component, so that it can properly authenticate a certificate.
A fully qualified domain name consists of a host name and a domain name. For example,
www.checkpoint.com is a fully qualified domain name.
The ICA needs the FQDN in order to insert the CRL Distribution Point correctly in every
certificate it issues. Communicating components retrieve the CRL by reading the certificate and
looking for the CRL Distribution Point. The location of the CRL distribution point is an
HTTP address in the form http://FQDN/<CRL_filename>.
To see the location of the CRL applicable for a certificate, in SmartDashboard, edit the
SmartCenter Server object, and in the VPN page, select the certificate and click Edit > View.
The CRL Distribution Point is one of the fields in the certificate.
Secure Internal Communication
The Secure Internal Communication window is used to establish trust between this machine
and the Primary SmartCenter Server. Once trust is established, this machine can communicate
with other Check Point communicating components. Trust is established by creating a certificate
on the SmartCenter Server and delivering it to this machine.
Where this is a machine with a dynamically assigned IP address (DAIP Module), the
SmartCenter Server can push a certificate to the DAIP Module if the current IP address of the
DAIP module is known when initializing SIC (in SmartDashboard, in the Communications
window of the DAIP object).
For information about communications in a distributed environment, see “Secure Internal
Communications for Distributed Configurations” on page 160 of the Check Point Getting Started
Guide or page 48 of the Check Point SmartCenter Guide.
Note - If the Module has dynamic IP address, see “Defining a Module with a Dynamic IP
Address” on page 480 of the Check Point SmartCenter Guide.
b In the Check Point Gateway — General Properties page fill in the Module name
and IP address.
c Check the appropriate product.
Note - For the next step to work, the SVN Foundation and the VPN-1/FireWall-1 services
must be running on the Module, and there must be IP connectivity from the Management
Server to the Module.
Trust will be established and the Module will be able to communicate when the
certificate is successfully delivered to the Module, the Trust State is Trust
established, and the SIC name (or DN) of the Module is reported in the General
page of the Workstation Properties window.
2 For the other half of this procedure, see “How to Reset the Trust State of the
Module” on page 169.
Fingerprint
FIGURE 1-13 Fingerprint window
The Fingerprint window shows the fingerprint of the SmartCenter Server. The fingerprint is a
text string derived from the certificate of the SmartCenter Server. It is used to verify the identity
of the SmartCenter Server being accessed via a SMART Client. Compare this fingerprint with
the fingerprint the SMART Client displays the first time it connects to this SmartCenter Server.
Note - In a Management High Availability configuration, you can view and save the
Fingerprint. For the...
• primary SmartCenter Server — in the Fingerprint window once the ICA Initialization
has succeeded (see FIGURE 21-13).
• secondary SmartCenter Server — in the Secure Internal Communication tab, if the
Trust Status is Trust Established.
4 Make sure the fingerprint of the SmartCenter Server is identical to the fingerprint
displayed in the SMART Client.
Note - Do not make a first-time connection to a SmartCenter Server from a SMART
Client unless you have the SmartCenter Server fingerprint to hand and are able to
confirm it is the same as the fingerprint displayed in the SMART Client.
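The following added example (it is not Check Point's code and does not reproduce the ICA's real file layout) builds a throwaway CA with openssl, issues a module certificate whose CRL Distribution Point has the http://FQDN/<CRL_filename> form described under Management FQDN, and then does what a verifying component does: it reads the CRL Distribution Point back out of the certificate, checks that the certificate chains to the CA, and compares the CA fingerprint with one obtained out of band. The FQDN smartcenter.example.com, the CRL file name ICA_CRL1.crl and the module name gw1 are assumptions; cpconfig presents the fingerprint in its own text form, so a hex SHA-256 fingerprint stands in for it here.

```sh
#!/bin/sh
# Added example (not Check Point code): a throwaway "ICA" issuing a module
# certificate with a CRL Distribution Point, plus the client-side checks.
# Assumptions: openssl in PATH; the FQDN, CRL file name and subject names are made up.

MGMT_FQDN="smartcenter.example.com"   # assumed Management FQDN
CRL_FILE="ICA_CRL1.crl"               # assumed CRL file name

# issue_module_cert <workdir> <module-name>: create the CA key/certificate and sign a
# certificate for the module that carries CRL DP http://$MGMT_FQDN/$CRL_FILE.
issue_module_cert() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ICA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'crlDistributionPoints=URI:http://%s/%s\n' "$MGMT_FQDN" "$CRL_FILE" > "$dir/ext.cnf"
    openssl x509 -req -days 30 -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -CAcreateserial -extfile "$dir/ext.cnf" \
        -out "$dir/$name.pem" 2>/dev/null
}

# cert_crl_dp <cert.pem>: the CRL Distribution Point URI a component would fetch the CRL from.
cert_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -o 'URI:[^[:space:]]*' | head -n 1 | cut -d: -f2-
}

# cert_fingerprint <cert.pem>: SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_fingerprint <expected> <cert.pem>: exit 0 only when the certificate matches the
# fingerprint obtained out of band (for example read from cpconfig on the server).
check_fingerprint() {
    actual=$(cert_fingerprint "$2")
    [ "$actual" = "$1" ]
}

# issued_by_ca <ca.pem> <cert.pem>: exit 0 when the certificate chains to the CA.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
issue_module_cert "$WORK" gw1
echo "CRL DP in gw1 certificate: $(cert_crl_dp "$WORK/gw1.pem")"
echo "ICA fingerprint:           $(cert_fingerprint "$WORK/ca.pem")"
if issued_by_ca "$WORK/ca.pem" "$WORK/gw1.pem"; then echo "gw1 certificate chains to ICA"; fi
```

The point of check_fingerprint is the trust-on-first-use step the note above insists on: the expected fingerprint comes from the server's own console, never from the connection being verified, and a mismatch (here, the module certificate offered in place of the CA's) is rejected.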
High Availability
FIGURE 1-15 High Availability window
Turn on the State Synchronization and the ClusterXL High Availability and Load sharing
capability.
See Chapter 3, “ClusterXL,” in the Check Point FireWall-1 Guide for information on how to
configure a High Availability environment.
Interfaces
A ROBO Gateway is an object which inherits most of its properties and its policy from the
Profile object to which it is mapped. Each ROBO gateway represents a large number of
gateways, which subsequently inherit the properties stipulated by the Profile object.
Select the IP addresses that represent the interfaces defined for each object from the drop down
list.
Security Benefits
Securing communication lets you be sure that:
• a SMART Client is connecting to a SmartCenter Server to which it is authorized to
connect;
• the Security Policy loaded on a VPN/FireWall Module came from the SmartCenter
Server, rather than from a machine pretending to be the SmartCenter Server;
• data privacy and integrity have been maintained.
Administrative Benefits
As well as enhancing security, SIC substantially eases the administration of large installations by
reducing the number of configuration actions. It is no longer necessary to perform fw putkey
operations between pairs of communicating components. Instead, it is simply a matter of
performing a simple initialization procedure for each component from the SmartDashboard.
SIC Certificates
Secure Internal Communication for Check Point SVN components uses:
• Certificates for authentication, and
• Standards-based SSL for encryption.
SIC Certificates uniquely identify Check Point-enabled machines or OPSEC applications across
the VPN-1/FireWall-1 system. For example, a computer may have one certificate for Check
Point products and a certificate for each OPSEC application. Certificates are created by the
Internal Certificate Authority (ICA) on the SmartCenter Server for communicating components
managed by the SmartCenter Server.
For information about certificates and their benefits, see “Certificates” on page 23 of Check
Point Virtual Private Networks.
Note - VPN certificates (those used for IKE for example), and SIC certificates are used for
different purposes and are managed differently.
• VPN certificates are managed from the VPN page of the VPN-1 installed object (see
“Workstation Encryption Properties” on page 94 of Check Point Virtual Private
Networks)
• SIC certificates are managed from the Communication window on the General page
of any Check Point installed object (see “Enabling Communication between Modules” on
page 22).
[Figure: Management Server, Internet router, FireWalled Gateway and intranet router]
The ICA creates a certificate for the SmartCenter Server machine during the SmartCenter
Server installation. The ICA itself is created automatically during the installation procedure (see
“Installing VPN-1/FireWall-1 (Windows)” on page 115 or “Installing VPN-1/FireWall-1
(UNIX)” on page 123 of the Check Point Getting Started Guide)
Certificates for the VPN/FireWall Modules and any other communicating component are
created via a simple initialization from the SmartDashboard (see “Enabling Communication
between Modules” on page 22). Upon initialization, the ICA creates, signs, and delivers a
certificate to the communicating component. Every Module can verify the certificate for
authenticity.
Once the administrator approves the identity of the SmartCenter Server, the administrator’s
name and password are securely sent to the SmartCenter Server.
The administrator’s name and password are used to authenticate the user as a Policy Management
authorized user.
Note - If the Module has dynamic IP address, see “Defining a Module with a Dynamic IP
Address” on page 480 of the Check Point SmartCenter Guide.
b In the Check Point Gateway — General Properties page fill in the Module name
and IP address.
c Check the appropriate product.
Note - For the next step to work, the SVN Foundation and the VPN-1/FireWall-1 services
must be running on the Module, and there must be IP connectivity from the Management
Server to the Module.
Trust will be established and the Module will be able to communicate when the
certificate is successfully delivered to the Module, the Trust State is Trust
established, and the SIC name (or DN) of the Module is reported in the General
page of the Workstation Properties window.
3 From the SmartDashboard, open the General page of the Check Point Gateway
window of the Module (FIGURE 0-4) and change the Version to NG.
FIGURE 1-19 Gateway Properties window — General page
The Trust State as reported in cpconfig in the Secure Internal Communication and in the
SmartDashboard in the Communication window can be in one of three states:
• Uninitialized —The Module is not initialized and therefore cannot communicate
because it has not received a certificate from the Internal Certificate Authority on
the SmartCenter Server.
• Initialized but trust not established —
This sends the certificate to the Module, and completes the SIC configuration of
the Module.
4 Reinstall the Security Policy on the Module.
To allow a Module that has been reset to communicate, the Module must be re-initialized.
You can also Reset a Module by deleting the Module object from the
SmartDashboard. Proceed as follows:
a In the SmartDashboard, choose Network Objects from the Manage menu.
b Select the Module object, and click Remove.
3 Install the Security Policy on all Modules. This also deploys the new CRL to all
Modules.
Administrators
Add or delete administrators using the Check Point Configuration application on a
VPN-1/FireWall-1 GUI Client. On Windows, go to Start > Programs > Check Point
Management Clients > Check Point Configuration NG FP3. If your logging station is running
under Unix, then you can add or delete administrators using the cpconfig command. See
“Configuring Check Point Products” in this book.
GUI Clients
Add or delete GUI Clients using the Check Point Configuration application. If your logging
station is running under Unix, then you can add or delete GUI Clients by using the cpconfig
command. See “Configuring Check Point Products” on page 25.
First of all, you must ensure that you have a valid license for the new machine. Once the license
issue is resolved, the simplest procedure is as follows:
1 Install VPN-1/FireWall-1 on the new machine.
If your SmartCenter Server manages VPN/FireWall Modules on other machines, you
must repeat the fwm putkey procedure for all the machines (see “Secure Internal
Communications for Distributed Configurations”).
2 Make a copy of the Security Policy files from the old machine.
For information on which files to backup, see “How do I back up my Security
Policy?” on page 58.
3 Restore the Security Policy backup files (see step 2 above) to the new machine.
4 Start the GUI on the new machine to confirm that the Security Policy was
successfully transferred.
5 If the new machine is the FireWalled gateway, then define the new machine as a
gateway.
In the new machine’s Workstation Properties window, check the Gateway flag.
6 Delete the old machine from the Network Object Manager.
Alternatively, you can leave the old machine, but uncheck the VPN-1 & FireWall-1
Installed flag in its Workstation Properties window.
The above procedure describes the simplest case: where the SmartCenter Server and
VPN/FireWall Modules are on one machine, and the Security Policy is installed on gateways. If
your configuration is more complicated, you will have to modify the procedure accordingly.
Question: What Objects are Carried Over from the Previous Version?
When you upgrade to a new version of VPN-1/FireWall-1, the installation procedure carries
the following elements over to the new version:
• VPN-1/FireWall-1 database (users and network objects)
• Properties
• Key database
• Encryption Parameters
• Rule Base
VPN-1/FireWall-1 attempts to merge your database with its own new database. For example,
you will have the benefit of services defined in the new version and you will retain the services
you defined in the previous version. In the case of a name conflict, the old objects (the ones you
defined) will be retained.
After upgrading, VPN-1/FireWall-1 loses its state, so you must start the GUI and install the
Security Policy.
Question: If I change the IP address of a network object, when does the change take
effect?
You must re-install the Security Policy for the change to take effect.
When you re-install a Security Policy, VPN-1/FireWall-1 internal state tables are cleared, so
there is the possibility that some connections may be lost, as follows:
• FTP data connections
If you have an open FTP connection and the Security Policy is re-installed before
the FTP server attempts to open the back connection, then the back connection
will be rejected.
• UDP connections
• An open encrypted session will be dropped if the newly installed Security Policy
allows the session to be unencrypted.
If you are concerned about losing these connections, then you should take care to re-install your
Security Policy during off-peak hours.
Version 4.0 and 4.1 VPN/FireWall Modules on hosts and gateways managed by an NG
SmartCenter Server validate communication between them using an authentication password
that is used to set up a secure link.
For this to work, you must have installed the SmartCenter Server with backward compatibility.
If you have an NG management and a 4.1 or 4.0 Module, and you need to re-establish
communication between them (e.g. after installing a new 4.1 Module or adding a log server to a
Module) you need to use the fwm putkey authentication password (the “old way”). This is done
using either
• the cpconfig configuration utility and SmartDashboard, or
• the command line
If you do not enter the password in the command line (using the -p <password>
syntax), you will be prompted for the password twice, as follows:
fwm putkey Chelsea London Paris
Enter secret key: <password>
Again secret key: <password>
Alternatively, you can use a different password for every host pair, as follows:
1 Login to BigBen and enter the following commands:
fwm putkey -p <password1> Chelsea
fwm putkey -p <password2> London
fwm putkey -p <password3> Paris
Question: Is SIC tolerant of Network Address Translation (NAT)? If there is a NAT device
between the SmartCenter Server and the Module, will communication be
affected?
SIC is completely tolerant of NAT because the SIC protocol is based on certificates and “SIC
Names” and not on IP addresses. A NAT device between the SmartCenter Server and the
Module will not have any effect on their ability to communicate using SIC.
Question: How do I prevent the fingerprint of a SmartCenter Server appearing the first
time a SMART client connects to it?
1 On the SMART client machine, open the Registry Editor (on Windows machines,
use Regedit).
2 Go to the Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Connection\5.0\
Question: How do I prevent the SMART client recognizing a SmartCenter Server to which
it has already connected?
1 On the SMART client machine, open the Registry Editor (on Windows machines,
use Regedit).
2 Go to the Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Connection\5.0\Known Servers
This entry contains the Names and fingerprints of SmartCenter Servers that the
SMART client recognizes.
3 Select the Name of the SmartCenter Server that the SMART client should no longer
recognize.
4 Click Delete.
SmartUpdate
In This Chapter
Introduction to SmartUpdate
Purpose
SmartUpdate is used to centrally manage remote software installations and licensing of Check
Point products.
How to Upgrade Remote Check Point Nodes
Installing SmartUpdate
SmartUpdate is silently installed together with the VPN-1/FireWall-1 SmartCenter Server. The
Product Management component of SmartUpdate requires a separate license, in addition to the
Management license (see “Introduction to Product Management” on page 84).
The SmartUpdate Management (GUI) Client is installed by default with the other Management
Clients.
• fw putkey connection between the SmartCenter Server and version 4.1 remote Check
Point Nodes.
• CPutil installed and configured. This is required for CPRID, which is needed for all
remote product operations.
The CPutil package and associated Release Notes are available on the Check Point 2000
CD and from http://www.checkpoint.com/techsupport/installation/ng/index.html
Chapter 2 SmartUpdate 65
How to Upgrade Remote Check Point Nodes
Note - The user name and the password are transmitted using SSL secured communication.
3 Select the product(s) to download. You can view a filtered list of products (for example,
view only the product upgrade packages for installed products), and the Release Notes.
4 Click Download. The product(s) are downloaded and added to the Product Repository.
The packages are downloaded to a temporary directory on the GUI Client machine and
then transferred to the SmartCenter Server, under the $SUROOT directory.
The Check Point Download Center web site can also be accessed manually at
http://www.checkpoint.com/techsupport/downloads/downloads.html
b Navigate to the desired .tgz file on the local disk and click Open.
Or,
Drag and drop the product package .tgz file into the Product Repository window.
In This Section
Windows System: Action
Windows: Select Start > Programs > Check Point Management Clients > SmartUpdate NG FP3.
[Figure: the SmartUpdate main window. Callouts mark the Licenses tab, the Management Server and Gateway nodes, the Product Repository, an Attached License shown both in the Licenses tab and in the License Repository (one window floating, one docked), an Operation Status entry (double click to see Operation Details), the Management Server to which the GUI is connected, and the user permissions.]
The Managed Check Point Nodes tree structure can be expanded or collapsed to display all or
hide all the installed products or licenses. To expand or collapse the tree, right click on the tree
root and choose Expand/Collapse or use the button or the button on the toolbar.
• The License Repository shows all attached and unattached licenses (Click on the
toolbar, or Licenses> View Repository in the menu).
FIGURE 2-5 License Repository
To sort the licenses or products in ascending or descending order, click a column title.
Icon Meaning
Attached Central License— this license has been added to the License
Repository and attached to (installed on) a Check Point Node.
Unattached Central License— this license has been added to the License
Repository and is available for attachment to a Check Point Node.
Attached Local License— This icon (colored yellow) represents both NG
Local and 4.1 Local Licenses. This license has been
• installed locally and retrieved into the License Repository, or
• added to Repository and automatically attached to the remote Check
Point Node.
Evaluation License— A “floating”, limited evaluation license that is not
associated with a specific IP address. It can be attached to any Check Point
Node, and to more than one Check Point Node at a time.
For more information about License Types, see “License Types: Central, Local” on page 98.
To view only one type of license, right click (FIGURE 2-7) in the License Repository window.
Operation Status
The Operation Status window shows current and past SmartUpdate operations.
FIGURE 2-8 Operation Status window
Note -
1. A log file of SmartUpdate remote product operations is generated in the $SUROOT\log
directory. The filename is <Check Point Node name>_SmartUpdate.elg.
2. An audit log of SmartUpdate Operations is available in the SmartView Tracker.
Status icons: Operation completed; A warning.
The Operation Details window shows the operation description, start and finish times, and
progress history. The window is resizable. An example is shown in FIGURE 2-10.
Status lines can be copied to the clipboard. Select the line, right click and choose Copy.
FIGURE 2-10 Operation Details window
Operation History — The History of the operation, dynamically updated as the operation
progresses.
Docking Windows
• The Product and License Repository windows, and the Operation Status window can be
either docked or floating.
• When SmartUpdate is opened, the Product and License Repository windows are docked in
the lower part of the SmartUpdate main window, and the Operation status view is hidden.
The Operation Status window appears when the first remote operation is performed.
• To toggle between a floating and a docked window, double click the window title, or drag
and drop the window.
• To close or open a window use the toolbar button or the menu item of the window.
• A reopened window opens in its previous size and position (docked or floating).
2 Enter the string for which you would like to search in the Find what field.
Select where you would like to search:
• License Management
• Product Management
• License Repository
• Product Repository
Check Match whole word only to find the string in the exact manner that it is specified in
the Find window.
Check Match case to make your search case sensitive.
Use the Up and Down buttons to choose the direction of your search.
Use the Find next button to continue your search.
Printing Views
To print a view, proceed as follows:
1 From the File menu, select Print.
The window Choose Window is displayed. See FIGURE 2-12.
FIGURE 2-12 The Choose Window window
In This Section
SmartUpdate Menu
File Menu
View Menu
Tree Menu
Products Menu
Licenses Menu
Status Menu
Tools Menu
Window Menu
Help Menu
SmartUpdate Toolbar
The SmartUpdate Toolbar provides shortcuts for some menu commands.
Product Management
In This Section
SmartUpdate provides a central view of available and installed products. The administrator can:
• Upgrade all NG products and the Operating System on a Check Point Node to the latest
version in one click (page 67)
• Upgrade major and minor versions (page 64).
• Uninstall major and minor versions (page 92).
• Manage the Product Repository (page 85).
• View remote operation progress status (page 73).
• Verify an installation (page 94),
• Remotely boot a Check Point Node (page 95),
• Get Check Point Node data (page 96),
• Stop a remote operation (page 96).
SmartUpdate Product Management requires a separate license, in addition to the License for the
SmartCenter Server. Install a license with one of the following SKUs:
CPMP-SUP-1-NG for managing one remote Check Point Node
CPMP-SUP-U-NG for managing an unlimited number of remote Check Point Nodes
Note - The user name and the password are transmitted using SSL secured communication.
3 Select the product(s) to download. You can view a filtered list of products (for example,
view only the product upgrade packages for installed products), and the Release Notes.
4 Click Download. The product(s) are downloaded and added to the Product Repository.
The packages are downloaded to a temporary directory on the GUI Client machine and
then transferred to the SmartCenter Server, under the $SUROOT directory.
The Check Point Download Center web site can also be accessed manually at
http://www.checkpoint.com/techsupport/downloads/downloads.html
Note - To upgrade a Check Point HA Cluster, see the FAQ: “How do I upgrade a Check
Point ClusterXL gateway cluster?” on page 124
For updates from version 4.1 to NG FP1, Secure Internal Communication (SIC) is automatically
upgraded.
SmartUpdate product packages (NG FP2 and higher) are the same as ordinary installation
packages.
Before the installation begins SmartUpdate makes sure that the installation will succeed. It
checks that the remote Check Point Node can be reached, that the package to be installed is
valid for the remote Check Point Node — including product dependencies and prerequisites —
and that there is enough disk space. This can also be done separately (see “Verifying an
Installation” on page 94).
If the product upgrade fails, SmartUpdate restores the previously installed version. The
installation can be stopped at any time up until the actual installation (see “Stopping an
Operation and Clearing Completed Operations” on page 96).
The following is an overview of the installation process:
1 Review “How to Upgrade Remote Check Point Nodes” on page 64.
2 Update the Check Point Node OS and product data. (See “Getting Check Point Node
Data” on page 96).
3 Add any required packages to the Product Repository (see “Managing the Product
Repository” on page 85).
4 Click Upgrade.
The Operation Status window opens and shows the progress of the operation. Each
operation is represented by a single entry. Double click the entry to open the Operation
Details window which shows the operation history.
1. It is highly recommended to use the boot option when installing. For VPN-1/FireWall-1
installations, boot is required to switch the kernel and to make Secure Internal
Communication work. However, boot ONLY after all installed products are of the same
version.
2. The remote installation may take some time, depending on the network load and the
package size. View operation progress using the Operation Status window (see page 73)
2 Drag and drop a product from the Product Repository onto the Check Point Node in the
Products tab. Make sure the product Operating System matches the destination Check
Point Node OS.
3 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).
The Install Product window opens. This window contains all the products that can be
installed on the selected Check Point Node.
FIGURE 2-15 Install Product window
3 Select the product that you wish to install. Be sure to check Reboot Check Point Node(s)
only if all products will be of the same version after installation. This will reboot the Check
Point Node following installation.
4 Click Install.
5 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).
2 Select the Check Point Nodes on which to install the product. Make sure that they all have
the same OS. Either Select All Check Point Nodes, or Ctrl click to select more than one
Check Point Node. Be sure to check Reboot Check Point Node(s) only if all products will
be of the same version after installation. This will reboot the Check Point Nodes following
installation. Click Next.
The window shows the available products in the Repository for the selected Check Point
Nodes.
FIGURE 2-17 Install Product wizard — Select a Product
3 Select the product that you wish to install. Make sure the product Operating System
matches the destination Check Point Node OS. Click Finish.
4 Follow the progress of the installation in the Operation Status window. If the product is
installed to more than one Check Point Node, each installation has its own Operation
Status entry (see “Operation Status” on page 73).
4 Select a Check Point Node on which to install the product. Make sure the product
Operating System matches the destination OS. Either Select All Check Point Nodes, or
Ctrl click to select more than one Check Point Node. Be sure to check Reboot Check
Point Node(s) only if all products will be of the same version after installation.
5 Click Install.
6 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).
Uninstalling a Product
Products can be uninstalled remotely using SmartUpdate. Uninstalling VPN-1/FireWall-1, SVN
Foundation and FloodGate-1 restores the previously installed version.
It is highly recommended to boot the remote Check Point Node after uninstalling.
Before the uninstallation begins, SmartUpdate makes sure that the remote Check Point Node
can be reached, and that the product is installed on the remote Check Point Node.
After uninstalling a product, get the Check Point Node data (see “Getting Check Point Node
Data” on page 96).
When downgrading an NG product to version 4.1, if the product had licenses installed on it
remotely from the SmartCenter Server, the licenses will still exist in the License Repository. You
should therefore update the License Repository (see “Getting Check Point Node Licenses into
the License Repository” on page 150).
Alternatively, if you delete the Check Point Node object of the uninstalled product from the
GUI, the licenses will be detached from this object in the License Repository.
5 Follow the progress of the uninstallation in the Operation Status window (see “Operation
Status” on page 73).
6 After uninstalling, get the Check Point Node data (see “Getting Check Point Node Data”
on page 96) and if the Check Point Node had remotely installed licenses, get the licenses
(see “Getting Check Point Node Licenses into the License Repository” on page 150).
4 Follow the progress of the uninstallation in the Operation Status window. If the product is
uninstalled from more than one Check Point Node, each uninstallation has its own
Operation Status entry (see “Operation Status” on page 73).
5 After uninstalling, get the Check Point Node data (see “Getting Check Point Node Data”
on page 96), and if the Check Point Node had remotely installed licenses, get the licenses
(see “Getting Check Point Node Licenses into the License Repository” on page 150).
Verifying an Installation
Before installing a product it is possible to test whether the product can be installed on the
remote Check Point Node. The test verifies that
• the Operating System and currently installed products are appropriate for the product to be
installed,
• there is a CPRID connection to the remote machine,
• there is sufficient disk space,
• the product is not already installed, and that
• the product dependencies are fulfilled.
SmartUpdate automatically performs this test before a remote installation begins.
4 Follow the progress of the verification in the Operation Status window (see “Operation
Status” on page 73).
4 Follow the progress of the verification in the Operation Status window. If the verification
is to more than one Check Point Node, each installation verification has its own Operation
Status entry (see “Operation Status” on page 73).
5 Follow the progress of the verification in the Operation Status window (see “Operation
Status” on page 73).
Note - Boot ONLY when all installed products are of the same version.
2 Follow the progress of the operation in the Operation Status window (see “Operation
Status” on page 73).
Warning - Do not stop the Installation of SVN Foundation. Doing so will require extensive
manual cleanup at the Check Point Node.
To Stop an Operation
1 From the Operation Status window, select the in-progress operation.
2 From the Status menu, select Stop Operation or
Right click, and select Stop Operation
3 Check the Operation status in the Operation Status window (see “Operation Status” on
page 73).
License Management
In This Section
Central Licenses
Check Point NG introduced a new licensing scheme in which the product license is tied to the
IP address of the SmartCenter Server, rather than to the IP address of the Check Point Node. A
license of this kind is called a Central license. The benefits are:
• The new license remains valid when changing the IP address of the Check Point Node.
There is no need to create and install a new license.
• Only one IP address is needed for all licenses.
• A license can be taken from one Check Point Node and given to another.
A Central license is an NG license that has the IP address of the SmartCenter Server.
Local Licenses
A Local license is tied to the IP address of the specific Check Point Node, and can only be used
for a Check Point Node or a SmartCenter Server with that IP address.
Prior to Check Point NG, only Local licenses existed.
Local licenses can be added to the License Repository and automatically attached to a Check
Point Node. Only Local NG licenses can be detached from a remote Check Point Node.
Obtaining Licenses
Obtain licenses from the User Center at http://www.checkpoint.com/usercenter using
SmartUpdate via the License > New License > Add From User Center... menu item (see
“Downloading a License File From the User Center” on page 102). If you need more than one
license, you can download a license file containing multiple licenses from the User Center, and
import all the licenses into the SmartUpdate License Repository.
Before using SmartUpdate, you must install a license for the SmartCenter Server at the
SmartCenter Server machine (see “Installing a License for the SmartCenter Server” on page
101).
Note - Local licenses issued with a hostid can be installed on their target machine
only via the cplic command or cpconfig Configuration Tool.
Once you have obtained license(s), add them to the License Repository (see “Adding a License
to the License Repository” on page 101).
Certificate Key
The certificate key is a string of 12 alphanumeric characters. The string is unique to each
product, and also identifies the license. For an evaluation license your certificate key can be
found inside the mini pack. For a permanent license you should receive your certificate key
from your reseller.
Note - Any characters in the Certificate Key that may look like 'O' or 'I' are most likely '0'
or '1'.
Request Details
---------------
Certificate Key: 1BED 4054 433R
Product: CPMP-EVAL-BETA-DES-VNG
Version: NG
Note - In order to show the locally installed SmartCenter Server licenses in the
SmartUpdate GUI, you must first retrieve them into the License repository (see “Getting
Check Point Node Licenses into the License Repository” on page 150).
• By downloading a license file directly from User Center. A license file can contain multiple
licenses.
• By importing a license file received from the User Center.
• Manually (by copying the license details).
Adding a Central license to the License Repository does not install it on any Check Point
Node.
After adding a Central license to the Repository, you can Attach (install) it to a Check Point
Node.
If a Local license is added to the Repository, the license is automatically installed on the Check
Point Node for which it is intended.
Note - The user name and the password are transmitted using SSL secured communication.
3 The generated license file is downloaded to the SmartUpdate GUI Client machine. It is
added to the License Repository. If upgrading, “moving IP” or converting between Local
and Central License, the license is attached to the appropriate Check Point Node.
or
Select Licenses> View Repository or click to open the License Repository, then
right click in the Licenses Repository, and choose New License> Import File...
2 Browse to the location of the license file, select it, and click Open.
The new unattached Central licenses will appear in the Licenses repository. Local licenses will be
automatically attached to their Check Point Node. The license will get a default name of the
format SKU@ time date. The name of the license can be changed at a later time (see “Viewing
License Properties” on page 113). If the Attach operation fails, the Local licenses will be deleted
from the Repository.
1 The User Center results page and the license email received from the User Center contains
the license installation instructions. From these instructions, copy the license to the
clipboard. You need to copy the string that starts with cplic putlic... and ends with the
last SKU/Feature. For example
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NG CK-1234567890
If you only have a hard-copy printout, continue from step 2.
2 Select Licenses> New License> Add Manually, or select on the toolbar,
or
Select Licenses> View Repository, then right click in the Licenses Repository, and
choose New License> Add Manually...
The Add License window opens.
FIGURE 2-20 The Add License window
3 If you copied the license to the clipboard, click Paste License. The fields will be populated
with the license details.
Otherwise, enter the license details from a hard-copy printout.
4 Click Calculate, and make sure the result matches the validation code received from the
User Center.
5 Optionally, choose a name for the license. If you leave the Name field empty, the license
will get a default name of the format SKU@ time date. The name of the license can be
changed at a later time (see “Viewing License Properties” on page 113).
6 Click OK.
Note - Local licenses issued with a hostid can be installed on their target machine only
locally, via the cplic command or the cpconfig Configuration Tool.
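As an added example (not Check Point code), the following Python parser takes the cplic putlic string described in step 1 above and surfaces what an administrator otherwise checks by hand in the Add License window: the license IP (Central when it is the SmartCenter Server's address, Local otherwise), the expiry date that SmartUpdate warns about before attaching, and the O/I versus 0/1 note for hand-typed certificate keys. The token layout beyond the page's own sample and the treatment of that note as a fixed rule are assumptions.

```python
"""Parse and sanity-check a Check Point `cplic putlic` license string.

Added example, not Check Point code. The token layout follows the sample
on this page:

    cplic putlic <ip> <expiry ddMonyyyy> <signature> <SKU/Feature ...> [CK-<key>]

Everything beyond that sample (token order for other license strings, the
handling of the trailing CK- token) is an assumption made for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional
import ipaddress
import shlex

# Constructed sample, copied from the format shown on this page.
SAMPLE_LINE = (
    "cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx "
    "CPSUITE-EVAL-3DES-NG CK-1234567890"
)


def parse_cp_date(text: str) -> date:
    """Parse the ddMonyyyy date form used in the license string (e.g. 06Dec2002)."""
    return datetime.strptime(text, "%d%b%Y").date()


@dataclass
class CplicLicense:
    ip: str
    expiry: date
    signature: str
    skus: List[str]
    certificate_key: Optional[str] = None

    def kind(self, smartcenter_ip: str) -> str:
        """Central if the license carries the SmartCenter Server IP, else Local."""
        return "Central" if self.ip == smartcenter_ip else "Local"

    def is_expired(self, today: date) -> bool:
        return today > self.expiry


def parse_cplic_putlic(line: str) -> CplicLicense:
    """Split a `cplic putlic` line into its fields, rejecting malformed input."""
    tokens = shlex.split(line.strip())
    if tokens[:2] != ["cplic", "putlic"]:
        raise ValueError("line must start with 'cplic putlic'")
    if len(tokens) < 6:
        raise ValueError("expected <ip> <expiry> <signature> and at least one SKU")
    ip_text, expiry_text, signature, *features = tokens[2:]
    ip = str(ipaddress.ip_address(ip_text))      # ValueError on a non-address
    expiry = parse_cp_date(expiry_text)          # ValueError on a bad date
    certificate_key = None
    if features and features[-1].startswith("CK-"):
        certificate_key = features.pop()          # assumed: the CK- token is last
    if not features:
        raise ValueError("no SKU/Feature tokens found")
    return CplicLicense(ip, expiry, signature, features, certificate_key)


def check_license(lic: CplicLicense, smartcenter_ip: str, today: date) -> List[str]:
    """Return the warnings an administrator should see before attaching the license."""
    warnings = []
    if lic.is_expired(today):
        warnings.append(f"license expired on {lic.expiry:%d%b%Y}")
    if lic.kind(smartcenter_ip) == "Local":
        warnings.append(
            f"Local license tied to {lic.ip}: it can only be attached to the "
            "Check Point Node with that IP address"
        )
    return warnings


def normalize_certificate_key(text: str) -> str:
    """Clean a hand-typed 12-character certificate key.

    Applies the page's note that characters looking like 'O' or 'I' are most
    likely '0' or '1'. Treating that note as a fixed rule is an assumption.
    """
    cleaned = text.replace(" ", "").upper().translate(str.maketrans("OI", "01"))
    if len(cleaned) != 12 or not cleaned.isalnum():
        raise ValueError("certificate key must be 12 alphanumeric characters")
    return cleaned


if __name__ == "__main__":
    lic = parse_cplic_putlic(SAMPLE_LINE)
    print(lic.kind("1.1.1.1"), lic.skus, lic.certificate_key)
    for warning in check_license(lic, "10.0.0.5", parse_cp_date("01Jan2003")):
        print("warning:", warning)
    print(normalize_certificate_key("1BED 4O54 433R"))
```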
There are a number of different ways to attach a license to a Check Point Node. In all cases,
follow the status of the procedure in the Operation Status window.
2 Drag and drop one or more unattached Central licenses in the License Repository onto a
Check Point Node in the Licenses tab.
When done, the license icon(s) in the Repository will change and the license(s) will appear
under the Check Point Node in the Licenses tab.
4 Follow the status of the procedure in the Operation Status window (see “Operation
Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point
Node in the Licenses tab.
2 Select a Check Point Node to which the license(s) is (are) to be attached, and click Next.
The window shows the available unattached licenses in the Licenses Repository.
3 Select the license that you wish to attach. Either Select All, or Ctrl click to select more than
one license.
4 Click Attach.
5 Follow the status of the procedure in the Operation Status window (see “Operation
Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point
Node in the Licenses tab.
The Attach Licenses window opens. This window contains all the available, unattached licenses.
3 Select the licenses that you wish to attach. Either Select All, or Ctrl click to select more
than one license.
4 Click Attach.
5 Follow the status of the procedure in the Operation Status window (see “Operation
Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point
Node in the Licenses tab.
2 Drag and drop an evaluation license in the License Repository onto the root of the Check
Point Nodes tree in the Licenses tab.
When done, the evaluation license icon will appear under every Check Point Node in
the Licenses tab.
There are a number of different ways to detach a license from a Check Point Node using
SmartUpdate. In all cases, follow the status of the procedure in the Operation Status window.
2 Select the Check Point Node from which you wish to detach the license and press Next.
The Detach Licenses window shows the licenses attached to the Check Point Node.
3 Select the license that you wish to Detach. Either Select All or Ctrl click to select more
than one license.
4 Click Finish.
Note - Only version 4.1 SP1 and higher licenses can be retrieved into the License
Repository.
It is possible to retrieve (“get”) all licenses in the managed network, or only the licenses from a
single Check Point Node. It is recommended to retrieve the SmartCenter Server license(s) so
that it (they) will appear in the License Repository.
To update the License Repository, proceed as follows:
or select Get Check Point Node Licenses from the Licenses menu.
3 Follow the status of the procedure in the Operation Status window. Retrieved Local
licenses will appear in the License Repository and in the Products tab with the icon.
Note - Once the license has been deleted from the License Repository, it can no longer be
used. To re-use it, add it to the License Repository (see “Adding a License to the License
Repository” on page 101).
SmartUpdate will automatically give a warning before attaching an expired license to a remote
Node.
If no licenses are installed, the expiration date of the Trial Period is shown in the Expiration
Date column for products that are within their 15 day trial period. For more information, see
“The Trial Period” on page 99.
2 To delete an unattached license from the License Repository, select the license(s) and click
Delete. If it is attached, you must detach it before deleting it (see “Detaching a License
from a Check Point Node” on page 109).
3 To view the properties of the license, double click the license, or select the license and click
Properties.
4 Choose the Options for future searches. Click Apply to run the search immediately.
In addition, in the Licenses tab and the License Repository you can check for soon-to-expire
licenses by sorting by expiration date. Click
3 In the Choose File to Export License(s) To window, name the file (or select an existing
file), and browse to the desired location. Click Save.
All selected licenses will be exported. If the file already exists, the new licenses are added to the
file.
The license upgrade can be performed either before or after upgrading the version 4.1 Check
Point Nodes to the latest version of VPN-1/FireWall-1 NG.
Note - After upgrading the licenses,
• cplic print in the remote Check Point Node will not show the old 4.1 licenses.
• if the products on the remote Check Point Nodes are downgraded to version 4.1, the
old licenses will reappear in the Check Point Nodes. cplic print will show the old 4.1
licenses, and they can be retrieved to the License Repository using the cplic get
command.
3 Upgrade the version 4.1 products on the remote Check Point Nodes. (See “Upgrading a
Single Product on a Check Point Node” on page 103 of the Check Point SmartCenter
Guide.)
4 Using Licenses > New Licenses > Add From User Center... , view the licenses for the
products that were upgraded from version 4.1 to NG, create new upgraded licenses, and
download a file containing the upgraded NG licenses.
Note - Only download licenses for the products that were upgraded from version 4.1 to
NG.
5 If you did not import the version 4.1 licenses into the repository in step 2, import the
version 4.1 licenses now (Licenses > Get All Licenses)
6 Upgrade the licenses. Select Licenses > Upgrade... and select the downloaded license file.
• The licenses in the downloaded license file and in the license repository are compared.
• If the certificate keys and features match, the old licenses in the repository and in the
remote Check Point Nodes are updated with the new licenses.
Licensing Glossary
SmartUpdate introduces a number of new licensing concepts. The following is a brief
explanation of some licensing concepts.
SmartUpdate Architecture
FIGURE 2-37 SmartUpdate Architecture (figure not reproduced). The figure shows the GUI
Client connected over SIC to the Management Server, whose Check Point Database holds the
Licenses and Packages repositories fed from the Check Point CD and the Download Center;
the Management Server’s SecureUpdate component communicates over SIC with the SVN
Foundation (cpd and CPRID) on the Check Point Nodes; the command line tools shown are
cplic (remote and local), cprinstall and cppkg.
• Licenses and products are managed using the SmartUpdate GUI. Command lines are also
available.
• The Check Point SmartCenter Server includes the SmartUpdate License and Product
Management components.
• The License Repository ($FWDIR/conf/licenses.C) is part of the Check Point database.
• The default Product (Package) Repository location on Windows machines is C:\SUroot.
On UNIX it is /var/SUroot. The Product Repository ($FWDIR/conf/packages.C) is part
of the Check Point database.
• Communication between the Management Client, the SmartCenter Server and the SVN
Foundation on remote Check Point Nodes uses Secure Internal Communication (SIC):
• Product Management uses a CPRID (Check Point Remote Installation Daemon) client on
the SmartCenter Server, and a CPRID server on remote Check Point Nodes.
• License Management uses the cpd daemon.
• The CPRID Server and cpd are components of the SVN Foundation installed on the Check
Point Nodes.
• A log file of SmartUpdate product operations is generated in the file $SUROOT\log\<Check
Point Node name>_SecureUpdate.elg.
• An audit log of SmartUpdate operations can be viewed in the SmartView Tracker Audit
View.
SmartUpdate FAQ
In This Section
SmartUpdate is silently installed together with the VPN-1/FireWall-1 SmartCenter Server. The
SmartUpdate Management (GUI) Client is installed by default at the same time as the other
Management Clients.
Question: What is the Trial Period, and how is it different from an evaluation license?
• In addition, log information is displayed in the Operation Status view and in the
Operation Details window.
“Upgrade All Products” is the recommended method. See “How to Upgrade Remote Check
Point Nodes” on page 64.
Question: How do I upgrade the OS on the Check Point Node via SmartUpdate?
In NG FP3, it is possible to use SmartUpdate to upgrade the operating system on a Nokia
Appliance and on SecurePlatform NG. First upgrade the OS and boot the machine, as
described in “Installing a Single Product” on page 89, then upgrade all the other products
to the latest version and reboot.
Question: What products can I install and where can I get them from?
As of SmartUpdate NG FP2, there is only one kind of product package for both local and
remote installations. Packages can be obtained from the Check Point NG FP2 CD or the Check
Point Download Center (http://www.checkpoint.com/techsupport/downloads/downloads.html).
Add packages to the Product Repository using the SmartUpdate GUI. Use the menu items
Product > New Products > Add From User Center... or Add From CD... or Import File.
Question: What should a Check Point Node include (installations, versions) in order to
be remotely installable?
To use SmartUpdate to upgrade a product on a remote Check Point Node, the product must be
of version 4.1 SP2 or higher, or version NG.
If you have VPN-1/FireWall-1 version 4.1 SP2 or higher on the Check Point Node, you can
use SmartUpdate to remotely install the SVN Foundation components from scratch. To do so,
you must first install and configure the CPutil package (found on the Check Point 2000 CD
and on the Check Point Support download site) on every network object which will participate
in the Remote Installation. For details, see the Release Notes for these packages.
SmartUpdate Installation Management uses a CPRID (Check Point Remote Installation
Daemon) client on the SmartCenter Server, and a CPRID server on remote Check Point
Nodes. License Management uses the cpd daemon. The CPRID server and cpd are components
of the SVN Foundation on the Check Point Nodes. All these components must run in order for
the remote upgrade to succeed.
The Operation Status log shows current and past SmartUpdate operations. Each entry includes
the current status and the success or failure of the operation.
SmartUpdate can stop the remote installation of a product— even during transfer of files,
extraction and testing, though stopping an installation is not recommended. You can stop the
operation at any time up to the actual installation (see “Stopping an Operation and Clearing
Completed Operations” on page 96).
Question: What happens if the connection between the Management and the remote
Check Point Node breaks while upgrading?
If the communication break happens before or during the actual product installation, the
product upgrade fails, and SmartUpdate restores the previously installed version. If the
installation completes, the new version will be in place.
The following procedure describes how to upgrade a version 4.1 or NG gateway cluster.
If using a third party cluster, before performing the upgrade, configure the synchronization
network in the synchronization tab, and the cluster mode in the ClusterXL tab. Also, refer to the
third party documentation.
To upgrade a cluster of Check Point Gateways, proceed as follows:
1 Obtain an NG Central license for the cluster and install it on the SmartCenter Server.
2 On all the inactive cluster members, use SmartUpdate to remotely upgrade all products to
the latest version.
3 Reboot all the inactive member machines.
4 Update the cluster object and members in the SmartDashboard as described in chapter 5,
“ClusterXL” on page 241 of the Check Point FireWall-1 Guide.
5 When the standby machines are up again, in the SmartDashboard, uncheck the On
Gateway clusters, install on all members, If it fails do not install at all checkbox and
Install the security policy on the cluster. The policy will be successfully installed on standby
cluster members, and will fail on the active machine.
6 On the active cluster member, run the cpstop command then the cphastop command.
7 On the active cluster member, use SmartUpdate to remotely upgrade all products to the
latest version and install the Central licenses for the products (such as FireWall-1, not High
Availability licenses) installed on the cluster member.
8 When the cluster members come up, they try to fetch policy from the active member, then
from the SmartCenter Server, and then from themselves. If all this fails, install the Policy on
the cluster.
Booting the machine loads the new FireWall-1 kernel. It is required at the end of the installation
or upgrade process, after all Check Point products on the machine have been successfully
installed or upgraded to the latest version.
The machine can also be rebooted in the middle of the upgrade process, with no ill effects, even
before all products have been upgraded to the latest version, but this is unnecessary. Starting the
Check Point services (cpstart) will start only products with the same version as the installed
SVN Foundation.
Licensing FAQ
Question: How do I create the new Central licenses and how are they different from the
old ones?
To use Central licenses, you must add them to the License Repository and attach them to a
Check Point Node. Proceed as follows:
1 Install the SmartCenter Server, the product on the remote Check Point Node, and the GUI
client
2 Initialize Secure Internal Communication (SIC) between the SmartCenter Server and the
remote Check Point Node.
3 Create a Central license for the SmartCenter Server and the Check Point Nodes at the User
Center http://www.checkpoint.com/usercenter with the IP address of the SmartCenter
Server.
4 Install a license for the SmartCenter Server.
5 In the SmartUpdate GUI, select Licenses > View Repository to open the License
Repository view.
6 Add the license to the License Repository (drag-and-drop the license file to the Repository,
or select Licenses > New License > Add manually or Import File).
The new license will appear in the License Repository.
7 Click the Licenses Tab.
8 Choose the license in the Repository, drag-and-drop it over the desired target Check Point
Node
There will be an Operation Status message, and when done, the license will be attached. The
license icon will change and the license will appear under the Check Point Node in the
Licenses tab.
Question: Do I need new licenses when changing the IP of the SmartCenter Server?
When changing IP address of the SmartCenter Server, you need to relicense all the Certificate
Keys bound to the old IP address, with the new IP of the Management.
Proceed as follows:
1 Collect all Certificate Keys bound to the old IP address of the SmartCenter Server.
2 In the User Center (http://www.checkpoint.com/usercenter), relicense those Certificate
Keys using the new IP address of the SmartCenter Server.
3 From the User Center, download the file containing the new licenses.
4 Using SmartUpdate, detach (see “Detaching a License from a Check Point Node” on page
109) and delete (see “Deleting a License from the License Repository” on page 112) the old
licenses.
5 Import the new licenses in the file into the License Repository (see “Adding a License to
the License Repository” on page 101).
6 Attach the new licenses to the Check Point Nodes (see “Attaching a License to a Check
Point Node” on page 105).
In This Chapter
Managing VPN-1/FireWall-1
The easiest way to manage VPN-1/FireWall-1 is to use the Check Point SmartDashboard. You
can use the command line interface, if you wish, instead of the SmartDashboard. For additional
information about the VPN-1/FireWall-1 command line interface, see Chapter 19, “Command
Line Interface”.
Note - The VPN-1/FireWall-1 command line interface runs only on the SmartCenter Server.
The Check Point SmartDashboard
Windowing System   Action
Windows            Double-click the SmartDashboard icon.
X/Motif            Run /opt/CPclnt-50/bin/PolicyEditor.
Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.
If you do not wish to modify a policy, check Read Only before clicking on OK.
Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49, for information how to define users on the
SmartCenter Server.
To compress the connection to the SmartCenter Server, check Use compressed connection.
Enter the text describing why the administrator wants to make a change in the security policy
in Session ID (optional). The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the
SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.
Warning - Do not make a first-time connection to a SmartCenter Server from a GUI client
unless you have obtained the SmartCenter Server fingerprint through a trusted channel and
are able to confirm it is the same as the fingerprint displayed in the GUI client. Accepting an
unverified fingerprint means trusting whatever host answered the connection.
After a brief delay, during which the VPN-1/FireWall-1 database is loaded, the SmartDashboard
window is displayed.
(Figure: the SmartDashboard window, showing the toolbars, the SmartMap, and the Objects
List, which displays details of the objects selected in the Objects Tree.)
The SmartDashboard window’s title shows the name of the Policy currently displayed.
Depending on your license (the VPN-1/FireWall-1 features your SmartCenter Server is licensed
to implement), you will see some or all of the following tabs in the SmartDashboard window.
• Security Policy
The Security Policy Rule Base is described in Chapter 8, “Security Policy Rule Base.”
• Address Translation
The Address Translation Rule Base is described in Chapter 2, “Network Address Translation
(NAT)” in Check Point FireWall-1.
• VPN Manager
The VPN Manager tab is described in the book Check Point Virtual Private Networks.
• Desktop Security Policy
The SecureClient Policy is described in the book Check Point SecureClient User Guide.
• WebAccess
The Web Access tab is described in the book Check Point UserAuthority.
Object Tree
The Objects Tree consists of eight tabs. These tabs provide access to eight object types. Within
each tab, a different object type is represented in its own tree. You can change the display of
information by collapsing or expanding the object tree using the and buttons,
respectively. Within these tabs you can create and modify selected objects.
FIGURE 3-4 Object Tree Tabs — select the tab of your choice (figure not reproduced; it shows
the numbered tabs and the menus labeled Figure A and Figure B)
3 Select New Object Type from the displayed menu. For example, in the Network Objects tab,
if you select the Network object icon in the Objects Tree, the menu will display New
Network (FIGURE 3-5 — Figure A). However, if you select the primary object type (the
first object in the tree, for which the tab is named), you will have to select New and then
select the object type from the displayed sub-menu (FIGURE 3-5 — Figure B).
The Object Properties window is displayed.
Where Used
1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Where Used... from the displayed menu.
In the displayed window you can see where the selected object is used in the Rule Base. If
the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any. For more information, see “Object
Occurrences window” on page 137.
Object List
The Objects List displays all Object types in a detailed table. This table includes Object
configuration information and details, as specified in the Object’s Properties window.
The SmartMap
Check Point’s SmartMap provides a topological view of the objects in the SmartDashboard. The
SmartMap View is a mapped visual representation of the network objects defined in the
SmartDashboard and the relationship between these network objects. For more information
about the SmartMap, see Chapter 17, “SmartMap.”
In this case, an error message “No Response from Server” will be displayed.
By default the GUI waits 15 seconds for the SmartCenter Server to respond to requests. In
certain cases the server may be very loaded and certain operations (queries for example) may
take longer than 15 seconds. If this happens, you can change the default 15 second timeout
as follows:
• Windows NT
If your SmartCenter Server is running under Windows NT, you can add or delete GUI Clients
using the VPN-1/FireWall-1 Configuration application. See Chapter 4, “Installing and
Configuring VPN-1/FireWall-1,” for information about the VPN-1/FireWall-1 Configuration
application.
If your SmartCenter Server is running under Unix, then you can add or delete GUI Clients by
using any text editor to modify the file
$FWDIR/conf/gui-clients directly. The file consists of IP addresses or resolvable names, one
per line.
4 You are not one of the allowed administrators.
Use the Check Point configuration application to manage administrators.
5 The versions of the GUI Client and SmartCenter Server are incompatible.
This can happen when mixing encryption and non-encryption versions.
6 A rule or property disallows the connection between the GUI Client and SmartCenter
Server.
See “Accept VPN-1 & FireWall-1 control connections” on page 290 for more information.
Note - To use the Database Revision Control feature, you must have the appropriate
license.
To view the list of database versions, choose Database Revision Control from the File menu or
click in the toolbar. The following window appears (see FIGURE 3-8).
This window displays a list of all the database versions in the version repository.
The Database Revision Control window contains the following columns:
Version ID — the sequence number of the database version in the version repository. The value
is automatically maintained by SmartDashboard.
Name — the name of the database version. This field may be empty because when you create a
new database version, giving it a name is optional. For more information, see “Creating a New
Database Version” on page 141.
Creation Date — the day, date, and time the database version was created
Major Version — the (major) version of the product used to create the database version
Minor Version — the (minor) version of the product used to create the database version
Administrator — the administrator name used to log into SmartDashboard (see “Starting the
SmartDashboard” on page 130)
Comment — a comment added about the database version
2 Enter the name of the new database version in the Name box.
3 Enter a comment about the new database version in the Comment box.
Note - Step 2 and Step 3 are both optional since Check Point SmartDashboard uniquely
identifies each new version with a sequence number and a creation date.
4 Click OK. The newly-created version is added to the list and to the version repository.
Deleting a Version
In the Database Revision Control window, select the version you want to delete and click
Delete.
Note - For information on how to install a previous FireWall-1 Security Policy version on a
Module without changing the definition of the currently-active database policy on the
SmartCenter Server, see page 575 in Chapter 19, “Command Line Interface.”
Note - Take into account that retaining the current user database might create a conflict,
preventing the successful restoration of the version.
3 You can optionally click View Version to open another SmartDashboard application
displaying the version you want to restore in read-only mode.
4 Click Next. A verification process is initiated, checking for problems or conflicts that may
arise from inconsistencies between the different databases.
If there are no inconsistencies detected, the database is successfully restored and the
following window appears.
If inconsistencies are detected, errors or warnings are displayed with explanations of why
restoration of the database version failed. For example, let’s consider the following scenarios.
Scenario 1
In the current database, you added a new object (tac1) and defined a user (u2) that uses the
newly-added object (tac1). If you want to restore a previous database version but retain the
users defined in the current database version (by choosing the option Apply the current user
database onto the restored version), an inconsistency will be detected and the restoration
will fail because the object (tac1) did not exist in the previous version. In this case, the
following window appears:
Click the Verification Problems button for details about why the restoration process failed.
The following window appears.
FIGURE 3-11 Restore database troubleshooting
Correct the problem and try to restore the database version again.
Scenario 2
In the current database, you created a certificate for the following Gateways:
• bono
• rossini
If you revert to another database version, the certificates you created will no longer be valid
and you will get the following warning:
Menus
Note - The majority of SmartDashboard menus are common to both the Standard and the
Log Consolidator products. The word “Policy” refers to either the Security Policy or the
Consolidation Policy, depending on the product viewed through the Products sub-menu
of the View menu.
For more information on Log Consolidator-specific menus, see Getting Started with the
Check Point Reporting Module.
File Menu
TABLE 3-4 The File Menu options
Edit Menu
TABLE 3-5 The Edit menu options
View Menu
TABLE 3-6 The View menu options
Option              Button   Description                                                   See
Rule Base                    Toggle the display of the SmartDashboard Rule Base.           “Object Tree” on page 134
Objects List                 Toggle the display of the Objects List.                       “Object List” on page 136
Topology Map                 Toggle the display of the SmartMap.                           “The SmartMap” on page 139
Reset Column Width  none     Set the Rule Base columns to their default width.
Sort Tree                    Sort the Objects Tree by the object name, type or color.      “Sorting the Objects Tree” on page 135
Implied Rules                Toggle the display of the implied rules (the rules derived    “Implied Rules” on page 332
                             from the Global Properties window).
(Toolbar button icons are not reproduced in this table.)
The SmartDashboard consists of several toolbars. These toolbars are displayed below the menu.
To decide which toolbars are displayed, select the requested menu options from the Toolbars
option in the View menu. For more about toolbars, see “VPN-1/FireWall-1 Toolbars” on page
154. The SmartDashboard Status Bar (see page 158) is displayed at the bottom of the
SmartDashboard window.
Policy Menu
TABLE 3-9 The Policy menu options
SmartMap menu
For more information, refer to “The SmartMap Helper” in Chapter 17, “SmartMap”.
Search Menu
TABLE 3-10 The Search menu options
Window Menu
TABLE 3-11 The Window menu options
Help Menu
TABLE 3-12 The Help menu options
VPN-1/FireWall-1 Toolbars
To select the toolbars that you would like to display, select the requested menu options from
Toolbars in the View menu.
Help Toolbar
Objects Toolbar
Panes Toolbar
Policy Toolbar
Rules Toolbar
TABLE 3-18 The Rules toolbar button
Rules > Add Rule > Before
Rules > Add Rule > After
Search Toolbar
TABLE 3-19 The Search toolbar buttons
SmartDefense
The Check Point SmartDefense provides a unified security framework for various components
that identify and prevent cyber attacks. In addition to the security enforcement policy, defined in
the rule base, SmartDefense unobtrusively analyzes activity across your network, tracking
potentially threatening events and optionally sending notification.
SmartDefense includes the following features:
• successive events — a mechanism for detecting malicious or suspicious successive events and
notifying the system administrator;
• stateless packet validation — a comprehensive sequence of IP, ICMP, UDP and TCP tests;
• sequence verifier — a mechanism matching the current TCP packet’s sequence number
against the TCP connection state. Packets that match the connection in terms of the TCP
session but have incorrect sequence numbers are either dropped or stripped of their data;
• SYN Attack — a module designed to prevent attacks in which TCP connection initiation
packets are sent to the server in an attempt to cause Denial of Service;
• fragment sanity check — a feature that generates logs when it detects packets purposefully
fragmented to bypass the FireWall or to cause Denial of Service;
• general HTTP worm catcher — a mechanism for detecting and blocking HTTP-based
worms, e.g., CodeRed and Nimda;
• FTP malformed packet logs — FTP protocol enforcement that foils any attempt to use an
FTP server as an agent for a malicious operation. Optionally, log events are forwarded
to the VPN-1/FireWall-1 log database;
• DNS malformed packet logs — DNS protocol enforcement that inspects each packet to
make sure it conforms to the DNS query (or answer) standard. In addition, certain
restrictions are imposed on the type of data allowed in queries and answers;
• implicit security servers activation — a feature that implicitly activates the
security servers on all traffic of a certain type, regardless of the Rule Base.
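The sequence verifier bullet above describes the decision (drop, or strip the data, from a packet that belongs to a known connection but carries an out-of-window sequence number) without showing the arithmetic. The following is an added example, not Check Point code and not a description of SmartDefense’s internal implementation: it applies the RFC 793 segment acceptability test, modulo 2^32, to constructed segments against a constructed connection state, and returns the verdict the guide names. The ConnState and Segment types, the verdict strings and the “drop”/“strip” policy flag are assumptions made for the example.

```python
"""TCP sequence verifier in the spirit of SmartDefense's sequence verifier.

Added example (not Check Point code). A segment whose sequence range falls
outside the receiver's window is either dropped or passed with its payload
stripped, selected by the `action` flag. Sequence arithmetic is modulo 2**32
so the check survives sequence-number wraparound. Connection state and
segments are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MOD = 1 << 32


@dataclass
class ConnState:
    rcv_nxt: int   # next sequence number the receiver expects (assumed field)
    rcv_wnd: int   # receive window advertised by the receiver (assumed field)


@dataclass
class Segment:
    seq: int
    payload: bytes


def _in_window(seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: a segment is acceptable if its first or its
    last byte lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2**32."""
    def within(x: int) -> bool:
        return (x - rcv_nxt) % MOD < rcv_wnd

    if seg_len == 0:
        # Empty segment (pure ACK): with a zero window only an exact match passes.
        return within(seq) if rcv_wnd else seq == rcv_nxt
    return within(seq) or within((seq + seg_len - 1) % MOD)


def verify(state: ConnState, seg: Segment,
           action: str = "drop") -> Tuple[str, Optional[Segment]]:
    """Return ('accept', seg), ('drop', None) or ('strip', seg-without-data).

    `state` is advanced only for in-order data so later segments are judged
    against the updated window; out-of-order but in-window data is accepted
    without moving rcv_nxt (reassembly is out of scope here).
    """
    if _in_window(seg.seq, len(seg.payload), state.rcv_nxt, state.rcv_wnd):
        if seg.seq == state.rcv_nxt:
            state.rcv_nxt = (state.rcv_nxt + len(seg.payload)) % MOD
        return "accept", seg
    if action == "strip":
        return "strip", Segment(seg.seq, b"")
    return "drop", None


if __name__ == "__main__":
    # Constructed trace: in-order data, a stale byte, and a far-future segment.
    st = ConnState(rcv_nxt=1000, rcv_wnd=4096)
    for s in (Segment(1000, b"GET"), Segment(999, b"x"), Segment(9000, b"y")):
        print(s.seq, verify(st, s, action="strip")[0])
```

A policy that strips rather than drops keeps the ACK and flags of a suspect segment flowing while denying the attacker the ability to inject data into the stream; dropping is the safer default when the peer is expected to retransmit.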
Standard Toolbar
TABLE 3-20 The Standard toolbar buttons
Communities Toolbar
TABLE 3-21 The Communities toolbar buttons
SmartDefense Toolbar
For more information, refer to “SmartDefense” on page 157.
The VPN-1/FireWall-1 Status Bar, displayed at the bottom of the VPN-1/FireWall-1 window,
shows information on the state of VPN-1/FireWall-1, as well as explanations of menu items and
toolbar buttons.
In This Chapter
Overview
When you define users, administrators and groups for VPN-1/FireWall-1, then:
• You are then able to use those user groups as the Source in rules which specify
Authentication (User, Client, or Session) as the Action
• The administrators can use the Check Point Management GUI Clients to administer Check
Point products.
The user’s or administrator’s properties (for example, those defined in the Location and Time
tabs of the User Properties window) are then applied. In this way, you can specify, for example,
that users in one group can connect only during the day, while users in another group can
connect only at night.
There are two ways to define users in VPN-1/FireWall-1:
• using the VPN-1/FireWall-1 proprietary user database — see “VPN-1/FireWall-1
Proprietary Users” on page 158
• using an LDAP directory — see “External Users and Groups” on page 171
VPN-1/FireWall-1 Proprietary Users
Note - If you have chosen User by Template or Administrator by Template, you must
first choose a template from the menu.
The User Templates already defined are listed in the bottom part of the menu.
Modifying a User
To modify an existing user, select the user in the Users window and click on Edit.
Deleting a User
To delete an existing user, select the user in the Users window and click on Remove.
Creating a Group
To create a new group, choose Group from the New User Object menu. The Group Properties
window is then displayed.
To add users or groups to a group, follow the instructions in “User Groups” on page 166.
Creating a Template
To create a new template, choose Template from the New User Object menu. The User
Definition Template window is displayed.
The User Definition Template window is identical to the User Properties window and has
the same tabs (except for the Certificates tab). Enter the data (properties) for the template in
the same way you enter data for a user (see “User Properties” on page 162).
Once you have created a template, any user you create based on the template will inherit all of
the template’s properties, including membership in groups.
If you modify a template’s properties, the change will affect all users created from the template
in the future. Users already created from the template will not be affected.
Note - In contrast to VPN-1/FireWall-1 templates, LDAP templates are live links. Changes
to an LDAP template change the properties of all users linked to the template.
The other tabs are identical to the corresponding tabs in the User Properties window (“User
Properties” on page 162).
Note -
• The Admin Auth tab of the Administrator Properties window corresponds to the
Authentication tab of the User Properties window.
• The Admin Certificates tab of the Administrator Properties window corresponds to
the Certificates tab of the User Properties window.
Click View Permissions Profile to view the profile (the set of permissions) assigned to the
Administrator.
To define a new Permissions Profile, click New in the General tab of the Administrator
Properties window. In the General tab of the Permissions Profile Properties window, specify
the profile’s name.
In the Permissions tab, specify the profile’s permissions.
General Tab
Name — the administrator’s name
Comment — descriptive text
Color — the color of the administrator’s icon
Select the desired color from the drop-down list.
Permissions Tab
In the Permissions tab, specify the permissions to be granted to an administrator who is
assigned this Permissions Profile.
TABLE 4-2 shows the available Permission Profile options.
User Properties
To display the User Properties windows, double-click on a user name in the Users window
and then select the appropriate tab.
In This Section
Authentication Scheme          Scheme-specific parameters
Undefined                      No authentication scheme is defined for this user in the
                               VPN-1/FireWall-1 user database, though one may be defined
                               on an LDAP Server.
S/Key                          See “S/Key Authentication” on page 164.
SecurID                        None. The FireWall-1 enforcement module acts as an
                               ACE/Agent 5.0; for agent configuration see the ACE/Server
                               documentation.
VPN-1 & FireWall-1 Password    See “VPN-1 & FireWall-1 Password Authentication” on page 165.
OS Password                    None.
RADIUS                         See “RADIUS Authentication” on page 165.
AXENT Pathways Defender        None.
TACACS                         See “TACACS Authentication” on page 165.
S/Key Authentication
Seed — an arbitrary number
Secret Key — chosen by the user
Secret Key should be at least 10 characters long.
Length — number of passwords in the chain
Password — password for the user
Generate Button — generates a password after a gateway has been selected
Installed On — the gateway that will perform the authentication
Method — the hashing method
Print Chain — print the password chain.
This option is available only immediately after generating a new chain.
There are several options for using the S/Key Authentication settings, as follows:
• To generate and save a sequence of one-time passwords, proceed as follows:
1 Enter Seed, Secret Key and Length.
Secret Key should be at least 10 characters long.
2 Click on Generate.
• If the user has already generated a sequence of one-time passwords, proceed as follows:
1 Enter Seed, Length (the number of the last password used), and the last-used Password.
2 Click on OK.
The S/Key password is saved. If Seed and Length are not entered, the user is prompted for
them.
To generate a new S/Key chain for a user who has forgotten the password, proceed as follows:
1 In the user’s User Properties window, enter a new Secret Key (or leave it blank and let
one be chosen randomly).
2 Enter a Length.
3 Click on Generate.
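The three S/Key procedures above (generate a chain from Seed, Secret Key and Length; resume from the Length and last-used Password of an existing chain; regenerate for a user who has lost the chain) map onto a short piece of code. The following is an added example, not Check Point code: the guide names the fields but does not document the hashing method it uses, so this follows the public RFC 2289 one-time-password construction with the MD5 digest folded to 64 bits. The `generate_chain` and `SKeyVerifier` names, the 10-character minimum check and the sample seed and secret are assumptions made for the example.

```python
"""S/Key-style one-time-password chain (RFC 2289 MD5 variant, assumed).

Added example, not Check Point code. The gateway keeps only the sequence
number and the last accepted password; each login presents the previous
link of the hash chain, which the gateway verifies by hashing it once.
"""
import hashlib
from typing import List


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def _step(value: bytes) -> bytes:
    """One link of the chain: 64-bit folded MD5 of the previous value."""
    return _fold(hashlib.md5(value).digest())


def generate_chain(seed: str, secret: str, length: int) -> List[bytes]:
    """Return p[0..length], where p[0] = H(seed + secret) and p[i] = H(p[i-1]).

    Corresponds to entering Seed, Secret Key and Length and clicking Generate.
    The gateway is initialised with (length, p[length]); the user is given
    p[length-1], p[length-2], ... and presents them in descending order.
    """
    if len(secret) < 10:   # the guide's guidance: Secret Key at least 10 characters
        raise ValueError("Secret Key should be at least 10 characters long")
    chain = [_step((seed.lower() + secret).encode())]   # seed is case-insensitive
    for _ in range(length):
        chain.append(_step(chain[-1]))
    return chain


class SKeyVerifier:
    """Gateway-side state: sequence number and last accepted password.

    Constructing it from (Length, last-used Password) is the 'already
    generated' procedure above; the Secret Key is never stored.
    """

    def __init__(self, seq: int, last_password: bytes):
        self.seq = seq
        self.last = last_password

    def verify(self, candidate: bytes) -> bool:
        if self.seq <= 0:
            return False           # chain exhausted: generate a new one
        if _step(candidate) != self.last:
            return False           # wrong link, or a replay of a used password
        self.seq -= 1              # consume the link so it cannot be replayed
        self.last = candidate
        return True


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    chain = generate_chain("ch41", "correct horse battery", 5)
    gw = SKeyVerifier(5, chain[5])
    for p in (chain[4], chain[4], chain[3]):   # second use of chain[4] is a replay
        print(p.hex(), gw.verify(p), gw.seq)
```

Because the gateway holds only p[seq], compromising it does not yield earlier links; the user's lost chain is handled exactly as the guide says, by generating a fresh chain from a new Secret Key and replacing the stored (seq, password) pair.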
2 In the Change Password window, enter the password twice: once in Password and a
second time in Confirm Password.
Note - OS Password and VPN-1 & FireWall-1 Password are the Authentication
Methods defined in the Authentication tab of the Workstation Properties window.
RADIUS Authentication
Select a RADIUS Server or group of RADIUS Servers from the menu. For information on
how to define RADIUS Servers, see “RADIUS Servers” on page 360.
TACACS Authentication
Select a TACACS Server from the menu. For information on how to define TACACS Servers,
see “TACACS Servers” on page 362.
For information on how to override this field for a specific rule, see Chapter 3,
“Authentication” in Check Point FireWall-1 Guide.
Destination — the user will be allowed access only to the listed network objects.
• To add a network object, select the object from the left list box (labeled Network
Objects), and then click on the Add button to the left of the Destination list box.
• To delete a network object, select the object in the Destination list box and click on
the Delete button to the left of the Destination list box.
For information on how to override this field for a specific rule, see Chapter 3,
“Authentication” in Check Point FireWall-1 Guide.
User Groups
To display and update a group’s members, double-click on the group’s name in the Users
window. The Group Properties window is then displayed.
Name — the group’s name
Comment — optional descriptive text
Color — Select the desired color from the drop-down list.
You can filter the items displayed in the left listbox using View.
In the left list box (labeled Not in Group), select the users or groups you wish to include in the
group and click on Add.
Note - To define a new user directly from this window, click New. A menu will be displayed
from which you can select the type of user to create. When you finish defining the user, you
will return to this window.
If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.
User Database
The VPN-1/FireWall-1 User database contains information about each user defined in
VPN-1/FireWall-1, including authentication schemes and encryption keys. The User Database
resides on the SmartCenter Server and on the FireWalled machines (enforcement points).
The VPN-1/FireWall-1 User Database does not contain information about users defined
externally to VPN-1/FireWall-1, for example, users in external groups (see “External Users and
Groups” on page 171), but it does contain information about the external group (for example,
on which Account Unit the external group is defined). For this reason, changes to external
groups take effect only after the Security Policy is installed or the User Database is downloaded.
When the properties of a user defined in the VPN-1/FireWall-1 User Database change, the
change does not take effect immediately. The VPN/FireWall modules on which the Security
Policy is installed must be notified of the change, in one of three ways:
1 Install the User Database by choosing Install Objects Database from the Policy menu.
2 Install the User Database by clicking on Install in the Users window.
3 Install the Security Policy by choosing Install from the Policy menu.
This installs the Security Policy in addition to updating the User Database.
Database Installation
When you install the User Database from the GUI (by choosing Install Objects Database from
the Policy menu or clicking on Install in the Users window), VPN-1/FireWall-1 runs the fw
command with the dbload argument (see “fwm dbload” on page 562).
You can modify this behavior so that VPN-1/FireWall-1 runs a program or shell script (batch
file) of your choice instead of fw dbload. For example, to run bigapple, add the following
statement to the setup.C file:
dbload_program ("bigapple")
bigapple will be run with the same argument list that fw would have received (where the
first argument is dbload). It is then your responsibility to ensure that bigapple correctly
processes its arguments and installs the Database. Of course, bigapple can also perform any
other functions you wish.
Note - The implicit installation of the User Database that occurs when a Security Policy is
installed is not affected by the dbload_program parameter.
Note - The above rule will not be applied to users who are defined in the VPN-1/FireWall-1
User Database, only to users who are not defined in the VPN-1/FireWall-1 User Database.
Be careful about checking Omit Domain Name before applying the authentication method. If
checked, the authentication server is unable to verify the validity of the domain typed by the
user.
2 Make sure that on each RADIUS server the user has a profile that contains the attribute “Class”
(or “Filter-Id” or any other RFC reply string attribute). The value of the attribute is the
group to which the user belongs.
In order to change “Class” to another attribute, modify the value of the
firewall_properties attribute radius_groups_attr.
3 In the SmartDashboard, create a user group with the name “RAD_<group which the
RADIUS users belong to>”. The group may be empty.
4 Define a generic* user that uses this server for RADIUS authentication.
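The group convention in steps 2 to 4 above, worked through as an added example (not Check Point's code, which the page does not show). It parses a RADIUS reply, checks its Response Authenticator against the shared secret before trusting any attribute in it, and maps the Class (or, when radius_groups_attr has been changed, Filter-Id) value to the SmartDashboard group named RAD_<value>. The packet layout and attribute type codes are those of RFC 2865; the shared secret, request authenticator and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Set, Tuple

ACCESS_ACCEPT = 2
# RFC 2865 attribute type codes for the two reply attributes the manual names.
RADIUS_ATTR_TYPES = {"Filter-Id": 11, "Class": 25}
Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Attributes are TLVs: type (1 byte), length (1 byte, includes the two
    header bytes), value."""
    out = b""
    for t, v in attrs:
        if not 0 <= len(v) <= 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attrs(data: bytes) -> List[Attr]:
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(body)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: List[Attr], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> Tuple[int, List[Attr]]:
    """Parse a reply and refuse it unless its authenticator proves it came from
    the server holding the shared secret; only then are attributes trusted."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    auth, body = packet[4:20], packet[20:]
    expected = response_authenticator(code, ident, request_auth, body, secret)
    if not hmac.compare_digest(expected, auth):
        raise ValueError("bad Response Authenticator")
    return code, parse_attrs(body)


def resolve_radius_group(code: int, attrs: List[Attr], defined_groups: Set[str],
                         groups_attr: str = "Class") -> Optional[str]:
    """Return the RAD_<value> group the user falls into, or None.
    groups_attr plays the role of radius_groups_attr (Class by default)."""
    if code != ACCESS_ACCEPT:
        return None
    wanted = RADIUS_ATTR_TYPES[groups_attr]
    for t, v in attrs:
        if t == wanted:
            candidate = "RAD_" + v.decode("utf-8", "replace")
            if candidate in defined_groups:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: secret, request authenticator and attribute values.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    reply = build_reply(ACCESS_ACCEPT, 7, req_auth,
                        [(25, b"sales"), (11, b"admins")], secret)
    code, attrs = parse_reply(reply, req_auth, secret)
    print(resolve_radius_group(code, attrs, {"RAD_sales", "RAD_admins"}))
```

A reply whose attributes are read before the authenticator is checked would let anyone on the path to the RADIUS server choose the user's group, which is why the parser raises instead of returning attributes from an unverified packet.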
It is also possible to associate a FireWall-1 enforcement module with a Radius server, such that
this overrides the User to Radius server association. This is done by directly editing the
FireWall-1 database using a dbedit command.
To associate one or more Radius servers to a FireWall-1 enforcement module, use the dbedit
command:
It is possible to switch off the Radius to FireWall-1 association on a per user basis, so that the
user will always authenticate to the Radius server specified in the User Properties
Authentication tab. Do this by switching off another attribute in the FireWall-1 database, using
the dbedit command:
Network Objects
In This Chapter
Overview
Network objects include gateways, hosts, routers, networks, switches, Logical Servers,
gateway clusters, domains and others. Before you can include a network object in a rule, you
must define it and its properties.
Network objects can be organized in hierarchical groups to form higher-level objects and easier
to read rules.
You do not have to define every object in your networks to VPN-1/FireWall-1 — only those
objects that are used in the Rule Base. For example, if a rule refers to a network, you must
define the network, but it’s not necessary to define every host in the network.
[Figure: SmartDashboard overview, showing the toolbars, the SmartMap and the Objects Tree; details of the objects selected in the Objects Tree are displayed in the Objects List.]
Note - If you choose Show from the Network Objects menu while an object in the tree is
selected, the SmartMap will be scrolled so that the object is visible.
To edit or delete an existing object, right click the object in the tree and choose Edit or
Delete from the menu, as appropriate.
Choose a type from the displayed menu. A window is displayed prompting you to enter the
properties of the selected object type.
Note - If you opened the Network Objects window from the Rule Base, then the Add
Network Object menu displays the valid choices for the column from which it was
opened. These vary from column to column. For example, Logical Servers is a valid
choice under Destination but not under Source. On the other hand, if you opened the
Network Objects window from the menu or from the toolbar, then all the possible
choices are displayed in the Add Network Object menu.
Editing an Object
To edit an object, select the object and click Edit, or double-click the object.
You can also edit an object from the SmartDashboard (see “Editing a Network Object from the
Rule Base” on page 178).
If the IP addresses of network objects have been modified or new ones added since the GUI was
invoked, restart the GUI to refresh the GUI’s internal cache of addresses. Network objects that
have already been defined are not affected. If their properties have been edited, however,
updated data will be retrieved.
Deleting an Object
To delete an object, select the object and click Remove.
Note - The Reference window is non-modal; that is, you can leave it open while you
continue to work with the SmartDashboard. If you make changes that affect the Reference
window, you can update the display to reflect the changes by clicking Refresh.
When the results of your filter are displayed, you can group them by checking Define query
results as group.
For information about users, see Chapter 4, “Managing Users and Administrators.”
Edit — Open the appropriate Edit Object window for this object.
Delete — Delete the object(s) from the rule.
Negate — Negate the object(s) in the rule.
For example, if a rule’s Source is a host network object named monk, then the rule applies
when the communication’s Source is monk. However, if you negate monk, then the rule
applies when the communication’s Source is not monk.
You cannot negate individual objects. For example, if two hosts are given as a rule’s
Source, then you can negate both of them or none of them, but not just one of them.
Cut — Delete the object(s) from the rule and put the object on the clipboard.
Copy — Copy the object(s) to the clipboard.
Paste — Paste the object(s) on the Clipboard into the rule at this point.
The objects displayed depend on what you have selected from the Show drop-down list.
Note - Click More >> to display the Refined Filter section of the Network Objects
window, in which you can specify criteria for searching the defined network objects. For
more information, see “Filtering Network Objects” on page 177.
To add an existing network object to a rule, select the object from the list box and click OK.
The selected object is added to the rule and the Network Objects window is closed.
To create a new object and add that object to the rule, click New.
Network Objects
In This Section
Note - The example windows in this section are those of a Check Point gateway object. The
windows for other types of objects are similar except for the title and the name of the
window.
Note - Not all conversions are possible. For example, it is not possible to convert an
externally managed gateway to an internally managed gateway.
The name given here should be identical to the resolvable name (hostname) that appears in the
OS environment, as given in TABLE 5-5. If you use a non-resolvable name, then Get address
may not work.
In Windows NT and 2000, you can determine the hostname’s IP address as follows:
• In the Control Panel, click Network > Bindings and select all protocols. The first
protocol listed in the binding order determines the hostname’s IP address. The order for
TCP/IP and WINS should be consistent.
• The first entry in the output of the ipconfig command shows the hostname’s IP
address.
If NIS is being used, VPN-1/FireWall-1 automatically retrieves the information from the NIS.
If the network object is one that can respond to a Unix hostname command, use the name
returned by that command. The IP address is the one shown by the command grep hostname
/etc/hosts.
Get address — Click this button to resolve the object’s name to an IP address, using the files
in TABLE 5-5 on page 183.
Dynamic Address — Specifies that the network object’s IP address is dynamically assigned (for
example, for gateways with dial-up connections).
A SmartCenter Server cannot install a Policy on a Module with a dynamic IP address, because
the SmartCenter Server cannot “find” the Module. For the same reason, the Module cannot
terminate a VPN tunnel.
If you check Dynamic Address for an existing network object, the following message will be
displayed:
If Dynamic Address is checked, you must specify how frequently a Policy should be fetched
from the SmartCenter Server in the Masters page of the Check Point Properties window
(see “Check Point window — Masters page” on page 197).
Comment — Enter a descriptive comment to be displayed when this object is selected in the
Object list and in the Network Objects window.
Color — Select the color in which this object will be displayed in the GUI.
Check Point Products — Specifies the Check Point products installed on this network object,
and their version numbers.
The SmartDashboard installs a Policy on a network object compatible with the Module
version on the network object.
Depending on the products installed, different pages become available in the Check Point
Properties window.
Communication Window
FIGURE 5-4 Communication window
At the Module, in cpconfig, in the Secure Internal Communication window, this means
that a one-time password has been typed in but the Module has not yet received a certificate
from the Internal Certificate Authority on the SmartCenter Server.
In the SmartDashboard in the Communication window, this means that a certificate has
been issued to this Module but has not been delivered, so trust (secure communication)
cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server has been
established. The Module can communicate securely.
Initialize — For an uninitialized Module, create a certificate and send it to the Module. If
successful, the Module state will change to Trust established.
For an initialized Module, send the certificate to the Module. If successful, the Module state will
change to Trust established.
For details, see “Enabling Communication between Modules” on page 99 of the Check Point
Getting Started Guide or page 49 of the Check Point SmartCenter Guide.
Test SIC Status — opens a SIC connection with the Module, and reports on the current
communication status of the Module, after trust has been established for the first time with the
SmartCenter Server. The SIC Status can be either: Communicating, Unknown (when there's no
connection to peer) or Not Communicating (when there's a SIC problem). If the SIC Status is
Not Communicating an error message will give a reason for the failure and may suggest a
remedy.
Reset — Reset the Module back to the uninitialized state by revoking its certificate and
deleting its DN (or “SIC name”).
For more information, see “Secure Internal Communications for Distributed Configurations”
on page 46 of the Check Point SmartCenter Guide.
Close — Close the window.
If you click Get Topology, VPN-1/FireWall-1 automatically calculates the network object’s
topology based on its routing tables and displays the results in the Get Topology Results window
(FIGURE 5-5).
You should confirm that the information displayed in the Get Topology Results window is
correct.
Some of the objects displayed in the Get Topology Results window are network objects already
defined in the VPN-1/FireWall-1 database, but others may not already be defined (for example,
networks; see the diagram in FIGURE 5-5). These are identified by their colors in the diagram.
Refer to the legend in the bottom left corner of the Get Topology Results Topology window.
If you click Accept, then VPN-1/FireWall-1 will:
• automatically define network objects that are not yet defined in the VPN-1/FireWall-1
database, and
• define the network object’s topology as displayed in the Get Topology Results window
• overwrite any topology information already defined for the network object that is different
from the information in the Get Topology Results Topology window (but existing
information that is consistent with or complements the information in the Get Topology
Results Topology window will not be overwritten).
Warning - If the VPN/FireWall Module has the capability of automatically sensing that a
new interface has been installed, then the new interface will not have a Security Policy
installed on it (including anti-spoofing). To prevent this from happening, you must first
define the interface for the object in the SmartDashboard, including its anti-spoofing
properties, install the Security Policy and only then install the physical interface.
Name — name of the network interface as specified in the interface configuration scheme of the
host, gateway, or router; for example, lo0 for loopback; le0 for Ethernet interface; sl0 for serial
interface 0, etc.
Windows 2000:
• Use the command ipconfig /all to obtain the IP address and MAC address of the interface, then
• Use the command route print to obtain the name and MAC Address of the interface.
Warning - If you do not specify the exact interface names as given in the OS, anti-
spoofing will not function properly.
External (leads out to the Internet) — Check this box if the interface connects the network
object to the Internet.
Internal (leads to the local network) — Check this box if the interface connects the network
object to the internal (local) network.
IP addresses behind this interface — Specify the IP addresses behind this interface, as
follows:
Not Defined — If you choose this option, then:
• There will be no anti-spoofing defined for this interface.
• This interface and the IP addresses behind it (if any) will not be included in this
object’s VPN domain.
This option is not recommended.
Based on interface’s IP address and Net Mask — VPN-1/FireWall-1 will calculate the
topology based on IP address and Network mask defined for the interface.
Specific — Specify the object(s), usually a network or a group, behind this interface.
For information about anti-spoofing, see “Anti-Spoofing” on page 190.
Perform Anti-Spoofing based on interface topology — VPN-1/FireWall-1 will perform anti-
spoofing based on the interface’s topology as defined in the Topology tab (FIGURE 5-7 on
page 189).
If IP addresses behind this interface is set to Not Defined, then no anti-spoofing will be
performed. For information about anti-spoofing, see “Anti-Spoofing” on page 190.
Note - Do not define anti-spoofing for virtual interfaces, because anti-spoofing has no
meaning in that context.
Spoof Tracking — Spoofed packets are always dropped, but you can specify an additional
action to be taken by selecting one of the following options:
None — No additional action is taken.
Log — The spoofing attempt is logged.
Alert — The action specified for popup alerts in the Alert Commands page of the Global
Properties window is taken (see Chapter 7, “Global Properties”).
Anti-Spoofing
By implementing anti-spoofing, you can defend your network against these attacks by defining
the addresses that are considered valid on each interface.
When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in
the Security Policy Rule Base (even before properties specified as First in the FireWall-1
Implied Rules page of the Global Properties window).
Anti-spoofing examines the source IP address for incoming packets (entering a gateway) and
determines whether the IP address is valid for that interface.
An interface’s “valid addresses” are the IP addresses behind the interface, as defined in the
Topology tab (FIGURE 5-7 on page 189):
• A packet whose source IP address is a valid address is allowed to enter the network object
through the interface.
• A packet whose source IP address is not a valid address is not allowed to enter the network
object through the interface.
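The interface topology options (Not Defined, based on IP address and Net Mask, Specific) and the Spoof Tracking choices described above, together with the valid-address check just explained, as an added example that is not Check Point's own code. It assumes that an External interface's valid addresses are every address not behind one of the gateway's Internal interfaces (the page only states the rule for addresses defined behind an interface), that Not Defined on an Internal interface disables the check on that interface as the text says, and that spoofed packets are dropped with the tracking option reported alongside. The gateway and its interfaces are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

TRACKING = ("None", "Log", "Alert")


def network_from_ip_and_mask(ip: str, mask: str) -> ipaddress.IPv4Network:
    """The "Based on interface's IP address and Net Mask" option."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


@dataclass
class Interface:
    name: str
    external: bool = False
    # "Specific" / calculated addresses behind an internal interface;
    # None models the "Not Defined" option.
    behind: Optional[List[str]] = None
    spoof_tracking: str = "None"
    networks: Optional[List[ipaddress.IPv4Network]] = field(init=False, default=None)

    def __post_init__(self) -> None:
        if self.spoof_tracking not in TRACKING:
            raise ValueError(f"unknown Spoof Tracking option {self.spoof_tracking}")
        if self.behind is not None:
            self.networks = [ipaddress.ip_network(n, strict=False) for n in self.behind]


@dataclass
class Decision:
    action: str   # "accept" or "drop"
    track: str    # "None", "Log" or "Alert" (only meaningful on drop)
    reason: str


class AntiSpoofing:
    """The implicit anti-spoof rule: is the packet's source address valid on the
    interface through which it is entering the gateway?"""

    def __init__(self, interfaces: List[Interface]) -> None:
        self.ifaces = {i.name: i for i in interfaces}
        # Everything defined behind an internal interface.
        self.internal = [n for i in interfaces
                         if not i.external and i.networks for n in i.networks]

    def valid_source(self, iface: Interface, src: ipaddress.IPv4Address) -> Optional[bool]:
        if iface.external:
            # Assumption: valid on the external side = not behind any internal interface.
            return not any(src in n for n in self.internal)
        if iface.networks is None:
            return None  # Not Defined: no anti-spoofing on this interface
        return any(src in n for n in iface.networks)

    def check(self, iface_name: str, src_ip: str) -> Decision:
        iface = self.ifaces[iface_name]
        src = ipaddress.IPv4Address(src_ip)
        ok = self.valid_source(iface, src)
        if ok is None:
            return Decision("accept", "None", f"{iface.name}: topology Not Defined, no anti-spoofing")
        if ok:
            return Decision("accept", "None", f"{src} is valid on {iface.name}")
        # Spoofed packets are always dropped; tracking is the additional action.
        return Decision("drop", iface.spoof_tracking, f"{src} is not a valid address behind {iface.name}")


def build_sample_gateway() -> AntiSpoofing:
    """Constructed sample topology: Internet, internal LAN, DMZ and an
    interface left Not Defined (the option the manual does not recommend)."""
    return AntiSpoofing([
        Interface("eth0", external=True, spoof_tracking="Log"),
        Interface("eth1", behind=[str(network_from_ip_and_mask("10.1.0.1", "255.255.0.0"))]),
        Interface("eth2", behind=["192.168.5.0/24"], spoof_tracking="Alert"),
        Interface("eth3"),
    ])


if __name__ == "__main__":
    gw = build_sample_gateway()
    for iface, src in [("eth0", "10.1.2.3"), ("eth0", "203.0.113.9"),
                       ("eth1", "192.168.5.7"), ("eth3", "10.1.2.3")]:
        d = gw.check(iface, src)
        print(f"{iface} {src:>14} -> {d.action:6} track={d.track:5} ({d.reason})")
```

The eth3 case shows why Not Defined is discouraged: a packet claiming an internal source address is accepted on that interface without any check, while the same packet arriving on the external interface is dropped and logged.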
Anti-Spoofing Example
DMZ
(HTTP, FTP, etc.)
For information about automatically generated Address Translation rules, see “Generating
Address Translation Rules Automatically” on page 87 of Check Point FireWall-1 Guide.
IP Pools
Use IP Pool NAT for SecuRemote/SecureClient connections — Use IP Pools for
SecureRemote/SecureClient connections.
Use IP Pool NAT for gateway to gateway connections — Use IP Pools for gateway to
gateway connections.
Allocate IP Pool Addresses from — Select the network object (an Address Range, network or
a group of one of these objects) whose IP addresses will serve as the IP Pool’s IP addresses.
Return unused IP addresses to Pool after — Set the time period during which an IP Pool
address remains assigned even after all open connections have ended.
For information about IP pools, see “Multiple Entry Point (MEP) Example Configuration” on
page 169 of Check Point Virtual Private Networks.
For information about hiding behind IP address 0.0.0.0, see “Hiding Behind 0.0.0.0” on page
75 of Check Point FireWall-1 Guide.
Classic Mode
In classic mode (when VPN Communities are not used), IP Pools will be used only if both of
the following conditions are true:
• The rule specifies that IP Pools are to be used.
• The connection matches the checked Use IP Pool NAT parameter above.
For example, if the rule describes a SecuRemote/SecureClient connection and Use IP Pool
NAT for SecuRemote/SecureClient connections is checked, the IP Pools will be used. If
Use IP Pool NAT for SecuRemote/SecureClient connections is not checked, then IP
Pools will not be used.
Communities
In VPN Communities, there are no encryption rules, so only the parameters in the window are
relevant.
Office Mode
This feature allows the organization to assign IP addresses used in its operational network to
SecuRemote/SecureClient users. The mechanism is based on an IKE protocol extension that
enables sending IP addresses during the IKE negotiation.
Never offer Office Mode — The gateway’s IKE negotiation with a SecuRemote/SecureClient
user will not include the offer to use Office Mode.
Offer Office Mode to group — The gateway will offer Office Mode only to members of the
group selected from the drop-down list.
Always offer Office Mode — Office Mode will be offered to any SecuRemote/SecureClient
user that initiates the IKE negotiation with the gateway.
Case Sensitivity: Case sensitive naming conventions for URLs - check to allow for the use of
case sensitive naming conventions for URLs.
Note - Before adding certificates, you must first create a CA (Certificate Authority) Server
object (see Chapter 3, “Certificate Authorities” of Check Point Virtual Private Networks).
Selected Account Unit’s list (order implies priority) — If checked, a list box with Available
AUs will appear.
Choose the Account Units to be queried and add them to the Selected AUs list box by
selecting an Account unit and clicking the Add button. To remove an Account Unit from the
list, select the Account Unit and click Remove.
The following options will appear only if Selected AU list is selected.
Available AU’s — displays the list of available Account Units that will not be queried.
Selected AU’s — displays the list of Account Units that will be queried.
Query servers sequentially (by Account Unit’s priorities) — If checked, VPN-1/FireWall-1
will query the LDAP servers in the sequence of their priorities.
Advanced Settings
Alert when free disk space is below — Issue an alert when the available disk space falls below
the number specified in the corresponding field.
Alert type — Select the type of alert to issue in the corresponding field.
Stop logging when free disk space is below — Stop saving log records on the local machine
when the available disk space falls below the specified number. Log records are saved locally
when the connection to the SmartCenter Server is unavailable.
Reject all connections when logs are not saved — If enabled, then connections are rejected
if they cannot be logged.
Advanced Settings
Update Account Log every — The frequency at which the Accounting log is updated.
Accounting updates are sent while a connection is open. The counters (packets, bytes, etc.) are
reset when the update is sent, so each update includes the differences (delta) since the last
update.
Turn on QoS logging — Log QoS related events.
See Check Point FloodGate-1 Guide for information about QoS (Quality of Service).
Manually — Fetch this DAIP Module’s Policy manually (see “Installing a Policy” on page 482).
Scheduled Event — Fetch this DAIP Module’s Policy on a pre-determined schedule, according
to the selected time object (scheduled event).
See “Scheduled Events” on page 351 for information about scheduled events.
It is recommended that you install a DAIP Module’s first Policy manually, even if you plan to
automatically update it using a scheduled event.
To delete a logging server from the list, select the server in the Log Servers page of the
Check Point Properties window and click Remove.
When a Log Server is unreachable, send logs to — If one of the Log Servers listed above is
unreachable (that is, the network object cannot connect to the Log Server), then send logs to
the first server in this list that is reachable.
To add a Log Server to the list, click Add and add the log server in the Add Logging Servers
window.
To delete a Log Server from the list, select the Master and click Remove.
Capacity Optimization
These settings enable you to optimize resource usage on the FireWall Module. It is
recommended that you do not alter these settings from their defaults, unless there is some
specific issue you need to address. Keep in mind that resources can be allocated to one task only
at some cost to other tasks.
Maximum concurrent connections — The maximum number of concurrent connections the
FireWall Module will support.
Calculate connections hash table size and memory pool — Choose either Automatically
(recommended) or Manually.
If you choose Manually, then you can specify the following options:
Connections hash table size — the size of the connections hash table
A larger table reduces collisions, but uses more memory.
Memory pool size — the initial size of the memory pool
Maximum memory pool size — the maximum size of the memory pool
Restore defaults — Click to reset the above values to their defaults.
If you choose this option, your network will not be protected from SYN attacks.
• SYN Relay — Deploy the SYN Relay method.
• Passive SYN Gateway — Deploy the Passive SYN Gateway method.
Timeout for SYN attack identification — Specifies how long SYNDefender waits for an
acknowledgment before concluding that the connection is a SYN attack.
Maximum Sessions — Specifies the maximum number of protected sessions.
This parameter is relevant only if Passive SYN Gateway is selected under Method. If SYN
Relay is selected, all sessions are protected.
This parameter specifies the number of entries in an internal connection table maintained by
SYNDefender. If the table is full, SYNDefender will not examine new connections.
If you change this value, the new value will take effect as follows:
• IBM AIX — The new value takes effect after you install the Security Policy, stop and
restart the FireWall/VPN Module.
• on all other platforms — The new value takes effect after you install the Security Policy
and reboot.
Display Warning Messages — If set, SYNDefender will print console messages regarding its
status.
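A model of the two SYNDefender tunables described above, added here as an example (not Check Point's implementation, which the page does not show). It tracks half-open sessions in a table bounded by Maximum Sessions, identifies a session as a SYN attack once Timeout for SYN attack identification elapses without the acknowledgment, and reproduces the edge case the text states for Passive SYN Gateway: when the table is full, new connections are simply not examined. What the gateway does with an identified session beyond reporting it is not on the page and is left out; times and connection tuples are constructed.

```python
from typing import Dict, List, Tuple

# (client IP, client port, server IP, server port)
Conn = Tuple[str, int, str, int]


class PassiveSynGateway:
    """Half-open session table: Maximum Sessions bounds it, Timeout decides
    when a session without its acknowledgment counts as a SYN attack."""

    def __init__(self, timeout: float, max_sessions: int) -> None:
        if timeout <= 0 or max_sessions < 1:
            raise ValueError("timeout must be positive and max_sessions at least 1")
        self.timeout = timeout
        self.max_sessions = max_sessions
        self.half_open: Dict[Conn, float] = {}   # conn -> time of the first SYN

    def on_syn(self, now: float, conn: Conn) -> str:
        if conn in self.half_open:
            return "tracked"          # retransmitted SYN keeps the original timer
        if len(self.half_open) >= self.max_sessions:
            return "not examined"     # table full: the page's stated behaviour
        self.half_open[conn] = now
        return "tracked"

    def on_ack(self, now: float, conn: Conn) -> str:
        """The client's final ACK completes the handshake and frees the entry."""
        if self.half_open.pop(conn, None) is None:
            return "untracked"
        return "completed"

    def expire(self, now: float) -> List[Conn]:
        """Sessions whose acknowledgment did not arrive within the timeout are
        identified as a SYN attack and removed, freeing table capacity."""
        expired = [c for c, t in self.half_open.items() if now - t >= self.timeout]
        for c in expired:
            del self.half_open[c]
        return expired

    def tracked(self) -> int:
        return len(self.half_open)


if __name__ == "__main__":
    # Constructed timeline: two tracked sessions fill a table of size 2, a
    # third SYN is not examined, one handshake completes, one times out.
    g = PassiveSynGateway(timeout=5.0, max_sessions=2)
    a = ("203.0.113.5", 40001, "10.1.1.10", 80)
    b = ("203.0.113.6", 40002, "10.1.1.10", 80)
    c = ("203.0.113.7", 40003, "10.1.1.10", 80)
    print(g.on_syn(0.0, a), g.on_syn(0.0, b), g.on_syn(0.5, c))
    print(g.on_ack(1.0, a), g.on_syn(2.0, c))
    print("identified at t=5.5:", g.expire(5.5))
```

A table sized far below the rate at which half-open sessions arrive degrades to "not examined" for most traffic, so Maximum Sessions and the timeout have to be chosen together: the product of arrival rate and timeout is roughly the table occupancy under load.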
If the SAM proxy server is of version 4.1 or lower, and this Module is upgraded to NG, the
configuration will be done automatically as follows:
• the configuration parameters will be taken from the fwopsec.conf file (present on this
Module prior to the upgrade) and
• the appropriate backward compatibility mode will be selected.
If both the SAM proxy server and this Module are of version NG, do not check this option.
Purge SAM file when it reaches KBytes — Limits the size of the SAM log file on the Module.
The minimum size is 50 KB. The SAM file includes all requests sent to the Module including
obsolete requests. Purging these obsolete requests from the file restores disk space.
Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page.
SofaWare-SmartDashboard Integration
SofaWare devices can now be integrated and easily managed via SmartDashboard:
Sofaware gateways can be managed by SmartCenter Management.
• Manage SofaWare devices in Enterprise environments by creating SofaWare Profiles and
adding them to your Security Policy and/or to your VPN.
• Manage SofaWare devices in ISP environments by configuring security levels and assigning
the proper level to a SofaWare device at runtime, with no need to reinstall the policy.
From Network Objects select a gateway. Select Robo gateway profile and double click
Sofaware.
Name — the name of the SofaWare gateway profile.
Comment — optional free text
Networks
In This Section
Domains
In This Section
Overview
A VPN-1/FireWall-1 enforcement point is a machine or device that enforces at least some part
of the Security Policy. An enforcement point can be a Check Point object (see “Network
Objects” on page 180), router, switch or any machine that can be managed by a SmartCenter
Server by installing a Security Policy or Access List.
VPN-1/FireWall-1 includes the following types of enforcement points:
• Open Security Extension Devices (OSE)
• Embedded Devices
Note - It is recommended that you list OSE device objects in your hosts (Unix) and
lmhosts (Windows) files in addition to defining them in the VPN-1/FireWall-1 database.
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list. The OSE device will be represented in the
color selected, throughout the SmartMap for easier user tracking and management.
Type — choose one of the following from the drop-down menu:
• Cisco Systems
• Nortel
• 3Com
Note - At least one interface must be defined in the Topology tab or Install Policy will fail.
Show all IPs behind gateway — Show all IP Addresses behind the device in the SmartMap
View.
To add an interface, click Add. The Interface Properties window (FIGURE 5-6 on page 188)
is displayed.
To edit an interface, select the interface and click Edit, or double-click the interface. The
Interface Properties window (FIGURE 5-12 on page 210) is displayed.
The manner in which names are specified for OSE device interfaces is different from the manner
in which they are specified for interfaces of other network objects.
Name — name of the network interface as specified in the router’s interface configuration
scheme
This name does not include a trailing number.
For information regarding the other fields in the Interface Properties window for routers, see
“Interface Properties Window” on page 188.
IP Address — the device’s IP address
See “IP Address” on page 183.
Net Mask — see “Net Mask” on page 189.
Exportable for SecuRemote/SecureClient — Specifies whether information about this object
can be made available to SecuRemote/SecureClient machines.
For information about SecuRemote, see Chapter 1, “VPN-1 SecuRemote Server,” of Check
Point Desktop Security Guide.
Note - Logging for spoofing attempts is available for external interfaces only.
Anti-spoofing Parameters and OSE Devices Setup (Cisco, Nortel and 3Com)
For Cisco (Version 10.x and higher) Nortel and 3Com OSE devices, you must specify the
direction of the filter rules generated from anti-spoofing parameters. The direction of
enforcement is specified in the Setup tab of each router.
For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface
Direction property.
OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this
direction on all interfaces.
Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets
traveling in this direction on all interfaces.
Security — The security administrator must select either none, Wellfleet or Other from the
drop-down list.
Password — the password to access the OSE device
Additional Managers — additional managers as defined in the Bay Site Manager software
Volume — the volume on the OSE device
Config File — name of the config file on the OSE device
Version — the version of the OSE device (7.x, 8.x, 9.x, 10.x, 11.x, or 12.x)
For 3Com routers, the direction of enforcement is defined by the Interface Direction: Spoof
Rules property.
Rules — the direction in which the rules are enforced on the OSE device interfaces
Spoof Rules — the direction in which spoof rules are enforced on each OSE device interface
Service Independent Filters — Service independent filters are 3Com specific filters
implemented by 3Com routers. The OSE device simply activates or deactivates these filters.
Refer to the specific 3Com router documentation for complete information for these service
independent filters.
To activate these filters, you must select any of the following:
Deny Route Recording — Specifies whether or not the received packet should be dropped if
the record-route option is present in the IP header.
Deny Src Routing — Specifies whether or not the received packet should be dropped if the
source-route option is present in the IP header.
Deny Tiny Fragments — Specifies whether tiny TCP fragment checks (RFC1858) are
performed.
Deny Time Stamping — Specifies whether or not the received packet should be dropped if
the time-stamp option is present in the IP header.
Deny IP — Specifies whether or not IP tunnel packets are allowed. IP tunnel packets are IP-
over-IP encapsulation.
Deny SrcSpoofing (3Com) — Specifies whether packets are subject to source-spoofing checks.
Generate ICMP Errors — For denied packets, this option specifies whether or not the OSE
Device should generate ICMP destination administratively unreachable messages (ICMP type
13).
Embedded Devices
Overview
Embedded devices include machines or hardware devices on which a VPN/FireWall Module or
an Inspection Module is installed.
VPN-1/FireWall-1 supports the following platforms and VPN-1/FireWall-1 features, as shown
in TABLE 5-8 below:
Name — name of the network interface as specified in the interface configuration scheme of the
device
Warning - If you do not specify the exact interface name, anti-spoofing will not function
properly.
External (leads out to the Internet) — Anti-spoofing will be enabled based on the interface
topology and the security administrator must select one of the Spoof Tracking options as
defined in “Spoof Tracking” on page 163.
Internal (leads into the local network) — Anti-spoofing will be enabled based on the interface
topology and the security administrator must select one of the Spoof Tracking options as
defined in “Spoof Tracking” on page 163 only if This Network or Specific is selected.
IP Addresses behind Internal Interfaces:
Not Defined — IP addresses are not defined behind the internal interface and anti-spoofing is
not enabled.
Based on interface’s IP address and Net Mask — IP addresses are defined based on the IP
address and Net Mask of the interface.
Specific — Specifies a specific IP address behind internal interface from the drop-down menu.
For information regarding anti-spoofing configuration, see “Check Point window — Topology
Page” on page 186.
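The interface topology rules above, as an added example that is not code from the Check Point guide: a small Python model in which each interface is External or Internal, an Internal interface carries either no address definition (Not Defined), the network derived from its own IP address and net mask, or a Specific list of networks, and a packet is treated as spoofed when its source address does not belong on the interface it arrived on. The interface names and addresses are constructed for the example; the log flag follows the note earlier on this page that logging of spoofing attempts is available for external interfaces only.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Interface:
    name: str
    external: bool
    # Internal interfaces only: the networks reachable behind the interface.
    # None models "Not Defined" (no addresses behind it, anti-spoofing not enabled).
    networks: Optional[List[IPv4Network]] = None


def based_on_address(name: str, addr_with_mask: str) -> Interface:
    """'Based on interface's IP address and Net Mask': derive the network from the interface address."""
    return Interface(name, external=False, networks=[ip_network(addr_with_mask, strict=False)])


def specific(name: str, nets: List[str]) -> Interface:
    """'Specific': an explicit list of networks behind the internal interface."""
    return Interface(name, external=False, networks=[ip_network(n) for n in nets])


@dataclass
class Verdict:
    legitimate: bool
    reason: str
    log: bool  # spoof logging is only available on external interfaces


# Constructed topology for the example (not taken from the guide).
TOPOLOGY = [
    Interface("eth0", external=True),
    based_on_address("eth1", "10.1.1.1/24"),
    specific("eth2", ["192.168.10.0/24", "192.168.11.0/24"]),
    Interface("eth3", external=False, networks=None),
]


def check_source(ifaces: List[Interface], arriving_on: str, src: str) -> Verdict:
    """Decide whether a packet with source address `src` may arrive on interface `arriving_on`."""
    src_ip = ip_address(src)
    try:
        iface = next(i for i in ifaces if i.name == arriving_on)
    except StopIteration:
        raise ValueError(f"unknown interface {arriving_on!r}") from None
    # Every network that lies behind some internal interface.
    internal_nets = [n for i in ifaces if not i.external and i.networks for n in i.networks]
    if iface.external:
        # An address that belongs behind an internal interface must never enter from outside.
        if any(src_ip in n for n in internal_nets):
            return Verdict(False, "internal address arriving on external interface", log=True)
        return Verdict(True, "external source address", log=False)
    if iface.networks is None:
        return Verdict(True, "Not Defined: anti-spoofing not enabled on this interface", log=False)
    if any(src_ip in n for n in iface.networks):
        return Verdict(True, "source lies behind this internal interface", log=False)
    return Verdict(False, "source does not lie behind this internal interface", log=False)
```

The external check is the one that matters most for a perimeter gateway: a packet claiming an internal source address on the Internet-facing interface is dropped and, because the interface is external, can be logged; the same mismatch on an internal interface is still dropped but cannot be logged.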
Groups
You can simplify the Rule Base by defining a group of network objects and using the group in
rules. To create a new group, proceed as follows:
1 In the Network Objects window, click New.
Simple Group
Add objects to a simple group using the Group Properties window (FIGURE 5-13 on
page 212).
Note - To define a new object directly from this window, click New. A menu will be
displayed from which you can select the type of object to create. When you finish defining
the object, you will return to this window.
If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group (FIGURE 5-15).
1 Select Group with Exclusion from the Group Objects menu (see “Networks” on page
202).
The Group with Exclusion window is displayed.
2 Define the outer group, as well as the inner group to be excluded.
FIGURE 5-17 Specifying a group with an exclusion
• the outer group (selected from the drop-down list) can be a group or ANY
• the inner group (selected from the drop-down list) is the group whose members are excluded
Logical Servers
A Logical Server is a group of machines that provide the same services, and which are treated as
a group among whose members a workload is distributed.
FIGURE 5-20 Logical Server Properties window
Address Ranges
Gateway Clusters
A gateway cluster is a group of VPN/FireWall Module machines configured to provide failover
services.
Gateway clusters are configured in the Gateway Cluster Properties window.
The VPN, Authentication, Masters and Log Servers pages of the Gateway Cluster Properties
window are identical to the corresponding pages in the Check Point Properties window. For
information on these pages, see “Network Objects” on page 180.
The General Properties, Cluster Members, Topology, ClusterXL and Synchronization pages
of the Gateway Cluster Properties window are used in enabling Gateway High Availability.
For information on these pages, see Chapter 5, “ClusterXL” of Check Point FireWall-1 Guide.
Gateway clusters can also be used in setting up extranets. For information about the Extranet
page of the Gateway Cluster Properties window, see Chapter 13, “Extranet Management” of
Check Point Virtual Private Networks.
Dynamic Objects
A dynamic object is a “logical” object that will be resolved to an IP address differently on each
VPN/FireWall Module. A rule that uses this object will then be enforced on each
VPN/FireWall Module on different objects.
For example, an enterprise with several mail servers, each one in a different network and
protected by a different VPN/FireWall Module, can define a dynamic object called
“local_mailserver” and write a rule that refers to this object.
On each VPN/FireWall Module, the system administrator must run the dynamic_objects
command (see “dynamic_objects” on page 585) to specify the IP address to which the
“local_mailserver” object will be resolved on that VPN/FireWall Module.
FIGURE 5-21 Dynamic Object window — General Tab
Services
VPN-1/FireWall-1 allows you to control access to a host, not only based on the source and
destination of each communication, but also according to the service requested. Services include
those based on TCP, UDP, RPC, and other protocols. Before you can use a service in a Rule
Base, you must first define its properties.
Defining Services
Services are defined in the Services window. To define a service,
• choose Services from the Manage menu
The list box displays all currently defined services of the type in the Show box.
To view the properties defined for any existing service, double-click on its icon or name in the
list box, or select the service and click on Edit.
Deleting a Service
Select the service in the Show box and click on Remove.
Modifying a Service
To modify an existing service, double-click on its icon or name in the list box, or select the
service and click on Edit.
Resources
FIGURE 6-1 depicts the relationship between services, protocol types and resources.
FIGURE 6-1 Services, Protocol Types and Resources
(Figure: pre-defined and user-defined services such as FTP and HTTP each map to a protocol type such as SMTP or HTTP; the protocol type identifies the Security Server that provides Authentication and/or Content Security for that service type, and user-defined resources are attached to a protocol type.)
Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).
Get — provides port resolving by retrieving the port number on the SmartCenter Server
Click Advanced in the TCP Service Properties window to display the Advanced TCP Services
Properties window (FIGURE 6-2).
FIGURE 6-2 TCP Services Properties windows
Source port: — You can specify the port number(s) available on the client side of the service.
See TABLE 6-3.
If specified, only packets with those source port numbers will be Accepted, Dropped, or
Rejected when inspecting packets of this service. Otherwise, the source port number is not inspected.
Protocol Type — Specifies the protocol type associated with the service, and by implication, the
Security Server that enforces Content Security and Authentication for the service.
Enable for TCP resource — The TCP resource allows the screening of URLs using a UFP
Server. If enabled, the UFP Server can perform URL checking without using a security server.
For complete instructions, see “TCP Resources” on page 252.
Match for ‘Any’ — If there are two services using the same port number and a rule that
defines the SERVICE as ‘Any’, then Match for ‘Any’ enables the service defined in the TCP
Service Properties window to be the service associated with this rule.
Session Timeout — Specifies the number of seconds until the session times out. You must
either select the Default TCP time-out as defined in the Stateful Inspection page in the
Global Properties Setup window, or select Other and specify the number of seconds. For TCP
services, a session is defined by the TCP protocol.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.
Note - Compound services are not available in Security and Address Translation policies.
Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).
Click Advanced to display the Advanced UDP Service Properties window (FIGURE 6-3).
FIGURE 6-3 Advanced UDP Services Properties window
Source Port — You can specify the port number(s) available on the client side of the service.
See TABLE 6-4.
Protocol Type — Specifies the protocol type associated with the service.
Accept Replies — Specifies if UDP replies are to be accepted.
To specify that no UDP replies will be accepted, that is, to define a “one-way” UDP service,
uncheck Accept Replies.
If Accept Replies is checked, then Accept UDP Replies from any port specifies from which
ports to accept UDP replies.
Accept Replies from any port — If checked, UDP replies will be accepted from any port.
Otherwise, UDP replies will be accepted only from the port to which the original
communication was sent.
For example, the TFTP service (UDP) starts with the client connecting to port 69 on the
server, which replies to the client from a random port. From that point on, the client
communicates with the same random port on the server. So, Accept UDP Replies from any
port must be enabled for TFTP.
Note - Accept Replies and Accept UDP Replies from any port correspond to Accept
stateful UDP replies for unknown services and Accept stateful UDP replies from
any port for unknown services in the Stateful Inspection page of the Global
Properties window ( on page 287). The properties in the Stateful Inspection page of
the Global Properties window apply to UDP services that are not defined in the Check
Point Services Manager.
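The Accept Replies and Accept UDP Replies from any port settings, with the TFTP exchange just described, as an added example that is not code from the guide: a Python model of the virtual UDP session the firewall keeps for a defined UDP service. It assumes a session is identified by the client address and port together with the server address, uses a constructed 40-second Virtual Session Timeout, and the addresses and ports in the exchange are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class UdpService:
    name: str
    port: int
    accept_replies: bool = True
    accept_replies_from_any_port: bool = False
    virtual_session_timeout: int = 40  # seconds; constructed value for the example


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    time: float  # seconds since the exchange started


@dataclass
class Session:
    server_ports: Set[int]  # server ports the client may send to and receive replies from
    expiry: float


class UdpStateTable:
    """Virtual UDP sessions keyed by (client ip, client port, server ip)."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, int, str], Session] = {}

    def _live(self, key: Tuple[str, int, str], now: float):
        sess = self.sessions.get(key)
        if sess is not None and now > sess.expiry:
            del self.sessions[key]  # virtual session timed out
            return None
        return sess

    def inspect(self, svc: UdpService, pkt: Packet) -> str:
        client_key = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        sess = self._live(client_key, pkt.time)
        if sess is not None and pkt.dst_port in sess.server_ports:
            sess.expiry = pkt.time + svc.virtual_session_timeout
            return "accept"  # client continuing an existing session
        if pkt.dst_port == svc.port:
            self.sessions[client_key] = Session({svc.port}, pkt.time + svc.virtual_session_timeout)
            return "accept"  # new request to the service port
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        sess = self._live(reply_key, pkt.time)
        if sess is None:
            return "drop"  # no request this could be a reply to
        if not svc.accept_replies:
            return "drop"  # one-way service
        if pkt.src_port not in sess.server_ports:
            if not svc.accept_replies_from_any_port:
                return "drop"  # reply from a port other than the one contacted
            sess.server_ports.add(pkt.src_port)  # TFTP style: learn the server's data port
        sess.expiry = pkt.time + svc.virtual_session_timeout
        return "accept"


def run_tftp_exchange(svc: UdpService) -> List[str]:
    """Constructed TFTP exchange: request to port 69, reply from a random port, client follows it."""
    table = UdpStateTable()
    client, server = "10.0.0.5", "192.0.2.10"
    exchange = [
        Packet(client, 40000, server, 69, 0.0),     # client -> server port 69
        Packet(server, 51234, client, 40000, 1.0),  # server replies from a random port
        Packet(client, 40000, server, 51234, 2.0),  # client continues on that port
    ]
    return [table.inspect(svc, p) for p in exchange]
```

Running the same exchange through a service with Accept UDP Replies from any port cleared shows why the TFTP definition needs it: the reply from the random port is dropped, and so is every later client packet to that port, because no session was ever extended to it.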
Match for ‘Any’ — If there are two services using the same port number and a rule that
defines the SERVICE as ‘Any’, then Match for ‘Any’ enables the service defined in the UDP
Service Properties window to be the service associated with this rule.
Virtual Session Timeout — Specifies the number of seconds until the session times out. You
must either select the Default time-out, which is defined in Global Properties, or select Other
to override the default time-out.
For UDP services, “session” is defined by VPN-1/FireWall-1, not the protocol itself. This is
why it is called Virtual Session Timeout.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.
1 The client issues a portmapper query to the server (on port 111), asking for the port
number associated with the program.
If the query is UDP, VPN-1/FireWall-1 examines the program number, and allows only
those programs allowed by the Security Policy (in the Services column).
If the query is TCP, VPN-1/FireWall-1 drops the query, unless TCP on port 111 is
explicitly allowed by the Security Policy.
Warning - Allowing TCP on port 111 is considered insecure, because the client can then
run any available RPC program through this port.
Example
Suppose the Security Policy allows RPC as follows:
TABLE 6-5
• If RPC_Client issues a portmapper query on TCP port 111, VPN-1/FireWall-1 drops the
query packet.
• If RPC_Client issues a portmapper query on UDP port 111, VPN-1/FireWall-1 allows the
query only if the program number is 100003, as specified in the RPC Service Properties
window for the nfsprog service. Moreover, VPN-1/FireWall-1 monitors the reply and then
allows the nfsprog service only on the port specified in the reply.
• If RPC_Client does not issue a portmapper query, but communicates directly on the
nfsprog port (program number 100003, as specified in the RPC Service Properties window for
the nfsprog service), VPN-1/FireWall-1 queries portmapper itself and allows the connection
only if the program number returned for that port in the portmapper reply is also 100003.
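The three cases above, as an added example that is not code from the guide: a Python model of how the firewall treats portmapper traffic for an RPC service. The policy allows a set of program numbers (here only nfsprog, 100003, from the guide's example), a TCP query on port 111 is dropped unless explicitly allowed, a UDP query is allowed only for a permitted program, the reply is monitored so that the program is opened only on the announced port, and a direct connection without a prior query is checked against a constructed stand-in for the server's portmapper table.

```python
from dataclasses import dataclass
from typing import Dict, Set

NFSPROG = 100003  # RPC program number used in the guide's example


@dataclass
class RpcPolicy:
    allowed_programs: Set[int]
    allow_tcp_portmapper: bool = False  # TCP on port 111 stays closed unless explicitly allowed


class RpcInspector:
    def __init__(self, policy: RpcPolicy, server_portmap: Dict[int, int]) -> None:
        self.policy = policy
        # Constructed stand-in for the answers the server's portmapper would give
        # when the firewall queries it itself: {port: program number}.
        self.server_portmap = server_portmap
        self.learned: Dict[int, int] = {}  # port -> program, learned from monitored replies

    def portmapper_query(self, transport: str, program: int) -> str:
        """Client query to port 111 asking for the port of `program`."""
        if transport == "tcp":
            return "accept" if self.policy.allow_tcp_portmapper else "drop"
        if transport == "udp":
            return "accept" if program in self.policy.allowed_programs else "drop"
        raise ValueError(f"unknown transport {transport!r}")

    def portmapper_reply(self, program: int, port: int) -> None:
        """The firewall monitors the reply and opens `port` for `program` only."""
        if program in self.policy.allowed_programs:
            self.learned[port] = program

    def connection(self, port: int) -> str:
        """Client connects to an RPC port; allowed only if the program behind it is permitted."""
        program = self.learned.get(port)
        if program is None:
            # No query was observed: the firewall asks the portmapper itself.
            program = self.server_portmap.get(port)
        if program is None:
            return "drop"  # nothing registered on that port
        return "accept" if program in self.policy.allowed_programs else "drop"
```

The point of the learned table is that a permitted program opens exactly one port, the one the portmapper announced; a connection to any other port is judged by what is registered there, never by the fact that some RPC program is allowed.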
Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Program Number — number of the RPC program to be accessed
Get — For standard services, you can retrieve the program number from the RPC database.
Protocol Type — Specifies the protocol type associated with the service.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.
Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
IP Protocol — Specify the IP protocol number associated with the service (for example, 6 for
TCP, 17 for UDP).
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.
Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).
To specify that no Other Service replies will be accepted, that is, to define a “one-way” Other
Service, uncheck Accept Replies.
Virtual Session Timeout — specifies the number of seconds until the session times out. You
must either select the Default time-out or select Other to define the number of seconds.
For all User Defined Service protocols, “session” is defined by the VPN/FireWall software, not
the protocol itself. This is the reason why it is designated as a “virtual session time-out”.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.
To understand the meaning of the Match field, consider the relevant definitions in
$FWDIR/lib/base.def:
Suppose you wish to pass IP protocol number 53, similar to ospf, egp, and bgp. Then define a
user-defined service whose IP Protocol is 53.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.
Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).
Note - To define a new service directly from this window, click New. A menu will be
displayed from which you can select the type of service to create. When you finish defining
the service, you will return to this window.
Resources
Overview
Content Security is enabled by a VPN-1/FireWall-1 object of type Resource. A
VPN-1/FireWall-1 Resource specification defines a set of entities which can be accessed by a
specific protocol. You can define a VPN-1/FireWall-1 Resource based on HTTP, FTP and
SMTP.
VPN-1/FireWall-1 provides content security for HTTP, FTP and SMTP connections, using the
VPN-1/FireWall-1 Security Servers. For each connection established through the
VPN-1/FireWall-1 Security Servers, the Security Administrator is able to control specific access
according to fields that belong to the specific service: URLs, file names, FTP PUT/GET
commands, type of requests and more.
For detailed information about VPN-1/FireWall-1’s Content Security feature, see Chapter 4,
“Security Servers and Content Security “in the book Check Point FireWall-1 Guide.
Resource Windows
You can define resources and groups of resources in the Resources window.
To display the Resources window,
• select Resources from the Manage menu, or
Modifying a Resource
To modify an existing resource, select it in the Resources window and click on Edit.
Deleting a Resource
To delete an existing resource, select it in the Resources window and click on Remove.
Wild Cards
You can use the following wild card characters when entering data in many of the fields in the
Resource Definition windows.
URI Resources
A URI is a Uniform Resource Identifier, of which the familiar URL (Uniform Resource
Locator) is a specific case. URI Resources can define schemes (HTTP, FTP, GOPHER, etc.),
methods, (GET, POST, etc.), hosts (for example “*.com”), paths and queries. In addition, the
Security Administrator can define how to handle responses to allowed resources.
Select one of the following functions of the URI resource you are defining.
Optimize URL logging — if selected, the URI resource will be used for URL logging. The
URL will be logged for HTTP connections and all other fields and tabs of the URI resource
will be disabled. Once the property is selected, the URI resource must then be added to the
Rule Base. The Security Policy is enforced when URL logging is integrated with UFP
caching. URL logging uses Check Point’s TCP streaming technology, which enables the
VPN/FireWall Module to take over some of the Security Servers’ function.
Enforce URI capabilities — If selected, the URI resource will enable all other functionality
of the URI resource, e.g. CVP checking. All basic parameters, defining schemes, hosts, paths
and methods, will apply and the URL is checked by a security server.
Enforce URL Blocking — If selected, the URI resource will be used to check and (if
necessary) drop URL requests containing patterns that match the signature of the Code Red
virus. This capability is integral to the VPN-1/FireWall-1 kernel, and does not require a
Security Server. However, a Security Server will give better protection against this kind of
threat.
When selected all selection options and tabs in this window become unavailable.
To obtain protection against viruses other than Code Red, it is possible to edit the :url
filtering section of the FireWall-1 objects database using the dbedit utility. When a new
virus appears, Check Point will give detailed instructions on countering it.
Connection Methods — check any combination of the following:
• Transparent — match all connections that are not in proxy mode.
This option is relevant only if a proxy to the Web browser is not defined.
• Proxy — match connections in proxy mode
This option is relevant only if the HTTP Security Server is defined as the proxy to the Web
browser.
The CONNECT method only specifies the hostname and port number to connect to. When
Tunneling is specified, FireWall-1 does not examine the content of the request, not even the
URL — only the hostname and port number are checked. Therefore, if Tunneling is
specified, all Content Security options in the URI specification are disabled.
Exception Track — This option determines if an action specified in the Action tab (FIGURE
6-8 on page 242) that is taken as a result of a resource definition is to be logged.
For example, if the user attempts to use an unsupported scheme or method, then the tracking
specified here is performed.
Select one of the following:
• None — no logging or alerting
• Log — log the event
• Alert — issue an alert
• Other — Specify another scheme here. You may use wild card characters in the
specification (see “Wild Cards” on page 233).
This field is relevant only when the HTTP Security Server is defined as a proxy to the
browser.
Methods — the HTTP method, as defined in the Hypertext Transfer Protocol. A brief
explanation of each of these methods is given here.
Select one or more of the following:
GET — The GET method means retrieve whatever information (in the form of an entity) is
identified by the URI. If the URI refers to a data-producing process, it is the produced data
which is returned as the entity in the response and not the source text of the process, unless
that text happens to be the output of the process.
POST — The POST method is used to request that the destination server accept the entity
enclosed in the request as a new subordinate of the resource identified by the URI in the
Request-Line. POST is usually used to provide a block of data, such as the result of
submitting a form, to a data-handling process. The actual function performed by the POST
method is determined by the server and is usually dependent on the URI.
HEAD — The HEAD method is identical to GET except that the server does not return
any Entity-Body in the response. This method is often used for testing hypertext links for
validity, accessibility, and recent modification.
PUT — The PUT method requests that the enclosed entity be stored under the supplied
URI.
Other — Enter one of the following:
* — If you type *, this means all of the following: GET, POST, HEAD and PUT.
OPTIONS — The OPTIONS method represents a request for information about the
communication options available on the request/response chain identified by the URI.
This method allows the client to determine the options and/or requirements associated
with a resource, or the capabilities of a server, without implying a resource action or
initiating a resource retrieval.
PATCH — The PATCH method is similar to PUT except that the entity contains a list of
differences between the original version of the resource identified by the URI and the
desired content of the resource after the PATCH action has been applied.
COPY — The COPY method requests that the resource identified by the URI be copied
to the location(s) given in the request’s URI header field.
DELETE — The DELETE method requests that the origin server delete the resource
identified by the URI.
MOVE — The MOVE method requests that the resource identified by the URI be moved
to the location(s) given in the request’s URI header field. This method is equivalent to a
COPY immediately followed by a DELETE, but enables both to occur within a single
transaction.
LINK — The LINK method establishes one or more Link relationships between the
existing resource identified by the URI and other existing resources.
UNLINK — The UNLINK method removes one or more Link relationships from the
existing resource identified by the URI. These relationships may have been established
using the LINK method or by any other method supporting the Link header.
TRACE — The TRACE method requests that the server identified by the URI reflect
whatever is received back to the client as the entity body of the response. In this way, the
client can see what is being received at the other end of the request chain, and may use
this data for testing or diagnostic information.
Other — Specify another method here. You may use wild card characters in the
specification (see “Wild Cards” on page 233).
Host — the URI’s host name
You may use wild card characters in specifying the host name (see “Wild Cards” on page 233).
Functionality is dependent on the DNS setup of the addressed server.
The following restrictions apply when using wildcard characters in URI Host names:
1 Only the IP address or the full DNS name should be used.
(For example: 191.81.23.* or server.{paris,london}.com, but not {paris,london})
2 For expressions using a host name and port number, the port number must be
explicitly specified.
For example, the expression paris* matches requests on any port. It is recommended to
restrict requests to a known HTTP server (for example, *.paris:80, or paris:80).
Path — the URI’s path name
You may use wild card characters in specifying the path name (see “Wild Cards” on page 233).
Path name matching is based on appending the file name in the request to the current working
directory (unless the file name is already a full path name) and comparing the result to the path
specified in the Resource definition.
The file path name must include the directory separator character /. For example, the request
“/myfile” is matched to “/<current directory>/myfile”. If the Resource path name specifies only
“myfile”, then the request will not be matched.
Path includes the file name (which can include wildcard characters). For example:
• “/boys/bigboy/*” includes all the files in the /boys/bigboy/ directory.
• “/boys/bigboy/” does not include any of the files in the /boys/bigboy/ directory.
Example
For the URI shown in FIGURE 6-5, the components are listed in TABLE 6-9.
FIGURE 6-5 URI components
http://www.elvis.com/alive/qc.html?seenon=Mars (host: www.elvis.com; path: /alive/qc.html; query: seenon=Mars)
TABLE 6-9 URI components and values
component — value
host — www.elvis.com
path — /alive/qc.html
query — seenon=Mars
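The host and path matching rules above, as an added example that is not code from the guide: a Python matcher for the Match tab fields. Only the two wildcard forms visible on this page are implemented, “*” for any run of characters and “{paris,london}” for alternatives, since the Wild Cards table itself is not on this page. The example assumes a host with an explicit port is matched as “host:port” (so “paris*” matches any port while “paris:80” does not), that a relative request path is appended to the current working directory before matching, and that “*” in the Methods field expands to GET, POST, HEAD and PUT as stated below; the resource and URIs in the usage are constructed.

```python
import re
from typing import Any, Dict, Set
from urllib.parse import urlsplit

ALL_METHODS = {"GET", "POST", "HEAD", "PUT"}  # what '*' in the Methods field stands for


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate the wildcards shown on this page: '*' matches any run of characters,
    '{a,b}' matches either alternative. Every other character is literal."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "{":
            j = pattern.index("}", i)  # ValueError if the brace is never closed
            alternatives = pattern[i + 1:j].split(",")
            parts.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = j
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts))


def matches(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def split_uri(uri: str) -> Dict[str, str]:
    """Break a URI into the components of TABLE 6-9; an explicit port stays attached to the host."""
    p = urlsplit(uri)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return {"scheme": p.scheme, "host": host, "path": p.path, "query": p.query}


def resolve_path(request_path: str, cwd: str = "/") -> str:
    """Append a relative file name to the current working directory, as the path rule describes."""
    if request_path.startswith("/"):
        return request_path
    return cwd.rstrip("/") + "/" + request_path


def uri_resource_matches(resource: Dict[str, Any], uri: str, method: str, cwd: str = "/") -> bool:
    """resource = {'host': pattern, 'path': pattern, 'methods': set of method names, or {'*'}}."""
    methods: Set[str] = set(resource["methods"])
    if "*" in methods:
        methods |= ALL_METHODS
    parts = split_uri(uri)
    return (
        method.upper() in methods
        and matches(str(resource["host"]), parts["host"])
        and matches(str(resource["path"]), resolve_path(parts["path"], cwd))
    )
```

The two path patterns from the text behave as described: “/boys/bigboy/*” matches every file under that directory, while “/boys/bigboy/” matches only that exact string, and a resource path of “myfile” can never match the request “/myfile” because the leading separator is part of the comparison.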
(Figure, caption not recovered: HTTP client connection modes. The HTTP user's browser reaches the FireWall-1 gateway either by a direct connection, which is folded into the HTTP Security Server by Transparent Authentication, or with the HTTP Security Server defined as the browser's proxy; in both cases the connection continues from the Security Server to the Internet.)
You will be asked to specify a file name under which the file will be saved.
A URI Specification file is an ASCII file of records separated by \n, where each record consists
of three fields, as described in TABLE 6-11. There should be no white space between the
category and the \n. The last line in the file must also end in \n.
A UFP server maintains a list of URLs and their categories. VPN-1/FireWall-1 checks Web
connection attempts using the URL list on the UFP server.
UFP caching control — Specifies whether there is caching control.
UFP caching reduces the number of requests sent to the UFP Server, thereby optimizing
performance.
Categories — Check the categories you wish to include in the resource definition.
Based on these categories, the HTTP Security Server allows or disallows the connection. A
UFP Server must first be defined in order for the Dictionary of Categories to be displayed.
Once the UFP server is selected from the drop-down list, the Dictionary of category selections
becomes available.
Note - For complete instructions on how to define a UFP Server, see “OPSEC Definition
Window — UFP Options Tab” on page 383.
Ignore UFP Server after connection failure — This check box specifies what the FireWall
should do when connection to the UFP server is lost. You must first define the following:
• Number of failures before ignoring the UFP server — number of times the FireWall
will attempt to contact the UFP server before ignoring it
• Timeout before reconnect to UFP server — defines the time interval for the FireWall
to ignore the UFP server
By checking this option, the system administrator can allow the FireWall to ignore the UFP
server, in other words, skip the match process with the UFP server and allow HTTP
connections to pass. This will only occur if the rule defining the URI Resource’s Action is
accept and all other rule parameters match the connection.
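The Ignore UFP Server after connection failure behaviour, as an added example that is not code from the guide: a Python model in which lookups against a UFP server are counted, and after Number of failures before ignoring the UFP server consecutive failures the server is ignored for Timeout before reconnect to UFP server seconds, during which the category match is skipped and the connection passes only if the rule Action is accept. The UFP server, its category dictionary and the clock are constructed stand-ins; the choice to drop connections while the failure count is still below the threshold is an assumption of the example.

```python
import time
from typing import Callable, Dict, Optional, Set


class FakeUfpServer:
    """Constructed stand-in for a UFP server: a URL-to-categories dictionary that can be 'down'."""

    def __init__(self, categories: Dict[str, Set[str]]) -> None:
        self.categories = categories
        self.down = False
        self.calls = 0

    def lookup(self, url: str) -> Set[str]:
        self.calls += 1
        if self.down:
            raise ConnectionError("UFP server unreachable")
        return self.categories.get(url, set())


class FakeClock:
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class UfpChecker:
    def __init__(self, lookup: Callable[[str], Set[str]], ignore_on_failure: bool,
                 failures_before_ignoring: int, timeout_before_reconnect: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.lookup = lookup
        self.ignore_on_failure = ignore_on_failure
        self.failures_before_ignoring = failures_before_ignoring
        self.timeout_before_reconnect = timeout_before_reconnect
        self.clock = clock
        self.failures = 0
        self.ignore_until: Optional[float] = None

    def decide(self, url: str, blocked: Set[str], rule_action: str = "accept") -> str:
        now = self.clock()
        if self.ignore_until is not None:
            if now < self.ignore_until:
                # Server is being ignored: the UFP match is skipped and the connection
                # passes only when the rule's Action is accept.
                return "accept" if rule_action == "accept" else "drop"
            self.ignore_until = None  # interval over: contact the server again
            self.failures = 0
        try:
            categories = self.lookup(url)
        except ConnectionError:
            self.failures += 1
            if self.ignore_on_failure and self.failures >= self.failures_before_ignoring:
                self.ignore_until = now + self.timeout_before_reconnect
                return "accept" if rule_action == "accept" else "drop"
            return "drop"  # assumption: fail closed until the failure threshold is reached
        return "drop" if categories & blocked else "accept"
```

Worth noticing in the run: while the server is ignored a URL in a blocked category is accepted without any lookup at all, which is the trade-off this option makes between availability and filtering; once the reconnect interval has passed the next request goes back to the server and is blocked again.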
Replacement URI — If the Action in a rule, which uses this resource, is Drop or Reject, then
this URI is displayed instead of the one the user requested in the Match tab. If a UFP server,
defined on this URI resource, sends a URL for redirection, it will override this replacement
URI.
HTML Weeding — Check one of the options below to strip the specified code from the HTML
page containing the reference to JAVA, JAVA Script or ActiveX code. In this way, the user will
not be aware that the JAVA or ActiveX is available from the HTML page being viewed. JAVA
applets already in the cache are not affected by this parameter.
Select any number of the following:
• Strip Script Tags — Strip JAVA Script tags from HTML code.
• Strip Applet Tags — Strip JAVA Applet tags from HTML code.
• Strip ActiveX Tags — Strip ActiveX tags from HTML code.
• Strip FTP Links — Strip FTP links from HTML code
• Strip Port Strings — Strip port strings from HTML code
Built in protocol support allows for the chunking of data for outgoing HTTP data packets.
The chunking of data occurs in the application layer of the TCP/IP Protocol Stack on the
packet stream. Data is chunked by adding header and title information to the data packets
which indicate the size of the data chunk. After the data chunk is processed, or rather, tested
for total packet size, it is dechunked (the header and title are removed). It is then treated as a
single packet and released back into the packet stream to proceed to its destination.
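The chunking and dechunking described above, as an added example that is not code from the guide: a Python encoder and decoder for the HTTP/1.1 chunked transfer coding, where each chunk is prefixed with its size in hexadecimal, the decoder enforces a total size limit as the data is reassembled, and the decoded body is handed back as a single unit. The sample bodies and the size limit are constructed for the example.

```python
import re
from typing import List, Tuple

_CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]+")


def chunk(data: bytes, chunk_size: int) -> bytes:
    """Encode `data` as chunked transfer coding: each chunk carries its own hex size line."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"  # last-chunk followed by an empty trailer section
    return bytes(out)


def dechunk(body: bytes, max_total: int) -> Tuple[bytes, List[bytes]]:
    """Decode a chunked body, refusing once the accumulated size exceeds `max_total`.
    Returns (decoded bytes, list of trailer header lines)."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        if not _CHUNK_SIZE.fullmatch(size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            break
        if len(out) + size > max_total:
            raise ValueError("chunked body exceeds the allowed total size")
        piece = body[pos:pos + size]
        if len(piece) != size:
            raise ValueError("truncated chunk data")
        out += piece
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    trailers: List[bytes] = []
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated trailer section")
        line = body[pos:nl]
        pos = nl + 2
        if line == b"":
            break
        trailers.append(line)
    return bytes(out), trailers
```

The size check runs before each chunk is copied, so a body that declares an oversized chunk is refused without the decoder having to buffer it first, and the strict hex check on the size line rejects anything that is not a plain chunk size.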
Reply Order — designates when data is to be returned to the user. You must select one of the
following choices;
• Return data after content is approved— data is returned after content has been
checked
• Return data before content is approved — data is returned to the user before content
is checked
• Controlled by CVP server - The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.
The way that FireWall-1 treats SOAP packets is defined in a URI resource that uses HTTP.
The SOAP processing defined in the URI resource is performed only if the HTTP connection
carrying the SOAP message was already Accepted by the rule in which the URI resource is used.
In other words, the connection must match the rule, and the rule Action cannot be Reject or
Drop.
In the URI Resource Properties window, check HTTP in the Match tab. The SOAP tab appears,
and in it define the SOAP Inspection behavior: Either Allow All SOAP Requests, or Allow
only SOAP requests specified in the Following File, and select the file.
The namespace and Method name of the XML Methods being passed can be viewed in the
SmartView Tracker by setting the Track option in the URI Resource Properties, SOAP tab. You
will see that the namespace and the name are concatenated in the log file.
http://tempuri.org/message/ EchoString
http://tempuri.org/message/ SubtractNumbers
The file must be defined very precisely. It is best to copy and paste the namespace and method
name from the log file. If there is a syntax error, the SOAP packets will be dropped.
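The SOAP file check above, as an added example that is not code from the guide: a Python inspector that reads the namespace and method name of the call in the SOAP Body, compares the pair against a file of “namespace method” lines in the same form as the log lines shown above, and drops the message when the file has a syntax error or the message cannot be classified. The sample message and allowed file are constructed for the example using the namespace from those log lines; treating blank lines as ignorable is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

SOAP_ENVELOPES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)


def soap_method(xml_bytes: bytes) -> Tuple[str, str]:
    """Return (namespace, method name) of the call carried in the SOAP Body."""
    root = ET.fromstring(xml_bytes)
    body = None
    for ns in SOAP_ENVELOPES:
        body = root.find(f"{{{ns}}}Body")
        if body is not None:
            break
    if body is None:
        raise ValueError("no SOAP Body element")
    call = next(iter(body), None)
    if call is None or not call.tag.startswith("{"):
        raise ValueError("Body does not carry a namespace-qualified method")
    ns, name = call.tag[1:].split("}", 1)  # ElementTree tags look like '{namespace}Name'
    return ns, name


def load_allowed(text: str) -> Set[Tuple[str, str]]:
    """Parse the 'namespace method' file; any non-blank line that is not exactly two fields is a syntax error."""
    allowed = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # assumption: blank lines are ignored
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"syntax error on line {lineno}: {line!r}")
        allowed.add((fields[0], fields[1]))
    return allowed


def inspect_soap(xml_bytes: bytes, allowed_file: Optional[str]) -> str:
    """allowed_file=None models 'Allow All SOAP Requests'; otherwise only listed calls pass."""
    if allowed_file is None:
        return "accept"
    try:
        allowed = load_allowed(allowed_file)
        call = soap_method(xml_bytes)
    except (ValueError, ET.ParseError):
        return "drop"  # syntax error in the file, or a message that cannot be classified
    return "accept" if call in allowed else "drop"


# Constructed sample message (not from the guide) using the namespace shown in the log lines above.
ECHO_REQUEST = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><m:EchoString xmlns:m="http://tempuri.org/message/">'
    b'<m:s>hello</m:s></m:EchoString></soap:Body></soap:Envelope>'
)

ALLOWED_FILE = "http://tempuri.org/message/ EchoString\nhttp://tempuri.org/message/ SubtractNumbers\n"
```

Because the comparison is on the exact (namespace, method) pair, a namespace that differs by a trailing slash or a method name in different case is a different call and is dropped, which is why the text recommends copying both values from the log rather than typing them.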
The Security Administrator can classify Internet resources, namely URL designators, as part of
an appropriate QoS policy in accordance with enterprise priorities.
Name — the resource’s name
Search for URL — Specifies the URL string to be searched for in HTTP connections.
A URL string is a character string that contains wild cards which describe the URL that is to
be matched to an HTTP connection within the FloodGate-1 rule. You must enter one of the
following:
• a site with a wild card, for example, www.checkpoint.com/*
• a specific file name, or
• *.gif, which is any gif from any site
For more information on wild cards, see “Wild Cards” on page 233.
SMTP Resources
Warning - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.
• source routing
If the envelope SMTP MAIL or RCPT commands contain source routing symbols, the SMTP
Security Server replies with an error code.
All the resource actions, e.g. header rewriting and CVP, will be decided according to the last
rule matched. The new resolved IP will be fetched from the MX record resolving or from the
server IP.
If multiple servers are defined, then they are tried one after the other until successful.
If this field is empty, mail is forwarded to the server specified under default_server in
$FWDIR/conf/smtp.conf . If this too is empty, then mail is forwarded to its original destination.
Deliver messages using DNS/MX records — if selected, MX record resolving will be used to
set the source IP of the connection which will be used to send the error message.
Check Rule Base with new Error Destination—if selected, the Rule Base will be rechecked
with the new resolved IP for the error mail.
All resource actions will be decided according to the last rule matched. The new resolved IP will
be fetched from the MX record resolving or from the server IP.
Exception Tracking — This option determines if an action (specified in the Action2 tab) taken
as a result of a resource definition is logged.
Select one of the following:
• None — no logging or alerting
• Log — log the event
• Alert — issue an alert
For example, if a virus is detected and CVP in the Action2 tab (FIGURE 6-9) is not set to
None, or if the user attempts to send a message that is too long, the tracking specified here is
taken.
Notify Sender on Error — Notify the sender if the message was not delivered.
Note - For mail delivery within an organization using an SMTP Security Server, it is
recommended to use static mail server configuration, by configuring “server” or “error
server” in the SMTP resource, rather than using the MX resolving option.
Action 1 Tab
This tab defines transformations to be performed on the given fields. The data in the field is
modified in accordance with the defined transformation. The left part of the transformation is a
match field (see “Wild Cards” on page 247). The right part specifies the form of the new
transformed data. For information on specifying multiple names in some of these fields, see
“Specifying Multiple Names” on page 249.
Sender — the ‘From’ field in the header
You can also use the “&” wildcard character in specifying a field. For more information, see
“Wild Cards” on page 247.
Note - Stripping fields such as ‘From’ and ‘To’ is discouraged, since it makes it impossible
to deliver the mail message.
Action 2 Tab
Strip MIME of Type — MIME attachments of the specified type will be stripped from the
message.
1) Allowed types are (as defined in RFC 1521):
• text
• multipart
• message
• image
• audio
• video
• application
Note - If you strip MIME of type text, the text in the body of the message is not stripped.
Strip file by name — strip file attachments with the name specified in this field
This field enables the user to strip UU-ENCODE and MIME file attachments whose names
match any of the defined expressions.
Consider the following expressions: (+love*, *.pic, a*+). In the following examples,
the defined file attachments will be stripped.
Don’t Accept Mail Larger Than — Mail messages larger than this size will not be allowed to
pass.
Allowed Characters — Select one of the following:
• 8 bit — Allow 8 bit ASCII.
• 7 bit — Allow only 7 bit ASCII (but no control characters).
Weeding — Check any of the options below to strip header and mail content containing the
reference to JAVA, JAVA Script, ActiveX code, FTP links and port strings. JAVA applets already
in the cache are not affected by this parameter.
Select any number of the following:
• Strip Script Tags — Strip JAVA Script tags.
• Strip Applet Tags — Strip JAVA Applet tags.
• Strip ActiveX Tags — Strip ActiveX tags.
• Strip FTP Links — Strip FTP links.
• Strip Port Strings — Strip port strings.
Notes:
and not:
{hostname1,hostname2}@domainname1
4) When rewriting, the number of names on the left side should be the same as the number of
names on the right side. Rewrite:
{name1,name2} to {newname1,newname2}
However, if all the names on the left side are to be rewritten to the same name on the right
side, you can rewrite:
{name1,name2} to newname1
CVP Server allowed to modify content — Enables the designated CVP Server to modify
content.
Send SMTP headers to CVP Server — Enables the SMTP mail headers to be forwarded to the
CVP server for CVP content checking.
Reply Order — Designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server found a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the security server.
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.
FTP Resources
For example, if a virus is detected and Use CVP (Content Vectoring Protocol) in the CVP tab
is not enabled, then the tracking specified here is taken.
Reply Order field — designates when data is to be returned to the user. You must select one of
the following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server found a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the security server.
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.
TCP Resources
The TCP resource supports all TCP services and can be used for two different features. The
TCP resource can be used to support the generic daemon (in.genericd). This daemon is not the
HTTP Security Server; it receives data packets and sends them to a CVP Server, as
defined by the TCP resource.
The TCP resource also allows the screening of URLs using a UFP Server without using the
security server. If enabled, the UFP Server can perform URL checking without using a security
server. The URL received by the UFP Server is not a full URL but rather IP-based only. Before
using the TCP resource, the security administrator must verify that the UFP Server supports IP-
based URLs and can categorize specific protocols for which the TCP resource is to be
implemented.
The UFP server maintains a list of URLs and their categories. VPN-1/FireWall-1 checks
connection attempts using the URL list on the UFP server.
When a user requests a URL, VPN-1/FireWall-1 determines if the UFP server must be used
and handles the request without using a security server. If the UFP Server is used, the
connection packet is temporarily held until VPN-1/FireWall-1 determines if the connection is
permitted.
UFP Caching Control — specifies how caching is to be enabled
The Security Administrator can choose no caching, caching on the UFP server, or caching 1
or 2 requests on VPN-1/FireWall-1 from the drop-down menu.
Categories — check the categories you wish to include in the resource definition
4 Click OK. The service appears in the Service with Resource menu.
Click on the service and then select the Resource to be used from the drop-down list and
click OK.
5 The service with the TCP enabled resource appears in the Service column of the associated
rule and can be implemented in the Rule Base.
6 You must then edit $FWDIR/conf/fwauthd.conf and add a line where <port> is the tcp
service’s port number. For example:
<port> fwssd in.genericd wait 0
CIFS Resources
CIFS Overview
CIFS (Common Internet File System) is a protocol used to request file and print services from
server systems over a network.
The protocol is an extension of the Server Message Block (SMB) protocol.
The protocol is often implemented over the NETBIOS session service over TCP using port
139.
Microsoft also uses CIFS over the Microsoft-DS protocol (port 445) for networking and file
sharing.
In a typical configuration each CIFS client maintains a TCP connection with every CIFS server
to which it is connected.
The client and server exchange CIFS-requests and CIFS-responses messages over this
connection.
More information on CIFS can be found under:
http://www.microsoft.com/mind/defaulttop.asp?page=/mind/1196/cifs.htm&nav=/mind/1196/inthisissuecolumns1196.htm
http://samba.org/cifs/
http://samba.org/samba/about.html
Note that in addition to the actual disk share, many CIFS client implementations also try to map
a pseudo share called
"\\ServerName\IPC$"
In order to allow access to the desired “ShareName” as well as IPC$, the regular expression
should therefore take the following form:
^\\\\ServerName\\(ShareName|IPC\$)$
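As an added illustration (example code, not from this guide or from Check Point), the Python below builds an allowlist pattern of the same form and checks sample UNC paths against it. The helper names, the sample paths and Python's re matching rules (including case-sensitive matching) are assumptions; the product's own matcher may differ.

```python
import re

# The share-allowlist pattern from the CIFS resource discussion above, as typed
# in the resource: ^\\\\ServerName\\(ShareName|IPC\$)$
# Every backslash of the UNC path is escaped, so "\\\\" matches the two leading
# backslashes of \\ServerName and "\\" the single one before the share name.
# The "$" of IPC$ is escaped so it is a literal, not an end-of-string anchor.
CIFS_SHARE_PATTERN = r"^\\\\ServerName\\(ShareName|IPC\$)$"


def build_share_pattern(server: str, shares) -> str:
    """Build an allowlist pattern of the same form for a server and its shares.

    Hypothetical helper (not a Check Point function): names are re.escape()d so
    a share such as "IPC$" keeps its literal dollar sign, and the pattern is
    anchored at both ends so "\\ServerName\ShareName2" does not match.
    """
    alternatives = "|".join(re.escape(share) for share in shares)
    return r"^\\\\" + re.escape(server) + r"\\(" + alternatives + r")$"


def share_allowed(pattern: str, unc_path: str) -> bool:
    """Return True if the mapped UNC path matches the allowlist pattern.

    Matching is case-sensitive here (Python's default); whether the CIFS
    Security Server folds case is not stated in the text, so it is not assumed.
    """
    return re.match(pattern, unc_path) is not None


# Constructed sample share-map requests, as a CIFS client would issue them.
SAMPLE_REQUESTS = [
    r"\\ServerName\ShareName",    # the desired disk share: allowed
    r"\\ServerName\IPC$",         # the IPC$ pseudo share clients map first: allowed
    r"\\ServerName\ShareName2",   # a different share on the same server: not allowed
    r"\\ServerName\Admin$",       # an administrative share: not allowed
    r"\\OtherServer\ShareName",   # the right share name on the wrong server: not allowed
]


def classify_requests(pattern: str, requests):
    """Map each requested UNC path to True (allowed) or False (restricted)."""
    return {path: share_allowed(pattern, path) for path in requests}
```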
Logging
Logging of each share map attempt can be enabled by checking Log mapped shares in the
CIFS Resource Properties window.
In order to log attempts to access restricted shares as well as any protocol violation performed by
the client check Log access violation in the CIFS Resource Properties window.
Known limitations
1) In a High Availability configuration, CIFS statefully inspected connections are not expected
to survive failover.
2) A Disk/Print share whose name is not a legal ASCII string is not supported. An attempt to
connect to these shares will be rejected.
3) CIFS connections will not survive a Policy installation.
CIFS resources are supported with Accept, Client authentication, Session authentication and
Client Encrypt rules. Drop, Reject and User authentication are not allowed.
Name | Port | Description | Pre-defined in VPN-1/FireWall-1 | Notes
DNS | 53 | Domain Name System — a distributed database used to map host names to IP addresses | Yes | This is also a UDP service. TCP DNS is used for Domain Name Download, while UDP DNS is used for Domain Name Queries.
echo | 7 | An echo server sends the client whatever the client sent the server. | Yes | This is also a UDP service.
exec | 512 | invokes an executable | Yes |
finger | 79 | a protocol that provides information about users on a specified host | Yes |
ftp | 21 | File Transfer Protocol — a protocol for copying files between hosts | Yes | To enable auxiliary data connections, check Enable FTP PORT Data Connections in the Services tab of the Properties Setup window.
Vosaic | 1235 | audio and video based on VDP (Video Datagram Protocol) | Yes | also uses UDP ports 61801-61821
VDO-Live | 7000 | a protocol for the transmission of high quality video on the Internet | Yes | To enable auxiliary (back) data connections for this service, you must specifically list this service under Services in the Rule Base.
wais | 210 | Wide Area Information Servers — a tool for keyword searches, based on database content, of databases on the Internet | Yes |
Webtheatre | 12468 | live audio & video streaming | Yes | To enable auxiliary data connections for this service, you must specifically list this service under Services in the Rule Base. The client opens TCP port 12468 by default for control; for each media stream request there is a port command from client to server including the RTP (UDP) port the client is waiting on. The audio passes on the RTP port and the control on the RTCP port (RTCP port = RTP port + 1). NAT is supported.
Name | Port | Description | Pre-defined in VPN-1/FireWall-1 | Notes
time | 37 | a service that returns the time of day as a binary number | Yes | This is also a TCP service.
traceroute | >33000 | a debugging application that shows the route followed by IP packets | Yes |
who | 513 | a service that provides information on who is logged on to the local network | Yes |
Name | Program number | Description | Pre-defined in VPN-1/FireWall-1 | Notes
DCE-RPC | | a protocol similar to Sun RPC Portmapper | Yes | Experimental support for use with Microsoft Exchange.
lockmanager | 100021 | a protocol used for the transmission of lock requests | Yes | as nlockmgr
mountd | 100005 | a protocol used for the transmission of file mount requests | Yes | belongs to the NFS group
NFS | | Network File System — a protocol that provides transparent file access over a network | Yes | a group that includes all the services that are required for NFS.
nfsprog | 100003 | | Yes | belongs to the NFS group
NIS | | Network Information System — a protocol that provides a network accessible system administration database, widely known as Yellow Pages | Yes | NIS is a group that includes all the services that are required for NIS.
nisplus | 100300 | | Yes |
pcnfsd | 150001 | | Yes | belongs to the NFS group
rstat | 100001 | a protocol used to obtain performance data from a remote kernel | Yes |
rwall | 100008 | a protocol used to write to all users in a network | Yes |
ypbind | 100007 | | Yes | belongs to the NIS group
yppasswd | 100009 | | Yes | belongs to the NIS group
ypserv | 100004 | | Yes | belongs to the NIS group
ypupdated | 100028 | | Yes | belongs to the NIS group
ypxfrd | 100069 | | Yes | belongs to the NIS group
Name | Description | Pre-defined in VPN-1/FireWall-1
dest-unreach | an ICMP message indicating that the destination is unreachable | Yes
source-quench | an ICMP message indicating that the system cannot process datagrams at the rate at which they are being received | Yes
info-req | an obsolete ICMP message | Yes
info-reply | an obsolete ICMP message | Yes
mask-request | an ICMP message requesting a diskless system’s subnet mask | Yes
mask-reply | an ICMP message in reply to a mask-request message | Yes
param-prblm | an ICMP message indicating invalid data in an earlier message | Yes
ping: echo-request, echo-reply | The ping program tests whether another host is available, and measures the time between the request (echo-request) and the reply (echo-reply). | Yes
redirect | an ICMP error message sent by a router in response to a misdirected datagram | Yes
time-exceeded | an ICMP error message indicating routing loops or reassembly failure | Yes
timestamp (request, reply) | ICMP messages (request and reply) enabling systems to query each other for the current time | Yes
traceroute | a debugging application that shows the route followed by IP packets | Yes
Name | IP protocol number | Pre-defined in VPN-1/FireWall-1
Note - For NT clients, you can also enable traceroute by checking Accept ICMP in the
Security Policy tab of the Properties Setup window. However, this enables all ICMP
services, and not just the ones required for traceroute.
Global Properties
In This Chapter
FireWall-1 Implied Rules page 276
Security Server page 278
VoIP (Voice over IP) page 279
NAT (Network Address Translation) page 279
Authentication page 280
VPN-1 Pro page 282
VPN-1 Early Versions Compatibility page 282
VPN-1 Advanced page 282
VPN-1 Net page 282
Remote Access — VPN SecuRemote/SecureClient page 282
Remote Access — VPN page 282
Remote Access — Secure Configuration Verification page 282
Remote Access — Early Versions Compatibility page 282
FloodGate-1 Properties page 282
SmartMap page 283
Management High Availability page 283
LDAP (Account Management) page 283
Connect Control page 285
Open Security Extension (OSE) Access List page 286
Stateful Inspection page 287
Log and Alert page 289
SmartDashboard Customization page 293
A Security Policy is defined not only by the Rule Base, but also by the properties specified in
the various pages of the Global Properties window. These properties enable the user to control
all aspects of a communication’s inspection, while at the same time freeing the user of the need
to specify repetitive detail in the Rule Base.
To display the Global Properties window, choose Properties from the Policy menu, or click the
corresponding button in the toolbar.
FireWall-1 Implied Rules
For information about the interaction between Properties and the Rule Base, see “Interaction
between Rule Base and Implied Rules (Properties)” on page 317.
Note - There is no longer a Services tab. The options that (in previous versions) were in
that tab (listed below) are enabled by default. They can be changed by editing
objects_5_0.C using dbedit (see Chapter 18, “Command Line Interface”).
• Enable FTP PORT data connections
• Enable FTP PASV data connections
• Enable RSH/REXEC reverse stderr connections
• Enable RPC control
TABLE 7-1 lists the services enabled by Accept VPN-1 & FireWall-1 Control Connections.
“all VPN/FireWall Modules” means all VPN/FireWall Modules managed by this SmartCenter
Server. You can view the implied rules generated by this property by choosing Implied Rules
from the View menu (see “Implied Rules” on page 318 for more information).
Enabling Accept VPN-1 & FireWall-1 Control Connections opens the VPN-1/FireWall-1
application port and the SmartCenter Server port, allowing VPN-1/FireWall-1 GUI Clients to
communicate with the SmartCenter Server. If you disable Accept VPN-1 & FireWall-1 Control
Connections and you want VPN-1/FireWall-1 applications to communicate with each other,
you must explicitly allow these connections in the Rule Base.
Accept Outgoing Packets Originating from Gateway — Accept all outgoing packets
originating on the gateway (the VPN/FireWall Module machine).
Accept Outgoing Packets Originating from Gateway is set to Before Last to enable the user
to define more detailed rules relating to these packets that will be enforced before this
property. If this property were First, then there would be no opportunity for the user to relate
to these in the Rule Base. If it were Last, then it would be enforced after the last rule (which
typically rejects all packets) and would thus have no effect.
Accept RIP — Accept Routing Information Protocol used by the routed application.
RIP maintains information about reachable systems and the routes to those systems.
Accept Domain Name Over UDP (Queries) — Accept Domain Name Queries used by named.
named resolves names by associating them with their IP address. If named does not know the
IP address associated with a particular host name, it issues a query to the name server on the
Internet.
Accept Domain Name Over TCP (Zone Transfer) — Allow uploading of domain name-
resolving tables.
Tables of Internet host names and their associated IP addresses and other data can be uploaded
from designated servers on the Internet.
Accept ICMP requests — Accept Internet Control Messages.
ICMP (Internet Control Message Protocol) is used by IP for control messages (for example,
destination unreachable, source quench, route change) between systems.
Accept ICMP requests is set to Before Last to enable the user to define more detailed ICMP
related rules that will be enforced before this property. If this property were First, then there
would be no opportunity for the user to relate to ICMP in the Rule Base. If it were Last,
then it would be enforced after the last rule (which typically rejects all packets) and would thus
have no effect.
Enabling Accept ICMP does not enable ICMP Redirect. If you wish to enable ICMP
Redirect, you must explicitly do so.
Accept CPRID connections — Accept SmartUpdate connections.
Accept dynamic address gateways’ DHCP traffic — Accept DHCP traffic for DAIP
(Dynamically Assigned IP Address) Modules.
See Chapter 14, “Dynamically Assigned IP Addresses” for more information about DAIP
Modules.
Track
Log Implied Rules — Log the connections to which implied rules (the rules shown when
Implied Rules has been selected in the View menu) are applied.
The rule number of these log entries is 0 (zero).
See “Interaction between Rule Base and Implied Rules (Properties)” on page 317 for more
information.
Security Server
For information about Security Servers, see “Security Servers” on page 205 of Check Point
FireWall-1 Guide.
The NAT rules are the ones in the Address Translation Rule Base. The additional rule is the
rule that matches the automatic translation performed on the second object in bi-directional
NAT.
If Automatic rules intersection is checked, then both rules will be applied and both source
and destination addresses will be translated. If it is not checked, only one of these objects will
be translated, because only one of the automatically generated NAT rules is applied.
Translate destination on client side — Static Destination Mode NAT is performed on the
Client side.
In VPN-1/FireWall-1 prior to Version NG, Static Destination Mode NAT was performed on
the server side of the gateway, which required special handling for anti-spoofing and internal
routing.
For new installations, Perform destination translation on the client side is enabled by
default. For upgrades, Perform destination translation on the client side is disabled, in
order to maintain compatibility with earlier versions.
For additional information, see “Ensuring That the Gateway Forwards the Packet to the
Correct Host” on page 84 and “Static Destination Mode” on page 77 of Check Point
FireWall-1 Guide.
Automatic ARP configuration — ARP tables on the VPN/FireWall Module machine (gateway)
performing NAT will be automatically configured so that ARP requests for a translated (NATed)
machine, network or address range are answered by the gateway.
This option removes the requirement (present in VPN-1/FireWall-1 prior to Version NG) for
manual ARP configuration (using the arp command in Unix or the local.arp file in NT).
The command fw ctl arp displays the VPN-1/FireWall-1 Module’s ARP proxy table on
Windows NT and Windows 2000 VPN/FireWall Modules (see “fwm ctl” on page 576). On
Unix, use the arp -a command.
For additional information, see “Ensuring That the Gateway Forwards the Packet to the
Correct Host” on page 84 of Check Point FireWall-1 Guide.
IP Pool NAT
For information about IP Pools and these parameters, see “IP Pools” on page 176 of Check
Point Virtual Private Networks Guide.
Authentication
User Authentication Session timeout (minutes) — The session will time out if there is no
activity for this time period. This applies to the FTP, telnet, and rlogin Security Servers.
For HTTP, this field has a different meaning: The HTTP Security Server extends the validity of
a one-time password for this time period, so users with one-time passwords will not have to
reauthenticate for each connection during this time period.
Enable wait mode for Client Authentication — This option applies only when a user initiates
Client Authentication through a telnet session to port 259 on the gateway.
If Enable wait mode is checked, the initial telnet session remains open. The Client
Authentication session is closed when the telnet session is closed, either by the user or by
other means. VPN-1/FireWall-1 pings the client at regular intervals during the authorization
period. If the client machine has stopped running (for example, due to a power failure) VPN-
1/FireWall-1 closes the telnet session and Client Authentication privileges to the IP address are
withdrawn. When the Client Authentication session has been closed, it cannot initiate any
new authenticated connections; however, all existing authenticated connections remain open.
If Enable wait mode is not checked, the initial telnet session is closed when the user chooses
the Standard Sign On or Specific Sign On options. The user must initiate another telnet
session on the gateway in order to sign off the Client Authentication session.
Authentication Failure Track — specifies the action to take if Authentication fails (applies to
all authentication rules)
• None — no tracking
• Log — Create a log of the authentication action.
• Popup Alert — Run the script specified in Run popup alert script in the Log and Alert
page of the Global Properties window (FIGURE 7-23 on page 413).
For information about authentication, see Chapter 3, “Authentication” of Check Point FireWall-1
Guide.
VPN-1 Pro
For information about encryption, see Check Point Virtual Private Networks Guide.
VPN-1 Advanced
For information about the VPN-1 Advanced page, see Check Point Virtual Private Networks Guide.
VPN-1 Net
For information about the VPN-1 Net page, see Check Point Virtual Private Networks Guide.
FloodGate-1 Properties
Bandwidth Control
Weight
Maximum weight of rule — the maximum rate that can be assigned to a rule
Default weight of rule — the default rate assigned to a new rule and to Default rules
Rate
Default interface Rate — the default bandwidth capacity for interfaces
Unit of measure — the unit specified by default for transmission rates
SmartMap
The SmartMap page enables or disables the SmartMap View of SmartMap.
For more information, see Chapter 16, “SmartMap.”
After this period has passed, the user must define a new password.
Note - This field does not apply to IKE pre-shared secrets and certificates, which do not
expire.
If a user’s password is modified using a tool other than the Check Point Account Management
Client, the fw1pwdLastMod attribute is not updated, and the new password will expire on the
day the old one would have expired.
To specify that a password never expires, set Password Expires After to 0 (zero) days.
Example
Suppose that for user Alice, Days before Password Expires is 15. On January 1st, Alice
modifies her password using the Check Point Account Management Client. fw1pwdLastMod
is set to January 1st, so her password will expire on January 16th.
Suppose that on January 10th, Alice modifies her password again.
• If she uses the Check Point Account Management Client to modify her password, then:
• fw1pwdLastMod is changed to January 10th.
• Her new password is valid for 15 days from January 10th, and will expire on January
26th.
• If she uses a different LDAP Client to modify her password, then:
• fw1pwdLastMod is not changed, and is still January 1st.
• Her new password is valid for 15 days from January 1st, and will expire on January
16th.
When a user defined on an LDAP Account Unit enters a password, VPN-1/FireWall-1 checks
whether the password has expired. If the password has expired, the user is prompted to enter a
new password.
The new password must be different from the old one, and must also satisfy the following
conditions:
• minimum length
• minimum number of lowercase letters (a-z)
• minimum number of uppercase letters (A-Z)
• minimum number of symbols (non-letters and non-numbers)
• minimum number of digits (0-9)
The default values for these conditions are given in the objects.C file by the following
parameters (the default setting is in parenthesis):
    :props (
        :psswd_min_length (0)
        :psswd_min_num_of_lowercase (0)
        :psswd_min_num_of_uppercase (0)
        :psswd_min_num_of_symbols (0)
        :psswd_min_num_of_numbers (0)
    )
Allow Account Unit to Return — This field specifies the number of users that the Account
Unit may return in response to a single query.
Display user’s DN at login — If checked, then when an LDAP user logs in, his or her DN will
be displayed before he or she is prompted for a password.
This property is a useful diagnostic tool when there is more than one user with the same name
in an Account Unit. In this case, the first one is chosen and any others are ignored. If this
property is enabled, the user can verify that the correct entry is being used.
Note - A user can log in either with a user name or with a DN.
Connect Control
Servers Availability
Server availability check interval — The interval (in seconds) at which the VPN/FireWall
Module will ping a physical server to determine if it is available.
Server check retries — The number of consecutive times the server availability check must fail
in order that the VPN/FireWall Module will consider the physical server to be unavailable (and
will no longer direct connections to it).
Servers Persistency
Persistent server timeout — The length of time during which connections will be redirected
to the same physical server when Persistent server mode is enabled for a Logical Server in the
Logical Server Properties window (FIGURE 9-2 on page 323 of Check Point FireWall-1
Guide).
For more information about these parameters, see “How Server Load Balancing Works” on page
320 of Check Point FireWall-1 Guide.
Stateful Inspection
Note - The term “Stateful Inspection” means that packets are inspected in the context of
connections. The initial packet of a connection is inspected against the Rule Base. If the
connection is allowed, then the connection is added to an internal connection table, and
subsequent packets are checked against the connection table. A connection is removed
from the connection table when it terminates or times out. The use of the connection
table significantly speeds up packet processing.
TCP session timeout — The length of time an idle connection will remain in the
VPN-1/FireWall-1 connections table.
See “When a Security Policy is Installed” on page 346.
TCP end timeout — A TCP connection will be terminated only TCP end timeout seconds
after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST
packet.
This means that after a TCP connection has ended (has seen FIN packets or has been reset)
the VPN/FireWall Module will keep the connection in the connections table another TCP
end timeout seconds, to allow for any stray ACKs belonging to the connection that might
arrive late.
ICMP virtual session timeout — An ICMP virtual session will be considered to have timed out
after this time period.
Other IP Protocols virtual session timeout — A virtual session of services (which are not one
of the following: TCP, UDP, ICMP) will be considered to have timed out after this time period.
Stateful UDP
These properties define the defaults for UDP services that are not defined in the Services
Manager. For UDP services defined in the Services Manager, the properties are defined on a
per-service basis in the Advanced UDP Service Properties window (FIGURE 6-3 on
page 225).
Accept stateful UDP replies for unknown services — Specifies if UDP replies are to be
accepted.
To specify that no UDP replies will be accepted, uncheck Accept stateful UDP replies for
unknown services.
If Accept stateful UDP replies for unknown services is checked, then Accept stateful UDP
replies from any port for unknown services specifies from which ports to accept UDP
replies.
Accept stateful UDP replies from any port for unknown services — If checked, UDP
replies will be accepted from any port. Otherwise, UDP replies will be accepted only from the
port to which the original communication was sent.
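To make the TCP timeouts and the Stateful UDP reply settings above concrete, here is an added Python model of a connections table (example code, not Check Point's implementation). The ConnectionTable class, its timeout arguments, the addresses in the test and the choice to start the end timeout at the second FIN or at an RST are assumptions; the timeout values used are constructed, not product defaults.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Connection key: (client address, client port, server address, server port).
Key = Tuple[str, int, str, int]


@dataclass
class TcpEntry:
    last_seen: float                  # time of the last packet in either direction
    fin_c2s: bool = False
    fin_s2c: bool = False
    ended_at: Optional[float] = None  # set once both FINs, or an RST, have been seen


@dataclass
class UdpEntry:
    last_seen: float


class ConnectionTable:
    """Simplified model of the connections table; timeouts in seconds."""

    def __init__(self, tcp_session_timeout: float, tcp_end_timeout: float,
                 udp_virtual_session_timeout: float,
                 accept_udp_replies_from_any_port: bool):
        self.tcp_session_timeout = tcp_session_timeout
        self.tcp_end_timeout = tcp_end_timeout
        self.udp_timeout = udp_virtual_session_timeout
        self.any_port = accept_udp_replies_from_any_port
        self.tcp: Dict[Key, TcpEntry] = {}
        self.udp: Dict[Key, UdpEntry] = {}

    # --- TCP ---------------------------------------------------------------
    def tcp_accept_new(self, key: Key, now: float) -> None:
        """The initial packet matched an Accept rule: record the connection."""
        self.tcp[key] = TcpEntry(last_seen=now)

    def tcp_in_state(self, key: Key, now: float) -> bool:
        """Is a packet for this 4-tuple still covered by the table at time now?"""
        entry = self.tcp.get(key)
        if entry is None:
            return False
        if entry.ended_at is not None:
            # An ended connection stays for tcp_end_timeout seconds so stray
            # ACKs that arrive late are matched instead of being out of state.
            alive = now <= entry.ended_at + self.tcp_end_timeout
        else:
            # Idle connections age out after tcp_session_timeout seconds.
            alive = now - entry.last_seen <= self.tcp_session_timeout
        if not alive:
            del self.tcp[key]
        return alive

    def tcp_packet(self, key: Key, now: float, from_client: bool,
                   fin: bool = False, rst: bool = False) -> bool:
        """Process a packet of an existing connection; False = out of state (dropped)."""
        if not self.tcp_in_state(key, now):
            return False
        entry = self.tcp[key]
        entry.last_seen = now
        if rst:
            entry.ended_at = now
        elif fin:
            if from_client:
                entry.fin_c2s = True
            else:
                entry.fin_s2c = True
            if entry.fin_c2s and entry.fin_s2c and entry.ended_at is None:
                entry.ended_at = now  # end timeout starts with the second FIN
        return True

    # --- UDP ---------------------------------------------------------------
    def udp_accept_request(self, key: Key, now: float) -> None:
        """A UDP request for an unknown service was accepted: open a virtual session."""
        self.udp[key] = UdpEntry(last_seen=now)

    def udp_reply_in_state(self, src: str, sport: int, dst: str, dport: int,
                           now: float) -> bool:
        """Decide whether an inbound UDP reply belongs to an open virtual session.

        The reply must come from the server to the client address and port that
        sent the request. With accept-from-any-port enabled the server's source
        port is ignored; otherwise it must be the port the request was sent to.
        """
        for key, entry in list(self.udp.items()):
            client, cport, server, orig_port = key
            if now - entry.last_seen > self.udp_timeout:
                del self.udp[key]  # virtual session timed out
                continue
            if dst != client or dport != cport or src != server:
                continue
            if sport == orig_port or self.any_port:
                entry.last_seen = now
                return True
        return False  # out of state: dropped (and logged if Log on drop is set)
```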
Stateful ICMP
Stateful Inspection is always applied to ICMP packets, that is, an ICMP packet must be in the
context of an ICMP “virtual session,” or statefully matched to another TCP/UDP connection
(for example, ICMP errors). These properties relate to ICMP packets which refer to another
non-ICMP connection, (for example, to an ongoing TCP or UDP connection) that is allowed
by the Rule Base. In other words, these ICMP packets can be considered to be in the context
of the other connection.
Replies — Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
Errors — Accept ICMP error packets which refer to another non-ICMP connection (for
example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
This property does not include ICMP_redirect.
Note - The stateful ICMP mechanism will not allow ICMP error messages (such as Port
Unreachable, TTL expired in transit) resulting from unidirectional ICMP and “other”
services (services that are defined with Accept Replies disabled in the Advanced
window). To allow such ICMP errors, Accept Replies must be enabled.
Drop out of state UDP packets — Drop UDP packets which are not in the context of a
“virtual session” (see “Virtual Sessions” on page 287).
Log on drop — Generate a log entry when these packets are dropped.
Drop out of state ICMP packets — Drop ICMP packets which are not in the context of a
“virtual session” (see “Virtual Sessions” on page 287).
This parameter is always enabled.
Log on drop — Generate a log entry when these packets are dropped.
Note - This setting is a useful method of detecting whether such routing configuration
errors are present.
Anomalous — Log only those out of sequence packets that can rarely occur in a valid
connection.
Every — Log all out of sequence packets.
Every includes Suspicious and Anomalous, as well as some harmless out of sequence
packets (for example, some retransmitted packets, which are accepted after their payload has
been cleared).
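The connections-table behaviour described above (TCP end timeout, UDP virtual session timeout, accepting stateful UDP replies from the original or from any port, and dropping out-of-state UDP with Log on drop), modelled as a small Python simulation. This is an added example, not Check Point code; the addresses, ports and timeout values are constructed.

```python
"""Toy model of the Stateful Inspection connections table described above (added example,
not Check Point code).  It covers the TCP end timeout (an ended connection stays in the
table so late ACKs are accepted), the UDP virtual session timeout, 'Accept stateful UDP
replies from any port for unknown services' and 'Drop out of state UDP packets' with 'Log
on drop'.  Times are simulated seconds; timeout values are illustrative, not defaults."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, int, str, int]        # (proto, src, sport, dst, dport)

@dataclass(frozen=True)
class Packet:
    proto: str                               # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()           # TCP flags of interest: SYN ACK FIN RST

@dataclass
class Entry:
    last_seen: float
    fins: Set[str] = field(default_factory=set)   # directions in which a FIN was seen
    ended_at: Optional[float] = None         # set when both FINs or an RST are seen

@dataclass
class StatefulInspector:
    tcp_end_timeout: float = 50.0
    udp_timeout: float = 40.0
    accept_udp_replies_any_port: bool = False    # for services unknown to the Services Manager
    log_on_drop: bool = True
    table: Dict[Key, Entry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Remove entries whose TCP end timeout or UDP virtual session has elapsed."""
        for key, e in list(self.table.items()):
            if e.ended_at is not None and now - e.ended_at > self.tcp_end_timeout:
                del self.table[key]          # ended TCP connection, end timeout over
            elif key[0] == "udp" and now - e.last_seen > self.udp_timeout:
                del self.table[key]          # UDP virtual session timed out

    def _find(self, p: Packet) -> Tuple[Optional[Key], bool]:
        """Return (session key, is_reply) for the session p belongs to, if any."""
        fwd: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, False
        if rev in self.table:
            return rev, True
        if p.proto == "udp" and self.accept_udp_replies_any_port:
            # Reply from some other server port: match on the client side only.
            for k in self.table:
                if k[0] == "udp" and (k[1], k[2], k[3]) == (p.dst, p.dport, p.src):
                    return k, True
        return None, False

    def _drop(self, p: Packet, now: float, why: str) -> str:
        if self.log_on_drop:
            self.log.append(f"t={now:g} drop ({why}) {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop"

    def handle(self, p: Packet, now: float, rule_accepts: bool) -> str:
        """rule_accepts: would the Rule Base accept p as a NEW connection?"""
        self._expire(now)
        key, is_reply = self._find(p)
        if key is not None:                  # statefully matched to an existing session
            e = self.table[key]
            e.last_seen = now
            if p.proto == "tcp":
                if "FIN" in p.flags:
                    e.fins.add("rev" if is_reply else "fwd")
                if e.ended_at is None and ("RST" in p.flags or len(e.fins) == 2):
                    e.ended_at = now         # the TCP end timeout starts here
            return "accept"
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            return self._drop(p, now, "out of state tcp")
        if not rule_accepts:
            return self._drop(p, now, "out of state udp" if p.proto == "udp" else "rule base")
        self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = Entry(last_seen=now)
        return "accept"

def scenario(any_port: bool = False) -> List[str]:
    """Constructed traffic (RFC 5737 addresses): a TCP teardown, then a UDP exchange."""
    fw = StatefulInspector(accept_udp_replies_any_port=any_port)
    c, s, dns = "10.0.0.5", "192.0.2.10", "198.51.100.53"
    tcp = lambda a, ap, b, bp, *fl: Packet("tcp", a, ap, b, bp, frozenset(fl))
    udp = lambda a, ap, b, bp: Packet("udp", a, ap, b, bp)
    steps = [                                # (packet, time, Rule Base accepts new conn?)
        (tcp(c, 40000, s, 80, "SYN"), 0, True),
        (tcp(c, 40000, s, 80, "FIN", "ACK"), 2, False),
        (tcp(s, 80, c, 40000, "FIN", "ACK"), 3, False),    # both FINs: connection ended
        (tcp(s, 80, c, 40000, "ACK"), 20, False),          # stray ACK within end timeout
        (tcp(s, 80, c, 40000, "ACK"), 60, False),          # 57 s after end: entry is gone
        (udp(c, 5000, dns, 53), 61, True),
        (udp(dns, 53, c, 5000), 62, False),                # reply from the original port
        (udp(dns, 5353, c, 5000), 63, False),              # reply from another port
        (udp(dns, 53, c, 5000), 110, False),               # after the UDP timeout
    ]
    return [fw.handle(p, t, ok) for p, t, ok in steps]
```

With the any-port property off, the reply from port 5353 is out of state and produces a log entry; with it on, the reply refreshes the virtual session.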
Track Options
VPN successful key exchange — Specifies the action to be taken when VPN keys are
successfully exchanged.
VPN packet handling errors — Specifies the action to be taken when encryption or
decryption errors occur.
A log entry contains the action performed (Drop or Reject) and a short description of the
error cause, for example, scheme or method mismatch.
VPN configuration and key exchange errors — Specifies the action to be taken when VPN
configuration or key exchange errors occur, for example, when attempting to establish
encrypted communication with a network object inside the same encryption domain.
IP Options drop — Specifies the action to take when a packet with IP Options is encountered.
VPN-1/FireWall-1 always drops these packets, but you can log them or issue an alert.
Administrative notifications — Specifies the action to be taken when an administrative event
(for example, when a certificate is about to expire) occurs.
SLA violation — Specifies the action to be taken when an SLA violation occurs, as defined in
the Virtual Links window (see the SmartView Monitor User Guide).
Connection matched by SAM — Specifies the action to be taken when a connection is
blocked by SAM (Suspicious Activities Monitoring).
For information about SAM, see http://www.opsec.com.
Dynamic object resolution failure — Specifies the action to be taken when a dynamic object
cannot be resolved (see “dynamic_objects” on page 789).
Logging Modifiers
Log Established TCP packets — This option controls logging TCP packets for previously
established TCP connections, or packets whose connections have timed out (see “TCP session
timeout” on page 394).
Log every authenticated HTTP connection — Specifies that a log entry should be generated
for every authenticated HTTP connection.
Unify FTP Control and Data logs — Specifies that log entries for the control and data
connections of an FTP session should be unified.
Time Settings
Excessive log grace period — Specifies the minimum amount of time between consecutive
logs of similar packets.
Two packets are considered similar if they have the same source address, source port,
destination address, and destination port; and the same protocol was used. After the first
packet, similar packets encountered within the grace period will be acted upon according to
the Security Policy, but only the first packet generates a log entry or an alert.
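The grace-period suppression just described, as an added Python model (not Check Point code): similarity is the 5-tuple of protocol, source address and port, destination address and port; the sample packets and times are constructed.

```python
"""Model of the 'Excessive log grace period' behaviour described above (added example,
not Check Point code).  Two packets are similar when they share protocol, source
address, source port, destination address and destination port; within the grace period
only the first similar packet produces a log entry, although every packet is still acted
upon according to the Security Policy.  Sample packets and times are constructed."""
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]


class GraceLogger:
    def __init__(self, grace_seconds: float = 60.0):
        self.grace = grace_seconds
        self.last_logged: Dict[Key, float] = {}    # time of the last log entry per 5-tuple
        self.entries: List[str] = []
        self.suppressed = 0

    def track(self, now: float, proto: str, src: str, sport: int,
              dst: str, dport: int, action: str) -> bool:
        """Apply the rule's Track to one packet; return True if a log entry was written."""
        key = (proto, src, sport, dst, dport)
        last = self.last_logged.get(key)
        if last is not None and now - last < self.grace:
            self.suppressed += 1                   # acted upon by the policy, but not logged
            return False
        self.last_logged[key] = now                # first packet, or grace period elapsed
        self.entries.append(f"{now:7.1f} {action:<6} {proto} {src}:{sport} -> {dst}:{dport}")
        return True


def demo() -> Tuple[int, int]:
    """Constructed burst: 200 similar drops in 30 s, one more after the grace period,
    then one that differs only in source port (so it is not 'similar')."""
    gl = GraceLogger(grace_seconds=60.0)
    for i in range(200):
        gl.track(i * 0.15, "udp", "203.0.113.9", 40000, "192.0.2.1", 161, "drop")
    gl.track(75.0, "udp", "203.0.113.9", 40000, "192.0.2.1", 161, "drop")
    gl.track(75.5, "udp", "203.0.113.9", 40001, "192.0.2.1", 161, "drop")
    return len(gl.entries), gl.suppressed
```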
Log Manager resolving timeout — After this amount of time, display the log page without
resolving names and show only IP addresses.
Virtual Link statistics interval — Specify the frequency with which Virtual Link statistics will
be logged.
This parameter is relevant only for Virtual Links defined with Log E2E statistics enabled in the
SLA Parameters tab of the Virtual Link window (see the SmartView Monitor User Guide).
Status Fetching Interval — Specifies the frequency at which the SmartCenter Server queries
the VPN/FireWall, FloodGate and other Modules it manages for status information. Any value
from 30 to 900 seconds can be entered in this field.
Community default rule — Specifies whether connections between VPN Community
members, which are accepted by default, are to be logged.
Alert Commands
Send popup alert to System Status — Specifies that when an alert is issued, it is also sent to
System Status.
Run popup alert script — Specifies the OS script to be executed when an alert is issued.
It is recommended not to change this command, otherwise you may not become aware of the
condition that caused the alert.
See “On Which Machine Are the Alert Scripts Executed?” on page 292 for more information.
Send mail alert to System Status — Specifies that when a mail alert is issued, it is also sent to
System Status.
Mail alert script — Specifies the OS script to be executed when Mail is specified as the Track
in a rule.
The default is internal_send_mail, which is not a script but an internal VPN-1/FireWall-1
command. Its syntax is described below.
parameter — meaning
-s subject — The subject of the mail message is specified by subject.
You can specify commands other than the default. See “On Which Machine Are the Alert
Scripts Executed?” on page 292 for more information.
Send SNMP trap alert to System Status — Specifies that when an SNMP trap alert is issued, it
is also sent to System Status.
SNMP trap alert command — Specifies the OS script to be executed when SNMP Trap is
specified as the Track in a rule.
The default is internal_snmp_trap, which is not a script but an internal VPN-1/FireWall-1
command.
You can specify commands other than the default. See “On Which Machine Are the Alert
Scripts Executed?” on page 292 for more information.
Send user defined alert no. 1 to System Status — Specifies that when an alert is issued, it is
also sent to System Status.
Run user defined alert script no. 1 — Specifies the OS script to be executed when User-Defined
is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as one of the
Track Options below.
Send User defined alert no. 2 to System Status — Specifies that when a user defined alert no.
2 is issued, it is also sent to System Status.
Run user defined alert script no. 2 — Specifies the OS script to be executed when User
Defined Alert no. 2 is selected as one of the Track Options below.
Send User defined alert no. 3 to System Status — Specifies that when a user defined alert no.
3 is issued, it is also sent to System Status.
Run user defined alert script no. 3 — Specifies the OS script to be executed when User
Defined Alert no. 3 is selected as one of the Track Options below.
See “On Which Machine Are the Alert Scripts Executed?” on page 292 for more information.
Send 4.x alert to System Status — Specifies that when an alert is issued on a Version 4.x
Module, it is also sent to System Status.
Run 4.x alert no. 3 script — Specifies the OS script to be executed when an alert is
issued on a Version 4.x Module.
For information about extranets, see Check Point Virtual Private Networks.
SmartDashboard Customization
Create Check Point installed Gateways using — Select the mode to use when you define a
new gateway.
Select either simple mode (the gateway wizard will be used) or classic mode (specify all the
parameters in the different pages of the gateway's Properties window).
VPN Topological view
Specify the number of Community members from which the VPN Topological view should
display an icon instead of a full mesh — When a large number of community members are
displayed in a full mesh view, it can be difficult to understand the diagram. In this case, you may
prefer to display an icon instead.
Policy Installation
When installing a Policy or Users Database, you can choose whether All Modules or None of
the Modules are checked by default in the Install On window.
Revision Control
Create new version upon Policy Installation — Create a new version of the Policy whenever
the Policy is installed.
Rule Base — Basic Concepts
Each rule in a Rule Base defines the packets that match the rule (based on Source, Destination
and Service and the Time at which the packet is inspected by the FireWall or Inspection
Module enforcing the rule). The first rule that matches a packet is applied, and the specified
Action is taken. The communication may be logged or an alert may be issued, depending on the
value of the Track field.
VPN-1/FireWall-1 follows the principle “That Which Is Not Expressly Permitted is
Prohibited.” To enforce this principle, VPN-1/FireWall-1 implicitly adds a rule at the end of the
Rule Base that drops all communication attempts not described by the other rules.
FIGURE 8-1 SmartDashboard window with Rule Base
The SmartDashboard window’s title shows the name of the Security Policy currently displayed.
Depending on your license (the VPN-1/FireWall-1 features your SmartCenter Server is licensed
to implement), you may see a number of tabs in the SmartDashboard window:
• Security — The Security Policy Rule Base is described in this chapter.
• Address Translation — The Address Translation Rule Base is described in Chapter 2,
“Network Address Translation (NAT)” of Check Point FireWall-1 Guide.
• QoS — The Quality of Service Policy is described in the book Check Point FloodGate-1
Administration.
• Desktop Security — The Desktop Security Policy is described in the book Check Point
Virtual Private Networks Guide.
Because rules are examined sequentially for each packet, only packets not described by the
earlier rules are examined by the implicit rule. However, if you rely on the implicit rule to drop
these packets, there is no way to log them. To log these packets, you must explicitly define a
“none of the above” rule, as follows:
FIGURE 8-2 “None of the Above” Rule
If you do not explicitly define such a rule, VPN-1/FireWall-1 will implicitly define one for you,
and the packets will be dropped. In no case will VPN-1/FireWall-1 allow these packets to pass.
The advantage of defining such a rule explicitly is that you can then specify logging for these
packets.
Note - It’s best to organize lists of objects (sources, destinations, or services) in groups
rather than in long lists. Using groups will give you a better overview of your Security
Policy and will lead to a more readable Rule Base. In addition, objects added to groups
will be automatically included in the rules.
Logged events are recorded in the Log File. For information about the Log File, see Chapter 11,
“SmartView Tracker.” Alerts and important system events are automatically recorded in the Log
File, even when not explicitly requested by the user.
2 Select the desired policy package and click Open. The Policy Editor opens, displaying the
Policy Package you selected.
If you selected Traditional or Simplified mode per new Security Policy, the following
window appears (FIGURE 8-5).
FIGURE 8-5 Use either Simplified or Traditional mode
2 Enter the name of the Policy Package. The Policy Package name cannot:
• contain any reserved words
• contain any spaces
• contain numbers at the beginning
• contain any of the following characters:
.w, .pf, .W
3 Select the policy types you want included in the Policy Package.
If you selected Traditional or Simplified mode per new Security Policy, on the VPN-1
page in the Global Properties window, you can choose which VPN configuration mode
you want to use (see FIGURE 8-5). For a description of Traditional and Simplified modes,
see Chapter 7, “VPN Communities” in the Check Point Virtual Private Networks Guide.
4 Click OK to select the installation target and the modules you want added to the Policy
Package.
5 Select the Modules you want to add to the Policy Package. You can either:
• Select All internal modules to add all the internal Modules to the Policy Package.
• Select Specific modules to add specific modules to the Policy Package. Select the
desired modules by using the Add and Remove buttons to move them between the two
lists. You can also move multiple fields by making multiple selections.
6 Click OK to create the Policy Package. The number of tabs that appear in the
SmartDashboard depends on the number of policy types you chose to include in the Policy
Package.
4 Click OK. A new Policy Package containing only the selected Rule Base is created.
Adding a Rule
You can add a rule at any point in the Rule Base.
before the first rule — Rules > Add Rule > Top
after the current rule — Rules > Add Rule > After
before the current rule — Rules > Add Rule > Before
as a sub-rule of the current rule (QoS policies only) — Rules > Add Sub-Rule
Note - The current rule is the one that is highlighted. To select a rule, click its number.
A new rule will be added to the Rule Base, and default values will appear in all the data fields.
You can modify the default values as needed.
Alternatively, right-click the rule’s number to display the Rule menu.
Rule menu
TABLE 8-2 Rule menu items SmartDashboard
Modifying a Rule
To modify a rule, add, modify, or delete data field values until the rule is as desired.
Right-click in the data field to open the SmartDashboard Object menu.
The choices displayed in the menu depend on the field in which you right-clicked.
Note - You can view the properties of a network object or service object by double-
clicking on its icon.
Source
Add — The Network Objects window is displayed, from which you can select network objects
to add to the rule’s Source.
You can define any number of items in Source.
Add Users Access—The Users Access window (FIGURE 8-6) is displayed, from which you
can select user group(s) to add to the rule’s Source.
FIGURE 8-6 User Access window
You must choose Add Users Access for a rule whose Action is one of the following:
If you check No Restriction, then there will be no restriction on the source of the users.
For example, if you choose AllUsers and check No Restriction, then AllUsers@Any will
be inserted under Source in the rule.
If you check Restrict To, then the source will be restricted to the network object you select
in the list box. For example, in FIGURE 8-6, the source object in the rule will be
AllUsers@Area_Servers.
3 Click OK.
For information about Extranet groups, see Chapter 13, “Extranet Management” of Check
Point Virtual Private Networks Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Source. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Source.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Source will be negated. Negation means that the rule applies
when the communication’s Source is not one of the Source objects in the rule.
When more than one object is listed under Source, it is not possible to negate some but not
others. Either all are negated or none are negated.
Select All —
Destination
Add — The Object Manager window is displayed, from which you can select network objects
to add to the rule’s Destination.
You can define any number of items in Destination.
For information about Extranet groups, see Chapter 13, “Extranet Management” of Check
Point Virtual Private Networks Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Destination. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Destination.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Destination will be negated. Negation means that the rule
applies when the communication’s Destination is not one of the Destination objects in the
rule.
When more than one object is listed under Destination, it is not possible to negate some but
not others. Either all are negated or none are negated.
Select All —
Service
Add — The Add Object window is displayed, from which you can select services to add to the
rule’s Services.
You can define any number of items in Services in the rule.
Note - Some services must be explicitly defined in the rule, otherwise they will not
function properly. For more information, see “Auxiliary Connections” on page 345.
For additional information about resources, see “Content Security” on page 227 of Check
Point FireWall-1 Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Service. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Service.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Service will be negated. Negation means that the rule applies
when the communication’s Service is not one of the services in the rule.
When more than one object is listed under Service, it is not possible to negate some but not
others. Either all are negated or none are negated.
Select All —
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.
Action
You can only select one Action.
This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and opens the appropriate Authentication Action Properties window
(see Chapter 3, “Authentication” of Check Point FireWall-1 Guide).
If you wish to modify the Encryption parameters of a rule to which Encryption has been
added, select Edit Encryption from the menu rather than Edit Properties.
Add Encryption — Add Encryption to the Action for this rule.
This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and to which Encryption has not already been added. An envelope
icon ( ) is superimposed on the existing Action icon in the rule.
You can modify the Encryption parameters by displaying the menu again and selecting Edit
Encryption.
For additional information about VPN-1/FireWall-1’s encryption features, see Check Point
Virtual Private Networks Guide.
Remove Encryption — Remove Encryption from the Action for this rule.
This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and to which Encryption has already been added. The envelope icon
( ) is removed from the existing Action icon in the rule.
Edit Encryption — Edit this rule’s Encryption parameters.
This choice is available for a rule whose existing Action is Encrypt, and for a rule whose
existing Action is User Authentication, Client or Session Authentication, and to which
Encryption has already been added. The Encryption Properties window is displayed.
For additional information about the Encryption Properties window, see “Rule Encryption
Properties” on page 101 of Check Point Virtual Private Networks Guide.
TABLE 8-4 lists the choices available from the Action menu.
When a Drop action is taken, the sender is not notified. TABLE 8-5 describes what happens
when a Reject action is taken.
service — Reject
TCP — The sender is notified.
UDP — An ICMP port unreachable error is sent to the sender.
other — Same as Drop.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.
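The first-match evaluation, implicit final drop and explicit "none of the above" rule from "Rule Base — Basic Concepts" above, the Negate Cell semantics, group membership, and the Reject behaviour of TABLE 8-5, modelled together as a small Python evaluator. This is an added example, not Check Point code or INSPECT; the object, group, service and host names are constructed.

```python
"""Toy Rule Base evaluator for the concepts described above (added example, not Check
Point code or INSPECT).  It models first-match evaluation, the implicit final Drop that
is never logged, an explicit 'none of the above' rule that is logged, Negate Cell on a
column, group membership and the Reject behaviour per service type from TABLE 8-5.
Object, group and service names below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ANY = "Any"

def F(*objs: str) -> frozenset:
    """Build a rule cell from object names."""
    return frozenset(objs)

@dataclass(frozen=True)
class Rule:
    no: int
    src: frozenset
    dst: frozenset
    svc: frozenset
    action: str                  # "Accept", "Drop" or "Reject"
    track: str = "None"          # "None", "Log", "Alert", ...
    negate_src: bool = False     # Negate Cell applied to the Source column
    negate_dst: bool = False
    negate_svc: bool = False

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    svc: str
    proto: str                   # "tcp", "udp" or "other" (e.g. ICMP)

@dataclass(frozen=True)
class Verdict:
    rule: Optional[int]          # None: matched only by the implicit final rule
    action: str
    logged: bool
    sender_sees: str

# Groups: an object added to a group is covered by every rule that uses the group.
GROUPS: Dict[str, Set[str]] = {
    "localnet": {"alice_pc", "bob_pc"},
    "Mail_Servers": {"mailsrvr", "mailsrvr2"},
}
REJECT_EFFECT = {                # TABLE 8-5
    "tcp": "sender is notified",
    "udp": "ICMP port unreachable sent to sender",
}
SILENT = "nothing: sender is not notified"

def expand(cell: frozenset, groups: Dict[str, Set[str]]) -> Set[str]:
    """Flatten groups (recursively) into the set of concrete objects."""
    out: Set[str] = set()
    for obj in cell:
        out |= expand(frozenset(groups[obj]), groups) if obj in groups else {obj}
    return out

def cell_matches(cell: frozenset, value: str, negated: bool, groups: Dict[str, Set[str]]) -> bool:
    hit = ANY in cell or value in expand(cell, groups)
    return not hit if negated else hit        # negation applies to the whole cell

def evaluate(rules: List[Rule], c: Connection, groups: Dict[str, Set[str]] = GROUPS) -> Verdict:
    """First matching rule wins; otherwise the implicit rule drops without logging."""
    for r in rules:
        if (cell_matches(r.src, c.src, r.negate_src, groups)
                and cell_matches(r.dst, c.dst, r.negate_dst, groups)
                and cell_matches(r.svc, c.svc, r.negate_svc, groups)):
            if r.action == "Reject":
                effect = REJECT_EFFECT.get(c.proto, "same as Drop, " + SILENT)
            elif r.action == "Drop":
                effect = SILENT
            else:
                effect = "connection proceeds"
            return Verdict(r.no, r.action, r.track != "None", effect)
    # "That Which Is Not Expressly Permitted is Prohibited": implicit drop, never logged.
    return Verdict(None, "Drop", False, SILENT)

RULES = [
    Rule(1, F("localnet"), F("mailsrvr"), F("smtp"), "Accept", "Log"),
    Rule(2, F(ANY), F("Mail_Servers"), F("smtp"), "Accept", "Log"),
    # Source cell negated: the rule applies when the source is NOT in localnet.
    Rule(3, F("localnet"), F(ANY), F(ANY), "Reject", "Log", negate_src=True),
]
CLEANUP = Rule(4, F(ANY), F(ANY), F(ANY), "Drop", "Log")    # explicit "none of the above"

CONNECTIONS = {                  # constructed sample traffic
    "inside smtp":  Connection("alice_pc", "mailsrvr", "smtp", "tcp"),
    "outside smtp": Connection("internet_host", "mailsrvr2", "smtp", "tcp"),
    "outside http": Connection("internet_host", "alice_pc", "http", "tcp"),
    "outside dns":  Connection("internet_host", "alice_pc", "domain-udp", "udp"),
    "outside ping": Connection("internet_host", "alice_pc", "echo-request", "other"),
    "inside http":  Connection("alice_pc", "internet_host", "http", "tcp"),
}

def demo(with_cleanup: bool) -> Dict[str, Verdict]:
    """Verdict per sample connection, with or without the explicit cleanup rule."""
    rules = RULES + [CLEANUP] if with_cleanup else RULES
    return {name: evaluate(rules, c) for name, c in CONNECTIONS.items()}
```

Swapping rules 2 and 3 turns the accepted outside SMTP connection into a Reject, which is the first-match ordering point the section makes.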
Track
Track — Meaning
None — No logging or alerting for this connection.
Alert — Issue an alert (as defined in the PopUp Alert Command field in the Log and Alert page
of the Global Properties window; see Chapter 7, “Global Properties”).
Mail — Send a mail alert (as defined in the Mail Alert Command field in the Log and Alert page
of the Global Properties window; see Chapter 7, “Global Properties”).
SNMP Trap — Issue an SNMP trap (as defined in the SNMP Trap Alert Command field in the Log
and Alert page of the Global Properties window; see Chapter 7, “Global Properties”).
User Defined — Issue a User Defined Alert (as defined in the User Defined Alert Command field
in the Log and Alert page of the Global Properties window; see Chapter 7, “Global Properties”).
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.
Install On
Add — The Install On field specifies which objects will enforce the rule. You can select any
number of Install On objects.
Delete — Delete the selected object.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Show — Show the selected item in the SmartMap.
Viable Install On Targets — Open the Viable Install On Targets window, in which you can
select the target machines on which to enforce this rule.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.
Note - The entire Policy is installed on all of the Install On objects, but each object
enforces only that part of the Policy which is relevant to it.
Warning - For a Security Policy, if an Install On object does not enforce at least one rule,
then the only rule it enforces is the default rule, which rejects all communications.
Install On — Meaning
Gateway — Enforce on all network objects defined as gateways.
Destination — Enforce in the inbound direction on the FireWalled network objects defined as
Destination (typically servers) in this rule.
Source — Enforce in the outbound direction on the FireWalled network objects defined as
Source (typically clients, the initiators of traffic) in this rule.
OSE Devices — Enforce on all OSE devices.
Note - Any object or group of objects selected in the Viable Install On Targets window
to be shown in the SmartMap View, will only be displayed if it is an Install On object or
from an Install On group.
Select a target and click OK to add the target to the Install On column.
Gateways
If you specify Gateways, the rule is enforced on all the hosts that are defined as gateways (on
the General page of the network object’s Properties window). The rule is enforced in both the
inbound and outbound directions.
Source
If you specify Source, the rule is enforced on the FireWalled network objects specified under
Source in that rule. The icon for Source shows arrows pointing away from the object, to
indicate that the rule is enforced for outgoing communications only.
For example, consider the following rule:
The rule is enforced only on london, because mailsrvr is not FireWalled. However, the rule is
applied to communications originating either on mailsrvr or london.
Destination
If you specify Destination, the rule is enforced on the FireWalled network objects specified
under Destination in that rule. The icon for Destination shows arrows pointing to the object,
to indicate that the rule is enforced for incoming communications only.
Routers
If you specify OSE Devices, the rule is enforced on the appropriate interfaces on all routers,
using VPN-1/FireWall-1’s auto-scoping feature. For example, a rule specifying Source as
localnet is enforced on the device’s localnet interface. VPN-1/FireWall-1 generates an Access
List for the router (except for Nortel Networks routers on which VPN/FireWall Module is
installed, in which case a Security Policy is installed). It should be noted that with Access Lists
only a subset of VPN/FireWall Module functionality can be implemented. For example, it is not
possible to secure FTP back connections.
Targets
If you specify an object by name, then the rule is enforced for both incoming and outgoing
communications (either bound).
Time
Add — The Time Objects window is displayed, from which you can select time objects to add
to the rule’s Time.
You can define any number of items in Time.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.
Comments
To add a comment to a rule, double-click the Comment field to open the Comment window.
Type any text you wish in the text box and click OK.
Note - In this window, a carriage return is not interpreted as clicking on OK, so there can
be more than one line in a comment.
If you choose Paste, then the Paste menu will be opened. You must then select Above, Below,
Top, or Bottom to specify where in the Rule Base to paste the rule.
Deleting a Rule
1 To delete a rule, select a rule or rules by selecting their numbers.
2 Right-click the desired Rule base and click Delete.
The Install On window specifies the network object on which the Security Policy is installed.
In contrast, the Install On column in the SmartDashboard specifies the network object that is to
enforce a specific rule.
In principle, the Security Policy should be installed on all the network objects which are to
enforce it. However, VPN-1/FireWall-1 will allow you to not install the Security Policy on one
or more of the objects that are to enforce it. This capability is useful for debugging purposes,
but in all other cases you should take care to correctly deploy your Security Policy.
If you fail to install a Security Policy on a network object on which it should be installed, the
VPN/FireWall Module will improperly monitor traffic through that object. If you install a
Security Policy on a network object that does not enforce any part of that policy, the
VPN/FireWall Module will block all traffic through that object (because only the implicit drop
rule will be applied). See “Rule Base — Basic Concepts” on page 295.
[Figure: Security Policy compilation. Management Server: Inspection Script text, Script Editor, INSPECT Compiler. VPN/FireWall Module: Inspection Code, Inspection Module, VPN-1/FireWall-1 daemons.]
When a Security Policy is installed on a network object, the object receives the entire Inspection
Code but executes only those rules with matching scope. If there are no rules with matching
scope, the VPN/FireWall Module will drop all traffic, by the default rule (“That Which Is Not
Expressly Permitted is Prohibited”). Installing what is essentially an empty Security Policy (no
rules with matching scope) effectively bars all traffic.
To display the Authenticate Action Properties window, right-click the Action field in the rule
and choose Edit Properties from the menu.
FIGURE 8-9 Authenticate Action Properties window for a User Authentication Rule
Encryption Properties
If Encrypt is specified as a rule's Action, the Encryption Properties window (FIGURE 8-10)
defines the rule’s encryption properties.
To display the Encryption Properties window, double click the rule’s Encrypt action.
For information about the Encryption Properties window, see “Rule Encryption Properties”
on page 101 of Check Point Virtual Private Networks Guide.
The settings in the FireWall-1 Implied Rules page of the Global Properties window are
translated into macros and compiled in the Inspection Code.
Implied Rules
You can see how the properties and rules interact by checking Implied Rules in the View menu.
The explicit rules (those you have defined) will be displayed together with the implicit rules
(those derived from the properties) in the correct sequence (see FIGURE 8-11).
FIGURE 8-11 SmartDashboard showing implied rules
The numbered rules are those you have explicitly defined. The implicit rules are not numbered.
For additional information about Properties, see Chapter 7, “Global Properties.”
Masking Rules
You can view only part of the Rule Base by hiding rules you do not want to see. This feature is
useful when you have a large complex Rule Base and you want to view only a few of the rules
without being distracted by other rules. Hidden rules remain part of the Rule Base and are
installed when the Security Policy is installed.
Hiding Rules
To hide a rule, proceed as follows:
1 Select the rule by clicking on its number.
The rule is now hidden, but it is still part of the Rule Base and will be installed when the
Security Policy is installed.
Alternatively, right-click the rule number to open the Rule menu and select Hide Rule.
In FIGURE 8-12, there is a hidden rule between rules 2 and 4. The gap in the numbering
indicates how many rules are hidden.
Whether they are displayed or not, hidden rules are installed when the Security Policy is
installed.
Defining a Mask
Consider the Rule Base in FIGURE 8-13 below.
FIGURE 8-13 Rule Base before defining masks
Suppose that you want to hide all the FTP rules. You can do this as follows:
1 Select the first FTP rule (rule 3).
2 Hide the selected rule as described in “Hiding Rules” on page 318.
3 Select the second FTP rule (rule 5).
4 Hide this rule as well.
The Rule Base now looks like this (FIGURE 8-14):
FIGURE 8-14 Rule Base with FTP rules (rules 3 and 5) hidden
6 Select Manage Hidden from the Hide submenu. The Manage Hidden Rules window is
displayed.
7 Click Store As. The Store Mask As window is displayed.
8 Enter a name for the mask.
9 Select Hide from the Rules menu.
10 Select Unhide All from the Hide submenu.
The hidden rules are unhidden and the Rule Base once again is displayed as in FIGURE 8-13
on page 320.
Reapplying a Mask
You can now reapply the FTPRules mask and in one action hide all the FTP rules as follows:
1 Select Hide from the Rules menu.
2 Select Manage Hidden from the Hide submenu.
The Manage Hidden Rules window is displayed.
3 Select the unmasked rules group.
4 Click Fetch.
Applying Masks
You can apply masks one after another using the Fetch command in the Manage Hidden Rules
window. When you apply a mask, any other mask that is currently applied is first “unapplied”.
So, for example, if you apply the FTPRules mask, the FTP rules are hidden. If you then apply
the HTTPRules mask, the FTP rules are unhidden and the HTTP rules are hidden.
Example
Consider once again the Rule Base depicted in FIGURE 8-13 on page 320. Suppose that you
want to display only rules whose Source includes localnet.
1 From the Search menu, select Query Rules.
The Rule Base Queries window is displayed, showing all the defined queries (in this case
there are none).
For a detailed explanation of the Rule Base Queries window, see “Rule Base Queries
window” on page 327.
2 Click New. The Rule Base Query window (FIGURE 8-15) is displayed.
FIGURE 8-15 Rule Base Query window
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
3 Enter a name for the query in Name.
4 Click New.
For a detailed explanation of the Rule Base Query Clause window, see “Rule Base Query
Clause window” on page 329.
5 Check Explicit.
This specifies that only rules in which localnet explicitly appears (in contrast to rules where
localnet is a member of a group explicitly appearing in the rule) will be considered as satisfying
the query.
6 In Column, select source.
The Rule Base Query window (FIGURE 8-17 on page 323) is displayed, and the query clause
just defined is listed.
FIGURE 8-17 Rule Base Query window showing one query clause
10 Click OK.
The Rule Base Queries window (FIGURE 8-18) is displayed, and the query just defined is
listed.
11 Click Apply.
The query is used as a mask for hiding the rules that do not satisfy the query criteria. The
Rule Base is displayed as in FIGURE 8-19.
FIGURE 8-19 Rule Base after being masked by the query
The only rules that are displayed (that is, the only rules that are not hidden), are those whose
Source includes localnet.
Note that the Rule Base Queries window is still open, allowing you to continue to define or
use additional queries.
12 Click Close to close the Rule Base Queries window.
The Rule Base Query window (FIGURE 8-20) is displayed, and both query clauses are listed.
FIGURE 8-20 Rule Base Query window showing two query clauses
9 Click OK.
The modified query is used as a mask for hiding the rules that do not satisfy the query criteria.
The Rule Base is displayed as in FIGURE 8-21.
FIGURE 8-21 Rule Base after being masked by the modified query
2 In the Rule Base Query window (FIGURE 8-17), enter a name for the query in Name.
3 Click New.
7 Click OK.
9 In the Rule Base Queries window, select the query just defined.
10 Click And.
The newly defined query is applied in addition to the previous query, and the result is shown
in FIGURE 8-21 on page 326.
The Rule Base Query Clause window (FIGURE 8-25 on page 329) is displayed.
Remove — Delete the currently selected query clause.
To remove an object from the query clause, click the object in the In List box, and then click
Remove.
Negate — If you check this box, then the criteria specified in the query clause are negated.
For example, if the query clause specifies Service is FTP, then if you check Negate, the clause
is taken to specify “NOT (Service is FTP)”.
Explicit — If checked, only rules that explicitly include the object satisfy the criteria.
If the rule includes a group of which the object is a member, then the rule does not satisfy the
criteria. Also, if the rule includes an object which is a member of a group specified in the
criteria, then the rule does not satisfy the criteria.
For example, the standard VPN-1/FireWall-1 service definitions include a group named
“Authenticated”, of which FTP and HTTP are members. If Explicit is checked, then a rule
does not satisfy the criteria in the following two cases:
• The query clause specifies Authenticated and the rule includes FTP.
• The query clause specifies FTP and the rule includes Authenticated.
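The Explicit and Negate semantics above are easy to get wrong when a column contains groups, so here is an added, runnable model of them (example code written for this page, not Check Point's own). It keeps a constructed Rule Base and group table (the "Authenticated" group is the one named in the text; "localgroup", "dmznet" and "internet" are hypothetical objects), matches a clause against a rule through group membership unless Explicit is set, inverts the result when Negate is set, ANDs the clauses of a query, and uses the query as a mask that leaves only the satisfying rules visible.

```python
"""Rule Base query matching with Explicit and Negate, as an added example.

A model written for illustration, not Check Point code. Rules have Source,
Destination and Service columns; objects may be groups. A clause matches a
rule through group membership unless Explicit is set, Negate inverts the
clause, and a query (all clauses ANDed) is used as a mask that hides every
rule that does not satisfy it.
"""
from dataclasses import dataclass

# Constructed group table (group name -> members). "Authenticated" mirrors the
# standard service group mentioned in the text; "localgroup" is hypothetical.
GROUPS = {
    "Authenticated": {"FTP", "HTTP"},
    "localgroup": {"localnet", "dmznet"},
}


@dataclass
class Rule:
    number: int
    source: set
    destination: set
    service: set


@dataclass
class Clause:
    column: str             # "source", "destination" or "service"
    objects: set            # objects listed in the clause's In List box
    negate: bool = False    # NOT (clause)
    explicit: bool = False  # only literal appearances count


def expand(objects):
    """Return the objects plus, recursively, the members of any groups among them."""
    seen = set()
    stack = list(objects)
    while stack:
        obj = stack.pop()
        if obj in seen:
            continue
        seen.add(obj)
        stack.extend(GROUPS.get(obj, ()))
    return seen


def clause_matches(rule, clause):
    column = getattr(rule, clause.column)
    if clause.explicit:
        # Neither a group containing the object nor a member of a group
        # named in the clause satisfies an Explicit clause.
        hit = bool(column & clause.objects)
    else:
        # Membership in either direction counts: the rule lists a group that
        # contains the object, or lists a member of the group in the clause.
        hit = bool(expand(column) & expand(clause.objects))
    return (not hit) if clause.negate else hit


def query_matches(rule, clauses):
    """A query holds when every one of its clauses holds (AND)."""
    return all(clause_matches(rule, c) for c in clauses)


def apply_mask(rules, clauses):
    """Numbers of the rules left visible after masking with the query."""
    return [r.number for r in rules if query_matches(r, clauses)]


# Constructed Rule Base in the spirit of FIGURE 8-13 (hypothetical objects).
RULES = [
    Rule(1, {"localnet"}, {"internet"}, {"FTP"}),
    Rule(2, {"localgroup"}, {"internet"}, {"Authenticated"}),
    Rule(3, {"dmznet"}, {"internet"}, {"HTTP"}),
    Rule(4, {"internet"}, {"localnet"}, {"FTP"}),
]

if __name__ == "__main__":
    print("Source includes localnet (Explicit):",
          apply_mask(RULES, [Clause("source", {"localnet"}, explicit=True)]))
    print("Source includes localnet:",
          apply_mask(RULES, [Clause("source", {"localnet"})]))
    print("NOT Service is FTP (Explicit):",
          apply_mask(RULES, [Clause("service", {"FTP"}, negate=True, explicit=True)]))
```

With Explicit set, a clause on localnet leaves only rule 1 visible; without it rule 2 also stays, because localgroup contains localnet. Likewise an Explicit clause on Authenticated shows only rule 2, while the non-Explicit form shows every rule, since FTP and HTTP are its members.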
To Clear a Query
1 Select Clear Query from the Search menu.
You are prompted to Unhide all Hidden Rules.
2 Click Yes to proceed.
The Query is cleared.
Disabling Rules
When you disable a rule, the rule is no longer part of the Rule Base and is not installed when
the Security Policy is installed. However, the rule is still displayed in the Rule Base, and you can
re-enable it at any time.
This feature is useful for experimenting with the Rule Base. For example, you can disable a rule
(or rules), install the Security Policy, analyze the effects of the new Security Policy and then re-
enable the rule without having to re-enter it.
To disable a rule, select the rule by clicking on its number and then select Disable Rule from
the Edit menu.
When a rule is disabled, a large red cross is drawn over its rule number.
To enable a disabled rule, select the rule and then select Disable Rule from the Edit menu
again; the command toggles the rule's state.
Alternatively, right-click the rule number to open the Rule menu (see page 301) and select
Disable Rule.
FIGURE 8-26 shows a Rule Base with two rules (rule 1 and rule 3) disabled.
FIGURE 8-26 Rule Base with rule 1 and rule 3 disabled
2 Enter the string for which you would like to search in the Find what field.
Check Match whole word only to find the string exactly as it is specified in the Find
window.
Check Match case to make your search case sensitive.
Use the Up and Down buttons to choose the direction of your search.
Use the Find next button to continue your search of the Rule Base.
When enabled, the OSE device creates all Access List statements on a TFTP server, and then
downloads the entire Access List to the router.
2 For Unix platforms, perform the following:
a. Uncomment the tftpd declaration in /etc/inetd.conf.
c. Create a /tftpboot directory as the TFTP root directory on the partition on which fw1 is
installed.
3 For the Windows NT platform, perform the following:
Create a /tftpboot directory as the TFTP root directory on the partition on which fw1 is
installed.
Note - There is no standard TFTP server. Refer to your Windows NT TFTP Server manual for
complete instructions.
A TFTP server installation and configuration is not part of fw1 install, but rather must be done
separately by the user. The TFTP server must reside on the SmartCenter Server. Any standard TFTP
server will support an ACL download.
Warning - TFTP does not include login or access control mechanisms. Security
considerations must be taken into account when granting rights to a TFTP server process
in order to prevent violation of the security of the server’s host file system. TFTP is often
installed whereby only files that have public read access are available via TFTP and write
access to files via TFTP is not allowed. The VPN-1/Firewall-1 Security Policy must be
defined to allow TFTP connectivity between the SmartCenter Server and router only.
See the documentation for your router on how to define the appropriate permissions.
A NAT Policy is installed together with the Security Policy. QoS and Desktop Security Policies
can be installed independently.
You can select the elements of the Policy to be installed in the Install Policy window (FIGURE
8-28).
2 Select the objects on which to install the Policy, and the elements of the Policy (Security,
QoS, Desktop Security) to install.
Note - The NAT Policy is installed together with the Security Policy.
3 Select the Modules you want to add to the Policy Package. You can either:
• Select All internal modules to add all the internal Modules to the Policy Package.
-or-
• Select Specific modules to add specific modules to the Policy Package. Select the
desired modules by using the Add and Remove buttons to move them between the two
lists. You can also move several modules at once by selecting more than one.
4 Select an installation mode. The SmartCenter Server will attempt to install the Security
Policy on all the selected Modules. This option enables you to specify what to do if the
Security Policy installation is unsuccessful for one or more of the selected Modules. Choose
one of the following:
Install on each selected Module independently — Failure to successfully install the
Security Policy on one or more of the Modules has no effect on the other Modules. If you
choose this option, then it is possible that different Policies will be enforced on different
Modules.
Install on all selected Modules — The Policy will either be installed on all the selected
Modules, or it will be installed on none of them. If you choose this option, then all
Modules will be enforcing the same Policy (either the new Policy or the old Policy).
Note - Policy installation on pre-Version NG Modules is independent of installation on
Version NG and later Modules, and vice versa. For example, if Install on all selected
Modules is checked, then a Policy installation failure on a pre-NG Module will not affect
Policy installation on NG Modules, but the Policy will not be installed on other pre-NG
Modules.
Install on all the members of the selected Gateway Clusters — This option is similar to
Install on all selected Modules, but relates to each selected Gateway Cluster.
5 Click OK to install the Security Policy on all Modules. A window showing installation
progress is displayed.
FIGURE 8-30 Installation Process window
The installation process has two stages, as shown in the Progress bar:
• Verification
• Installation
See the following table for a description of the fields in this window:
Field                  Description
Installation Targets   The Module on which you want to install the Policy.
Version                The Module version.
Security               The element of the Policy (Security, QoS, Desktop Security) you chose
                       to install in the Install Policy window (see FIGURE 8-28). A column
                       appears for each element you chose.
Once the installation process is finished, the Progress bar turns into a final status display.
The available final installation statuses are:
• Installation completed successfully — The installation was successfully completed.
• Installation ended with errors — The installation of at least one of the Policy
elements failed.
• Installation completed with warnings — The installation was completed successfully
but contains warnings that should be checked out.
• Installation aborted — The Abort button was clicked during an installation and
therefore the installation was not completed.
Note - Click the Abort button to stop an installation that is in progress. The Abort button
only appears during the installation process.
Note - The Show Errors/Warnings button only appears if the installation ended with
errors or warnings. If the installation was completed successfully, the button does not
appear at all.
Note - This window can be opened from the beginning of the installation process
enabling you to see any errors/warnings that might occur throughout the process.
In this window, you can view the errors that occurred during the verification and installation
process. See the following table for a description of the fields in this window:
Field                                        Description
Verification and Policy Compilation Errors
  Policy                                     The element of the Policy (Security, QoS, Desktop
                                             Security) you chose to install in the Install Policy
                                             window.
  Status                                     Status of the verification process at any given time.
                                             Click Legend for a description of the available
                                             statuses.
  Details                                    Reason why the verification process failed or ended
                                             with warnings.
Installation Errors
  Installation Targets                       The Module on which you installed the Policy.
  Policy                                     The element of the Policy (Security, QoS, Desktop
                                             Security) you chose to install in the Install Policy
                                             window.
  Details                                    Reason why the installation failed or ended with
                                             warnings.
2 Double-click a row
-or-
Highlight the desired row and click View Details.
A window appears enabling you to conveniently view all the details of that row in a more
readable form.
Data connections
Data connections are connections that are dynamically created within an existing control
connection, for example FTP. The initial control connection is used only for sending
commands; actual file transfers are done by new connections.
These auxiliary connections will be accepted and connectivity will not be affected. Data
connections cannot usually be inferred from the Policy, as they are created according to the flow
of the control protocol.
By default, when loading a new Policy, FireWall-1 deletes all the data connection entries from
the table, since attempting a Policy match for a data connection packet is likely to give the
wrong result.
It is possible to modify this default behavior and treat data connections like regular ones, as there
are cases where the distinction between data and control connections is not needed (for example
with an "ANY ANY ANY accept" Policy).
It is also possible to define that all data connections will be kept without the "old" flag. This
offers a clear connectivity advantage but also carries some security risk, since such connections
keep running without ever being matched against the new Policy.
Security Servers
Connections that are passed through the Security Servers continue and are not matched against
the new Policy.
IP Pool NAT
If the new Policy contains a new IP pool with different source or destination addresses than the
old one, any connections that were NATed using the old IP pool will be deleted.
Retrieving a Policy
To retrieve a policy installed on another VPN/FireWall Module, select the VPN/FireWall
Module from the list in Security Policies on Targets. The policy (including all the objects
defined at the time the policy was installed) will be retrieved, and you will be able to view the
policy in read-only mode. You will not be able to modify the policy.
load_program ("bigapple")
bigapple will be run with the same parameters that fw would have received (where the first
argument is either load or unload; see “When fwm load and fwm unload are Run From the
GUI” on page 557). It is then your responsibility to ensure that bigapple correctly processes its
arguments and installs or uninstalls the Security Policy. Of course, bigapple can also perform
any other functions you wish.
Note - The OSE Device properties are not part of an imported policy.
Each filter rule is displayed as a rule in the Rule Base. The Rule Base specifies the Source,
Destination and Service for each imported filter rule. The Install On field displays the router
interface and direction to which each rule applies, using the following format:
<inbound/outbound/eitherbound>.<interface name>@<router name>
The Rule Base Comment displays additional filter information.
To verify Access Lists, check Verify and select the appropriate router from the drop-down list.
To view Access Lists, check View and select the appropriate router from the drop-down list.
VPN-1/FireWall-1 verifies the Access List before displaying it.
Boot Security
During the boot process, there is a short period of time (measured in seconds) between the
point when VPN/FireWall Module machine becomes able to communicate and the point when
the Security Policy is loaded and is enforced. During this time, VPN-1/FireWall-1 Boot
Security protects both the internal networks behind the VPN/FireWall Module machine, and
the machine itself. Boot Security is provided by a number of elements working together:
• Control of IP Forwarding on boot
• The Default Filter (improved in NG)
• The Initial Policy (new in NG)
In addition, the fwstop -proc and fwstop -default commands allow the FireWall-1 processes
to be stopped for maintenance while at the same time protecting the FireWalled Gateway
machine and the internal network.
For more information about Boot Security, see Check Point FireWall-1 Guide.
Note - If you stop VPN-1/FireWall-1 (fwstop) while the Default Filter is active, then no
Security Policy will be enforced until you start VPN-1/FireWall-1 again (fwstart).
Auxiliary Connections
A number of services establish auxiliary connections that require special handling by
VPN-1/FireWall-1. For example, an FTP data (auxiliary) connection from the FTP server to the
client is automatically allowed.
TABLE 8-11
If the auxiliary connection is from the client to the server (as with FTP PASV), the auxiliary
connection may be improperly handled in some cases (for example, if the server’s IP address is
translated).
Before a back connection is opened (for example, for FTP), the back connection’s destination
port is checked against a list of known TCP and UDP services. If the requested port “belongs”
to a well known service, the back connection is rejected.
Services that open back connections fall into two categories in VPN-1/FireWall-1 (assuming
that there is a rule that allows the initial connection):
• VPN-1/FireWall-1 allows auxiliary connections only if the appropriate property is enabled.
These services are:
  • FTP PORT
  • FTP PASV
  • RSH/REXEC
  • RPC Control
• VPN-1/FireWall-1 allows auxiliary connections only if the service is specifically listed under
Services in the rule that allows the initial connection. These services are:
  • VDOLive
  • WebTheatre
  • H.323
  • CoolTalk
  • BackWeb
  • RealAudio
  • FreeTel
  • MS Exchange services (requires DCE-RPC)
  • NetShow
  • sqlnet2
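To make the FTP case concrete, here is an added example (written for this page, not Check Point code) that models the two checks described above for the FTP PORT and FTP PASV services: it derives the auxiliary connection from a client PORT command or a server 227 reply, refuses it when the announced address is not the control-connection peer (the FTP bounce case for PORT, and what a NATed server address looks like for PASV, the situation the text warns about), and refuses it when the destination port belongs to a well-known service. The addresses and the list of well-known services are constructed for the example.

```python
"""FTP auxiliary (data) connection handling, as an added example.

Not Check Point code: a model of the checks a stateful firewall makes before
opening an FTP back connection. From the control connection it derives the
data connection announced by a PORT command (active mode) or a 227 reply
(passive mode), then refuses it when the announced address is not the
control-connection peer or when the destination port belongs to a
well-known service.
"""
import re

# Constructed subset of well-known TCP services used for the port check.
WELL_KNOWN_TCP = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
    80: "http", 110: "pop3", 143: "imap", 443: "https",
}

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(client_ip, server_ip, line):
    """Return (src_ip, dst_ip, dst_port, mode) for the announced data connection."""
    line = line.strip()
    if line[:5].upper() == "PORT ":
        ip, port = parse_hostport(line[5:])
        return server_ip, ip, port, "PORT"   # server connects back to the client
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        return client_ip, ip, port, "PASV"   # client connects to the server
    raise ValueError("not a data-connection announcement: %r" % line)


def decide(client_ip, server_ip, line):
    """Allow or reject the auxiliary connection; returns (allowed, reason)."""
    src, dst, port, mode = expected_data_connection(client_ip, server_ip, line)
    peer = client_ip if mode == "PORT" else server_ip
    if dst != peer:
        # For PORT this is the classic FTP bounce; for PASV it is what a
        # NATed server address looks like, the case the text warns about.
        return False, "%s announces %s, but the control peer is %s" % (mode, dst, peer)
    if port in WELL_KNOWN_TCP:
        return False, "port %d belongs to %s, a well-known service" % (port, WELL_KNOWN_TCP[port])
    return True, "%s data connection %s -> %s:%d" % (mode, src, dst, port)


if __name__ == "__main__":
    client, server = "10.1.1.5", "192.0.2.10"   # constructed addresses
    for announcement in (
        "PORT 10,1,1,5,4,1",                              # legitimate active mode
        "PORT 10,1,1,5,0,80",                             # back connection to port 80
        "PORT 10,1,1,99,4,1",                             # third-party address (bounce)
        "227 Entering Passive Mode (192,0,2,10,195,80)",  # legitimate passive mode
        "227 Entering Passive Mode (10,0,0,10,195,80)",   # private address leaked through NAT
    ):
        print(announcement, "->", decide(client, server, announcement))
```

The PASV rejection is the point to notice: when the server's address is translated, the 227 reply carries the untranslated address unless something rewrites it, so the firewall cannot tie the data connection to the control connection and the transfer fails in exactly the way the text describes.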
Overview
Time objects are used to specify time periods during which rules are in effect.
Note - If two Modules are in different time zones, then some problems may arise. For
example, suppose a rule specifies encryption from 09:00 to 17:00 between two
enforcement Modules separated by five hours. It can happen that the Module initiating the
connection will encrypt, but the peer will not be expecting the connection to be
encrypted. If Enable decryption on accept in the VPN-1 page of the Global Properties
window is not enabled, then the peer will not decrypt the packets and the connection will
fail.
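The mismatch in the note is worth seeing in numbers, so here is an added example (written for this page, not Check Point code) in which each Module evaluates a 09:00 to 17:00 time object in its own local time. The two zones (UTC and a constructed peer five hours ahead) and the reference day are assumptions made for the example; the count of hours per day on which the Modules disagree is what the note is warning about.

```python
"""Time objects across time zones, as an added example (not Check Point code).

Models the note above: each Module evaluates a 09:00 to 17:00 time object in
its own local time, so two Modules five hours apart disagree about whether
the rule is in effect for part of every day.
"""
from datetime import datetime, time, timedelta, timezone

# Constructed zones: the initiating Module and a peer five hours ahead.
UTC = timezone.utc
UTC_PLUS_5 = timezone(timedelta(hours=5))

WINDOW_START, WINDOW_END = time(9, 0), time(17, 0)


def instant(hour_utc, day=datetime(2003, 1, 15, tzinfo=UTC)):
    """A point in time on a constructed reference day, given as a UTC hour."""
    return day + timedelta(hours=hour_utc)


def rule_in_effect(when, tz, start=WINDOW_START, end=WINDOW_END):
    """Evaluate the time object the way a Module in zone `tz` would."""
    local = when.astimezone(tz).time()
    return start <= local < end


def modules_agree(when, tz_initiator, tz_peer):
    """True when both Modules reach the same verdict for the rule at `when`."""
    return rule_in_effect(when, tz_initiator) == rule_in_effect(when, tz_peer)


def disagreement_hours(tz_a, tz_b):
    """Number of whole hours per day during which the two Modules disagree."""
    return sum(1 for h in range(24) if not modules_agree(instant(h), tz_a, tz_b))


if __name__ == "__main__":
    for h in (6, 10, 14):
        t = instant(h)
        print("%02d:00 UTC  initiator=%s  peer=%s"
              % (h, rule_in_effect(t, UTC), rule_in_effect(t, UTC_PLUS_5)))
    print("hours per day of disagreement:", disagreement_hours(UTC, UTC_PLUS_5))
```

With an eight-hour window and a five-hour offset the Modules disagree for ten hours of every day: five in which only the initiator encrypts, and five in which only the peer expects encryption. At 14:00 UTC, for instance, the initiator is inside its window while the peer, at 19:00 local, is not.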
To define a time object, open the Time Objects window (FIGURE 9-1 on page 348) by
choosing Time from the Manage menu. The Time Objects window appears (FIGURE 9-1 on
page 348).
The objects displayed depend on what you have selected from the Show drop-down list.
A window appears prompting you to enter the properties of the selected object type.
Time Objects
Month — The times of day specified in the General tab of the Time Object Properties
window apply only during the month specified. This field is enabled only if Days Specification
is Days in Month.
FIGURE 9-5 Time Object window — Days tab (Days in Week)
Week — The times of day specified in the General tab of the Time Object Properties window
apply only during the week specified. This field is enabled only if Days Specification is Days
in week.
Scheduled Events
Scheduled events are used to trigger processes, for example, in the Management High
Availability page of the Global Properties window or in the Logging Policy page of the
network object’s Properties window.
Enter a time of day in 24–hour notation. When this is checked, the Days page (FIGURE
9-7) becomes available.
• Every — Specify how frequently the event occurs.
This page is available when Time of Event in the General page (FIGURE 9-6) is checked.
Days Specification — Choose one of the following:
Daily — The time of day specified in the General page of the Scheduled Event Properties
window applies on all days.
Day in Month — The time of day specified in the General page of the Scheduled Event
Properties window applies only on the days of the month checked under Days in Month.
Day in Week — The time of day specified in the General page of the Scheduled Event
Properties window applies only on the days of the week checked under Days in Week.
Groups
You can simplify the Rule Base by defining a group of time objects and using the group in rules.
Creating a Group
To create a group, create an object of type Group using the Time Object Manager (see
“Creating a New Time Object” on page 348). Next, add objects to the group using the Group
Properties window (FIGURE 9-8 on page 354).
To display the Group Properties window, double-click on the group’s name in the Time Object
Manager window.
Note - To define a new object directly from this window, click New. A menu will be
displayed from which you can select the type of object to create. When you finish defining
the object, you will return to this window.
Server Objects
A server object represents a server running on a specific host. The available server objects are:
1 RADIUS
A RADIUS Server is used to provide authentication services. For information about defining
an Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163.
2 RADIUS Server group
A RADIUS Server group consists of RADIUS Servers.
3 TACACS
A TACACS Server is used to provide authentication services. For information about defining
an Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163.
4 AXENT Defender
An AXENT Defender Server is used to provide authentication services. For information about
defining an Authentication scheme for a user, see “User Properties Window — Authentication
tab” on page 163.
5 ACE (SecurID) Server
ACE Servers are used for authenticating SecurID users. For information about defining an
Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163 of Check Point SmartCenter Guide.
6 LDAP Account Unit
The VPN-1/FireWall-1 Account Management system is an independent module that enables
the Security Manager to integrate an LDAP-compliant user database with VPN-1/FireWall-1
User Authentication. An LDAP Server can contain multiple branches (for example,
“o=University of Michigan,c=UK”). An LDAP Server and a subset of its branches constitute
a VPN-1/FireWall-1 Account Unit.
For information about Account Units, see “LDAP (Lightweight Directory Access Protocol)
Account Units” on page 364.
7 Certificate Authority
A Certificate Authority (CA) issues certificates to entities (users or computers) which then
use the certificates to identify themselves and provide verifiable information about
themselves.
For information about Certificate Authorities, see Chapter 3, “Certificate Authorities” of
Check Point Virtual Private Networks Guide.
8 SecuRemote DNS
The SecuRemote DNS GUI lets administrators configure DNS redirection and encryption.
For information about SecuRemote DNS, see “SecuRemote DNS” on page 370.
OPSEC Servers
See “Implementing CVP Inspection” on page 234 of Check Point FireWall-1 Guide for
information about the CVP protocol.
11 Application Monitoring (AMON)
An AMON server enables network applications to report their status to Check Point
management.
See “OPSEC Definition Window— AMON Options Tab” on page 384, for information
about the AMON server.
Removing a Server
To delete a server, select the server and click Remove.
Editing a Server
To edit or modify a server, select the server and click Edit, or double-click the server.
RADIUS Servers
RADIUS servers are used for authenticating users. For information about defining an
Authentication scheme for a user, see “User Properties Window — Authentication tab” on page
163 of Check Point SmartCenter Guide.
For information about Authentication schemes in general, see “Authentication Schemes” on
page 125.
When more than one RADIUS server is contacted (that is, when a group of RADIUS servers
or Any is specified for a RADIUS user) then they are contacted in the sequence defined by
their priorities, where a lower number specifies a higher priority.
Host — Select the host on which the server is running.
The host should have already been defined as a network object (see “Overview” on page 173).
Shared Secret — Enter a string of up to 15 nonspace characters.
The shared secret is a key that authenticates communication between the FireWalled machine
and the RADIUS server. You must use the same shared secret you defined in the clients
file on the RADIUS server. RADIUS uses this secret, combined with MD5, to hide the
User-Password attribute and to authenticate server replies, so use the full 15 characters and
choose them at random.
Service — Select the service for communication with the server.
For RADIUS servers, the service is RADIUS.
Version — Select the version from the drop-down list.
The items in the list are given under radius_versions in the file
$FWDIR/lib/setup.C.
To display the Group Properties window, double-click the group’s name in the Server Object
Manager window.
Note - All the servers in a server group must be of the same type.
If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.
TACACS Servers
Secret Key — For more information on this field, see the TACACS server documentation.
Service — From the menu, select the service for communication with the server.
Type
Note - The VPN-1/FireWall-1 Security Servers support the SecureNet Keys (SNK)
authentication scheme.
1 You will need an ACE Server somewhere in your network. The ACE Server does not have to
reside on the VPN/FireWall Module machine. For information about how to install and
configure your ACE server, refer to the SecurID documentation.
2 In VPN-1/FireWall-1, create a user whose authentication scheme is SecurID.
3 Configure your VPN/FireWall Module machine as an ACE Client.
VPN-1/FireWall-1 uses the standard client library of the ACE/Server. This means that you
don't have to do anything special in order to integrate the software. All you have to do is to
prepare the VPN/FireWall Module machine as an ACE Client.
For information about how to install and configure an ACE Client, refer to the SecurID
documentation.
VPN-1/FireWall-1 reads the sdconf.rec file to determine the ACE Server and other
parameters involving ACE Client-Server communications, so you must copy sdconf.rec from
the ACE Server to the ACE Client.
Platform       sdconf.rec directory
Unix           /var/ace
Windows NT     WINNT/SYSTEM32
Note - If you make any changes to sdconf.rec, stop and restart the VPN/FireWall Module
(using the cpstop and cpstart commands).
Enter the branch and click OK. The branch is added to the listbox in the General tab of the
Account Unit Properties window.
Changing a Branch
To change a branch definition, select the branch and click Edit.
Deleting a Branch
To delete a branch from the list, select the branch and click Delete.
TABLE 10-4 lists the methods used for each Strength. Note that Strong in the GUI
corresponds to Very Strong in the table.
Strength                                   Key exchange     Encryption and hash
Strong (this cannot be specified in        RSA (1024 bit)   RC4 (64 bit) and MD5, or
VPN-1/FireWall-1 but can be negotiated)                     DES (40 bit) and MD5 or SHA-1,
                                                            depending on the other side
Very Strong (this is indicated in          RSA (1024 bit)   RC4 (128 bit) and MD5 or SHA-1,
VPN-1/FireWall-1 by Strong)                                 depending on the other side, or
                                                            3DES and MD5 or SHA-1,
                                                            depending on the other side
Of the methods listed, 40-bit DES, 64-bit RC4 and MD5 are no longer considered secure; select the
strongest setting the peer supports.
Authentication — the weakest method
Export — the strongest exportable method
Strong — the strongest method
IKE Key — the key with which users’ IKE pre-shared secrets are encrypted on the Account Unit
Certificate Authority
A Certificate Authority (CA) issues certificates to entities (users or computers) which then use
the certificates to identify themselves and provide verifiable information about themselves. After
two entities exchange and validate each others’ certificates, they can begin encrypting
communications between them using the public keys in the certificates. There are two kinds of
entities that can identify themselves using certificates:
• encrypting gateways (network objects), when encrypting with other (peer) encrypting
gateways or with SecuRemote Clients
• people (using SecuRemote Clients) — the SecuRemote Client and the site confirm each
others’ identities with certificates
For more information see “Certificate Authorities” on page 40 of Check Point Virtual Private
Networks Guide.
Certificate— Before you can validate certificates issued by the CA you have just defined, you
must obtain the CA’s own certificate.
• If a SmartCenter Server will be generating certificates on this CA (see “Certificate
Authority” on page 368), then the CA sends the SmartCenter Server its own certificate
together with the network object’s certificate. In this case, there is no need to explicitly
obtain the CA’s own certificate — it is obtained as a by-product of generating other
certificates.
• If a SmartCenter Server will not be generating certificates on the CA but only validating
them, then you must explicitly obtain the CA’s own certificate by clicking on Get (see
below).
• Get — get the CA’s certificate from a file that contains the CA’s certificate.
For more information on Certificate Authorities and creating Certificates, see Chapter 3,
“Certificate Authorities” of Check Point Virtual Private Networks Guide.
Allow only certificates from the listed branches — When validating certificates, only
certificates that belong to the specified branches are accepted as valid. Branches are designated
by combination of various DN fields (for example, “ou”).
Add — Add a new DN or branch.
When a Certificate Authority is selected, you must then enter the DN for the branch you
want to add by clicking Add.
Edit — Edit the selected DN or branch.
Remove — Remove the selected branch.
SecuRemote DNS
The SecuRemote DNS Server is an internal server that can resolve internal names with
unregistered (RFC 1918-style) IP addresses. It is best to encrypt the DNS resolution of these
internal names. Not all DNS traffic should be encrypted, as this would mean that every DNS
resolution would require authentication.
Select the desired color from the drop-down list. The SecuRemote DNS Server will then be
represented by this color throughout the SmartMap.
Host — You must select the host on which the SecuRemote DNS Server is running from the
drop-down menu. The host must be defined as a network object.
SecuRemote DNS Properties Window — Domains Tab
Name — the name of the domain for which the DNS Server resolves names, e.g.
checkpoint.com.
Maximum Prefix Label Count — the maximum number of labels (for example, three (3) for
xxx.hello.com) that may precede the domain and still be resolved.
For example, if the domain name is “checkpoint.com” and the maximum prefix label count is
“1” then the SecuRemote DNS Server will try to resolve and encrypt
“www.checkpoint.com” or “whatever.checkpoint.com” but not
“www.internal.checkpoint.com.”
To add a new Domain, click the Add button.
FIGURE 10-3 SecuRemote DNS Server Domain window
Domain Suffix: — the domain suffix for which the DNS Server resolves names
Match only *.suffix — If this option is selected, the maximum number of labels resolved will be
1.
Match up to...labels preceding the suffix — Select the maximum number of labels to
Domains can also be edited or deleted by selecting either the Edit or Remove button.
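The domain rule above is simple to state but easy to get wrong at the edges (a suffix must match on label boundaries, and "Match only *.suffix" is just a count of 1), so here is an added example that implements it (written for this page, not Check Point code). The domain entries and names are constructed; the page does not say whether the bare suffix itself is resolved through the SecuRemote DNS Server, and the example assumes it is, as the comment marks.

```python
"""SecuRemote DNS domain matching, as an added example (not Check Point code).

Implements the rule described above: a name is handled by the SecuRemote
DNS Server (and its resolution encrypted) only if it ends in a configured
domain suffix and at most "maximum prefix label count" labels precede the
suffix. "Match only *.suffix" is the same thing with the count set to 1.
"""


def labels(name):
    """Split a DNS name into its labels, ignoring case and a trailing dot."""
    return [l for l in name.lower().strip(".").split(".") if l]


def matches_domain(name, suffix, max_prefix_labels):
    """True if `name` lies under `suffix` with at most `max_prefix_labels` labels before it."""
    n, s = labels(name), labels(suffix)
    if len(n) < len(s) or n[-len(s):] != s:
        # Not under the suffix at all. The comparison is label-wise, so
        # "evilcheckpoint.com" does not match "checkpoint.com".
        return False
    prefix = len(n) - len(s)
    # Assumption: the bare suffix itself (a prefix of 0 labels) is also
    # matched; the text does not say either way.
    return prefix <= max_prefix_labels


def domain_entry(suffix, match_only_star_suffix=False, max_labels=None):
    """Build a (suffix, max_prefix_labels) entry from the two options of the Domain window."""
    if match_only_star_suffix:
        return (suffix, 1)
    if max_labels is None or max_labels < 1:
        raise ValueError("max_labels must be given when not matching only *.suffix")
    return (suffix, max_labels)


def encrypted_queries(domains, names):
    """Names (in order) whose resolution would go encrypted to the SecuRemote DNS Server."""
    return [n for n in names if any(matches_domain(n, suf, cnt) for suf, cnt in domains)]


if __name__ == "__main__":
    # Constructed entries: "checkpoint.com" with "Match only *.suffix",
    # "corp.example" with up to three labels before the suffix.
    domains = [domain_entry("checkpoint.com", match_only_star_suffix=True),
               domain_entry("corp.example", max_labels=3)]
    for name in ("www.checkpoint.com", "whatever.checkpoint.com",
                 "www.internal.checkpoint.com", "a.b.c.corp.example",
                 "a.b.c.d.corp.example", "checkpoint.com.example.net"):
        print(name, "->", bool(encrypted_queries(domains, [name])))
```

The two names from the text behave as described: www.checkpoint.com and whatever.checkpoint.com are resolved and encrypted with a count of 1, www.internal.checkpoint.com is not, and a name such as checkpoint.com.example.net never matches because the suffix must be at the end.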
Open Platform for Security (OPSEC) is the industry standard for integrated internet security.
An OPSEC application is an application developed by a third party which provides additional
functionality to VPN-1/FireWall-1. This section explains the OPSEC server applications.
OPSEC Server applications provide added functionality for scanning the content of data
streamed through VPN-1/FireWall-1, disallowing connections to selected URLs based on
third-party software definitions, and enabling third-party applications to export their status to
VPN-1/FireWall-1.
OPSEC continually delivers the broadest range of integrated security solutions for a variety of
deployment platforms. For more information on OPSEC products see:
http://www.checkpoint.com/opsec/.
An OPSEC session is a dialog between two OPSEC entities (example: a Client and a Server).
Use the General tab to define an OPSEC application.
When a Check Point Module or SmartCenter Server is upgraded to Next Generation, the
information in the fwopsec.conf file about the associated OPSEC application is used to update
the objects.C file. The OPSEC object in the OPSEC Definition window is automatically
defined, and all the parameters are set.
Note - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.
FIGURE 10-4 shows the interplay between the OPSEC Environment, entities and sessions.
FIGURE 10-4 OPSEC Environment, Entity and Session
[Diagram: three machines (A, B and C), each running a process that hosts an OPSEC
environment containing one or more OPSEC entities (an LEA Server on machines A and B, an
LEA Client on machine C); an OPSEC session links an entity on one machine to an entity on
another.]
Note - Both CVP and UFP Groups enable Load Sharing. CVP groups also enable chaining.
For information about creating CVP or UFP Groups see “Implementation of Chaining and
Load Sharing” on page 386.
Note - The host should have already been defined as a network object (see “Network
Objects” on page 180).
Application properties — There are two ways to define OPSEC application objects. One is by
manually defining OPSEC properties; the other is by referencing predefined OPSEC product
objects.
• Manually Defining an OPSEC Application Object
Choose User Defined as the Vendor (this is the default). Manually choose the applicable server
and client entities by checking the relevant boxes.
• Referencing an OPSEC Product Object
Choose the vendor, product and version from the predefined list. All server and client entities
will be chosen for you and you cannot change them. If you want to add to the predefined
OPSEC Product Object list, see the RA documentation (Check Point Roaming Administrator
Utility NG FP2).
Vendor — Select a vendor.
Product — Selecting a product will automatically select the appropriate entities.
Version — When applicable, a choice of product version numbers will appear.
Activate — Specific products include certain actions. For more information, see “Selecting an
OPSEC Command” on page 377.
OPSEC Services Server and Client Entities — An OPSEC application can contain both client
and server entities.
Communication — Configure the OPSEC application object on the SmartCenter Server for
Secure Internal Communication. Click to open the Communication window (see page 381).
DN — The Distinguished Name (also known as the “SIC name”) of the OPSEC application.
The DN represents the identity of the OPSEC application, and is a read-only value. It exists
when a certificate has been issued for this OPSEC application (see “Communication
Window” on page 381).
For further details about the OPSEC product you have selected, see the specific OPSEC
product manual.
The command’s status appears at the bottom of the window. The possible status options are:
• Status: Action success!
• Status: Action fail!
The following schema in an OPSEC product defines one action supported by the OPSEC
application.
:0 (
    :command_name ()
    :component (GUI,| MGM,| HOST)
    :platform (
        :NT (
            :command_line ()
            :command_params ()
        )
        :Solaris (
            :command_line ()
            :command_params ()
        )
        :Linux (
            :command_line ()
            :command_params ()
        )
        :IPSO (
            :command_line ()
            :command_params ()
        )
    )
)
)
Command Syntax
Following is the argument that can be used for command_line.
launch — An action that ends by the launching of a new process (for example,
fwPolicy.exe). This argument must come as a prefix to the command line.
For more information on the launch argument, see the (Check Point Roaming Administrator
Utility NG) document at
http://www.checkpoint.com/_rnd/docs/techpubs/OPSEC_SDK/NG%20FP1/RA_NG_FP1.pdf.
The following arguments can be used for command_params:
%IP — The IP address of the OPSEC host application.
%USER_NAME — The administrator user name used to connect to the SmartDashboard.
%PATH_DIR — The root directory containing the command arguments used for running the
command (retrieved from the Registry file).
TIMEOUT — Action timeout (in seconds).
Examples
Following is an OPSEC product definition for a Check Point product that enables you to
execute the command shown below.
:0 (
    :AdminInfo (
        :chkpf_uid ("{0BFE28A2-63D0-11D5-A421-000629F56A03}")
        :ClassName (multi_platform_command)
    )
    :command_name ("My server")
    :component (HOST)
    :platform (
        :AdminInfo (
            :chkpf_uid ("{0BFE28A2-63D0-11D5-A421-000629F56A03}")
            :ClassName (platforms)
        )
        :NT (
            :command_line ("launch my_server.exe")
            :command_params ("%TIMEOUT 60")
        )
        :Solaris (
            :command_line ("launch my_server")
            :command_params ("%TIMEOUT 60")
        )
    )
) )
)
my_server.exe is the server program that will be run on the host selected upon executing this
command.
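The definition above uses the same nested “:name (value)” syntax as objects.C. The parser and validator below are an added example (not Check Point code): it parses the “My server” definition, pulls out the per-platform command_line and command_params, and checks the two rules the text states, that command_line must be prefixed with launch and that a numeric %TIMEOUT is given. The token rules (keys start with ":", values are bare words or double-quoted strings) are assumptions; the page's definition is embedded with its outer parentheses balanced.

```python
"""Parser for the Check Point ':name (value)' definition syntax.
Added example, not Check Point code. Assumptions: keys always start with
':', values are bare words or double-quoted strings, nesting uses
parentheses."""

import re


def tokenize(text):
    """Split definition text into ':key', '(', ')', quoted and bare tokens."""
    tokens = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "()":
            tokens.append(c)
            i += 1
        elif c == '"':
            j = text.index('"', i + 1)          # closing quote (ValueError if missing)
            tokens.append(text[i:j + 1])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "()":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def _parse_entries(tokens, pos):
    """Parse consecutive ':key (...)' entries until ')' or end of input."""
    entries = {}
    while pos < len(tokens) and tokens[pos].startswith(":"):
        key = tokens[pos][1:]
        if pos + 1 >= len(tokens) or tokens[pos + 1] != "(":
            raise ValueError("expected '(' after :%s" % key)
        pos += 2
        if pos < len(tokens) and tokens[pos].startswith(":"):
            value, pos = _parse_entries(tokens, pos)   # nested block
        elif pos < len(tokens) and tokens[pos] == ")":
            value = ""                                 # empty value, e.g. :command_line ()
        else:
            value = tokens[pos].strip('"')             # scalar, quotes removed
            pos += 1
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("expected ')' closing :%s" % key)
        pos += 1
        entries[key] = value
    return entries, pos


def parse_definition(text):
    """Parse a whole definition into nested dicts; rejects unbalanced input."""
    tokens = tokenize(text)
    entries, pos = _parse_entries(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses near token %d" % pos)
    return entries


def platform_command(defn, platform):
    """Return (command_line, command_params) for a platform, or None if absent."""
    plat = defn["0"]["platform"].get(platform)
    if plat is None:
        return None
    return plat["command_line"], plat["command_params"]


def timeout_seconds(command_params):
    """Extract the numeric %TIMEOUT value; None if absent or malformed."""
    m = re.search(r"%TIMEOUT\s+(\d+)", command_params)
    return int(m.group(1)) if m else None


def check_action(defn):
    """Validate one action: every platform's command_line must start with
    'launch' and its command_params must carry a numeric %TIMEOUT.
    Returns a list of human-readable problems (empty when valid)."""
    problems = []
    for platform, plat in defn["0"]["platform"].items():
        if platform == "AdminInfo":          # metadata block, not a platform
            continue
        if not plat["command_line"].startswith("launch "):
            problems.append("%s: command_line must start with 'launch'" % platform)
        if timeout_seconds(plat["command_params"]) is None:
            problems.append("%s: missing numeric %%TIMEOUT" % platform)
    return problems


# The page's "My server" definition, outer parentheses balanced.
PRODUCT_DEFINITION = """
:0 (
  :AdminInfo (
    :chkpf_uid ("{0BFE28A2-63D0-11D5-A421-000629F56A03}")
    :ClassName (multi_platform_command)
  )
  :command_name ("My server")
  :component (HOST)
  :platform (
    :AdminInfo (
      :chkpf_uid ("{0BFE28A2-63D0-11D5-A421-000629F56A03}")
      :ClassName (platforms)
    )
    :NT (
      :command_line ("launch my_server.exe")
      :command_params ("%TIMEOUT 60")
    )
    :Solaris (
      :command_line ("launch my_server")
      :command_params ("%TIMEOUT 60")
    )
  )
)
"""

# Constructed invalid definition: no launch prefix and no %TIMEOUT.
BAD_DEFINITION = """
:0 (
  :command_name ("Broken")
  :component (HOST)
  :platform (
    :NT (
      :command_line ("my_server.exe")
      :command_params ()
    )
  )
)
"""

if __name__ == "__main__":
    defn = parse_definition(PRODUCT_DEFINITION)
    print(platform_command(defn, "NT"), check_action(defn))
    print(check_action(parse_definition(BAD_DEFINITION)))
```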
Communication Window
Note - This window is only relevant for OPSEC NG based SDK applications.
Getting here - Click Communication in the General tab of the OPSEC Definition window.
• Trust established — The trust between the OPSEC application and the SmartCenter
Server has been established. The OPSEC application is able to communicate securely.
This state can only exist where certificate-based communication is used.
Initialize — For an uninitialized OPSEC application, create a DN and a certificate (the
certificate is only used where certificate-based communication has been configured). If
successful, the OPSEC application state will change to Initialized but trust not established.
Test SIC Status — Not available for OPSEC applications.
Reset — This field is only relevant where certificate-based communication is used.
Reset the OPSEC application back to the Uninitialized state by revoking its certificate. Its DN
remains valid.
Close — Close the window.
Definition of CVP
CVP is used to enable the VPN-1/FireWall-1 to transfer data (file, E-mail, web pages) to a
third-party application, and allow it to analyze the file. Normally CVP is used by Anti-virus
servers (or content security in general), but it may also be used to secure other needs such as
authentication accounting. For information about setting up CVP groups for load sharing or
chaining see “Implementation of Chaining and Load Sharing” on page 386.
Service — Select the Service for communication with the server from the drop-down list. The
service is the port number to which the server listens. For CVP servers, the service is FW1_cvp.
Backwards Compatibility
Use backwards compatibility mode — If the OPSEC application server uses OPSEC SDK
Version 4.1 or earlier, and the VPN/FireWall Module is Version 4.1 or lower, check this box,
and choose the authentication (or encryption and authentication) method used in
communication between the OPSEC server and VPN-1/FireWall-1.
Configure the backwards compatibility mode as instructed by your OPSEC application vendor.
If instructed to edit the fwopsec.conf file (which does not exist in VPN-1/FireWall-1 NG),
instead select the mode which corresponds to the keyword (such as auth_opsec) in the
fwopsec.conf file.
If the OPSEC server or application uses OPSEC SDK Version 4.1 or earlier, and the
VPN/FireWall Module is upgraded to NG, the OPSEC object will be automatically created.
The information in the window will be taken from the fwopsec.conf file which existed prior
to the upgrade, and the appropriate backward compatibility mode will be selected.
If the OPSEC server or application uses OPSEC SDK NG, do not check this option.
The CVP tab of an OPSEC application object refers to connections that are made from peer
clients to this server. For example:
• In the CVP Options tab of the OPSEC Definition dialog box if the Use backwards
compatibility mode check box is checked and the OPSEC Authentication (auth_opsec)
method is selected, then the CVP clients should use the auth_opsec method when
connecting to this CVP server application.
The UFP tab of an OPSEC application object refers to connections that are made from peer
clients to this server. For example:
• In the UFP Options tab of the OPSEC Definition dialog box if the Use backwards
compatibility mode check box is checked and the OPSEC Authentication (auth_opsec)
method is selected, then the UFP clients should use the auth_opsec method when
connecting to this UFP server application.
When attempting to add a CVP load sharing group to a CVP chaining group (see “CVP Load
Sharing and Chaining” on page 236 of Check Point FireWall-1 Guide), you will be prompted to
choose between adding the group as a whole or adding each server separately. This feature is not
available for load sharing, since load sharing between chaining groups is not supported.
Up Down — You can change the order of the groups or servers included in In group. To change
the order, highlight a member in the right listbox and use the Up or Down button until your
server or group is in the position you want. For example, perhaps the first server in the list is a
caching server and the second server is an anti-virus server. It would be logical to switch the
order in which these two servers process data in this group.
Work distribution method — Decide whether your group will be defined as load sharing or
chaining (see “CVP Load Sharing and Chaining” on page 236 of Check Point FireWall-1 Guide).
Load Sharing — Select this radio button if your group will have load sharing.
Chaining — Select this radio button if your group will have chaining.
Abort chaining upon Unsafe reply — Use this feature if chaining is selected as your work
distribution method and you wish to guarantee that if a virus is detected all chaining of this
group will stop.
Load sharing method — Select round robin if you wish to go in a specific order, or random if
you wish to have the Server decide which Servers are available.
Load sharing suspend time-out — Set the time you wish to wait when one server fails before
trying to use it again. The maximum time is 10,000 minutes.
In order to avoid this problem, configure the OPSEC applications to work with the default SIC
(or backward compatibility authenticated communication) settings.
SmartView Tracker
Overview
The SmartView Tracker allows you to view entries in the Log File. Each entry in the Log File
is a record of an event that, according to the Rule Base or the Properties, is to be logged. In
addition, every event which caused an alert, as well as certain important system events (such as
a Security Policy being installed or uninstalled on a host), is also logged. The format of log
entries requested by a rule is determined by the log type specified in the rule.
Note - The SmartCenter Server reads the Log File and sends the data to the SmartView
Tracker GUI Client for display. The SmartView Tracker GUI Client merely displays the data.
Windows — Double-click the SmartView Tracker icon, or choose SmartView Tracker from the
Window menu in the SmartDashboard window.
• certificate
1 Select Certificate.
Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.
If you do not wish to modify a policy, check Read Only before clicking on OK.
Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49, for information how to define users on the
SmartCenter Server.
To compress the connection to the SmartCenter Server, check Use compressed connection.
Enter the text describing why the administrator wants to make a change in the security policy
in Session ID (optional). The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the
SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.
When you switch from one mode to another, SmartView Tracker remembers the last opened
query in that mode and displays it.
Log Mode
Log mode is the default mode. It displays entries for security-related events for different Check
Point products as well as Check Point’s OPSEC partners.
In Log mode, the following predefined queries are available:
• All Records — Contains log data which are typically common to most Check Point
products.
• Product-specific queries, which contain entries relevant to that product only. They
include:
• Account — displays Accounting details
• FireWall-1 GX — displays FireWall-1 GX details
• FloodGate-1 — displays FloodGate-1 details
• FireWall-1 — displays FireWall-1 details
• Virtual Link Monitoring — displays Virtual Link Monitoring details
• SecureClient — displays SecureClient details
• UA WebAccess — displays UA WebAccess details
• UA Server — displays UA Server details
• VPN-1 — displays VPN-1 details
• SmartDefense — displays SmartDefense details
• Voice over IP — displays Voice over IP details
The fields that appear in each entry are by default the relevant fields for that entry. For example,
the fields Source and Origin are not predefined to display for UA WebAccess because they are
not relevant to that product.
All Records
When an active window is open, double-click the All Records icon to display the default log query in the
Records pane.
FireWall-1 Entries
When an active window is open, double-click the FireWall-1 icon to display FireWall-1 details in the
Records pane.
Accounting Entries
When an active window is open, double-click the Account icon to display Accounting details in the
Records pane.
The Accounting Log shows the following Account-specific data (including FireWall-1 specific
data):
• Elapsed — the duration of the connection. Elapsed is calculated to the time of the last
byte transferred
• Bytes — the number of bytes transferred
• Start Time — the date on which the connection began
FireWall-1 GX Entries
When an active window is open, double-click the FireWall-1 GX icon to display FireWall-1 GX details in the
Records pane.
FloodGate-1
When an active window is open, double-click the FloodGate-1 icon to display FloodGate-1 details in the
Records pane.
• Client Out rule match — the rule matched to the connection of the client interface in the
outbound direction
• Client Packets In — the number of inbound Client Packets
• Client Packets Out — the number of outbound Client Packets
• Client DiffServ In — the color of the Inbound DiffServ Client
• Client DiffServ Out — the color of the Outbound DiffServ Client
• Server DiffServ In — the color of the Inbound DiffServ Server
• Server DiffServ Out — the color of the Outbound DiffServ Server
• Server Bytes In — the number of inbound Server Bytes
• Server Bytes Out — the number of outbound Server Bytes
• Server Interface In — the name of the inbound Server Interface
• Server Interface Out — the name of the outbound Server Interface
• Server In rule match — the rule matched to the connection of the server interface in the
inbound direction
• Client Out rule match — the rule matched to the connection of the server interface in the
outbound direction
• Server Packets In — the number of the inbound Server Packets
• Server Packets Out — the number of the outbound Server Packets
• Sub Service — the name of the sub service
• RTT Threshold, ms — the threshold for the Round Trip Time set by the user
• Sample ID — the name of the query
• SLA Violation — SLA parameter violation
• SRC Gateway — the Source Gateway. This Gateway also acts as a Reporting Module
• Virtual Link — the name of the Virtual Link
• Wire Byte/sec In — the rate of inbound information in bytes coming from the Gateway
• Wire Byte/sec Out — the rate of outbound information in bytes sent from the Gateway
• Wire Packet/sec In — the rate of inbound information in packets from the Gateway
• Wire Packet/sec Out — the rate of outbound information in packets from the Gateway
SecureClient Entries
When an active window is open, double-click to display SecureClient details in the
Records pane.
UA WebAccess Entries
When an active window is open, double-click to display UA WebAccess details in the
Records pane. The UA WebAccess Log shows the following UA WebAccess-specific data (in
addition to the data displayed in the Security Log):
• Application Name — the name of the accessed application
• Auth Domain — the authentication domain
• Destination Port — the port number of the destination
• Display Name — the full user name
• Domain Username — user name that is used for a specific authentication domain
• Enc Type — the encryption type, whether VPN or SSL
• End2EndEnc — a boolean value: whether the connection is encrypted from source to destination
• ID source — the tool used to identify the user
• Headers inserted/removed — HTTP headers that were inserted/removed using UA
WebAccess
• Operation — the User Authority operation describing the intention of a certain request
such as read, write and delete.
• Redirect URL — whether or not the URL is redirected
• Requested Method — the HTTP Method (GET,POST, etc.)
UA Server Entries
When an active window is open, double-click the UA Server icon to display UA Server details in the
Records pane.
VPN-1 Entries
When an active window is open, double-click to display VPN-1 details in the Records
pane. The VPN-1 Log shows the following VPN-1-specific data (including FireWall-1 specific
data):
• DstKeyID — displays the IPSec SPI used in ESP or AH
• Encryption Methods — the type of encryption algorithm, hash algorithm and
authentication method (for example, MD5)
• Encryption Scheme — the type of encryption being used
• IKE Initiator Cookie — signifies the initiation of Phase 1 of IKE negotiation
• IKE Phase 2 MsgID — signifies that Phase 2 of IKE Negotiation is taking place
• IKE Responder Cookie — signifies the response to Phase 1 of IKE negotiation
• Partner — the name of the Partner
• SRCKeyID — displays the IPSec SPI used in ESP or AH
• VPN Peer Gateway — the peer Gateway of the Gateway undergoing negotiation
SmartDefense Entries
When an active window is open, double-click the SmartDefense icon to display SmartDefense details in the
Records pane.
Voice over IP shows the following Voice over IP-specific data (including FireWall-1 specific
data):
• Destination IP Phone — the IP address at which the phone call was received
• Media Type — the type of call being made
• Registered IP Phones — a request to register your phone at a specific IP address
• Source IP Phone — the IP address at which the phone call originated
Active Mode
To show active connections in the SmartView Tracker (FIGURE 11-3), that is, connections
currently open through any of the VPN/FireWall Modules that are logging to the currently
active Log File, open a new window and click the Active tab. The Active mode’s All Records
Query is displayed.
In addition to the data displayed in the Security Log, Active mode displays the following Active
mode-specific data:
• Connection ID — the connection ID, a fixed number (in contrast to the No field which
changes dynamically).
• Bytes — the number of bytes transferred
• Elapsed — the duration of the connection
Audit Mode
To show audit entries in the SmartView Tracker, open a new window and click the Audit tab.
The Audit’s All Records Query is displayed. This mode enables you to track changes made to
objects in the Rule Base, as well as general SmartDashboard usage.
The Audit window displays the following Audit mode-specific data:
• Administrator — the administrator of the object
• Application — the name of the application
• Object table — the table in which the object is categorized
• Changes — changes made to the fields of the object (for example, the object is assigned a
new IP address, then the IP Address field of the object is modified), or changes made to the
Rule Base, (for example the adding of a new rule will change the Rule Base)
• Client — the machine from which the administrator logged in
• Object Name — the name of the object
• UID — the User ID of the object; this ID is a unique string
• Operation — the operations performed on the object (see TABLE 11-2 for more details).
If the status of the object is unknown, then the SmartView Tracker will display Unknown in
the Operation column.
TABLE 11-2 Operations
creating — creating a new object
updating — updating an existing object
deleting — deleting an object
logging in — logging in to an object
login failed — login to an object failed
Install policy — policy installed on an object
Uninstall Policy — policy on object uninstalled
The Query Properties pane contains four columns. See the following table (TABLE 11-3) for a
description of the columns.
Column — The name of the column.
Show — Check to display the corresponding column in the Records pane. Clear the check box
to conceal the corresponding column.
Width — The specified width of the corresponding column in the Records pane, in pixels.
Filter — The items contained in this column are the filtering criteria used to display specific
log data.
Records Pane
The Records pane displays the list of records in the Log File. The columns that appear depend
on which Query is open. If a column is not wide enough to show all the field’s information, you
can use the tooltip to display everything that is hidden. The tooltip appears only where the cell
is not wide enough to display all the information in it.
Showing/Hiding a Column
You can show/hide a column:
• Using the Query Properties pane
• Using the Records pane
2 Edit the width value and press Enter. The corresponding column in the Records pane is
widened/narrowed accordingly.
To set the column width by dragging its border in the Records pane
1 Place the cursor on the column’s right border in the header. The cursor changes to the
column resize cursor.
2 Click on the left mouse button without releasing it.
3 Move the column border to the desired position while keeping the left mouse button down.
4 Release the left mouse button. The value in the column’s corresponding Width field in the
Query Properties pane is automatically modified accordingly.
This window contains all the record’s fields and their values. The fields in the Record Detail
window always appear in the same order as they do in the Records pane. Fields that have been
defined as hidden for that record, do not appear in the Record Detail window.
All field values appear in their entirety, as can be seen in the tooltip.
Viewing a rule
You can view the rule that created the log
To view a rule
1 Right-click on the desired record.
2 Select View Rule in SmartDashboard.
3 In SmartDashboard, view the rules using the Database Revision Control icon, or in
Global Properties mark the check box Create new version upon installed Policy
Operation.
Filtering
You can use SmartView Tracker’s filtering mechanism to include only the log entries you would
like to display.
To display only entries of interest in the SmartView Tracker and to hide other entries, you can
specify the criteria you want to use in filtering the Log File. Once you have applied the filtering
criteria, only entries matching the criteria you have selected will be displayed. For more
information on how to apply filtering criteria.
Note - In Local mode, you can display filtering criteria, but you cannot change selection
specification. In other words, you cannot apply or remove filtering criteria.
1 In the Query Properties pane, right-click the desired field in the Filter column, or in the
Records pane, right-click anywhere in the desired field.
Note - Filtering criteria will only take effect if the Apply Filter button is activated. For
more information.
Filter fields
Numeric field
Right-click in the desired field and choose Edit Filter from the displayed menu.
Note - If you choose to filter the Number field, choose Go to Record and specify the
desired number.
Note -
• The title that appears in the window depends on which field you are filtering.
• The default is to include the specified items in the filtering. To exclude the
specified items, select Not.
Field — The available options are:
• Is equal to — Include/Exclude all entries whose value is equal to the specified value.
• Is less than — Include/Exclude all entries whose value is less than the specified value.
• Is greater than — Include/Exclude all entries whose value is greater than the specified value.
• Is one of — Include/Exclude all entries whose value is equal to the specified value/s.
• Is in range — Include/Exclude all entries whose value is within the specified range. Specify
the range by entering From and To criteria.
Not — Exclude the log entries, that is, display only log entries that are not in the specified
range. Not is only available if you select the Is in range operator.
Value — Specify the desired criterion value.
6 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.
7 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.
Field — The available options are:
• Is after — Include/Exclude all entries occurring after the specified date/time.
• Is before — Include/Exclude all entries occurring before the specified date/time.
• Is in range — Include/Exclude all entries occurring within the specified range. Specify the
range by entering From and To criteria.
Not — Exclude the log entries, that is, display only log entries that are not in the specified
range. Not is only available if you select the Is in range operator.
After — Specify the desired criterion value.
3 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.
4 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.
Interface field
You can filter the Log File by specifying one or more interfaces to be included in (or excluded
from) the filtering criteria.
1 Right-click in the Interface field, and choose Edit Filter in the menu that displays. The
Interface Filter window is displayed.
2 In the editable field (to the left of the Add>> button), type the interface you want to
include/exclude in the filtering criteria (for example, sl0, le0, all) and click Add. The
interface appears in the box below the Add>> button.
3 Select the Not check box if you want to exclude the log entries, that is, to display only log
entries that do not match the specified criteria.
4 Select one or both of the following packet types:
• Inbound — packets going in the inbound direction
• Outbound — packets going in the outbound direction
5 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.
6 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.
Note -
• The title that appears in the window depends on which field you are filtering.
• The default is to include the specified items in the filtering. To exclude the
specified items, select Not.
2 In the left list box, select the items you wish to include/exclude in the filtering criteria.
Click the Add> button to add it to the list of items you wish to use as the filtering criteria.
Click the <Remove button to remove it. You can also move multiple items by making
multiple selections.
You can also manually add an item by entering the item name in the editable field (on top
of the left list box). When filtering the Log File by product, you can include any OPSEC
product or third party vendor product. This allows you, for example, to add external Source
or Destination hosts which do not appear in the list box. You may specify a host by
entering its name or by entering its address in conventional IP dot notation.
Note - Origin is the origin of the log entry, that is, the host that generated the log entry
and on which the rule is enforced. Origin can only be an internal object. Source and
Destination are the source and destination of the packet, either of which may be internal
or external.
The items you want to add/exclude are in the right list box. These elements are the
filtering criteria.
3 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.
4 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.
Predefined field
1 Right-click in the desired field, and choose Edit Filter in the menu that displays. The
appropriate Filter window is displayed.
Alert — An event that generated an alert. Available only in Log and Active modes.
Log — An event that was logged as specified by the Security Policy. Available only in Log and
Active modes.
Control — An event that was logged automatically (for example, installing a Security Policy).
Available only in Log and Active modes.
Account — An event that generated an Account log.
The following table gives a description of the different types in the SSO Type Filter window
(TABLE 11-8).
Basic — Single Sign On for Basic authentication
The following table gives a description of the different types in the Type Filter window
(TABLE 11-6).
Unknown — unknown encryption type
The following table gives a description of the different types in the Type Filter window
(TABLE 11-7).
Unknown — there is no information on encryption
False — No encryption
True — encryption
The following table gives a description of the different types in the Request Result Filter
window (TABLE 11-8).
Success — Request result has been successful.
Failed — Request result has failed.
TimedOut — Request result has timed out.
Redirected — Request result has been redirected according to the Security Policy.
The following table gives a description of the different types in the UA Auth Result Filter
window (TABLE 11-9).
Accept — HTTP request was accepted.
3 The following table gives a description of the different types in the Action Filter window
(TABLE 11-10).
4 Select the Not check box if you want to exclude the log entries, that is, to display only log
entries that do not match the specified criteria.
5 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.
6 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.
Note - The title that appears in the window depends on which field you are filtering.
Field Description
Field The available options are:
• is equal — Include/Exclude all entries containing text
that equals the specified pattern.
• contains — Include/Exclude all entries with text that
contains the specified pattern.
Not Exclude the specified items. The default is to include the
specified items in the filtering.
Text Specify the text string you want to include/exclude.
Match Case To find or ignore an item with specific capitalization, select
or clear the Match case check box.
3 Click OK and then the Apply Filter button if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.
4 To remove all the filters in the Log File, click the Clear All Filters button in the
Query pane toolbar. The criteria are no longer displayed in the Filter column.
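The filter semantics described above (is equal / contains, the Not check box, and Match case), as an added illustration that is not code from the Check Point manual; the column names and the log entries are constructed for the example.

```python
"""Added example: SmartView Tracker-style column filters applied to log entries.

Illustration code written for this page, not Check Point's own code. The
log entries below are constructed sample data, and the column names
(Source, Destination, Service, Action, Result) are assumptions that mirror
the columns the text describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TextFilter:
    """One criterion from the Text Filter window.

    field      - the log column to test
    pattern    - the text string to include/exclude
    mode       - "is equal" or "contains"
    exclude    - the Not check box: show only entries that do NOT match
    match_case - the Match case check box
    """
    field: str
    pattern: str
    mode: str = "contains"
    exclude: bool = False
    match_case: bool = False

    def matches(self, entry: dict) -> bool:
        value = str(entry.get(self.field, ""))
        pattern = self.pattern
        if not self.match_case:
            value, pattern = value.lower(), pattern.lower()
        if self.mode == "is equal":
            hit = value == pattern
        elif self.mode == "contains":
            hit = pattern in value
        else:
            raise ValueError(f"unknown mode: {self.mode!r}")
        # The Not check box inverts the criterion.
        return not hit if self.exclude else hit


def apply_filters(entries, filters):
    """Return the entries matching every filter. Filters on different
    columns are combined with AND, as the Filter column of the Query
    Properties pane shows one criterion per field."""
    return [e for e in entries if all(f.matches(e) for f in filters)]


# Constructed sample log entries (not taken from any real log file).
SAMPLE_LOG = [
    {"No": 1, "Source": "10.1.1.5", "Destination": "192.168.3.9",
     "Service": "http", "Action": "accept", "Result": "Success"},
    {"No": 2, "Source": "10.1.1.7", "Destination": "192.168.3.9",
     "Service": "HTTPS", "Action": "accept", "Result": "Failed"},
    {"No": 3, "Source": "172.16.0.2", "Destination": "192.168.3.20",
     "Service": "ftp", "Action": "drop", "Result": "TimedOut"},
    {"No": 4, "Source": "10.1.1.5", "Destination": "192.168.3.21",
     "Service": "http", "Action": "reject", "Result": "Redirected"},
]


def http_not_from_10_1_1_7(entries=SAMPLE_LOG):
    """Service contains 'http' (Match case clear, so HTTPS also matches)
    AND Source is not equal to 10.1.1.7 (Not check box set)."""
    filters = [
        TextFilter("Service", "http", mode="contains"),
        TextFilter("Source", "10.1.1.7", mode="is equal", exclude=True),
    ]
    return [e["No"] for e in apply_filters(entries, filters)]


def exact_service_case_sensitive(entries=SAMPLE_LOG):
    """'is equal' with Match case set: 'https' does not match 'HTTPS'."""
    f = TextFilter("Service", "https", mode="is equal", match_case=True)
    return [e["No"] for e in apply_filters(entries, [f])]


def failed_or_timed_out(entries=SAMPLE_LOG):
    """Request Result filter: a multi-choice filter on one column is
    several criteria on that column combined with OR."""
    wanted = ("Failed", "TimedOut")
    return [e["No"] for e in entries
            if any(TextFilter("Result", w, "is equal").matches(e) for w in wanted)]
```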
Resolving Addresses
You can control the display of source and destination host names in the Log File.
Click the button to toggle between:
Resolving Services
Each port number is mapped to the type of service it uses. You can control the display of the
destination port in the Log File.
Click the button to toggle between:
• Displaying the destination port number
• Displaying the type of service the port uses
Note - If you have clicked the Resolving Services button to display the type of
service the port uses, and the port number appears, it means that a service has not been
previously defined for this port. A port number can be mapped to a service either in the
Objects database using the Object Manager (see the Check Point SmartCenter Guide) or in
the Services Configuration file.
Note - This option is only relevant if the current active Log File is displayed in the
SmartView Tracker.
Find
You can search for an item in all columns, rather than just in a specific column in the Log File.
2 Configure the Find in all columns window according to the following table:
Field Description
Pattern Specify the pattern string you want to include in your
search.
Match whole word only To match only a complete word, select Match whole word
only.
Match Case To find or ignore an item with specific capitalization, select
or clear the Match case check box.
Direction Select the desired search direction.
Click the Find (F3 to Next) button. The log entry matching the specified pattern is highlighted.
The current log entries will be written to file. Only the records that match the filtering criteria
will be saved to the file (both those that are visible in the window and those that are not).
Note - This operation actually performs a Log File switch (see “fwm logswitch” on page
596).
Blocking Connections
You can terminate an active connection and block further connections from and to specific IP
addresses.
Note - The termination and blocking of active connections can only be performed in
Active mode.
Note - A Log Server is a machine to which log events are sent by one or more
VPN/FireWall Modules. One of these VPN/FireWall Modules may be running on the Log
Server. For more information, see “Redirecting Logging to Another Master” on page 424.
6 Click OK.
To clear blocked connections choose Clear Blocking from the Tools menu. For
information how to block connections.
This window displays the list of Check Point Modules from which you can fetch Log Files.
Note - To close the currently active Log File and create an active file on the selected
Module, click Log Switch and specify the Log File Name.
2 Select the desired Node and click Get File List. The following window appears.
FIGURE 11-20 Files Found in Selected Node Window
This window displays the list of files found in the Check Point Node you selected (see
FIGURE 11-19), including the active files. It contains three columns:
• File Name — displays the name of the file
• Date — displays the date the file was created
Note - You can sort each column by clicking the column header.
Note - You cannot fetch an active Log File. If you want to fetch an active file, you must
first close the currently active file and open a new one (see “fwm logswitch” on page
596).
4 Click Fetch Files. The Files Fetch Progress window appears showing the progress of the
file transfer operation.
FIGURE 11-21 Viewing the Progress of the File Transfer Operation
Note - You can also open the Files Fetch Progress window by clicking in the
toolbar. This button is enabled only when the file transfer operation is in progress. The
file transfer operation will continue even if the Files Fetch Progress window is closed. It
is interrupted only if you click the Abort button.
Note - You can sort each column by clicking the column header.
Menus
View Menu
TABLE 11-12 View Menu Commands
Query Menu
TABLE 11-13 Query Menu Commands
Tools Menu
TABLE 11-14 Tools Menu Commands
Window Menu
TABLE 11-15 Window Menu Commands
Help Menu
TABLE 11-16 Help Menu Commands
Update the Log File to display all new log entries and place them at the end of the
Log File.
“Showing Null Matches” on page 416
Delete all filtering criteria in the Log File.
SmartView Status
In This Chapter
Monitoring and Managing System Status
System Action
Windows Double-click on the SmartView Status icon, or choose SmartView Status from the
Window menu in the SmartDashboard window.
Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.
If you do not wish to modify a policy, check Read Only before clicking on OK.
Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49, for information how to define users on the
SmartCenter Server.
To compress the connection to the SmartCenter Server, check Use compressed connection.
Enter the text describing why the administrator wants to make a change in the security policy
in Session ID (optional). The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the
SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.
System Status
The System Status tab is divided into several sections:
• Modules Pane — view all modules and their statuses in an hierarchical tree structure.
Workstations are displayed above the modules that they manage.
• Details Pane — view the details of a selected module
• Critical Notifications — view all problematic modules
Resizing Columns
To change a column’s width in the Modules pane, drag the column’s right border in the header,
as follows:
1 Move the cursor to the column’s right border in the header.
2 Click on the left mouse button without releasing it.
3 Move the column border without releasing it.
4 Release the left mouse button.
Sorting Modules
The software components installed on a Check Point Module can be sorted in the Modules
pane. To do so, click on the column heading Module. The Modules will be resorted.
Note - The hierarchical tree structure of the Modules pane is not broken when the
modules are sorted, only the modules themselves are reordered. The Workstations do not
change places.
Icon Description
Waiting... — displayed from the time that the SmartView Status starts to run until the time
that the first status message is received. This should take no more than thirty seconds.
Connected — the Module has been reached.
Unknown — the machine cannot be reached or there is no Check Point agent installed on it.
Untrusted — Secure Internal Communication failed. The machine is connected, but the
SmartCenter Server is not the Master of the Module installed on the machine. Read more
about Masters on page 627.
No Response — there is no module installed on this machine, or the module is installed, but
it is corrupted.
OK — a Module is installed on this object and is responding to status update requests from
the SmartCenter Server.
Attention — the Module is active even though each cluster member has a problem. Despite
this, the gateway with the fewest problems and the next highest priority level is active and
working as a backup until the highest priority level gateway is restored.
Problem — a Module is installed and responding to status checks, but its status is
problematic. These problems may vary from product to product. For example, a typical
status problem message for FireWall-1 may be: “policy not installed”.
Note - The other fields that appear depend on the options you select from the Subject
and Parameter Type boxes.
Note - For information on the options in the Subject box, see “Details Window — VPN-1”
on page 447.
In the Parameter Type box, select the parameter type details you want to see. The options are:
• Current
• High Watermark
• Accumulative
Note - For information on the options in the Parameter Type box, see “Details Window
— VPN-1” on page 447.
Started — Yes, if the Module is active; No, if the Module is not active
Running Mode — the running mode of the Cluster XL Module. The possible statuses are:
• Active — the Module is running and active
• Ready — the Module is running but not active
• Standby — the Module is running and ready to become active
Note - For more about Management ClusterXL, see Chapter 17, “Management High
Availability” in the Check Point SmartCenter Guide.
Active status — whether the selected Management is the Active SmartCenter Server or the
Standby SmartCenter Server
Connected clients — the number of clients connected to the SmartCenter Server
Name — the name of the machine on which the UA WebAccess Module is installed
IP Address — the IP address of the machine on which the UA WebAccess Module is installed
Comment — descriptive text
Status — the status of the machine on which the UA WebAccess Module is installed (see
TABLE 12-3 on page 439 for more on status types)
WAM Name — the name of the UA WebAccess Module
UAG IP Address — the IP address of the UA Server
Open sessions counter — the number of sessions which are currently open
Detailed information can be displayed for each Check Point product installed on the machine.
This includes information for:
• Network Objects — see “Details Window — Network Objects” on page 445
• Clusters — see “Details Window — Clusters” on page 445
• SVN Foundation — see “Details Window — SVN Foundation” on page 445
• FireWall-1 — see “Details Window — FireWall-1” on page 446
• VPN-1 — see “Details Window — VPN-1” on page 447
• FloodGate-1 — see “Details Window — FloodGate-1” on page 451
• Cluster XL — see “Details Window — Cluster XL” on page 452
• OPSEC — see “Details Window — OPSEC” on page 453
• Management — see “Details Window — Management” on page 454
• UA WebAccess — see “Details Window — UserAuthority WebAccess” on page 454
• Policy Server — see “Details Window — Policy Server” on page 455
• Log Server — see “Details Window — Log Server” on page 455
Total virtual memory — the total amount of virtual memory in the system
Active virtual memory — the amount of virtual memory that is currently active
Total real memory — the total amount of real memory
Active real memory — the total amount of real memory that is currently active
Free real memory — the total amount of real memory that is currently free for use
Disk:
Hit Ratio (%) — the percentage of hits out of the total number of hits that were handled by the
cache
Connections inspected — the total number of connections passing through the UFP
Hits — the total number of hits passing through the cache
The following parameters apply to Hash Kernel Memory which provides details about the
memory managed by FireWall-1, as well as, System Kernel Memory which provides details
about the memory managed by the Operating System.
Total memory allocated — the total amount of memory allocated
Total memory used — the amount of memory used out of the total amount of memory
allocated
Total blocks used — the total number of memory blocks used
Allocations — the number of memory allocation operations performed
Allocation failures — the number of memory allocation operations that have failed
Frees — the number of times that memory allocations have been freed up
Frees Failure — the number of times that the memory allocation freeing operation has failed
NAT Cache —
Hits —
Misses —
Active Tunnels:
• All
Current — the number of VPN peers (Gateway or client) to which there is currently an
open IPsec tunnel. Useful for tracking the proximity to a VPN-1 Net licensing and the
activity level of the VPN-1 module.
High Watermark — the maximum number of VPN peers (Gateway or client) to which
there was an open IPsec tunnel since the Module was restarted
• RemoteAccess
Current — the number of RemoteAccess VPN users with which there is currently an
open IPsec tunnel. Useful for tracking the activity level and load patterns of VPN-1
modules serving as a remote access server.
High Watermark — the maximum number of RemoteAccess VPN users with which
there was an open IPsec tunnel since the Module was restarted
Tunnels Establishment Negotiation:
• Successful
Current — the current rate of failed Phase I IKE Negotiations (measured in seconds).
Can be used for troubleshooting denial of service under a heavy load of VPN remote access
connections.
High Watermark — the highest rate of failed Phase I IKE negotiations since the Policy
was installed
Accumulative — the total number of failed Phase I IKE negotiations since the Policy was
installed
• Concurrent
Current — the current number of concurrent IKE negotiations. Useful for tracking the
behavior of VPN connection initiation, especially in large deployments of remote access
VPN scenarios.
High Watermark — the maximum number of concurrent IKE negotiations since the
Policy was installed
Encrypted Traffic:
• Encrypted throughput
High Watermark — the maximum rate of encrypted traffic (measured in Mbps) since the
Module was restarted
Accumulative — Total decrypted traffic since the Module was restarted (measured in
Mbps)
• Encrypted packets
Current — the current rate of encrypted packets (measured in packets per second).
Encrypted/decrypted packet rate is useful (in conjunction with encrypted/decrypted
throughput) for tracking VPN usage and VPN performance of the VPN-1 module.
High Watermark — the maximum rate of encrypted packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of encrypted packets since the Module was restarted
• Decrypted packets
Current — the current rate of decrypted packets (measured in packets per second).
Encrypted/decrypted packet rate is useful (in conjunction with encrypted/decrypted
throughput) for tracking VPN usage and VPN performance of the VPN-1 module.
High Watermark — the maximum rate of decrypted packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of decrypted packets since the Module was restarted
• Encryption errors
Current — the current rate at which encryption errors are encountered by the VPN-1
Module (measured in errors per second). Useful for troubleshooting VPN connectivity
issues.
High Watermark — the maximum rate at which encryption errors are encountered by
the VPN-1 Module (measured in errors per second) since the Module was restarted
Accumulative — the total number of encryption errors encountered by the VPN-1
Module since the Module was restarted
• Decryption errors
Current — the current rate at which decryption errors are encountered by the VPN-1
Module (measured in errors per second). Useful for troubleshooting VPN connectivity
issues.
High Watermark — the maximum rate at which decryption errors are encountered by
the VPN-1 Module (measured in errors per second) since the Module was restarted
Accumulative — the total number of decryption errors encountered by the VPN-1
Module since the Module was restarted
Hardware:
• VPN Accelerator Status — the status of the VPN Accelerator
• VPN Accelerator Vendor — the name of the VPN Accelerator vendor
• Encrypted throughput
Current — the current rate of VPN Accelerator encrypted traffic (measured in Mbps).
Encrypted/decrypted throughput is useful (in conjunction with encrypted/decrypted
packet rate) for tracking VPN usage and VPN performance of the VPN-1 module with
VPN acceleration.
High Watermark — the maximum rate of VPN Accelerator encrypted traffic (measured
in Mbps) since the Module was restarted
Accumulative — total encrypted traffic since the Module was restarted (measured in
Mbps)
• Decrypted throughput
Current — the current rate of VPN Accelerator decrypted traffic (measured in Mbps).
Encrypted/decrypted throughput is useful (in conjunction with encrypted/decrypted
packet rate) for tracking VPN usage and VPN performance of the VPN-1 module with
VPN acceleration.
High Watermark — the maximum rate of VPN Accelerator encrypted traffic (measured
in Mbps) since the Module was restarted
Accumulative — total decrypted traffic since the Module was restarted (measured in
Mbps)
• Encryption errors
Current — the current rate at which VPN Accelerator encryption errors are encountered
by the VPN-1 Module (measured in errors per second). Useful for troubleshooting VPN
connectivity issues when VPN acceleration is in use.
High Watermark — the maximum rate at which VPN Accelerator encryption errors are
encountered by the VPN-1 Module (measured in errors per second) since the Module was
restarted
Accumulative — the total number of VPN Accelerator encryption errors encountered by
the VPN-1 Module since the Module was restarted
• Decryption errors
Current — the current rate at which VPN Accelerator decryption errors are encountered
by the VPN-1 Module (measured in errors per second). Useful for troubleshooting VPN
connectivity issues when VPN acceleration is in use.
High Watermark — the maximum rate at which VPN Accelerator decryption errors are
encountered by the VPN-1 Module (measured in errors per second) since the Module was
restarted
Accumulative — the total number of VPN Accelerator decryption errors encountered by
the VPN-1 Module since the Module was restarted
• General errors
Current— the current rate at which VPN Accelerator general errors are encountered by
the VPN-1 Module (measured in errors per second)
High Watermark — the maximum rate at which VPN Accelerator general errors are
encountered by the VPN-1 Module (measured in errors per second) since the Module was
restarted
Accumulative — the total number of VPN Accelerator general errors encountered by the
VPN-1 Module since the Module was restarted
IP Compression:
• Compressed packets
Current — the current rate of compressed packets (measured in packets per second)
High Watermark — the maximum rate of compressed packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of compressed packets since the Module was restarted
• Decompressed packets
Current — the current rate of decompressed packets (measured in packets per second)
High Watermark — the maximum rate of decompressed packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of decompressed packets since the Module was
restarted
• Compression errors
Current — the current rate at which VPN Accelerator compression errors are
encountered by the VPN-1 Module (measured in errors per second)
High Watermark — the maximum rate at which VPN Accelerator compression errors are
encountered by the VPN-1 Module (measured in errors per second) since the Module was
restarted
Accumulative — the total number of VPN Accelerator compression errors encountered
by the VPN-1 Module since the Module was restarted
• Decompression errors
Current — the current rate at which VPN Accelerator decompression errors are
encountered by the VPN-1 Module (measured in errors per second)
High Watermark — the maximum rate at which VPN Accelerator decompression errors
are encountered by the VPN-1 Module (measured in errors per second) since the Module
was restarted
Accumulative — the total number of VPN Accelerator decompression errors
encountered by the VPN-1 Module since the Module was restarted
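The three parameter types above (Current, High Watermark, Accumulative) and their two reset points (Module restart for most counters, Policy install for the IKE negotiation counters), as an added illustration in Python that is not code from the Check Point manual; the counter names and sample values are constructed.

```python
"""Added example: the Current / High Watermark / Accumulative parameter
types that SmartView Status shows for VPN-1 counters.

Illustration code written for this page, not Check Point's own code. The
counter names and sample values are constructed; the reset rules mirror
the text: most counters reset when the Module is restarted, while the IKE
negotiation counters reset when the Policy is installed.
"""
from dataclasses import dataclass, field


@dataclass
class StatusCounter:
    """One status parameter with its three parameter-type views."""
    name: str
    reset_on: str            # "module_restart" or "policy_install"
    current: float = 0.0     # latest rate or count
    high_watermark: float = 0.0
    accumulative: float = 0.0

    def sample(self, value: float, delta: float = 0.0) -> None:
        """Record a new sample. `value` is the Current reading (a rate such
        as packets/second, or a count such as open tunnels); `delta` is the
        amount added to the Accumulative total since the previous sample
        (e.g. packets counted in the interval). Counters that the text lists
        without an Accumulative view (Active Tunnels) simply pass delta=0."""
        self.current = value
        self.high_watermark = max(self.high_watermark, value)
        self.accumulative += delta

    def reset(self) -> None:
        self.current = self.high_watermark = self.accumulative = 0.0


@dataclass
class VpnStatus:
    counters: dict = field(default_factory=dict)

    def add(self, name: str, reset_on: str) -> StatusCounter:
        c = StatusCounter(name, reset_on)
        self.counters[name] = c
        return c

    def module_restarted(self) -> None:
        for c in self.counters.values():
            if c.reset_on == "module_restart":
                c.reset()

    def policy_installed(self) -> None:
        for c in self.counters.values():
            if c.reset_on == "policy_install":
                c.reset()

    def view(self, name: str, parameter_type: str) -> float:
        """Read one counter as the Parameter Type box would show it."""
        c = self.counters[name]
        return {"Current": c.current,
                "High Watermark": c.high_watermark,
                "Accumulative": c.accumulative}[parameter_type]


def simulate() -> VpnStatus:
    """Feed three constructed sampling intervals, then install a Policy.

    Each tuple: (open tunnels, encrypted pkt rate, pkts in interval,
    failed Phase I IKE rate, failures in interval)."""
    s = VpnStatus()
    tunnels = s.add("Active Tunnels/All", "module_restart")
    enc_pkts = s.add("Encrypted packets", "module_restart")
    ike_fail = s.add("Failed Phase I IKE negotiations", "policy_install")

    for tun, rate, pkts, fail_rate, fails in [(12, 850.0, 8500, 0.2, 2),
                                              (40, 1900.0, 19000, 5.0, 50),
                                              (25, 1200.0, 12000, 0.5, 5)]:
        tunnels.sample(tun)
        enc_pkts.sample(rate, pkts)
        ike_fail.sample(fail_rate, fails)

    s.policy_installed()   # resets only the IKE counters, not the traffic ones
    return s
```

After `simulate()`, the tunnel High Watermark (40) survives the policy install while the IKE failure counters read 0; a subsequent `module_restarted()` clears the traffic counters too.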
For more information on status types, see TABLE 12-3 on page 439.
Policy Name — the name of the QoS Policy installed
Installed At — the date and time that the QoS policy was installed
Version — the version and service pack (SP) of FloodGate-1
Number of interfaces — the number of interfaces on the FloodGate-1 module
Interface — The following fields relate to interfaces on the FloodGate-1 module. These
parameters apply to Inbound and Outbound interfaces.
Rate Limit — the maximum number of bytes that pass per second
Average Rate — the average number of bytes that pass per second
Connections — the total number of conversations
Conversations are active connections and connections that are anticipated as a result of prior
inspection. Examples are data connections in FTP, and the “second half” of UDP connections.
Pending Packets — the number of packets waiting in FloodGate-1’s queues
Pending Bytes — the number of bytes waiting in FloodGate-1’s queues
Retransmission Packets — This field is currently not implemented and its value will always
be 0.
Note - The ClusterXL options are ONLY relevant for ClusterXL, and NOT for third party
solutions.
• Active
• Stand-by
• Ready
• Down
For more information on the running mode types, see Chapter 5, “ClusterXL” in the Check
Point FireWall-1 Guide.
Interfaces — the interface(s) recognized by the FireWall module
variable (the name of the Interface)
IP — the IP address of the specified interface
Status — the status of the specified interface. The value can be Up or Down.
Verified — time (in msec) elapsed since the last inbound or outbound packet on the interface
Trusted — the interface is secured for passing internal information. The value can be Trusted,
Secured or Not Secured.
Shared — an interface whose IP address is the same for all cluster gateway members. The
value can be Unique or Shared.
Problem Notes — contains descriptions of the problem notification device
variable (the name of the Problem Note)
Status — the status of the specified problem notification. The status can be OK or Problem.
The fields mentioned above are mandatory fields that appear for every OPSEC Application
module. The OPSEC vendor may add additional fields to their OPSEC Application module’s
details.
Active status — whether the selected Management is the active or the Standby SmartCenter
Server
Connected clients — the number of connected clients on the Management
Client Name — the name of the Management Client
Administrator — the administrator who is responsible for administering the selected
Management Client
Host — the name of the Management Client host
Database locked — the name of the database which is locked
Application type — the type of application can be any of the following: SmartDashboard,
SmartView Status, SmartView Tracker, SmartView Monitor, User Monitor, Large Scale
Manager etc.
Active Update
If you are working in active mode (i.e., you specified the name of your SmartCenter Server
when you logged in to the SmartView Status), select Update Selected from the Modules
menu, or click in the toolbar. The Update Selected operation will refresh the statuses of
the objects selected in the Modules pane. If you select an application object (such as SVN
Foundation, FireWall-1, VPN-1 etc.) only that selected object status will be refreshed. However
if you select a Gateway Cluster or a Check Point Module in the Modules pane, its status will be
refreshed as well as the status of all of its modules.
Note - It is not possible to update all of the objects in the system at once. They must be
selected one at a time and be updated in the manner described above.
• Select a module in the Modules pane and its module details are displayed in the Details
pane.
Note - If you double-click on a module in the Modules pane, its Product Details window
is displayed.
• Select a Module in the Product Details window and it is also selected in the Modules pane
and its details are displayed in the Details pane.
• Select a Module in the Critical Notifications pane and it is also selected in the Modules
pane. If relevant, its details are displayed in the Product Details window.
This synchronization allows you to keep track of any object and have it displayed in each of
the different views.
System Alert
System Alert enables you to predefine the conditions for which you can get a warning or an
alert for certain critical situation updates. For example, if free disk space is less than 10%, or if a
security policy has been changed.
FIGURE 12-4 The SmartView Status Main Screen — System Alert Tab
You can define system alert parameters for the following Check Point products:
• FireWall-1
• FloodGate-1
• SmartCenter Server
• SVN Foundation
Resizing Columns
For information on how to change a column’s width, see “Resizing Columns” on page 437.
Sorting Modules
For information on how to sort the modules, see “Sorting Modules” on page 438.
Free disk space less than — free disk space is lower than the specified value. Enter the desired
value.
Note - An alert can only be set if the SmartCenter Server has been configured for
ClusterXL.
3 Select the module whose system alert properties you want to custom-define. When you
select a module in the Modules pane, the corresponding tab is automatically selected in the
Network Object System Alert Definition pane.
4 Define system alert parameters as desired (see “Defining System Alert Parameters” on page
459) and click Apply.
Find
The Find window enables you to find specified text strings or IP addresses in the SmartView
Status GUI. To access the Find window, click in the toolbar, or select Find from the
Tools menu.
You can reverse the direction of the Find operations, by selecting Up or Down.
Alerts
The window applies only to VPN-1/FireWall-1. Alert commands are specified in the
Popup Alert Command field in the Log and Alert page of the Global Properties window in
the SmartDashboard. For more information, see Chapter 7, “Global Properties.”
To view the alerts, choose Alerts from the Tools menu, or click on in the toolbar. The
Alerts window is displayed.
To play a sound when an alert is received, check Play system Default beep sound.
To automatically display the Alerts window the next time an alert is received, check Display
Alerts window when an alert pops up.
To delete selected alerts, select the alert(s) and then click on Delete.
Note - Alerts are sent by VPN/FireWall Modules to the SmartCenter Server. The
SmartCenter Server then forwards these alerts to all the SmartView Status applications
connected to the SmartCenter Server at that moment.
Disconnecting a Client
The SmartView Status allows you to view the clients that are connected to the SmartCenter
Server. If you have the correct permissions, you can choose to disconnect one or more of the
connected Management Clients.
Field Description
Administrator the administrator who is responsible for administering the
selected Management Client
Host the name of the Management Client host
Client Name the name of the Management Client
Database Lock describes the state of the database. The two options are:
• Locked
• empty (unlocked)
2 Select the Management Client you want to delete and click Disconnect
Note - You can only delete a client if you have the proper permissions.
Menus
File Menu
TABLE 12-6 File Menu Commands
View Menu
TABLE 12-7 View Menu Commands
Modules Menu
TABLE 12-8 Modules Menu Commands
Products Menu
TABLE 12-9 Product Menu Commands
Tools Menu
TABLE 12-11 Tools Menu Commands
Window Menu
TABLE 12-12 Window Menu Commands
Help Menu
TABLE 12-13 Help Menu Commands
Modules > Collapse All — Collapse all the objects within their respective Workstations and
Clusters in the Modules Tree.
Products > SVN Foundation — Display the SVN Foundation window.
System Alert > Global System Alert — Display the Global System Alert Definition window.
System Alert > Start System Alert Daemon — Start the system alert monitoring mechanism.
System Alert > Stop System Alert Daemon — Stop the system alert monitoring mechanism.
Note - The Check Point product icons are enabled only for those products you are
licensed to use.
User Monitor
In This Chapter
System Action
Windows Double-click the User Monitor icon, or choose User Monitor from the Window
menu in the SmartDashboard window.
X/Motif Run /opt/CPclnt-50/bin/UserMonitor
Viewing SecureRemote Users
Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.
If you do not wish to modify a policy, check Read Only before clicking on OK.
Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49, for information how to define users on the
SmartCenter Server.
Using Queries
Creating a query most suitable to your requirements is crucial for obtaining relevant and precise
information. The User Monitor provides you with a comprehensive set of filters which makes
the query definition process user-friendly and highly efficient.
Defining a Query
To open the Query Editor pane, click in the toolbar or choose Query Editor from the
View menu.
3 Use Add and Remove buttons to create the list of the relevant Policy Servers in the Filtered
Policy Servers field.
Running a Query
To run a query, do one of the following:
• highlight the query and click in the toolbar, or
• highlight the query and choose Run from the Query menu, or
• right-click on the query and select Run from the menu, or
Editing a Query
To edit a query, do one of the following:
• highlight the query and click in the toolbar, or
• highlight the query and choose Edit from the Query menu, or
• right-click on the query and select Edit from the menu.
Saving a Query
To save a query, make sure it is opened and do one of the following:
• highlight the query and click in the toolbar, or
• highlight the query and choose Save from the Query menu, or
• right-click on the query and select Save from the menu.
Renaming a Query
To rename a query, do one of the following:
• highlight the query and choose Rename from the Query menu, or
• right-click on the query and select Rename from the menu, or
• left-click on the query and enter the new name.
Deleting a Query
To delete a query, do one of the following:
• highlight the query and choose Delete from the Query menu, or
• right-click on the query and select Delete from the menu, or
• highlight the query and press the Delete button.
Exporting a Query
The User Monitor allows you to export a query in text format (with the extension .xfw),
compatible with MS Excel. To export a query, proceed as follows:
1 Highlight the query and choose Export from the Query menu or right-click on the query
and select Export from the menu.
The Export Data Results window is displayed.
2 Enter the exported file name.
Sorting Results
The User Monitor provides you with multiple options for sorting query results.
To sort query results, proceed as follows:
1 Click Advanced Sort in the Query Editor to display the Dialog window.
2 Define the primary, secondary and tertiary sorting option by selecting the appropriate value
from the drop-down lists.
3 Choose the order in which the entries will be displayed by selecting Ascending or
Descending.
Dynamically Assigned
IP Addresses
In This Chapter
Overview
Both VPN/FireWall Modules and FloodGate-1 modules (both gateways and hosts) can have a
dynamic IP address (for example, an IP address assigned by DHCP or some other
mechanism) rather than a fixed IP address.
See also “rs_db_tool” on page 563.
Network Address Translation (NAT) can be performed on Dynamic Objects. A manual NAT
rule must be created in the NAT Rule Base, and the Dynamic Object can be used in both the
original and translated packet.
DAIP Module IP Address
2 Install the VPN/FireWall and/or FloodGate Module software on the DAIP machine.
See Chapter 4, “Installing and Configuring VPN-1/FireWall-1” of Check Point Getting
Started Guide for information on how to install VPN/FireWall Module software on a DAIP
machine.
Note - The following steps are all performed on the SmartCenter Server.
3 Define the DAIP Module as described below (see “Defining a Module with a Dynamic IP
Address”).
4 Generate the license for the DAIP.
In the User Center (http://www.checkpoint.com/usercenter), generate a Central license for
the DAIP Module (a Local license would become unusable when the IP address of the DAIP
Module changes). Licenses are stored centrally on the SmartCenter Server.
5 Install the DAIP Module license using Secure Update.
6 Define the Policy.
7 Install the Policy on the DAIP Module from the SmartDashboard (Policy > Install).
Alternatively, you can fetch the Policy from the DAIP Module using the fw fetch
command (see “Installing a Policy” on page 482 for more information).
Note - Before you begin this procedure, make sure the DAIP Module is accessible.
If Dynamic Address is checked, then IP address is disabled and the following are
automatically selected under Check Point Products:
The interface information will be fetched from the DAIP Module, and displayed in the
Topology page.
8 Select the interface whose IP address is dynamically assigned and click Edit.
Note - The dynamically assigned IP address usually belongs to the external interface, and
the IP addresses of the internal interfaces are fixed.
10 Specify the VPN (if needed) in the VPN page of the DAIP Module’s Gateway Properties
window.
For a Module with a dynamic IP address, the allowed parameters are:
• the IKE encryption scheme with Public Key certificates
• internal certificates
11 You can install a Policy on the DAIP Module either from the SmartCenter Server or from
the DAIP Module. For more information, see “Installing a Policy” on page 482.
If you choose to install the Policy from the DAIP Module (by fetching it from the
SmartCenter Server), specify how frequently a Policy should be fetched in the Masters page
of the Check Point window (see “Check Point window — Masters page” on page 197).
Installing a Policy
You can install a Policy on the DAIP Module in either of two ways:
• installing it from the SmartCenter Server to the DAIP Module
Select Policy > Install from the menu. VPN-1/FireWall-1 will verify, compile the Policy,
and install the Policy on DAIP Modules.
• fetching it to the DAIP Module from the SmartCenter Server
On the Module, use the fw fetch command (see “fwm fetch” on page 560).
Configuring a VPN
A DAIP Module can open a VPN tunnel to another machine (but not to another DAIP
Module). The VPN tunnel and all encrypted connections must be initiated by the DAIP
Module, not by the VPN peer.
Note - It is recommended that you use the simplified VPN mode, in order to avoid the
need to manually define VPN rules (as described here). This section describes how to
configure a VPN using the “classic” mode.
Two Encryption rules are required to define encryption between a DAIP Module and another
machine. For example, suppose London is a VPN/FireWall Module and BigBen is a DAIP
Module. Then the following two rules are needed (FIGURE 14-1).
FIGURE 14-1 Encryption rules for DAIP Module
The first rule (installed on BigBen) enables encryption from London. Note that:
The source object (LocalMachine) is a dynamic object that is automatically resolved on each
DAIP Module (that is, it is not necessary to run the dynamic_object command).
Note - This is the only context in which a DAIP Module (for example, BigBen) can be used
in a rule’s Source or Destination.
Column        Value
Source        Any or a specific subnet. Use Any when you do not know the IP
              addresses of the DAIP Modules. Specify a subnet when you have
              more specific knowledge about the IP address of the Modules (for
              example, the network from which these addresses will be
              allocated).
Destination   The SmartCenter Server and/or the Logging Server, as relevant
Service       CPD, FW1_ica_pull (pulling certificates), FW1_log (logging)
DHCP Connections Between the DAIP Module and the DHCP Server
1 To enable DHCP communications between the DAIP Module and the DHCP Server (for
example, when the DAIP Module’s lease expires), do either one of the following:
• In the Implied Rules page of the Global Properties window, check Accept dynamic
address gateways’ DHCP traffic, or
• define a rule in the SmartDashboard as shown in TABLE 14-2.
Column        Value
Source        DAIP Module and DHCP Server
Destination   DAIP Module and DHCP Server
Service       dhcp-req-localmodule and dhcp-rep-localmodule
Install On    The DAIP Module
Note -
• There should be no other FireWall Module between the DAIP and the DHCP Server.
• The above rule does not accept DHCP services to the network behind the DAIP Module.
Virtual Links
Overview
A Virtual Link is a path between two Check Point VPN/FireWall or FloodGate Modules.
Virtual Links are defined in the SmartDashboard, and can be given Service Level Agreement
(SLA) parameters. They can then be monitored using Check Point SmartView Monitor.
For information on monitoring a Virtual Link, see the Check Point SmartView Monitor User Guide.
3 In the General tab of Virtual Link Properties window, define the general parameters of
the Virtual Link.
For information about the fields in the General tab, see “Virtual Link Properties Window —
General Tab” on page 488.
4 In the SLA Parameters tab of Virtual Link Properties window, define the SLA parameters
to be monitored.
Virtual Link Windows
For information about the fields in the SLA Parameters tab, see “Virtual Link Properties
Window — SLA Parameters Tab” on page 489.
Note - At least one SLA threshold must be defined for every Virtual Link.
5 Click OK.
The Virtual Link and its SLA Parameters have been defined.
6 Open the Global Properties window by choosing Global Properties from the Policy
menu.
7 Specify Log and Alert parameters in the Log and Alert page of the Global Properties
window.
For information about the Log and Alert page, see “Global Properties Window — Log and
Alert Page” on page 490.
8 Click OK.
To edit the selected Virtual Link, click Edit and redefine the desired parameters in the General
and SLA Parameters tabs. You may go directly to these tabs by double-clicking the name of the
Virtual Link in the SmartDashboard Objects Tree.
When you close the SmartDashboard, you will be asked if you wish to save the changes you
made.
Note - Virtual Link Monitoring is implemented using the E2ECP service, a Check Point
protocol. Make sure there is a rule on each of the Virtual Link gateways that allows the
E2ECP service between them.
Enable Virtual Link Monitoring — Specify whether or not it will be possible to monitor the
Virtual Link.
If this option is not selected, you will not be able to monitor the Virtual Link using Check
Point SmartView Monitor. The link will not appear in the Monitored Virtual Link list in the
Module Selection tab of the Session Properties window.
Note - “Inform...” in this tab refers to the SLA Violation track option specified under
Track Options in the Log and Alert page of the Global Properties window (see “Global
Properties Window — Log and Alert Page” on page 490).
Log SLA Statistics — Specify whether or not SLA discrepancies will be logged in the Check
Point SmartView Tracker.
The frequency with which SLA statistics will be logged is specified by Virtual Link statistics
logging interval in the Log and Alert page of the Global Properties window (see “Global
Properties Window — Log and Alert Page” on page 490).
For information regarding the SmartView Tracker, see Chapter 11, “SmartView Tracker”.
SmartMap
Introduction to the SmartMap
Security Policy rules can be displayed in the SmartMap View. This rule display is an important
tool in monitoring security, since the direction (the source and destination) as well as the action
(accept, encryption, etc.) are illustrated. Showing the impact of policy rules enables the security
manager to validate the intent and integrity of the policy; it ensures that the intent of the
security manager and the actual effect of the policy are one and the same.
Network Objects
OPSEC Applications
OPSEC applications installed on a network object are indicated in the SmartMap View.
Networks
Private IP address ranges defined in the NAT page of the Global Properties window (see
“Private Address Ranges” on page 280) are identified as such in the SmartMap View.
Note - When the SmartMap View is disabled, its menus and commands are not displayed
and no topology calculations are performed.
To dock the SmartMap window, right-click inside the window and select Docked View from
the menu.
Modes
The SmartMap View consists of various working modes. These modes are task specific. The
most common mode is Select Mode. The other modes provide functionality specific to certain
tasks. Each mode has its own specific cursor. For a summary of the cursor modes, see “Cursor
Modes” on page 536.
Select Mode
Select Mode is the default mode. Select Mode enables you to select an area including any object
or group in the SmartMap View. To use the Select Mode, proceed as follows:
1 Select Select Mode from the SmartMap menu, or click in the toolbar.
Drag selected network object(s) to relocate them anywhere in the SmartMap View.
Note - You can revert to Select Mode from any other mode by clicking the Esc key.
Zoom Mode
Zoom Mode enables you to magnify the SmartMap View. To use the Zoom Mode, proceed as
follows:
1 Select Zoom Mode from the SmartMap menu, or click in the toolbar.
2 Click anywhere in the SmartMap View and drag the mouse. As you drag the mouse a
rectangular select-box is displayed. Enlarge the select-box until the area that you wish to
magnify is enclosed in the select-box.
All the nodes and edges that are cut by the select-box will be magnified in Zoom Mode.
Zoom Options
There are several Zoom options in the SmartMap View. These options are summarized in
TABLE 16-1.
Zoom In
The Zoom In command magnifies the topology map. To Zoom in, do any of the following:
• Click in the toolbar.
• Select Zoom In in the SmartMap menu.
• Press the plus sign [+] on your keyboard.
See also “IntelliMouse Support” on page 496.
Zoom Out
The Zoom Out command reduces the topology map. To Zoom Out, do any of the following:
• Click in the toolbar.
• Select Zoom Out from the SmartMap menu.
• Press the minus sign [-] on your keyboard.
See also “IntelliMouse Support” on page 496.
These options can be accessed from Topology > Zoom > any submenu:
IntelliMouse Support
Use the IntelliMouse scroll wheel to:
• scroll up or down the SmartMap View using the scroll wheel
For more advanced scrolling, click the scroll wheel once to pan the SmartMap View in all
directions.
• Zoom In or Zoom Out of the SmartMap View
Click the Ctrl key and either scroll up (to zoom in) or scroll down (to zoom out).
2 Click at the point in the SmartMap View where you would like your new network object
to be created.
The network object’s Properties window is displayed.
3 When your new network object is saved and closed, you are prompted to create another
new network object.
Navigator Window
The Navigator window is a secondary window which displays an overview of the SmartMap
View. The Navigator window consists of a moveable selection box. As you move or resize the
selection box in the Navigator window, the SmartMap View is adjusted to reflect the changing
selections. Each time the Navigator window is closed, its state (size and position) is saved, and
the next time that it is accessed it opens according to the saved coordinates.
The selection box can also be adjusted to Zoom In or Zoom Out of the SmartMap View:
• To increase the selection to include more of the SmartMap View, (in other words, to Zoom
Out to a larger selection of the SmartMap View), enlarge the selection box by dragging it
outwards by its handles.
• To decrease the selection, (in other words, to Zoom In to a more specific part of the
SmartMap View), decrease the selection box by dragging it inwards by its handles.
• To toggle the Navigator window, select Topology > View Navigator (when the SmartMap
View is the active view), or click in the SmartMap View toolbar.
When any adjustment is made to the selection box, it is immediately reflected in the SmartMap
View.
Arrange Styles
The Arrange styles determine how the network objects are placed within the SmartMap View.
The SmartMap View can be arranged in two Arrange styles: hierarchic layout and symmetric
layout.
To optimally arrange the entire topology map, with the currently selected Arrange style within
the whole SmartMap View window,
• select Arrange > Global Arrange from the SmartMap menu, or
• click in the Topology toolbar.
To arrange a selected area of the topology map, with the currently selected Arrange style, within
the whole SmartMap View window,
• select Arrange > Incremental Arrange from the SmartMap menu, or
• click in the Topology toolbar.
Symmetric Layout
Symmetric layout arranges the topology map with a loose organization of the nodes extending
from the network objects. This type of layout of the topology map resembles star and ring
structures. To use Symmetric layout, proceed as follows:
In the SmartMap menu > Customization > Arrange Styles, select Symmetric Layout. The
topology map is arranged by the SmartMap.
Hierarchic Layout
Hierarchic layout arranges the topology map in a pseudo-hierarchical structure. In this type of
layout the topology map resembles a tree graph. To use Hierarchic layout, proceed as follows:
In the SmartMap menu > Customization > Arrange Styles, select Hierarchic Layout. The
topology map is arranged by the SmartMap.
Note - When the SmartMap View is hidden or inactive, all of its menus and commands are
disabled; however, topology calculations do continue.
Customization Options
The Customization options allow you to customize several attributes of the SmartMap View.
These include the customization of network object and selection specification, the definition of
tooltips, as well as arranging styles (whether the SmartMap View is hierarchic or symmetric).
To customize the SmartMap View attributes, select Customization from the SmartMap menu.
The Topology View Options window (FIGURE 16-3) is displayed.
This tab defines what happens when the topology map is redrawn as a result of changes to the
topology.
Do not rearrange any objects — Objects will not be rearranged, but edges will be redrawn
if necessary.
Rearrange only changed objects — Only changed objects will be rearranged.
Rearrange the entire map — The map will be completely redrawn, and all objects will be
rearranged as necessary.
Select the information about the network object that will be displayed when the cursor passes
over the object.
To cancel a tooltip, uncheck the specified fields, or click Clear All to uncheck all the fields.
FIGURE 16-6 Tooltip customized information — example (fields shown: Object Name, IP Address, Comment)
Note - Use the example of the topology map next to the Arrange Styles options to help
you decide which Arrangement suits you best.
Zoom level — Scale the printout according to the specified zoom level. The default zoom level
displayed here is the zoom level currently set in the SmartMap View.
Current zoom level — Scale the printout according to the zoom level currently set in the
SmartMap View.
Check any of the following options:
• Print page numbers — Include pages numbers on all pages of the topology map printout.
• Print border — Print a border around the topology map printout.
• Print crop marks — Display all crop marks on the topology map printout.
• Print caption — Include a caption on the topology map printout, enter the text in the
Caption text box.
Margins — Specify the size of the margin (from the edge of the page until the border if
specified, or until the beginning of the topology map diagram) in inches.
Export to Visio
To export the topology map to Visio, select Topology > Export > Visio. The Export to Visio
window is displayed.
FIGURE 16-8Export to Visio window
You can export any of the information in the following fields by checking Use. To display this
exported information on the exported Visio drawing check Display Label.
• Object Name
• Object IP
• Net Mask
Folder options
Export topology with all folders expanded — Expand all folders in the SmartMap View
during the export operation. All objects in the SmartMap View will be displayed.
Export every locale to a separate page — Export each locale to a separate page.
Keep current network objects arrangement — Save the current arrangement of network
objects on the topology map diagram.
Use SmartMap icons — When exporting the topology map to Microsoft Visio, use the default
Check Point Visual Policy icons.
Use Visio export stencil — Select the Visio export stencil that includes predefined Visio icons.
Edit Icons — If you would like to customize the predefined Visio icons, click Edit Icons.
Use color of SmartMap objects — Keep the colors specified for the SmartMap network
objects.
Additional Information
Display date of export on the Visio drawing page(s) — Display the date of the export
operation on the image exported to Visio.
Visio page label — Specify a title or comment on the exported Visio page.
Visio export stencil file directory — Click Browse and select a directory in which the Visio
export stencil will be saved.
Image Type — Select the image type (and compression level) to be used when you export the
topology map.
Image Size
Adjust to actual size — The size of the exported image will be the size of the full topology
map, including the parts that are not currently displayed.
Fit to — Resize the image in the exported file while maintaining the aspect ratio.
Folder Options
Expand all folders before export — Expand all folders in the SmartMap View during the
export operation. All objects in the SmartMap View will be displayed.
Export every locale to a separate page — Export each locale to a separate page.
Additional Information
Display date of export on the image(s) — Check to display the date of the export operation
on the image file.
Image label — Specify a title or comment on the exported image file.
File name prefix — Specify a prefix that will be used for saving multiple image files. Note that
the prefix is not the name of the created file.
Image file(s) directory — Click Browse and select the directory in which the image file will
be saved.
Open exported image(s) — Open all image files, once exported (using the registered file
viewer for the image type).
Print exported image(s) — Print all exported images.
Note - A warning will be displayed if you attempt to remove an object that is part of a
Security Policy (or QoS Policy) rule. If you ignore the warning, the object will still be
removed and the SmartMap View will be adjusted accordingly.
• when network objects, OSE Devices and Embedded Devices are created and/or modified,
their edge is connected to the smallest existing network that suits their IP address and net
mask (if they are defined).
If an object is connected to a network and a smaller network is subsequently defined, the
object is relocated to the smaller network.
• larger networks are automatically connected to smaller networks, unless there is more than
one equal network to which it can be connected, or unless the network chains are
conflicted.
FIGURE 16-10 Large networks are automatically connected to smaller networks
A menu is displayed.
2 Select Connect > Containing Network from the displayed menu.
The Resolve by List window is displayed.
3 Select the viable containing network of your choice from the Viable Networks list
box in the Resolve by List window, and click Connect.
The contained network is reconnected to the containing network and rejoins the
containment chain.
Note - Topology objects, or objects created by the SmartMap View, such as clouds and
implied networks, etc., cannot be defined as protected objects. They cannot be included
in any group, nor can they be pasted into the SmartDashboard Rule Base.
Internet objects have no properties; therefore, they cannot be edited. The color and name of
Connectivity Clouds can be modified.
Multiple Internet and Connectivity Clouds can be defined. Multiple Internet objects are
inherently linked and inextricable from one another, even if visually they seem to be separate.
Note - You can also create a Connectivity Cloud by connecting two or more networks, for
more information, see “Connecting Multiple Networks to a Single Connectivity Cloud” on
page 513.
Creating an Internet
To create an Internet, select New Internet from the SmartMap menu. The new Internet is
displayed.
Note - There will always be at least one Internet Cloud in the SmartMap View. This
Internet object cannot be removed.
If there is only one Internet in the SmartMap View and the user wants to connect a network to
the cloud, a line will automatically be drawn connected to that cloud.
Even if there is only one Connectivity Cloud in the SmartMap View, the user has to manually
connect the network to the cloud, by the process outlined in step 1-step 3 below.
More Than One Internet Object and/or Connectivity Cloud in SmartMap View
If there is more than one Internet and/or Connectivity Cloud in the SmartMap View, you can connect a
network to any of the Internet objects/clouds by declaring an edge between the network and
the Internet/cloud. To do so, proceed as follows:
1 Right-click the network that you would like to connect to an Internet object/cloud.
2 Click Connect to > Internet to connect the network to the Internet. Click Connect to >
Connectivity Cloud to connect the network to the Intranet.
3 Click the Internet object or Connectivity Cloud of your choice. A line is drawn from the
selected network to the Internet or Connectivity Cloud.
Note - You can delete the edge that has just been added between a network and a
Cloud. To do so, right-click the edge and select Remove.
Implied Networks
An implied network is created when an interface of a gateway or host, or any other object, is
defined and there is no viable network to match it; in this case all the existing objects that need
a suitable network are connected to the implied network. The implied network is an
automatically generated network to which the new interface is connected. The implied network
is named by its IP address and it is marked by a network-type structure and a superimposed “i”,
see FIGURE 16-14. It is Read Only and can only be edited if it is made into a real network;
see “Turning an Implied Network into a Real Network” on page 514.
FIGURE 16-14 Implied Networks are identified by a SmartMap View-generated IP address and
a superimposed “i”.
Ambiguous Networks
When a new machine (such as a network object, router or OSE device) is defined, the
SmartMap assigns that object to an existing network on the SmartMap View. If there is more
than one valid network available, the SmartMap indicates this by connecting the network object
to a question mark, see FIGURE 16-16.
FIGURE 16-15 The Ambiguous network
This question mark is a placeholder for the network to which the object should be connected
and it signals that you must resolve the network object with one of the existing viable networks.
The network placeholders are commonly known as “ambiguous” or “?” networks. All
ambiguous networks and objects are gathered in a folder, which is labelled “Objects to
Resolve”, see FIGURE 16-17. This folder is always displayed in the SmartMap View, even if
there are no network objects to be resolved.
Note - Gateway Cluster objects are the only objects that may be connected to an
ambiguous network but which are not gathered in the “Objects to Resolve” folder.
The network object remains unresolved until it is matched to a viable network. For more
information on the way networks are resolved, see “Containing and Contained Networks” on
page 509.
FIGURE 16-16 The Ambiguous network folder: Figure A — with unresolved objects; Figure B
— empty
Resolve by List
To Resolve by List, proceed as follows:
1 Double-click the ambiguous network.
The Unresolved Interface Properties window is displayed, or,
2 Right-click the unresolved network object.
A right-click menu is displayed.
3 From the right-click menu, select Resolve by List. The Unresolved Interface Properties
window is displayed.
FIGURE 16-17 The Unresolved Interface Properties window
Note - The connection drawn between the selected viable network and the network object
is an editable connection and can be removed. To remove the connection, right-click it,
and select Disconnect from the displayed menu.
Resolve by Map
To resolve an unconnected network object, proceed as follows:
1 Select the ambiguous network.
2 Select Resolve by Map from the right-click menu.
The valid networks are highlighted within the SmartMap View. For enhanced visibility, the
highlighted networks may blink for a few seconds. If the viable networks are contained
within a folder, the folder will blink several times. This feature will help you to peel the
folder layers until you find the viable network.
Note - You can edit the default highlight color in the “SmartMap View Options — View
Options Tab” on page 501.
3 Select the network to which you would like to join the unresolved object.
A line will be drawn between the network object and the viable network that you have
selected.
Topology Collapsing
Topology collapsing, often referred to as folding, facilitates the use of the topology map by
expanding or collapsing topology structures. This collapsing mechanism simplifies the topology
map, by ridding it of visual clutter, but still preserving its underlying structure. The folding
mechanism allows you to collapse certain topology structure types. The folders can be created at
the following points along the topology map:
• on an edge that is an interface, as well as all the objects behind it.
• on any network. If there are no hosts or containing networks the network cannot be
collapsed.
• on any gateway and its locales
• on any locale
• unresolved hosts — All network objects that are ambiguous are automatically collapsed into
a special folder labelled Objects To Resolve.
• external objects — All hosts which have no networks to which they can be connected
(because they do not fit into any network’s IP address range) as well as any standalone
networks, are automatically collapsed into a special folder labelled External Objects (except
CP installed objects).
The folder can be collapsed or expanded at any of these locations, to hide or display the
underlying network structures within the crease of the fold.
2 Select Hide Contents from the displayed menu, or double-click inside the folder.
The topology folder is collapsed and all the network objects in the folder are hidden from
sight.
Note - Topology objects, or objects created by the SmartMap View, such as clouds and
implied networks, etc., cannot be defined as protected objects. They cannot be included
in any group, nor can they be pasted into the SmartDashboard Rule Base.
2 Place the cursor in either the Source, Destination or Install On column of the
SmartDashboard.
3 Right-click in the chosen column. Select Paste from the right-click menu.
The selected object(s) are pasted into the Rules tab.
Note - Topology objects (that is objects declared by the SmartMap View; for example
clouds and implied networks, etc.) cannot be pasted into the SmartDashboard.
Note - You can also drag folders to the Rule Base and save the members of the folder as
a Group object, for more information, see “Adding the Contents of a Topology Folder to
the Rule Base” on page 521.
Show Objects
This feature enables you to track objects on the topology map. You can choose to show objects
in the topology map, from any of the following places:
• from the Rule Base
• from the Network Objects Manager
• from the Objects Tree
• from the Objects List
When you choose to show a selected object, it is displayed in the following manner:
• The selected object is highlighted in the SmartMap View.
• The highlighted object will blink for several seconds. In a very complex network topology,
this blink enhances visibility, and allows you to find the selected object with ease.
Note - If the selected object is to be found within one or more folders, the folder will
blink for several seconds. Each consecutive folder layer will blink until all the folder layers
have been peeled and you find the selected object that you chose to show.
3 Click Show.
The selected object will appear highlighted in the SmartMap View.
The colors used in the Show Rule operation are displayed in the Rule Color Legend window.
The action is represented by green arrows. These arrows also demonstrate the direction of the
rule.
Note - Only Security Policy rules, can be shown in the SmartMap View.
Rule Exceptions
The rules mentioned below are mapped and displayed in a specific manner:
• Source — Where the Source is Any, the rule is mapped out along the SmartMap View
from the Install On to the Destination.
• Destination — Where the Destination is Any, the rule is mapped out along the SmartMap
View from the Source to the Install On.
• Any — where both Source and Destination are Any, only the paths between the Install Ons
are shown.
Note - When rules are shown in the SmartMap View, the “Any” value is represented by the
icon at the base or the head of the arrow, to indicate that the Source or Destination,
respectively, is Any.
Note - You can use the Esc key, or else you can click anywhere in the SmartMap View to
clear a rule shown in the SmartMap View.
Note - The more complex the network topology, the longer the Show Rule operation may
be.
3 Additionally, an Advanced button is displayed in the upper left hand corner of the
SmartMap View. Click this button to display the Show Rule Control window. In this
window you can specify how you would like the selected rule to be read.
FIGURE 16-22 Show Rule Control
Show All Paths — Show all the valid paths from all the Source objects to all the Destination
objects.
Show All Paths between selected Pair — Show all the valid paths between the selected source
object and the selected destination object:
Source — Select the source object from the drop-down list.
Destination — Select the destination object from the drop-down list.
Page Between Paths — View (one at a time) all the paths between the source objects and the
destination objects where there is more than one valid path between the objects.
While you are paging between the paths, you can go to a previous path by clicking Back, or
you can move forward to the next path by clicking Next.
Rule Analysis
If an Install On object is specified, the Rule Analysis field is marked by . In this case, the
Details window is not accessible.
If no Install On object is specified, the Rule Analysis field is marked by . Click Details to
get an in depth rule analysis explanation.
Calculations
If a host has an IP address that is not included in any of the defined networks’ IP address
ranges, the host will be added to the external objects folder.
• hosts — have a general IP address, as well as one or more defined interfaces.
Hosts with interfaces are dealt with in the same manner as gateways.
• Gateways (and hosts with interfaces) — any Gateway and host with at least one defined
interface, is connected according to its interfaces and not according to its general IP address.
Since an interface's definition includes both an IP address and a net mask, it uniquely
identifies the parameters of the network to which it should connect. If such a network is
found, the corresponding interface is connected to it. If no network with those parameters
is defined in the system, the SmartMap automatically generates such a network, for more
information see “Implied Networks” on page 514. If more than one network in the system
has those same parameters, the interface's connection is ambiguous until manually resolved,
for more information see “Ambiguous Networks” on page 515.
The SmartMap generated topology consists of two possible types of connections, fixed (non-
editable) connections and manual (editable) connections:
• Fixed connections — exist between objects whose topology can be deterministically
calculated. These connections can only be changed if the objects connected by them are
edited. A fixed connection can be made into an editable one, if other objects are added or
modified. For example, if a host is uniquely connected to a network and later an identical
network is defined, the host's connection will be changed from a fixed connection to an
editable one to allow for the host to be moved from the one network to the other.
• Editable connections — can be created automatically by the SmartMap by adding or
modifying objects, such as by modifying the connection between contained and containing
networks, or they can be defined manually by the user. For example, when ambiguous
networks are resolved, or when networks are connected to the Internet, or to other
networks (either by a containment relation or using a connectivity cloud), these
connections can be disconnected by right-clicking on the connecting edge and selecting
Disconnect.
Note - A protected objects group can be defined for any of these objects. For more
information, see “How to Define Protected Objects as Group” on page 532
1 Select the object for which you would like to calculate the Topology information in any of
the following places:
• SmartMap View
• Objects Tree
• Objects List
Approve All — click Approve All to automatically approve all Topology calculation results
without comparing, contrasting and approving each result individually. (As can be done if you
click Approve).
Show Addresses — shows the selected objects which correlate to the specified interface in the
SmartMap View.
View Group — view the objects in the specified group.
The Current definition, or the currently specified Topology information is contrasted with the
Calculation result, or the modified Topology information that results from the topology
calculation. The following information is compared:
Whether the interface is External or Internal.
Note - You can define protected objects as a group for any of the following objects:
Gateway Clusters, OSE Devices, Embedded Devices and Gateways (on which FireWall-1 is
installed and which have two or more defined interfaces).
The group of protected objects can be selected as the VPN Domain in the Manually
Defined field of the Topology page of the network object’s Properties window.
The Helper consists of a series of windows which guide you through the resolution of the
related connectivity task. Each connectivity task includes an introductory screen which describes
the nature of the specified task, as well as presents the manner in which the task can be solved.
To use the Helper click Back to revert to the previous step, or click Next to continue to the
following step. When you have filled out all the required information, you are required to click
Finish. To exit the Helper click Close.
If there are any connectivity tasks to be performed, appears next to the related tasks, if
there are no connectivity tasks to be performed, appears next to the related connectivity
task.
Note - Some network systems may require duplicated networks. Consider the needs of
your system before modifying duplicated networks.
To solve duplicated networks, you can modify the shared IP Addresses and Net Mask, so that
each IP Address is unique. Duplicated networks can be resolved in the SmartMap Helper —
Duplicated Networks window, see FIGURE 16-25. Alternately, you can elect to delete the
duplicated networks.
IP Addresses — duplicated IP Addresses and Net Masks are listed in the IP Addresses list box.
Existing Networks — the network objects which share the IP addresses and Net masks listed in
the IP Addresses list box, are displayed in the Existing Networks list box.
Show — to show the selected objects in the SmartMap View. In the SmartMap View, right-
click the highlighted object and click Edit from the displayed menu to give the network a new
IP Address.
If you make any changes to the topology of the duplicated networks listed in the Existing
Networks list, the refresh button is enabled. Click this button to refresh the Existing
Networks list.
Cursor Modes
TABLE 16-4 Cursor Modes
TABLE 16-5
Management
High Availability
In This Chapter
Overview
High Availability for SmartCenter Servers allows the administrator to dramatically reduce the
window for planned downtime and offers unprecedented levels of SmartCenter Server’s uptime
and access.
Implementing Management High Availability guarantees that at any given time one
SmartCenter Server is active while the others are in standby mode. Data synchronization across
all the SmartCenter Servers greatly improves fault tolerance and enables the administrator to
seamlessly activate a standby SmartCenter Server when required.
Restrictions
• Both the Primary and Secondary SmartCenter Server must run the same operating system
(e.g. both Windows NT or both Solaris).
• Management High Availability is only supported in a distributed configuration, that is the
Primary Server and a VPN/FireWall Module should not be installed on the same machine.
[Figure: Management High Availability configuration. Labels in the diagram: VPN/FireWall
Module (London), VPN/FireWall Module (New York), VPN/FireWall Module (Paris), Internet,
Primary Management Server, Eiffel.]
In the configuration above, BigBen is the Primary SmartCenter Server located behind London,
while Eiffel and Liberty serve as Secondary SmartCenter Servers for Paris and New York,
respectively. If BigBen fails, either Eiffel or Liberty should take over. To achieve this, proceed as
follows:
1 Install the Check Point SmartCenter Server on BigBen and configure it as the Primary
SmartCenter Server.
2 Install the Check Point SmartCenter Server on Eiffel and Liberty and configure them as
Secondary SmartCenter Servers.
Note - The Secondary SmartCenter Servers are all Certificate Authorities, but not in their
own right. They are all “clones” of the Primary SmartCenter Server CA. They can all issue
certificates, but their certificates will appear to have been issued by the Primary
SmartCenter Server.
Synchronization
In the Management High Availability context, synchronization is defined by the following
characteristics:
• Only saved data is synchronized.
• Data synchronization means one database overwriting the other rather than item-by-item
conflict resolution. This approach is consistently applied in the Management High
Availability except certificate-related discrepancies. If such a conflict occurs, the problematic
certificate will be revoked.
• Synchronization details are logged and can be displayed in Log Viewer’s Audit mode.
The SmartCenter Server databases can be synchronized either manually or automatically. The
two options are explained in greater detail below.
Manual Synchronization
You can manually initiate synchronization of the SmartCenter Server databases, change the
status of a SmartCenter Server or login to another SmartCenter Server.
Synchronize — Synchronizes the selected standby SmartCenter Server with the active
SmartCenter Server by overwriting the standby Server’s database.
FIGURE 17-3Server Synchronization options
Change to Standby — Changes the SmartCenter Server’s status from Active to Standby. This
option will only appear when you have logged onto the Active SmartCenter Server.
Refresh — Updates the current status of the SmartCenter Servers.
The following status values are available:
• Never Synchronized — The SmartCenter Server has never been synchronized.
• Not Reachable — Communication with the SmartCenter Server has not been properly
established. To resolve the problem, perform cpstop followed by cpstart.
• Collision — Both SmartCenter Servers’ databases have progressed since the last
synchronization. This can occur, for example, when there are two active SmartCenter
Servers. In this case it is recommended you not synchronize the databases.
• Advanced — This is when the Standby SmartCenter Server’s database has progressed and
the Active SmartCenter Server has not. This can occur, for example, when the machine
that is currently Standby, was very recently Active. In this case, you will want to Change to
Standby, and then perform Synchronize Me. Once you have done this, click Change to
Active to return to Active mode.
• Lagging — This is when the Standby machine is lagging behind the Active. This is the
most common and expected occurrence. This is the ideal time to synchronize the two
databases.
• Synchronized — This is when both machines are synchronized.
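The status values above follow from which side's saved database has changed since the last synchronization. The following model is an added example, not Check Point code: it encodes only the rules stated on this page (only saved data is synchronized, synchronization overwrites the standby's database rather than merging, automatic synchronization is refused when the standby is Collision or Advanced). The revision counters and the edit/save split are a modelling device, not Check Point's internal representation.

```python
"""Model of the Management High Availability synchronization states.

Added example, not Check Point code.  Only the documented rules are modelled:
only saved data is synchronized; a synchronization overwrites the standby's
database instead of merging; the status is derived from which side has
progressed since the last synchronization; the automatic methods skip a
standby that is Collision or Advanced.  Revision numbers are a modelling device.
"""
from dataclasses import dataclass, field


@dataclass
class SmartCenter:
    name: str
    database: dict = field(default_factory=dict)   # saved objects and policy
    unsaved: dict = field(default_factory=dict)    # edits not yet saved: never synchronized
    revision: int = 0                              # grows with every save
    synced_revision: int = -1                      # revision at the last sync; -1 = never
    reachable: bool = True

    def edit(self, key, value):
        self.unsaved[key] = value

    def save(self):
        """Like saving the policy in the GUI: unsaved edits become saved data."""
        self.database.update(self.unsaved)
        self.unsaved.clear()
        self.revision += 1

    def progressed(self) -> bool:
        return self.revision != self.synced_revision


def sync_status(active: SmartCenter, standby: SmartCenter) -> str:
    """The Status column for `standby`, as seen from `active`."""
    if not (active.reachable and standby.reachable):
        return "Not Reachable"
    if standby.synced_revision < 0:
        return "Never Synchronized"
    active_moved, standby_moved = active.progressed(), standby.progressed()
    if active_moved and standby_moved:
        return "Collision"      # both databases changed: do not synchronize blindly
    if standby_moved:
        return "Advanced"       # standby changed, e.g. it was Active until recently
    if active_moved:
        return "Lagging"        # the normal case: synchronize now
    return "Synchronized"


def synchronize(active: SmartCenter, standby: SmartCenter, automatic: bool = False) -> bool:
    """Overwrite the standby's saved database with the active one's.  The automatic
    methods (on save, on install, scheduled) refuse Collision and Advanced; a manual
    Synchronize overwrites regardless.  Returns True if a copy was made."""
    status = sync_status(active, standby)
    if status == "Not Reachable" or (automatic and status in ("Collision", "Advanced")):
        return False
    standby.database = dict(active.database)       # whole-database overwrite, no merge
    standby.revision = active.revision
    active.synced_revision = standby.synced_revision = active.revision
    return True


if __name__ == "__main__":
    bigben, eiffel = SmartCenter("BigBen"), SmartCenter("Eiffel")
    synchronize(bigben, eiffel)
    bigben.edit("rule1", "accept"); bigben.save()
    print(sync_status(bigben, eiffel))      # Lagging
```

Walking the model through the sequence in the text (normal operation, a recently Active machine becoming Standby, then both sides changing) shows why a Collision is the one state in which you should stop and decide which database wins before overwriting.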
Comment Bar — A light bulb indicates that there is a recommendation or error. Click on
the Details button for more information. The Details window will appear.
FIGURE 17-5Details window
Change to Active — Make the Standby SmartCenter Server Active. This option will only
appear when you have logged into the Standby SmartCenter Server in Read/Write mode.
Login in Read Only — Click on this button to switch to Read Only mode.
Refresh — Update the current Status of the SmartCenter Servers.
Synchronize Me — Synchronize the standby SmartCenter Server (the one on which you are
logged onto now) from the SmartCenter Server that is highlighted in the window.
Properties
Synchronization parameters are defined in the Management High Availability page of the
Global Properties window (FIGURE 17-7).
Note - Synchronization of an Active server will not succeed if the GUI is open with
Read/Write permissions.
• When policy is saved (only configuration files will be synchronized) — Databases will
be synchronized whenever a Security Policy is saved.
Note - If the Status column on the Standby SmartCenter Server is Collision or Advanced,
the databases will not be synchronized.
• When policy is installed — Databases and Fetch files will be synchronized whenever a
Security Policy or database is installed. This can only work if the status in the Status
column on the standby SmartCenter Server is not Collision or Advanced.
• Scheduled event — Databases will be synchronized in accordance with the selected Time
Object. For this to work, you must create a Scheduled Event, and specify the day(s) and
time you want to perform the synchronization. After you have created the Scheduled Event,
you will be able to select it from the drop-down menu. For information, see “Time and
Scheduled Event Objects” on page 347 above.
Note - When working with the Automatic method, you can also synchronize manually by
going to Manage > High Availability Servers in the menu.
SmartView Tracker
All operations having to do with Management High Availability can be viewed in the Check
Point SmartView Tracker. Both the Primary and Secondary SmartCenter Servers can send logs,
which can be seen in the Oper. column in Audit mode. For more information, see “SmartView
Tracker” on page 387.
In This Chapter
Overview
The fwm and vpn programs are used to manage VPN-1/FireWall-1. These programs control the
fwd and vpnd daemons.
With the exception of the setup commands cpconfig, fwstart, cpstart and cpstop (see
“Setup” on page 549), all commands have the following Usage:
option meaning
action This determines the specific command (for example,
fwm load or fwm ctl). The rest of this chapter describes
each command’s action and options. These commands are
grouped by the following categories: Control, Monitor,
Certificates, Utilities, VPN-1 Accelerator Card.
-d If this flag is the first argument to an fwm command, then
debug information is generated as the command runs.
targets Some commands can be executed on the specified targets.
See below for more information.
Targets
There are three options for specifying the targets on which a given command is to be executed
(see TABLE 18-2). If more than one option is used, the command executes on the combination
of targets. If none of these options is specified, the Inspection Code is installed on the local host.
parameter meaning
-conf conffile The command is executed on targets specified in
conffile. Each line in conffile has the Usage of a
target in a target list (see “Target Usage” on page 549).
-all The command is executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf).
This file must be created manually. Create a simple text
file containing a list of IP addresses and/or resolvable
machine names, one per line.
target The command is executed on the specific named target.
(see “Target Usage” on page 549)
host
Where:
parameter meaning
host The name of the network object (as returned by the hostname
command) or its IP address.
all The meaning of all varies according to its placement. It may
specify: both directions, all interfaces or both directions on all
interfaces.
• The dot (.) and the at-sign (@) are part of the Usage; spaces around them are not allowed.
• If host is not specified, localhost is assumed.
• If only host is specified, all is assumed (meaning both directions on all interfaces).
Several targets may be specified in various formats. Command-line separators are subject to the
rules of the shell (spaces and tabs are the most common separators).
The format of configuration files is identical to the format of targets. In configuration files, the
following separators may be used: spaces, tabs, comma, or new line.
Examples
le0.in@host1
all@host2
host3
all.out
all.all
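The target syntax above is small but has two defaulting rules (a missing host means localhost, a bare host means both directions on all interfaces) and a lexical rule (no spaces around the dot or the at-sign). The following parser is an added example, not Check Point code; it implements exactly the syntax documented on this page, including the conffile separators, and nothing more. A host whose name happens to end in ".in" or ".out" would be misread as a hostless scope, which is why the explicit "all@host" form is the safe way to write such a host.

```python
"""Parser for the VPN-1/FireWall-1 target syntax described above.

Added example, not Check Point code.  It implements only what the page
documents: an optional "<interface>.<direction>@" prefix in front of a host;
a missing host means localhost; a bare host means both directions on all
interfaces; no spaces around '.' or '@'; configuration files separate targets
with spaces, tabs, commas or newlines.
"""
import re
from typing import List, NamedTuple

DIRECTIONS = ("in", "out", "all")


class Target(NamedTuple):
    interface: str   # interface name, or "all"
    direction: str   # "in", "out" or "all" (both directions)
    host: str        # hostname or IP address; "localhost" when omitted


def _parse_scope(scope: str, spec: str) -> tuple:
    """The part before '@': either 'all' or '<interface>.<direction>'."""
    if scope == "all":
        return "all", "all"
    iface, dot, direction = scope.partition(".")
    if not dot or not iface or direction not in DIRECTIONS:
        raise ValueError(f"bad interface/direction {scope!r} in target {spec!r}")
    return iface, direction


def _is_scope(token: str) -> bool:
    """True if a token without '@' is a hostless scope rather than a host.
    '10.1.1.1' and 'fw.example.com' are hosts: the part after the first dot
    is not a direction."""
    return token == "all" or token.partition(".")[2] in DIRECTIONS


def parse_target(spec: str) -> Target:
    """Parse one target: 'le0.in@host1', 'all@host2', 'host3', 'all.out', 'all.all'."""
    if not spec or any(ch.isspace() for ch in spec):
        raise ValueError(f"empty target or whitespace inside target {spec!r}")
    if "@" in spec:
        scope, _, host = spec.partition("@")
        if not host or "@" in host:
            raise ValueError(f"bad host in target {spec!r}")
        iface, direction = _parse_scope(scope, spec)
    elif _is_scope(spec):
        iface, direction = _parse_scope(spec, spec)
        host = "localhost"                            # host not specified: localhost assumed
    else:
        iface, direction, host = "all", "all", spec   # only host: all.all assumed
    return Target(iface, direction, host)


def parse_target_list(text: str) -> List[Target]:
    """Parse a conffile body (the -conf option) or several shell arguments.
    Documented separators: spaces, tabs, commas and newlines."""
    return [parse_target(tok) for tok in re.split(r"[ \t\r\n,]+", text) if tok]


def rejects(spec: str) -> bool:
    """True if parse_target refuses the specification."""
    try:
        parse_target(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for t in parse_target_list("le0.in@host1, all@host2\thost3\nall.out all.all"):
        print(t)
```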
Setup
In This Section
cpconfig
cpconfig reconfigures an existing VPN-1/FireWall-1 installation.
Usage
cpconfig
Windows
On Windows platforms, the reconfiguration application is a GUI application that displays all the
configuration windows from the VPN-1/FireWall-1 installation as tabs in the same window
(FIGURE 18-1).
FIGURE 18-1VPN-1/FireWall-1 Configuration window
To reconfigure an option, click on the appropriate tab and modify the fields as required. Click
on OK to apply the changes.
The tabs that appear depend on the installed configuration and product(s). The tabs and their
fields are described in Chapter 4, “Installing and Configuring VPN-1/FireWall-1” of the Check
Point Getting Started Guide and in Chapter 1, “Configuring VPN-1/FireWall-1” of the Check
Point SmartCenter Guide.
Unix
cpconfig displays a screen with the configuration options. The tabs that appear depend on the
installed configuration and product(s). The tabs and their fields are briefly described in TABLE
18-3. For a full description, see Chapter 4, “Installing and Configuring VPN-1/FireWall-1” of
the Check Point Getting Started Guide and Chapter 1, “Configuring VPN-1/FireWall-1” of the
Check Point SmartCenter Guide.
Choose the configuration options you wish to reconfigure.
(16) Exit
Note - The option shown depend on the installed configuration and product(s).
cpstart
Note - On Win32 platforms, use the Services applet in the Control Panel to stop and
start Check Point Services.
cpstart starts all the Check Point applications running on a machine (other than cprid, which
is invoked upon boot and keeps on running independently).
cpstart implicitly invokes fwstart (or any other installed Check Point product, such as fgstart,
uagstart, etc.).
Usage
cpstart
cpstop
Note - On Win32 platforms, use the Services applet in the Control Panel to stop and
start Check Point Services.
cpstop stops all the Check Point applications running on a machine (other than cprid, which
is invoked upon boot and keeps on running independently).
cpstop implicitly invokes fwstop (or any other installed Check Point product, such as fgstop,
uagstop, etc.).
Usage
cpstop
cpstop -fwflag [-proc | -default]
parameter meaning
-fwflag -proc When calling fwstop, pass it the -proc argument (see
“fwstop -default and fwstop -proc” on page 554).
-fwflag -default When calling fwstop, pass it the -default argument
(see “fwstop -default and fwstop -proc” on page 554).
fwstart
Note -
• Use fwstop and fwstart only for boot security reasons (see the Check Point FireWall-1
Guide). To stop and start Check Point processes, use cpstop and cpstart (see page 553).
• On Win32 platforms, use the Services applet in the Control Panel to stop and
start Check Point Services.
fwstart -f loads the VPN/FireWall Module and starts the following processes:
• The FireWall-1 daemon (fwd), which creates the VPN-1 daemon (vpnd).
• The SmartCenter Server (fwm).
• VPN-1/FireWall-1 SNMP daemon (snmpd).
• The authentication daemons (these are started when needed).
Usage
fwstop
Options
parameter meaning
(no parameters) Kills all VPN-1/FireWall-1 processes, that is:
• FireWall-1 daemon (fwd)
• VPN-1 daemon (vpnd)
• the Management Server (fwm)
• VPN-1/FireWall-1 SNMP daemon (snmpd)
• the authentication daemons
The VPN-1/FireWall-1 Security Policy is then unloaded from
the kernel.
-default Kills VPN-1/FireWall-1 processes (fwd, fwm, vpnd, fwssd). Logs,
kernel traps, resources, and all security server connections stop
working.
The Security Policy in the kernel is replaced with the Default
Filter.
-proc Kills VPN-1/FireWall-1 processes (fwd, fwm, vpnd, fwssd). Logs,
kernel traps, resources, and all security server connections stop
working.
The Security Policy remains loaded in the kernel. Therefore rules
with generic allow/reject/drop rules, based only on service,
continue working.
Control
In This Section
fwm load
fwm load compiles and installs a Security Policy to the target’s VPN/FireWall Modules. This is
done in one of two ways:
1 fwm load compiles and installs an Inspection Script (*.pf) file to the designated
VPN/FireWall Modules.
2 fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection Script
(*.pf) file, then installs it to the designated VPN/FireWall Modules.
Note - The scope of a set of rules in a Rule Base and the targets of a Rule Base installation
are not the same. The system will install the entire Rule Base on the designated targets.
However, only the rules whose scope includes the target system will actually be enforced
on a target.
To protect a target, you must load a Policy that contains rules whose scope matches the target.
If none of the rules are enforced on the target, then all traffic through the target is blocked.
Usage
Options
parameter meaning
-all The command is to be executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf). This
file must be manually created. For more information, see
“Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page 548.
filter-file An Inspection Script (*.pf).
rule-base A Rule Base file (*.W) created by the GUI. The file's full
pathname must be given.
-ip IPaddress Install the Policy on the Module with the specified IP address.
This parameter is used for installing a Policy on a DAIP Module
(see Chapter 14, “Dynamically Assigned IP Addresses” of Check
Point SmartCenter Guide). Note that:
• If this parameter is used, then targets must be a DAIP
Module.
• Only one DAIP Module may be specified for each execution
of this command.
targets The command is to be executed on the designated
VPN/FireWall Modules. For more information, see “Targets” on
page 548.
When fwm load and fwm unload are Run From the GUI
The fwm load and fwm unload commands are run when the user installs or uninstalls a Policy
from the GUI (by choosing Install or Uninstall from the Policy menu). In this case, the
parameters are:
parameter meaning
-x load or -x unload Install (load) or uninstall (unload) the Policy.
-s<ConnectionNumber> internal parameter
policy-file For example, C:\WINNT\FW1\NG\conf\Standard.W
targets The Module on which the Policy will be installed.
You can modify this behavior so that choosing Install or UnInstall from the Policy menu runs
a program or shell script (batch file) of your choice. For example, to run bigapple, define the
attribute :load_program(<batch file name>) at the highest level of
$FWDIR/conf/objects_5_0.C:
load_program (“bigapple”)
bigapple will be run with the parameter list above (TABLE 18-7). It is then your responsibility
to ensure that bigapple correctly processes its arguments and installs or uninstalls the Security
Policy. Of course, bigapple can also perform any other functions you wish.
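Because a load_program hook runs with whatever arguments fwm hands it and is then trusted to install the policy, the first thing such a hook should do is parse and validate that argument list. The following is an added example in the shape of TABLE 18-7, not bigapple and not Check Point code: it recognises "-x load" or "-x unload", "-s<ConnectionNumber>", the policy file and the targets, and refuses a policy file that is not an existing *.W inside the conf directory. Those checks are this example's own policy, and it does not itself invoke fwm.

```python
"""A load_program hook in the shape of TABLE 18-7 above.

Added example, not Check Point code and not "bigapple".  It parses the
arguments fwm passes to a load_program hook ("-x load"/"-x unload",
"-s<ConnectionNumber>", the policy file, the targets) and validates them;
the checks applied (an existing *.W inside a conf directory, at least one
target) are this example's own policy.  It does not invoke fwm.
"""
import os
import sys
from typing import Dict, List


def parse_load_args(argv: List[str]) -> Dict:
    """Parse the hook's argument list into operation, connection, policy_file, targets."""
    result = {"operation": None, "connection": None, "policy_file": None, "targets": []}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-x":
            if i + 1 >= len(argv) or argv[i + 1] not in ("load", "unload"):
                raise ValueError("-x must be followed by load or unload")
            result["operation"] = argv[i + 1]
            i += 2
            continue
        if arg.startswith("-s"):                 # -s<ConnectionNumber>, internal parameter
            result["connection"] = arg[2:]
        elif arg.startswith("-"):
            raise ValueError(f"unknown option {arg!r}")
        elif result["policy_file"] is None:      # first bare word is the policy file ...
            result["policy_file"] = arg
        else:                                    # ... every further one is a target Module
            result["targets"].append(arg)
        i += 1
    if result["operation"] is None or result["policy_file"] is None or not result["targets"]:
        raise ValueError("need -x load|unload, a policy file and at least one target")
    return result


def check_policy_path(policy_file: str, conf_dir: str) -> bool:
    """Accept only an existing *.W file that really lives inside conf_dir
    (symlinks and '..' are resolved first, so traversal out of conf_dir fails)."""
    real, conf = os.path.realpath(policy_file), os.path.realpath(conf_dir)
    return (real.endswith(".W") and os.path.isfile(real)
            and os.path.commonpath([real, conf]) == conf)


def self_check() -> Dict[str, bool]:
    """Exercise check_policy_path against a throwaway conf directory (constructed)."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "conf")
        os.mkdir(conf)
        for path in (os.path.join(conf, "Standard.W"), os.path.join(root, "Evil.W")):
            open(path, "w").close()
        return {
            "inside": check_policy_path(os.path.join(conf, "Standard.W"), conf),
            "outside": check_policy_path(os.path.join(root, "Evil.W"), conf),
            "traversal": check_policy_path(os.path.join(conf, "..", "Evil.W"), conf),
            "missing": check_policy_path(os.path.join(conf, "Missing.W"), conf),
        }


if __name__ == "__main__":
    request = parse_load_args(sys.argv[1:])
    print(request)
    conf_dir = os.path.join(os.environ.get("FWDIR", "."), "conf")
    if request["operation"] == "load" and not check_policy_path(request["policy_file"], conf_dir):
        sys.exit("refusing to install a policy file outside $FWDIR/conf")
```

The hook is where any local approval or change-control check belongs; once it has decided to go ahead, it can run the real installation the same way fwm would have.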
Examples
fwm unload
fwm unload uninstalls the currently loaded Inspection Code from selected targets.
Usage
Options
parameter meaning
-all The command is to be executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf). For
more information, see “Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page 548.
targets The command is to be executed on these specified
VPN/FireWall Modules. For more information, see “Targets” on
page 548.
Examples
fwm load
The Management Server maintains a repository of database versions. fwm load installs a VPN-
1/Firewall-1 Security Policy of a specific version on a Module without changing the definition
of the current active database version on the SmartCenter Server.
You can install a VPN-1/Firewall-1 Security Policy on a remote Module or on a Module that
resides on the same machine as the SmartCenter Server.
Note - If you are installing a specific version of a Security Policy on a remote Module, the
local user database is not installed.
Note - To use the Revision Control feature, you must have the appropriate license.
Backward Compatibility
The version repository can maintain NG FP2 and NG FP3 Security Policy versions. Currently,
only VPN-1/FireWall-1 Security Policies that were defined and saved in version NG FP3, can
be installed on Modules.
Usage
Options
parameter meaning
-v version number Retrieves the Security Policy from the version repository.
Version number is the Security Policy version number saved in
the version repository.
<rulebase> A Rule Base file (*.W) created by the GUI.
Only the file's name is given and not its full pathname.
<targets> The command is to be executed on the designated
VPN/FireWall Modules. For more information, see “Targets” on
page 548.
Example
The following command:
installs Security Policy Standard.W, version 18 in the version repository, on Module “johnny”.
fwm fetch
fwm fetch fetches the Inspection Code from the specified host and installs it to the kernel.
Usage
Options
parameter meaning
-n Fetch the Policy from the SmartCenter Server to the local
state directory, and install the Policy only if the fetched
Policy is different from the Policy already installed.
-f filename Fetch the Policy from SmartCenter Servers listed in
filename. If filename is not specified, the list in
conf/masters is used.
Examples
fwm putkey
fwm putkey installs a VPN-1/FireWall-1 authentication password on a host. This password is
used to authenticate internal communications between VPN/FireWall Modules and between a
Check Point Module and its SmartCenter Server. That is, the password is used to authenticate
the control channel the first time communication is established.
fwm putkey is required for some backward compatibility scenarios. For an example of such a
scenario, see “If I have an NG management and a 4.1 or 4.0 Module, how do I re-establish
communication between them?” on page 108 of the Check Point Getting Started Guide.
Usage
Options
parameter meaning
-no_opsec Only VPN-1/FireWall-1 control connections are enabled.
-opsec Only OPSEC control connections are enabled.
-ssl The key is used for an SSL connection.
-k num The length of the first S/Key password chain for fwa1
authentication (Check Point’s proprietary authentication
protocol). The default is 7. When fewer than 5 passwords
remain, the hosts renegotiate a chain of length 100, based on a
long random secret key. The relatively small default value
ensures that the first chain, based on a short password entered by
the user, is quickly exhausted.
-n name The IP address (in dot notation) to be used by
VPN-1/FireWall-1 when identifying this host to all other hosts,
instead of, for example, the resolution of the hostname
command.
-p password The key (password). If you do not enter the password on the
command line, you will be prompted for it.
target The IP address(es) or the resolvable name(s) of the other host(s)
on which you are installing the key (password). This should be
the IP address of the interface “closest” to the host on which the
command is run. If it is not, you will get error messages such as
the following:
“./fwd: Authentication with hostname for command sync failed”
If neither -opsec nor -no_opsec is specified, then both VPN-1/FireWall-1 and OPSEC
connections are enabled.
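The -k description above is a compact statement of an S/Key-style hash chain: the first chain, derived from the short password the administrator types, is deliberately short (7), and once fewer than 5 passwords remain the two hosts move to a chain of length 100 built from a long random secret. The following is an added example, not Check Point code: it implements a generic hash chain with a verifier that stores only the chain top and a prover that walks down it, plus the documented renegotiation rule. The hash function (SHA-256), the way the new random secret reaches both sides, and the message formats are assumptions; Check Point's fwa1 protocol is not documented on this page.

```python
"""Hash-chain (S/Key style) one-time passwords as described for fwm putkey -k.

Added example, not Check Point code.  The page states that the first chain
has length 7 by default and that, when fewer than 5 passwords remain, the
hosts negotiate a chain of length 100 from a long random secret.  SHA-256,
the direct hand-over of the new secret to both sides and the absence of any
wire format are assumptions made for illustration only.
"""
import hashlib
import os

DEFAULT_CHAIN_LENGTH = 7      # fwm putkey -k default
RENEGOTIATE_BELOW = 5         # fewer remaining than this triggers a new chain
RENEGOTIATED_LENGTH = 100


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _chain(secret: bytes, n: int) -> list:
    """[H^0(secret), H^1(secret), ..., H^n(secret)]"""
    out = [secret]
    for _ in range(n):
        out.append(_h(out[-1]))
    return out


class Verifier:
    """Holds only the chain top H^n(secret).  Each accepted password becomes the
    new top, so a replayed or out-of-order password never verifies."""

    def __init__(self, secret: bytes, n: int = DEFAULT_CHAIN_LENGTH):
        self.top, self.remaining = _chain(secret, n)[-1], n

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0 or _h(otp) != self.top:
            return False
        self.top, self.remaining = otp, self.remaining - 1
        return True

    def needs_renegotiation(self) -> bool:
        return self.remaining < RENEGOTIATE_BELOW


class Prover:
    """Walks the chain downwards: H^(n-1), H^(n-2), ..., H^0."""

    def __init__(self, secret: bytes, n: int = DEFAULT_CHAIN_LENGTH):
        self.chain, self.index = _chain(secret, n), n - 1

    def next_otp(self) -> bytes:
        if self.index < 0:
            raise RuntimeError("chain exhausted")
        otp, self.index = self.chain[self.index], self.index - 1
        return otp


def run_exchange(password: bytes, authentications: int, rng=os.urandom) -> dict:
    """Simulate `authentications` control-channel authentications starting from a
    short user-entered password, renegotiating as documented.  `rng` is injectable
    so a run can be reproduced."""
    verifier, prover = Verifier(password), Prover(password)
    stats = {"accepted": 0, "renegotiations": 0}
    for _ in range(authentications):
        if not verifier.verify(prover.next_otp()):
            raise RuntimeError("verification failed")
        stats["accepted"] += 1
        if verifier.needs_renegotiation():
            secret = rng(32)    # long random secret; assumed shared over the now-authenticated channel
            verifier = Verifier(secret, RENEGOTIATED_LENGTH)
            prover = Prover(secret, RENEGOTIATED_LENGTH)
            stats["renegotiations"] += 1
    stats["remaining"] = verifier.remaining
    return stats


if __name__ == "__main__":
    print(run_exchange(b"short-password", 10))   # renegotiates after the third use
```

With the default length of 7 the third successful authentication leaves 4 passwords, which is already below 5, so the short user-chosen password is retired after three uses; the verifier never has to store the password itself, only the current chain top.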
fwm dbload
fwm dbload downloads the user database and network objects information (for example,
encryption keys) to selected targets. If no target is specified, then the database is downloaded to
localhost.
Usage
Options
parameter meaning
-all The command is to be executed on all targets specified in
the default system configuration file
($FWDIR/conf/sys.conf). For more information, see
“Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page
548.
targets The command is executed on the designated targets. For
more information, see “Target Usage” on page 549.
rs_db_tool
rs_db_tool is used for managing DAIP Modules in a DAIP database.
Usage
rs_db_tool [-d] <-operation <add | fetch | delete | list | sync> > [arguments]
Options
parameter meaning
-d Toggle debug output on
-operation add — add entry to database (see arguments below)
fetch — get entry from database
delete — delete entry from database (see arguments below)
list — list all the database entries
sync — synchronize the database
Monitor
In This Section
cpwd_admin Usage
cpwd_admin list
cpwd_admin config -p
cpwd_admin config -a <value to add=data value=data...>
cpwd_admin config -d <values to delete from WD configuration>
Options
parameter meaning
list Show the status of the processes for which cpwd is
responsible
config -p Shows the cpwd parameters added using the config
-a option.
Note - The following commands have no effect if cpwd is running. They will affect
cpwd the next time it is run.
config -a Add one or more monitoring parameters to the cpwd
configuration. See Cpwd_admin config Parameters
page 566.
config -d Delete one or more parameters from the cpwd
configuration. See Cpwd_admin config Parameters
page 566.
Parameter (values) Description
Note - These parameters have no effect if cpwd is running. They will affect
cpwd the next time it is run.
timeout (seconds) If rerun_mode=1, how much time from process failure
to rerun. The default is 60 seconds.
no_limit (count) Maximum number of times that cpwd will try to restart
a process. The default is 5.
zero_timeout (seconds) After failing no_limit times to restart a process, cpwd
will wait zero_timeout seconds before retrying. The
default is 7200 seconds. Should be greater than
timeout.
sleep_mode 1 Wait the timeout. This is the default.
0 Ignore the timeout. Rerun the process immediately.
dbg_mode 1 In debug mode a process that terminates abnormally
(with a non-zero exit code) shows a pop-up message
with its termination status.
Accept pop-up error messages (Windows NT only).
0 Do not receive pop-up error messages. This is useful if
pop-up error messages freeze the machine. This is the
default (Windows NT only).
rerun_mode 1 Rerun a failed process. This is the default.
0 Do not rerun a failed process. Perform only
monitoring.
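The parameters in the table above interact: timeout and sleep_mode decide the pause before each restart, no_limit caps the restarts, zero_timeout is the long back-off once that cap is hit, and rerun_mode switches restarting off altogether. The following model is an added example, not cpwd's code; it reproduces only those documented rules for a process that dies immediately every time it is restarted. That the restart counter starts over after the zero_timeout wait is an assumption, and dbg_mode is left out because it only governs pop-ups.

```python
"""Model of how the cpwd_admin config parameters above interact.

Added example, not cpwd's code.  Documented rules only: after a failure cpwd
waits `timeout` seconds (sleep_mode=1) or not at all (sleep_mode=0) before
rerunning, gives up after `no_limit` restarts and waits `zero_timeout` seconds
before trying again, and with rerun_mode=0 only monitors.  That the restart
counter starts over after the long wait is an assumption.  dbg_mode only
governs pop-ups and is left out.
"""
from typing import Dict, List

DEFAULTS: Dict[str, int] = {"timeout": 60, "no_limit": 5, "zero_timeout": 7200,
                            "sleep_mode": 1, "rerun_mode": 1}


def parse_config_args(args: List[str]) -> Dict[str, int]:
    """Parse 'name=value' tokens as given to cpwd_admin config -a, on top of the defaults."""
    params = dict(DEFAULTS)
    for tok in args:
        name, sep, value = tok.partition("=")
        if not sep or name not in DEFAULTS or not value.isdigit():
            raise ValueError(f"malformed or unknown parameter {tok!r}")
        params[name] = int(value)
    if params["zero_timeout"] <= params["timeout"]:
        raise ValueError("zero_timeout should be greater than timeout")
    return params


def restart_schedule(params: Dict[str, int], failures: int, start: int = 0) -> List[int]:
    """Times (seconds) at which cpwd reruns a process that dies at `start` and dies
    again immediately after each restart, for `failures` consecutive deaths."""
    if params["rerun_mode"] == 0:
        return []                                   # monitoring only
    delay = params["timeout"] if params["sleep_mode"] == 1 else 0
    now, in_a_row, restarts = start, 0, []
    for _ in range(failures):
        if in_a_row == params["no_limit"]:          # cap reached: long wait, then start over
            now += params["zero_timeout"]
            in_a_row = 0
        else:
            now += delay
        restarts.append(now)
        in_a_row += 1
    return restarts


if __name__ == "__main__":
    p = parse_config_args(["timeout=120", "no_limit=10"])
    print(p)
    print(restart_schedule(p, 12))
```

With the defaults a crash-looping daemon is restarted five times a minute apart and then left down for two hours, which is the behaviour to keep in mind when deciding whether a failing fwd should instead be stopped and investigated.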
Examples
The following shows a sample output of the cpwd_admin list command.
#cpwd_admin list
APP PID STAT #START START_TIME COMMAND
CPD 463 E 1 [20:56:10] 21/5/2001 cpd
FWD 440 E 1 [20:56:24] 21/5/2001 fwm fwd
FWM 467 E 1 [20:56:25] 21/5/2001 fwm fwm
• STAT — Whether the process Exists (E) or has been Terminated (T).
• #START —How many times the process has been started since cpwd took control of the
process.
• START TIME — The last time the process was run.
• COMMAND — The command that cpwd used to start the process.
C:\>cpwd_admin config -p
WD doesn't have configuration parameters
C:\>cpwd_admin config -a timeout=120 no_limit=10
C:\>cpwd_admin config -p
WD Configuration parameters are:
timeout : 120
no_limit : 10
cpstat
cpstat displays the status of Check Point applications, either on the local machine or on
another machine, in various formats.
Usage
Executing cpstat with no parameters displays a list of parameters and their meanings.
Options
parameter meaning
-h host A resolvable hostname, or a dot-notation address (for
example,192.168.33.23). The default is localhost.
-p port Port number of the AMON server. The default is the
standard AMON port (18192)
-f flavor The flavor of the output (as appears in the configuration
file). The default is to use the first flavor found in
configuration file.
entity One of:
• fw — FireWall-1
• vpn — VPN-1
• fg — FloodGate-1
• ha — High Availability
• os — for OS Status
• mg — for Management Status
Example
> cpstat fw
Interface table
-----------------------------------------------
|Name|Dir|Total   |Accept  |Deny|Log|
-----------------------------------------------
|hme0|in |739041  |738990  |51  |7  |
-----------------------------------------------
|hme0|out|463525  |463525  |0   |0  |
-----------------------------------------------
|    |   |1202566 |1202515 |51  |7  |
-----------------------------------------------
fwm lichosts
fwm lichosts prints a list of hosts protected by the VPN-1/FireWall-1/n products.
The list of hosts is in the file $FWDIR/database/fwd.h.
Usage
Options
parameter meaning
-x use hexadecimal format
-l use long format
fwm ver
fwm ver displays the VPN-1/FireWall-1 major version number, the build number, and a
copyright notice. The number is the version of the VPN-1/FireWall-1 daemon and the
compiler. The version of the GUI is displayed in the opening screen, and can be viewed at any
time from the Help menu.
Usage
Options
parameter meaning
-k Print the version name and build number of the Kernel
Module
-f filename Print the version name and build number to the file
filename
fwm sam
fwm sam inhibits (blocks) connections to and from specific IP addresses without the need to
change the Security Policy. The command is logged.
To “uninhibit” inhibited connections, execute fwm sam again with the -C or -D parameters.
It is also possible to do fwm sam monitoring on active SAM requests.
Usage
Options
parameter meaning
-v Verbose mode — writes one message (describing whether the
command was successful or not) to stderr for each
VPN/FireWall Module on which the command is enforced.
-s sam_server The IP address (in dot format) or the resolvable name of the
FireWalled host that will enforce the command. The default is
localhost. See “Configuration Files” on page 574 for more
information.
-S server_sic_name This refers to the SIC name for the SAM server to be
contacted. It is expected that the SAM server will have this SIC
name, otherwise the connection will fail. If no server SIC name
is supplied the connection will proceed without SIC names
comparison. For more information on enabling SIC refer to the
OPSECTM API Specification.
-f fwm The VPN/FireWall Modules on which to enforce the action.
Can be one of the following (default is “All”). See
“Configuration Files” on page 574 for more information.
value — the action will be enforced on...
“localhost” — the machine on which the SAM server runs
the name of a VPN-1/FireWall-1 object or group — this object;
if the object is a group, every object in the group
Gateways — all the Firewalls (managed by the SmartCenter
Server on or under which the SAM server runs) which are
defined as gateways
All — all the Firewalls managed by the SmartCenter Server on
or under which the SAM server runs
-t timeout The time period (in seconds) for which the action will be
enforced. The default is forever or until cancelled.
-l log The type of the log for enforced actions can be one of the
following: nolog, long_noalert, long_alert. The default is
long_alert.
-C Cancel the specified command (that is, inhibited connections
with the specified parameters will no longer be inhibited). The
parameters must match the ones in the original command
except timeout.
-D Cancel all inhibit (-i, -j,-I,-J) and notify (-n) commands.
-n Notify, that is, generate a long-format log entry and an alert
when connections that match the specified services or IP
addresses pass through the FireWall. This action does not
inhibit or close connections.
-i Inhibit the specified connections (that is, do not allow new
connections with the specified parameters). Each inhibited
connection is logged according to log type. Connections will be
rejected.
-I Inhibit the specified connections, and close all existing
connections with the specified parameters. Each inhibited
connection is logged according to the log type. Connections
will be rejected.
-j Inhibit the specified connections. Each inhibited connection is
logged according to the log type. Connections will be dropped.
-J Inhibit the specified connections, and close all existing
connections with the specified parameters. Each inhibited
connection is logged according to the log type. Connections
will be dropped.
-M Monitor the active SAM requests with the specified actions and
criteria.
Configuration Files
There are two configuration files in $FWDIR/conf that affect the functionality of the fwm sam
command:
product.conf
This file (which you should not modify) has two parameters relevant to fwm sam:
• Management
fwopsec.conf
The sam_allowed_remote_requests parameter (default value “no”) determines whether the fwm
sam command on this machine can perform remote commands. To enable a VPN/FireWall
Module to inhibit connections through other FireWalled machines, set
sam_allowed_remote_requests to “yes” in fwopsec.conf. Do not try to accomplish this by
modifying product.conf. Leave the parameter at “no” on any machine that does not need to
issue SAM commands to other Modules: a host on which it is enabled can block traffic through
every Module it is allowed to reach.
The maximum size of the SAM history file can also be set in fwopsec.conf, by adding the line:
sam_server purge_file_no_of_records #
where # is the number of records in the file. The default value of this attribute is 2000.
Examples
The command:
inhibits all connections originating on louvre for 10 minutes. Connections will be rejected.
The command:
inhibits all FTP connections from the louvre subnet to eifel. All existing open connections
will be closed. New connections will be dropped, and a log and alert will be sent.
This command will be enforced forever or until canceled by the following command:
The command:
monitors all active inhibit or notify SAM requests that have louvre as the source or
destination IP address.
The command:
Utilities
In This Section
fwm ctl
fwm ctl sends control information to the VPN-1/FireWall-1 Kernel Module.
Usage
Options
parameter meaning
ip_forwarding option   option is one of the following:
    never     VPN-1/FireWall-1 does not control (and thus never changes) the
              status of IP Forwarding.
    always    VPN-1/FireWall-1 controls the status of IP Forwarding irrespective
              of the state of IP forwarding in the kernel (see page 577).
    default   VPN-1/FireWall-1 controls the status of IP Forwarding only if IP
              Forwarding is disabled in the kernel. Otherwise, VPN-1/FireWall-1
              does not control (and thus does not
For more information, see “IP Forwarding” on page 577.
pstat Display VPN-1/FireWall-1 internal statistics.
install VPN-1/FireWall-1 will intercept packets.
uninstall VPN-1/FireWall-1 will not intercept packets.
iflist Displays the IP interfaces known to the kernel by name and
internal number
arp Displays ARP proxy table, which is a mapping of IP and
MAC addresses, and utilizes local.arp file. (Relevant for
Windows platforms only.)
IP Forwarding
Consider the following command:
To turn off IP Forwarding and source routed packets, edit /etc/rc2.d/S69inet and change:
to:
For additional information, refer to the man pages for ndd(1M) and ip(7).
HP–UX 11
To turn off IP Forwarding and source routed packets, edit /etc/rc2.d/S69inet and change:
to:
Windows NT
Warning - The AIX default is for IP Forwarding to be off. If you enable IP Forwarding
while VPN-1/FireWall-1 is not running, you will be exposing your network. Make sure that
it is not turned on in one of the .rc scripts during boot. Turn it on (with the
no -o ipforwarding=1 command) in the fwstart script after VPN-1/FireWall-1 starts
enforcing a Security Policy, and turn it off (with the no -o ipforwarding=0 command) in
the fwstop script just before VPN-1/FireWall-1 stops.
no -o ipforwarding=1
no -o ipforwarding=0
fwm gen
fwm gen generates an Inspection Script (*.pf) file or a router access-list from a Rule Base (*.W)
file. Rule Base files are created by the GUI, but you may edit them and use this command to
generate Inspection Scripts (though this is not recommended).
Syntax
Options
parameter meaning
filename The Rule Base file.
Examples
fwm kill
fwm kill sends a signal to a VPN-1/FireWall-1 daemon.
Usage
Options
parameter meaning
[-t sig_no] proc-name If the file $FWDIR/tmp/proc-name.pid
exists, send signal sig_no to the pid given in the
file. If no signal is specified, signal 15 (SIGTERM)
is sent.
The VPN-1/FireWall-1 daemons and Security Servers write their pids to files in the tmp
directory upon startup. These files are named
$FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the
VPN-1/FireWall-1 snmp daemon is $FWDIR/tmp/snmpd.pid.
Note - On NT, sig_no is ignored. Only the default (fwm kill proc_name, that is, signal
15) works properly on NT.
Examples
fwell
fwell manages Access Lists for Wellfleet (Bay Networks) routers.
Usage
For UNIX systems:
Options
parameter meaning
load rulebase-file Load the Access List specified by the Rule Base file (*.W)
to the router.
interface-name Machine-dependent representation of interface (e.g. le0).
router-name The name of the router as defined in the
SmartDashboard.
targets The command is to be executed on these machines. For
more information, see “Target Usage” on page 549.
unload Unload the Access List.
-s Generate summary output.
-u A list of interfaces.
stat Show statistics.
Note - When loading a Rule Base to a router, all the router’s interfaces are first unloaded.
If the -u parameter is specified, then the virtual router’s interfaces are unloaded. If the -
u parameter is not specified, then the real router’s interfaces are unloaded.
Examples
The command:
CIRCUIT  IF              FILTER  DATE
E21      -               -
S21      192.114.50.33   d4      23Mar95 10:34:13
S22      -               -       -
Example 1
Suppose a Wellfleet router well has three interfaces: E21, S21 and S22.
The user might wish to define (manually, in objects.C) two “virtual” routers, well1 and well2,
as follows:
(well1
:ipaddr well
:if-1E21
)
(well2
:ipaddr well
:if-0S21
:if-2S22
)
Warning - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.
Example 2
The command:
Example 3
The command:
Example 4
The command:
fwm tab
fwm tab displays the content of INSPECT tables on the target hosts in various formats.
For each host, the default format displays the host name and a list of all tables with their
elements.
Usage
Options
parameter meaning
-all The command is to be executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf).
For more information, see “Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page
548.
-a Display all tables.
-s Use short format: host name, table name, table ID, and its
number of elements.
-u Do not limit the number of displayed entries.
-m number For each table, display only its first number of elements
(default is 16).
-t tname Display only tname table.
targets The command is executed on the designated targets. For
more information, see “Target Usage” on page 549.
Examples
fwm tab
fwm tab -t hostlist1 gateway1
dynamic_objects
dynamic_objects specifies an IP address to which the dynamic object (see “Dynamic Objects”
on page 216 of Check Point SmartCenter Guide) will be resolved on this machine.
Note - This command cannot be executed when the VPN/FireWall Module is running.
Usage
Options
parameter meaning
-o object_name object name
-r [fromIP toIP] ... address ranges — one or more “from IP address to
IP address” pairs
-a [fromIP toIP] ... add ranges to object
-d [fromIP toIP] ... delete range from object
-l list dynamic objects
-n object_name create new object (if VPN/FireWall Module is not
running)
-c compare the objects in the dynamic objects file and
in object.C.
-do object_name delete object
Examples
The command:
dynamic_objects -n bigserver
creates a new dynamic object named “bigserver”.
The command:
deletes the IP address range 190.160.1.1-190.160.1.40 from the dynamic object “bigserver”.
dbedit
dbedit edits the objects file on the SmartCenter Server.
VPN-1/FireWall-1 NG handles objects files differently from earlier versions. There is no longer
an objects.C file on both the SmartCenter Server and on the Module. Instead, there is an
objects file on the Module and a new file, objects_5_0.C on the SmartCenter Server. A new
objects.C file is created on the Module (based on the objects_5_0.C on the SmartCenter
Server) whenever a Policy is installed. Editing the objects.C file on the Module is no longer
required or desirable, since it will be overwritten the next time a Policy is installed.
Two new utilities simplify working with the objects file (objects_5_0.C) on the SmartCenter
Server:
• Dbedit enables administrators to make changes to the objects file.
• queryDB_util enables searching the database according to search parameters.
Usage
Options
parameter meaning
-s server The SmartCenter Server on which the objects_5_0.C file
to be edited is located. If this is not specified in the
command line, then the user will be prompted for it.
If the server is not localhost, the user will be required to
authenticate.
-u user | The user’s name (the name used for the GUI Management
-c certificate Client) or the full path to the certificate file.
-p password The user’s password (the password used for the GUI
Management Client).
-f filename The name of the file containing the commands. If filename
is not given, then the user will be prompted for
commands.
-r db-open-reason An optional flag used to open the database with a
string that states the reason. This reason will be attached to
the audit logs of database operations.
-help Print usage and short explanation.
Commands
command explanation
create [object_type] [object_name]
    Create an object with its default values. This command does not commit the
    object to the database. The create command may use an extended (or “owned”)
    object as shown in the example. Changes are committed to the database only by
    an update or quit command.
modify [table_name] [object_name] [field_name] [value]
    Modify fields of an object which is:
    • stored in the database (the command locks the object in this case), or
    • newly created by dbedit.
    The modify command allows the use of Extended Formats for owned objects, for
    example [field_name] = Field_A:Field_B. See the examples at the end of this
    section for details.
update [table_name] [object_name]
    Update the database with the object. This command checks the validity of the
    object and issues an error message if appropriate. Invalid fields can be
    corrected using the modify command.
delete [table_name] [object_name]
    Delete an object from the database and from the client implicit database.
addelement [table_name] [object_name] [field_name] [value]
    Add an element (of type string) to a multiple field.
Note - The meanings of object_type, object_name and table_name are given in the OPSEC
CPMI specification.
Examples
Create a tcp_service
Update a service
Example
Extended Format
Example
Example
Example
Replace the owned object with a new one with its default values.
Example
queryDB_util
queryDB_util enables searching the object database according to search parameters.
Usage
Options
parameter meaning
[-t <table_name>] The name of the table.
[-o <object_name>] The name of the object.
[-a] All objects.
[-mu <modified_by>] The name of the administrator who last modified the
object.
[-mh <modified_from>] The host from which the object was last modified.
[-ma <modified_after>] The date after which the object was modified,
    <[hh:mm:ss][ddmmmyyyy]>. Either or both parts may be given. Omitting
    hh:mm:ss defaults to midnight; omitting ddmmmyyyy defaults to today’s
    date on the client.
[-mb <modified_before>] The date before which the object was modified,
    <[hh:mm:ss][ddmmmyyyy]>. Either or both parts may be given. Omitting
    hh:mm:ss defaults to midnight; omitting ddmmmyyyy defaults to today’s
    date on the client.
[-p c|m|u|h|t|f] Short print options:
    • c — creation details
    • m — last_modification details
    • u — administrator name (create and modify)
    • h — host name (create and modify)
    • t — time (create and modify)
    • f — field details
Examples
Object Name:            internal_ca
Last Modified by:       Bob
Last Modified from:     london
Last Modification time: Tue Jun 20 11:32:58 2000
In This Section
fwm log
fwm log displays the content of Log Files.
Usage
fwm log [-f [t]] [-c action] [-l] [-s starttime] [-e endtime]
[-b stime etime] [-h hostname] [-n]
[-m initial | semi | raw | account] [logfile]
Options
parameter meaning
-f [t] After current display is completed, do not exit but continue to
monitor the Log file and display it while it is being written.
The t parameter indicates that the display is to begin at the end
of the file, in other words, the display will initially be empty
and only new records added later will be displayed.
-c action Display only events whose action is action, that is, accept,
drop, reject, authorize, deauthorize, encrypt
and decrypt. Control actions are always displayed.
-l Display the date for each record.
-s starttime Display only events that were logged after starttime. starttime
may be a date, a time, or both. If the date is omitted, then today’s
date is assumed.
-e endtime Display only events that were logged before endtime. endtime may
be a date, a time, or both.
-b stime etime Display only events that were logged between stime and
etime, each of which may be a date, a time, or both. If the date
is omitted, then today’s date is assumed.
-h hostname Display only log entries sent by the Module machine
hostname.
-n Don't perform DNS resolution of the IP addresses in the Log
File (this option significantly speeds up the processing)
-m This flag specifies the unification mode.
• initial — Complete unification of log records; that is,
output one unified record for each id. This is the default.
When used together with -f, no updates will be displayed,
but only entries relating to the start of new connections. To
display updates, use the semi parameter.
• semi — Step-by-step unification, that is, for each log
record, output a record that unifies this record with all
previously-encountered records with the same id.
• raw — Output all records, with no unification.
• account — Output accounting records only.
Examples
fwm log
fwm log | more
fwm log -c reject
fwm log -s Jan1
fwm log -f -s 16:00
fwm logswitch
fwm logswitch creates a new Log File. The current Log File is closed and renamed
$FWDIR/log/date.log, and a new Log File with the default name ($FWDIR/log/fw.log) is
created. Old Log Files are located in the same directory. You must have the appropriate file
privileges to run fwm logswitch.
A SmartCenter Server can use fwm logswitch to switch a Log File on a remote machine and
transfer the Log File to the SmartCenter Server. For information on how to direct logging to a
specific machine, see “Redirecting Logging to Another Master” on page 627 of Check Point
SmartCenter Guide.
See also “How can I switch my Log File on a periodic basis?” on page 338 of Check Point
SmartCenter Guide.
Usage
Options
parameter meaning
-h target The resolvable name or IP address of the remote machine
(running either a VPN/FireWall Module or a SmartCenter
Server) on which the Log File is located. The SmartCenter
Server (on which the fw logswitch command is executed) must
be defined as one of target’s SmartCenter Servers. In addition,
you must perform fw putkey to establish a control channel
between the SmartCenter Server and target.
For information about establishing control channels, see
“Enabling Communication between Modules” on page 99 of
Check Point SmartCenter Guide.
For information on target Usage, see “Target Usage” on page
549.
When a log file is sent to the SmartCenter Server, the data is
compressed. See “Compression” on page 598 for more
information.
+ The Log File is transferred from target to the SmartCenter
Server. The transferred Log File is compressed and encrypted.
The name of the copied Log File on the SmartCenter Server is
prefixed by target (see “Targets” on page 548 for details). This
parameter is ignored if target is not specified. There should be
no white space between this parameter and the next one.
- The same as +, but the Log File is deleted on target.
Compression
When log files are transmitted from one machine to another, they are compressed using the zlib
package, the library behind the Unix gzip command (see RFC 1950 to RFC 1952 for details). The
algorithm (DEFLATE) is a variation of the LZ77 method.
The compression ratio varies with the content of the log records and is difficult to predict.
Binary data are not compressed, but string data such as user names and URLs are compressed.
Examples
The following command creates a new Log File and moves (renames) the old Log File to
old.log.
fwm logexport
fwm logexport exports the Log File to an ASCII file.
Usage
Options
parameter meaning
-d delimiter Output fields will be separated by this character
— default is semicolon (;)
-i inputfile The name of the input Log File.
-o outputfile The name of the output ASCII file.
-r record_chunk_size This determines how many records should be
read (during a single access to the Log File) into
the internal buffer for processing.
-n Do not perform DNS resolution of the IP
addresses in the Log File (this option
significantly speeds the processing).
-f Stay online and export new logs to the ASCII
output file as they occur.
-m This flag specifies the unification mode.
• initial — Complete unification of log
records; that is, output one unified record
for each id. This is the default.
• semi — Step-by-step unification, that is,
for each log record, output a record that
unifies this record with all previously-
encountered records with the same id.
• raw — Output all records, with no
unification.
• account — Output accounting records
only.
fwm repairlog
fwm repairlog rebuilds a Log file’s pointer files. The three files fw.logptr, fw.loginitial_ptr
and fw.logaccount_ptr are recreated from data in the specified Log file. The Log file itself is
modified only if the -u flag is specified.
Usage
Options
parameter meaning
-u Indicates that the unification chains in the Log file should be
rebuilt.
logfile The name of the Log file to repair.
fwm mergefiles
This command merges several Log Files into a single Log File.
The merged file can be sorted according to the creation time of the Log entries, and the times
can be “fixed” according to the time zones of the origin Log Servers.
Log entries with the same Unique-ID are unified. If a Log switch was performed before all the
segments of a specific log were received, this command merges the records with the same
Unique-ID from the two different files into one fully detailed record.
It is not recommended to merge the current active fw.log file with other Log Files. Instead,
run fwm logswitch first and then run fwm mergefiles on the closed file.
Usage
Options
parameter meaning
-s Sort the merged file by the time field of the log records.
-t time_conversion_file “Fix” the times of log records from different GMT zones, in
    the event that the Log Files originated from Log Servers in different time
    zones. The time_conversion_file format is as follows (one line per Log
    Server):
    ip-address signed_date_time_in_seconds
    ip-address signed_date_time_in_seconds
    .
    .
log_file_name_n Full pathnames of the Log File(s).
output_file Full pathname of the output Log File.
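As an added illustration (not Check Point code) of the unification modes described under fwm log -m and of what fwm mergefiles does when a connection's records are split across two Log Files from servers in different time zones, the following Python models the three modes (initial, semi, raw) over a handful of constructed records and applies a time_conversion_file-style offset table before sorting. The record layout, the id numbers and the offsets are assumptions chosen for the example; a real fw.log is a binary file that is read with fwm log or fwm logexport, not with this code.

```python
# Added example (not Check Point code): models fwm log -m unification modes and
# fwm mergefiles time fixing over constructed records. Field names, ids and
# offsets are assumptions for illustration only.
from typing import Dict, List, Tuple

# A record is (time_in_seconds, origin_ip, unique_id, fields).
Record = Tuple[int, str, int, Dict[str, str]]

# Constructed sample: connection id 7 starts in LOG_A and continues in LOG_B,
# whose server clock is one hour behind the first one.
LOG_A: List[Record] = [
    (1000, "10.0.0.1", 7, {"action": "accept", "src": "louvre", "service": "ftp"}),
    (1005, "10.0.0.1", 8, {"action": "drop", "src": "eifel"}),
]
LOG_B: List[Record] = [
    (500, "10.0.0.2", 7, {"bytes": "4096"}),
    (510, "10.0.0.2", 7, {"bytes": "8192", "state": "closed"}),
]

# Equivalent of a time_conversion_file: origin ip -> signed offset in seconds.
TIME_CONVERSION = {"10.0.0.2": 3600}

def fix_times(records: List[Record], conversion: Dict[str, int]) -> List[Record]:
    """Apply the per-origin offset (fwm mergefiles -t)."""
    return [(t + conversion.get(orig, 0), orig, rid, f) for t, orig, rid, f in records]

def unify(records: List[Record], mode: str) -> List[dict]:
    """initial: one record per id, carrying every field seen for that id;
    semi: one output per input record, cumulative for its id;
    raw: every record as-is (the 'account' mode is not modelled here)."""
    if mode == "raw":
        return [dict(f, id=rid, time=t) for t, _, rid, f in records]
    acc: Dict[int, dict] = {}
    if mode == "semi":
        out = []
        for t, _, rid, f in records:
            acc.setdefault(rid, {"id": rid, "time": t}).update(f)
            out.append(dict(acc[rid]))            # snapshot after this step
        return out
    if mode == "initial":
        order: List[int] = []
        for t, _, rid, f in records:
            if rid not in acc:
                acc[rid] = {"id": rid, "time": t}  # time of first sighting
                order.append(rid)
            acc[rid].update(f)
        return [acc[rid] for rid in order]
    raise ValueError("unknown unification mode %r" % mode)

def mergefiles(files: List[List[Record]], conversion=None, sort=False) -> List[dict]:
    """Model of fwm mergefiles [-s] [-t conv]: fix times, optionally sort, unify."""
    recs: List[Record] = []
    for f in files:
        recs.extend(fix_times(f, conversion or {}))
    if sort:
        recs.sort(key=lambda r: r[0])
    return unify(recs, "initial")

if __name__ == "__main__":
    for r in mergefiles([LOG_A, LOG_B], TIME_CONVERSION, sort=True):
        print(r)
```

Without the conversion table, sorting puts the continuation records from the second server ahead of the connection's own accept record, which is exactly the situation -t exists to fix; with it, the unified record keeps the accept time and picks up the final byte count and closed state from the other file.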
fwm lslogs
This command displays a list of Log Files residing on a remote machine.
Usage
fwm lslogs [-f filename] ... [-e] [-s name | size | stime | etime] [-r] [module]
Options
parameter meaning
-f filename The list of files to be displayed. The file name can
include wildcards. In Solaris, any file containing
wildcards should be enclosed in quotes.
The default parameter is *.log.
-e Display an extended file list. It includes the following
data:
• Size — The size of the file and its related pointer
files together.
• Creation Time — The time the Log File was
created.
• Closing Time — The time the Log File was
closed.
• Log File Name — The file name.
Examples
The following example shows the log data you see when you use the fwm lslogs command:
This example shows the extended file list you see when you use the fwm lslogs -e command:
fwm fetchlogs
fwm fetchlogs fetches Log Files from a remote machine.
You can use the fwm fetchlogs command to transfer Log Files to the machine on which the
fwm fetchlogs command is executed.
The Log Files are read from and written to the directory $FWDIR/log.
Note - The files transferred by the fwm fetchlogs command are MOVED from the
source machine to the target machine.
Usage
Options
parameter meaning
-f filename The Log Files to be transferred. The file name can
include wildcards. In Solaris, any file containing
wildcards should be enclosed in quotes.
The default parameter is *.log.
Related pointer files will automatically be fetched.
module The name of the remote machine from where you
transfer the Log Files.
The active Log File (fw.log) cannot be fetched. If you want to fetch the most recent log data,
proceed as follows:
1 Run fwm logswitch to close the currently active Log File and open a new one. For more
information on the fwm logswitch command, see “fwm logswitch” on page 596.
2 Run fwm lslogs to see the newly-generated file name (see “fwm lslogs” on page 601).
3 Run fwm fetchlogs -f filename to transfer the file to the machine on which the fwm
fetchlogs command is executed.
The file is now available for viewing in the Log Viewer. For more information on the
SmartView Tracker, see Chapter 11, “SmartView Tracker”.
After a file has been fetched, it is renamed: the Module name and the original Log File name
are concatenated, separated by two underscore characters (__), to form the new file name.
Example
The following command:
fw lea_notify
This command should be run from the SmartCenter Server. It sends a LEA_COL_LOGS event to all
connected LEA clients (see the LEA Specification documentation). Use it after new Log Files
have been imported (manually or automatically) into the $FWDIR/log directory, so that the
clients pick them up immediately rather than waiting up to 30 minutes for the scheduled update.
log_export
log_export is a utility that allows you to transfer Log data to an external database.
This utility behaves as a LEA client. LEA (Log Export API) enables VPN-1/FireWall-1 Log data
to be exported to third-party applications. log_export receives the Logs from the SmartCenter
Server via LEA so it can be run from any host that has a SIC connection with the SmartCenter
Server and is defined as an OPSEC host.
To run log_export, you need a basic understanding and a working knowledge of:
• Oracle database administration
• LEA
For more information about LEA, see Check Point VPN-1/FireWall-1 LEA (Log Export API)
Specification at
http://cpi.checkpoint.com/__rnd/docs/techpubs/OPSEC/OPSEC_SDK/NG%20FP2/LEA_NG_FP2.pdf.
Installation Requirements
• Before you can run log_export, the Oracle client must be installed and configured. Make
sure that:
Note - The Configuration File is a Check Point Set file and should be configured according
to Set file conventions.
For more information about Configuration File parameters, see “Modifying the Configuration
File” on page 606.
Usage
Options
parameter meaning
-f conf_file The Configuration File from which log_export reads
the Log file parameters. If conf_file is not specified,
the default Configuration File log_export.conf ,
located in the current working directory.
-l The IP address of the LEA server.
-t The name of the table in the database to which the
logs will be added.
-g A comma separated list of log file names from where
the logs will be taken.
-p The database login password. If you do not want to store the
password in the Configuration File, you can enter it on the command
line, where it is not saved to disk. Note that a command-line
argument is still visible to other local users in the process list
(for example, ps) while log_export runs, and may be recorded in
the shell history.
-h Display log_export usage.
-d Display debugging information.
You should be aware, though, that any parameter entered using the command line will
override the parameters in the Configuration File.
parameter meaning
db_connection_string The string that defines the Oracle database server. For example,
the name of the server.
db_table_name The name of the table in the database to which the logs will be
added.
create_db_table Following are the available options:
• 1 — create a new table in the database
• 0 — use the existing table.
:db_table_name (fw_log)
:db_connection_string (database_service_name)
:db_user_name (scott)
:db_password (tiger)
:log_server_ip_address (127.0.0.1)
:log_server_port (18184)
:create_db_table (1)
:log_file_name (fw.log)
:log_fields (
: (time
:db_field_name (log_time)
:db_field_type (DATE)
)
: (product
:db_field_name (product)
:db_field_type (STRING)
:db_field_size (25)
)
: (i/f_name
:db_field_name (interface)
:db_field_type (STRING)
:db_field_size (100)
)
: (orig
:db_field_name (origin)
:db_field_type (STRING)
:db_field_size (16)
)
: (action
:db_field_name (action)
:db_field_type (STRING)
:db_field_size (16)
)
: (service
:db_field_name (service)
:db_field_type (STRING)
:db_field_size (40)
)
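The configuration above is written in Check Point's own nested ":key (value)" Set-file notation. As an added example (not part of log_export), the following Python parses that notation and derives the table definition that create_db_table (1) asks log_export to create from log_fields, which is a quick way to review column names and sizes before handing the tool a database login. The sample text is a constructed copy of a subset of the configuration above; the mapping of STRING to VARCHAR2(n) and DATE to DATE is an assumption about the Oracle column types log_export uses. Note that the file holds the database password in clear (db_password), so restrict its permissions.

```python
# Added example (not log_export code): parses the Check Point Set-file notation
# used by log_export.conf and derives the CREATE TABLE that create_db_table (1)
# implies. STRING->VARCHAR2(n) and DATE->DATE are assumed Oracle mappings.
import re
from typing import List, Optional, Tuple

# Constructed copy of the configuration shown above (subset of log_fields).
SAMPLE_CONF = """\
:db_table_name (fw_log)
:db_connection_string (database_service_name)
:db_user_name (scott)
:db_password (tiger)
:log_server_ip_address (127.0.0.1)
:log_server_port (18184)
:create_db_table (1)
:log_file_name (fw.log)
:log_fields (
    : (time
        :db_field_name (log_time)
        :db_field_type (DATE)
    )
    : (product
        :db_field_name (product)
        :db_field_type (STRING)
        :db_field_size (25)
    )
    : (i/f_name
        :db_field_name (interface)
        :db_field_type (STRING)
        :db_field_size (100)
    )
    : (orig
        :db_field_name (origin)
        :db_field_type (STRING)
        :db_field_size (16)
    )
)
"""

# Tokens: ':key' (a bare ':' for unnamed list items), '(', ')', bare values.
_TOKEN = re.compile(r":[\w./-]*|\(|\)|[^\s():]+")

def tokenize(text: str) -> List[str]:
    return _TOKEN.findall(text)

def parse_block(tokens: List[str], i: int) -> Tuple[list, int]:
    """Parse ':key (value)' entries until the matching ')' or end of input.
    Returns (entries, index of the closing paren). Each entry is (key, value)
    where value is a str for scalars or (name, sub_entries) for nested blocks."""
    entries = []
    while i < len(tokens) and tokens[i] != ")":
        key = tokens[i][1:]                      # '' for ': (name ...)' items
        if tokens[i + 1] != "(":
            raise ValueError("expected '(' after :%s" % key)
        i += 2
        if tokens[i] != ")" and tokens[i + 1] == ")":    # scalar: (value)
            value = tokens[i]
            i += 2
        else:                                            # nested block
            name: Optional[str] = None
            if tokens[i] != ")" and not tokens[i].startswith(":"):
                name = tokens[i]                         # the 'time' in ': (time'
                i += 1
            sub, i = parse_block(tokens, i)
            i += 1                                       # consume ')'
            value = (name, sub)
        entries.append((key, value))
    return entries, i

def scalars(entries) -> dict:
    return {k: v for k, v in entries if isinstance(v, str)}

def log_fields(entries) -> List[Tuple[str, dict]]:
    """[(log field name, {db_field_name, db_field_type, db_field_size}), ...]"""
    for key, value in entries:
        if key == "log_fields" and isinstance(value, tuple):
            return [(name, scalars(sub)) for _, (name, sub) in value[1]]
    return []

def create_table_ddl(conf_text: str) -> Optional[str]:
    """The CREATE TABLE log_export would need, or None when create_db_table is 0."""
    entries, _ = parse_block(tokenize(conf_text), 0)
    top = scalars(entries)
    if top.get("create_db_table") != "1":
        return None
    cols = []
    for log_name, attrs in log_fields(entries):
        ftype = attrs["db_field_type"]
        if ftype == "STRING":
            col_type = "VARCHAR2(%s)" % attrs["db_field_size"]   # assumed mapping
        elif ftype == "DATE":
            col_type = "DATE"
        else:
            raise ValueError("unsupported db_field_type %s for %s" % (ftype, log_name))
        cols.append("%s %s" % (attrs["db_field_name"], col_type))
    return "CREATE TABLE %s (%s)" % (top["db_table_name"], ", ".join(cols))

if __name__ == "__main__":
    print(create_table_ddl(SAMPLE_CONF))
```

The sizes matter: a db_field_size smaller than the longest value the Log File carries (URLs and user names in particular) will be rejected or truncated by the database, so compare the generated column widths with what fwm logexport actually produces before setting create_db_table to 1.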
cphastart
cphastart starts the High Availability feature on the machine. This is done when the
VPN/FireWall Module is started.
Usage
cphastart
cphastop
cphastop stops the High Availability feature on the machine.
Usage
cphastop
cphaprob
cphaprob defines “critical” processes. When a critical process fails, the machine is considered to
have failed.
Usage
parameter meaning
-d <device> Add <device> to the list of devices that must be running for the
VPN/FireWall Module to be considered active (in other words,
if <device> fails, then the VPN/FireWall Module is considered
to have failed)
-s The status to be reported — one of:
• “ok” — <device> is alive
• “init” — <device> is initializing. The machine is down.
This state prevents the machine from becoming active.
• “problem” — <device> has failed
-t <timeout> If <device> fails to contact the VPN/FireWall Module in
<timeout> seconds, <device> will be considered to have failed.
To disable this parameter, enter <0> as the timeout value.
-f <file> Insert all problem notifications into <file> and register them
    automatically.
[-p] register Register <device> as a critical process.
[-p] unregister Unregister <device> as a critical process.
[-p] Makes these changes permanent. After the kernel module is removed (on
    Linux or IPSO, for example) and re-attached, the pnote (problem
    notification) status of pnotes that were registered with this flag is
    preserved: if a pnote was registered as "problem" before the kernel
    module was removed, its status is restored after the module is
    re-installed.
state Display the state of this VPN/FireWall Module and all the other
VPN/FireWall Modules in the High Availability configuration.
-i[a] -e list Display the state of devices.
report Report the status of High Availability VPN/FireWall Modules
and their status.
if Display the state of interfaces.
savepnotes Saves the status of the currently defined pnotes (problem
notifications) to a file. The pnotes in this file are restored to
their saved statuses after a reboot or cpstop/cpstart commands.
A process specified by <device> should run cphaprob with the “-s ok” parameter to notify the
High Availability module that the process is alive. If this notification is not received in
<timeout> seconds, the process (and the machine) will be considered to have failed.
This is true only for problem notification with timeouts. If a notification is registered with the
-t 0 parameter, there will be no timeout, and until the device reports otherwise, the status is
considered to be the last reported status.
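To make the timeout rules concrete, the following Python is an added model (not ClusterXL or cphaprob code) of the problem-notification registry that cphaprob -d/-t/-s manipulates: a device registered with a timeout must report ok within that window or the member is considered failed; a device registered with -t 0 keeps its last reported status indefinitely; and an init report blocks the member from becoming active. The device names and the three member states used here ("active", "init", "down") are assumptions for the example.

```python
# Added example (not ClusterXL code): a model of the problem-notification
# ("pnote") registry that cphaprob -d/-t/-s manipulates. Device names and the
# member states used here are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict

STATUSES = ("ok", "init", "problem")

@dataclass
class Pnote:
    status: str = "init"        # last status reported with -s
    timeout: int = 0            # -t <timeout> in seconds; 0 disables the timeout
    last_report: float = 0.0    # time of registration or of the last report

class HaMonitor:
    def __init__(self) -> None:
        self.devices: Dict[str, Pnote] = {}

    def register(self, device: str, now: float, timeout: int = 0) -> None:
        """cphaprob -d <device> -t <timeout> register"""
        self.devices[device] = Pnote(timeout=timeout, last_report=now)

    def unregister(self, device: str) -> None:
        """cphaprob -d <device> unregister"""
        self.devices.pop(device, None)

    def report(self, device: str, status: str, now: float) -> None:
        """cphaprob -d <device> -s <status> report (keep-alive or failure)"""
        if status not in STATUSES:
            raise ValueError("status must be one of %s" % (STATUSES,))
        p = self.devices[device]
        p.status, p.last_report = status, now

    def device_state(self, device: str, now: float) -> str:
        """With a timeout, silence longer than the timeout counts as a failure;
        with -t 0 the last reported status stands until the device says otherwise."""
        p = self.devices[device]
        if p.timeout and now - p.last_report > p.timeout:
            return "problem"
        return p.status

    def member_state(self, now: float) -> str:
        """'down' if any device has failed, 'init' if any is still initializing
        (which blocks activation), otherwise 'active'."""
        states = [self.device_state(d, now) for d in self.devices]
        if "problem" in states:
            return "down"
        if "init" in states:
            return "init"
        return "active"

if __name__ == "__main__":
    m = HaMonitor()
    m.register("fwd", now=0, timeout=30)
    m.report("fwd", "ok", now=5)
    print(m.member_state(10), m.member_state(40))   # active, then down
```

The manual failover described in the example that follows corresponds to a single "problem" report on any registered device, and an unregister removes the device from the decision entirely.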
Example
This example illustrates how to manually cause a machine to fail and another machine to take
over.
1 Verify that the primary machine is currently active with the following command:
#cphaprob state
Information similar to the following should be displayed:
1 1.2.3.4 Active
2 5.6.7.8 Standby
3 9.0.1.2 Down
Example
These examples illustrate various uses of the cphaprob command.
[root@tuti]/opt/CPfw1-50>cphaprob if
hme0 UP
hme1 UP
hme2 UP
[root@tuti]/opt/CPfw1-50>cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
[root@tuti]/opt/CPfw1-50/bin>cphaprob -i list
Built-in Devices:
Registered Devices:
[root@tuti]/opt/CPfw1-50/bin>cphaprob -i -e list
Registered Devices:
fwm hastat
The fwm hastat command displays information about High Availability machines and their
states.
Usage
parameter meaning
<target> A list of machines whose status will be displayed. If target is
not specified, the status of the local machine will be displayed.
In This Section
fwm ikecrypt
fwm ikecrypt encrypts the password of a SecuRemote user using IKE. The
resulting string must then be stored in the LDAP database.
Usage
Options
parameter meaning
shared-secret The IKE Key defined in the Encryption tab of the LDAP
Account Unit Properties window.
user-password The SecuRemote user’s password.
Examples
The command
KYTSLfvuOkzX14edJHIXcwqZsDWv
fwm dbimport
fwm dbimport imports users into the VPN-1/FireWall-1 User Database from an external file.
You can create this file yourself (see “File Format” on page 616), or use a file generated by fwm
dbexport (see “fwm dbexport” on page 618).
Usage
fwm dbimport [-m] [-s] [-v] [-r] [-k errors] [-f file] [-d delim]
Options
parameter meaning
-m If an existing user is encountered in the import file, the user’s
default values will be replaced by the values in the template
(the default template or the one given in the attribute list for
that user in the import file), and the original values will be
ignored.
If -m is not specified, then an existing user’s original values
will not be modified.
-s Suppress the warning messages issued when an existing user’s
values are changed by values in the import file.
-v verbose mode
-r fwm dbimport will delete all existing users in the database.
-k errors Continue processing until errors errors have been encountered.
The line count in the error messages starts from 1 at the attributes
line and includes empty and commented-out lines.
-f file The name of the import file. The default import file is
$FWDIR/conf/user_def_file. Also see the
requirements listed under “File Format” on page 616.
-d delim Specifies a delimiter different from the default value (;).
To ensure that there is no dependency on the previous database values, use the -r flag together
with the -m flag.
File Format
The import file must conform to the following Usage:
1 The first line in the file is an attribute list.
The attribute list can be any partial set of the following attribute set, as long as name is
included:
6 Legal values for the authentication method are: Undefined, S/Key, SecurID, Unix Password,
VPN-1/FireWall-1 Password, RADIUS, Defender.
8 Date format is dd-mmm-yy, where mmm is one of {Jan, Feb, Mar, Apr, May, Jun, Jul, Aug,
Sep, Oct, Nov, Dec}.
9 If the S/Key authentication method is used, all the other attributes regarding this method
must be provided.
10 If the VPN-1/FireWall-1 password authentication method is used, a valid
VPN-1/FireWall-1 password should be given as well.
The password should be encrypted with the C language encrypt function.
11 Values regarding authentication methods other than the one specified are ignored.
12 The userc field specifies the parameters of the user’s SecuRemote connections, and has
three parameters, as follows:
parameter values
key encryption method DES, CLEAR, Any
data encryption method DES, CLEAR, Any
integrity method MD5,[blank] = no data integrity
“Any” means the best method available for the connection. This depends on the encryption
methods available to both sides of the connection.
Example:
userc means
{DES,DES,MD5} key encryption method is DES;
data encryption method is DES;
data integrity method is MD5
{DES,CLEAR,} key encryption method is DES;
no data encryption;
no data integrity
{Any,Any,} use “best” key encryption method;
use “best” data encryption method;
no data integrity
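The File Format rules above, applied by an added Python validator that is not part of the Check Point tools: it reads an import file with the configurable delimiter, numbers lines the way fwm dbimport reports them (from 1, attribute line included, blank and commented lines counted), checks the authentication method, the dd-mmm-yy date and the {key,data,integrity} userc triplet, and stops after a given error count like -k. The attribute names auth, password and expiration_date and the "#" comment marker are assumptions, since the full attribute set is not reproduced on this page.

```python
import re
from dataclasses import dataclass, field

# Legal values quoted from the fwm dbimport "File Format" rules.
AUTH_METHODS = {"Undefined", "S/Key", "SecurID", "Unix Password",
                "VPN-1/FireWall-1 Password", "RADIUS", "Defender"}
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
USERC_KEY_DATA = {"DES", "CLEAR", "Any"}   # key and data encryption methods
USERC_INTEGRITY = {"MD5", ""}              # blank means no data integrity

# "name", "days" and "userc" are attribute names from the page; the names
# below and the "#" comment marker are assumptions (the full set is not shown).
AUTH_ATTR = "auth"
PASSWORD_ATTR = "password"
DATE_ATTRS = ("expiration_date",)
COMMENT_PREFIX = "#"

@dataclass
class ImportReport:
    users: list = field(default_factory=list)   # accepted rows, as dicts
    errors: list = field(default_factory=list)  # (line number, message) pairs
    stopped: bool = False                       # True once the -k limit is reached

def valid_date(value):
    """dd-mmm-yy, with mmm taken from the month list in rule 8."""
    m = re.fullmatch(r"(\d{2})-([A-Z][a-z]{2})-(\d{2})", value)
    return bool(m) and m.group(2) in MONTHS and 1 <= int(m.group(1)) <= 31

def parse_userc(value):
    """Return (key, data, integrity) for a {key,data,integrity} field, else None."""
    if not (value.startswith("{") and value.endswith("}")):
        return None
    parts = [p.strip() for p in value[1:-1].split(",")]
    if len(parts) != 3:
        return None
    key, data, integrity = parts
    if key in USERC_KEY_DATA and data in USERC_KEY_DATA and integrity in USERC_INTEGRITY:
        return key, data, integrity
    return None

def check_import_file(text, delim=";", max_errors=None):
    """Validate an import file. Line numbers start at 1 with the attribute
    line and count empty and commented-out lines, as fwm dbimport does."""
    report = ImportReport()
    lines = text.splitlines()
    if not lines:
        report.errors.append((1, "empty file: attribute list missing"))
        return report
    attrs = [a.strip() for a in lines[0].split(delim)]
    if "name" not in attrs:
        report.errors.append((1, "attribute list must include 'name'"))
        return report

    def fail(line_no, msg):
        report.errors.append((line_no, msg))
        if max_errors is not None and len(report.errors) >= max_errors:
            report.stopped = True
        return report.stopped

    for line_no, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIX):
            continue                              # counted but not imported
        values = [v.strip() for v in line.split(delim)]
        if len(values) != len(attrs):
            if fail(line_no, f"expected {len(attrs)} fields, got {len(values)}"):
                break
            continue
        row = dict(zip(attrs, values))
        problems = []
        auth = row.get(AUTH_ATTR)
        if auth is not None and auth not in AUTH_METHODS:
            problems.append(f"unknown authentication method {auth!r}")
        if auth == "VPN-1/FireWall-1 Password" and not row.get(PASSWORD_ATTR):
            problems.append("VPN-1/FireWall-1 Password method requires a password")
        for attr in DATE_ATTRS:
            if row.get(attr) and not valid_date(row[attr]):
                problems.append(f"{attr}: {row[attr]!r} is not dd-mmm-yy")
        if row.get("userc") and parse_userc(row["userc"]) is None:
            problems.append(f"userc: bad value {row['userc']!r}")
        if problems:
            if fail(line_no, "; ".join(problems)):
                break
            continue
        report.users.append(row)
    return report

# Constructed sample file (not from the page): header, comment, two valid
# users, a blank line, then two rows that violate rules 6, 10 and 12.
SAMPLE_FILE = """name;auth;password;expiration_date;userc
# constructed example rows
maryj;VPN-1/FireWall-1 Password;x9Q1zKpLm3sAB;31-Dec-03;{DES,DES,MD5}
ben;RADIUS;;15-Jan-04;{Any,Any,}

jill;Kerberos;;01-Feb-04;{DES,CLEAR,}
tom;VPN-1/FireWall-1 Password;;30-Feb-04;{3DES,DES,MD5}
"""
```

Running check_import_file(SAMPLE_FILE, max_errors=2) accepts maryj and ben, reports lines 6 and 7, and then stops, which is the behaviour -k 2 describes.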
fwm dbexport
fwm dbexport exports the VPN-1/FireWall-1 User Database to a file. The file may be in one
of the following formats:
• the same format as the import file for fwm dbimport (see “fwm dbimport” on page 616)
• LDIF format, which can be imported into an LDAP Server using ldapmodify (see
“ldapmodify” on page 620).
Usage
• To export the User Database to a file that can be used with fwm dbimport:
Options
parameter meaning
-g group Specifies a group (group) to be exported. The users in the
group are not exported.
-u user Specifies that only one user (user) is to be exported.
-d delim Specifies a delimiter different from the default value (“;”).
-a {attrib1, attrib2, ...} Specifies the attributes to export, in the form of a comma-
separated list, between {} characters, for example,
-a {name,days}. If there is only one attribute, the {} may
be omitted.
-f file file specifies the name of the output file. The default output
file is $FWDIR/conf/user_def_file.
Warning - If you use the -a parameter to specify a list of attributes, and then import the
created file using fwm dbimport, the attributes not exported will be deleted from the user
database.
Notes
• fwm dbexport and fwm dbimport (non-LDIF format) cannot export and import user groups.
To export and import a user database, including groups, proceed as follows:
a Run fwm dbexport on the source SmartCenter Server.
b On the destination SmartCenter Server, create the groups manually.
c Run fwm dbimport on the destination SmartCenter Server.
The users will be added to the groups to which they belonged on the source SmartCenter
Server.
• If you wish to import different groups of users into different branches, run fwm dbexport
once for each subtree, for example:
Next, import the individual files into the LDAP server one after the other. For information on
how to do this, refer to the documentation for your LDAP server.
• The LDIF file is a text file which you may wish to edit before importing it into an LDAP
server. For example, in the VPN-1/FireWall-1 user database, user names may be what are in
effect login names (such as “maryj”) while in the LDAP server, the DN should be the user’s
full name (“Mary Jones”) and “maryj” should be the login name.
Examples
Suppose the User Database contains two users, “maryj” and “ben”.
creates an LDIF file consisting of two entries with the following DNs:
cn=ben,o=WidgetCorp,c=us
cn=maryj,o=WidgetCorp,c=us
ldapmodify
ldapmodify imports users to an LDAP server. The input file must be in the LDIF format.
You can import the VPN-1/FireWall-1 User Database into an LDAP server by first generating
an LDIF file using fwm dbexport (see “fwm dbexport” on page 618), and then using ldapmodify.
Before importing, prepare the LDAP directory as follows:
1 Make sure the root branch is defined as an allowed branch on your LDAP server.
2 Restart the LDAP server.
3 Create the branch into which the users will be imported, either by using Create Tree
Object in the Account Management Client or with the ldapmodify command:
Usage
Options
parameter meaning
-a Add users.
-c Continue on errors.
-h <host> LDAP Server IP address.
-p <port> LDAP Server port number.
-D <LDAPadminDN> LDAP Administrator DN.
-w <LDAPadminPassword> LDAP Administrator password.
-f <exportfilename>.ldif Specifies the name of the input file. This file must be
in the LDIF format.
Example
1 Export the users using fwm dbexport.
4 Define an Account Unit with these parameters, including hello1234 as the IKE shared
secret.
ldapsearch
ldapsearch queries an LDAP directory and returns the results.
Usage
Options
parameter meaning
options Any of the following:
option meaning
-A Retrieve attribute names only (without values).
-B Do not suppress printing of non-ASCII values.
-D bindDN The DN to be used for binding to the LDAP Server.
-F separator Print separator between attribute name and value
instead of “=”.
-h host The LDAP server identified by IP address or resolvable
name.
-l timelimit The server side time limit for search, in seconds.
-p portnum The port number. The default is standard LDAP port
389.
-S attribute Sort the results by the values of attribute.
-s scope One of the following: “base”, “one”, “sub”.
-b Base distinguished name (DN) for search.
-t Write values to files in /tmp. Each attribute-value pair is
written to a separate file, named
/tmp/ldapsearch-<attribute>-<value>.
For example, for the fw1color attribute, the file written
will be named
/tmp/ldapsearch-fw1color-a00188.
-T timeout The client side timeout (in milliseconds) for all
operations.
-u Show “user friendly” entry names in the output. For
example, show “cn=Babs Jensen, users, omi” instead
of “cn=Babs Jensen,cn=users,cn=omi”
-w password The password.
filter RFC-1558 compliant LDAP search filter. For example,
objectclass=fw1host.
attributes The list of attributes to be retrieved. If no attributes are given, all attributes
are retrieved.
Examples
This means that the LDAP directory will be queried for fw1host objects using port number
18185 with DN common name “omi”. For each object found, the value of its objectclass
attribute will be printed.
License Management
In This Section
cplic put...
The cplic put command (located in $CPDIR/bin) is used to install one or more Local licenses.
This command installs a license on a local machine — it cannot be performed remotely.
Note - For the remote command, see “cplic put <object name> ...” on page 631. Multiple
licenses can be installed using a multi-license file received from the User Center.
Use it to install a
• NG Local license for a Check Point Node on a Check Point Node
• NG Local license for a SmartCenter Server on a SmartCenter Server
Local licenses can also be installed with the cpconfig configuration tool (see “cpconfig” on page
550).
After installing a license,
1 confirm that you are using the appropriate license by printing the licenses using the cplic
print command (see “cplic print” on page 628).
2 It is recommended that you retrieve the licenses to the SmartUpdate License Repository
using the cplic get command or via the SmartUpdate GUI.
Usage
cplic put [-o overwrite] [-c check-only] [-s select] [-F <output file>] [-P Pre-boot]
[-k kernel-only] <-l license-file | host expiration date signature SKU/feature>
Options
parameter              meaning
-overwrite (or -o)     On a SmartCenter Server this will erase all existing licenses and replace
                       them with the new license(s). On a Check Point Node this will erase only
                       Local licenses but not Central licenses, that are installed remotely.
-check-only (or -c)    Verify the license. Checks if the IP of the license matches the machine,
                       and if the signature is valid.
-select (or -s)        Select only the Local licenses whose IP address matches the IP address
                       of the machine.
-F outputfile          Outputs the result of the command to the designated file rather than
                       to the screen.
-Preboot (or -P)       Use this option after upgrading to VPN-1/FireWall-1 NG FP2 and before
                       rebooting the machine. Use of this option will prevent certain error
                       messages.
-kernel-only (or -k)   Push the current valid licenses to the kernel. For Support use only.
-l license-file        Installs the license(s) in license-file, which can be a multi-license
                       file. The following options are NOT needed:
                       host expiration-date signature SKU/features
Copy/paste the following parameters from the license received from the User Center.
parameter meaning
host One of the following:
• All platforms — The IP address of the external
interface (in dot notation); last part cannot be 0 or
255.
• Sun OS4 and Solaris2 — The response to the hostid
command (beginning with 0x).
• HP-UX — The response to the uname -i
command (beginning with 0d).
• AIX — The response to the uname -l command
(beginning with 0d), or the response to the uname
-m command (beginning and ending with 00).
expiration date The license expiration date. Can be never
signature The License signature string. For example:
aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(Case sensitive. The hyphens are optional)
SKU/features A string listing the SKU and the Certificate Key of the
license. The SKU of the license summarizes the features
included in the license. For example:
CPMP-EVAL-1-3DES-NG CK0123456789ab
Example
This command:
cplic del
The cplic del command (located in $CPDIR/bin) deletes a single Check Point license on a
host. Use it to delete unwanted evaluation, expired, and other licenses.
Run cplic print -x to get the license signature (see “cplic print” on page 628).
Note - For the remote command, see “cplic del <object name> ...” on page 633.
Usage
Options
parameter                 meaning
-File <output file>       Send the output to <output file> instead of the screen.
(or -F <output file>)
signature                 The signature string within the license. For example:
                          ag2e7EPPP-eZ2HfqEwe-9MDay2aw6-a5rJg8P7k.
                          (Case sensitive. The hyphens are optional)
                          The signatures of the licenses on the machine can be viewed using
                          the command cplic print -x (see “cplic print” on page 628)
Example
The command
cplic print
The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on
the local machine.
On a Check Point Node, this command will print all licenses that are installed on the local
machine — both Local and Central licenses.
To print the licenses in the License Repository, see “cplic db_print” on page 641.
Usage
Options
parameter            meaning
-noheader (or -n)    Print licenses with no header. The header is the first line of the output
                     in the Example on page 629 below.
-x                   Print licenses with their signature
-type (or -t)        Prints licenses showing their type: Central or Local.
-F <outputfile>      Divert the output to outputfile.
-preatures (or -p)   Print licenses resolved to primitive features.
Example
This command
cplic print -x
cplic check
Use the cplic check command (located in $CPDIR/bin) to check whether the license on the
machine will allow a given feature to be used.
This command is used mainly for Technical Support purposes.
Usage
cplic check [-p <product name>] [-v <product version>] [-c count]
[-t <date>] [-r routers] [-S SRusers] <feature>
Options
parameter                      meaning
-product <product-name>        The product for which license information is requested.
(or -p <product-name>)         For example fw1, netso.
-version <product-version>     The product version for which license information is requested.
(or -v <product-version>)      For example 4.1, 5.0
-count (or -c)                 Count how many licenses have this feature
-time date (or -t date)        Check license status on future date. Use the format ddmmmyyyy.
                               A given feature may be valid on a given date on one license,
                               but invalid in another.
-routers (or -r)               Check how many routers are allowed. The feature option is not
                               needed.
-SRusers (or -S)               Check how many SecuRemote users are allowed. The feature option
                               is not needed
Examples
The command
cplic check fm
The command
Note - Unattached version 4.1 and NG FP2 Local licenses can ONLY be attached to the
Check Point Node with the same IP address as the license.
After installing a license, confirm that the license installation worked using the cplic db_print
command (see “cplic db_print” on page 641).
To install a license on the local machine, see “cplic put...” on page 624.
Usage
cplic put <object name> [-ip dynamic ip] [-F <output file>] <-l license-file | host expiration-date signature SKU/features>
Options
parameter meaning
Object name The name of the Check Point Node object, as defined in
the SmartDashboard.
-ip dynamic ip Install the license on the Check Point Node with the
specified IP address. This parameter is used for installing a
license on a DAIP Check Point Node (see Chapter 14,
“Dynamically Assigned IP Addresses” of Check Point
SmartCenter Guide).
Note - If this parameter is used, then object name must
be a DAIP Check Point Node.
-F outputfile Divert the output to outputfile rather than to the screen.
-l license-file Installs the license(s) from license-file. The following
options are NOT needed:
Host Expiration-Date Signature SKU/features
Note - Copy/paste the following parameters from the license received from the User
Center. More than one license can be attached.
Host The target hostname or IP address.
Expiration-Date The license expiration date. Can be never
Signature The License signature string. For example:
aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(the hyphens are optional)
SKU/features A string listing the SKU and the Certificate Key of the
license. The SKU of the license summarizes the features
included in the license. For example:
CPSUITE-EVAL-3DES-vNG CK0123456789ab
Example
This command:
Usage
cplic del <Object name> [-F outputfile] [-ip dynamic ip] <Signature>
Options
parameter meaning
object name The name of the Check Point Node object, as defined
in the SmartDashboard.
-F outputfile Divert the output to outputfile rather than to the
screen.
-ip dynamic ip Delete the license on the Check Point Node with the
specified IP address. This parameter is used for deleting
a license on a DAIP Check Point Node (see
Chapter 14, “Dynamically Assigned IP Addresses” of
Check Point SmartCenter Guide).
Note - If this parameter is used, then object name
must be a DAIP Module.
Signature The signature string within the license. For example:
ag2e7EPPP-eZ2HfqEwe-9MDay2aw6-a5rJg8P7k
(the hyphens are optional)
The signatures of the licenses on the machine can be
viewed using the command cplic <object name>
print -x (see “cplic db_print” on page 641)
Example
cplic get
The cplic get command (located in $CPDIR/bin) retrieves all licenses from a Check Point
Node (or from all Check Point Nodes) into the license repository on the SmartCenter Server.
Do this to synchronize the repository with the Check Point Node(s), if NG FP2 and version 4.1
Local licenses were added (or deleted) locally, and hence do not yet (or still) exist in the license
repository. Retrieving licenses will also delete from the repository Local licenses that do not
exist on the Check Point Node. This command can be used only from the SmartCenter
Server.
Note - For 4.1 licenses, only version 4.1 SP1 and higher licenses can be retrieved.
Usage
Options
parameter meaning
ipaddr The IP address of the Check Point Node from which
licenses are to be retrieved.
hostname The name of the Check Point Node object (as defined
in the SmartDashboard) from which licenses are to be
retrieved.
-all Retrieve licenses from all Check Point Nodes in the
managed network.
-v41 Retrieve version 4.1 licenses from the NG Check Point
Node. Used to upgrade version 4.1 licenses. See “cplic
upgrade” on page 635.
Example
If the Check Point Node with the object name caruso contains four Local licenses, and the
license repository contains two other Local licenses, the command:
cplic upgrade
Use the cplic upgrade command to upgrade licenses in the license repository using licenses in
a license file obtained from the User Center.
The licenses in the downloaded license file and in the license repository are compared. If the
certificate keys and features match, the old licenses in the repository and in the remote network
objects are updated with the new licenses.
A report of the results of the license upgrade is printed.
Usage
Options
parameter meaning
inputfile Upgrades the licenses in the license repository and
Check Point Nodes to match the licenses in
<inputfile>
Example
1 Upgrade the Management Server to the latest version (see “How to Remotely Upgrade to
Check Point NG” on page 72 of the Check Point Management Guide).
Ensure that there is connectivity between the Management Server and the remote
workstations with the version 4.1 products.
2 Import all licenses into the License Repository. This can also be done after upgrading the
products on the remote workstations to NG (at step 7). Run the command
For example:
4 Upgrade the version 4.1 products on the remote workstations. (See “How to Remotely
Upgrade to Check Point NG” on page 72 of the Check Point Management Guide.)
5 In the User Center (http://www.checkpoint.com/usercenter), view the licenses for the
products that were upgraded from version 4.1 to NG and create new upgraded licenses.
6 Download a file containing the upgraded NG licenses.
Note - Only download licenses for the products that were upgraded from version 4.1 to
NG.
7 If you did not import the version 4.1 licenses into the repository in step 2, import the
version 4.1 licenses now using the command
In the following example, there are two NG licenses in the file. One does not match any
license on a remote workstation, the other matches a version 4.1 license on a remote
workstation that should be upgraded:
License: am6Hv3CUG52YbHKak3mcADM2rhNbecsm44Ma
----------------------------
Host: 212.168.8.9
Expiration Date: never
Signature: am6Hv3CUG52YbHKak3mcADM2rhNbecsm44Ma
Feature: CPFW-FIG-25-NG
Certificate Key: CK-DB4F140AD57B
Version: 5.0
Mode: local
State:
Attached to:
License: afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
----------------------------
Host: 192.168.8.11
Expiration Date: never
Signature: afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
Feature: CPFW-FIG-25-NG
Certificate Key: CK-49N3A3CC7521
Version: 5.0
Mode: central
State: installed
Attached to: golda
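The matching rule described above (certificate key and feature must both agree) together with the record layout of the report, as an added Python example that is not part of the Check Point tools: it parses records like the two shown and lists which repository licenses would be replaced and which downloaded licenses match nothing. The repository listing is constructed for the example; its version 4.1 record is assumed to carry the same feature string and certificate key, and its signature is a placeholder.

```python
from dataclasses import dataclass

# Field labels exactly as they appear in the cplic upgrade report.
FIELDS = ("Host", "Expiration Date", "Signature", "Feature",
          "Certificate Key", "Version", "Mode", "State", "Attached to")

@dataclass(frozen=True)
class License:
    host: str
    expiration: str
    signature: str
    feature: str
    certificate_key: str
    version: str
    mode: str
    state: str
    attached_to: str

def parse_license_report(text):
    """Turn 'License: <sig>' records (dashed rule, then 'Label: value' lines,
    where a value may be blank) into License objects."""
    licenses, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("License:"):
            if current is not None:
                licenses.append(_to_license(current))
            current = {}
        elif not line or set(line) == {"-"} or current is None:
            continue                      # blank line, dashed rule, or no record yet
        else:
            label, _, value = line.partition(":")
            current[label.strip()] = value.strip()
    if current is not None:
        licenses.append(_to_license(current))
    return licenses

def _to_license(fields):
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"license record is missing {missing}")
    return License(*(fields[f] for f in FIELDS))

def plan_upgrade(repository, downloaded):
    """cplic upgrade rule: a downloaded license replaces the repository license
    whose certificate key AND feature both match; anything else is left unmatched."""
    by_key = {(lic.certificate_key, lic.feature): lic for lic in repository}
    upgrades, unmatched = [], []
    for new in downloaded:
        old = by_key.get((new.certificate_key, new.feature))
        if old is None:
            unmatched.append(new)
        else:
            upgrades.append((old, new))
    return upgrades, unmatched

# The two NG licenses from the report shown on the page.
NEW_REPORT = """License: am6Hv3CUG52YbHKak3mcADM2rhNbecsm44Ma
----------------------------
Host: 212.168.8.9
Expiration Date: never
Signature: am6Hv3CUG52YbHKak3mcADM2rhNbecsm44Ma
Feature: CPFW-FIG-25-NG
Certificate Key: CK-DB4F140AD57B
Version: 5.0
Mode: local
State:
Attached to:
License: afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
----------------------------
Host: 192.168.8.11
Expiration Date: never
Signature: afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
Feature: CPFW-FIG-25-NG
Certificate Key: CK-49N3A3CC7521
Version: 5.0
Mode: central
State: installed
Attached to: golda
"""

# Constructed repository contents (not from the page): one version 4.1 license
# on golda with the same certificate key and feature; the signature is a placeholder.
REPO_REPORT = """License: OLD-41-SIGNATURE-PLACEHOLDER
----------------------------
Host: 192.168.8.11
Expiration Date: never
Signature: OLD-41-SIGNATURE-PLACEHOLDER
Feature: CPFW-FIG-25-NG
Certificate Key: CK-49N3A3CC7521
Version: 4.1
Mode: central
State: installed
Attached to: golda
"""
```

plan_upgrade(parse_license_report(REPO_REPORT), parse_license_report(NEW_REPORT)) pairs the golda 4.1 license with the second NG license and leaves the first NG license unmatched, which is the outcome the page's example describes.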
cplic db_add
The cplic db_add command (located in $CPDIR/bin) is used to add one or more licenses to the
license repository on the SmartCenter Server.
Adding a Central license to the License Repository does not install it on any Check Point
Node.
If a Local license is added to the Repository, SmartUpdate will install it on the Check Point
Node for which it is intended.
This command can be executed only on a SmartCenter Server.
Usage
Options
parameter meaning
-l license-file adds the license(s) from license-file. The
following options are NOT needed:
Host Expiration-Date Signature SKU/features
Note - Copy/paste the following parameters from the license received from the User
Center. More than one license can be added.
Host The target host name or IP address.
Expiration-Date The license expiration date.
Signature The License signature string. For example:
aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(the hyphens are optional)
SKU/Features The SKU of the license summarizes the features
included in the license. For example:
CPSUITE-EVAL-3DES-vNG
Example
If the file 192.168.5.11.lic contains one or more licenses, the command:
cplic db_rm
The cplic db_rm command (located in $CPDIR/bin) removes a license from the license
repository on the SmartCenter Server. It can be executed ONLY after the license was detached
using the cplic del command (see page 633).
Once the license has been removed from the repository, it can no longer be used. To re-use it,
use the cplic db_add (see page 639) or cplic put (see page 631) commands.
This command can be executed only on a SmartCenter Server.
Usage
Options
parameter meaning
Signature The signature string within the license. For example:
ag2e7EPPP-eZ2HfqEwe-9MDay2aw6-a5rJg8P7k
The signatures of the licenses on the machine can be
viewed using the command cplic <object name>
db_print -x (see page 641). The signature is case
sensitive.
Example
cplic db_print
The cplic db_print command (located in $CPDIR/bin) displays the details of Check Point
licenses stored in the license repository on the SmartCenter Server.
This command can be executed only on a SmartCenter Server.
Usage
Options
parameter           meaning
Object name         Print only the licenses attached to Object name. Object name is the name
                    of the Check Point Node object, as defined in the SmartDashboard.
-all                Print all the licenses in the license repository
-noheader (or -n)   Print licenses with no header. The header is the first line of the result
                    in the Example on page 642 below.
-x                  Print licenses with their signature
-t (or -type)       Print licenses with their type: Central or Local.
-a (or -attached)   Show which object the license is attached to. Useful if the -all option
                    is specified.
Example
This command:
Product Management
In This Section
cppkg Overview
The Product (“package”) Repository on the VPN-1/FireWall-1 SmartCenter Server can be
managed using cppkg commands on the SmartCenter Server, as well as using SmartUpdate.
cppkg add
The cppkg add command is used to add a product package to the Product Repository. For NG
FP2 and higher, there is no difference between SmartUpdate and regular installation packages.
For NG FP1 and below, only SmartUpdate packages can be added to the Product Repository.
Products can be added to the Repository as described in the following procedures, by
• adding them directly from the Check Point Download Center
• adding them from the Check Point CD.
Note - cppkg add does not overwrite existing packages. To overwrite existing
packages, you must first delete existing packages.
Usage
Options
parameter meaning
package-full-path If the package to be added to the repository is on a
local disk or network drive, type the full path to the
package.
CD drive If the package to be added to the repository is on a
CD:
For Windows machines type the CD drive letter, e.g.
d:\
For UNIX machines, type the CD root path, e.g.
/caruso/image/CPsuite-NG/FP2
Example
(e) Exit
Select OS :
------------------
(1) solaris
(2) linux
(3) win32
(e) Exit
Select SP :
------------------
(1) FCS_FP1
(2) FCS
(3) FP2
(e) Exit
cppkg del
The command is used to delete a product package from the repository. To delete a package,
• type cppkg del and follow the menu instructions (recommended), or
• type the cppkg del command with the parameters specified in TABLE 18-59 on
page 647.
For general information about cppkg commands, see “cppkg Overview” on page 643.
Usage
Options
parameter meaning
vendor Package vendor (e.g. checkpoint).
product Package name
Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG).
OS Package Operating System. Options are:
win32 for Windows NT and Windows 2000, solaris,
hpux, ipso, aix, linux.
SP Package service pack (e.g. fcs for NG FP2 initial
release, FP1, FP2 etc.) This parameter is optional. Its
default is fcs.
Example
Select package:
--------------------
(0) Delete all
(1) SVNfoundation solaris checkpoint NG FCS_FP1
(2) firewall solaris checkpoint NG FCS_FP1
(3) floodgate win32 checkpoint NG FP2
(4) rtm win32 checkpoint NG FP2
(5) policyserver win32 checkpoint NG FP2
(6) SVNfoundation win32 checkpoint NG FP2
(7) firewall win32 checkpoint NG FP2
(8) SVNfoundation solaris checkpoint NG FP2
(9) firewall solaris checkpoint NG FP2
(10) policyserver solaris checkpoint NG FP2
(11) floodgate solaris checkpoint NG FP2
(12) rtm solaris checkpoint NG FP2
(e) Exit
Usage
cppkg print
Example
[d:\winnt\fw1\ng\bin]cppkg print
cppkg setroot
The command is used to create a new repository root directory location, and to move existing
product packages into the new repository.
The default Product Repository location is created when the SmartCenter Server is installed.
On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use
this command to change the default location.
Note - It is important to reboot the SmartCenter Server after performing this command, in
order to set the new $SUROOT environment variable.
Usage
Options
parameter meaning
repository-root-directory-full-path The desired location for the Product
Repository.
Example
cppkg getroot
The command is used to find out the location of the Product Repository.
The default Product Repository location on Windows machines is C:\SUroot. On UNIX it is
/var/SUroot
For general information about cppkg commands, see “cppkg Overview” on page 643.
Usage
cppkg getroot
Example
# cppkg getroot
Current repository root is set to : /var/suroot/
Remote installation
cprinstall Overview
Use cprinstall commands to perform remote installation of product packages, and associated
operations.
On the SmartCenter Server, SmartUpdate cprinstall commands require:
• an NG FP1 SmartCenter Server.
• a separate license installed, in addition to the SmartCenter Server license. You must
have one of the following SKUs:
CPMP-SUP-1-NG
CPMP-SUP-U-NG
On the remote Check Point Nodes the following are required:
• There must be Trust between the SmartCenter Server and the Check Point Node.
• cpd must run
• cprid remote installation daemon must run. cprid is available on VPN-1/FireWall-1 4.1
SP2 and higher, and as part of SVN Foundation for NG and higher.
cprinstall upgrade
Use the cprinstall upgrade command to upgrade all products on a Check Point Node to the
latest version.
All products on the Check Point Node must be NG FP1 or higher.
When cprinstall upgrade is run, the command verifies which products are installed on the
Check Point Node, and that there is a matching product package in the Product Repository
with the same OS.
If the verification is successful, the product package is installed on the remote Check Point
Node. Otherwise, an explanatory message gives the reason for the operation failure.
Usage
Options
parameter meaning
boot Boot the remote Check Point Node after completing
the remote installation.
object name Object name of the Check Point Node, defined in the
SmartDashboard.
cprinstall verify_upgrade
Use the cprinstall verify_upgrade command to verify, before performing the upgrade, that all
products on a Check Point Node can be upgraded to the latest version.
This command is automatically performed by the cprinstall upgrade command.
All products on the Check Point Node must be NG FP1 or higher.
When the command is run, the command verifies which products are installed on the Check
Point Node, and that there is a matching product package in the Product Repository with
the same OS.
A message reports on the results of the verification.
Usage
Options
parameter meaning
object name Object name of the Check Point
Node, defined in the SmartDashboard.
cprinstall install
The cprinstall install command is used to install Check Point products on remote Check Point
Nodes.
To install a product package you must specify a number of options. Use the cppkg search
command (see “cppkg print (search)” on page 648) and copy the required options.
When running this command, it is highly recommended to boot the remote Check Point Node
by specifying the -boot option.
Before transferring any files, this command runs the cprinstall verify command to verify that the
Operating System is appropriate and that the product is compatible with previously installed
products.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.
Usage
Options
parameter meaning
-boot Boot the remote computer after installing the package.
Note - Only boot after ALL products have the same
version, either NG or NG FP1. Boot will be cancelled in
certain scenarios. See the Release Notes for details.
Object name Object name of the Check Point Node defined in the
SmartDashboard.
vendor Package vendor (e.g. checkpoint)
Example
cprinstall uninstall
The cprinstall uninstall command is used to uninstall products on remote Check Point
Nodes.
To uninstall a product package you must specify a number of options. Use the cppkg search
command (see “cppkg print (search)” on page 648) and copy the required options.
When running this command, it is highly recommended to boot the remote Check Point Node
by specifying the -boot option.
Before uninstalling any files, this command runs the cprinstall verify command to verify
that the Operating System is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point Node data by running cprinstall get (see
“cprinstall get” on page 656), or from the SmartUpdate GUI.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.
Usage
Options
parameter meaning
-boot Boot the remote computer after installing the package.
Note - Only boot after ALL products have the same
version, either NG or NG FP1. Boot will be cancelled
in certain scenarios. See the Release Notes for details.
Object name Object name of the Check Point Node defined in the
SmartDashboard.
vendor Package vendor (e.g. checkpoint)
Example
cprinstall get
The cprinstall get command is used to obtain details of the products and the Operating
System installed on the specified Check Point Node, and to update the database.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.
Usage
Options
parameter meaning
Object name The object name of the Check Point Node defined in
the SmartDashboard.
Example
cprinstall verify
The cprinstall verify command is used to verify whether a specific product can be installed
on the remote Check Point Node. It verifies that the Operating System and currently installed
products are appropriate for the package, and that there is enough disk space to install the
product, and that there is a CPRID connection.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.
Usage
Options
parameter meaning
Object name Object name of the Check Point Node defined in the
SmartDashboard.
vendor Package vendor (e.g. checkpoint)
Example
The following examples show a successful and a failed verify operation:
• Verify succeeds:
• Verify fails:
cprinstall boot
The command is used to boot the remote computer. For general information about cprinstall
commands, see “cprinstall Overview” on page 651.
Usage
Options
parameter meaning
Object name Object name of the Check Point Node defined in the
SmartDashboard.
Example
cprinstall stop
The command is used to stop the operation of other cprinstall commands. In particular, this
command stops the remote installation of a product - even during transfer of files, file
extraction, and pre-installation verification. The operation can be stopped at any time up to the
actual installation.
cprinstall stop can be run from one command prompt to stop a running operation at
another command prompt.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.
Usage
Options
parameter meaning
Object name Object name of the Check Point Node defined in the
SmartDashboard.
Example
cprinstall (cpstart/cpstop)
This variant of the cprinstall command does not install software, but rather enables running
the cpstop and cpstart commands remotely.
All products on the Check Point Node must be NG FP1 or higher.
Usage
Options
parameter meaning
cpstart Run cpstart on the remote Check Point Node (see
“cpstart” on page 553).
cpstop <-proc | -nopolicy> Run cpstop on the remote Check Point Node. The
-proc and -nopolicy arguments have the same
meaning here as they have for the cpstop command
(see “cpstop” on page 553).
cprestart Run cpstop followed by cpstart on the remote
Check Point Node.
object name Object name of the Check Point Node, defined in the
SmartDashboard.
In This Section
vpn accel
If a VPN-1 Accelerator Card is installed, it is enabled by default when VPN-1/FireWall-1 starts.
You can also enable or disable it manually as well as obtain its status using vpn accel.
When you enable or disable the VPN-1 Accelerator Card, current connections are not dropped.
Instead, encryption continues in the hardware or software, accordingly.
Usage
Options
parameter meaning
on Enable VPN-1 Accelerator Card.
off Disable VPN-1 Accelerator Card.
stat Obtain the status of the VPN-1 Accelerator Card.
-l Report the status of the VPN-1 Accelerator Card using long
format.
lunadiag
A software diagnostics utility specific to the Luna accelerator card is available in the Luna
package. The utility is documented in the file lunadiag.txt.
The locations of these files are given in TABLE 18-71.
file location
executable • Solaris — $FWDIR/bin/lunadiag
• NT — $FWDIR\bin\lunadiag.exe
To determine the VPN-1 Accelerator Card driver version, enter the following command:
Solaris
NT
In the Explorer, right-click on C:\WINNT\system32\drivers\LunaVPN.sys. The version
number, displayed in the Properties tab, should be 3.9a.
VPN Commands
vpn command-line commands can be used to obtain information about VPN activities, and to
start specific VPN services. These commands are performed by the vpnd daemon, which is
responsible for all VPN and encryption activities.
In This Section
vpn ver
vpn ver displays the VPN-1 major version number, the build number, and a copyright notice.
Usage and options are the same as for “fwm ver” on page 569.
vpn debug
Debug the VPN-1 daemon.
Usage
Options
parameter meaning
on Start debug mode
off Stop debug mode
ikeon Start IKE logging to the IKE.elg file.
ikeoff Stop IKE logging to the IKE.elg file.
IKE logs are analyzed by IKEView.exe (a utility used by Check Point Support).
vpn drv
Installs the VPN-1 kernel (vpnk) and connects to the FireWall-1 kernel (fwk).
Usage
Options
parameter meaning
on Start the VPN-1 kernel
off Stop the VPN-1 kernel
stat Status of the VPN-1 kernel. Whether it is on or off
vpn intelrng
vpn intelrng displays the status of the Intel RNG (random number generator). This command
is a Windows NT and Windows 2000 only command.
Usage
vpn intelrng
Examples
#vpn intelrng
Using Intel(R) Security Driver.
#vpn intelrng
Intel(R) Security Driver not detected.
Daemons
In This Section
Check Point Remote Installation Daemon (cprid) page 664
CPsyslogD page 664
To stop cprid:
cpridstop
To restart cprid:
cpridstart
CPsyslogD
CPsyslogD enables the Check Point logging mechanism to process syslog logs from hardware
devices whose architecture is not supported by OPSEC and can therefore not utilize ELA.
To enable CPsyslogD, check Accept Syslog messages in the Management - Logging Policy
page of the Module’s Global Properties window.
The main reason for this daemon is to allow processing of logs from hardware devices working
with architectures that OPSEC does not support. They cannot use ELA but they want to use the
Check Point logging mechanism. For example, hardware high-availability vendors must send
logs to the Check Point logging mechanism (certification requirement), but they do not have
ELA working on their architecture.
CPSyslogD
The Syslog daemon resides in every VPN/FireWall module. If enabled, it works in parallel with
the local syslog daemon on Unix machines; on other machines it is the only syslog daemon. The
local syslog daemon handles local logs, and CPSyslogD handles all incoming logs (through UDP
port 514).
Syslog
Syslog is a simple standard. It defines the port and protocol of syslog (UDP port 514) and a
“Priority + Facility” number that distinguishes one class of log from another; the rest of the
log is free text.
Unix machines have a syslog daemon that processes internal logs (for example, kernel logs) and
external logs (via UDP port 514). The syslog daemon writes these logs to different log files
(for example, /var/log/messages), sends alerts to different users, etc.
TABLE 18-74 syslog
Syslog Configuration
• Check Accept Syslog messages in the Management - Logging Policy page of the
Module’s Properties window.
• Define a Security Policy rule that allows UDP port 514 communication from the desired
device to the Module
Note - Syslog logs are not entirely reliable because they use UDP protocol, which does
not guarantee the delivery of the packets.
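The “Priority + Facility” number described above is the PRI field at the start of each datagram. The following is an added example (not Check Point code) that decodes PRI into facility and severity the way a syslog daemon does, and keeps datagrams that arrive without a PRI instead of discarding them. The sample datagrams, hostnames and message text are constructed for this example.

```python
"""Added example, not Check Point code: decode BSD syslog datagrams of the
kind CPSyslogD receives on UDP port 514.

PRI = facility * 8 + severity, written as "<PRI>" at the start of the
datagram; everything after it is free text. Sample lines are constructed.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram: str) -> dict:
    """Split one datagram into facility, severity and free-text message.

    A datagram with no valid <PRI> is still accepted: it is assigned PRI 13
    (user.notice), as BSD syslog relays do, so nothing is silently lost.
    """
    m = _PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:          # 23 * 8 + 7 is the largest legal PRI
        pri, message = int(m.group(1)), m.group(2)
    else:
        pri, message = 13, datagram
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "message": message.rstrip("\r\n"),
    }


def at_least(datagrams, severity: str) -> list:
    """Return parsed datagrams whose severity is `severity` or more urgent."""
    cutoff = SEVERITIES.index(severity)
    return [p for p in map(parse_syslog, datagrams)
            if SEVERITIES.index(p["severity"]) <= cutoff]


# Constructed sample datagrams (hostnames and text are made up for this example).
SAMPLE = [
    "<34>Oct 11 22:14:15 ha-node1 failover: peer ha-node2 not responding, taking over",
    "<13>Oct 11 22:14:16 ha-node1 status: heartbeat resumed",
    "<191>Oct 11 22:14:17 ha-node1 dbg: link check ok",
    "Oct 11 22:14:18 ha-node1 line without a PRI field",
]

if __name__ == "__main__":
    for p in map(parse_syslog, SAMPLE):
        print("%-8s %-7s %s" % (p["facility"], p["severity"], p["message"]))
```

Because the transport is UDP, a missing datagram leaves no trace in the decoded output; a gap in sequence can only be detected if the sending device numbers its messages.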
FloodGate-1
For more on FloodGate-1 commands, see the FloodGate-1 Administration Guide.
SmartView Monitor
Following are the commands that are unique to SmartView Monitor. Commands that are shared
with other Check Point products are listed elsewhere in this guide.
rtmstart
rtmstart loads the RTM kernel module and starts the RTM daemon.
Usage
rtmstart
rtmstop
rtmstop kills the RTM daemon and then unloads the RTM kernel module.
Usage
rtmstop
rtm d
rtm d starts the rtm daemon manually (this occurs automatically when you run rtmstart).
Usage
rtm d
rtm debug
rtm debug sends debug printouts to the file $FWDIR/log/rtmd.elg.
Usage
Options
parameter meaning
on Start debug mode
off Stop debug mode
rtm drv
rtm drv starts, stops or checks the status of the RTM kernel driver.
Usage
Options
parameter meaning
on Start the RTM kernel driver
off Stop the RTM kernel driver
stat Status of the RTM kernel driver
rtm ver
rtm ver displays the RTM version.
Usage
Options
parameter meaning
-k Also displays the RTM kernel version
rtm stat
rtm stat displays general RTM status, including the status of the daemon, driver, and active
virtual links.
Usage
rtm stat
Usage
Options
parameter meaning
module-name The name of the monitored RTM Module
interface-name The name of the monitored interface
To monitor all of the module’s interfaces, use
interface-name ‘any’.
-d Specifies one of the following monitoring directions.
• inbound — monitor in the inbound direction
• outbound — monitor in the outbound
direction
• eitherbound — monitor in both directions
The default is eitherbound.
-y Specifies one of the following measurement units.
• bytes — data transfer rate
• pkts — packets per second
• line — percent line utilization
The following measurement options work only with
the ‘top’ grouping options (see -g below):
• B — total bytes, from the beginning of the
monitoring session
• c — new connections opened per second
• C — total connections opened, from the
beginning of the monitoring session
The default is bytes.
-a Specifies how connections are displayed.
• aggregate — display connections of a
specific type as an aggregate
• individual — display connections of a
specific type individually
The default is aggregate.
-g Specifies one of the following grouping options for
monitored traffic.
• svc — monitor by service
• src — monitor by network object, source only
• dst — monitor by network object, destination
only
• ip — monitor by network object, source and
destination
• fgrule — monitor by QoS Policy rule
• topsvc — monitor traffic of the top 50
services
• topsrc — monitor traffic from the top 50
sources
• topdst — monitor traffic to the top 50
destinations
• topdst — monitor traffic to or from the top
Entities
The specified entities should correspond to the specified grouping option. For example, if
monitoring is by service (svc), all the services to be monitored should be listed, separated by
single spaces.
When monitoring by QoS Policy rule (fgrule), ‘rule@@subrule’ should be used to specify a
subrule entity.
The ‘top’ grouping options do not need their entities specified, as they automatically monitor
the top 50 entities according to the specified group.
Example
The following command will display monitoring data in total bytes for the top 50 services
passed on interface hme1.
Usage
In This Section
RTClient.exe
RTClient.exe is executed from <Management Clients directory>.
Syntax
Parameters
parameter meaning
reporting server name or IP address of the Reporting Server
user name user name
password login password
Note - If the above parameters are not specified, the command starts the Reporting
Tool login window.
In This Section
Syntax
rtcommand ver
Parameters
parameter meaning
ver Print module version
Syntax
rtcommand RPF
Parameters
parameter meaning
RPF The Run Time Parameters file
Monthly Report
Syntax
Parameters
parameter meaning
RPF The Run Time Parameters file
-monthly month_day A monthly report, where month_day is the day of the
month on which the scheduled report is generated.
month_day is a number between 1 and 31. If the month
ends before month_day, the report is generated on the last
day of that month; specifying 31 therefore always selects
the last day of every month.
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59)
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
[-sd mm/dd/yyyy] Start date for the schedule rule:
mm - 2 digits of the month (01-12).
dd - 2 digits of the month day (01-31).
yyyy - 4 digits of the year.
[-ed mm/dd/yyyy] End date for the schedule rule.
mm - 2 digits of the month (01-12)
dd - 2 digits of the month day (01-31)
yyyy - 4 digits of the year
Weekly Report
Syntax
Parameters
parameter meaning
RPF The Run Time Parameters file
-weekly weekday Weekly report. Weekday is a string of the weekday name.
The name is not case sensitive. Example: sun, Sun, sunday
and Sunday are all equivalent.
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59).
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
[-sd mm/dd/yyyy] Start date for the schedule rule:
mm - 2 digits of the month (01-12).
dd - 2 digits of the month day (01-31).
yyyy - 4 digits of the year.
[-ed mm/dd/yyyy] End date for the schedule rule.
mm - 2 digits of the month (01-12)
dd - 2 digits of the month day (01-31)
yyyy - 4 digits of the year
Daily Report
Syntax
Parameters
parameter meaning
RPF The Run Time Parameters file
-daily Daily report
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59).
parameter meaning
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
[-sd mm/dd/yyyy] Start date for the schedule rule:
mm - 2 digits of the month (01-12).
dd - 2 digits of the month day (01-31).
yyyy - 4 digits of the year.
[-ed mm/dd/yyyy] End date for the schedule rule.
mm - 2 digits of the month (01-12)
dd - 2 digits of the month day (01-31)
yyyy - 4 digits of the year
Syntax
Parameters
parameter meaning
RPF The Run Time Parameters file
-runonce A delayed report.
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59).
-sd mm/dd/yyyy Start date for the schedule rule:
mm - 2 digits of the month (01-12).
dd - 2 digits of the month day (01-31).
yyyy - 4 digits of the year.
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
Remove Schedule
Syntax
rtcommand -r schedule_name
Parameters
parameter meaning
-r schedule_name Remove schedules which have schedule_name
(see -n option)
rtcommand -ra
Parameters
parameter meaning
-ra Remove all schedules
Syntax
Parameters
parameter meaning
-mh management_host Associate the Reporting Server with a specific
management host (IP or name).
-md Associate the Reporting Server with the default
management machine.
Generating Reports
RTGen
RTGen was used in Reporting Module Version 4.1 to generate reports in the appropriate format
without distributing them. This command is still available to NG users, but is deprecated and
may not be supported in future Reporting Module versions. It is, therefore, highly
recommended to use rtcommand instead, which not only generates reports but also distributes
them to the specified targets. If you choose to continue using RTGen in an NG installation, the
Reporting Server service must be running.
RTGen is executed from <Reporting Server directory>.
Syntax
Parameters
parameter meaning
Run Time Parameter absolute path to the Run Time Parameter file (*.RPF).
file name Use the path name beginning with the drive letter.
output file name the absolute path to the report results file. There is no
need to specify a file extension. The report results file
automatically receives the file extension specified in the
Target tab of the Report Definition.
If the target is File, this name is only the prefix for the
name specified in the target field.
ascii delimiter a delimiter character required for ASCII output file
formats only
Example
UpgradeUtil
UpgradeUtil upgrades FWR (proprietary report result file), RPF (Run Time Parameters file) and
DEF (Report Definition file) files from Version 4.1 format to NG format (the source file name
extension must be .fwr, .rpf or .def, respectively).
Usage
Options
parameter meaning
Source File The name of the original Version 4.1 format
file.
Target File The name of the NG format file. If it is not
specified, the original file will be backed up as
<Original file Name>.old.
Example
UpgradeUtil abc.def
The Version 4.1 format abc.def file is converted to an NG format file with the same name
while the original file is renamed abc.def.old.
log_consolidator
Log Consolidation Engine commands are executed from the:
<Reporting Module directory>/log_consolidator_engine/bin directory.
In This Section
Syntax
log_consolidator -V
Parameters
parameter meaning
-V Show the Log Consolidation Engine version and build
number.
Syntax
Parameters
parameter meaning
-C -m Send a command message to the Log Consolidation
Engine.
terminate Force the Log Consolidation Engine to exit. Records that
have been consolidated but not stored are not saved.
stop Stop the Log Consolidation Engine.
start Start the Log Consolidation Engine with the last installed
Consolidation Policy.
Syntax
Parameters
parameter meaning
-E Export connection tables data from the database to a
file.
-a [Table_Name | ALL] The name of the table, or “ALL” to specify all
tables.
[-b File_Name] The exported table will be written to File_Name. If you
do not specify a name for the file, its default name will
consist of the table name and the date and time of
execution as the postfix (e.g.
CONNECTIONS26Jun2001-114739).
Syntax
Parameters
parameter meaning
-I Import connection table data from a file to a table in the
Reporting Database.
-a File_Name The name of the file.
[-b Table_Name] The name of the table. If Table_Name is not specified,
the file will be imported into the table it was originally
exported from. If the original table no longer exists, the
file will be imported into a new table named after the
original one.
Syntax
Parameters
parameter meaning
-A Archive records to the specified Database table.
-a Src_Table_Name The name of the source table.
-b Dest_Table_Name The name of the destination table.
-s Save_From_Date Archive all records previous to the specified date from the
source table to the destination table.
Save_From_Date is in dd-mm-yyyy hh:mm:ss format.
Delete Records
Syntax
Parameters
parameter meaning
-T Delete all records previous to Save_From_Date from the
specified source table. Save_From_Date is in dd-mm-yyyy
hh:mm:ss format.
-a Src_Table_Name The name of the source table.
-s Save_From_Date The date up to which records will be deleted.
Parameters
parameter meaning
-O Configure the list of permitted origins.
-r Ip1,Ip2,Ip3... Remove the old origins, whose IP addresses are specified,
from the list.
-a Ip1,Ip2,Ip3... Add the new origins, whose IP addresses are specified, to
the list
-o Ip1,Ip2,Ip3... Overwrite the old origins in the list, whose IP addresses
are specified, with new ones.
-p Ip1,Ip2,Ip3... Print the current list of origins whose IP addresses are
specified.
FireWall-1 Data
Syntax
log_consolidator -G
Parameters
parameter meaning
-G Generate data on FireWall-1 object definitions.
Syntax
log_consolidator -R
Parameters
parameter meaning
-R Run the Log Consolidation Engine with the last installed
Consolidation Policy.
parameter meaning
module-name The name of the monitored RTM Module
-virtual-link-name The name of the monitored Virtual Link
-d Specifies one of the following monitoring directions.
• a2b — monitor from End Point A to End
Point B
• b2a — monitor from End Point B to End
Point A
• a2b_b2a — monitor in both directions.
The default is a2b_b2a.
-y Specifies one of the following measurement units.
Required only when the -w value is bandwidth (see
-w below).
• bytes — data transfer rate
• pkts — packets per second
The default is bytes.
-w Specifies the displayed data type.
• bandwidth — display the effective bandwidth
• loss — display the difference between the
transmission rate and the receiving rate
• rtt — display the time required to make the
round trip between the End Points
The default is bandwidth.
-t Specifies the data type.
Required only when the -w value is bandwidth (see
-w above).
• wire — show the data on the wire, after
compression or encryption
• application — show the data as the
application sees it, uncompressed and unencrypted
The default is application.
OPSEC
upgrade_fwopsec
upgrade_fwopsec upgrades OPSEC configuration information on the SmartCenter Server from
pre-NG to NG format, based on the upgraded Module information.
If you have not changed any of the defaults, then there is no need to run the upgrade_fwopsec
command. However, if you have changed the defaults, then you should run the
upgrade_fwopsec command.
To copy the configuration information from the Module to the upgraded SmartCenter Server,
use the upgrade_fwopsec command.
Note - upgrade_fwopsec should be run on the SmartCenter Server, after the Module has
been upgraded and the file fwopsec.v4x has been created. Make sure that the
SmartDashboard application is closed before running upgrade_fwopsec.
Usage
Options
parameter meaning
-mgmt mgmt_host The name of the SmartCenter Server (default is localhost).
-u user The administrator’s name. The administrator must have
write permission.
-p password The user’s password (the password used for the GUI
Management Client).
[-fwm fw_obj_name [-fetch]] fw_obj_name is the name of the Module object (as
specified in the VPN-1/FireWall-1 SmartDashboard) to
which the configuration information applies. If -fetch is
specified, then the information will be retrieved from
fwopsec_file on the Module; otherwise
upgrade_fwopsec will retrieve it from the SmartCenter
Server (the local machine on which this command is run).
-f fwopsec_file The path to the file containing the configuration
information, usually “fwopsec.v4x”. If the -fetch option
is used, then fwopsec_file specifies the file’s path relative
to the remote Module’s $FWDIR.
[-log log_file | -nolog] Log the upgrade process to log_file (default is
$FWDIR/tmp/<fw_obj_name>.upg_opsec.log). If nolog is
specified, the log will be directed to stderr. If the
upgrade is successful, the log will be appended to
$FWDIR/tmp/mgmt.upg_opsec.log.
Access Control List (ACL) A sequential list of permit and deny conditions that define the
connections permitted to pass through a device, usually a *router. ACL syntax is arcane and specific
to individual vendors, and a *security policy based on ACLs is difficult to maintain.
ActiveX A programming environment developed by Microsoft Corporation; a direct
competitor to Sun Microsystems’ *Java. ActiveX presents a security risk because its executable
ActiveX control files run on the client and can be used to gain illicit access to its files.
ActiveX Stripping The ability to prevent *ActiveX programs from being executed on the
client by removing all ActiveX programs from HTML pages as they are downloaded.
Address Resolution Protocol (ARP) The *protocol used inside networks to bind high
level *IP addresses to low-level physical hardware addresses.
Advanced Encryption Standard (AES) A replacement proposed for *DES by the US
Commerce Department’s National Institute of Standards and Technology (NIST) in 1997. The
successful candidate, the Rijndael block cipher (pronounced “rain doll”), is supported both for VPN
Modules and VPN Clients (SecuRemote/SecureClient).
AES’s advantages are:
• variable key length (from 128 to 256 bits); the DES key length is 56 bits and 3DES provides
security equivalent to 112 bit keys
• a threefold performance improvement over 3DES
anti-spoofing A method used to protect a network against *IP spoofing attacks by verifying
that a packet’s source and destination *IP addresses are appropriate to the interface through which
the packet passes, for example, that a packet entering the local network from the outside carries an
external source IP address.
A simple precaution against IP spoofing attacks is to hide internal IP addresses (using the Network
Address Translation feature) so that outside users cannot learn what they are.
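The check described in this entry, as an added example that is not Check Point code: each interface is declared with the networks expected behind it, and a packet is rejected when its source address belongs behind a different interface than the one it entered on. The interface names, address ranges and sample packets are constructed for this example.

```python
"""Added example, not Check Point code: anti-spoofing by interface topology.

A packet's source address is checked against the networks declared behind
the interface it arrived on. A mismatch means the source was forged (or the
topology is mis-declared). Interfaces and ranges are made up for this example.
"""
import ipaddress

# Interface -> networks declared behind it. The external interface has no
# declared networks: it is expected to carry everything that is not internal.
TOPOLOGY = {
    "eth0": [],                      # external (Internet side)
    "eth1": ["10.1.0.0/16"],         # internal LAN
    "eth2": ["192.168.5.0/24"],      # DMZ
}
EXTERNAL = "eth0"


def expected_interface(src_ip, topology=TOPOLOGY, external=EXTERNAL):
    """Return the only interface a packet with this source may legitimately enter on."""
    addr = ipaddress.ip_address(src_ip)
    for iface, nets in topology.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return iface
    return external


def check_packet(src_ip, arrived_on, topology=TOPOLOGY, external=EXTERNAL):
    """Return (accept, reason). A spoofed packet enters on the wrong interface."""
    want = expected_interface(src_ip, topology, external)
    if want == arrived_on:
        return True, "ok"
    if arrived_on == external:
        return False, "internal source %s arrived from outside" % src_ip
    return False, "source %s does not belong behind %s" % (src_ip, arrived_on)


# Constructed packets: (source IP, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.2.3", "eth1"),        # normal internal client
    ("10.1.2.3", "eth0"),        # classic spoof: internal address from the Internet
    ("203.0.113.9", "eth0"),     # normal external source
    ("203.0.113.9", "eth1"),     # outbound spoof from an internal host
    ("192.168.5.7", "eth1"),     # DMZ address appearing on the LAN interface
]


def dropped(packets=SAMPLE_PACKETS):
    """Packets the check would drop, with the reason that would be logged."""
    return [(src, iface, reason)
            for src, iface in packets
            for ok, reason in [check_packet(src, iface)]
            if not ok]


if __name__ == "__main__":
    for src, iface, reason in dropped():
        print("drop %-13s on %s: %s" % (src, iface, reason))
```

The check is only as good as the declared topology: an internal range that is left out of every interface is treated as external and will be accepted from the Internet, which is the mis-declaration the last sample packet exercises in reverse.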
anti-virus A mechanism that provides detection, inoculation, logging and alerting capabilities
to disarm *viruses on a local disk or in files as they are transferred on the network.
API see “Application Programming Interface (API)”
application gateway A *firewall that uses *proxies to provide security.
Historically, application level gateways suited the Internet’s common uses and needs. However, as
the Internet has become a dynamic environment in which new protocols, services and applications
appear almost daily, proxies are no longer able to cope with the diversity of the Internet, or to fulfill
the new business needs, high bandwidth and security requirements of networks.
application layer The top network communication layer in a *protocol stack. The appli-
cation layer is concerned with the semantics of work, such as how to format an e-mail message for
display on the screen. A message’s routing information is processed by lower layers of the network
stack (see “layered communication model”).
Application Programming Interface (API) A well-defined set of functions, syntax or
languages that enable application programs to communicate with one another and exchange data.
ARP see “Address Resolution Protocol (ARP)”
Asynchronous Transfer Mode (ATM) A method for dynamically allocating
bandwidth using a fixed packet size (called a cell). These cells can carry data, voice, and video at
high speeds.
ATM see “Asynchronous Transfer Mode (ATM)”
audit In network security, examining and evaluating the relative security of a network.
authentication A method of verifying that an object is really what it appears to be: that a user
or a computer is not being impersonated by another user or computer, or that a message received is
the same message that was sent (that is has not been tampered with).
Users are authenticated by a challenge-response mechanism: the user is asked to provide information
(for example, a *password or *token) presumably known to no one else. Computers may be
authenticated in a similar way. In addition, human users can be authenticated by biometric means,
such as verifying fingerprints or retinal images.
Authenticating a message verifies its integrity and the sender’s identity, usually by means of
a *digital signature.
authentication algorithm An algorithm, such as MD5, used to calculate the *digital
signature by which a message’s integrity is verified.
B1, B2 level In the USA, the National Security Agency’s rating system for network security.
Ratings are certified by the National Computer Security Center. A B1 rating describes a basic level
of enterprise-wide Internet security and is equivalent to the European E3 rating (see “E3”). A B2
rating describes a much higher level of security typically used to protect military systems.
bridge A device, with two interfaces connecting two networks, that replicates packets appearing
on one interface and transmits them on the other interface.
broadcast A message sent to every destination on the network, in contrast to *multicast and
*unicast.
certificate A *digital signature encrypted with the (for example, *RSA) private key of the
*Certificate Authority (CA) who sent the message that includes the certificate, intended to generate
confidence in the legitimacy of the public key contained in the message.
The recipient can verify that the message was indeed sent by the CA by computing the message’s
digital signature, decrypting the transmitted digital signature using the CA’s public key (reliably
available from an out-of-band source such as a printed directory) and comparing the two. If they are
the same, then the message was sent by someone who knows the CA’s private key; presumably this
can only be the CA.1
Certificate Authority (CA) A trusted third party from which information (for example, a
person’s public key) can be reliably obtained, even over an insecure channel.
For example, if Alice and Bob obtain each other’s public keys over an insecure channel such as the
Internet, they must be certain that the keys are genuine. Alice cannot simply ask Bob for his public
key, because there is the danger that Charlie might intercept Alice’s request and send Alice his own
key instead. Charlie would then be able to read all of Alice’s encrypted messages to Bob.
The CA certifies the information it provides by generating a *certificate. Anyone receiving the
information verifies the certificate as proof of the information’s validity.
community In SNMP, a community is a logical group of managed devices and NMSs in the
same administrative domain.
computationally unfeasible Impossible in practical terms though not theoretically so.
For example, it is computationally unfeasible to compute the private part of a *public key pair from
the public part, because the only known method — the “brute force” approach of trying all the
possibilities one after the other — would take millions of years.
connectionless communication A scheme in which communication occurs outside of
any context, that is, replies and requests are not distinguishable. Connectionless communication
avoids the overhead inherent in maintaining a connection’s context, but at the risk of allowing
transmission errors to go undetected. Streaming services usually use connectionless communication
protocols such as *UDP, because they must attain high transmission speeds and there is no
advantage in sending a retransmitted packet out of sequence.
content security The ability to specify the content of a communication as an element of a
security policy, in contrast to defining a security policy on the basis of header information only.
Effective content security requires that a firewall understand the internal details of the protocols and
services it monitors.
An example of content security is enforcing *anti-virus checking for downloaded files, disallowing
email from or to specified email addresses, or allowing access to Web pages containing certain words
only during specified time periods.
1. Purists would object to saying “encrypted with the private key” and “decrypted with the public key.” The words
“encrypted” and “decrypted” are used here in their common senses of hiding and revealing.
Content Vectoring Protocol (CVP) An *OPSEC API that enables integration of third-
party content security applications such as antivirus software into VPN-1/FireWall-1. The CVP
API has been adopted by a wide variety of security vendors.
Customer log module
The Customer Log Module is a SmartCenter Server with a limited license allowing log and alerts
management only. The Customer Log Module collects logs and alerts from all VPN/FireWall
Modules in the enterprise, but it does not maintain or manage a Security Policy.
The Customer Log Module enables centralized log management in configurations with multiple
VPN/FireWall Modules. FIGURE 18-2 depicts a configuration in which centralized logging is
enabled.
FIGURE 18-2 Centralized Logging Configuration. Labels recovered from the figure: (1) the Customer
Log Module (Thames), behind a router to the Internet, with the GUI Client (Tower) and the
Management Server (Chelsea); (2) the Customer Log Module collects logs from the FireWalled
Gateways (London, Paris, BigBen), each behind its own router.
The Customer Log Module on Thames collects log data from three VPN/FireWall Modules,
each of which protects a separate network. The VPN-1/FireWall-1 Log Viewer on the GUI
Client can connect to the Customer Log Module to display logged events and alerts on network
activity for all VPN/FireWall Modules.
FIGURE 18-3 (DMZ configuration). Labels recovered from the figure: Internet, Router, mailsrvr,
London.
In FIGURE 18-3, the DMZ is protected by the FireWalled gateway but is at the same time isolated
from the private network. There is no way of connecting from the DMZ to the private network
without going through the *firewall.
denial of service attack An attack with the purpose of overwhelming the target with
spurious data to the point where it is no longer able to respond to legitimate service requests, in
contrast to an attack whose purpose is to penetrate the target system. Examples of denial of service
attacks are SYN and “ping of death.”
dial-up line A telecommunication line available only after a dialling procedure, such as an
ordinary telephone line, in contrast to a *leased line.
Diffie-Hellman key exchange scheme A public key scheme, invented by Whitfield
Diffie and Martin Hellman, used for sharing a secret key without communicating any secret infor-
mation, thus avoiding the need for a secure channel. Once the correspondents have computed the
shared secret key, they can use it to encrypt communications between them.
FIGURE 18-4 Diffie-Hellman Key Exchange. Labels recovered from the figure: Alice and Bob each
feed a Key Calculation Engine; the output is the Secret Key for Alice and Bob.
Under the Diffie-Hellman scheme, each correspondent has a public-private key pair. They agree on
a secret key as follows (FIGURE 18-4):
• Bob gets Alice’s public key (from a *Certificate Authority) and performs a calculation
involving his own private key and Alice’s public key.
• Alice gets Bob’s public key (from a Certificate Authority) and performs a calculation
involving her own private key and Bob’s public key.
The result of both calculations is the same, and serves as the secret key. In this way, a secret key can
be agreed on without any secret information being communicated. There is no opportunity for an
eavesdropper to determine the secret key.
An additional advantage of this scheme is that only one key pair needs to be managed for each
correspondent.
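The exchange described above, as an added example that is not Check Point code. It runs the honest exchange between Alice and Bob, then the substitution that the “Certificate Authority (CA)” entry warns about: Charlie swaps each public value for his own in transit, so Alice and Bob each end up sharing a key with Charlie rather than with each other. Obtaining the public values from a CA is what prevents the second outcome. The parameters are the 1024-bit MODP prime of IKE group 2 with generator 2, transcribed here from RFC 2409 section 6.2 (check the value against the RFC before reusing it); the party names are illustrative.

```python
"""Added example, not Check Point code: a Diffie-Hellman exchange between
Alice and Bob, followed by the man-in-the-middle substitution that a
Certificate Authority exists to prevent.

Group: the 1024-bit MODP prime of IKE group 2 (transcribed from RFC 2409,
section 6.2), generator 2.
"""
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class Party:
    """One correspondent: a private exponent and the public value derived from it."""

    def __init__(self, name, p=P, g=G):
        self.name, self.p, self.g = name, p, g
        self.private = 2 + secrets.randbelow(p - 3)     # 2 <= x <= p-2
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public):
        # Reject 0, 1 and p-1: they force the result into a tiny, predictable set.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def honest_exchange():
    """Public values are delivered unaltered; both sides compute the same secret."""
    alice, bob = Party("Alice"), Party("Bob")
    return alice.shared_secret(bob.public), bob.shared_secret(alice.public)


def intercepted_exchange():
    """Charlie replaces each public value with his own in transit.

    Returns (Alice's key, Bob's key, Charlie's copy of Alice's key,
    Charlie's copy of Bob's key). Alice and Bob end up with different keys,
    each shared with Charlie, who can decrypt and re-encrypt every message.
    """
    alice, bob, charlie = Party("Alice"), Party("Bob"), Party("Charlie")
    k_alice = alice.shared_secret(charlie.public)   # Alice believes this came from Bob
    k_bob = bob.shared_secret(charlie.public)       # Bob believes this came from Alice
    return (k_alice, k_bob,
            charlie.shared_secret(alice.public), charlie.shared_secret(bob.public))


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange, secrets match:", a == b)
    ka, kb, ca, cb = intercepted_exchange()
    print("intercepted: Alice == Bob:", ka == kb, "| Charlie holds both:", ka == ca and kb == cb)
```

The arithmetic alone cannot tell Alice whether the value she received is Bob’s or Charlie’s; that binding between a public value and an identity is exactly what a CA’s certificate supplies, which is why the entry above has each side fetch the other’s public key from a CA.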
Diffserv Diffserv (Differentiated Services) is a technology in which packets are marked (in the
IP header TOS byte) inside the enterprise network as belonging to a certain class of service. These
classes are then granted priority on the public network. FloodGate-1 can mark packets, but it does
not prioritize traffic based on these markings. DiffServ markings have meaning on the public
network, not inside the enterprise network. Effective implementation of DiffServ requires that
packet markings be recognized and honored on all public network segments.
digital signature The result of a complex calculation on the contents of a message.
Changing even one bit in the message results in a completely different digital signature. Moreover,
it is *computationally unfeasible to compose a message with a given digital signature. A digital
signature is used to verify a message’s integrity, that is, to ensure that it has not been tampered with.
See also certificate.
E3 A verifiable level of security required by European governments for any Internet firewalls
employed over any of its networks. Products meeting this level of security (roughly equivalent to
the U.S. B1 “Orange Book” level) are certified by the Information Technology Security Evaluation
and Certification organization (ITSEC) in the United Kingdom and by the Logical Evaluation
Defence Signals Directorate (DSD) in Australia. See also “B1, B2 level”.
“E3” also refers to a high speed transmission line in Europe equivalent to the T3 transmission line in
the United States.
encapsulated encryption An *encryption scheme in which an entire packet, including
the header, is encrypted, and a new header is appended to the packet. Encapsulated encryption hides
the true source and destination but increases a packet’s length, in contrast to *in-place encryption.
encryption The transformation of a message so that the encrypted message can only be read
with the aid of some additional information (the *key) known to the sender and the intended
recipient alone.
In *secret key (symmetric) encryption, the same key is used to both encrypt a message and then to
decrypt it. In *public key (asymmetric) encryption, two mathematically-related keys are used: one
to encrypt the message and the other to decrypt it.
encryption algorithm An algorithm, such as *AES or *DES, for encrypting and decrypting
data. An encryption algorithm is one element of an *encryption scheme.
encryption domain The computers and networks on whose behalf a *gateway encrypts and
decrypts communications.
encryption scheme A mechanism for encrypting and authenticating messages as well as
managing and distributing keys, such as *IPsec, *SKIP and *IKE.
An encryption scheme consists of three elements:
• an *encryption algorithm that performs the actual encryption
• an *authentication algorithm for ensuring message integrity
• a *key management protocol for generating and exchanging keys
enforcement point A machine that enforces at least some part of a VPN-1/FireWall-1
Security Policy. An enforcement point can be a network object, router, switch or any machine that
can be managed by a SmartCenter Server by installing a Security Policy or Access List.
Chapter 695
enterprise-wide security management The consistent application and
management of a security policy in a complex, distributed network environment, usually including
corporate *intranets and *extranets.
extranet In contrast to the Internet, which provides universal access to network-based information,
and an *intranet, which is accessible only within an enterprise, an extranet enables a
company and its partners or customers to collaborate, communicate and exchange documents in a
secured network environment. Extranets typically utilize virtual private networks that allow authorized
users to access specific information, such as technical documentation or inventory information
(see “Virtual Private Network (VPN)”).
Fetch Install a pre-compiled policy from the state directory to the kernel without compilation
(see also “Load”).
File Transfer Protocol (FTP) A widely-used TCP-based protocol for copying files
between hosts. In security environments, FTP commands can be controlled via *authentication
schemes, *content security schemes, file name restrictions, and *anti-virus programs.
firewall A combination of hardware and software resources positioned between the local
(trusted) network and the Internet (see FIGURE 18-5). The firewall ensures that all communication
between an organization’s network and the Internet conforms to the organization’s security policy.
Firewalls track and control communications, deciding whether to pass, reject, encrypt or log
communications.
FIGURE 18-5 A network protected by a firewalled gateway
(figure: the private localnet with the hosts mailsrvr and London on the trusted side, the FireWalled Gateway and a Router between it and the public Internet)
gateway A device positioned between two networks through which all communications
between the networks must pass. A gateway is a natural choice for enforcing a security policy and
providing encryption and authentication services.
gateway stealthing Disallowing connections that originate or terminate on a *gateway
while allowing connections to pass through the gateway, thereby making the gateway transparent
(or “invisible”) to the networks which it connects.
header The portion of a packet, preceding the actual data, containing source and destination
addresses, checksums and other fields. A header is analogous to the envelope of a letter sent by
ordinary mail. In order to deliver the message (letter), it is only necessary to act on the information
(address) in the header (envelope).
A communication can have several layers of headers. For example, a mail message includes an
application layer header specifying the message originator, date and time. At the lower layers, the
packets in which the mail message is transmitted carry IP headers and TCP headers.
high availability A hardware and software configuration in which a device takes over the
tasks of another device that has gone down.
host A computer connected to a network.
HTTP see “Hypertext Transfer Protocol (HTTP)”
hub A device that connects computers, servers and peripherals together in a local area network
(LAN). Hubs typically repeat signals from one computer to the others on the *LAN. Hubs may be
passive or intelligent and can be stacked together to form a single managed environment. See also
“switch” and “router”.
Hypertext Transfer Protocol (HTTP) A standard protocol for transferring files on the
World Wide Web.
Information Technology Security Evaluation and Certification Scheme
(ITSEC) An organization dedicated to evaluating the security features of information
technology products and systems and to certifying the level of assurance that can be placed on them.
INSPECT Check Point’s high-level scripting language for defining a *Security Policy. An
INSPECT script is compiled into machine code and loaded into an *Inspection Module for
execution.
INSPECT Script The ASCII file generated from the *Security Policy by VPN-1/FireWall-1 is
known as an Inspection Script. An Inspection Script can also be written using a text editor.
Inspection Code Inspection Code compiled from an Inspection Script and loaded into a
VPN-1/FireWall-1 FireWall Module for enforcement.
Inspection Module A VPN-1/FireWall-1 security application embedded in the operating
system kernel, between the data link and network layers, that enforces a VPN-1/FireWall-1
*Security Policy. See also “FireWall Module”.
Internet A public network connecting many thousands of computer networks in a three-level
hierarchy including backbone networks (for example, NSFNET, MILNET), mid-level networks
and stub networks. The Internet utilizes multiple communication protocols (especially TCP/IP) to
create a worldwide communications medium.
Internet Key Exchange (IKE) A standard protocol for authentication and key exchange;
part of the key management scheme used for negotiating virtual private networks (VPNs) as defined
in the IETF IPSec working group. This key management scheme is mandated for deployment in
IPv6. It was formerly known as *ISAKMP.
Internet Engineering Task Force (IETF) The principal body engaged in the development
of new Internet standard specifications. IETF identifies solutions to technical problems and
makes recommendations to the Internet Engineering Steering Group (IESG) regarding the
standardization of protocols and protocol usage in the Internet, and facilitates the transfer of
technology developed by the Internet Research Task Force (IRTF) to the wider Internet
community. IETF also provides a forum for the exchange of information between vendors, users
and researchers interested in improving various aspects of the Internet. The IETF meets three times
a year and is comprised entirely of volunteers.
Internet Protocol (IP) The network layer for the TCP/IP protocol suite. IP is a connectionless,
best-effort packet switching protocol designed to provide the most efficient delivery of
packets across the Internet.
Internet Protocol Security Standard (IPSec) An encryption and authentication
scheme supporting multiple encryption and authentication algorithms.
Note - Manual IPSec is no longer supported in VPN-1/FireWall-1, beginning with NG.
Internet Security Association Key Management Protocol (ISAKMP) A
standard protocol for authentication and key exchange that is now known as IKE. See “Internet Key
Exchange (IKE)”.
Internet Service Provider (ISP) A provider of access to the Internet. In some cases, these
providers own the network infrastructure, while others lease network capacity from a third party.
intranet An internal private network, managed according to Internet protocols, but accessible
only inside the organization.
(figure: the example address 192.9.200.112 divided into its Net ID and Host ID; its first byte implies the Class ID)
The first bits of the Class ID specify a network’s class. Most local networks are of class C (Class ID
byte = 110XXXXX; Class ID 192 in IP dot notation). Class C networks can have up to 254
hosts. Larger networks can be either class B or Class A.
The Net ID identifies the network. Because an IP address consists of both a network identifier
(NetID) and a host identifier (HostID), it does not identify a host, but rather a network connection
(interface). If a host or gateway is connected to several networks, it will have several IP addresses.
By convention, a host ID of all 0s refers to the network itself; that is, a network’s address ends in zeros. This
scheme enables IP addresses to specify networks as well as hosts. A host identifier of all 1s is reserved
for broadcast.
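The classful split described above, carried out in code (an added example for this entry, not code from the guide): the class is read from the leading bits of the first byte, and the Net ID, Host ID, network address and broadcast address follow from it. The sample addresses are constructed for the demonstration.

```python
def dotted_to_int(dotted: str) -> int:
    """Parse a dotted-quad IPv4 address into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(dotted: str) -> dict:
    """Split a classful IPv4 address into Class ID, Net ID and Host ID.

    The class comes from the leading bits of the first byte, as the glossary
    describes: 0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C. Classes D (multicast)
    and E (reserved) have no Net ID / Host ID split."""
    addr = dotted_to_int(dotted)
    first_byte = addr >> 24
    if first_byte >> 7 == 0b0:
        net_class, net_bits = "A", 8
    elif first_byte >> 6 == 0b10:
        net_class, net_bits = "B", 16
    elif first_byte >> 5 == 0b110:
        net_class, net_bits = "C", 24
    elif first_byte >> 4 == 0b1110:
        return {"class": "D", "note": "multicast, no Net ID / Host ID split"}
    else:
        return {"class": "E", "note": "reserved, no Net ID / Host ID split"}

    host_bits = 32 - net_bits
    host_mask = (1 << host_bits) - 1
    net_id = addr >> host_bits          # identifies the network
    host_id = addr & host_mask          # identifies the interface on it
    network = addr & ~host_mask         # Host ID of all 0s names the network
    broadcast = network | host_mask     # Host ID of all 1s is broadcast
    return {
        "class": net_class,
        "net_id": net_id,
        "host_id": host_id,
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        # all-0s and all-1s host IDs are reserved, hence 254 usable on a class C
        "max_hosts": host_mask - 1,
        "is_network_address": host_id == 0,
        "is_broadcast": host_id == host_mask,
    }


if __name__ == "__main__":
    # Constructed sample addresses, including the glossary's 192.9.200.112.
    for sample in ("192.9.200.112", "10.1.2.3", "172.16.0.255", "224.0.0.1"):
        print(sample, classify(sample))
```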
IP spoofing A technique whereby an intruder attempts to gain access by altering a packet’s IP
address to make it appear as though the packet originated in a part of the network with higher access
privileges (for example, the IP address of a network object in the local network). This form of attack
is only possible if a network’s internal IP addresses have been exposed (see “anti-spoofing”).
ISP see “Internet Service Provider (ISP)”
ISAKMP see “Internet Security Association Key Management Protocol (ISAKMP)”
ITSEC see “Information Technology Security Evaluation and Certification Scheme (ITSEC)”
K
Kerberos An authentication service developed by the Project Athena team at MIT. Kerberos
uses secret keys for encryption and authentication. Unlike a public key authentication system, it
does not produce digital signatures; Kerberos was designed to authenticate requests for network
resources rather than to authenticate authorship of documents. Thus, Kerberos does not provide for
third-party verification of documents.
key Information used to encrypt and decrypt data. There are two kinds of keys: *secret keys and
*public keys.
key management A mechanism for distributing encryption keys in a public key scheme.
Key management is performed by a *SmartCenter Server and includes key generation, certification
(although this can also be performed by an external *Certificate Authority) and key distribution.
Key management can either be manual or automated.
The TCP/IP model, consisting of four software layers and one hardware layer, is illustrated in
FIGURE 18-8.
FIGURE 18-8 (figure: the TCP/IP layers and the unit of data each handles)
Application: messages or data streams
Transport: transport control packets
Internet: IP datagrams
Network Interface: frames
hardware
VPN-1/FireWall-1 is positioned between the Network Interface and Internet layers.
leased line A dedicated telecommunications access line that is “leased” from a vendor, and
thus always available, in contrast to a *dial-up line. The physical medium may be copper or fiber
optic, providing a wide range of line speeds.
Lightweight Directory Access Protocol (LDAP) A mechanism for Internet clients
to access and manage a database of directory services over a TCP/IP connection. A simplification of
the X.500 directory access protocol, LDAP is gaining significant support from major Internet
vendors.
Load Compile a policy and then install it to the kernel (see also “Fetch”).
load balancing The ability to distribute processing loads among multiple servers to improve
performance and reduce access times. Load balancing is often transparent to the user and improves
Internet security by reducing the risks associated with certain attacks and by applying greater
resources to the task of monitoring and filtering network traffic. A variety of algorithms may be used
to determine how best to distribute traffic over these servers.
Local Area Network (LAN) A data network intended to serve an area of only a few square
kilometers or less (more typically, an individual organization). LANs consist of software and
equipment such as cabling, hubs, switches and routers, enabling communication between computers
and the sharing of local resources such as printers, databases, and file and video servers.
Logging and Event API (LEA) An *OPSEC API that enables an application to securely
receive and process both real-time and historical logging and auditing events generated by
VPN-1/FireWall-1. LEA can be used by a variety of applications to complement firewall
management.
Management Module The VPN-1/FireWall-1 module in which a VPN-1/FireWall-1
*Security Policy is defined.
SmartCenter Server The VPN-1/FireWall-1 application, controlled by a GUI on a client,
that manages a VPN-1/FireWall-1 *Security Policy. If the SmartCenter Server is deployed in
Client/Server mode, then the Graphical User Interface (GUI) can be run on another network
object.
Manual IPsec see “IPSec”.
Master In VPN-1/FireWall-1, the station to which logs and alerts are directed.
The Master also maintains the most recent Inspection Code for each of the FireWalled systems it
controls. If a FireWalled system loses its Inspection Code for any reason, it can retrieve an
up-to-date copy from the Master. In practice, the Master and SmartCenter Server are usually on the same
system, but Failover Masters can be defined.
multicast A message sent to all the destinations in a specific group of hosts in a network, in
contrast to *broadcast and *unicast.
multi-homed host A computer with two or more physical network connections is often
referred to as a multi-homed host.
protocol stack A synonym (in practice if not in theory) for the *communication layers as
supported by an operating system.
proxy An application-layer implementation of a service that provides additional functionality
(for example, security or caching) that is not part of the original service.
Application gateways use proxies to implement firewalls. A proxy’s primary advantage is its ability to
provide partial communication-derived state, full application-derived state information and partial
communication information.
The disadvantages of using proxies as firewalls are:
• limited connectivity — each service needs its own proxy, so the number of available
services and their scalability are limited, and there is usually a significant delay before a new
service can be implemented (a new proxy must be written)
• limited technology — application gateways cannot provide proxies for UDP, RPC and
other services from common protocol families
• performance — application level implementation entails a discernible performance penalty
In addition, proxies are vulnerable to OS and application level bugs, overlook information
contained in lower layers, and in the case of traditional proxies, are rarely transparent.
public key A scheme in which each correspondent has a pair of mathematically related keys: a
public key known to everyone, and a private key known only to its owner.
• The *RSA public key scheme is used for encryption as follows: if Bob wants to send Alice
an encrypted message, he encrypts the message with Alice’s public key. The encrypted
message can only be decrypted with Alice’s private key, which only Alice knows.
• The *Diffie-Hellman public key scheme is used for sharing a secret key without
communicating any secret information, thus avoiding the need for a secure channel.
The disadvantage of public key encryption is that it is much slower than *secret key encryption.
The terminology can be confusing, because “public key” is sometimes used to mean both keys
together (in the context of schemes) and sometimes to mean only the public part of the key.
Public Key Infrastructure (PKI) A set of security services, usually provided by a *Certificate
Authority, enabling *authentication, *encryption and certificate management using *public
key encryption technology.
public network Any computer network, such as the Internet, that offers long-distance internetworking
using open, publicly accessible telecommunications services, in contrast to a *WAN or
*LAN.
RC2, RC4 A widely used *encryption method developed by Rivest Corporation for RSA Data
Security.
Remote Authentication Dial In Service (RADIUS) A centralized network-authentication
scheme developed by Livingston Enterprises and proposed as a standard to the IETF, which
(figure: a plaintext fragment, “... founded on this continent a ... nation conceived in liberty ...”, shown beside its encrypted form, which reads as random characters)
Ensuring the key’s secrecy is critical, since anyone who knows the key can decrypt and read the
message.
Secret key encryption is simple and fast, but has its disadvantages:
• A secure channel is required by which the correspondents can agree on a key before their
first encrypted communication. Direct face-to-face negotiation may be impractical or
unfeasible, and the correspondents may have to agree on a key by mail or telephone or
some other insecure means.
• The number of keys required can quickly become unmanageable, since there must be a
different key for each pair of possible correspondents.
Public (asymmetric) key systems, where each correspondent has a pair of keys, can solve both of
these problems (see “public key”).
Secure Hypertext Transfer Protocol (S-HTTP) A security-enhanced version of
*HTTP providing a variety of mechanisms to enable confidentiality, *authentication and integrity.
Unlike SSL, which layers security beneath application protocols like HTTP, NNTP, and Telnet,
S-HTTP adds message-based security to HTTP. SSL and S-HTTP can co-exist by layering S-HTTP
on top of SSL.
SecuRemote Client A software component installed on a desktop or mobile computer that
enables secure encrypted communications with an enterprise network.
SecuRemote Server A FireWall Module or VPN Module with which a SecuRemote Client
conducts encrypted communications.
Secure Socket Layer (SSL) A protocol combining *RSA *public key encryption and the
services of a *Certificate Authority to provide a secure environment for electronic commerce and
communications. SSL provides three levels of security:
• server authentication, which verifies the identity of the server using a *certificate
• *encryption, which ensures the privacy of client-server communications by encrypting the
data stream
• integrity, which verifies that the contents of the message arrive at their destination in the
same form as they were sent.
Security Policy A Security Policy is defined in terms of firewalls, services, users, and the rules
that govern the interactions between them. Once these have been specified, an *Inspection Script is
generated and then installed on the firewalled hosts or gateways. These gateways can enforce the
Security Policy on a per-user basis, enabling verification not only of the communication’s source,
destination and service, but the authenticity of the user as well. A user-based Security Policy also
allows control based on content. For example, mail to or from certain addresses can be rejected or
redirected, access can be denied to specific URLs, and anti-virus checking of transferred files can be
performed.
S-HTTP see “Secure Hypertext Transfer Protocol (S-HTTP)”
Simple Key Management for Internet Protocols (SKIP) An automated *key
management system developed by Sun Microsystems and proposed to the IETF as a standard *IPSec
key management scheme. SKIP adds key management functionality to IPSec. Several vendors have
successful implementations of SKIP, and both SKIP and *IKE can be deployed/implemented within
the IPSec framework.
Note - If you exceed the restriction on the number of protected hosts, VPN-1/FireWall-1
will display warning messages on the system console notifying you that you have violated
the terms of the VPN-1/FireWall-1 license. You should immediately upgrade to the
appropriate product in order to be in compliance with the terms of the VPN-1/FireWall-1
license. In the meantime, your security is not compromised and VPN-1/FireWall-1 will
continue to protect your network.
SKIP see “Simple Key Management for Internet Protocols (SKIP)”
SMTP see “Simple Mail Transfer Protocol (SMTP)”
SNMP see “Simple Network Management Protocol (SNMP)”
SSL see “Secure Socket Layer (SSL)”
state information Information describing the context of a communication. There are two
types of state information: communication derived and application derived.
• Communication-derived state information is extracted from past communications and is
compared against current attempts to access or manipulate information. For example, an
outgoing PORT command of an *FTP session can be saved so that a later incoming FTP
data connection can be verified against it.
• Application-derived state information is extracted from other applications to verify user
access. For example, an *extranet application may be used to allow a previously
authenticated access through the firewall for authorized services only.
Stateful Inspection A technology developed and patented by Check Point that provides
the highest level of security currently available. A stateful *Inspection Module accesses and analyzes
all the data derived from all communication layers. This state and context data is stored and updated
dynamically, providing virtual session information for tracking connectionless protocols.
Cumulative data from the communication and application states, network configuration and
security rules are all used to decide on an appropriate action, either accepting, rejecting or
encrypting the communication (FIGURE 18-10).
FIGURE 18-10 Stateful Inspection
(figure: the VPN-1/FireWall-1 Inspection Module examines each packet against the communication layers 1 HW Connection, 2 Data Link, 3 Network, 4 Transport and 5 Session; the decision flow asks “Is There Another Rule?” (Yes/No) and otherwise sends a NACK, drops the packet and ends)
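The communication-derived state described under “state information”, and used by Stateful Inspection above, carried out in code for the FTP PORT case (an added example written for these entries, not code from the guide or the Inspection Module): an outgoing PORT command is recorded, and a later inbound data connection is accepted only if it matches that record. The addresses and control-channel lines are constructed for the demonstration.

```python
import re
from typing import Dict, Tuple

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel; the server then opens the data connection from port 20 to
# h1.h2.h3.h4 on port p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)
FTP_DATA_PORT = 20


class FtpStateTable:
    """Communication-derived state: inbound data connections that a PORT
    command has announced, keyed by (client_ip, client_port, server_ip)."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, int, str], bool] = {}

    def observe_control(self, client_ip: str, server_ip: str, line: str) -> bool:
        """Inspect one outgoing control-channel line (client to server).
        Returns True when a valid PORT command was recorded, else False."""
        match = PORT_RE.match(line.strip())
        if not match:
            return False
        h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return False
        data_ip = f"{h1}.{h2}.{h3}.{h4}"
        data_port = (p1 << 8) | p2
        # Only honour a PORT that names the client itself on an unprivileged
        # port; anything else would steer the server towards a third host.
        if data_ip != client_ip or data_port < 1024:
            return False
        self._pending[(client_ip, data_port, server_ip)] = True
        return True

    def check_inbound(self, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> str:
        """Decide on an inbound connection attempt from the untrusted side:
        'accept' only if it matches a recorded PORT command, consuming the
        entry so it cannot be reused; otherwise 'drop'."""
        key = (dst_ip, dst_port, src_ip)
        if src_port == FTP_DATA_PORT and self._pending.pop(key, False):
            return "accept"
        return "drop"

    def pending_count(self) -> int:
        """Number of announced data connections not yet seen."""
        return len(self._pending)


if __name__ == "__main__":
    # Constructed sample traffic (not from the guide).
    table = FtpStateTable()
    table.observe_control("10.0.0.5", "198.51.100.7", "PORT 10,0,0,5,4,1")
    print(table.check_inbound("198.51.100.7", 20, "10.0.0.5", 1025))  # accept
    print(table.check_inbound("198.51.100.7", 20, "10.0.0.5", 1025))  # drop, consumed
```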
U
Virtual Private Network (VPN) A network with some public segments in which data
passing over its public segments is encrypted to achieve secure communications. A VPN is
significantly less expensive and more flexible than a dedicated private network.
virus A program that replicates itself on computer systems by incorporating itself into other
programs which are shared among computer systems. Once in the new host, a virus may damage
data in the host’s memory, display unwanted messages, crash the host or, in some cases, simply lie
dormant until a specified event occurs (for example, the turning of a new year).
VPN see “Virtual Private Network (VPN)”
X.25 A widely-used set of *protocols based on the OSI model. See also “layered communication
model”.
X.500 A *protocol used for communication between a user and an X.500 directory services
system. Multiple X.500 directory system agents may be responsible for the directory information for
a single organization or organizational unit.
X.509 A certification methodology providing authenticated, encrypted access to private
information, which establishes a trust model enabling certain transactions such as those involving money
or funds. For example, X.509 certificates are used in the *IKE encryption scheme to obtain public
keys and to verify the authenticity of the parties in an exchange.
712 Check Point SmartCenter Guide • September 2002
Index
713
B definition of 691
compiling a Security Policy 556
cplic check 629
cplic db_print 631
compression cplic get 634
back connection of log files 598 cplic print 625, 628
requested port 346 computationally unfeasible cplic put 624
backup definition of 691 remote operation 631
backing up a Security Policy 58 conf/loggers 424 CPMI 590
backward compatibility 561 conf/masters 424, 561 cppkg add 643
BackWeb 265, 346 Configuration File 605 cppkg delete 645
before installing VPN-1/ Modifying 606 cppkg getroot 650
FireWall-1 25 Conn. ID 398 cppkg overview 643
Blackbox Properties 208 Connected OnLine Backup 257 cppkg setroot 649
Block Intruder window 420 Connecting Networks to cprestart argument 660
blocking connections 570 Clouds 512 Cprid 664
boot security connection persistence 201 cprinstall boot 658
default filter 345 connection table 287 cprinstall get 656
fwstop -proc 345 connectionless communication cprinstall overview 651
fwstop-default 345 definition of 691 cprinstall stop 659
Initial Policy 345 connections cprinstall uninstall 654
blocking 420 cprlic
IP Forwarding 345 print 114
bootp 265 inhibiting or blocking 570
cprlic, see cplic
bridge lost when Security Policy re- cpstart 553
definition of 690 installed 58 cpstart command
terminating 420 running remotely 660
connections hash table 199 cpstat 567
content security
C definition of 691
cpstop 553
cpstop command
control connection running remotely 660
CA accepting 276, 277, 483 cpwd 565
Redundant Management 539 encrypting 48 cpwd_admin 565
Calculating the Install On control information creating
column 310 sending to Kernel Module 576 database version 138
categorization Control Properties Creating Objects 512
maximum number of displaying windows 144 Critical Notifications 436
categories 383 control.map file using 456
certificate 284 modified during VPN-1/ CRL 365, 370
definition of 691 FireWall-1 Cursor Modes 536
Certificate Authority 368 reconfiguration 58 CU-SeeMe 265
definition of 691 conversion Customer Log Module
obtaining the CA’s own network object type 182 description 692
certificate 369 CoolTalk 346 Customer log module 692
certificate key 100 enabling back connections 257 Customization of Tool-tips 499
chaining servers 385 cp.license file CVP
chargen 257, 265 modified during definition of 692
CIFS 255 reconfiguration 58 CVP inspection
clearing blocked connections 421 URI resource 243
cpconfig 550
CLM 425 installing a license using 625
object.c 425 cpd 121
Clouds 511
color 184, 202, 203, 205, 208, 216,
cphaprob 609
cphastart 609 D
217, 221, 223, 224, 227, 229, 231 cphastop 609
Columns cplic 119 daemon 580
resizing 437 db_add 105 DAIP
comment 221, 223, 224, 227, 228, db_rm 113 and DHCP 484
230, 231 del 111 deleting a license 634
adding to a rule 312 installation and
import 112
community configuration 482
put 108
715
externally managed gateway FW1_log service 276 generic services
converting to an internally FW1_mgmt 35 service properties 228
managed gateway 182 fw1_service 276 ggp 272
Extranet 303, 304 FW1_topo service 276 Global Properties 459
extranet FW1_ufp service 277 Global Properties window
definition of 696 fw1pwdLastMod 284 Log and Alert page 490
fwa1 562 gopher 258
fwauth.keys file grace period
modified during VPN-1/ logging 290
F FireWall-1
reconfiguration 58
GUI windows
closing 143
Fetch command (Named Masks fwauthd.conf file displaying 143
window) 321 modified during VPN-1/
fetch interval 184, 481 FireWall-1
File Menu 144 reconfiguration 58
filtering network objects 177 FWDIR H
Find 461 definition of 696
finger 258 fwm dbexport H.323 259, 260, 346
FireWall-1 LDIF syntax 619 enabling back connections 259
reconfiguring 550 syntax 618 pre-NG version 259
FireWall-1 authentication password fwm dbimport 168, 616 HCID_RULE_COMMENT_1 312
installing 561 fwm dbload 562 header
FireWalled host fwm fetch 560 definition of 697
displaying status of 567 fwm fetchlogs 603 heuristic check of Rule Base 313
FreeTel 266, 346 fwm fetchlogs command 603 HID_MANAGE_CE_CUSTOMER
FTP 346 fwm gen 579 S 147
back connection 59 fwm hastat command 614 hidden rules 318
control connections 290 fwm ikecrypt 615 displaying 319
data connection 59 fwm kill 580 unhiding 319
data connections 290 fwm lichosts 569
fwm load 341, 556, 559 hiding rules 318
PORT command 58 fwm log 593 Hierarchical Layout 499
unifying logs for control and fwm logexport 598 high availability
data connections 290 fwm logswitch 419, 423, 596 definition of 697
ftp 258 fwm lslogs 601 upgrading a cluster of Check
FTP data connections 258 fwm mergefiles 600 Point Modules 124
FTP PASV 346 fwm printlic, see cplic print HKEY_LOCAL_MACHINESoftwa
FTP PASV data connections 276 fwm putlic 561 reCheckPointPolicy
FTP PORT data connections 276 fwm repairlog 599 Editor4.1 136
ftp-pasv 224 fwm tab 584 hostname 183
ftp-port 224 fwm unload 341, 558 IP address of 183
fw command 547 fwm ver 569 hosts
fw ctl 280, 576 fwopsec.conf file 574, 687 list of those protected by
fw kill fwopsec.v4x file 687 VPN-1/FireWall-1/n
NT restriction 580 fwstart 554, 579 product 569
fw lea_notify 604 fwstop 555, 579 hosts file 183, 204
fw lea_notify command 604 fwstop -proc 345 HTML Weeding 242, 249
fw lslogs 601 fwstop-default 345 http 258
fw putkey 60, 561 https 258
fw sam 570
fw unload 558
fw.log file 419 G
FW1 service 276
FW1_cpd service 276
I
gateway
FW1_cpmi service 276 converting type 182
FW1_cvp service 277 ICA 47
FW1_ica_pull service 276, 277 packets originating on 277 icense
FW1_key service 276 gateway stealthing overwriting 626
FW1_load_agent service 277 definition of 697 ICMP 286
717
key configure the permitted origins Log File
definition of 700 list 684 compression 598
key management DAIP Module 483 creating new 596
definition of 700 deleting 626 creating new, using command-
detaching 109, 119 line interface 596
displaying 628 deleting 420
L finding expired 115
for SmartCenter Server 101
displaying contents of 593
displaying, using command-line
glossary 119 interface 570, 593, 599
LAN installing 624 exporting 425, 598
definition of 701 installing on host 561 miscellaneous functions 424
layered communication model local 99 opening another 418
definition of 700 saving 418
log_consolidator -O 684
Layout 498 starting a new 419
LDAP 171 multi-license file 120
default user template 366, 367 printing 628 unified log 600
definition of 701 reconfiguring with Log file
cpconfig 551 repairing pointer files 599
FireWall-1-specific
removing 626 Log Files
attributes 367 fetching 389, 421
port number for SSL removing from repository 112
Repository 71 merging 601
connection 367 log grace period 290
users maintained by third-party routers 630
SecuRemote users 630 Log Server
clients 366, 367 definition of 420
LDAP Client structure 100
install the user database 425
third-party 366, 367 type icons 72
log unification 595, 599
LDAP query request viewing properties 113 rebuilding chains 600
timeout 195 licenses Log Viewer
LDAP Server Central 631 displaying 144
exporting users from 618 LiveLan 260 log_consolidator -O 684
importing users to 620 lmhosts file 204 log_export 604
LDAP server, see also Account Unit Load Agents logging
ldap service 259, 277 defining parameters 285 Access Control 30
ldapmodify command 621 load balancing QoS 197
ldapsearch 621 definition of 701
to more than one machine 292
LDAPservers load_program attribute 341, 558
loading a Security Policy 556 Logging and Alerting
defining 364 Security Policy 289
ldap-ssl 259 Local license management 624
local.arp file 280 Logging Server
LDIF file format 620 DAIP Modules 483
LDIF syntax 618 lockmanager 269
LEA log Logical Server 215
definition of 701 saving 424 login 260
scrolling 418 with DN or user name 285
leased line
definition of 701 viewing 471 Lotus Notes 260
log consolidation engine Luna card diagnostics utility 661
License Luna card software diagnostics
Local 624 configure the permitted origins
utility 661
license list 684 lunadiag 661
adding log_consolidator -O 684 LZ77 598
from a file 103 Log entries, selecting by
manually 103 destination 421
adding to Repository interface 409
definition 119 origin, source, destination, user M
attaching 105, 119 or service 421
central 98 protocol 421 MAC address
certificate key 100, 114 service 421 definition of 701
checking 629 source 421 Mail Alert Command 291
type 411 mail alert command 291
719
OPSEC session
  definition 372
opsec_putkey command 277
ospf 272
out of sequence TCP packets 289
outgoing packets
  accepting 277
overlapping encryption domains
  definition of 703

P

package repository management, see product repository management
packet
  definition of 703
packet filter
  definition of 703
  installing Security Policy on 342
param-prblm 271
password
  length of 165
  limitation on length in Windows 31
password expiration 283
Paste selected Topology Object(s) 522
pcnfsd 269
permitted origin list 684
ping 271
PKI
  definition of 704
PointCast 261
Policy
  fetch interval 184, 481
Policy Menu 149
pop2 262
pop3 262
port 111
  UDP and TCP 227
port 18212 285
port number 221, 223, 225
portmapper 227
pre-shared secret 284
Previous Database version
  installing 559
Print out the Topology View 503
Print Preview 504
printing
  log entries 424
private IP address ranges 492
Product Details 440
Product Repository 71
  installing from 92
product repository management 643
product.conf file 574
prog number 228
program number 227
properties
  interaction with Rule Base 317
  network object 173, 357, 359
  of defined object, displaying 220
  of network interface 188, 189
  of service object, defining 220
  time object 347, 537
protocol stack
  definition of 704
protocol type 223, 226, 228, 230
proxy
  definition of 704
public key
  definition of 704
public network
  definition of 704

Q

QoS
  logging 197
queryDB_util utility 587, 591, 592

R

RADIUS 267
  defining server 360
  definition of 704
  enabling connections from FireWall Module to server 276
  High Availability 361
  RADIUS chaining 361
  RADIUS proxy 361
RADIUS Servers
  Server Groups 372
RADIUS service 277
radius_versions 361
range of addresses 216
RAS 262, 267
RDP 267
RDP service 277
Read Community 199, 211
RealAudio 262, 346
  enabling back connections 262
re-configuration
  files modified during 58
reconfiguring FireWall-1 550
Reconnecting to the Server 463
redirect 271
Redundant Management
  CAs 539
Reject
  differences from Drop 308
remote installation 651
  using SecureUpdate Product Management 84
Remote Installation daemon 664
Removing Network Objects 508
Re-resolving network object edges 517
resolution failure
  dynamic object 217
Resolve by Graph 517
Resolve by List 516
Resolve by Map 517
resolve name timeout
  Log Viewer 290
Resolving a Network Object 515
Resolving Services 416
Return unused IP addresses to Pool after 193
reverse DNS 238
Revision Control 293
rexec 262
RFC
  definition of 705
RFC 1521 248
RFC 1918 280
RFC 1950 598
RFC 1951 598
RFC 1952 598
Rijndael 689
RIP 277, 286
rip 267
RIP, enabling 277, 286
rlogin 262
router
  definition of 705
Router Access Lists
  importing 342
  managing imported access lists 343
  verifying and viewing 344
routers
  anti-spoofing capabilities 206
  installing access lists on 345
  installing Security Policy on 311, 331
routing configuration error 289
Routing Information Protocol, enabling 277, 286
RPC
  service properties 226
RPC Control 346
  configuring for a new Module 49
  configuring for upgraded Modules 52
  ICA 47
  overview 46
  SecureUpdate, use in 121
  security benefits 46
SIC certificate
  DAIP Module 483
SIC name 561
Single Gateway Product
  description 707
SKIP
  definition of 706
SLA 290, 487
  logging statistics 489
sliding window 289
Smart Map 280
  docking 492
  OPSEC applications 492
  private IP address ranges 492
Smart Map Menu and Toolbar 532
Smart Map view 293
SmartCenter Server
  Customer Log Module 692
  definition of 702
  IP address change 485
  problems in connecting to 136
  timeout in connecting to 136
SmartDefense
  features overview 154
  purpose 154
  toolbar 155
SmartUpdate
  adding an administrator 32
  Administrator permissions 32
SMTP
  badly formed header 245
  definition of 707
  pipe 245
  source routing 245
SMTP resource
  restricting message size 249
smtp service 263
smtp.conf file 246
smtp_rfc822 property 245
SNMP 267
  definition of 707
  trap 585
snmp 267
SNMP properties 199, 210
snmp service 267
SNMP Trap alert command 292
SNMP trap alert script 292
snmp-trap 267
Source Object Selection Criteria window 411
source port range 223, 225, 226
source-quench 271
Specifying 222
spoofed packets
  dropping 190
spoofing 190
SQLNet 263
sqlnet2 346
SSL
  definition of 706
  port number for LDAP connection 367
state information
  definition of 708
state tables
  cleared when Security Policy re-installed 58
stateful ICMP 288
Stateful Inspection 287
  definition of 708
  IP protocols other than TCP, UDP and ICMP 288
stateful UDP 287
status
  of Check Point Modules, displaying 567
  of hosts, displaying using command-line interface 567
Statuses
  Application 438
  Applications 439
  Modules 438
  Workstations 438
stderr 276
  rsh/rexec reverse stderr connections 262
stdin
  alert commands 292
stop updating the log entries 416
StreamWorks 267
stub network
  definition of 709
Sub networks 178
subnet
  definition of 709
sub-rule 300
suspected intruders
  blocking connections to and from 420
switch
  definition of 709
Sybase SQL 263
symmetric key
  definition of 709
Symmetrical Layout 499
SYNDefender 199
  maximum number of protected sessions 200
  when changes to Maximum Sessions take effect 200
sysContact 199, 211
sysLocation 199, 211
syslog 267, 664, 665
syslog configuration 665
Syslog daemon 665
syslog daemon 665
sysName 199, 210
System Alert 457
system alert monitoring mechanism 461
system alert option 459
system alert parameter 460
system alert parameters 459
System Status 436
  displaying 144
  toolbar 469
  User Interface 436

T

TACACS 267
TACACS Server
  enabling connections from VPN/FireWall Module to 276
TACACS servers
  defining 362
TACACS service 277
TACACS+ 263
TCP
  definition of 709
  service properties 221
TCP end timeout 287
TCP port 111
  security issue 227
TCP sequence verifier 289
TCP Session Timeout 287
TCP session timeout 287
TCP/IP
  definition of 709
tcpip.def file 229
TELNET
  definition of 709
telnet 263
TFTP 226
tftp 267
time object
  creating 348
  creating groups of time objects 353
VPN-1/FireWall-1
  moving to another machine 57
VPN-1/FireWall-1 daemon
  stopping 555
VPN-1/FireWall-1 license, see license
VPN-1/FireWall-1 version number
  displaying 569

W

wais 264
WAN
  definition of 711
WatchDog 565
Web Server
  definition of 710
WebTheatre 264, 346
Wellfleet
  managing Access Lists 581
What is Smart Map? 491
where used 177
who service 268
Windows
  starting the System Status 434
windows
  Virtual Links 487
WinFrame 264
WINS protocol 183
wnload 332
Working with Network Objects 493
Workstation Properties Window
  Logging CPSyslogD Check Point’s Syslog Daemon 196, 197
Workstation Status
  Connected 439
  Disconnected 439
  Untrusted 439
  Waiting 438
Write Community 199, 211
WWW
  definition of 711

X

X/Motif
  starting System Status 434
  starting the GUI 128
  starting the Log Viewer 68, 389, 471
X11 264
Xing 267

Y

ypbind 269
yppasswd 270
ypserv 270
ypupdated 270
ypxfrd 270

Z

Zoom Mode 495
Zoom Options 495