
Check Point SmartCenter

Guide

NG FP3

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

http://support.checkpoint.com/kb/

Part No.: 700526


September 2002
© 2000-2002 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Appliance, VPN-1 Certificate Manager, VPN-1 Gateway, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
The products described in this document are protected by U.S. Patent No. 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan.
Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1998 The Open Group.

Check Point Software Technologies Ltd.

International Headquarters:
3A Jabotinsky Street
Ramat Gan 52520, Israel
Tel: 972-3-753 4555
Fax: 972-3-575 9256

U.S. Headquarters:
Three Lagoon Drive, Suite 400
Redwood City, CA 94065
Tel: 800-429-4391; (650) 628-2000
Fax: (650) 654-4233

e-mail: info@CheckPoint.com
http://www.checkpoint.com
September 2002

Please direct all comments regarding this publication to techwriters@checkpoint.com.


Table Of Contents

Preface Who Should Use this User Guide 19


Summary of Contents 19
Check Point Documentation 20
What Typographic Changes Mean 22
Shell Prompts in Command Examples 24
Network Topology Examples 24

Chapter 1 Configuring VPN-1/FireWall-1
Configuring Check Point Products 25
Licenses 26
The Trial Period 27
Administrators 30
SMART Clients 36
PKCS#11 Token 37
Key Hit Session/Random Pool 38
Certificate Authority 39
Secure Internal Communication 40
Fingerprint 43
High Availability 45
Interfaces 45
VPN-1 Accelerator Driver 45
SNMP Extension (Unix only) 45
Automatic Start of Check Point Modules (Unix only) 46
Secure Internal Communications for Distributed Configurations 46
Communicating Components 46
Security Benefits 46
Administrative Benefits 46
SIC Certificates 46
Communications between the SmartCenter Server(s) and Modules 48
Communications Between the SmartCenter Server and the SMART Client 48
Enabling Communication between Modules 49
Resetting the Trust State of the Module 54
SIC Automatic Renewal 56
Log Viewing and Management 56
Frequently Asked Questions—Installing, Upgrading, Configuring 57

Chapter 2 SmartUpdate
Introduction to SmartUpdate 63
Purpose 63

Why use SmartUpdate 63
Installing SmartUpdate 64
Supported Products and Platforms 64
How to Upgrade Remote Check Point Nodes 64
1. Prerequisites for Remote Upgrade 64
2. Upgrading or Installing the SmartCenter Server 65
3. Configuring the SmartCenter Server 65
4. Adding Products to the Product Repository 65
5. Using SmartUpdate to Upgrade Check Point Nodes 67
Starting the SmartUpdate GUI 68
Elements of the SmartUpdate GUI 69
Products and Licenses tabs 70
Product and License Repositories 71
License Type Icons 72
Operation Status 73
Docking Windows 75
Searching for Text 75
Printing Views 76
SmartUpdate Menus and Toolbar 76
Product Management 84
Introduction to Product Management 84
Managing the Product Repository 85
Installing Products—Overview 87
Upgrading All Products 88
Installing a Single Product 89
Uninstalling a Product 92
Verifying an Installation 94
Booting a Check Point Node 95
Getting Check Point Node Data 96
Stopping an Operation and Clearing Completed Operations 96
License Management 97
Introduction to License Management 98
License Types: Central, Local 98
The Trial Period 99
Version 4.1 License Support 99
Obtaining Licenses 100
License Structure and Elements 100
Installing a License for the SmartCenter Server 101
Before Using SmartUpdate License Management 101
Adding a License to the License Repository 101
Attaching a License to a Check Point Node 105
Attaching an Evaluation License to all Check Point Nodes 108
Detaching a License from a Check Point Node 109
Getting Locally Installed Licenses From a Check Point Node 111
Deleting a License from the License Repository 112
Viewing License Properties 113
Viewing Installed Products 115
Checking for Expired Licenses 115
Exporting a License to a File 117

Automatically Upgrading Version 4.1 Licenses 117
Licensing Glossary 119
SmartUpdate Architecture 121
SmartUpdate FAQ 122
General SmartUpdate FAQ 122
Remote Installation FAQ 123
Licensing FAQ 125

Chapter 3 Graphical User Interface


Managing VPN-1/FireWall-1 127
The Check Point SmartDashboard 128
Starting the SmartDashboard 128
Object Tree 132
Object List 134
Working with the Objects Tree and the Objects List 135
The SmartMap 136
Problems in Connecting to the SmartCenter Server 136
Tracking Revision Control 137
Displaying SmartDashboard Windows 143
Menus 144
File Menu 144
Edit Menu 145
View Menu 146
Selections Available from the Manage Menu 147
Rules Menu with Toolbar Buttons 148
Policy Menu 149
SmartMap menu 149
Search Menu 150
Window Menu 150
Help Menu 151
VPN-1/FireWall-1 Toolbars 151
Toolbar Buttons and Menu Commands 152
Help Toolbar 152
Objects Toolbar 152
Panes Toolbar 153
Policy Toolbar 153
Rules Toolbar 154
Search Toolbar 154
SmartDefense 154
Standard Toolbar 155
Communities Toolbar 155
Log Consolidator Toolbar Commands for Toolbars and menus 155
Topology Map Toolbar 155
SmartDefense Toolbar 155
VPN-1/FireWall-1 Status Bar 155

Chapter 4 Managing Users and Administrators


Overview 157

VPN-1/FireWall-1 Proprietary Users 158
Defining Users and Groups 158
User Properties 162
User Groups 166
User Database 167
Database Installation 167
Generic User Profiles 168
Generic User Overview 168
Example: Defining a Generic User Profile 169
Using Generic User Profiles 169
Generic User Notes 170
Generic User Profile Properties window 170
External Users and Groups 171
Groups of RADIUS Users 171
Associating a Radius Server with a FireWall-1 Enforcement Module 171
Groups of Windows NT users 172

Chapter 5 Network Objects


Overview 173
Adding, Editing and Deleting a Network Object 174
Editing a Network Object from the Network Object Manager 175
Editing a Network Object from the Rule Base 178
Network Objects 180
Network Object Types 181
Network Object Windows 182
Check Point window — General Page 182
Check Point window — Topology Page 186
Interface Properties window — General Tab 188
Interface Properties window — Topology Tab 189
Interface Properties window — QoS (Quality of Service) Tab 192
Check Point window — NAT page 192
Check Point window — UserAuthority page 194
Check Point window — VPN page 195
Check Point window —Extranet page 195
Check Point Properties Window — Authentication page 195
Check Point window — Account Unit page 195
Check Point window — Logs and Masters page 196
Check Point window — Additional Logging Configuration page 197
Check Point window — Masters page 197
Check Point window — Log Servers page 198
Check Point window — Advanced page 199
Check Point window — Capacity Optimization page 199
Check Point window — SYNDefender page 199
Check Point window — SMTP page 200
Check Point window — SAM page 200
Check Point window — Connection Persistence page 201
SofaWare-SmartDashboard Integration 201
Networks 202

Network Properties Window — General Tab 202
Network Properties Window — NAT (Address Translation) Tab 203
Domains 203
Domain Properties Window 203
Open Security Devices 203
Overview 204
OSE Device Properties Window — General Tab 204
OSE Device Properties Window — Topology Tab 205
Defining Router Anti-Spoofing Properties 206
Embedded Devices 208
Overview 208
Embedded Devices window — General tab 208
Embedded Device Properties — Topology tab 209
Interface Properties Window — General Tab 209
Interface Properties Window — Topology Tab 210
Embedded Device Properties — SNMP Tab 210
Embedded Device Properties — NAT tab 211
Groups 211
Simple Group 211
Group with Exclusion 213
Viewing Groups with an Exclusion 214
Showing Group with an Exclusion Objects in the SmartMap View 214
UAS High Availability Group 215
Logical Servers 215
Address Ranges 216
Address Range Properties Window — General Tab 216
Address Range Properties Window — NAT Tab 216
Gateway Clusters 216
Dynamic Objects 216

Chapter 6 Services and Resources


Services 220
Defining Services 220
Resources 221
TCP Service Properties 221
Compound TCP Service Properties 223
FTP Service (ftp-pasv and ftp-port) 224
TCP Service Properties — ftp-pasv 224
TCP Service Properties — ftp-port 224
UDP Service Properties 224
RPC Service Properties 226
ICMP Service Properties 228
User Defined (or “Other”) Service Properties 228
User-Defined Service Properties Example 230
DCE-RPC Service Properties 230
Service Group Properties 231
Adding a Service to a Group 231
Deleting a Service from a Group 232

Resources 232
Overview 232
Wild Cards 233
URI Resources 233
URI Definition window — General tab 234
URI Definition window — Match tab (wild cards specification) 235
URI Definition window — Match tab (file specification) 239
URI Definition window — Match tab (UFP) 240
URI Definition window — Action tab 241
URI Definition window — CVP tab 243
URI Definition window — SOAP tab 243
URI for QoS Definition window 244
SMTP Resources 245
SMTP Security Server 245
FTP Resources 250
FTP Definition window — General tab 250
FTP Definition window — Match tab 251
FTP Definition window — CVP tab 251
TCP Resources 252
TCP Resource Properties 252
CIFS Resources 255
CIFS Overview 255
Support of the CIFS protocol 255
Configuring CIFS Stateful Inspection 255
Specifying the allowed disk/print shares 256
Logging 256
Known limitations 256
List Of Supported Services 257
List of Supported TCP Services 257
List of Supported UDP Services 265
List of Supported RPC Services 269
List of Supported ICMP Services 271
List of Supported Other IP Protocol Services 272
Notes for Services 272

Chapter 7 Global Properties


FireWall-1 Implied Rules 276
Track 278
Security Server 278
VoIP (Voice over IP) 279
NAT (Network Address Translation) 279
Automatic NAT rules 279
IP Pool NAT 280
Private Address Ranges 280
Authentication 280
Failed Authentication Attempts 280
Authentication of Users with certificates 281
Earlier Versions Compatibility 281

VPN-1 Pro 282
VPN-1 Early Versions Compatibility 282
VPN-1 Advanced 282
VPN-1 Net 282
Remote Access — VPN SecuRemote/SecureClient 282
Remote Access — VPN 282
Remote Access — Secure Configuration Verification 282
Remote Access — Early Versions Compatibility 282
FloodGate-1 Properties 282
Bandwidth Control 282
SmartMap 283
Management High Availability 283
LDAP (Account Management) 283
Connect Control 285
Servers Availability 285
Servers Persistency 285
Server Load Balancing 285
Open Security Extension (OSE) Access List 286
Stateful Inspection 287
Log and Alert 289
Track Options 289
Logging Modifiers 290
Time Settings 290
Alert Commands 291
On Which Machine Are the Alert Scripts Executed? 292
Extranet Management Interface 292
SmartDashboard Customization 293

Chapter 8 Security Policy Rule Base


What is a Policy Package? 295
Rule Base — Basic Concepts 295
Editing a Policy Package 297
Opening a Policy Package 297
Creating a New Policy Package 297
Deleting a Policy Package 299
Saving a Policy Package 299
Adding a Rule 300
Rule menu 301
Modifying a Rule 301
Masking Rules 318
Hiding Rules 318
Viewing Hidden Rules 319
Unhiding Hidden Rules 319
Managing Hidden Rules 320
Querying the Rule Base 321
Example 321
Refining the Query 324
Rule Base Queries window 327

Rule Base Query window 328
Rule Base Query Clause window 329
Disabling Rules 330
Searching the Rule Base 330
Installing and Uninstalling Policies 331
Installing Security Policies 331
Installing Access Lists 331
Installing Other Policies 332
Installing the Security Policy 333
Uninstalling the Security Policy 338
Connection Persistence during a new Policy installation 339
Installing a VPN-1\FireWall-1 From a Previous Database Version 340
Notes on Installing and Uninstalling Policies 340
Viewing the Inspection Script 341
Inspection Code Loading 341
Installing Access Lists 342
Importing Access Lists 342
Managing Imported Access Lists in the Rule Base 343
Verifying and Viewing Access Lists 344
Installing Access Lists 345
Boot Security 345
Auxiliary Connections 345
When a Security Policy is Installed 346

Chapter 9 Time and Scheduled Event Objects


Overview 347
Time Objects 349
Time Object Properties Window — General Tab 349
Time Object Properties Window — Days Tab 350
Scheduled Events 351
Scheduled Event Properties Window — General Page 352
Scheduled Event Properties Window — Days Page 353
Groups 353

Chapter 10 Server Objects and OPSEC Applications


Server Objects 357
Defining Server Objects 359
RADIUS Servers 360
RADIUS Server Properties Window — General Tab 360
RADIUS Server Groups 361
Creating a RADIUS Server Group 361
Adding a Server to a RADIUS Server Group 361
Deleting a Server from a RADIUS Server Group 362
TACACS Servers 362
TACACS Server Properties Window — General Tab 362
AXENT Pathways Defender Servers 363
Defender Server Properties Windows — General Tab 363
ACE (SecurID) Servers 363

Configuring ACE (SecurID) Servers 363
ACE and DES 364
ACE and the Rule Base 364
LDAP (Lightweight Directory Access Protocol) Account Units 364
LDAP Account Unit Properties Window — General Tab 365
LDAP Account Unit Properties Window — Users Tab 366
LDAP Account Unit Properties Window — Encryption Tab 367
Certificate Authority 368
Certificate Authority Properties Window — General Tab 368
Certificate Authority Properties Window — VPN-1 CM Tab 369
Certificate Authority Properties Window — Advanced Tab 370
SecuRemote DNS 370
SecuRemote DNS General Tab 370
OPSEC Servers and Clients 371
Defining OPSEC Applications 373
OPSEC Application Properties Window — General Tab 373
Managing OPSEC Products From the SmartDashboard 377
Communication Window 381
Definition Window — CVP Options Tab 382
OPSEC Definition Window — UFP Options Tab 383
OPSEC Definition Window— AMON Options Tab 384
OPSEC Definition Window— CPMI Permissions 384
OPSEC UFP and CVP Groups 384
OPSEC SIC Configuration 386

Chapter 11 SmartView Tracker


Overview 388
Tracking Network Traffic 388
Controlling the Display of the SmartView Tracker Content 388
Starting the SmartView Tracker 389
Viewing the Log Files in Different Modes 392
Log Mode 392
Active Mode 398
Audit Mode 398
SmartView Tracker Main Screen 399
Query Tree Pane 399
Query Properties Pane 402
Records Pane 403
Finding a Specific Record 406
Filtering 406
Filter fields 407
Resolving Addresses 415
Resolving Services 416
Showing Null Matches 416
Updating the Log File 416
Find 416
Saving a Query Under a New Name 417

Navigating Through the Log File 418
Log File Management 418
Opening a Different Log File 418
Saving the Currently Displayed Log Entries 418
Starting A New Log File 419
Deleting the Contents of the Active Log File 420
Blocking Connections 420
Viewing a Previous Database Version 421
Fetching Log Files From a Remote Machine 421
Displaying Specified Log Files of a Specific Node 424
Redirecting Logging to Another Master 424
Installing the User Database on a CLM 425
Exporting Log Data to Another Application 425
Menus 426
Log File Menu 426
View Menu 427
Query Menu 427
Tools Menu 428
Window Menu 428
Help Menu 429
SmartView Tracker Toolbar 429
SmartView Tracker Toolbar Buttons and Their Corresponding Menu Commands 430
Query Properties Toolbar 430
Toolbar Buttons For the Query Properties Toolbar 431

Chapter 12 SmartView Status


Monitoring and Managing System Status 433
Starting Check Point SmartView Status 434
System Status 436
Using the Modules Pane 437
Understanding Module Statuses 438
Using the Product Details Window 440
Using the Details Pane 444
Details Window — Network Objects 445
Details Window — Clusters 445
Details Window — SVN Foundation 445
Details Window — FireWall-1 446
Details Window — VPN-1 447
Details Window — FloodGate-1 451
Details Window — Cluster XL 452
Details Window — OPSEC 453
Details Window — Management 454
Details Window — UserAuthority WebAccess 454
Details Window — Policy Server 455
Details Window — Log Server 455
Refreshing the User Database 456
Active Update 456
The Critical Notifications Pane 456

Using the Critical Notifications Pane 456
Multi-View Select Synchronization 456
System Alert 457
The Modules Pane 458
The Network Object System Alert Definition Pane 458
Understanding System Alert Options 459
System Alert Monitoring Mechanism 461
Find 461
Alerts 461
Disconnecting a Client 462
Reconnecting to the Server 463
Menus 464
File Menu 464
View Menu 464
Modules Menu 465
Products Menu 465
System Alert Menu 467
Tools Menu 467
Window Menu 467
Help Menu 469
Check Point SmartView Status Toolbar 469

Chapter 13 User Monitor


Viewing SecureRemote Users 471
Starting the User Monitor 471
Using Queries 474
Defining a Query 474
Running a Query 475
Editing a Query 476
Saving a Query 476
Renaming a Query 476
Deleting a Query 476
Exporting a Query 476
Processing Query Results 477
Finding a Specific Record 477
Sorting Results 477
Viewing Policy Servers 477

Chapter 14 Dynamically Assigned IP Addresses


Overview 479
Installation and Configuration 479
DAIP Module IP Address 480
Defining a Module with a Dynamic IP Address 480
Installing a Policy 482
Configuration and Other Issues 482
Configuring a VPN 482
Control Connections Between the DAIP Module and the SmartCenter Server 483
DHCP Connections Between the DAIP Module and the DHCP Server 484

NAT (Network Address Translation) 485
When the DAIP Module’s IP address changes ... 485
When the SmartCenter Server’s IP address changes ... 485
When the DAIP Module’s name changes ... 485

Chapter 15 Virtual Links


Overview 487
Creating a Virtual Link 487
Editing or Deleting a Virtual Link 488
Virtual Link Windows 488
Virtual Link Properties Window — General Tab 488
Virtual Link Properties Window — SLA Parameters Tab 489
Global Properties Window — Log and Alert Page 490

Chapter 16 SmartMap
Introduction to the SmartMap 491
Network Objects 492
Enabling and Disabling SmartMap 492
Docking and Undocking the SmartMap Window 492
Using the SmartMap View 493
Displaying the Network Object and Interface Information 493
Working with Network Objects 493
SmartMap View Options 494
Modes 494
Zooming and Scrolling 495
Navigator Window 497
Arrange Styles 498
Toggle the SmartMap View 499
Customization Options 499
Print out the SmartMap View 503
Exporting the Topology Map 504
Saving the SmartMap View 507
Editing Network Objects 507
Editing Object/Interface Properties 507
Adding New Objects 508
Removing Network Objects 508
Defining a New Group 509
Editing the Network Topology 509
Containing and Contained Networks 509
New Topology Object Types 511
Topology Collapsing 518
How to Collapse Locales 518
How to Collapse Other Topology Structures 519
Working with Topology Folders 519
Viewing External Objects 521
Editing External Objects 521
Viewing Gateway Clusters 522
Integration of the SmartMap View and the SmartDashboard 522

Paste Network Object(s) in the Rule Base 522
Dragging & Dropping 522
Show Objects 523
Showing Objects with Network Address Translation (NAT) 524
Understanding Rules Shown in the SmartMap View 524
Showing a Rule in the SmartMap View, by selecting Show from the Rule Base menu 525
Showing a Rule by dragging it from the Rule Base to the SmartMap View 526
Calculations 528
Understanding Topology Calculation 528
Calculating Topology Information 529
The SmartMap Helper 532
Solving Duplicated Networks 533
Solving Unresolved Object Interfaces 533
Menu Commands and Toolbar 534
Cursor Modes 536

Chapter 17 Management High Availability
Overview 537
Primary vs. Secondary 537
Active vs. Standby 538
Restrictions 538
Using Management High Availability 539
Configuration and Usage 539
Synchronization 540
Properties 543
Upgrading to a New Version 545
SmartView Tracker 545

Chapter 18 Command Line Interface


Overview 547
Setup 549
cpconfig 550
cpstart 553
cpstop 553
fwstart 554
fwstop -default and fwstop -proc 554
Control 556
fwm load 556
fwm unload 558
fwm load 559
fwm fetch 560
fwm putkey 561
fwm dbload 562
rs_db_tool 563
Monitor 564
Check Point WatchDog (cpwd) 565

cpstat 567
fwm lichosts 569
fwm ver 569
fwm sam 570
Utilities 575
fwm ctl 576
fwm gen 579
fwm kill 580
fwell 581
fwm tab 584
dynamic_objects 585
dbedit 587
queryDB_util 591
Log File Management 593
fwm log 593
fwm logswitch 596
fwm logexport 598
fwm repairlog 599
fwm mergefiles 600
fwm lslogs 601
fwm fetchlogs 603
fw lea_notify 604
log_export 604
ClusterXL: High Availability and Load Sharing 609
cphastart 609
cphastop 609
cphaprob 609
fwm hastat 614
User Database Management 615
fwm ikecrypt 615
fwm dbimport 616
fwm dbexport 618
ldapmodify 620
ldapsearch 621
License Management 624
Local Licensing Commands 624
cplic put... 624
cplic del 627
cplic print 628
cplic check 629
Remote Licensing Commands 631
cplic put <object name> ... 631
cplic del <object name> ... 633
cplic get 634
cplic upgrade 635
License Repository Commands 639
cplic db_add 639
cplic db_rm 640
cplic db_print 641

Product Management 643
Product Repository Management 643
cppkg Overview 643
cppkg add 643
cppkg del 645
cppkg print (search) 648
cppkg setroot 649
cppkg getroot 650
Remote installation 651
cprinstall Overview 651
cprinstall upgrade 651
cprinstall verify_upgrade 652
cprinstall install 653
cprinstall uninstall 654
cprinstall get 656
cprinstall verify 657
cprinstall boot 658
cprinstall stop 659
cprinstall (cpstart/cpstop) 660
VPN-1 Accelerator Card 661
vpn accel 661
lunadiag 661
VPN Commands 662
vpn ver 662
vpn debug 662
vpn drv 663
vpn intelrng 663
Daemons 664
Check Point Remote Installation Daemon (cprid) 664
CPsyslogD 664
FloodGate-1 666
SmartView Monitor 666
rtmstart 666
rtmstop 666
rtm d 667
rtm debug 667
rtm drv 667
rtm ver 668
rtm stat 668
rtm monitor — Interface Monitoring 668
rtm monitor — Virtual Link Monitoring 671
Options Reporting Tool Commands 671
Starting the Reporting Tool 671
Scheduling and Distributing Reports and Replacing the Management 672
Generating Reports 678
Reporting Server Commands 679
Upgrading FWR, RPF and DEF Files 679
Log Consolidation Engine Commands 680
log_consolidator 680

OPSEC 686
upgrade_fwopsec 686

Glossary 689

Index 713

Preface

Who Should Use this User Guide


This User Guide is written for system administrators who are responsible for
maintaining network security. It assumes you have a basic understanding and a working
knowledge of:
• system administration
• the Unix or Windows operating system
• the Windows GUI
• Internet protocols (IP, TCP, UDP etc.)

Summary of Contents
Chapter 1, “Configuring VPN-1/FireWall-1,” describes how to configure Check Point
VPN-1/FireWall-1.
Chapter 2, “SmartUpdate,” describes how to use Check Point SmartUpdate.
Chapter 3, “Graphical User Interface,” describes how to use the Check Point Graphical
User Interface (GUI).
Chapter 4, “Managing Users and Administrators,” describes how to define and manage
users, including users defined on an LDAP Server.
Chapter 5, “Network Objects,” describes how to define network objects (gateways,
hosts, routers, switches, and others).
Chapter 6, “Services and Resources,” describes how to define network services.
Chapter 7, “Global Properties,” describes how to define VPN-1/FireWall-1 properties.
Chapter 8, “Security Policy Rule Base,” describes how to define and enforce a Security
Policy’s rules.

Chapter 9, “Time and Scheduled Event Objects,” describes how to define the time
objects used in rules.
Chapter 10, “Server Objects and OPSEC Applications,” describes how to define Server
objects.
Chapter 11, “SmartView Tracker,” describes the SmartView Tracker.
Chapter 12, “SmartView Status,” describes the SmartView Status.
Chapter 13, “User Monitor,” describes the management of SecuRemote users.
Chapter 14, “Dynamically Assigned IP Addresses,” describes how to define and
configure Modules whose IP addresses are not fixed, but dynamically assigned.
Chapter 15, “Virtual Links,” describes how to define and monitor virtual links.
Chapter 16, “SmartMap,” describes how to use SmartMap.
Chapter 17, “Management High Availability,” describes how to use Management High
Availability.
The Glossary defines terms sometimes encountered in discussions of IP networks.

Check Point Documentation


User Guides are available for each product in Portable Document Format (PDF) in the
Check Point Enterprise Suite. The Adobe Acrobat Reader is required to view PDF
files and is also available on the Check Point Enterprise Suite CD-ROM. Alternatively,
you can download the Acrobat Reader from the Adobe Web site
(http://www.adobe.com).
The following User Guides are available for Check Point Enterprise Suite products.
1) Check Point Getting Started Guide — This book is an introduction to Check Point
products.
2) Check Point SmartCenter Guide — This book describes the Check Point
Management GUI, which is used to manage VPN-1/FireWall-1 and other Check
Point products.
3) Check Point FireWall-1 Guide — This book describes Check Point
VPN-1/FireWall-1.
4) Check Point Virtual Private Networks Guide — This book describes the Check Point
VPN-1/FireWall-1 encryption features.
5) Check Point Desktop Security Guide — This book describes Check Point security as
implemented by SecuRemote and SecureClient.

20 Check Point SmartCenter Guide • September 17, 2002


6) Check Point FloodGate-1 Guide — This book describes Check Point FloodGate-1,
which enables administrators to manage the quality of service on their networks.
7) Check Point SmartView Monitor User Guide — This book describes the Check Point
Real Time Monitor, which enables administrators to monitor quality of service on
their network links, as well as Service Level Agreement compliance.
8) Check Point Provider-1/SiteManager-1 Guide — This book describes Check Point
Provider-1/SiteManager-1, which enables service providers and managers of large
networks to provide Check Point products-based services to large numbers of
subscribers.
9) Check Point SmartView Reporter Guide — This book describes the Check Point
Reporting Module, which enables administrators to manage databases of Check
Point log-based information.
10) Check Point UserAuthority User Guide — This book describes Check Point
UserAuthority, which enables third-party and Web applications to leverage Check
Point’s sophisticated authentication and authorization technologies.
11) Check Point User Management Guide — This book describes Check Point
LDAP-based user management.

Note - For additional technical information about Check Point products, consult Check
Point’s SecureKnowledge database at http://support.checkpoint.com/kb/

What Typographic Changes Mean
The following table describes the typographic changes used in this book.
TABLE P-1 Typographic Conventions

Typeface or Symbol   Meaning                                     Example
AaBbCc123            The names of commands, files, and           Edit your .login file.
                     directories; on-screen computer output      Use ls -a to list all files.
                                                                 machine_name% You have mail.
AaBbCc123            What you type, when contrasted with         machine_name% su
                     on-screen computer output                   Password:
AaBbCc123            Command-line placeholder: replace with      To delete a file, type rm filename.
                     a real name or value
AaBbCc123            Book titles, new words or terms, or         Read Chapter 6 in User’s Guide.
                     words to be emphasized                      These are called class options.
                                                                 You must be root to do this.
Save                 Text that appears on an object in a         Click the Save button.
                     window


TABLE P-2 Command-line Usage Conventions

Symbol   Meaning                       Example
[]       Optional variable             fw ver [-k] [-f filename]
                                       Use either or both of the -k and the -f filename options.
<>       Compulsory variable           fw converthosts <input_file> [output_file]
                                       input_file is compulsory; output_file is optional.
|        Use one of the alternatives   cplic import <Module IP | object name>
                                       Use either the Module IP or the object name option.

Note - This note draws the reader’s attention to important information.

Warning - This warning cautions the reader about an important point.

Tip - This is a helpful suggestion.

Shell Prompts in Command Examples
The following table shows the default system prompt and superuser prompt for the C
shell, Bourne shell, Korn shell and DOS.
TABLE P-3 Shell Prompts

Shell                                          Prompt
C shell prompt                                 machine_name%
C shell superuser prompt                       machine_name#
Bourne shell and Korn shell prompt             $
Bourne shell and Korn shell superuser prompt   #
DOS                                            current-directory>

Network Topology Examples


Network topology examples usually show a gateway’s name as a city name (for
example, Paris or London) and the names of hosts behind each gateway as names of
popular sites in those cities (for example, Eiffel and BigBen).



CHAPTER 1

Configuring VPN-1/FireWall-1

In This Chapter

Configuring Check Point Products page 25
Secure Internal Communications for Distributed Configurations page 46
Frequently Asked Questions—Installing, Upgrading, Configuring page 57

Configuring Check Point Products


• Configuring a New or Upgrade Installation — The configuration starts
automatically after the Check Point product is installed or upgraded. The
configuration options appear consecutively. Configure each option and then
proceed to the next window.
After configuration, you must reboot.
• Configuring Installed Products — Check Point products are configured by
running the Check Point configuration application (cpconfig). When you do so,
the different configuration options can be chosen from a menu (on UNIX
platforms) or appear as individual tabs in the Configuration window (on Windows).
To run the configuration application:
• Type cpconfig at the command prompt, or

• Windows platforms — go to Start>Programs>Check Point SMART Clients>Check
Point Configuration NG

The Configuration program is part of the SVN Foundation.


The windows or menus displayed depend on the components installed on the machine. You will
not necessarily see all the windows or menu items described here during your configuration
process.


The following configuration options are available:

Licenses page 26
The Trial Period page 27
Administrators page 30
SMART Clients page 36
PKCS#11 Token page 37
Key Hit Session/Random Pool page 38
Certificate Authority page 39
Secure Internal Communication page 40
Fingerprint page 43
High Availability page 45
Interfaces page 45
VPN-1 Accelerator Driver page 45
SNMP Extension (Unix only) page 45
Automatic Start of Check Point Modules (Unix only) page 46

Licenses
Use this option to:
• view license details
• add required licenses for the host
• delete licenses from the host (Windows only). On Unix, to delete or overwrite a
license use the cplic del command (see “cplic del” on page 820).
You do not need a license to run the SMART Client.
Use the cpconfig Licenses option to manage Local licenses only. Central licenses are managed
via SmartUpdate. For details about the differences between Local and Central Licenses, and for
information about centrally managing licenses on remote hosts, see Chapter 2 “Smart Update”
on page 67 of the Check Point SmartCenter Guide.

Note - For a DAIP Module, do not use cpconfig to install a license. A DAIP Module can
use only a Central license, which must be installed using the cplic put command.


FIGURE 1-1 Licenses window (Windows)

Understanding License Details


The Licenses window shows the following information for each license:
IP Address — the IP address of the machine for which the license is intended
Expiration Date — the license expiration date
SKU/Features — a string composed of four groups of nine characters listing the features
included in the license

Obtaining Licenses
If you have not yet obtained your license(s), see “Obtaining Licenses” on page 127 of the Check
Point Getting Started Guide. You can add licenses after completing the other cpconfig
configuration options.

The Trial Period


All purchased Check Point products have a 15 day trial period. During this period the software
is fully functional and all features are available without a license. After that period, a permanent
license must be installed in order to continue using the software. Alternatively, an evaluation
license may be obtained.
The 15 day trial period on an Enforcement Module starts when Secure Internal
Communication is initialized with the SmartCenter Server. On a SmartCenter Server, the trial
period starts when the Certificate Authority is initialized during cpconfig configuration.
If a license is installed during the 15 day trial period, the effective license will be the installed
license.

Chapter 1 Configuring VPN-1/FireWall-1 27



If all installed licenses are removed during the 15 day trial period, the product will regain full
functionality until the end of the trial period.
If no licenses are installed, the remaining trial period is displayed when starting SmartUpdate
and any of the other Check Point SMART Clients.
To see the remaining trial period, perform the Get Check Point Node Licenses operation in
SmartUpdate, or open the cpconfig Licenses tab on the Enforcement Module, or run the
command cplic print locally on the Enforcement Module.

To Fetch One or More Licenses from a File


On Windows platforms, to import one or more licenses from a license file, proceed as
follows:
1 Click on Fetch from File.
FIGURE 1-2 Open License File window

2 Browse to the license file, select it, and click Open.

The license(s) that belong to this host are added. After installing the license, you should import
the licenses to the Smart Update License Repository (see “Adding a License to the License
Repository” on page 114).

To Add a License Manually


On Unix platforms, type the details of the license. The license email received from the User
Center contains the license string and an attached license file. On Windows, proceed as follows:
1 Click on Add to add a license.
The Add License window is displayed.


FIGURE 1-3 Add License window

2 The User Center results page and the license email received from the User Center
contain the license installation instructions. To enter the license data, either:
• Copy the license string to the clipboard. Copy the string that starts with cplic
put... and ends with the last SKU/Feature, then click Paste License, or

• Type in the information.

3 Click Calculate, and make sure the result matches the validation code received from
the User Center.
4 Click OK.

To Delete a License
1 In the Licenses window, select the license to be deleted.
2 Click Delete, or press the Delete key on the keyboard.


Administrators
FIGURE 1-4 Administrators window

Use this option to:


• add administrators who are permitted on the SMART Client side, that is, the
administrators who will be allowed to use a SMART Client to connect to the
SmartCenter Server installed on this machine
• modify Administrator permissions
• delete Administrators
The availability of permissions depends on the installed products.
Whenever an administrator logs in, all actions are recorded on the SmartCenter Server in a file
called $FWDIR/log/fw.adtlog which is viewed using the Log Viewer. Administrator actions are
also logged to a text file called $FWDIR/log/cpmi_audit.txt.

In This Section

To Add an Administrator page 24
To Modify Administrator Permissions page 26
To Delete an Administrator page 27
Concurrent Sessions page 43
Read Only Sessions page 44
Authenticating VPN-1/FireWall-1 Administrators page 44


To Add an Administrator
You must define at least one administrator, otherwise no one will be able to use the
SmartCenter Server you have just installed.
The administrator password should be at least four characters long, with no spaces.
1 Click Add to specify an administrator. The Add Administrator window is displayed.
FIGURE 1-5 Add Administrator window

2 Enter the Administrator Name.

3 Enter the Password.


The password should be at least four characters long, with no spaces.
You must enter the password twice in order to confirm it.


4 Specify the Administrator’s Permissions. The following table shows the available
administrator permissions options.
TABLE 1-1 Add and Edit Administrator Permission Options

Selecting this option…       …gives these permissions
Read/Write All               Allows full access to all Check Point products.
Read Only All                Allows read-only access to all Check Point products.
Customized                   Allows user-defined access to Check Point products.
Smart Update                 Note — Choosing Read/Write permissions automatically gives
                             Read/Write permissions for all other options.
                             • Read/Write permission allows Check Point product installations
                               on Managed modules to be centrally managed.
                             • Read Only permission allows viewing the status of installations
                               of Check Point products on managed Modules.
Objects Database             Note — These permissions cannot be selected. They are
                             automatically assigned based on choices made in other options.
                             • Read/Write permission indicates that the administrator can add,
                               remove and modify objects, in addition to being able to edit
                               the Policy properties.
                             • Read Only permission means that the administrator can see the
                               objects but cannot modify them.
Check Point Users Database   • Read/Write allows the administrator to define, remove and
                               modify users or templates, as well as insert and remove users
                               to/from groups.
                             • Read Only permission allows the administrator to view users,
                               templates, and groups but not modify them.
LDAP Users Database          • Read/Write permission allows the administrator to define,
                               remove and modify LDAP users and groups.
                             • Read Only permission allows the administrator to view LDAP
                               users and groups but not modify them.
                             For more information on LDAP Users Database administrators, see
                             “LDAP Administrators” on page 21 of Check Point User Management.
Security Policy              • Read/Write allows the administrator to manage Security Policies
                               and rules within the Policies. The administrator can install
                               and uninstall Security Policies.
                             • Read Only allows the administrator to open and view Security
                               Policies but not to modify them.
QoS Policy                   • Read/Write allows the administrator to manage QoS policies and
                               rules within the policies. The administrator can install and
                               uninstall QoS Policies.
                             • Read Only allows the administrator to open and view QoS
                               Policies but not to modify them.
Log Consolidator Policy      • Read/Write allows the administrator to manage Log Consolidator
                               policies and rules within the policies. The administrator can
                               install and uninstall Log Consolidator Policies.
                             • Read Only allows opening and viewing Log Consolidator policies
                               but not modifying them.
Reporting Tool               • Read/Write allows the administrator to create and manage report
                               definitions.
                             • Read Only permission allows the administrator to process
                               reports and change Runtime parameters, but not to create or
                               modify report definitions.
Monitoring                   • Read/Write permission allows the administrator full access to
                               the Log Viewer, System Status and Traffic Monitoring.
                             • Read Only permission prevents the administrator interrupting
                               connections.

To Modify Administrator Permissions


1 Select the Administrator to be edited.
2 Click on Edit in the Administrators window.
The Edit Administrator window will open (very similar to “Add Administrator window,
FIGURE 21-5 on page 24).
3 Specify the Administrator’s Permissions. TABLE 21-1 on page 25 explains the
available administrator permissions options.


To Delete an Administrator
1 Select the Administrator to be deleted.
2 Click Delete in the Administrators window.

Concurrent Sessions
In order to prevent more than one administrator from modifying a Security Policy at the same
time, VPN-1/FireWall-1 implements a locking mechanism.
Any number of administrators can view a Security Policy at the same time, but only one of
them can have write permission at any given moment. Upon opening a Security Policy, an
administrator is granted write permission only if both of the following conditions are true:
• The administrator has been assigned Read/Write or User Edit privileges.
• No other administrator currently has write permission for the Security Policy at
this time.
For example, suppose Bob and Alice are both administrators. Bob has Read/Write privileges
and Alice has User Edit privileges. Suppose no one has the Security SmartDashboard open. If
Alice opens the Security SmartDashboard, she will be granted User Edit permission. If Bob
opens the same Security Policy before Alice closes it on her workstation, then Bob will not be
granted Read/Write permission. Instead, he will be asked whether he wishes to quit or to open
the Security Policy with Read Only permission.

Read Only Sessions


An administrator with Read/Write or User Edit privileges can open a Read Only session by
checking the Read Only checkbox in the Check Point SmartDashboard Login window
FIGURE 1-6 Login window

During the Read Only session, another administrator with Read/Write privileges can log in and
be granted write permission.
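The locking behaviour described in Concurrent Sessions and Read Only Sessions, modelled in
Python as an added example (this is not Check Point code; the PolicyLock class, its method
names and the mode strings it returns are assumptions for illustration, while the Bob/Alice
scenario and the privilege names are the guide’s own):

```python
"""Model of the Security Policy write lock and Read Only sessions (added
example, not Check Point code). Any number of administrators may read a
Policy at once; only one holds write permission at a time, and only if
that administrator has Read/Write or User Edit privileges. Opening a
Read Only session never takes the lock, so a later Read/Write
administrator can still be granted write permission.
"""
import threading

WRITE_PRIVILEGES = {"Read/Write", "User Edit"}


class PolicyLock:
    def __init__(self):
        self._lock = threading.Lock()   # protects the bookkeeping below
        self.writer = None              # administrator holding write permission
        self.sessions = {}              # administrator -> mode granted

    def open(self, admin, privilege, read_only=False):
        """Open a session for admin; return the mode actually granted.
        When write permission is held by someone else, the caller is
        offered Read Only (the guide's alternative to quitting)."""
        with self._lock:
            if admin in self.sessions:          # already logged in
                return self.sessions[admin]
            wants_write = privilege in WRITE_PRIVILEGES and not read_only
            if wants_write and self.writer is None:
                self.writer = admin
                mode = "User Edit" if privilege == "User Edit" else "Read/Write"
            else:
                mode = "Read Only"
            self.sessions[admin] = mode
            return mode

    def close(self, admin):
        """Close admin's session, releasing write permission if held."""
        with self._lock:
            self.sessions.pop(admin, None)
            if self.writer == admin:
                self.writer = None

    def holder(self):
        """Administrator currently holding write permission, or None."""
        with self._lock:
            return self.writer
```

Walking through the guide’s scenario: Alice (User Edit) opens first and is granted User Edit;
Bob (Read/Write) opening before she closes receives Read Only; once both close, Bob gets
Read/Write. A session opened with read_only=True leaves the lock free.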


Authenticating VPN-1/FireWall-1 Administrators


You may wish to authenticate VPN-1/FireWall-1 administrators, even if they are defined as
administrators and connecting from authorized SMART Clients.

Note - VPN-1/FireWall-1 administrators are always authenticated. This section describes
how to implement additional authentication mechanisms.

To authenticate VPN-1/FireWall-1 administrators, proceed as follows:


1 Configure your SmartCenter Server so that it is protected by a VPN/FireWall
Module.
The VPN/FireWall Module can be on the same machine as the SmartCenter Server
or on a different machine.
2 In the FireWall-1 Implied Rules page of the Global Properties window, disable Accept
VPN-1 & FireWall-1 Control Connections.

3 Add a rule to the Rule Base specifying Client Authentication or Client Encryption
as the Action, for example, the rule shown below:
TABLE 1-2 Rule Base Example

Source         Destination   Services   Action              Track   Install On
FW1Admin@Any   MgmtStation   FW1_mgmt   Client Encryption   Log     the VPN/FireWall Module that
                                                                    protects the SmartCenter Server

The FW1_mgmt service is a TCP service on port 258.


4 Add rules to the Rule Base that allow the other control connections you need,
(since you disabled them in step 2).


SMART Clients
FIGURE 1-7 SMART Clients window

Specify the SMART Clients, that is, the remote computers from which administrators will be
allowed to connect to the SmartCenter Server.
There is no need to define a SMART Client that is on the same machine as the SmartCenter
Server. If no SMART Clients are defined, you will be able to manage the SmartCenter Server
you have just installed only from a SMART Client running on the same machine.

To Add a SMART Client


Enter the SMART Client’s name and click on Add to add it to the list of allowed SMART
Clients. You can add SMART Clients using any of the following formats:
• IP address (For example 1.2.3.4).
• Machine name (For example Alice, or Alice.checkpoint.com).
• Any (Any IP without restriction).

• IP1-IP2 (A range of addresses. For example 1.2.3.4-1.2.3.40).


• Wild cards (For example 192.140.150.* or *.checkpoint.com).
Note - When specifying SMART Clients using any format other than the IP address, you
must add an explicit rule in the Rule Base allowing the SMART Clients to connect to the
SmartCenter Server. For example:
Source— Network Address Range, Destination—SmartCenter Server, Service—CPMI,
Action—Accept.
If specifying a SMART Client using a single IP address or machine name, an explicit rule
is not required.


The connection between the SMART clients and the SmartCenter Server is enabled in
SmartCenter by checking the Accept VPN-1 & FireWall-1 control connections property in the
FireWall-1 Implied Rules page of the Global Properties window.

If the connection between the SMART clients and the SmartCenter Server passes through a
VPN/FireWall Module, then the Security Policy must be re-installed on the VPN/FireWall
Module so that the newly added SMART clients can connect to the SmartCenter Server.
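The allowed-list formats listed above, and the note on when an explicit Rule Base rule is
required, as an added Python example (this is not Check Point code; the function names, the
constructed name table that stands in for DNS, and the treatment of a machine name as the
address it resolves to are assumptions for illustration):

```python
"""Allowed-list matcher for SMART Client entries (added example, not
Check Point code). It models the five entry formats cpconfig accepts:
single IP address, machine name, Any, IP1-IP2 range and wild cards
(192.140.150.* or *.checkpoint.com). Name resolution uses a constructed
table so the example runs offline; a real check would use DNS.
"""
import fnmatch
import ipaddress

# Constructed stand-in for DNS (assumption, not part of the guide).
NAME_TABLE = {
    "alice": "10.1.1.5",
    "alice.checkpoint.com": "10.1.1.5",
    "bob.checkpoint.com": "10.1.1.6",
}


def _resolve(name):
    return NAME_TABLE.get(name.lower())


def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False


def entry_kind(entry):
    """Classify one allowed-list entry: any, range, wildcard, ip or name."""
    e = entry.strip()
    if e.lower() == "any":
        return "any"
    if "-" in e:
        lo, hi = e.split("-", 1)
        if _is_ip(lo) and _is_ip(hi):
            return "range"          # a host name may also contain a hyphen
    if "*" in e:
        return "wildcard"
    return "ip" if _is_ip(e) else "name"


def needs_explicit_rule(entry):
    """The guide's note: every format other than a single IP address or a
    machine name needs an explicit Rule Base rule (Service CPMI)."""
    return entry_kind(entry) not in ("ip", "name")


def client_matches(entry, client_ip, client_name=None):
    """True when the connecting client is covered by this one entry.
    client_name is the client's resolved host name, if known."""
    kind = entry_kind(entry)
    addr = ipaddress.ip_address(client_ip)
    e = entry.strip()
    if kind == "any":
        return True
    if kind == "ip":
        return addr == ipaddress.ip_address(e)
    if kind == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in e.split("-", 1))
        return lo <= addr <= hi
    if kind == "wildcard":
        if e[0].isdigit():                      # address pattern, e.g. 192.140.150.*
            return fnmatch.fnmatchcase(str(addr), e)
        if client_name is None:                 # a name pattern needs a name to match
            return False
        return fnmatch.fnmatchcase(client_name.lower(), e.lower())
    return _resolve(e) == str(addr)             # machine name


def is_allowed(allowed, client_ip, client_name=None):
    """Evaluate the whole list; an empty list means local management only."""
    return any(client_matches(e, client_ip, client_name) for e in allowed)
```

A name wild card can only be matched when the client’s host name is known, which is why a
connecting address without a reverse name is rejected for *.checkpoint.com but accepted for an
address pattern or a range.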

To Remove a SMART Client


To remove a SMART Client from the allowed list, select it and click on Remove.

PKCS#11 Token
FIGURE 1-8 PKCS#11 Token window

Use this window to register a cryptographic token for use by VPN-1/FireWall-1, to see details
of the token, and to test its functionality.
For configuration details, see the “PKCS#11 Token” on page 58 of Check Point Virtual Private
Networks.


Key Hit Session/Random Pool


FIGURE 1-9 Key Hit Session window

You are asked to enter random keystrokes. The random data collected in this session is used in
various cryptographic operations.
Enter random characters containing at least six different characters. Do not type the same
character twice in succession, and try to vary the delay between the characters. Keystrokes that
are too fast or too similar to preceding keystrokes are ignored.
Keep typing until you hear a beep and the bar is full.
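The acceptance rules just described (repeated characters and keystrokes that arrive too fast are
ignored, at least six different characters are needed, and the session ends when the bar is
full), modelled in Python as an added example. This is not Check Point code: the timing
threshold, the number of keystrokes that fills the bar, the class and method names, and the
SHA-256 derivation of a pool seed are assumptions for illustration.

```python
"""Key Hit Session model (added example, not Check Point code).

A keystroke is ignored when it repeats the previous character or arrives
faster than MIN_INTERVAL_S after the previous one; the session is full
only when TARGET_KEYSTROKES accepted hits covering at least MIN_DISTINCT
different characters have been collected. The thresholds and the seed
derivation are assumptions for illustration.
"""
import hashlib

MIN_INTERVAL_S = 0.05      # assumption: faster keystrokes carry no timing entropy
MIN_DISTINCT = 6           # from the guide: at least six different characters
TARGET_KEYSTROKES = 40     # assumption: the bar is full after this many accepted hits


class KeyHitSession:
    def __init__(self):
        self.accepted = []      # (char, seconds since previous keystroke)
        self.last_char = None
        self.last_time = None

    def hit(self, char, timestamp):
        """Feed one keystroke with its arrival time; return True if accepted."""
        interval = None if self.last_time is None else timestamp - self.last_time
        accepted = True
        if char == self.last_char:
            accepted = False            # same character twice in succession
        elif interval is not None and interval < MIN_INTERVAL_S:
            accepted = False            # too fast relative to the previous key
        self.last_char, self.last_time = char, timestamp
        if accepted:
            self.accepted.append((char, 0.0 if interval is None else interval))
        return accepted

    def distinct(self):
        """Number of different characters among the accepted keystrokes."""
        return len({c for c, _ in self.accepted})

    def progress(self):
        """Fill level of the progress bar, 0.0 to 1.0."""
        return min(1.0, len(self.accepted) / TARGET_KEYSTROKES)

    def is_full(self):
        return (len(self.accepted) >= TARGET_KEYSTROKES
                and self.distinct() >= MIN_DISTINCT)

    def pool(self):
        """Derive a 32-byte seed from the accepted characters and the
        microsecond inter-keystroke timings; refuse while still typing."""
        if not self.is_full():
            raise RuntimeError("keep typing: session not yet full")
        h = hashlib.sha256()
        for c, dt in self.accepted:
            h.update(c.encode("utf-8"))
            h.update(int(max(dt, 0.0) * 1_000_000).to_bytes(8, "big"))
        return h.digest()
```

The timing of each accepted keystroke is hashed along with the character, since the variation
in delay between keystrokes is what the guide asks the user to supply.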


Certificate Authority
FIGURE 1-10 Certificate Authority window

Certificate Authority
This option allows you to create an Internal Certificate Authority (ICA) on SmartCenter Server,
and create a Secure Internal Communication (SIC) certificate for the SmartCenter Server.
SIC certificates are used to authenticate communication between Check Point communicating
components, or between Check Point communicating components and OPSEC Applications.

Management FQDN
cpconfig tries to resolve the FQDN (fully qualified domain name) of the SmartCenter Server
and supplies this as a default. If this is not the correct FQDN, change the contents of the
Management FQDN field. This may be useful if there is a problem resolving the FQDN of the
SmartCenter Server.
Specifying the correct FQDN ensures that the Certificate Revocation List (CRL) can be reliably
retrieved by a communicating component, so that it can properly authenticate a certificate.
A fully qualified domain name consists of a host name and a domain name. For example,
www.checkpoint.com is a fully qualified domain name.
The ICA needs the FQDN in order to insert the CRL Distribution Point correctly in every
certificate it issues. Communicating components retrieve the CRL by reading the certificate and
looking for the CRL Distribution Point. The location of the CRL distribution point is an
HTTP address in the form http://FQDN/<CRL_filename>.
To see the location of the CRL applicable for a certificate, in SmartDashboard, edit the
SmartCenter Server object, and in the VPN page, select the certificate and click Edit > View.
The CRL Distribution Point is one of the fields in the certificate.


Secure Internal Communication


FIGURE 1-11 Secure Internal Communication window

The Secure Internal Communication window is used to establish trust between this machine
and the Primary SmartCenter Server. Once trust is established this machine can communicate
with other Check Point communicating components. Trust is established by creating a certificate
on the SmartCenter Server and delivering it to this machine.
Where this is a machine with a dynamically assigned IP address (DAIP Module), the
SmartCenter Server can push a certificate to the DAIP Module if the current IP address of the
DAIP module is known when initializing SIC (in SmartDashboard, in the Communications
window of the DAIP object).
For information about communications in a distributed environment, see “Secure Internal
Communications for Distributed Configurations” on page 160 of the Check Point Getting Started
Guide or page 48 of the Check Point SmartCenter Guide.

To Initialize a Module for Communication


1 To enable communication, enter here the same Activation Key as in
SmartDashboard, in the Check Point Gateway - General page of the Module.
Confirm this Activation Key in the Confirm Password field.


2 At a SMART Client, connect to the SmartCenter Server and open
SmartDashboard. (In a Management High Availability configuration, connect to the
Primary SmartCenter Server).
3 In SmartDashboard, create an object for the Module, and give it a name and an IP
address.

Note - If the Module has dynamic IP address, see “Defining a Module with a Dynamic IP
Address” on page 480 of the Check Point SmartCenter Guide.

The following explanation matches the Classic Mode of creating an object:


a Choose Network Objects from the Manage menu, and click on New > Check
Point Gateway...

b In the Check Point Gateway — General Properties page fill in the Module name
and IP address.
c Check the appropriate product.

4 Initialize the Module:


a In the Check Point Gateway — General Properties page, click Communication...
FIGURE 1-12 Communication Window

b In the Communication window, enter the Activation Key — the SAME
Activation Key as you entered when configuring the Module.


Confirm this Activation Key in the Confirm Activation Key field.

Note - For the next step to work, the SVN Foundation and the VPN-1/FireWall-1 services
must be running on the Module, and there must be IP connectivity from the Management
Server to the Module.

c Click Initialize to start the Module initialization process.
At this point a certificate is issued to the Module. It is signed, and securely
transferred to the Module.
The Module status is reported in the Trust State field.
Trust state—Trust is established only after a certificate has been issued by the Internal
Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may
be different than the Trust state reported at the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in
the SmartDashboard Communication window of the Module: The Trust state reflects the
situation after Module initialization, that is, when an activation key is exchanged and certificate
is sent to the Module. In contrast, Test SIC Status reflects the SIC status after the Module has
the certificate.
The Trust State as reported in cpconfig in the Secure Internal Communication and in the
SmartDashboard in the Communication window can be in one of three states:
• Uninitialized —The Module is not initialized and therefore cannot communicate
because it has not received a certificate from the Internal Certificate Authority on
the SmartCenter Server.
• Initialized but trust not established — At the Module, in cpconfig, in the Secure
Internal Communication window, this means that a one-time password has been typed
in but the Module has not yet received a certificate from the Internal Certificate
Authority on the SmartCenter Server.
In the SmartDashboard, in the Communication window, this means that a certificate
has been issued to this Module but has not been delivered, so trust (secure
communication) cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server
has been established. The Module can communicate securely.


Trust will be established and the Module will be able to communicate when the
certificate is successfully delivered to the Module, the Trust State is Trust
established, and the SIC name (or DN) of the Module is reported in the General
page of the Workstation Properties window.

Note - The setting up of SIC communication can be tracked by viewing the
$CPDIR\log\cpd.elg log file on the Module.

5 Install the Security Policy on the Module.


Upon successful initialization, the newly defined Module can securely communicate with any
other Module that owns a certificate.
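The three Trust States listed above, and the way the cpconfig view and the SmartDashboard
view can disagree after an Initialize or Reset, modelled as a two-sided Python exchange. This
is an added example, not Check Point code: the Module and InternalCA classes, the use of an
HMAC over the certificate as the proof that the issuer knows the Activation Key, and the
certificate format are all simplifications assumed for illustration.

```python
"""Two-sided model of SIC initialization (added example, not Check Point
code). The Module (cpconfig view) becomes "Initialized but trust not
established" when its one-time Activation Key is typed in; the
SmartCenter side (SmartDashboard view) enters that state when it has
issued a certificate that was not delivered; both reach "Trust
established" only once the certificate is delivered. Keys, proofs and
certificate bytes are simplified assumptions.
"""
import hashlib
import hmac
import os

UNINITIALIZED = "Uninitialized"
INITIALIZED = "Initialized but trust not established"
TRUST_ESTABLISHED = "Trust established"


def _key_digest(activation_key):
    return hashlib.sha256(activation_key.encode("utf-8")).digest()


class Module:
    """The cpconfig side: holds the Activation Key until a certificate arrives."""

    def __init__(self, name):
        self.name = name
        self.key_digest = None      # digest of the one-time Activation Key
        self.certificate = None

    def state(self):
        if self.certificate is not None:
            return TRUST_ESTABLISHED
        return INITIALIZED if self.key_digest is not None else UNINITIALIZED

    def set_activation_key(self, activation_key):
        self.key_digest = _key_digest(activation_key)

    def deliver(self, certificate, proof):
        """Accept the certificate only if the sender proves knowledge of the
        same Activation Key (assumed here to be an HMAC over the certificate)."""
        if self.key_digest is None:
            return False                            # nothing typed in yet
        expected = hmac.new(self.key_digest, certificate, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False                            # keys differ: not delivered
        self.certificate = certificate
        self.key_digest = None                      # one-time key is consumed
        return True

    def reset(self):
        """cpconfig Reset: forget key and certificate on the Module only."""
        self.key_digest = None
        self.certificate = None


class InternalCA:
    """The SmartCenter side: issues a certificate when the administrator enters
    the Activation Key in the Communication window and tries to deliver it."""

    def __init__(self):
        self.issued = {}    # module name -> (certificate, delivered flag)

    def state(self, module_name):
        if module_name not in self.issued:
            return UNINITIALIZED
        return TRUST_ESTABLISHED if self.issued[module_name][1] else INITIALIZED

    def initialize(self, module, activation_key):
        """Issue a certificate bound to the key and attempt delivery."""
        cert = b"SIC-CERT:" + module.name.encode("utf-8") + b":" + os.urandom(8)
        proof = hmac.new(_key_digest(activation_key), cert, hashlib.sha256).digest()
        delivered = module.deliver(cert, proof)
        self.issued[module.name] = (cert, delivered)
        return delivered
```

A mismatched Activation Key leaves the SmartCenter side reporting Initialized but trust not
established (certificate issued, not delivered) while the Module still waits for a certificate; a
Reset on the Module alone is why the two views can later differ.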

To Reset the Trust State of a Module


1 In the Secure Internal Communication window/menu, click or select Reset.

2 For the other half of this procedure, see “How to Reset the Trust State of the
Module” on page 169.

Fingerprint
FIGURE 1-13 Fingerprint window


The Fingerprint window shows the fingerprint of the SmartCenter Server. The fingerprint is a
text string derived from the certificate of the SmartCenter Server. It is used to verify the identity
of the SmartCenter Server being accessed via a SMART Client. You should compare this
fingerprint to the fingerprint displayed in SmartCenter the first time a SMART Client connects
to this SmartCenter Server.
Note - In a Management High Availability configuration, you can view and save the
Fingerprint. For the...
• primary SmartCenter Server — in the Fingerprint window once the ICA Initialization
has succeeded (see FIGURE 21-13).
• secondary SmartCenter Server — in the Secure Internal Communication tab, if the
Trust Status is Trust Established.

How to Use the Fingerprint to Confirm the Identity of the SmartCenter Server
1 In the Fingerprint window, click Export to file and save the file.
2 Take the file over to the SMART Client via some non-network means such as a
diskette, or confirm the fingerprint of the SmartCenter Server by fax or telephone.
3 From a SMART Client, make a first-time connection to the SmartCenter Server. The
Fingerprint of the SmartCenter Server is displayed (see FIGURE 21-14).
FIGURE 1-14 Fingerprint of a SmartCenter Server as displayed at the SMART Client

4 Make sure the fingerprint of the SmartCenter Server is identical to the fingerprint
displayed in the SMART clients.

Note - You should not make a first-time connection to a SmartCenter Server from a SMART
Client unless you have the SmartCenter Server fingerprint to hand, and are able to
confirm it is the same as the fingerprint displayed in the SMART Client.
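The first-connection check above, as an added Python example (not Check Point code). The
guide only says the fingerprint is a text string derived from the SmartCenter Server certificate,
so this example assumes a SHA-1 hex fingerprint over the certificate bytes, a small
trust-on-first-use store on the SMART Client side, and constructed byte strings in place of real
DER certificates; the ClientTrustStore class and its result strings are illustrative.

```python
"""Fingerprint pinning for first-time SMART Client connections (added
example, not Check Point code). The first connection is accepted only if
the presented certificate's fingerprint equals the value obtained out of
band (diskette, fax or telephone); that value is then pinned, and a later
certificate change is reported as a mismatch. The fingerprint form and
the certificate bytes are assumptions.
"""
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
MGMT_CERT = b"constructed-cert:mgmt.example.test:serial-0001"
ROGUE_CERT = b"constructed-cert:mgmt.example.test:serial-9999"


def fingerprint(cert_der):
    """SHA-1 over the certificate bytes, printed as colon-separated hex pairs."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(a, b):
    """Compare ignoring case, colons and spaces, so a value read over the
    telephone can be typed without separators."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return norm(a) == norm(b)


class ClientTrustStore:
    """Pins the fingerprint confirmed on the first connection to each server."""

    def __init__(self):
        self.pins = {}      # server label -> pinned fingerprint

    def first_connection(self, server, cert_der, confirmed_fp):
        """Accept a first connection only when the presented certificate
        matches the fingerprint obtained by non-network means."""
        presented = fingerprint(cert_der)
        if not same_fingerprint(presented, confirmed_fp):
            return "REJECTED: fingerprint does not match the out-of-band value"
        self.pins[server] = presented
        return "pinned"

    def connect(self, server, cert_der):
        """Later connections compare against the pin; a change means the
        server identity must be re-confirmed before continuing."""
        if server not in self.pins:
            return "unknown server: confirm the fingerprint on a first connection"
        if same_fingerprint(self.pins[server], fingerprint(cert_der)):
            return "ok"
        return "MISMATCH: certificate changed since it was pinned"
```

The out-of-band value is compared in normalised form so that a fingerprint transcribed from a
fax or read out by telephone still matches the colon-separated form shown in the window.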


High Availability
FIGURE 1-15 High Availability window

Turn on the State Synchronization and the ClusterXL High Availability and Load sharing
capability.
See Chapter 3, “ClusterXL” in the Check Point FireWall-1 Guide for information on how to
configure a High Availability environment.

Interfaces
A ROBO Gateway is an object which inherits most of its properties and its policy from the
Profile object to which it is mapped. Each ROBO gateway represents a large number of
gateways, which subsequently inherit the properties stipulated by the Profile object.
Select the IP addresses that represent the interfaces defined for each object from the drop down
list.

VPN-1 Accelerator Driver


This option turns on the VPN-1 Accelerator Driver. The VPN-1 Accelerator Driver is available
on multiple CPU machines.
Changes to this setting only take effect after booting the machine.

SNMP Extension (Unix only)


Use this option to configure the SNMP daemon. The SNMP daemon enables the
VPN/FireWall Module to export its status to external network management tools.


Automatic Start of Check Point Modules (Unix only)


Specify whether the VPN/FireWall Module will start automatically at boot time.

Secure Internal Communications for Distributed Configurations
Communicating Components
In a distributed configuration, communicating components such as the SmartCenter Server and
the Modules are deployed on different computers.
Secure Internal Communication (SIC) secures communication between
• Check Point SVN components (such as SmartCenter Servers, SMART clients,
VPN/FireWall Modules, Customer Log Modules, SecureConnect Modules, Policy
Servers), and between
• Check Point SVN components and OPSEC applications.

Security Benefits
Securing communication allows you to be absolutely sure that
• a SMART Client is connecting to a SmartCenter Server to which it is authorized
to connect,
• the Security Policy loaded on a VPN/FireWall Module came from the SmartCenter
Server, rather than a machine pretending to be the SmartCenter Server.
• data privacy and integrity have been maintained

Administrative Benefits
As well as enhancing security, SIC substantially eases the administration of large installations by
reducing the number of configuration actions. It is no longer necessary to perform fw putkey
operations between pairs of communicating components. Instead, it is simply a matter of
performing a simple initialization procedure for each component from the SmartDashboard.

SIC Certificates
Secure Internal Communication for Check Point SVN components uses:
• Certificates for authentication, and
• Standards-based SSL for encryption.


SIC Certificates uniquely identify Check Point-enabled machines or OPSEC applications across
the VPN-1/FireWall-1 system. For example, a computer may have one certificate for Check
Point products and a certificate for each OPSEC application. Certificates are created by the
Internal Certificate Authority (ICA) on the SmartCenter Server for communicating components
managed by the SmartCenter Server.
For information about certificates and their benefits, see “Certificates” on page 23 of Check
Point Virtual Private Networks.
Note - VPN certificates (those used for IKE, for example) and SIC certificates are used for different purposes and are managed differently.
• VPN certificates are managed from the VPN page of the VPN-1 installed object (see
“Workstation Encryption Properties” on page 94 of Check Point Virtual Private
Networks)
• SIC certificates are managed from the Communication window on the General page
of any Check Point installed object (see “Enabling Communication between Modules” on
page 22).

Consider the distributed VPN-1/FireWall-1 configuration depicted in FIGURE 1-16.

FIGURE 1-16 Distributed VPN-1/FireWall-1 configuration, showing the components with certificates. Certificates are created by the ICA on the SmartCenter Server
[Figure: a GUI Client, the Management Server, an Internet router, an Intranet router, two FireWalled Gateways and an Internal FireWall. Callouts: (1) The ICA on this Management Server ... (2) ... delivers certificates to the Check Point Modules.]

The ICA creates a certificate for the SmartCenter Server machine during the SmartCenter Server installation. The ICA itself is created automatically during the installation procedure (see “Installing VPN-1/FireWall-1 (Windows)” on page 115 or “Installing VPN-1/FireWall-1 (UNIX)” on page 123 of the Check Point Getting Started Guide).


Certificates for the VPN/FireWall Modules and any other communicating component are
created via a simple initialization from the SmartDashboard (see “Enabling Communication
between Modules” on page 22). Upon initialization, the ICA creates, signs, and delivers a
certificate to the communicating component. Every Module can verify the certificate for
authenticity.

Communications between the SmartCenter Server(s) and Modules
Communications between a SmartCenter Server and its Modules are authenticated using their
certificates, and according to a policy specified in a policy file on each machine.
Communication using certificates will take place provided that the communicating components
• are of the appropriate version
• agree on the authentication method
• agree on the encryption method
The SmartCenter Server and the Modules are identified by their SIC name (also known as the
DN).
Full backward compatibility allows a SmartCenter Server to communicate with a VPN/FireWall
Module of version 4.1 or earlier using the legacy shared secret (fw putkey) method. The two
communicating components use the password to create a shared key which they exchange and
use to set up an encrypted secure link between them.

Communications Between the SmartCenter Server and the SMART Client
On the SmartCenter Server, the SMART client must be defined as being authorized to connect
to the SmartCenter Server.
For information on how to do this, see “Administrators” on page 136 (for Windows) or
“Administrators” on page 154 (for Unix) of the Check Point Getting Started Guide.
When invoking the SmartDashboard on the SMART client, the VPN-1/FireWall-1
administrator is asked to identify himself and to specify the IP address of the SmartCenter
Server.
The SMART client initiates an SSL-based connection with the SmartCenter Server. The SmartCenter Server verifies that the Client’s IP address belongs to an authorized SMART client, and sends back its certificate.
Upon authenticating the SmartCenter Server's certificate, the administrator is asked to verify
that the right SmartCenter Server is connected. Verification is done using the SmartCenter
Server fingerprint (see the Check Point Getting Started Guide “How to Use the Fingerprint to
Confirm the Identity of the SmartCenter Server” on page 151). The fingerprint is a text string
that represents a certain hash value computed from the SmartCenter Server certificate.


Once the administrator approves the identity of the SmartCenter Server, the administrator’s
name and password are securely sent to the SmartCenter Server.
The administrator’s name and password are used to authenticate the user as a Policy Management
authorized user.

Enabling Communication between Modules


Note - Where a reference is made to a Module, it applies equally to all communicating
components (see “Communicating Components” on page 19), including VPN/FireWall
Modules and OPSEC applications.

Enabling Communication — New Module Registration

After installing a new Module, proceed as follows:
1 At the Module machine, use cpconfig to initialize the Module:
In the Secure Internal Communication tab (for Windows, see FIGURE 1-17) or option (for Unix) of the cpconfig configuration utility of the Module, enter and confirm the one-time password.
FIGURE 1-17 cpconfig Secure Internal Communication window (for Windows)


2 At a SMART Client, connect to the SmartCenter Server and open SmartDashboard. (In a Management High Availability configuration, connect to the Primary SmartCenter Server.)
3 In SmartDashboard, create an object for the Module, and give it a name and an IP
address.

Note - If the Module has a dynamic IP address, see “Defining a Module with a Dynamic IP Address” on page 480 of the Check Point SmartCenter Guide.

The following explanation matches the Classic Mode of creating an object:


a Choose Network Objects from the Manage menu, and click on New > Check
Point Gateway...

b In the Check Point Gateway — General Properties page fill in the Module name
and IP address.
c Check the appropriate product.

4 Initialize the Module:
a In the Check Point Gateway — General Properties page, click Communication...
FIGURE 1-18 Communication Window
b In the Communication window, enter the Activation Key — the SAME Activation Key as you entered when configuring the Module.


Confirm this Activation Key in the Confirm Activation Key field.

Note - For the next step to work, the SVN Foundation and the VPN-1/FireWall-1 services
must be running on the Module, and there must be IP connectivity from the Management
Server to the Module.

c Click Initialize to start the Module initialization process.
At this point a certificate is issued to the Module. It is signed, and securely transferred to the Module.
The Module status is reported in the Trust State field.
Trust state — Trust is established only after a certificate has been issued by the Internal Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may differ from the Trust state reported in the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in the SmartDashboard Communication window of the Module: the Trust state reflects the situation after Module initialization, that is, when an activation key has been exchanged and a certificate sent to the Module. In contrast, Test SIC Status reflects the SIC status after the Module has the certificate.
The Trust State as reported in cpconfig in the Secure Internal Communication tab and in the SmartDashboard in the Communication window can be in one of three states:
• Uninitialized — The Module is not initialized and therefore cannot communicate because it has not received a certificate from the Internal Certificate Authority on the SmartCenter Server.
• Initialized but trust not established —
At the Module, in cpconfig, in the Secure Internal Communication window, this means that a one-time password has been typed in but the Module has not yet received a certificate from the Internal Certificate Authority on the SmartCenter Server.
In the SmartDashboard in the Communication window, this means that a certificate has been issued to this Module but has not been delivered, so trust (secure communication) cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server has been established. The Module can communicate securely.


Trust will be established and the Module will be able to communicate when the
certificate is successfully delivered to the Module, the Trust State is Trust
established, and the SIC name (or DN) of the Module is reported in the General
page of the Workstation Properties window.

Note - The setting up of SIC communication can be tracked by viewing the $CPDIR\log\cpd.elg log file on the Module.

5 Install the Security Policy on the Module.
Upon successful initialization the newly defined Module can securely communicate with any other certificate-owning Module.

Enabling Communication — Upgrading 4.1 Modules

Start or continue from Step 1 or Step 2, as appropriate:
Note -
• You can upgrade to NG only from version 4.1 and higher.
• The version of the SmartCenter Server must always be at least the version of the
VPN/FireWall Module with the highest version.
• The trust relationship between the SmartCenter Server and the Module is maintained at all stages of the upgrade. The old trust relationship, based on a shared secret, is converted to one based on proving identity using certificates.

1 SmartCenter Server Version: 4.1 to NG
Module Version: 4.1
Upgrade the SmartCenter Server version to NG. For details, see “Installing
VPN-1/FireWall-1 (Windows)” on page 115 or “Installing VPN-1/FireWall-1
(UNIX)” on page 123 of the Check Point Getting Started Guide.
The SmartCenter Server can manage version 4.1 Modules. At this point the trust
relationship between the Management and Modules is based on the shared secret
generated prior to the SmartCenter Server upgrade.
2 SmartCenter Server Version: NG
Module Version: Upgrade from 4.1 to NG
Upgrade the Module version to NG. For details, see “Installing VPN-1/FireWall-1
(Windows)” on page 115 or “Installing VPN-1/FireWall-1 (UNIX)” on page 123
of the Check Point Getting Started Guide.
It is perfectly possible for a SmartCenter Server to manage both version 4.1 and
NG Modules. The Modules can be upgraded whenever convenient.


3 From the SmartDashboard, open the General page of the Check Point Gateway window of the Module (FIGURE 1-19) and change the Version to NG.
FIGURE 1-19 Gateway Properties window — General page

At this point a certificate is issued to the Module. It is signed, and securely transferred to the Module. The Module status is reported in the Trust State field.
Trust state — Trust is established only after a certificate has been issued by the Internal Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may differ from the Trust state reported in the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in the SmartDashboard Communication window of the Module: the Trust state reflects the situation after Module initialization, that is, when an activation key has been exchanged and a certificate sent to the Module. In contrast, Test SIC Status reflects the SIC status after the Module has the certificate.


The Trust State as reported in cpconfig in the Secure Internal Communication tab and in the SmartDashboard in the Communication window can be in one of three states:
• Uninitialized — The Module is not initialized and therefore cannot communicate because it has not received a certificate from the Internal Certificate Authority on the SmartCenter Server.
• Initialized but trust not established —
At the Module, in cpconfig, in the Secure Internal Communication window, this means that a one-time password has been typed in but the Module has not yet received a certificate from the Internal Certificate Authority on the SmartCenter Server.
In the SmartDashboard in the Communication window, this means that a certificate has been issued to this Module but has not been delivered, so trust (secure communication) cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server has been established. The Module can communicate securely.
The Module will be able to communicate when the Trust State is Trust Established.
The SIC name (or DN) of the Module is reported in the General page of the Check
Point Gateway window.

This sends the certificate to the Module, and completes the SIC configuration of
the Module.
4 Reinstall the Security Policy on the Module.

Resetting the Trust State of the Module


During the operational lifetime of VPN-1/FireWall-1, it may be required to revoke a Module's
certificate by resetting the Module trust state. This is needed when the security of the Module
has been breached, and it is suspected that its private key has been stolen. It is also needed when
a decision has been taken to cease the operation of a Module. Whatever the reason, in such a
case all other Modules must be notified that the Module's certificate is no longer valid.
Modules are informed of Modules with invalid certificates through a certificate revocation list (CRL) that is issued and signed by the Internal Certificate Authority (ICA) on the SmartCenter Server. A CRL is a file containing the serial numbers of all revoked certificates. Every Module caches a CRL so that it can deny a connection from an impostor if the latter uses an old certificate already listed in its CRL.
As a result of the revocation, the ICA issues a new CRL with the serial number of the revoked
Module's certificate added. The new CRL bears a new date and time of issue. The SIC protocol
ensures fast propagation to all Modules. Part of the protocol negotiation between any two
Modules is CRL checking. If one side of the connecting parties holds a newer CRL, then the
other side replaces its own CRL with the newer one.


To allow a Module that has been reset to communicate, the Module must be re-initialized.

How to Reset the Trust State of the Module

To reset the trust state of a Module, proceed as follows:
Warning -
• For the reset operation to be complete, you must reset the trust state of a Module both in the SmartDashboard and in the Module’s cpconfig configuration utility.
• Modules other than the SmartCenter Server will receive the new CRL the next time a SIC connection is made (such as when the Security Policy is installed on the Modules).

1 Reset the Trust State in the SmartDashboard:
a At a SMART client, connect to the SmartCenter Server and open the SmartDashboard.
b In the SmartDashboard, open the Module’s Gateway Properties page, and click
Communication...

c In the Communication window, click Reset.

You can also Reset a Module by deleting the Module object from the
SmartDashboard. Proceed as follows:
a In the SmartDashboard, choose Network Objects from the Manage menu.
b Select the Module object, and click Remove.

2 Reset the Trust State at the Module machine:
a At the Module machine, open the cpconfig configuration utility of the Module.
b In the Secure Internal Communication tab click Reset.

3 Install the Security Policy on all Modules. This also deploys the new CRL to all
Modules.

How to Re-establish Trust for the Module

1 Reset the Module (see How to Reset the Trust State of the Module). If you deleted the
Module object from the SmartDashboard:
At a SMART client, connect to the SmartCenter Server and open SmartDashboard.
(In a Management High Availability configuration, connect to the Active
SmartCenter Server.)


2 Continue from “Enabling Communication — New Module Registration”, step a on page 23.

SIC Automatic Renewal

SIC certificates are issued by default for five years from the date of issue. Prior to NG FP3, when a SIC certificate expired, SIC for the Module had to be manually reset. As of NG FP3, SIC certificates are renewed automatically after 75% of the life of the certificate.
When the cpd process on the Module starts, it schedules a time when the certificate
is to be renewed. When this time arrives, cpd requests a new certificate from the
Internal Certificate Authority (ICA). When the new certificate is received, the
Module moves the current SIC certificate to $CPDIR/conf/old_sic_cert.p12,
renames the new certificate as $CPDIR/conf/sic_cert.p12, and resets SIC on the
Module.
When the ICA gets a request to renew a SIC certificate, it issues the certificate and
then schedules an event to revoke the old SIC certificate after seven days. This is
done in case the Module did not successfully complete the renew operation, and
gives the Module seven days to complete the operation.
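As an added example (not from this guide or Check Point's code), the following Python model walks through the mechanisms described here and under “Resetting the Trust State of the Module”: the renewal point at 75% of the certificate lifetime, the seven-day grace before the ICA revokes the superseded certificate, and the rule that the newer CRL replaces the older one during a SIC negotiation. SIC names, serial numbers and dates are constructed; the real wire protocol, .p12 files and cpd scheduling are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=5 * 365)  # SIC certificates are issued for five years
RENEW_FRACTION = 0.75                     # cpd schedules renewal at 75% of the lifetime
OLD_CERT_GRACE = timedelta(days=7)        # the ICA revokes the superseded certificate 7 days later


@dataclass(frozen=True)
class Cert:
    serial: int
    sic_name: str  # the DN; SIC identifies peers by this name, not by IP address
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issued_at: datetime
    revoked_serials: frozenset


def renewal_time(cert: Cert) -> datetime:
    """When cpd on the Module requests a new certificate: 75% of the way through the lifetime."""
    return cert.not_before + (cert.not_after - cert.not_before) * RENEW_FRACTION


class ICA:
    """Internal Certificate Authority on the SmartCenter Server (simplified model)."""

    def __init__(self, now: datetime):
        self._next_serial = 1
        self._revoked = set()
        self._pending = []  # (revoke_at, serial) pairs scheduled by renew()
        self.crl = CRL(now, frozenset())

    def issue(self, sic_name: str, now: datetime) -> Cert:
        cert = Cert(self._next_serial, sic_name, now, now + CERT_LIFETIME)
        self._next_serial += 1
        return cert

    def renew(self, old: Cert, now: datetime) -> Cert:
        """Issue the replacement and schedule revocation of the old certificate seven days out."""
        self._pending.append((now + OLD_CERT_GRACE, old.serial))
        return self.issue(old.sic_name, now)

    def revoke(self, serial: int, now: datetime) -> None:
        """Immediate revocation (a trust Reset from SmartDashboard): new CRL with a newer date."""
        self._revoked.add(serial)
        self.crl = CRL(now, frozenset(self._revoked))

    def run_scheduled(self, now: datetime) -> None:
        """Fire revocations that fell due; the grace week covers a Module whose renewal failed."""
        due = [s for t, s in self._pending if t <= now]
        self._pending = [(t, s) for t, s in self._pending if t > now]
        for serial in due:
            self.revoke(serial, now)


@dataclass
class Module:
    cert: Cert
    crl: CRL  # every Module caches a CRL

    def accepts(self, peer: Cert, now: datetime) -> bool:
        in_validity = peer.not_before <= now <= peer.not_after
        return in_validity and peer.serial not in self.crl.revoked_serials


def sic_connect(a: Module, b: Module, now: datetime) -> bool:
    """One SIC negotiation: CRL check (the newer CRL replaces the older), then mutual cert check."""
    if a.crl.issued_at > b.crl.issued_at:
        b.crl = a.crl
    elif b.crl.issued_at > a.crl.issued_at:
        a.crl = b.crl
    return a.accepts(b.cert, now) and b.accepts(a.cert, now)


def renewal_scenario(start: datetime = datetime(2002, 9, 1)) -> dict:
    """Constructed walk-through: renewal, grace week, CRL propagation, refusal of a replayed cert."""
    ica = ICA(start)
    mgmt = Module(ica.issue("cn=cp_mgmt,o=bigben", start), ica.crl)   # constructed SIC names
    gw = Module(ica.issue("cn=gw_chelsea,o=bigben", start), ica.crl)
    old_cert = gw.cert
    t_renew = renewal_time(old_cert)
    gw.cert = ica.renew(old_cert, t_renew)  # sic_cert.p12 replaced; old kept as old_sic_cert.p12
    # during the grace week a Module still presenting the old certificate is accepted
    grace_ok = sic_connect(Module(old_cert, gw.crl), mgmt, t_renew + timedelta(days=1))
    t_revoke = t_renew + OLD_CERT_GRACE
    ica.run_scheduled(t_revoke)  # old serial revoked, CRL reissued with a new date
    mgmt.crl = ica.crl
    renewed_ok = sic_connect(gw, mgmt, t_revoke)  # gw adopts the newer CRL here
    # a peer replaying the old certificate against gw is now refused
    replay_refused = not sic_connect(Module(old_cert, CRL(start, frozenset())), gw, t_revoke)
    return {
        "renewal_offset_days": (t_renew - start).total_seconds() / 86400,
        "grace_ok": grace_ok,
        "renewed_ok": renewed_ok,
        "gw_has_new_crl": gw.crl.issued_at == t_revoke,
        "replay_refused": replay_refused,
        "revoked_serials": sorted(gw.crl.revoked_serials),
    }
```

Running `renewal_scenario()` shows the renewal falling 1368.75 days after issue, the old certificate still accepted during the grace week, and the revoked serial reaching the gateway only through its next SIC connection, which is why the guide recommends a Policy install to push a new CRL.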

Log Viewing and Management


You can view logs maintained by the Customer Log Module using the SmartView Tracker on a
Check Point GUI Client.
For information on installing the Check Point GUI Client, see “Configuring Check Point
Products” in this book.
For information on using the VPN-1/FireWall-1 SmartView Tracker, see Chapter 11,
“SmartView Tracker” in this book.
You can also use standard VPN-1/FireWall-1 log commands for log management. For more
information, see Chapter 18, “Command Line Interface”.
To access Logs using the SmartView Tracker, you must define the GUI Clients and VPN-1/FireWall-1 Administrators that can connect to the Customer Log Module. GUI Clients and Administrators are defined during the installation of the VPN-1/FireWall-1 SmartCenter Server that functions as the Customer Log Module.
For more information, see “Configuring Check Point Products” in this book.
After installation, you can add VPN-1/FireWall-1 Administrators and GUI Clients in the
following ways:


Administrators
Add or delete administrators using the Check Point Configuration application on a
VPN-1/FireWall-1 GUI Client. On Windows, go to Start > Programs > Check Point
Management Clients > Check Point Configuration NG FP3. If your logging station is running
under Unix, then you can add or delete administrators using the cpconfig command. See
“Configuring Check Point Products” in this book.

GUI Clients
Add or delete GUI Clients using the Check Point Configuration application. If your logging station is running under Unix, then you can add or delete GUI Clients by using the cpconfig command. See “Configuring Check Point Products” on page 25.

Frequently Asked Questions — Installing, Upgrading, Configuring
Question: How do I move VPN-1/FireWall-1 to another machine?

First of all, you must ensure that you have a valid license for the new machine. Once the license
issue is resolved, the simplest procedure is as follows:
1 Install VPN-1/FireWall-1 on the new machine.
If your SmartCenter Server manages VPN/FireWall Modules on other machines, you must repeat the fwm putkey procedure for all the machines (see “Secure Internal Communications for Distributed Configurations”).
2 Make a copy of the Security Policy files from the old machine.
For information on which files to backup, see “How do I back up my Security
Policy?” on page 58.
3 Restore the Security Policy backup files (see step 2 above) to the new machine.
4 Start the GUI on the new machine to confirm that the Security Policy was
successfully transferred.
5 If the new machine is the FireWalled gateway, then define the new machine as a
gateway.
In the new machine’s Workstation Properties window, check the Gateway flag.
6 Delete the old machine from the Network Object Manager.
Alternatively, you can leave the old machine, but uncheck the VPN-1 & FireWall-1
Installed flag in its Workstation Properties window.

7 Install the Security Policy.


The above procedure describes the simplest case: where the SmartCenter Server and
VPN/FireWall Modules are on one machine, and the Security Policy is installed on gateways. If
your configuration is more complicated, you will have to modify the procedure accordingly.

Question: How do I back up my Security Policy?

To back up your Security Policy, make copies of the following files:

TABLE 1-3 Backing Up a Security Policy

  To back up        Make a copy of these files
  network objects   $FWDIR/conf/objects_5_0.C (on the SmartCenter Server)
  Rule Base         $FWDIR/conf/*.W and $FWDIR/conf/rulebases.fws
  user database     $FWDIR/database/fwauth.NDB*

Question: What Objects are Carried Over from the Previous Version?

When you upgrade to a new version of VPN-1/FireWall-1, the installation procedure carries
the following elements over to the new version:
• VPN-1/FireWall-1 database (users and network objects)
• Key database
• Rule Base
• Properties
• Encryption Parameters
VPN-1/FireWall-1 attempts to merge your database with its own new database. For example,
you will have the benefit of services defined in the new version and you will retain the services
you defined in the previous version. In the case of a name conflict, the old objects (the ones you
defined) will be retained.

Question: What files are modified during re-configuration?

The following files are created or modified during reconfiguration:
• control.map
• masters
• fwauth.keys
• fwauthd.conf
• cp.license
• external.if (for VPN-1/FireWall-1/25, VPN-1/FireWall-1/50, etc.)
You must create and modify the loggers file manually.

Question: Must I re-install the Security Policy after upgrading?

After upgrading, VPN-1/FireWall-1 loses its state, so you must start the GUI and install the
Security Policy.

Question: If I change the IP address of a network object, when does the change take
effect?

You must re-install the Security Policy for the change to take effect.


When you re-install a Security Policy, VPN-1/FireWall-1 internal state tables are cleared, so
there is the possibility that some connections may be lost, as follows:
• FTP data connections
If you have an open FTP connection and the Security Policy is re-installed before
the FTP server attempts to open the back connection, then the back connection
will be rejected.
• UDP connections

• TCP connections, in very rare circumstances

• An open encrypted session will be dropped if the newly installed Security Policy
allows the session to be unencrypted.
If you are concerned about losing these connections, then you should take care to re-install your
Security Policy during off-peak hours.

Question: If I have an NG management and a 4.1 or 4.0 Module, how do I re-establish communication between them?

Version 4.0 and 4.1 VPN/FireWall Modules on hosts and gateways managed by an NG
SmartCenter Server, validate communication between them using an authentication password
that is used to set up a secure link.
For this to work, you must have installed the SmartCenter Server with backward compatibility.
If you have an NG management and a 4.1 or 4.0 Module, and you need to re-establish communication between them (e.g. after installing a new 4.1 Module or adding a log server to a Module), you need to use the fwm putkey authentication password (the “old way”). This is done using either
• the cpconfig configuration utility and SmartDashboard, or
• the command line

Using cpconfig and SmartDashboard

1 In the cpconfig configuration utility of the Version 4.x VPN/FireWall Module, go to the Masters Configuration tab and specify an authentication password.
2 Stop (fwstop) and start (fwstart) the Module.
3 In SmartDashboard, define the 4.x Module object and enter the same password in
the Communication window of the Module object.


Using fwm putkey from the command line


For the configuration depicted in FIGURE 2-1 on page 46 of the Check Point Getting Started
Guide in which BigBen is an NG SmartCenter Server, and Chelsea London and Paris are 4.0 or
4.1 hosts, you must provide the authentication passwords for three control links by performing
fwm putkey as follows:

TABLE 1-4 VPN-1/FireWall-1 distributed configuration - fwm putkey

  from     to         and conversely, from   to
  BigBen   Chelsea    Chelsea                BigBen
  BigBen   London     London                 BigBen
  BigBen   Paris      Paris                  BigBen
To do this (using the same password for all hosts), proceed as follows:
1 Login to BigBen (the SmartCenter Server) and enter the following command:
fwm putkey -p <password> Chelsea London Paris

If you do not enter the password in the command line (using the -p <password>
syntax), you will be prompted for the password twice, as follows:
fwm putkey Chelsea London Paris
Enter secret key: <password>
Again secret key: <password>

2 Login to Chelsea and enter the following command:
fwm putkey -p <password> BigBen

3 Stop (fwstop) and start (fwstart) the Module.


4 Login to London and enter the following command:
fwm putkey -p <password> BigBen

5 Stop (fwstop) and start (fwstart) the Module.


6 Login to Paris and enter the following command:
fwm putkey -p <password> BigBen

7 Stop (fwstop) and start (fwstart) the Module.


Alternatively, you can use a different password for every host pair, as follows:
1 Login to BigBen and enter the following commands:
fwm putkey -p <password1> Chelsea
fwm putkey -p <password2> London
fwm putkey -p <password3> Paris

2 Login to Chelsea and enter the following command:
fwm putkey -p <password1> BigBen

3 Stop (fwstop) and start (fwstart) the Module.


4 Login to London and enter the following command:
fwm putkey -p <password2> BigBen

5 Stop (fwstop) and start (fwstart) the Module.


6 Login to Paris and enter the following command:
fwm putkey -p <password3> BigBen

7 Stop (fwstop) and start (fwstart) the Module.


Only after you have done this will the four machines be able to communicate on the secure
links.
Note - If you specify names (rather than IP addresses), all machines must have the same
name resolution for the other side. In this example, all machines must resolve BigBen in
the same way (to the same interface). You can use the -n parameter for the fwm putkey
command on the SmartCenter Server to ensure this. Alternatively, instead of a machine’s
name, you can specify its IP address (or a comma-separated list of the IP addresses of its
different interfaces).

Question: Is SIC tolerant of Network Address Translation (NAT)? If there is a NAT device
between the SmartCenter Server and the Module, will communication be
affected?

SIC is completely tolerant of NAT because the SIC protocol is based on certificates and “SIC
Names” and not on IP addresses. A NAT device between the SmartCenter Server and the
Module will not have any effect on their ability to communicate using SIC.

Question: How do I prevent the fingerprint of a SmartCenter Server from appearing the first time a SMART client connects to it?

1 On the SMART client machine, open the Registry Editor (on Windows machines, use Regedit).
2 Go to the Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Connection\5.0\

3 Add a new DWORD Value with Name NewServerOK and the Value 1.

Question: How do I prevent the SMART client recognizing a SmartCenter Server to which
it has already connected?

1 On the SMART client machine, open the Registry Editor (on Windows machines, use Regedit).
2 Go to the Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Connection\5.0\Known Servers
This entry contains the Names and fingerprints of SmartCenter Servers that the
SMART client recognizes.
3 Select the Name of the SmartCenter Server that the SMART client should no longer
recognize.
4 Click Delete.

CHAPTER 2

SmartUpdate

In This Chapter

Introduction to SmartUpdate page 63
How to Upgrade Remote Check Point Nodes page 64
The SmartUpdate GUI page 68
Product Management page 84
License Management page 97
SmartUpdate Architecture page 121
SmartUpdate FAQ page 122

Introduction to SmartUpdate

Purpose
SmartUpdate is used to centrally manage remote software installations and licensing of Check
Point products.

Why use SmartUpdate


SmartUpdate makes it possible to:
• Track Check Point software installations throughout organizations of any size.
• Upgrade frequently, to maintain network security.
• Upgrade all products on a Check Point Node with a single click.
• Upgrade the Operating System of the Check Point Node.
• Upgrade a number of Check Point Nodes simultaneously.
• View and manage licenses on all managed Check Point Nodes.
• Change an Enforcement Point IP address without needing to install a new license.


Installing SmartUpdate
SmartUpdate is silently installed together with the VPN-1/FireWall-1 SmartCenter Server. The
Product Management component of SmartUpdate requires a separate license, in addition to the
Management license (see “Introduction to Product Management” on page 84).
The SmartUpdate Management (GUI) Client is installed by default with the other Management
Clients.

Supported Products and Platforms


SmartUpdate supports remote upgrade of Check Point products on Check Point Nodes that
have either
• SVN Foundation NG, or
• VPN-1/FireWall-1 4.1 SP2 and above, and CPutil Check Point Remote Installation utility.
For a list of supported Check Point products, see the release notes.
The IPSO on Nokia Appliances and SecurePlatform NG operating systems can also be remotely
upgraded.
SmartUpdate allows you to upgrade product versions, or to add additional products to a Check
Point Node which already has VPN-1/FireWall-1 installed.
Supported platforms for the SmartUpdate SmartCenter Server and Management Client and the
managed Check Point Nodes are the same as for VPN-1/FireWall-1. See the Release Notes for
current information.

How to Upgrade Remote Check Point Nodes


This procedure explains how to use SmartUpdate to upgrade remote Check Point Nodes
(enforcement points) to NG. It assumes previous knowledge of installing and configuring Check
Point products. The stages of the procedure are:
1. Prerequisites for Remote Upgrade
2. Upgrading or Installing the SmartCenter Server
3. Configuring the SmartCenter Server
4. Adding Products to the Product Repository
5. Using SecureUpdate to Upgrade Check Point Nodes

1. Prerequisites for Remote Upgrade


For the Check Point Nodes and the SmartCenter Server, obtain licenses from the User Center
at http://www.checkpoint.com/usercenter. Existing version NG Check Point Nodes and an NG
SmartCenter Server do not require new licenses.

Requirements for Upgrading Remote Nodes from Version 4.1


• VPN-1/FireWall-1 4.1 SP2 (or higher).


• fw putkey connection between the SmartCenter Server and version 4.1 remote Check
Point Nodes.
• CPutil installed and configured. This is required for CPRID, which is needed for all
remote product operations.
The CPutil package and associated Release Notes are available on the Check Point 2000
CD and from http://www.checkpoint.com/techsupport/installation/ng/index.html

Requirements for Upgrading Remote Nodes from NG


Ensure that there is Secure Internal Communication between the SmartCenter Server and the
Check Point Nodes to be upgraded.

2. Upgrading or Installing the SmartCenter Server


1 Upgrade the SmartCenter Server to the latest version, or install a new SmartCenter Server.
2 Reboot the SmartCenter Server.

3. Configuring the SmartCenter Server


1 Install the latest version of the Management Clients, including SmartUpdate.
2 For a new SmartCenter Server installation, install on the SmartCenter Server the NG
Management license and the SmartUpdate license, using the cpconfig configuration tool,
or the cplic put command. The SmartUpdate license is needed for Product Management
capabilities.
3 For a new SmartCenter Server installation, define the remote Check Point Nodes in
SmartDashboard.
4 Make sure that the Administrator SmartUpdate permissions (as defined in the cpconfig
configuration tool) are Read/Write. Alternatively, log in as root.
5 To upgrade version 4.1 Check Point Nodes, ensure that in the SmartDashboard, in the
Policy Global Properties window FireWall-1 Implied Rules page, Accept CPRID Connections (SmartUpdate) is
checked. By default, it is checked.

4. Adding Products to the Product Repository


Use SmartUpdate to add products to and delete products from the Product Repository.
Products can be added to the Repository
• directly from the Check Point Download Center web site,
• by adding them from the Check Point CD, and
• by importing a file.
When a product is added to the Product Repository, the product file is transferred to the
SmartCenter Server. The Operation Status window opens; use it to verify that the file transfer
succeeded. The Product Repository is then updated to show the new product object.


Adding Products to the Repository from the Download Center


1 Select Products> New Product> Add From Download Center... If you accept the License
Agreement, the Download Products window opens.
2 Enter your username and password to gain access to the Download Center.

Note - The user name and the password are transmitted using SSL secured communication.

3 Select the product(s) to download. You can view a filtered list of products (for example,
view only the product upgrade packages for installed products), and the Release Notes.
4 Click Download. The product(s) are downloaded and added to the Product Repository.
The packages are downloaded to a temporary directory on the GUI Client machine and
then transferred to the SmartCenter Server, under the $SUROOT directory.
The Check Point Download Center web site can also be accessed manually at
http://www.checkpoint.com/techsupport/downloads/downloads.html

Adding Products to the Repository from the Check Point CD


1 Insert the Check Point CD into the SmartUpdate Client machine.
2 Open SmartUpdate and select Product> New Product> Add From CD…
The Browse to Folder window opens.
3 Browse for the location of the CD drive, and click OK.
The Add Product From CD window opens, showing the available products on the CD.
4 Select the product(s) to be added to the repository (Ctrl-select for more than one product),
and click OK.

Adding A Product to the Repository by Importing a File


Use this procedure for adding OPSEC packages and Hotfixes to the Product Repository.
1 Download the product files from the Download Center at
http://www.checkpoint.com/techsupport/downloads/downloads.html and save them to the
local disk.
2 Open SmartUpdate
3 Either,
a select Products> New Product> Import File…
The Add Product window opens.

b Navigate to the desired .tgz file on the local disk and click Open.
Or,
Drag and drop the product package .tgz file into the Product Repository window.

5. Using SmartUpdate to Upgrade Check Point Nodes


All Check Point products on a Check Point Node can be remotely updated to the latest version
in a single operation. Use this procedure to upgrade version NG products.

Upgrading All Products on Remote Check Point Nodes


1 In SmartUpdate, select Products > Upgrade All Products and select one or more Check
Point Nodes.
The requested operation is verified by checking the following:
• The required products of the latest version are in the Product Repository.
• All Check Point products installed on the remote Check Point Nodes are of the same
NG version.
• Installation logic, disk space, and a cprid (Check Point Remote Installation Daemon)
connection to the Check Point Node.
2 If verification is successful, the Upgrade All Products window opens showing the currently
installed products and the products to be installed on the chosen Check Point Nodes.
If one or more of the required products are missing from the Product Repository,
SmartUpdate opens the Download Products window. You can then download the
required product directly to the Product Repository.
Note that the Reboot Check Point Node After Installation option (checked by default) is
required in order to activate the newly installed product.
3 Click Upgrade.
The Operation Status window opens and shows the progress of the operation. Each
operation is represented by a single entry. Double click the entry to open the Operation
Details window, which shows the operation history.
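The verification step above rejects a node as soon as one rule fails, and the reason is only visible afterwards in the Operation Status window. The following added example (not Check Point code, and not part of this guide) re-implements the two rules that can be evaluated from inventory data alone, so an administrator can see in advance which nodes qualify for Upgrade All Products and which must take the single-product path. The node inventories, the repository contents and the product names used are constructed sample data; the disk-space and cprid connection checks need the live node and are not modelled.

```python
"""Pre-flight check for Products > Upgrade All Products (added example).

Re-implements the two verification rules from the guide that need only
inventory data: every installed product must have its NG FP3 package in the
Product Repository, and all Check Point products on a node must already be
the same NG version.  Disk space and the cprid connection are not modelled.
All node and repository data below is constructed sample data.
"""
from dataclasses import dataclass

TARGET_VERSION = "NG FP3"           # assumed target of this upgrade run
SVN_FOUNDATION = "SVN Foundation"   # must be upgraded before any other product


@dataclass(frozen=True)
class Package:
    product: str
    version: str


@dataclass(frozen=True)
class Node:
    name: str
    installed: tuple  # Packages as reported by Get Check Point Node Data


def check_upgrade_all(node, repository):
    """Return (eligible, reasons) for an Upgrade All Products run on node."""
    if not node.installed:
        return False, ["no product data; run Get Check Point Node Data first"]
    reasons = []
    versions = sorted({p.version for p in node.installed})
    non_ng = [v for v in versions if not v.startswith("NG")]
    if non_ng:
        reasons.append("pre-NG version(s) %s: upgrade products one at a time"
                       % ", ".join(non_ng))
    if len(versions) > 1:
        reasons.append("mixed versions on node: %s" % ", ".join(versions))
    missing = [p.product for p in node.installed
               if Package(p.product, TARGET_VERSION) not in repository]
    if missing:
        reasons.append("repository lacks %s package for: %s"
                       % (TARGET_VERSION, ", ".join(missing)))
    return (not reasons), reasons


def single_product_order(node):
    """Install order for the one-at-a-time path: SVN Foundation first."""
    names = {p.product for p in node.installed}
    rest = sorted(names - {SVN_FOUNDATION})
    return ([SVN_FOUNDATION] if SVN_FOUNDATION in names else []) + rest


# Constructed sample data (hypothetical node names, not from the guide).
REPOSITORY = {
    Package(SVN_FOUNDATION, TARGET_VERSION),
    Package("VPN-1/FireWall-1", TARGET_VERSION),
}

NODES = (
    Node("gw-a", (Package(SVN_FOUNDATION, "NG FP2"),
                  Package("VPN-1/FireWall-1", "NG FP2"))),   # eligible
    Node("gw-b", (Package(SVN_FOUNDATION, "NG FP2"),
                  Package("VPN-1/FireWall-1", "NG FP1"))),   # mixed NG versions
    Node("gw-c", (Package("VPN-1/FireWall-1", "4.1 SP6"),)),  # pre-NG node
    Node("gw-d", (Package(SVN_FOUNDATION, "NG FP2"),
                  Package("SmartView Monitor", "NG FP2"))),  # package not in repository
)


def report(nodes=NODES, repository=REPOSITORY):
    """Map node name -> (eligible, reasons) for every node."""
    return {n.name: check_upgrade_all(n, repository) for n in nodes}


if __name__ == "__main__":
    for node in NODES:
        ok, reasons = check_upgrade_all(node, REPOSITORY)
        print("%-5s %s" % (node.name, "Upgrade All" if ok else "; ".join(reasons)))
        if not ok:
            print("      single-product order: %s" % " -> ".join(single_product_order(node)))
```

The single-product order puts SVN Foundation first because the guide's one-at-a-time procedure installs it before any other product; a node with a missing repository package is reported rather than silently skipped, which is what the Download Products prompt does interactively.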

Upgrading a Single Product on a Check Point Node


Use this procedure to upgrade the operating system on a Nokia Appliance and on
SecurePlatform NG, and to upgrade version 4.1 products.
1 Drag and drop the latest version of SVN Foundation from the Product Repository over the
Check Point Node object in the Products tab.
Follow the progress of the operation in the Operation Status window
2 Drag and drop the latest version of each of the desired Check Point products, one at a time,
from the Product Repository over the Check Point Node object in the Products tab.
Follow the progress of the operation in the Operation Status window.


The SmartUpdate GUI

In This Section

Starting the SmartUpdate GUI page 68


Elements of the SmartUpdate GUI page 69
Products and Licenses tabs page 70
Product and License Repositories page 71
License Type Icons page 72
Operation Status page 73
Docking Windows page 75
Searching for Text page 75
Printing Views page 76
SmartUpdate Menus and Toolbar page 76

Starting the SmartUpdate GUI


To start SmartUpdate, proceed as follows:

TABLE 2-1 Starting the SmartUpdate GUI

Window System | Action
Windows | Select Start > Programs > Check Point Management Clients > SmartUpdate NG FP3.
X/Motif | Run /opt/CPclnt-50/bin/SmartUpdate

The SmartUpdate login window (FIGURE 2-1) is displayed.


FIGURE 2-1 Check Point SmartUpdate login window


1 Log in using either your user name and password or a certificate


2 Enter the name of the machine on which the SmartCenter Server is running. Enter either a
resolvable machine name or an IP address. To define a new user on the SmartCenter Server,
see “To Add an Administrator” on page 31.
3 For advanced Certificate Management, Compression Optimization and Advanced Options,
click More Options >> .
4 To work in demonstration mode, check Demo Mode.

Elements of the SmartUpdate GUI


After you log in and click OK, there is a brief delay while the VPN-1/FireWall-1 database is
loaded; the SmartUpdate GUI then opens.
FIGURE 2-2 shows the elements of the SmartUpdate GUI.
FIGURE 2-2 The SmartUpdate GUI
Callouts in the figure: Licenses tab; Management Server; Gateway; Product Repository (shown
as a floating window); Attached License, shown both in the Licenses tab and in the License
Repository; License Repository; Operation Status entry (double click to see Operation Details),
shown as a docked window; Management Server to which the GUI is connected; User
permissions.

Products and Licenses tabs


The SmartUpdate GUI main window contains the:
• Products tab — showing the products and Operating Systems installed on the Check Point
Nodes managed by the SmartUpdate SmartCenter Server. Operations that relate to products
can only be done in the Products tab.
• Licenses tab — showing the attached licenses on the managed Check Point Nodes.
Operations that relate to licenses can only be done in the Licenses tab.
To sort the licenses or products in ascending or descending order, click a column title.

The Check Point Node Tree


The managed Check Point Nodes tree in the Products and Licenses tabs shows the products
installed on, and the licenses attached to, the Check Point Nodes that are managed by the
SmartCenter Server.
A managed Check Point Node is a Gateway or host object for which at least one Check Point
product is selected in the General page of the object's Check Point Gateway Properties in
SmartDashboard. The minimal Check Point product is the SVN Foundation.
FIGURE 2-3 Managed Check Point Nodes tree in the Products tab (left), and in the Licenses
tab (right)

The tree has three levels:


• Root—Name of the SmartCenter Server to which the GUI is connected.
• Second level—Names of the Check Point Nodes configured in the SmartDashboard.
• Third level— Check Point products (in the Products tab) or installed licenses (in the
Licenses tab) on the Check Point Nodes

The Managed Check Point Nodes tree structure can be expanded or collapsed to display or hide
all the installed products or licenses. To expand or collapse the tree, right click on the tree
root and choose Expand/Collapse, or use the Expand All and Collapse All buttons on the toolbar.

Product and License Repositories


The Product Repository and the License Repository windows can be opened in both the
Licenses tab and the Products tab.
• The Product Repository shows all the products available for installation (click the Product
Repository toolbar button, or select Products> View Repository in the menu).
Double click a product in the repository to start the Installation wizard for a single product
installation.
FIGURE 2-4 Product Repository

• The License Repository shows all attached and unattached licenses (click the License
Repository toolbar button, or select Licenses> View Repository in the menu).
FIGURE 2-5 License Repository

To sort the licenses or products in ascending or descending order, click a column title.

Changing Repository View options


To change the Product or License Repository view options, right click (FIGURE 2-6) on a
blank row or column in the Repository window.


FIGURE 2-6 Product and License Repository View Options

Select one of the following options:


• Details
• Small Icons
• List

Select or deselect Show Grid, as preferred.

License Type Icons


Licenses icons appear in the License Repository and in the Licenses tab of the SmartUpdate
GUI.

TABLE 2-2 License Type Icons

Icon Meaning

Attached Central License— this license has been added to the License
Repository and attached to (installed on) a Check Point Node.
Unattached Central License— this license has been added to the License
Repository and is available for attachment to a Check Point Node.
Attached Local License— This icon (colored yellow) represents both NG
Local and 4.1 Local Licenses. This license has been
• installed locally and retrieved into the License Repository, or
• added to Repository and automatically attached to the remote Check
Point Node.
Evaluation License— A “floating”, limited evaluation license that is not
associated with a specific IP address. It can be attached to any Check Point
Node, and to more than one Check Point Node at a time.

For more information about License Types, see “License Types: Central, Local” on page 98.
To view only one type of license, right click (FIGURE 2-7) in the License Repository window.

FIGURE 2-7 License Repository View Options (when no license is selected)

Select one of the following options:


• View All Licenses
• View Unattached Licenses
• View Attached Licenses

Operation Status
The Operation Status window shows current and past SmartUpdate operations.
FIGURE 2-8 Operation Status window

Each entry contains the following columns:

Column | Contains
Operation | Status icon and operation description. Example descriptions are: Installing product <X> on Check Point Node <Y>, or Attaching license <L> to Check Point Node <Y>. For the meaning of the status icons, see "Operation Status Icons" on page 74.
Status | Current status: the stage of the operation (applicable command line) and Success/Failure for each stage and for the whole operation.
Progress | Whether in progress or done.
Time | Operation time. When the operation is complete this changes from start time to finish time.

Note -
1. A log file of SmartUpdate remote product operations is generated in the $SUROOT\log
directory. The filename is <Check Point Node name>_SmartUpdate.elg.
2. An audit log of SmartUpdate Operations is available in the SmartView Tracker.


Operation Status Icons


The following list shows the possible Status messages and their related icons that can appear in
the second column of the Operation Status window. Error messages appear in red:
Icon Status Message (and meaning)
Operation started or in progress.

Operation completed.

A warning.

Operation failed, stopped by user, or timed out.

Viewing Operation Details


To view operation details, in the Operation Status window, double click the operation entry,
press the Enter key, or right click and select Operation Details (FIGURE 2-9).
FIGURE 2-9 Viewing Operation Details

The Operation Details window shows the operation description, start and finish times, and
progress history. The window is resizable. An example is shown in FIGURE 2-10.
Status lines can be copied to the clipboard. Select the line, right click and choose Copy.
FIGURE 2-10 Operation Details window

Description — a description of the operation.


Started at/Finished at — The date (dd/mm/yy) and time when the operation started. If the
operation has finished, the finish date and time is shown.

Operation History — The History of the operation, dynamically updated as the operation
progresses.

Stopping an Operation and Clearing Completed Operations


An installation related operation can be stopped when in progress, and completed operations can
be cleared from the Operation Status window.
For more information see “Stopping an Operation and Clearing Completed Operations” on
page 96.

Docking Windows
• The Product and License Repository windows, and the Operation Status window can be
either docked or floating.
• When SmartUpdate is opened, the Product and License Repository windows are docked in
the lower part of the SmartUpdate main window, and the Operation status view is hidden.
The Operation Status window appears when the first remote operation is performed.
• To toggle between a floating and a docked window, double click the window title, or drag
and drop the window.
• To close or open a window use the toolbar button or the menu item of the window.
• A reopened window opens in its previous size and position (docked or floating).

Searching for Text


To search for any text string, proceed as follows:
1 On the toolbar click the Find button, or from the Tools menu, select Find.
The Find window is displayed, see FIGURE 2-11.
FIGURE 2-11 The Find window

2 Enter the string for which you would like to search in the Find what field.
Select where you would like to search:
• License Management
• Product Management
• License Repository


• Product Repository
Check Match whole word only to find the string exactly as it is specified in the Find
window.
Check Match case to make your search case sensitive.
Use the Up and Down buttons to choose the direction of your search.
Use the Find next button to continue your search.

Printing Views
To print a view, proceed as follows:
1 From the File menu, select Print.
The window Choose Window is displayed. See FIGURE 2-12.
FIGURE 2-12 The Choose Window window

2 Select the window to print


• Operation Status
• License Management
• Product Management
• Product Repository
• License Repository

To preview before printing, select Print Preview.

To adjust the print setup, select Print Setup… .

SmartUpdate Menus and Toolbar

In This Section

SmartUpdate Menu page 77


SmartUpdate Toolbar page 82

SmartUpdate Menu

File Menu

TABLE 2-3 File Menu Commands

Menu Command | Description | See | Toolbar Button
Print | Print the Product or License tab, the License or Product Repository, or the Operation Status window. | "Printing Views" on page 76 | none
Print Preview | Preview one of the printable windows before printing. | "Printing Views" on page 76 | none
Print Setup... | Set up the printer. | "Printing Views" on page 76 | none
Exit | Exit SmartUpdate. | | none

View Menu

TABLE 2-4 View Menu Commands

Menu Command | Description | See | Toolbar Button
Toolbar | Show the toolbar. | "SmartUpdate Toolbar" on page 82 | none
Status Bar | Show the status bar (at the bottom of the SmartUpdate window). | "Elements of the SmartUpdate GUI" on page 69 | none

Tree Menu

TABLE 2-5 Tree Menu Commands

Menu Command | Description | See | Toolbar Button
Expand All | Expand all the objects in the Check Point Nodes Tree. | "The Check Point Node Tree" on page 70 | (icon)
Collapse All | Collapse all the objects in the Check Point Nodes Tree. | "The Check Point Node Tree" on page 70 | (icon)


Products Menu

TABLE 2-6 Products Menu Commands

Menu Command | Description | See | Toolbar Button
Upgrade All Products | Upgrade all products on the selected Check Point Node. | "Upgrading All Products" on page 88 | (icon)
Install... | Install a product on one or more remote Check Point Nodes. | "Installing a Single Product" on page 89 | (icon)
Uninstall... | Remotely uninstall a product from one or more remote Check Point Nodes. | "Uninstalling a Product" on page 92 | (icon)
Verify Installation... | Test whether the product can be installed on the remote Check Point Node. | "Verifying an Installation" on page 94 | (icon)
Get Data From All | Update the Product Repository with the installed products and OS of all Check Point Nodes. | "To Get Data From All Check Point Nodes" on page 96 | none
Get Check Point Node Data | Update the Product Repository with the installed products and OS of the selected Check Point Node. | "To Get Check Point Node Data" on page 96 | (icon)
Reboot Check Point Node | Boot the remote computer. | "Booting a Check Point Node" on page 95 | (icon)
New Product> Add From Download Center... | Add product(s) to the Product Repository directly from the Check Point Download Center web site. | "Managing the Product Repository" on page 85 | (icon)
New Product> Add From CD... | Add a product to the Product Repository from the Check Point CD. | "Managing the Product Repository" on page 85 | (icon)
New Product> Import File... | Add a product to the Product Repository by importing a product file downloaded from the Check Point Download site. | "Managing the Product Repository" on page 85 | (icon)
Delete Product | Delete the selected products from the Product Repository. | "Managing the Product Repository" on page 85 | none
View Repository | Show or close the Product Repository, which shows all the products available for installation. | "Product and License Repositories" on page 71 | (icon)

Licenses Menu

TABLE 2-7 Licenses Menu Commands

Menu Command | Description | See | Toolbar Button
Attach... | Install the license on the remote Check Point Node, and associate the license in the License Repository with the Check Point Node object. | "Attaching a License to a Check Point Node" on page 105 | (icon)
Detach... | Uninstall the license from the remote Check Point Node, and make the license in the License Repository available to any Check Point Node. | "Detaching a License from a Check Point Node" on page 109 | (icon)
Upgrade... | Upgrade all version 4.1 licenses on Check Point Nodes and in the License Repository with new NG licenses. | "Automatically Upgrading Version 4.1 Licenses" on page 117 | (icon)
Get Check Point Node Licenses | Retrieve locally installed license(s) from one Check Point Node into the License Repository, and delete from the Repository locally deleted licenses. | "Getting Locally Installed Licenses From a Check Point Node" on page 111 | none
Get All Licenses | Retrieve locally installed license(s) in all managed Check Point Nodes into the Repository, and delete from the Repository all locally deleted licenses. | "Getting Locally Installed Licenses From a Check Point Node" on page 111 | none
New License> Add From User Center... | Add a license to the License Repository by downloading it from the User Center. | "Downloading a License File From the User Center" on page 102 | (icon)
New License> Add Manually... | Add a license to the License Repository by copying the license details. | "Adding a License to the License Repository" on page 101 | (icon)
New License> Import File... | Add license(s) to the License Repository by importing from a file. | "Adding a License to the License Repository" on page 101 | (icon)
Delete License | Delete unattached licenses from the License Repository. | "Deleting a License from the License Repository" on page 112 | none
Show Expired Licenses | Check for expired licenses. | "Checking for Expired Licenses" on page 115 | none
View Repository | Show or close the License Repository, containing all attached and unattached licenses. | "Product and License Repositories" on page 71 | (icon)


Status Menu

TABLE 2-8 Status Menu Commands

Menu Command | Description | See | Toolbar Button
Clear All Completed Operations | Clear all completed operations from the Operation Status view. | "Operation Status" on page 73 | none
View Operation Status | Show the Operation Status window. | "Operation Status" on page 73 | (icon)

Tools Menu

TABLE 2-9 Tools Menu Commands

Menu Command | Description | See | Toolbar Button
Find... | Find a specified text in the SmartUpdate Products tab, Licenses tab, License Repository or Product Repository. | "Searching for Text" on page 75 | (icon)

Window Menu

TABLE 2-10 Window Menu Commands

Menu Command | Description | See | Toolbar Button
SmartDashboard | Run the SmartDashboard. | Chapter 3, "Graphical User Interface" | none
SmartView Tracker | Run the SmartView Tracker. | Chapter 11, "SmartView Tracker" | none
SmartView Status | Run the SmartView Status. | Chapter 12, "SmartView Status" | none
SmartView Monitor | Run the SmartView Monitor. | Check Point SmartView Monitor Guide | none
SecureClient Packaging Tool | Run the SecureClient Packaging Tool. | Check Point Virtual Private Networks Guide, Chapter 5, "Customizing Client Packages" | none
User Monitor | Run the User Monitor. | Check Point SmartCenter Guide | none


Help Menu

TABLE 2-11 Help Menu Commands

Menu Command | Description | See | Toolbar Button
Help Topics | Open the on-line Help. | | none
Upgrade Guide | On-line Acrobat PDF document explaining how to remotely upgrade to the latest Check Point NG Feature Pack. | "How to Upgrade Remote Check Point Nodes" on page 64 | (icon)
Check Point NG License Guide | Document explaining the licensing requirements for Check Point products. https://usercenter.checkpoint.com/ucdocs/SummaryLicensing.htm | |
Check Point Download Center | http://www.checkpoint.com/techsupport/downloads/downloads.html | "cppkg add" on page 643 | none
Check Point User Center | http://www.checkpoint.com/UserCenter | "Obtaining Licenses" on page 100 | none
Check For Latest Updates | https://support.checkpoint.com/downloads/bin/autoupdate/su/ng/fp3/fp3su_updateinfo.txt | | none
Online Software Updates | http://www.checkpoint.com/techsupport/ng/fp2_updates.html | | none
What's New In Check Point Software | http://www.checkpoint.com/techsupport/ng/fp2_whatsnew.html | | none
About Check Point SmartUpdate | Display build number and copyright. | | none

SmartUpdate Toolbar
The SmartUpdate Toolbar provides shortcuts for some menu commands.


FIGURE 2-13 SmartUpdate Toolbar

TABLE 2-12 Toolbar Buttons and Corresponding Menu Commands

Toolbar Button (Menu Command) | See
Check Point Nodes > Expand All | Expand all the objects in the Check Point Nodes Tree.
Check Point Nodes > Collapse All | Collapse all the objects within their respective Check Point Nodes in the Check Point Nodes Tree.
Products> Upgrade All Products | "Upgrading All Products" on page 88
Products> Install... | "Installing a Single Product" on page 89
Products> Uninstall... | "Uninstalling a Product" on page 92
Products> Verify Installation... | "Verifying an Installation" on page 94
Products> Add Products From Download Center... | "Adding Products to the Repository from the Download Center" on page 62
Products> Add Products From CD... | "Adding Products to the Repository from the Check Point CD" on page 62
Products> Import Product From File... | "Adding A Product to the Repository by Importing a File" on page 63
Product> Get Check Point Node data | "Getting Check Point Node Data" on page 96
Products> Reboot Check Point Node | "Booting a Check Point Node" on page 95
Licenses> Attach | "Attaching a License to a Check Point Node" on page 105
Licenses> Detach | "Detaching a License from a Check Point Node" on page 109
Licenses> New License> Add From User Center... | "Downloading a license file directly from the User Center" on page 102
Licenses> New License> Add Manually... | "Adding a License to the License Repository" on page 101
Licenses> New License> Import File... | "Adding a License to the License Repository" on page 101
Products> View Repository | "Product and License Repositories" on page 71
Licenses> View Repository | "Product and License Repositories" on page 71
Status> View Operation Status | "Operation Status" on page 73
Tools> Find | "Searching for Text" on page 75
Help> Upgrade Guide | "How to Upgrade Remote Check Point Nodes" on page 64
Help> Help Topics | Activate context sensitive help for SmartUpdate windows, toolbar icons and menu commands.

Product Management

In This Section

Introduction to Product Management page 84


Managing the Product Repository page 85
Installing Products — Overview page 87
Upgrading All Products page 88
Installing a Single Product page 89
Uninstalling a Product page 92
Verifying an Installation page 94
Booting a Check Point Node page 95
Getting Check Point Node Data page 96
Stopping an Operation and Clearing Completed Operations page 96

Introduction to Product Management


SmartUpdate allows you to centrally manage Check Point product installations on Check Point
Nodes throughout the organization.

SmartUpdate provides a central view of available and installed products. The administrator can:
• Upgrade all NG products and the Operating System on a Check Point Node to the latest
version in one click (page 67)
• Upgrade major and minor versions (page 64).
• Uninstall major and minor versions (page 92).
• Manage the Product Repository (page 85).
• View remote operation progress status (page 73).
• Verify an installation (page 94),
• Remotely boot a Check Point Node (page 95),
• Get Check Point Node data (page 96),
• Stop a remote operation (page 96).
SmartUpdate Product Management requires a separate license, in addition to the License for the
SmartCenter Server. Install a license with one of the following SKUs:
CPMP-SUP-1-NG for managing one remote Check Point Node
CPMP-SUP-U-NG for managing an unlimited number of remote Check Point Nodes

Managing the Product Repository


Use SmartUpdate to add products to and delete products from the Product Repository.
Products can be added to the Repository
• directly from the Check Point Download Center web site,
• by adding them from the Check Point CD, and
• by importing a file.
When a product is added to the Product Repository, the product file is transferred to the
SmartCenter Server. The Operation Status window opens; use it to verify that the file transfer
succeeded. The Product Repository is then updated to show the new product object.

Adding Products to the Repository from the Download Center


1 Select Products> New Product> Add From Download Center... If you accept the License
Agreement, the Download Products window opens.
2 Enter your username and password to gain access to the Download Center.

Note - The user name and the password are transmitted using SSL secured communication.

3 Select the product(s) to download. You can view a filtered list of products (for example,
view only the product upgrade packages for installed products), and the Release Notes.


4 Click Download. The product(s) are downloaded and added to the Product Repository.
The packages are downloaded to a temporary directory on the GUI Client machine and
then transferred to the SmartCenter Server, under the $SUROOT directory.
The Check Point Download Center web site can also be accessed manually at
http://www.checkpoint.com/techsupport/downloads/downloads.html

Adding Products to the Repository from the Check Point CD


1 Insert the Check Point CD into the SmartUpdate Client machine.
2 Open SmartUpdate and select Product> New Product> Add From CD…
The Browse to Folder window opens.
3 Browse for the location of the CD drive, and click OK.
The Add Product From CD window opens, showing the available products on the CD.
4 Select the product(s) to be added to the repository (Ctrl-select for more than one product),
and click OK.

Adding A Product to the Repository by Importing a File


Use this procedure for adding OPSEC packages and Hotfixes to the Product Repository.
1 Download the product files from the Download Center at
http://www.checkpoint.com/techsupport/downloads/downloads.html and save them to the
local disk.
2 Open SmartUpdate
3 Either,
a select Products> New Product> Import File…
The Add Product window opens.
b Navigate to the desired .tgz file on the local disk and click Open.
Or,
Drag and drop the product package .tgz file into the Product Repository window.

Deleting Products from the Product Repository

Note - This action cannot be undone

1 In the Product Repository, select a product, or Ctrl-select multiple products.

2 Do one of the following:
• From the menu, select Products> Delete Product.
• In the Product Repository, right click and select Delete Product.
• Press the Delete key.
The product is deleted from the Repository, and the Product Repository window is updated.

Command line: cppkg


To manage the product repository via the command line, see “Product Repository
Management” on page 643.
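Both import procedures on this page (the one in "How to Upgrade Remote Check Point Nodes" and the one above) take a .tgz file from the local disk and hand it to the repository as-is; nothing in the GUI path checks that the file is still the one that was downloaded. The following added example (not Check Point code, and not part of this guide) is a check an administrator can run on the file before importing it. It assumes that you recorded the package's SHA-256 digest out of band at download time (this is an assumption; the guide does not describe a published checksum), and it additionally refuses archives containing members that would write outside the extraction directory. The packages it builds are constructed sample data, not real Check Point packages, and the member names inside them are invented.

```python
"""Pre-import integrity check for a SmartUpdate product package (.tgz).

Added example, not Check Point code.  Assumes the expected SHA-256 digest was
recorded out of band when the package was downloaded.  The two packages
built here are constructed sample data with invented member names.
"""
import hashlib
import io
import tarfile


def sha256_hex(data):
    """Hex SHA-256 of the package bytes."""
    return hashlib.sha256(data).hexdigest()


def unsafe_members(tgz_bytes):
    """Names of tar members that are absolute, traverse upwards, or are links."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                bad.append(m.name)
    return bad


def verify_package(tgz_bytes, expected_sha256):
    """Return (ok, message); fails closed on digest mismatch or unsafe members.

    The digest is compared first, so a tampered file is never parsed as a tar.
    """
    digest = sha256_hex(tgz_bytes)
    if digest != expected_sha256.lower():
        return False, "checksum mismatch: expected %s, got %s" % (expected_sha256, digest)
    bad = unsafe_members(tgz_bytes)
    if bad:
        return False, "unsafe members: %s" % ", ".join(bad)
    return True, "ok"


def build_tgz(files):
    """Build a .tgz in memory from {member name: bytes} (sample data helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample packages (invented layout, not a real Check Point package).
GOOD_PACKAGE = build_tgz({"pkg/README": b"sample product package\n",
                          "pkg/install.sh": b"#!/bin/sh\n"})
BAD_PACKAGE = build_tgz({"pkg/README": b"sample product package\n",
                         "../etc/cp.conf": b"overwritten\n"})  # escapes extraction dir


if __name__ == "__main__":
    recorded = sha256_hex(GOOD_PACKAGE)   # stands in for the out-of-band digest
    print(verify_package(GOOD_PACKAGE, recorded))
    print(verify_package(GOOD_PACKAGE + b"\x00", recorded))   # file altered on disk
    print(verify_package(BAD_PACKAGE, sha256_hex(BAD_PACKAGE)))
```

Run it against the real file with `verify_package(open(path, "rb").read(), recorded_digest)` before using Import File or drag-and-drop; the digest comparison comes before any tar parsing, so a modified file is rejected without the archive ever being opened.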

Installing Products — Overview


SmartUpdate allows all products on a Check Point Node to be updated to the latest version in
a single operation (see “Upgrading All Products” on page 88). It is possible to upgrade products
on a machine, one at a time (see “Installing a Single Product” on page 89).
On a Nokia Appliance and on SecurePlatform NG FP3, SmartUpdate makes it possible to
upgrade both the OS and all installed products. First, upgrade the OS and boot the machine, as
described in "Installing a Single Product" on page 89, and then upgrade all the other products
to the latest version.

Note - To upgrade a Check Point HA Cluster, see the FAQ: “How do I upgrade a Check
Point ClusterXL gateway cluster?” on page 124

For updates from version 4.1 to NG FP1, Secure Internal Communication (SIC) is automatically
upgraded.
SmartUpdate product packages (NG FP2 and higher) are the same as ordinary installation
packages.
Before the installation begins SmartUpdate makes sure that the installation will succeed. It
checks that the remote Check Point Node can be reached, that the package to be installed is
valid for the remote Check Point Node — including product dependencies and prerequisites —
and that there is enough disk space. This can also be done separately (see “Verifying an
Installation” on page 94).
If the product upgrade fails, SmartUpdate restores the previously installed version. The
installation can be stopped at any time up until the actual installation (see “Stopping an
Operation and Clearing Completed Operations” on page 96).
The following is an overview of the installation process:
1 Review “How to Upgrade Remote Check Point Nodes” on page 64.
2 Update the Check Point Node OS and product data. (See “Getting Check Point Node
Data” on page 96).
3 Add any required packages to the Product Repository (see “Managing the Product
Repository” on page 85).

Chapter 2 SmartUpdate 87
Product Management

4 Install with the boot option checked.


After installing the product:
1 Install the license on the remote Check Point Node.
See “License Management” on page 97.
2 Install the Policy on the remote Check Point Node.

Upgrading All Products


All Check Point products on a Check Point Node can be remotely updated to the latest version
in a single operation. Use this procedure to upgrade version NG products.
Version 4.1 products must be upgraded individually, as described in “Installing a Single Product”
on page 89. Upgrading a single NG product is not recommended because of the various product
and version dependencies.
Note -
1. It is highly recommended to use the boot option when installing. For VPN-1/FireWall-1
installations, boot is required to switch the kernel and to make Secure Internal
Communication work.
2. The remote installation may take some time, depending on the network load and the
package size. View operation progress using the Operation Status window (see page 73).

Upgrading All Products on a Check Point Node


1 Add the product packages to the repository. Do this by downloading the required product
packages from the Check Point Download Center or the Check Point NG FP2 (or higher)
CD. See “Managing the Product Repository” on page 85.
2 In SmartUpdate, select Products > Upgrade All Products and select one or more Check
Point Nodes.
The requested operation is verified by checking the following:
• The required products of the latest version are in the Product Repository.
• All Check Point products installed on the remote Check Point Nodes are of the same
NG version.
• Installation logic, disc space, and a cprid (Check Point Remote Installation Daemon)
connection to the Check Point Node.
3 If verification is successful, the Upgrade All Products window opens showing the currently
installed products and the products to be installed on the chosen Check Point Nodes.
If one or more of the required products are missing from the Product Repository,
SmartUpdate will open the Download Products window. You can then download the
required product directly to the Product Repository.
Note that the Reboot Check Point Node After Installation option (checked by default) is
required in order to activate the newly installed product.




4 Click Upgrade.
The Operation Status window opens and shows the progress of the operation. Each
operation is represented by a single entry. Double click the entry to open the Operation
Details window which shows the operation history.

Installing a Single Product


Version 4.1 products on a Check Point Node must be upgraded one at a time. The
products must be of version 4.1 SP2 or higher with CPutil installed and a CPRID
connection established.
Upgrading a single NG product at a time is not recommended because of the various product
and version dependencies.
One product can be installed on a number of different Check Point Nodes. The installations
proceed simultaneously. Each installation has its own Operation Status entry (see “Operation
Status” on page 73).
Note -

1. It is highly recommended to use the boot option when installing. For VPN-1/FireWall-1
installations, boot is required to switch the kernel and to make Secure Internal
Communication work. However, boot ONLY after all installed products are of the same
version.

2. The remote installation may take some time, depending on the network load and the
package size. View operation progress using the Operation Status window (see page 73).

The maximum number of simultaneous installations is limited to 10 at a time. Any installations
above that number are held in a queue, and a new installation will begin as soon as one
completes.

Installing to a Single Check Point Node Using Drag-and-Drop


1 Open the Product Repository by clicking on the toolbar, or select Products> View
Repository in the menu.

2 Drag and drop a product from the Product Repository onto the Check Point Node in the
Products tab. Make sure the product Operating System matches the destination Check
Point Node OS.
3 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).

Note - The Check Point Node will boot after installation.


Installing to a Single Check Point Node Using the Products tab


1 From the Products tab, select the Check Point Node.
2 Right click, and select Install Product... (as shown in FIGURE 2-14).
FIGURE 2-14 Install Product right click menu

The Install Product window opens. This window contains all the products that can be
installed on the selected Check Point Node.
FIGURE 2-15 Install Product window

3 Select the product that you wish to install. Be sure to check Reboot Check Point Node(s)
only if all products will be of the same version after installation. This will reboot the Check
Point Node following installation.
4 Click Install.

5 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).

Installing to Multiple Check Point Nodes Using the Wizard


1 Select Install... from the Products menu, or click on the toolbar. The Install
Product window (FIGURE 2-16) opens.



FIGURE 2-16 Install Product wizard — Select a Check Point Node

2 Select the Check Point Nodes on which to install the product. Make sure that they all have
the same OS. Either Select All Check Point Nodes, or Ctrl click to select more than one
Check Point Node. Be sure to check Reboot Check Point Node(s) only if all products will
be of the same version after installation. This will reboot the Check Point Nodes following
installation. Click Next.
The window shows the available products in the Repository for the selected Check Point
Nodes.
FIGURE 2-17 Install Product wizard — Select a Product

3 Select the product that you wish to install. Make sure the product Operating System
matches the destination Check Point Node OS. Click Finish.
4 Follow the progress of the installation in the Operation Status window. If the product is
installed to more than one Check Point Node, each installation has its own Operation
Status entry (see “Operation Status” on page 73).


Installing to Multiple Check Point Nodes Using the Product Repository


1 Open the Product Repository by clicking on the toolbar, or select Products> View
Repository in the menu.

2 From the Product Repository, select a product.


3 Right click, and select Install Product... (as shown in FIGURE 2-18).
FIGURE 2-18 Install Product from Repository right click menus

The Install Product window opens (see FIGURE 2-19).


FIGURE 2-19 Install Product window — Select a Check Point Node

4 Select a Check Point Node on which to install the product. Make sure the product
Operating System matches the destination OS. Either Select All Check Point Nodes, or
Ctrl click to select more than one Check Point Node. Be sure to check Reboot Check
Point Node(s) only if all products will be of the same version after installation.

5 Click Install.

6 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).

Command line: cprinstall install


To install via the command line, see “cprinstall install” on page 653.

Uninstalling a Product
Products can be uninstalled remotely using SmartUpdate. Uninstalling VPN-1/FireWall-1, SVN
Foundation and FloodGate-1 restores the previously installed version.




It is highly recommended to boot the remote Check Point Node after uninstalling.
Before the uninstallation begins, SmartUpdate makes sure that the remote Check Point Node
can be reached, and that the product is installed on the remote Check Point Node.
After uninstalling a product, get the Check Point Node data (see “Getting Check Point Node
Data” on page 96).
When downgrading an NG product to version 4.1, if the product had licenses installed on it
remotely from the SmartCenter Server, the licenses will still exist in the License Repository. You
should therefore update the License Repository (see “Getting Check Point Node Licenses into
the License Repository” on page 150).
Alternatively, if you delete the Check Point Node object of the uninstalled product from the
GUI, the licenses will be detached from this object in the License Repository.

Uninstalling From a Single Check Point Node


1 From the Products tab, select the Check Point Node.
2 Right click, and select Uninstall Product... The Uninstall Product window opens. This
window contains all the products that can be uninstalled from the selected Check Point
Node.
3 Select the product that you wish to uninstall. To reboot the Check Point Node following
uninstallation (recommended), check Reboot Check Point Node(s).
4 Click Uninstall.

5 Follow the progress of the uninstallation in the Operation Status window (see “Operation
Status” on page 73).
6 After uninstalling, get the Check Point Node data (see “Getting Check Point Node Data”
on page 96) and if the Check Point Node had remotely installed licenses, get the licenses
(see “Getting Check Point Node Licenses into the License Repository” on page 150).

Uninstalling From Multiple Check Point Nodes Using the Wizard


1 Select Uninstall... from the Products menu, or click on the toolbar. The Uninstall
Product window opens.
2 Select the Check Point Nodes from which to uninstall the product. Make sure they are of
the same OS. Either Select All Check Point Nodes, or Ctrl click to select more than one
Check Point Node. To reboot the Check Point Node following uninstallation
(recommended), check Reboot Check Point Node(s). Click Next.
The window shows the products common to all selected Check Point Nodes, that can be
uninstalled.
3 Select the product that you wish to uninstall, and click Finish.


4 Follow the progress of the uninstallation in the Operation Status window. If the product is
uninstalled from more than one Check Point Node, each uninstallation has its own
Operation Status entry (see “Operation Status” on page 73).

5 After uninstalling, get the Check Point Node data (see “Getting Check Point Node Data”
on page 96), and if the Check Point Node had remotely installed licenses, get the licenses
(see “Getting Check Point Node Licenses into the License Repository” on page 150).

Command line: cprinstall uninstall


To uninstall via the command line, see “cprinstall uninstall” on page 654.

Verifying an Installation
Before installing a product it is possible to test whether the product can be installed on the
remote Check Point Node. The test verifies that
• the Operating System and currently installed products are appropriate for the product to be
installed,
• there is a CPRID connection to the remote machine,
• there is sufficient disk space,
• the product is not already installed, and that
• the product dependencies are fulfilled.
SmartUpdate automatically performs this test before a remote installation begins.

Verifying an Installation to a Single Check Point Node


1 From the Products tab, select the Check Point Node.
2 Right click, and select Verify installation...
The Verify installation window opens. This window contains all the products that can be
installed on the selected Check Point Node.
3 Select the product that you wish to install and click Verify.

4 Follow the progress of the verification in the Operation Status window (see “Operation
Status” on page 73).

Verifying an Installation to Multiple Check Point Nodes Using the Wizard

1 From the Products menu, select Verify Installation... or click on the toolbar.
The Verify installation window opens.
2 Select a Check Point Node. Ctrl click to select more than one Check Point Node. Click
Next.

3 The window shows the available products in the Repository. Select the product, and click
Finish.




4 Follow the progress of the verification in the Operation Status window. If the verification
is to more than one Check Point Node, each installation verification has its own Operation
Status entry (see “Operation Status” on page 73).

Verifying an Installation to Multiple Check Point Nodes Using the Product Repository

1 From the Product Repository, select a product.
2 Right click, and select Verify Installation...
The Verify Installation window opens.
3 Select a Check Point Node on which to verify the product installation. Ctrl click to select
more than one Check Point Node.
4 Click Verify.

5 Follow the progress of the verification in the Operation Status window (see “Operation
Status” on page 73).

Command line: cprinstall verify


To verify an installation via the command line, see “cprinstall verify” on page 657.

Booting a Check Point Node


SmartUpdate can be used to boot a remote computer.

To Boot a Check Point Node


1 From the Products tab, select the Check Point Node.
2 Right click, and select Reboot Check Point Node, or
from the Products menu, select Reboot Check Point Node, or
click on the toolbar.
3 Follow the progress of the reboot in the Operation Status window (see “Operation Status”
on page 73).

Note - Boot ONLY when all installed products are of the same version.

Command line: cprinstall boot


To boot a Check Point Node via the command line, see “cprinstall boot” on page 658.


Getting Check Point Node Data


The information about the Check Point Nodes in the Products tab can be updated with the
details of the products and the Operating System installed on the specified Check Point Node or
on all Check Point Nodes.

Tip - Use this operation to test the cprid connection.

To Get Check Point Node Data


1 From the Products tab, select the Check Point Node.
2 Right click, and select Get Check Point Node Data, or
from the Products menu, select Get Check Point Node Data, or
click on the toolbar.
3 Follow the progress of the operation in the Operation Status window (see “Operation
Status” on page 73).
The information in the Products tab will be updated.

To Get Data From All Check Point Nodes


1 From the Products menu, select Get Data From All.

2 Follow the progress of the operation in the Operation Status window (see “Operation
Status” on page 73).

Command line: cprinstall get


To obtain details of the products and the Operating System installed on a Check Point Node, via
the command line, see “cprinstall get” on page 656.

Stopping an Operation and Clearing Completed Operations


SmartUpdate can be used to stop installation-related operations. This command will stop the
remote installation or uninstallation of a product — even during transfer of files, extraction
and testing — though stopping an installation is not recommended. You can stop the operation
at any time up to the actual installation. License-related operations are too quick to be
stopped.

Warning - Do not stop the Installation of SVN Foundation. Doing so will require extensive
manual cleanup at the Check Point Node.




To Stop an Operation
1 From the Operation Status window, select the in-progress operation.
2 From the Status menu, select Stop Operation or
Right click, and select Stop Operation
3 Check the Operation status in the Operation Status window (see “Operation Status” on
page 73).

Command line: cprinstall stop


To stop installation-related operations on a Check Point Node via the command line, see
“cprinstall stop” on page 659.

Clearing Completed Operations


To clear a single operation, select the line in the Operation Status window and press the
Delete key, or right click and select Clear.
To clear multiple completed operations, Ctrl Click to select multiple lines, and press the Delete
key.
To clear all completed operations from the Operation Status window, select Status>
Clear all completed operations.

License Management

In This Section

Introduction to License Management page 98
License Types: Central, Local page 98
The Trial Period page 99
Version 4.1 License Support page 99
Obtaining Licenses page 100
License Structure and Elements page 100
Installing a License for the SmartCenter Server page 101
Before Using SmartUpdate License Management page 101
Adding a License to the License Repository page 101
Attaching a License to a Check Point Node page 105
Detaching a License from a Check Point Node page 109
Getting Locally Installed Licenses From a Check Point Node page 111
Deleting a License from the License Repository page 112
Viewing License Properties page 113
Viewing Installed Products page 115
Checking for Expired Licenses page 115
Exporting a License to a File page 117
Automatically Upgrading Version 4.1 Licenses page 117

Introduction to License Management


Using SmartUpdate, licenses for Check Point products on Check Point Nodes throughout the
organization can be centrally managed from the SmartCenter Server.
SmartUpdate provides both a central view of available and installed licenses, and flexibility in
attaching licenses to Check Point Nodes. The administrator can:
• add one or more licenses to the License Repository (page 101).
• attach one or more licenses to a remote Check Point Node (page 105).
• change the Check Point Node IP address without needing to reapply a new license.
• detach one or more licenses from a remote Check Point Node (page 109).
• delete one or more licenses from the License Repository (page 112).
• get Check Point Node Licenses into the License Repository (page 150).
• view all licenses and their attachment status (page 113).
• sort the licenses (page 71).
• view license properties (page 113).
• check for expired licenses (page 115).
• export licenses to a file (page 117).
• upgrade version 4.1 licenses (page 117).

License Types: Central, Local


There are two types of license: Central and Local. The license type is chosen when the license is
generated in the User Center.

Central Licenses
Check Point NG introduced a new licensing scheme in which the product license is tied to the
IP address of the SmartCenter Server, rather than to the IP address of the Check Point Node. A
license of this kind is called a Central license. The benefits are:
• The new license remains valid when changing the IP address of the Check Point Node.
There is no need to create and install a new license.
• Only one IP address is needed for all licenses.
• A license can be taken from one Check Point Node and given to another.
A Central license is an NG license that has the IP address of the SmartCenter Server.




Local Licenses
A Local license is tied to the IP address of the specific Check Point Node, and can only be used
for a Check Point Node or a SmartCenter Server with that IP address.
Prior to Check Point NG, only Local licenses existed.
Local licenses can be added to the License Repository and automatically attached to a Check
Point Node. Only Local NG licenses can be detached from a remote Check Point Node.

The Trial Period


All purchased Check Point products have a 15 day trial period. During this period the software
is fully functional and all features are available without a license. After that period, a permanent
license must be installed in order to continue using the software. Alternatively, an evaluation
license must be obtained.
The 15 day trial period on an Enforcement Module starts when Secure Internal
Communication is initialized with the SmartCenter Server. On a SmartCenter Server, the trial
period starts when the Certificate Authority is initialized during cpconfig configuration.
If a license is installed during the 15 day trial period, the effective license will be the installed
license.
If all installed licenses are removed during the 15 day trial period, the product will regain full
functionality until the end of the trial period.
If no licenses are installed, the remaining trial period is displayed when starting SmartUpdate
and any of the other Check Point SMART Clients.
To see the remaining trial period, perform the Get Check Point Node Licenses operation in
SmartUpdate, or open the cpconfig Licenses tab on the Enforcement Module, or run the
command cplic print locally on the Enforcement Module.

Version 4.1 License Support


SmartUpdate supports both NG and Version 4.1 licenses.
Version 4.1 licenses are always Local licenses. They:
• are attached automatically to their target Check Point Node when they are added to the
license repository
• can be retrieved into the SmartUpdate License Repository (see “Getting Check Point
Node Licenses into the License Repository” on page 150)
• cannot be deleted (detached) via SmartUpdate.
If a product is upgraded from version 4.1 to NG, the license must be upgraded as well. You
should upgrade to a Central license (obtained from the User Center) in order to gain the
manageability benefits. However a local license can still be used for an NG product. All version
4.1 licenses can be automatically upgraded. See also
• “Automatically Upgrading Version 4.1 Licenses” on page 117.
• “How to Upgrade Remote Check Point Nodes” on page 64.


Obtaining Licenses
Obtain licenses from the User Center at http://www.checkpoint.com/usercenter using
SmartUpdate via the License > New License > Add From User Center... menu item (see
“Downloading a License File From the User Center” on page 102). If you need more than one
license, you can download a license file containing multiple licenses from the User Center, and
import all the licenses into the SmartUpdate License Repository.
Before using SmartUpdate, you must install a license for the SmartCenter Server at the
SmartCenter Server machine (see “Installing a License for the SmartCenter Server” on page
101).

Note - Local licenses issued with a hostid can be installed on their target machine
only via the cplic command or cpconfig Configuration Tool.

Tip - Licensing Management High Availability Configurations:
The Central license for a Secondary SmartCenter Server should have the IP address of the
Secondary SmartCenter Server. All other Central licenses for remote Check Point Nodes
can have an IP address belonging to any of the Management High Availability members.

Once you have obtained license(s), add them to the License Repository (see “Adding a License
to the License Repository” on page 101).

Certificate Key
The certificate key is a string of 12 alphanumeric characters. The string is unique to each
product, and also identifies the license. For an evaluation license your certificate key can be
found inside the mini pack. For a permanent license you should receive your certificate key
from your reseller.

Note - Any characters in the Certificate Key that may look like 'O' or 'I' are most likely '0'
or '1'.

License Structure and Elements


The following is an example of a license received from the User Center, showing the various
elements. Note that:
• The Certificate Key is part of the license SKU.
• The IP Address for a Central license is the IP Address of the SmartCenter Server. The IP
Address of a Local license is the IP address of the Check Point Node.
• The signature is unique to the license, and identifies it.

Request Details
---------------
Certificate Key: 1BED 4054 433R
Product: CPMP-EVAL-BETA-DES-VNG
Version: NG
Customer Name: Acme Ltd.

Details of Issued License
-------------------------
Expiration Date: 01Dec2002
IP Address: 198.243.45.87
SKU/Features: cpsuite-eval-3des-vNG CK-1BED4054433R
Signature: aScPeamAc-GabqVzrvn-JZRGmSLq2-nYFDmwnPVum (Validation code: lfkjRW)

Installing a License for the SmartCenter Server


Before using SmartUpdate, you must install a license for the SmartCenter Server. Install the
license at the SmartCenter Server machine using the
• cpconfig configuration application (see “Licenses” on page 26), or
• cplic put command line (follow the instructions received from the User Center; see also
“cplic put <object name> ...” on page 631).

Note - In order to show the locally installed SmartCenter Server licenses in the
SmartUpdate GUI, you must first retrieve them into the License repository (see “Getting
Check Point Node Licenses into the License Repository” on page 150).

Before Using SmartUpdate License Management


• Install a license for the SmartCenter Server. The SmartUpdate GUI cannot be used unless
the SmartCenter Server is licensed.
• Define the remote Check Point Node objects in the SmartDashboard (see “Adding, Editing
and Deleting a Network Object” on page 174).
• Ensure there is IP connectivity from the SmartCenter Server to the Check Point Node.
• SVN Foundation components (cpd) and the FireWall-1 services must run on the
SmartCenter Server and on the Check Point Node.
• The Check Point Nodes must be initialized for SIC before they can be managed using
SmartUpdate (see “Enabling Communication between Modules” on page 49).

Adding a License to the License Repository


Licenses can be added to the License Repository:

• By downloading a license file directly from User Center. A license file can contain multiple
licenses.
• By importing a license file received from the User Center.
• Manually (by copying the license details).
Adding a Central license to the License Repository does not install it on any Check Point
Node.
After adding a Central license to the Repository, you can Attach (install) it to a Check Point
Node.
If a Local license is added to the Repository, the license is automatically installed on the Check
Point Node for which it is intended.

Downloading a License File From the User Center


The Licenses> New License> Add From User Center... option opens a browser window
showing the User Center. After logging in to the User Center, it is possible to
• Generate a new license
• Change the IP address of an existing License (“Move IP”)
• Change the license from Local to Central
• Upgrade the license from version 4.1 to NG
This generates a license file that is downloaded to the SmartUpdate GUI Client machine.
SmartUpdate looks for identical licenses in the Repository, an identical license being one with
the same Certificate Key (CK).
For a new license — If there are no identical licenses, the license is added to the License
Repository. A Local license is added to the Repository and attached if there is a Check Point
Node with the same IP address. If there is no suitable Check Point Node, the Local license is
discarded.
For a “Move IP”— The “Move IP” operation allows a Check Point Node whose IP address
has changed to be easily relicensed. If the Check Point Node has an NG license installed it is
replaced by another NG license with the new IP address.
Changing a Local license to a Central license— a license can also be changed from Central
to Local.
For a license upgrade from version 4.1 to NG —If a license with the same CK exists, the
new license is attached and the old license is detached and deleted from the License Repository.
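As an added example (not Check Point's own code) of the license elements described under “License Structure and Elements” and of the Repository rules just given for new, Local and upgraded licenses, the following Python parses a cplic putlic string into its elements and models how the License Repository treats each case. The SmartCenter Server IP, the set of defined Check Point Node IPs and the repository class are assumptions of the example; the sample license strings are the guide's own values, except the one marked constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class License:
    """Elements of a Check Point license as passed to 'cplic putlic'."""
    ip: str                     # SmartCenter Server IP (Central) or Node IP (Local)
    expiration: date
    signature: str
    features: tuple[str, ...]   # SKU/Features, including the CK-... token
    ck: str                     # Certificate Key; identifies the license


def parse_expdate(text: str) -> date:
    """Parse the ddMonyyyy expiration format used by the User Center (01Dec2002)."""
    return datetime.strptime(text, "%d%b%Y").date()


def parse_putlic(line: str) -> License:
    """Split 'cplic putlic <ip> <expdate> <signature> <SKU/features...>'; the
    Certificate Key is the feature token prefixed 'CK-' (part of the SKU)."""
    tokens = line.split()
    if tokens[:2] != ["cplic", "putlic"] or len(tokens) < 6:
        raise ValueError("not a 'cplic putlic' license string")
    features = tuple(tokens[5:])
    cks = [f[len("CK-"):] for f in features if f.startswith("CK-")]
    if len(cks) != 1:
        raise ValueError("expected exactly one CK- feature")
    return License(tokens[2], parse_expdate(tokens[3]), tokens[4], features, cks[0])


class LicenseRepository:
    """Model of the License Repository add rules; smartcenter_ip and node_ips
    (the defined Check Point Node objects) are inputs assumed for the example."""

    def __init__(self, smartcenter_ip: str, node_ips: set[str]) -> None:
        self.smartcenter_ip = smartcenter_ip
        self.node_ips = set(node_ips)
        self.licenses: dict[str, License] = {}        # keyed by Certificate Key
        self.attached_to: dict[str, str | None] = {}  # CK -> Node IP, None = unattached

    def kind(self, lic: License) -> str:
        # A Central license carries the SmartCenter Server IP; any other IP is Local.
        return "Central" if lic.ip == self.smartcenter_ip else "Local"

    def add_new(self, lic: License) -> str:
        """'New license' rule: an identical license (same CK) is not added again;
        a Central license is added unattached; a Local license is added and
        attached only if a Node with its IP exists, otherwise it is discarded."""
        if lic.ck in self.licenses:
            return "already present"
        if self.kind(lic) == "Central":
            self.licenses[lic.ck] = lic
            self.attached_to[lic.ck] = None
            return "added (unattached)"
        if lic.ip in self.node_ips:
            self.licenses[lic.ck] = lic
            self.attached_to[lic.ck] = lic.ip
            return "added and attached"
        return "discarded"

    def upgrade_41_to_ng(self, new: License, node_ip: str) -> str:
        """Version 4.1 to NG upgrade rule: when a license with the same CK exists,
        the new license is attached and the old one is detached and deleted."""
        if new.ck not in self.licenses:
            return self.add_new(new)
        self.licenses[new.ck] = new          # replaces the old license with that CK
        self.attached_to[new.ck] = node_ip
        return "upgraded and attached"

    def expired(self, today: date) -> list[str]:
        """Certificate Keys of repository licenses whose expiration date has passed."""
        return sorted(ck for ck, lic in self.licenses.items() if lic.expiration < today)


# Sample input: LOCAL_EXAMPLE is the guide's own cplic putlic line; CENTRAL_EXAMPLE
# assembles the guide's "Details of Issued License" values into the same format;
# ORPHAN_LOCAL is constructed for a Node that is not defined in the topology.
LOCAL_EXAMPLE = ("cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx "
                 "CPSUITE-EVAL-3DES-NG CK-1234567890")
CENTRAL_EXAMPLE = ("cplic putlic 198.243.45.87 01Dec2002 "
                   "aScPeamAc-GabqVzrvn-JZRGmSLq2-nYFDmwnPVum cpsuite-eval-3des-vNG "
                   "CK-1BED4054433R")
ORPHAN_LOCAL = "cplic putlic 10.0.0.9 06Dec2002 constructed-sig CPSUITE-EVAL-3DES-NG CK-CONSTRUCTED0"


def run_demo() -> dict[str, str]:
    """Feed the samples through a repository for a SmartCenter Server at
    198.243.45.87 managing one Node at 1.1.1.1 (assumed topology)."""
    repo = LicenseRepository("198.243.45.87", {"1.1.1.1"})
    return {
        "central": repo.add_new(parse_putlic(CENTRAL_EXAMPLE)),
        "local": repo.add_new(parse_putlic(LOCAL_EXAMPLE)),
        "duplicate": repo.add_new(parse_putlic(LOCAL_EXAMPLE)),
        "orphan": repo.add_new(parse_putlic(ORPHAN_LOCAL)),
        "expired_on_03Dec2002": ",".join(repo.expired(parse_expdate("03Dec2002"))),
    }
```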

Downloading a license file directly from the User Center


1 Select Licenses> New License> Add From User Center...




2 Log in to the User Center, and perform the required operation.

Note - The user name and the password are transmitted using SSL secured communication.

3 The generated license file is downloaded to the SmartUpdate GUI Client machine. It is
added to the License Repository. If upgrading, “moving IP” or converting between Local
and Central License, the license is attached to the appropriate Check Point Node.

Adding Licenses From a File Using Drag-and-Drop


License files can contain one or more licenses. Add licenses from a file as follows:
1 Select Licenses> View Repository or click to open the License Repository.
2 Drag and drop the License file from the file system into the License Repository.
The new unattached Central licenses will appear in the Licenses Repository. Local licenses will
be automatically attached to their Check Point Node. If the Attach operation fails, the Local
licenses will be deleted from the Repository.

Importing Licenses From a File


License files can contain one or more licenses. Add licenses from a file as follows:
1 From the SmartUpdate menu, select Licenses> New License> Import File... or click
on the toolbar,
or
Select Licenses> View Repository or click to open the License Repository, then
right click in the Licenses Repository, and choose New License> Import File...
2 Browse to the location of the license file, select it, and click Open.

The new unattached Central licenses will appear in the Licenses repository. Local licenses will be
automatically attached to their Check Point Node. The license will get a default name of the
format SKU@ time date. The name of the license can be changed at a later time (see “Viewing
License Properties” on page 113). If the Attach operation fails, the Local licenses will be deleted
from the Repository.

Adding a License Manually


To manually add a single license to the repository, proceed as follows:


1 The User Center results page and the license email received from the User Center contain
the license installation instructions. From these instructions, copy the license to the
clipboard. You need to copy the string that starts with cplic putlic... and ends with the
last SKU/Feature. For example:
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NG CK-1234567890
If you only have a hard-copy printout, continue from step 2.
2 Select Licenses> New License> Add Manually, or select on the toolbar,
or
Select Licenses> View Repository, then right click in the Licenses Repository, and
choose New License> Add Manually...
The Add License window opens.
FIGURE 2-20 The Add License window

3 If you copied the license to the clipboard, click Paste License. The fields will be populated
with the license details.
Otherwise, enter the license details from a hard-copy printout.
4 Click Calculate, and make sure the result matches the validation code received from the
User Center.
5 Optionally, choose a name for the license. If you leave the Name field empty, the license
will get a default name of the format SKU@ time date. The name of the license can be
changed at a later time (see “Viewing License Properties” on page 113).
6 Click OK.

7 Follow the status of the procedure in the Operation Status window.

104 Check Point SmartCenter Guide • September 2002



Command line: cplic db_add


To add a license to the License Repository via the command line, see “cplic db_add” on page
639.
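The cplic putlic string shown in step 1 of the manual procedure above has a fixed layout, and an administrator who scripts license handling (for example, checking a mailed multi-license file before importing it with cplic db_add) needs to parse it. The following is an added example written for this guide, not code from the SmartCenter Guide or from the cplic tool: it parses cplic putlic lines into their fields, rejects malformed lines with their line number, and classifies each license as Central or Local by comparing its IP address with the SmartCenter Server address, as the guide describes. The trailing CK-... token is treated as the certificate key. The sample file, the 192.168.10.5 and 10.0.0.9 addresses, and every signature string other than the guide's own example are constructed.

```python
"""Parse 'cplic putlic ...' license lines such as the one the User Center mails.

Added example; this is not code from the SmartCenter Guide or from the cplic tool.
Layout assumed from the guide's sample line:
    cplic putlic <IP> <expiration|never> <signature key> <SKU/features...> [CK-<certificate key>]
Classification follows the guide: a license carrying the SmartCenter Server's IP
is Central, a license carrying any other IP is Local.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample "license file" (not a real Check Point file). Line 2 is the
# guide's own example; the other lines are made-up values of the same shape.
SAMPLE_LICENSE_FILE = """\
# comment lines and blank lines are ignored
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NG CK-1234567890
cplic putlic 192.168.10.5 never aaaaaaaa-bbbbbbb-cccccccc-dddddddd CPMP-VPN-NG CK-0000000001

cplic putlic 1.1.1.1 31Jan2003 eeeeeeee-fffffff-gggggggg-hhhhhhhh CPMP-FW-NG
cplic putlic 10.0.0.9 06Dec2002 signature-but-no-features
"""

LICENSE_RE = re.compile(
    r"^cplic\s+putlic\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<expires>never|\d{2}[A-Za-z]{3}\d{4})\s+"
    r"(?P<signature>\S+)\s+"
    r"(?P<rest>\S.*)$",
    re.IGNORECASE,
)


@dataclass
class License:
    ip: str
    expires: Optional[date]          # None means the license never expires
    signature: str
    features: str                    # the SKU/features string
    certificate_key: Optional[str]   # the trailing CK-... token, if present
    type: str                        # "Central" or "Local"


def parse_expiration(text: str) -> Optional[date]:
    """'never' -> None; otherwise a ddMonyyyy date such as 06Dec2002."""
    if text.lower() == "never":
        return None
    return datetime.strptime(text, "%d%b%Y").date()


def parse_license_line(line: str, smartcenter_ip: str) -> License:
    """Parse one license line; raises ValueError for anything malformed."""
    m = LICENSE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'cplic putlic' line: {line.strip()!r}")
    tokens = m["rest"].split()
    # Assumption: a final CK-... token is the certificate key, everything before it is SKU/features.
    certificate_key = tokens.pop() if tokens[-1].upper().startswith("CK-") else None
    if not tokens:
        raise ValueError("license has a certificate key but no SKU/features")
    try:
        expires = parse_expiration(m["expires"])
    except ValueError as exc:
        raise ValueError(f"bad expiration date {m['expires']!r}") from exc
    license_type = "Central" if m["ip"] == smartcenter_ip else "Local"
    return License(m["ip"], expires, m["signature"], " ".join(tokens), certificate_key, license_type)


def parse_license_file(text: str, smartcenter_ip: str) -> Tuple[List[License], List[Tuple[int, str]]]:
    """Return (parsed licenses, [(line number, reason)] for lines that were rejected)."""
    good, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            good.append(parse_license_line(line, smartcenter_ip))
        except ValueError as exc:
            bad.append((lineno, str(exc)))
    return good, bad


if __name__ == "__main__":
    licenses, rejected = parse_license_file(SAMPLE_LICENSE_FILE, smartcenter_ip="1.1.1.1")
    for lic in licenses:
        print(f"{lic.type:7} {lic.ip:14} {str(lic.expires or 'never'):10} {lic.features}")
    for lineno, reason in rejected:
        print(f"line {lineno}: rejected ({reason})")
```

Rejected lines are collected with their line numbers rather than raised, so a whole file can be checked before any of it is handed to cplic db_add. The parser deliberately does not validate the signature key: only Calculate in the Add License window, compared against the validation code from the User Center, can do that.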

Attaching a License to a Check Point Node


Use SmartUpdate to attach one or more licenses to a Check Point Node with an installed NG FP2 product.
Attaching a license to a remote Check Point Node means installing the license on the remote
Check Point Node, and associating the license with the Check Point Node in the License
Repository.
A Central license must be added to the License Repository before it can be attached to a Check
Point Node (see “Adding a License to the License Repository” on page 101).
An NG Local License has the IP address of the Check Point Node. It can therefore be installed
only on a Check Point Node object with the same IP address. If an NG Local license is added
to the Repository, SmartUpdate will immediately attempt to install it on the appropriate Check
Point Node. If the installation does not succeed, the license will be deleted from the
Repository.

Note - Local licenses issued with a hostid can be installed on their target machine only
locally, via the cplic command or the cpconfig Configuration Tool.

There are a number of different ways to attach a license to a Check Point Node. In all cases,
follow the status of the procedure in the Operation Status window.

Attaching One or More Licenses using Drag-and-Drop


1 Select Licenses> View Repository

2 Drag and drop one or more unattached Central licenses in the License Repository onto a
Check Point Node in the Licenses tab.
When done, the license icon(s) in the Repository will change and the license(s) will appear
under the Check Point Node in the Licenses tab.

Attaching One or More Licenses Using the Licenses Repository


1 From the License Repository, select one or more unattached licenses.
2 Right click, and select Attach... (as shown in FIGURE 2-21).

FIGURE 2-21 Attach Licenses right click menus

The Attach Licenses window opens.

3 Select a Check Point Node, and click Attach.
4 Follow the status of the procedure in the Operation Status window (see “Operation Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point Node in the Licenses tab.

Attaching One or More Licenses Using the Wizard


1 Select Attach... from the Licenses menu, or select the corresponding toolbar button.
The Attach Licenses window opens.
FIGURE 2-22 Attach Licenses window - Select a Check Point Node

2 Select a Check Point Node to which the license(s) is (are) to be attached, and click Next.
The window shows the available unattached licenses in the Licenses Repository.

FIGURE 2-23 Attach License window - Select a License

3 Select the license that you wish to attach. Either Select All, or Ctrl click to select more than one license.
4 Click Attach.
5 Follow the status of the procedure in the Operation Status window (see “Operation Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point Node in the Licenses tab.

Attaching One or More Licenses Using the Licenses Tab


1 From the Licenses tab, select the Check Point Node.
2 Right click, and select Attach Licenses... (as shown in FIGURE 2-24).
FIGURE 2-24 Attach License right click menus

The Attach Licenses window opens. This window contains all the available, unattached licenses.

FIGURE 2-25 Attach Licenses window

3 Select the licenses that you wish to attach. Either Select All, or Ctrl click to select more than one license.
4 Click Attach.
5 Follow the status of the procedure in the Operation Status window (see “Operation Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point Node in the Licenses tab.

Command line: cplic put


To attach licenses via the command line, see “cplic put <object name> ...” on page 631.

Attaching an Evaluation License to all Check Point Nodes


An Evaluation License is a “floating”, limited evaluation license that is not associated with a specific IP address. It can be attached to any Check Point Node in the same way as an ordinary Central license, and to more than one Check Point Node at a time.

To Attach an Evaluation License to all Check Point Nodes


1 Select Licenses> View Repository.
2 Drag and drop an evaluation license in the License Repository onto the root of the Check Point Nodes tree in the Licenses tab.
When done, the evaluation license icon will appear under every Check Point Node in the Licenses tab.


Detaching a License from a Check Point Node


Detaching a license involves deleting a single license from a remote Check Point Node and
marking it as unattached in the License Repository on the SmartCenter Server. The license is
then available for attachment to any Check Point Node.
Detaching a local NG license from a Check Point Node will also delete the license from the
Repository.
Version 4.1 Local licenses cannot be detached from a Check Point Node. They must be deleted
locally.
Note - If the remote Check Point Node is unreachable (if the product has been uninstalled
or the machine crashed for example), the license cannot be detached via SmartUpdate. In
this case, unattach the attached license by deleting the Check Point Node's network
object in the SmartDashboard.

There are a number of different ways to detach a license from a Check Point Node using
SmartUpdate. In all cases, follow the status of the procedure in the Operation Status window.

Detaching One or More Licenses Using the Wizard


1 Select Detach... from the Licenses menu, or select the corresponding toolbar button.
The Detach Licenses window opens (as shown in FIGURE 2-26).
FIGURE 2-26 Detach Licenses window - Select a Check Point Node

2 Select the Check Point Node from which you wish to detach the license, and press Next.
The Detach Licenses window shows the licenses attached to the Check Point Node.

FIGURE 2-27 Detach Licenses window - Select a License

3 Select the license that you wish to detach. Either Select All, or Ctrl click to select more than one license.
4 Click Finish.

Detaching One or More Licenses Using the Licenses Tab


1 In the Licenses tab, select the license to be detached. To detach all the licenses on the Check Point Node, select the Check Point Node.
2 Right click, and select Detach License (if a single license was selected, as shown in FIGURE 2-28), or Detach All Licenses (if the Check Point Node was selected; this option is disabled if there are both Central and Local licenses).
FIGURE 2-28 Detach License right click menus

Detaching a Single License Using the Licenses Repository


1 From the License Repository, select an attached license.
2 Right click, and select Detach... (as shown in FIGURE 2-29).

FIGURE 2-29 Detach License right click menus

Command line: cplic del


To detach a license via the command line, see “cplic del <object name> ...” on page 633.

Getting Locally Installed Licenses From a Check Point Node


NG and Version 4.1 Local licenses that are installed locally on a Check Point Node (using the cpconfig configuration tool or cplic put) will not exist in the SmartUpdate License Repository, and licenses that were deleted locally will still appear in the Repository.
In order to update the License Repository, retrieve (“get”) NG FP2 Local and version 4.1 licenses from a Check Point Node into the Repository. Getting a license:
• Retrieves to the Repository licenses that were installed locally (at the machine)
• Deletes from the Repository licenses that were deleted locally.

Note - Only version 4.1 SP1 and higher licenses can be retrieved into the License
Repository.

It is possible to retrieve (“get”) all licenses in the managed network, or only the licenses from a
single Check Point Node. It is recommended to retrieve the SmartCenter Server license(s) so
that it (they) will appear in the License Repository.
To update the License Repository, proceed as follows:

To Get Check Point Node Licenses from a Check Point Node


1 From the Licenses tab, select the Check Point Node.
2 Right click, and select Get Check Point Node Licenses (FIGURE 2-30), or select Get Check Point Node Licenses from the Licenses menu.
FIGURE 2-30 Get License right click menu

3 Follow the status of the procedure in the Operation Status window. Retrieved Local licenses will appear in the License Repository and in the Products tab with the icon.

To Retrieve all Licenses in the Managed Network


1 Select Get All Licenses from the Licenses menu.
2 Follow the status of the procedure in the Operation Status window. Retrieved Local licenses will appear in the License Repository and in the Products tab with the icon.

Command line: cplic get


To get Check Point Node licenses via the command line, see “cplic get” on page 634.
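The Get operation described above is two-way: it both adds licenses that were installed locally and removes repository entries for licenses that were deleted locally, which is what keeps the License Repository from drifting away from what is really installed on the nodes. The following is an added illustration of that reconciliation, not code from the SmartCenter Guide or from cplic: it models the repository update for one node and then for the whole managed network, adding locally installed licenses that the repository does not know (attached to that node), removing entries attached to that node that the node no longer has, and leaving unattached entries and entries attached to other nodes untouched. Licenses are identified by their signature key; the node names, keys and repository contents are constructed.

```python
"""Two-way 'Get' of locally installed licenses into the License Repository.

Added example; not code from the SmartCenter Guide or from cplic. Licenses are
identified by their signature key. All names, keys and contents are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed repository state before the Get operation.
REPOSITORY: List[Dict[str, Optional[str]]] = [
    {"signature": "sig-A", "attached_to": "gw-london"},
    {"signature": "sig-B", "attached_to": "gw-london"},  # deleted locally on gw-london since the last Get
    {"signature": "sig-C", "attached_to": None},         # unattached Central license: untouched by Get
    {"signature": "sig-D", "attached_to": "gw-paris"},
]

# Constructed answer to "which licenses are installed on the node" (what cplic print would list).
NODE_LICENSES: Dict[str, List[str]] = {
    "gw-london": ["sig-A", "sig-E"],  # sig-E was installed locally (cpconfig or cplic put)
    "gw-paris": ["sig-D"],
}


def get_node_licenses(repository: List[Dict[str, Optional[str]]], node: str,
                      installed: List[str]) -> Tuple[List[Dict[str, Optional[str]]], List[str], List[str]]:
    """Return (updated repository, added signatures, removed signatures) for one node.

    The input list is not modified; a new repository list is returned."""
    installed_set = set(installed)
    updated, removed = [], []
    for lic in repository:
        # Entry attached to this node but no longer present on it: deleted locally, so drop it.
        if lic["attached_to"] == node and lic["signature"] not in installed_set:
            removed.append(lic["signature"])
        else:
            updated.append(dict(lic))
    # Licenses on the node that the repository does not know at all are added, attached to
    # this node. A signature already in the repository (for example an evaluation license
    # attached to several nodes) is not added a second time.
    known = {lic["signature"] for lic in updated}
    added = [sig for sig in installed if sig not in known]
    updated.extend({"signature": sig, "attached_to": node} for sig in added)
    return updated, added, removed


def get_all_licenses(repository: List[Dict[str, Optional[str]]],
                     node_licenses: Dict[str, List[str]]):
    """Licenses > Get All Licenses: run the per-node Get over every managed node."""
    report = {}
    for node, installed in node_licenses.items():
        repository, added, removed = get_node_licenses(repository, node, installed)
        report[node] = {"added": added, "removed": removed}
    return repository, report


if __name__ == "__main__":
    repo, report = get_all_licenses(REPOSITORY, NODE_LICENSES)
    for node, changes in report.items():
        print(f"{node}: added {changes['added']}, removed {changes['removed']}")
    print([(lic["signature"], lic["attached_to"]) for lic in repo])
```

Because an entry that was deleted on the node is removed from the repository, the report's "removed" list is the one to review after a Get: a license disappearing from a gateway that nobody intentionally deleted is worth a look in the SmartView Tracker Audit View.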

Deleting a License from the License Repository


Licenses that are not attached to any Check Point Node and are no longer needed, can be
deleted from the License Repository.
To check for expired licenses, see “Checking for Expired Licenses” on page 115.
A license can be deleted from the License Repository only after it has been detached from the
Check Point Node (see “Detaching a License from a Check Point Node” on page 109).

Note - Once the license has been deleted from the License Repository, it can no longer be
used. To re-use it, add it to the License Repository (see “Adding a License to the License
Repository” on page 101).

To delete a license from the License Repository, proceed as follows:


1 Select View Repository from the Licenses menu.
To show only the unattached licenses, right click and select View Unattached licenses.
2 Select the unattached license(s) to be deleted, and
• click the Delete key, or
• right click, and select Delete License (FIGURE 2-31), or
• select Delete Licenses from the Licenses menu.
FIGURE 2-31 Delete License right click menu

Command line: cplic db_rm


To delete a license from the License Repository via the command line, see “cplic db_rm” on
page 640.

Viewing License Properties


License properties for each license are shown in the Licenses tab. License properties can also be conveniently viewed using the License Properties window, as follows:
• In the Licenses tab,
  • double click the license, or
  • select the license, and from the License menu, select Properties..., or
  • right click and from the menu, select License> Properties.
• In the License Repository,
  • select the license and click Enter, or
  • double click the license.

The License Properties window opens (FIGURE 2-32):

FIGURE 2-32 License Properties window

Name — The editable name of the license.
IP Address — The IP address of the machine for which the license is issued.
Expiration Date — The date on which the license expires, or never. After a license has expired, the functionality of the Check Point product may be impaired.
SKU/Features — SKU stands for Stock Keeping Unit. The SKU, also called the license features, is a character string that identifies an individual product.
License For — Use this description to verify that the license is appropriate for the installed product. This description is provided for NG and higher licenses.
Signature Key — The individual license identification code.
Certificate Key — The certificate key is a string of 12 alphanumeric characters. The string is unique to each product.
Type — Central or Local. A Central license is tied to the IP address of the SmartCenter Server. A Local license is tied to the IP address of a specific Check Point Node, and can only be used for a Check Point Node with that IP address.
Attached To — The Check Point Node on which the license is installed, and with which it is associated in the License Repository.
Validation Code — Should be the same as the Validation Code received from Check Point.

Command line: cplic db_print


To view the properties of a license via the command line, see “cplic db_print” on page 641.


Viewing Installed Products


To see which products are installed on a Check Point Node shown in the Licenses tab, proceed as follows:
1 In the Licenses tab, select the Check Point Node.
2 Right click, and select Installed Products... (FIGURE 2-33).
FIGURE 2-33 Installed Products right click menu

The Installed Products window appears (FIGURE 2-34).

FIGURE 2-34 Installed Products window

The Installed Products window shows
• The name of the Check Point Node, as defined in the SmartDashboard.
• The operating system of the Check Point Node.
• The name, vendor, version, and service pack of the products installed on the Check Point Node.

Checking for Expired Licenses


Licenses expire on a particular date, or never. After a license has expired, the functionality of the Check Point product will be impaired. In the License Expiration window it is possible to
• See a list of attached and unattached expired licenses.
• Delete expired licenses.
• View the properties of the expired license.
The following configurable options are available:
• View licenses that will expire within a selected number of days.
• Check for expired licenses when SmartUpdate is started.
• Highlight expired licenses in the License Repository by marking them in red.
SmartUpdate will automatically give a warning before attaching an expired license to a remote Node.
For products within their 15 day trial period, the expiration date of the Trial Period is shown in the Expiration Date column, if no licenses are installed. For more information, see “The Trial Period” on page 99.

To Check for Expired Licenses


1 Select Show Expired Licenses
• either from the License menu,
• or in the License Repository, from the right click menu.
The License Expiration window opens.
FIGURE 2-35 License Expiration window

2 To delete an unattached license from the License Repository, select the license(s) and click Delete. If it is attached, you must detach it before deleting it (see “Detaching a License from a Check Point Node” on page 109).
3 To view the properties of the license, double click the license, or select the license and click Properties.
4 Choose the Options for future searches. Click Apply to run the search immediately.
In addition, in the Licenses tab and the License Repository you can check for soon-to-expire licenses by sorting by expiration date. Click
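The checks that the License Expiration window performs can also be run over an exported license inventory, which is useful when license expiry across several SmartCenter Servers has to be audited outside the GUI. The following is an added example, not code from the SmartCenter Guide: it lists expired licenses (attached or not), lists licenses expiring within a chosen number of days, deletes only the unattached expired ones (an attached license must be detached first, as step 2 says), and reproduces the warning SmartUpdate gives before an expired license is attached. The inventory, node names and dates are constructed; that a license counts as expired once its expiration date has passed is an assumption about the exact boundary.

```python
"""Expired / soon-to-expire license report over a license inventory.

Added example; not code from the SmartCenter Guide. Dates use the ddMonyyyy form
seen in the guide's license example (06Dec2002) or the word 'never'.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Constructed inventory: default names (SKU@ time date), expiration, and attachment.
INVENTORY: List[Dict[str, Optional[str]]] = [
    {"name": "CPSUITE-EVAL-3DES-NG@12:00 01Nov2002", "expires": "06Dec2002", "attached_to": "gw-london"},
    {"name": "CPMP-VPN-NG@09:15 20Oct2002", "expires": "never", "attached_to": None},
    {"name": "CPMP-FW-NG@09:16 20Oct2002", "expires": "20Dec2002", "attached_to": None},
    {"name": "CPMP-FW-NG@14:40 01Jul2002", "expires": "15Nov2002", "attached_to": "gw-paris"},
    {"name": "CPSUITE-EVAL-3DES-NG@08:00 01Sep2002", "expires": "30Sep2002", "attached_to": None},
]


def parse_expiration(text: str) -> Optional[date]:
    """'never' -> None, otherwise e.g. '06Dec2002' -> date(2002, 12, 6)."""
    return None if text.lower() == "never" else datetime.strptime(text, "%d%b%Y").date()


def is_expired(lic: Dict[str, Optional[str]], today: date) -> bool:
    # Assumption: a license is expired once its expiration date is in the past.
    exp = parse_expiration(lic["expires"])
    return exp is not None and exp < today


def expires_within(lic: Dict[str, Optional[str]], today: date, days: int) -> bool:
    """True for a still-valid license whose expiration falls within the next `days` days."""
    exp = parse_expiration(lic["expires"])
    return exp is not None and today <= exp <= today + timedelta(days=days)


def delete_expired(inventory: List[Dict[str, Optional[str]]], today: date):
    """Delete unattached expired licenses. Attached ones are kept and reported:
    they must be detached from their Check Point Node before they can be deleted."""
    kept, deleted, still_attached = [], [], []
    for lic in inventory:
        if is_expired(lic, today):
            if lic["attached_to"] is None:
                deleted.append(lic["name"])
                continue
            still_attached.append(lic["name"])
        kept.append(lic)
    return kept, deleted, still_attached


def attach_warning(lic: Dict[str, Optional[str]], today: date) -> Optional[str]:
    """The warning SmartUpdate gives before attaching an expired license (None if not expired)."""
    if is_expired(lic, today):
        return f"license {lic['name']} expired on {lic['expires']}; attach anyway?"
    return None


def expiration_report(today_text: str, within_days: int,
                      inventory: List[Dict[str, Optional[str]]] = INVENTORY) -> Dict[str, List[str]]:
    """Names of expired licenses, of licenses expiring within `within_days`, and of the
    expired licenses that were deleted / that are still attached. `today_text` uses the
    same ddMonyyyy form as the inventory (never 'never')."""
    today = parse_expiration(today_text)
    _, deleted, still_attached = delete_expired(inventory, today)
    return {
        "expired": [lic["name"] for lic in inventory if is_expired(lic, today)],
        "expiring": [lic["name"] for lic in inventory if expires_within(lic, today, within_days)],
        "deleted": deleted,
        "still_attached": still_attached,
    }


if __name__ == "__main__":
    for key, names in expiration_report("01Dec2002", 30).items():
        print(f"{key}: {names}")
```

Run with a "view licenses that will expire within N days" value of 30 on 01Dec2002, the constructed inventory yields two expired licenses, of which only the unattached one is deleted, and two licenses expiring in December; with N set to 5, only the license expiring on 06Dec2002 is reported.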


Exporting a License to a File


Licenses can be exported to a file. The file can later be imported to the License Repository. This can be useful for administrative or for Support purposes.
All selected licenses will be exported. If the file already exists, the new licenses are added to the file.

To Export one or more Licenses to a File


1 From the SmartUpdate menu, select Licenses> View Repository to open the License Repository,
or
Select the Licenses tab.
2 Select one or more licenses, right click (FIGURE 2-36), and from the menu select Export to File...
FIGURE 2-36 Export License to File right click menus

3 In the Choose File to Export License(s) To window, name the file (or select an existing file), and browse to the desired location. Click Save.

Automatically Upgrading Version 4.1 Licenses


When upgrading Check Point products on remote Check Point Nodes to the latest NG version, all version 4.1 licenses on those Check Point Nodes and in the License Repository can be automatically replaced with new NG licenses.
The license upgrade can be performed either before or after upgrading the version 4.1 Check Point Nodes to the latest version of VPN-1/FireWall-1 NG.
Note - After upgrading the licenses,
• cplic print on the remote Check Point Node will not show the old 4.1 licenses.
• if the products on the remote Check Point Nodes are downgraded to version 4.1, the old licenses will reappear in the Check Point Nodes. cplic print will show the old 4.1 licenses, and they can be retrieved to the License Repository using the cplic get command.

To Automatically Upgrade version 4.1 Licenses


1 Upgrade the SmartCenter Server to the latest version (see “How to Upgrade Remote Check Point Nodes” on page 64 of the Check Point SmartCenter Guide).
Ensure that there is connectivity between the SmartCenter Server and the remote Check Point Nodes with the version 4.1 products.
2 Import all licenses into the License Repository (Licenses > Get All Licenses). This can also be done after upgrading the products on the remote Check Point Nodes to NG (at step 5). To see all the licenses in the repository, open the License Repository (Licenses > View Repository).
3 Upgrade the version 4.1 products on the remote Check Point Nodes. (See “Upgrading a Single Product on a Check Point Node” on page 103 of the Check Point SmartCenter Guide.)
4 Using Licenses > New Licenses > Add From User Center..., view the licenses for the products that were upgraded from version 4.1 to NG, create new upgraded licenses, and download a file containing the upgraded NG licenses.

Note - Only download licenses for the products that were upgraded from version 4.1 to NG.

5 If you did not import the version 4.1 licenses into the repository in step 2, import the version 4.1 licenses now (Licenses > Get All Licenses).
6 Upgrade the licenses. Select Licenses > Upgrade... and select the downloaded license file.
• The licenses in the downloaded license file and in the license repository are compared.
• If the certificate keys and features match, the old licenses in the repository and in the remote Check Point Nodes are updated with the new licenses.
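Step 6 states the matching rule (the certificate key and the features must both match) but not what becomes of licenses that fail it. The following is an added example, not code from the SmartCenter Guide: it applies that rule to a constructed repository and a constructed downloaded file, replaces only the matched version 4.1 licenses, and reports downloaded licenses that matched nothing, which covers the case the Note in step 4 warns about (licenses downloaded for products that were not upgraded). It assumes that each downloaded record carries the certificate key and the feature string of the 4.1 license it replaces together with the new NG license string; the real layout of the downloaded file is not described in the guide. Certificate keys, feature strings, license strings and node names are placeholders.

```python
"""Licenses > Upgrade...: replace version 4.1 licenses that match a downloaded NG license.

Added example; not code from the SmartCenter Guide. All records are constructed and
the layout of the downloaded file is an assumption.
"""
from typing import Dict, List, Tuple

# Constructed License Repository after Licenses > Get All Licenses from the 4.1 nodes.
REPOSITORY: List[Dict[str, str]] = [
    {"cert_key": "CK-PLACEHOLDER01", "features": "CPMP-FW-41", "version": "4.1", "attached_to": "gw-london"},
    {"cert_key": "CK-PLACEHOLDER02", "features": "CPMP-VPN-41", "version": "4.1", "attached_to": "gw-paris"},
    {"cert_key": "CK-PLACEHOLDER03", "features": "CPMP-FW-41", "version": "4.1", "attached_to": "gw-rome"},
    {"cert_key": "CK-PLACEHOLDER04", "features": "CPMP-FW-NG", "version": "NG", "attached_to": "gw-berlin"},
]

# Constructed downloaded file (assumed layout): certificate key and features identify the
# 4.1 license being upgraded; 'license' is the new NG license string to install.
DOWNLOADED: List[Dict[str, str]] = [
    {"cert_key": "CK-PLACEHOLDER01", "features": "CPMP-FW-41", "license": "NG-LICENSE-STRING-1"},
    {"cert_key": "CK-PLACEHOLDER02", "features": "CPMP-VPN-41", "license": "NG-LICENSE-STRING-2"},
    {"cert_key": "CK-PLACEHOLDER03", "features": "CPMP-VPN-41", "license": "NG-LICENSE-STRING-3"},  # features differ
    {"cert_key": "CK-PLACEHOLDER09", "features": "CPMP-FW-41", "license": "NG-LICENSE-STRING-4"},   # key unknown
]


def upgrade_licenses(repository: List[Dict[str, str]],
                     downloaded: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str], List[Dict[str, str]]]:
    """Return (updated repository, nodes whose license was replaced, unmatched downloads).

    A downloaded license replaces a repository entry only when both the certificate key
    and the features match and the entry is a version 4.1 license; everything else in
    the repository is left as it is, and the input list is not modified."""
    index = {(lic["cert_key"], lic["features"]): i for i, lic in enumerate(repository)}
    updated = [dict(lic) for lic in repository]
    replaced, unmatched = [], []
    for new in downloaded:
        i = index.get((new["cert_key"], new["features"]))
        if i is None or updated[i]["version"] != "4.1":
            # Nothing to upgrade: the product was not upgraded, or the download is for another license.
            unmatched.append(new)
            continue
        updated[i].update(version="NG", license=new["license"])
        replaced.append(updated[i]["attached_to"])
    return updated, replaced, unmatched


if __name__ == "__main__":
    updated, replaced, unmatched = upgrade_licenses(REPOSITORY, DOWNLOADED)
    print("replaced on:", replaced)
    print("unmatched downloads:", [(u["cert_key"], u["features"]) for u in unmatched])
```

The unmatched list is the part to inspect before pushing anything to the remote nodes: a certificate key the repository has never seen usually means a download for a product that was never retrieved with Get All Licenses (step 2 or step 5), and a mismatched feature string means the wrong license was generated at the User Center.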


Licensing Glossary
SmartUpdate introduces a number of new licensing concepts. The following is a brief explanation of some licensing concepts.

TABLE 2-13 Licensing Terms and Concepts

Add: Licenses received from the User Center should first be added to the SmartUpdate License Repository (see page 101). Adding a Local license to the Repository also Attaches it on the Check Point Node. The licenses can be
• Imported from a file, or
• Added Manually by pasting or typing the license details.

Attach: Licenses are Attached to a Check Point Node via SmartUpdate (see page 105). Attaching a license involves:
• installing the license on the remote Check Point Node, and
• associating the license and the Check Point Node in the License Repository.

Central License: A Central license is tied to the IP address of the SmartCenter Server (see “Central Licenses” on page 98).

Certificate Key: See “Certificate Key” on page 100.

Cplic: Command line for managing Local and Central licenses. Provides the functionality of SmartUpdate License Manager from the command line. See “Local Licensing Commands” on page 624 and “Remote Licensing Commands” on page 631.

Detach: Licenses are Detached from a Check Point Node via SmartUpdate (see page 109). Detaching a license involves:
• uninstalling the license from the remote Check Point Node, and
• making the license in the License Repository available to any Check Point Node.

Get: Locally installed licenses can be retrieved into the License Repository, in order to update the repository with all licenses across the installation (see page 150). The Get operation is a two-way process. It:
• retrieves to the Repository all locally installed licenses, and
• removes from the Repository all locally deleted licenses.

License Expiration: Licenses expire on a particular date, or never. After a license has expired, the functionality of the Check Point product may be impaired. See “Checking for Expired Licenses” on page 115.

Local License: A Local license is tied to the IP address of a specific Check Point Node, and can only be used for a Check Point Node with that IP address (see “Local Licenses” on page 99).

Multi-license file: Licenses can be conveniently Added by importing a file to the license repository, rather than by typing long text strings. Multi-license files contain more than one license, and can be downloaded from the User Center: http://www.checkpoint.com/usercenter. In the command line, Multi-license files are supported by the cplic put and cplic db_add commands. See “License Management” on page 624.

Delete: Licenses that are not attached to any Check Point Node and are no longer needed, can be deleted from the License Repository (see page 112).

SKU: SKU stands for Stock Keeping Unit. The SKU is a character string that identifies an individual product.


SmartUpdate Architecture
FIGURE 2-37 SmartUpdate Architecture
[Figure: the components shown are the Check Point CD and the Download Center as sources of Licenses and Packages; the Management Server with its SecureUpdate component and the Check Point Database holding Packages and Licenses; the GUI Client and the command line tools cplic (remote and local), cprinstall and cppkg; and the Check Point Nodes running the SVN Foundation with cpd and CPRID. SIC links the GUI Client to the Management Server, and the Management Server (CPD, CPRID) to the Check Point Nodes.]

• Licenses and products are managed using the SmartUpdate GUI. Command lines are also available.
• The Check Point SmartCenter Server includes the SmartUpdate License and Product Management components.
• The License Repository ($FWDIR/conf/licenses.C) is part of the Check Point database.
• The default Product (Package) Repository location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot. The Product Repository ($FWDIR/conf/packages.C) is part of the Check Point database.
• Communication between the Management Client, the SmartCenter Server and the SVN Foundation on remote Check Point Nodes uses Secure Internal Communication (SIC):
  • Product Management uses a CPRID (Check Point Remote Installation Daemon) client on the SmartCenter Server, and a CPRID server on remote Check Point Nodes.
  • License Management uses the cpd daemon.
  • The CPRID Server and cpd are components of the SVN Foundation installed on the Check Point Nodes.
• A log file of SmartUpdate product operations is generated in the file $SUROOT\log\<Check Point Node name>_SecureUpdate.elg.
• An audit log of SmartUpdate operations can be viewed in the SmartView Tracker Audit View.


SmartUpdate FAQ

In This Section

General SmartUpdate Questions
How do I install SmartUpdate? page 122
What is the Trial Period, and how is it different from an evaluation license? page 122
Where are the SmartUpdate logs? page 122

Remote Installation Questions
How do I upgrade a remote Check Point Node to Check Point NG FP3? page 123
How do I upgrade the OS on the Check Point Node via SmartUpdate? page 123
What products can I install and where can I get them from? page 123
What should a Check Point Node include (installations, versions) in order to be remotely installable? page 123
How do I know if an installation succeeded? Can I cancel it? Roll back/backout? page 123
How do I upgrade a Check Point ClusterXL gateway cluster? page 124
When does the Check Point Node need to be rebooted? page 124

Licensing Questions
How do I create the new Central licenses and how are they different from the old ones? page 125
How do I use Central Licenses? page 125
How can I view/manage version 4.1 licenses in SmartUpdate GUI? page 126
Do I need new licenses when changing the IP of the SmartCenter Server? page 126

General SmartUpdate FAQ


Question: How do I install SmartUpdate?

SmartUpdate is silently installed together with the VPN-1/FireWall-1 SmartCenter Server. The
SmartUpdate Management (GUI) Client is installed by default at the same time as the other
Management Clients.

Question: What is the Trial Period, and how is it different from an evaluation license?

See “The Trial Period” on page 99.


Question: Where are the SmartUpdate logs?
• A log file of SmartUpdate product operations is generated in the file $SUROOT\log\<Check Point Node name>_SecureUpdate.elg.
• An audit log of SmartUpdate operations can be viewed in the SmartView Tracker Audit View.
• In addition, log information is displayed in the Operation Status view and in the Operation Details window.

Remote Installation FAQ


Question: How do I upgrade a remote Check Point Node to Check Point NG FP3?

“Upgrade All Products” is the recommended method. See “How to Upgrade Remote Check
Point Nodes” on page 64.

Question: How do I upgrade the OS on the Check Point Node via SmartUpdate?

In NG FP3, it is possible to use SmartUpdate to upgrade the operating system on a Nokia Appliance and on SecurePlatform NG. First, upgrade the OS and boot the machine, as described in “Installing a Single Product” on page 89, and then upgrade all the other products to the latest version, and reboot.

Question: What products can I install and where can I get them from?

As of SmartUpdate NG FP2, there is only one kind of product package for both local and remote installations. Packages can be obtained from the Check Point NG FP2 CD or the Check Point Download Center (http://www.checkpoint.com/techsupport/downloads/downloads.html). Add packages to the Product Repository using the SmartUpdate GUI. Use the menu items Product > New Products > Add From User Center..., Add From CD..., or Import File.

Question: What should a Check Point Node include (installations, versions) in order to
be remotely installable?

To use SmartUpdate to upgrade a product on a remote Check Point Node, the product must be
of version 4.1 SP2 or higher, or version NG.
If you have VPN-1/FireWall-1 version 4.1 SP2 or higher on the Check Point Node, you can
use SmartUpdate to remotely install the SVN Foundation components from scratch. To do so,
you must first install and configure the CPutil package (found on the Check Point 2000 CD
and on the Check Point Support download site) on every network object which will participate
in the Remote Installation. For details, see the Release Notes for these packages.
SmartUpdate Installation Management uses a CPRID (Check Point Remote Installation
Daemon) client on the SmartCenter Server, and a CPRID server on remote Check Point
Nodes. License Management uses the cpd daemon. The CPRID server and cpd are components
of the SVN Foundation on the Check Point Nodes. All these components must run in order for
the remote upgrade to succeed.

Question: How do I know if an installation succeeded? Can I cancel it? Roll back/backout?

The Operation Status log shows current and past SmartUpdate operations. Each entry includes the current status and the success or failure of the operation.
SmartUpdate can stop the remote installation of a product, even during transfer of files, extraction and testing, though stopping an installation is not recommended. You can stop the operation at any time up to the actual installation (see “Stopping an Operation and Clearing Completed Operations” on page 96).

Question: What happens if the connection between the Management and the remote
Check Point Node breaks while upgrading?

If the communication break happens before or during the actual product installation, the
product upgrade fails, and SmartUpdate restores the previously installed version. If the
installation completes, the new version will be in place.

Question: How do I upgrade a Check Point ClusterXL gateway cluster?

The following procedure describes how to upgrade a version 4.1 or NG gateway cluster.
If using a third party cluster, before performing the upgrade, configure the synchronization network in the Synchronization tab, and the cluster mode in the ClusterXL tab. Also, refer to the third party documentation.
To upgrade a cluster of Check Point Gateways, proceed as follows:
1 Obtain an NG Central license for the cluster and install it on the SmartCenter Server.
2 On all the inactive cluster members, use SmartUpdate to remotely upgrade all products to the latest version.
3 Reboot all the inactive member machines.
4 Update the cluster object and members in the SmartDashboard as described in chapter 5, “ClusterXL” on page 241 of the Check Point FireWall-1 Guide.
5 When the standby machines are up again, in the SmartDashboard, uncheck the On Gateway clusters, install on all members, If it fails do not install at all checkbox, and install the security policy on the cluster. The policy will be successfully installed on the standby cluster members, and will fail on the active machine.
6 On the active cluster member, run the cpstop command, then the cphastop command.
7 On the active cluster member, use SmartUpdate to remotely upgrade all products to the latest version and install the Central licenses for the products (such as FireWall-1, not High Availability licenses) installed on the cluster member.
8 When the cluster members come up, they try to fetch the policy from the active member, then from the SmartCenter Server, and then from themselves. If all this fails, install the Policy on the cluster.

Question: When does the Check Point Node need to be rebooted?

Booting the machine loads the new FireWall-1 kernel. It is required at the end of the installation or upgrade process, after all Check Point products on the machine have been successfully installed or upgraded to the latest version.
The machine can also be rebooted in the middle of the upgrade process, with no ill effects, even before all products have been upgraded to the latest version, but this is unnecessary. Starting the Check Point services (cpstart) will start only products with the same version as the installed SVN Foundation.

Licensing FAQ
Question: How do I create the new Central licenses and how are they different from the old ones?

Create new licenses at the User Center, at http://www.checkpoint.com/usercenter. Choose the default 'Central licenses' option.
A Central license has the IP address of the SmartCenter Server and can be used for all managed Check Point Nodes.
A Local license has the IP address of the SmartCenter Server Check Point Node, or of the remote Check Point Node, and can only be used for a Check Point Node with that IP address.

Question: How do I use Central Licenses?

To use Central licenses, you must add them to the License Repository and attach them to a
Check Point Node. Proceed as follows:
1 Install the SmartCenter Server, the product on the remote Check Point Node, and the GUI
client
2 Initialize Secure Internal Communication (SIC) between the SmartCenter Server and the
remote Check Point Node.
3 Create a Central license for the SmartCenter Server and the Check Point Nodes at the User
Center http://www.checkpoint.com/usercenter with the IP address of the SmartCenter
Server.
4 Install a license for the SmartCenter Server.
5 In the SmartUpdate GUI, select Licenses> View Repository to open the License
Repository view.
6 Add the license to License Repository (Drag-and-Drop the license file to the Repository, or
select Licenses> New License> Add manually or Import File).
The new license will appear in the License Repository.
7 Click the Licenses Tab.
8 Choose the license in the Repository, and drag-and-drop it over the desired target Check Point
Node.
There will be an Operation Status message, and when done, the license will be attached. The
license icon will change and the license will appear under the Check Point Node in the
Licenses tab.

Question: How can I view/manage version 4.1 licenses in SmartUpdate GUI?

Version 4.1 licenses are Local licenses. Version 4.1 licenses:
• CAN be retrieved into the SmartUpdate License Repository (see “Getting Check Point
Node Licenses into the License Repository” on page 150)
• CANNOT be deleted (detached) via SmartUpdate.
If a product on a Check Point Node is upgraded from version 4.1 to the latest NG version, the
license must be upgraded as well. You should obtain a Central license (see “Obtaining Licenses”
on page 100) in order to gain the manageability benefits. However, a Local license can still be
used. All version 4.1 licenses can be automatically upgraded (see “Automatically Upgrading
Version 4.1 Licenses” on page 117).

Question: Do I need new licenses when changing the IP of the SmartCenter Server?

When changing the IP address of the SmartCenter Server, you need to relicense all the Certificate
Keys bound to the old IP address with the new IP address of the SmartCenter Server.
Proceed as follows:
1 Collect all Certificate Keys bound to the old IP address of the SmartCenter Server.
2 In the User Center (http://www.checkpoint.com/usercenter), relicense those Certificate
Keys using the new IP address of the SmartCenter Server.
3 From the User Center, download the file containing the new licenses.
4 Using SmartUpdate, detach (see “Detaching a License from a Check Point Node” on page
109) and delete (see “Deleting a License from the License Repository” on page 112) the old
licenses.
5 Import the new licenses in the file into the License Repository (see “Adding a License to
the License Repository” on page 101).
6 Attach the new licenses to the Check Point Nodes (see “Attaching a License to a Check
Point Node” on page 105).

Question: How do I upgrade a version 4.1 License to an NG License?

See “Automatically Upgrading Version 4.1 Licenses” on page 117.

CHAPTER 3

Graphical User Interface

In This Chapter

Managing VPN-1/FireWall-1 page 129
The Check Point SmartDashboard page 130
Displaying SmartDashboard Windows page 146
Menus page 147
VPN-1/FireWall-1 Toolbars page 154
VPN-1/FireWall-1 Status Bar page 158

Managing VPN-1/FireWall-1
The easiest way to manage VPN-1/FireWall-1 is to use the Check Point SmartDashboard. You
can use the command line interface, if you wish, instead of the SmartDashboard. For additional
information about the VPN-1/FireWall-1 command line interface, see Chapter 19, “Command
Line Interface”.

Note - The VPN-1/FireWall-1 command line interface runs only on the SmartCenter Server.

For information about the FireWall-1 Client/Server model, see “VPN-1/FireWall-1
Client/Server Model” on page 12.

The Check Point SmartDashboard

Starting the SmartDashboard


To start the Check Point SmartDashboard, proceed as follows:

TABLE 3-1 Starting the Check Point SmartDashboard

Window System   Action
Windows         Double-click the SmartDashboard icon.
X/Motif         Run /opt/CPclnt-50/bin/PolicyEditor.

The SmartDashboard Login window (FIGURE 3-1) is then displayed.


FIGURE 3-1 SmartDashboard login window

You can log in using either your:
• user name and password
1 Select User Name.
2 Enter your user name and password.
3 Click OK.
• certificate
1 Select Certificate.
2 Enter the name of your PKCS#12 certificate file. You can browse for the file by clicking the
browse button.
3 Enter the password you used to create the certificate.
4 Click OK.

Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.

If you do not wish to modify a policy, check Read Only before clicking on OK.

Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49 for information on how to define users on the
SmartCenter Server.

Certificate Management, Compression Optimization and Advanced Options
In the SmartDashboard Login window (FIGURE 3-1), click More Options >> to display the
Certificate Management, Connection Optimizations and Advanced options (FIGURE 3-2).
FIGURE 3-2 SmartDashboard login window — More Options

To change the certificate password, click Change Password.

To compress the connection to the SmartCenter Server, check Use compressed connection.

Enter the text describing why the administrator wants to make a change in the security policy
in Session ID (optional). The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the
SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.

Verifying the Connection to the SmartCenter Server


The first time you log in to the SmartCenter Server from a GUI client, a window showing the
fingerprint of the SmartCenter Server will be displayed. To ensure that you are connecting to
the actual SmartCenter Server rather than to an imposter, be sure to compare this fingerprint
with the actual fingerprint of the SmartCenter Server. See “Communications Between the
SmartCenter Server and the GUI Client” on page 21 for details.

Warning - Do not make a first-time connection to a SmartCenter Server from a GUI client,
unless you have the SmartCenter Server fingerprint, and are able to confirm it is the same
as the fingerprint displayed in the GUI client.

After a brief delay, during which the VPN-1/FireWall-1 database is loaded, the VPN-1/FireWall-1
SmartDashboard window is displayed.

The SmartDashboard Window


FIGURE 3-3 VPN-1/FireWall-1 SmartDashboard (callouts: toolbars; Security Policy Rule Base,
Address Translation Policy, VPN Manager, Desktop Security Policy, WebAccess Policy and
Quality of Service Policy tabs; SmartMap; Objects Tree; details of the objects selected in the
Objects Tree are displayed in the Objects List)
The SmartDashboard window’s title shows the name of the Policy currently displayed.
Depending on your license (the VPN-1/FireWall-1 features your SmartCenter Server is licensed
to implement), you will see some or all of the following tabs in the SmartDashboard window.
• Security Policy
The Security Policy Rule Base is described in Chapter 8, “Security Policy Rule Base.”
• Address Translation
The Address Translation Rule Base is described in Chapter 2, “Network Address Translation
(NAT)” in Check Point FireWall-1.
• VPN Manager
The VPN Manager tab is described in the book Check Point Virtual Private Networks.
• Desktop Security Policy
The SecureClient Policy is described in the book Check Point SecureClient User Guide.
• WebAccess
The Web Access tab is described in the book Check Point UserAuthority.

Object Tree
The Objects Tree consists of eight tabs. These tabs provide access to eight object types. Within
each tab, a different object type is represented in its own tree. You can change the display of
information by collapsing or expanding the object tree using the collapse and expand buttons,
respectively. Within these tabs you can create and modify selected objects.
FIGURE 3-4 Object Tree Tabs — select the tab of your choice

To display the Objects Tree


Check Objects Tree in the View menu to display the Objects Tree.

TABLE 3-2 Object Tree Tabs

No.  Tab                 Toolbar Icon   Menu Command
1    Network Objects     [icon]         Manage > Network Objects
2    Services            [icon]         Manage > Services
3    Resources           [icon]         Manage > Resources
4    OPSEC Applications  [icon]         Manage > OPSEC Application
5    Servers             [icon]         Manage > Servers
6    Users               [icon]         Manage > Users
7    Time Objects        none           Manage > Time
8    Virtual Links       [icon]         Manage > Virtual Links
9    VPN Communities     none           Manage > Communities

Creating New Objects in the Objects Tree


1 Open the Object tab by selecting the Object icon of your choice (see FIGURE 3-4).

2 Right-click on an object in the Objects Tree.
A menu is displayed, depending on the object that you selected in the Objects Tree.
FIGURE 3-5 Creating a New Object in the Objects Tree (Figure A, Figure B)

3 Select New Object Type from the displayed menu. For example, in the Network Objects tab,
if you select the Network object icon in the Objects Tree, the menu will display New
Network (FIGURE 3-5 — Figure A). However, if you select the primary object type (the
first object in the tree, for which the tab is named), you will have to select New and then
select the object type from the displayed sub-menu (FIGURE 3-5 — Figure B).
The Object Properties window is displayed.

Sorting the Objects Tree


1 Right-click anywhere on the Objects Tree.
A menu is displayed.
2 Select one of the following:
• Sort by Type — Arrange the Objects Tree by Object types.
• Sort by Name — Arrange the Objects Tree by alphabetical order.
• Sort by Color — Arrange the Objects Tree by the specified object color.

The Objects Tree is sorted.

Modifying Objects in the Objects Tree


1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Edit from the displayed menu.
The object’s Properties window is displayed. You can now modify the object properties.

Removing Objects from the Objects Tree


1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Delete from the displayed menu.
A prompt is displayed.
3 Confirm that you would like to delete the selected object.
The object is deleted.

Where Used
1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Where Used... from the displayed menu.
In the displayed window you can see where the selected object is used in the Rule Base. If
the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any. For more information, see “Object
Occurrences window” on page 137.

Showing Objects in the SmartMap View


1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Show from the displayed menu.
The object is highlighted in the SmartMap View.

Object List
The Objects List displays all Object types in a detailed table. This table includes Object
configuration information and details, as specified in the Object’s Properties window.

To display the Objects List


Check Objects List in the View menu to display the Objects List.

Modifying Objects in the Objects List


1 Right-click on an Object in the Objects List.
A menu is displayed.
2 Select Edit from the displayed menu.
The object’s Properties window is displayed. You can now modify the object properties.

Removing Objects from the Objects List


1 Right-click on an Object in the Objects List.
A menu is displayed.
2 Select Delete from the displayed menu.
A prompt is displayed.
3 Confirm that you would like to delete the selected object.
The object is deleted.

Showing Objects in the SmartMap View


1 Right-click on an Object in the Objects List.
A menu is displayed.
2 Select Show from the displayed menu.
The object is highlighted in the SmartMap View.

Object References window


The Object References window is accessed by clicking Where used on the right-click menu at
various places in the Rule Base, Objects Tree and Objects List. In this window you can learn
where the selected object is used in the Security Policy.
This window is divided into several tabs (Objects, Rulebases and Queries) and in each tab you
can learn more information about the selected object. Some of the data that you can learn is:
Object Name — the name of the specified object
Occurrence in Rule Base — the specified object may be present in one or more places in any of
the SmartDashboard Rule Bases:
Last In Cell? — if the specified object is the only object in one or more cells in the Rule Base,
removing this object will change the value of the cell to Any
Rule Base — the name of the Rule Base in which the specified object occurs
Tab — the name of the tab in which the Rule Base is saved
Occurrence in Other Objects — the specified object may be present in a number of different
objects:
Type — the object type in which the specified object occurs
Name — the name of the object in which the specified object occurs

Working with the Objects Tree and the Objects List


The Objects Tree and the Objects List are meant to be used simultaneously. When an object is
selected in the Objects Tree, the Objects List automatically displays the details of the selected
object.

The SmartMap
Check Point’s SmartMap provides a topological view of the objects in the SmartDashboard. The
SmartMap View is a mapped visual representation of the network objects defined in the
SmartDashboard and the relationship between these network objects. For more information
about the SmartMap, see Chapter 17, “SmartMap.”

Problems in Connecting to the SmartCenter Server


If the VPN-1/FireWall-1 GUI cannot connect to the SmartCenter Server, an error message
window like the one shown in FIGURE 3-7 is displayed.
FIGURE 3-6 Error message window

When this happens, the problem is usually one of the following:
1 The specified SmartCenter Server is inaccessible for one of the following reasons:
• There may be no such server.
• The specified SmartCenter Server may be inaccessible or down at the moment.
• The request may have timed out.
In this case, an error message “No Response from Server” will be displayed.
By default the GUI waits 15 seconds for the SmartCenter Server to respond to requests. In
certain cases the server may be very loaded and certain operations (queries for example) may
take longer than 15 seconds. If this happens, you can change the default 15 second timeout
as follows:
• Windows NT
Set a registry DWORD value named ServerTimeout under the key
HKEY_LOCAL_MACHINE\Software\CheckPoint\Policy Editor\5.0 to the desired timeout
in seconds.
• X/Motif
Set an environment variable named SERVER_TIMEOUT to the desired timeout in seconds.
• The specified SmartCenter Server’s name is not being correctly resolved, perhaps
because you misspelled it.
• The Caps Lock key is down.
2 You did not enter your password correctly.
Re-enter your password and try again.
3 The machine you are working on is not one of the GUI Clients permitted by the server.

If your SmartCenter Server is running under Windows NT, you can add or delete GUI Clients
using the VPN-1/FireWall-1 Configuration application. See Chapter 4, “Installing and
Configuring VPN-1/FireWall-1,” for information about the VPN-1/FireWall-1 Configuration
application.
If your SmartCenter Server is running under Unix, then you can add or delete GUI Clients by
using any text editor to modify the file
$FWDIR/conf/gui-clients directly. The file consists of IP addresses or resolvable names, one
per line.
4 You are not one of the allowed administrators.
Use the Check Point configuration application to manage administrators.
5 The versions of the GUI Client and SmartCenter Server are incompatible.
This can happen when mixing encryption and non-encryption versions.
6 A rule or property disallows the connection between the GUI Client and SmartCenter
Server.
See “Accept VPN-1 & FireWall-1 control connections” on page 290 for more information.
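The gui-clients file format described above (IP addresses or resolvable names, one per line) is easy to get wrong when edited by hand, and a mistyped entry simply means that workstation is refused. The following is an added example, not Check Point's own code: a small offline Python validator that flags entries which are neither a valid IP address nor a well-formed host name, and duplicate lines. It assumes that blank lines are ignored, that entries compare case-insensitively and that IPv6 addresses are acceptable; the guide says nothing about any of these. It performs no DNS lookups, so it cannot tell whether a name actually resolves, and the sample file content is constructed, not taken from a real installation.

```python
"""Offline validator for a SmartCenter gui-clients file (added example).

The guide states that on Unix the permitted GUI Clients are listed in
$FWDIR/conf/gui-clients as IP addresses or resolvable names, one per line.
This script reports entries that are neither a valid IP address nor a
syntactically valid host name, and duplicate entries. It does no DNS
lookups. Assumptions not stated in the guide: blank lines are ignored,
entries are compared case-insensitively, IPv6 addresses are accepted.
"""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Anything made only of digits and dots is meant to be an IPv4 address, not a name.
_NUMERIC = re.compile(r"^[0-9.]+$")


def is_ip_address(text: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_valid_hostname(name: str) -> bool:
    """True for a syntactically valid (RFC 1123 style) host name."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def classify_entry(entry: str):
    """Return 'ip', 'name', or None for an entry that is neither."""
    if is_ip_address(entry):
        return "ip"
    if _NUMERIC.match(entry):
        # e.g. 10.0.0.300 looks like an address but is not one; do not let it
        # slip through as a "host name" made of numeric labels.
        return None
    if is_valid_hostname(entry):
        return "name"
    return None


def check_gui_clients(content: str) -> dict:
    """Check the text of a gui-clients file.

    Returns the accepted entries in file order, the invalid entries as
    (line number, text) pairs, and duplicate entries likewise.
    """
    accepted, invalid, duplicates, seen = [], [], [], set()
    for lineno, raw in enumerate(content.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if classify_entry(entry) is None:
            invalid.append((lineno, entry))
            continue
        key = entry.lower()
        if key in seen:
            duplicates.append((lineno, entry))
        else:
            seen.add(key)
            accepted.append(entry)
    return {"accepted": accepted, "invalid": invalid, "duplicates": duplicates}


# Constructed sample file content; not taken from any real installation.
SAMPLE_GUI_CLIENTS = """\
192.168.10.5
admin-ws.example.com

10.0.0.300
192.168.10.5
bad host name
"""


if __name__ == "__main__":
    report = check_gui_clients(SAMPLE_GUI_CLIENTS)
    for lineno, entry in report["invalid"]:
        print(f"line {lineno}: invalid entry {entry!r}")
    for lineno, entry in report["duplicates"]:
        print(f"line {lineno}: duplicate entry {entry!r}")
    print("accepted:", report["accepted"])
```

Run it against the real file with `check_gui_clients(open("$FWDIR/conf/gui-clients").read())` after expanding `$FWDIR` yourself; the script deliberately rejects an all-numeric entry that is not a valid address, since such a line would otherwise pass a naive host-name check.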

Tracking Revision Control


Check Point SmartDashboard allows you to create backup versions of the database. This allows
the database administrator, if needed, to go back to a previous state of the database. The backup
versions are stored on the SmartCenter Server.
Check Point SmartDashboard allows you to view different database versions stored in the
database version repository. You can create a new database version or delete an existing one.

Note - To use the Database Revision Control feature, you must have the appropriate
license.

To view the list of database versions, choose Database Revision Control from the File menu or
click the Database Revision Control button in the toolbar. The following window appears (see
FIGURE 3-8).

FIGURE 3-7 Revision Control window

This window displays a list of all the database versions in the version repository.
The Database Revision Control window contains the following columns:
Version ID — the sequence number of the database version in the version repository. The value
is automatically maintained by the Check Point SmartDashboard.
Name — the name of the database version. This field may be empty because when you create a
new database version, giving it a name is optional. For more information, see “Creating a New
Database Version” on page 141.
Creation Date — the day, date, and time the database version was created
Major Version — the (major) version of the product used to create the database version
Minor Version — the (minor) version of the product used to create the database version
Administrator — the administrator name used to log in to the SmartDashboard (see “Starting the
SmartDashboard” on page 130)
Comment — a comment added about the database version

Creating a New Database Version


You can create a new database version in the version repository.

To create a new database version


1 Click Create in the Database Revision Control window (see FIGURE 3-8). The
following window appears (see FIGURE 3-9).

FIGURE 3-8 Create New Version window

2 Enter the name of the new database version in the Name box.
3 Enter a comment about the new database version in the Comment box.

Note - Step 2 and Step 3 are both optional since Check Point SmartDashboard uniquely
identifies each new version with a sequence number and a creation date.

4 Click OK. The newly-created version is added to the list and to the version repository.

Modifying Version Properties


You can modify the properties of an existing database version.

To modify the properties of an existing database version


1 In the Database Revision Control window, select the version whose properties you want
to modify and click Properties. The Database Version Properties window appears. For a
description of the fields in this window, see page 141. Only the Name and Comments fields
can be edited.
2 Make the desired changes and click OK. The changes you made appear in the Database
Revision Control window.

Deleting a Version
In the Database Revision Control window, select the version you want to delete and click
Delete.

Viewing a Previous Database Version


In the Database Revision Control window (FIGURE 3-8), select the version you want to
view and click View Version. A SmartDashboard window opens in read-only mode. It displays
the rules that were defined for that version. The title bar contains the name of the version you
selected to view.

Note - For information on how to install a previous FireWall-1 Security Policy version on a
Module without changing the definition of the currently-active database policy on the
SmartCenter Server, see page 575 in Chapter 19, “Command Line Interface.”

Reverting to a Previous Database Version


You can restore the content of a previous database version. The files in the database of the server
are replaced with the files of the database version to which you reverted.
1 In the Database Revision Control window, select the version you want to open and click
Restore Version. The Restore Database Verification window appears.
2 Do one of the following:
• If you want to retain the users you have defined for the current database version, select
Apply the current user database onto the restored version.
• If you want to revert to the users defined for the database version to be restored, select
Restore the entire database.

Note - Take into account that retaining the current user database might create a conflict,
preventing the successful restoration of the version.

3 You can optionally click View Version to open another SmartDashboard application
displaying the version you want to restore in read-only mode.
4 Click Next. A verification process is initiated that checks for problems or conflicts caused
by inconsistencies between the current database and the version to be restored.
If no inconsistencies are detected, the database is successfully restored and the following
window appears.

FIGURE 3-9 Database restored successfully

If inconsistencies are detected, errors or warnings are displayed with explanations of why
restoration of the database version failed. For example, let’s consider the following scenarios.
Scenario 1
In the current database, you added a new object (tac1) to the database and you defined a
user (u2) to use the newly-added object (tac1). If you want to restore a previous database
but want to retain the users you have defined for the current database version (by choosing
the option Apply the current user database onto the restored version), an inconsistency
will be detected and the restoration process will fail because the object (tac1) did not exist
in the previous version. In this case, the following window appears:

FIGURE 3-10 Restoration process failed

Click the Verification Problems button for details about why the restoration process failed.
The following window appears.
FIGURE 3-11 Restore database troubleshooting

Correct the problem and try to restore the database version again.
Scenario 2
In the current database, you created a certificate for the following Gateways:
• bono
• rossini
If you revert to another database version, the certificates you created will no longer be valid
and you will get the following warning:

FIGURE 3-12 Invalidating Gateway Certificates

If you click Next, the Gateways will lose the certificates.


5 Once the verification process is completed successfully, click Restore. The SmartDashboard
closes and then reopens after a few seconds with the restored database.

Displaying SmartDashboard Windows


TABLE 3-3 shows how to display each of the more important SmartDashboard windows.

TABLE 3-3 Displaying SmartDashboard windows

Network Objects (toolbar button): Choose Network Objects from the Manage menu or right-click on a rule’s Source or Destination (see Chapter 5, “Network Objects”).
Users (toolbar button): Choose Users from the Manage menu or right-click on a rule’s Source (see Chapter 4, “Managing Users and Administrators”).
Services (toolbar button): Choose Services from the Manage menu or right-click on a rule’s Services (see Chapter 6, “Services and Resources”).
Resources (toolbar button): Choose Resources from the Manage menu (see Chapter 6, “Services and Resources”).
Servers (toolbar button): Choose Servers from the Manage menu (see Chapter 10, “Server Objects and OPSEC Applications”).
OPSEC Applications (toolbar button): Choose OPSEC Application Properties from the Manage menu (see Chapter 10, “Server Objects and OPSEC Applications”).
Virtual Links Manager (toolbar button): Choose SmartView Monitor > Virtual Links from the Manage menu (see Chapter 16, “Virtual Links”).
VPN Communities (no toolbar button): Choose VPN Communities from the Manage menu.
Properties Setup (toolbar button): Choose Global Properties from the Policy menu (see Chapter 7, “Global Properties”).
SmartView Status (no toolbar button): Double-click on the SmartView Status icon on the desktop, or choose SmartView Status from the Window menu.
SmartView Tracker (no toolbar button): Double-click on the SmartView Tracker icon on the desktop or choose SmartView Tracker from the Window menu.

Menus

Note - The majority of SmartDashboard menus are common to both the Standard and the
Log Consolidator products. The word “Policy” refers to either the Security Policy or the
Consolidation Policy, depending on the product viewed through the Products sub-menu
of the View menu.
For more information on Log Consolidator-specific menus, see Getting Started with the
Check Point Reporting Module.

File Menu
TABLE 3-4 The File Menu options

New (no toolbar button): Create a new Policy Package. See “Creating a New Policy Package” on page 311.
Open (no toolbar button): Open an existing Policy Package. See “Opening a Policy Package” on page 311.
Installed Policies (no toolbar button): View a policy installed on a VPN/FireWall Module managed by this SmartCenter Server. See Chapter 8, “Security Policy Rule Base”.
Refresh (toolbar button): Refresh the Policy from the SmartCenter Server.
Save (toolbar button): Save the current Policy Package and all system objects. See “Saving a Policy Package” on page 313.
Save As (no toolbar button): Save the current Policy Package and all system objects. See “Saving a Policy Package” on page 313.
Delete (no toolbar button): Delete a Policy Package. See “Deleting a Policy Package” on page 313.
Database Revision Control (toolbar button): Open the Database Revision Control window. See “Tracking Revision Control” on page 140.
Print (no toolbar button): Print the current Rule Base or the topology map. See Chapter 8, “Security Policy Rule Base”.
Print Preview (no toolbar button): Print preview of the current Policy.
Print Setup (no toolbar button): Open the standard Print Setup window.
Exit (no toolbar button): Exit the application.

Edit Menu
TABLE 3-5 The Edit menu options

Cut (toolbar button): Delete the selected rule (or rules) and copy to the Clipboard. See “Copying, Cutting and Pasting Rules” on page 327.
Copy (toolbar button): Copy the selected rule (or rules) to the Clipboard. See “Copying, Cutting and Pasting Rules” on page 327.
Paste (toolbar button): Paste the rule that is in the Clipboard. See “Copying, Cutting and Pasting Rules” on page 327.

View Menu
TABLE 3-6 The View menu options

Products (no toolbar button): Toggle between the SmartDashboard and the Log Consolidator.
Toolbars (no toolbar button): Toggle the display of the SmartDashboard toolbars. See “VPN-1/FireWall-1 Toolbars” on page 154.
Status Bar (no toolbar button): Toggle the display of the VPN-1/FireWall-1 Status Bar. See “VPN-1/FireWall-1 Status Bar” on page 158.
Objects Tree (toolbar button): Toggle the display of the Objects Tree. See “Object Tree” on page 134.
Rule Base (toolbar button): Toggle the display of the SmartDashboard Rule Base.
Objects List (toolbar button): Toggle the display of the Objects List. See “Object List” on page 136.
Topology Map (toolbar button): Toggle the display of the SmartMap. See “The SmartMap” on page 139.
Reset Column Width (no toolbar button): Set the Rule Base columns to their default width.
Sort Tree (toolbar button): Sort the Objects Tree by the object name, type or color. See “Sorting the Objects Tree” on page 135.
Implied Rules (no toolbar button): Toggle the display of the implied rules (the rules derived from the Global Properties window). See “Implied Rules” on page 332.

The SmartDashboard consists of several toolbars. These toolbars are displayed below the menu.
To decide which toolbars are displayed, select the requested menu options from the Toolbars
option in the View menu. For more about toolbars, see “VPN-1/FireWall-1 Toolbars” on page
154. The SmartDashboard Status Bar (see page 158) is displayed at the bottom of the
SmartDashboard window.

Selections Available from the Manage Menu


TABLE 3-7 The Manage menu options

Network Objects (toolbar button): Manage Network Objects. See Chapter 5, “Network Objects”.
Services (toolbar button): Manage Services. See Chapter 6, “Services and Resources”.
Resources (toolbar button): Manage Resources. See Chapter 6, “Services and Resources”.
OPSEC Applications (toolbar button): Manage OPSEC Applications. See http://www.opsec.com.
Servers (toolbar button): Manage Servers. See Chapter 10, “Server Objects and OPSEC Applications”.
Users and Administrators / Permission Profiles (toolbar button): Manage Users. See Chapter 4, “Managing Users and Administrators”.
Time (no toolbar button): Manage Time Objects. See Chapter 9, “Time and Scheduled Event Objects”.
VPN Communities (no toolbar button): Manage Intranet and Extranet Communities. See Chapter 10, “Extranet Management” of Check Point Virtual Private Networks Guide.
QoS > QoS Classes (no toolbar button): Manage QoS Classes. See “Diffserv” in Chapter 2, “QoS Policy Management” of Check Point FloodGate-1 Guide.
Credential Manager > UA Authentication Domains (no toolbar button): Manage User Authentication for credentials management. See “Server Chapter” of the “UserAuthority User Guide”.
SmartView Monitor > Virtual Links (toolbar button): Manage Virtual Links. See Chapter 16, “Virtual Links”.
Web Access > Methods (no toolbar button): Manage Method Objects.
Web Access > Trusts (no toolbar button): Manage Trust Objects.
Accountings... (toolbar button): Manage Accounting Schemes (Log Consolidator only). See “Defining Accounting Schemes” in Chapter 11, “Log Consolidation”.
Customer... (toolbar button): Manage Customers (Log Consolidator only). See “Defining Customers” in Chapter 11, “Log Consolidation”.

Rules Menu with Toolbar Buttons


TABLE 3-8 The Rules menu options

Add Rule (no toolbar button): Add a rule to the Rule Base. See “Adding a Rule” on page 314.
Add Sub-Rule (toolbar button): Add a sub-rule to the QoS rule.
Delete (toolbar button): Delete the selected rule. See “Deleting a Rule” on page 327.
Disable Rule (no toolbar button): Disable the selected rule. See “Disabling Rules” on page 344.
Add QoS Class (no toolbar button): Add a QoS Class above or below the rule. See “Diffserv” on page 50 of Check Point FloodGate-1 Administration Guide.
Select All (no toolbar button): Select all rules in the Rule Base.
Hide (no toolbar button): Hide or unhide the current rule. See “Hiding Rules” on page 332.

Policy Menu
TABLE 3-9 The Policy menu options

Verify (toolbar button): Verify the Policy. See “Verifying and Viewing the Security Policy” on page 327.
Install (toolbar button): Install the Policy on the targets. See “Installing the Security Policy” on page 347.
Uninstall (toolbar button): Remove the Policy from the targets. See “Uninstalling the Security Policy” on page 352.
View (no toolbar button): View the Inspection Script. See “Viewing the Inspection Script” on page 355.
Access Lists Operations (no toolbar button): Display the Router Access Lists window. See “Installing Access Lists” on page 356.
Install Users Database (no toolbar button): Install the Database to selected FireWalled network objects. See “Database Installation” on page 171.
Policy Installation Targets (no toolbar button).
Management High Availability (no toolbar button): Implement Check Point Management High Availability. See “Management High Availability” on page 553.
Global Properties (toolbar button): Display the Global Properties window. See Chapter 7, “Global Properties”.
Install and Start (toolbar button): Install and start the Consolidation Policy (Log Consolidator only). See “Installing the Consolidation Policy” in Chapter 11, “Log Consolidation”.

SmartMap menu
For more information, refer to “The SmartMap Helper in Chapter 17, “SmartMap”.

Search Menu
TABLE 3-10 The Search menu options

Menu Entry | Toolbar Button | Description | See
Query Rules | (icon) | | “Querying the Rule Base” on page 335
Clear Rules Query | none | Clear the defined query. | “To Clear a Query” on page 344
Query Network Objects | (icon) | Filter the selected network object. | “Filtering Network Objects” on page 181
Query LDAP Objects | (icon) | |
Find in Rule Base | (icon) | Find the specified text in the Rule Base. | “Searching the Rule Base” on page 344

Window Menu
TABLE 3-11 The Window menu options

Menu Entry | Toolbar Button | Description | See
SmartView Tracker | none | Open the SmartView Tracker. | Chapter 13, “SmartView Tracker”
SmartView Status | none | Open SmartView Status. | Chapter 11, “SmartView Status”
SmartView Monitor | none | Open the SmartView Monitor. | Check Point SmartView Monitor Guide
SmartUpdate | none | Open SmartUpdate. | Chapter 2, “SmartUpdate”
User Monitor | none | Open the Users’ Monitor application. | Chapter 14, “User Monitor”

Help Menu
TABLE 3-12 The Help menu options

Menu Entry | Toolbar Button | Description
Help Topics | none | Display Help.
What’s new in Check Point Software | none | Open the Check Point web page containing new features in Check Point software.
Online Software Updates | none | Open the Check Point web page containing Check Point software updates.
About Check Point SmartDashboard | none | Display the About SmartDashboard window.

VPN-1/FireWall-1 Toolbars
To select the toolbars that you would like to display, select the requested menu options from
Toolbars in the View menu.

VPN-1/FireWall-1 consists of the following toolbars:


• Global Properties — Configure the VPN-1/FireWall-1 Global Properties.
• Help — Activate context sensitive help for toolbar icons and menu commands.
• Objects — Display the Network Objects toolbar.
• Panes — Toggle the various panes (see “Panes Toolbar” on page 156).
• Log Consolidator — See the Check Point Reporting Module Guide.
• Policy — Work with policies (see “Policy Toolbar” on page 156).
• Rules — Work with rules (see “Rules Toolbar” on page 157).
• Search — Use searches and queries (see “Search Toolbar” on page 157).
• SmartDefense — Activate Check Point SmartDefense (see “SmartDefense” on page 157).
• Standard — Use standard editing tools (see “Standard Toolbar” on page 158).
• Topology Map — Work with the topology map (see “Topology Map Toolbar” on page 158).
• VPN Communities — See the Check Point Virtual Private Networks Guide.

The toolbar buttons are shortcuts for menu commands.

Toolbar Buttons and Menu Commands

TABLE 3-13 The Global Properties button

Toolbar Button | Menu Command
(icon) | Policy > Global Properties

Help Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-14 The Help button

Toolbar Button | Menu Command
(icon) | none

Objects Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-15 The Objects toolbar buttons

Toolbar Button | Menu Command
(icon) | Manage > Network Objects
(icon) | Manage > Services
(icon) | Manage > Resources
(icon) | Manage > OPSEC Applications
(icon) | Manage > Servers
(icon) | Manage > Users and Administrators
(icon) | Manage > SmartView Monitor > Virtual Links

Panes Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-16 The Panes toolbar buttons

Toolbar Button | Menu Command
(icon) | View > Objects Tree
(icon) | View > Rule Base
(icon) | View > Objects List
(icon) | View > Topology Map
(icon) | View > Sort by Name
(icon) | View > Sort by Type
None | View > Sort by Color

Policy Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-17 The Policy toolbar buttons

Toolbar Button | Menu Command
(icon) | Policy > Verify
(icon) | Policy > Install
(icon) | Policy > Uninstall
(icon) | File > Revision Control

Rules Toolbar
TABLE 3-18 The Rules toolbar buttons

Toolbar Button | Menu Command
(icon) | Rules > Add Rule > Bottom
(icon) | Rules > Add Rule > Top
(icon) | Rules > Add Rule > Before
(icon) | Rules > Add Rule > After
(icon) | Rules > Add Subrule
(icon) | Rules > Delete Rule

Search Toolbar
TABLE 3-19 The Search toolbar buttons

Toolbar Button | Menu Command
(icon) | Search > Query Rules
(icon) | Search > Query Network Objects
(icon) | Search > Query LDAP Objects
(icon) | Search > Find

SmartDefense
The Check Point SmartDefense provides a unified security framework for various components
that identify and prevent cyber attacks. In addition to the security enforcement policy, defined in
the rule base, SmartDefense unobtrusively analyzes activity across your network, tracking
potentially threatening events and optionally sending notification.
SmartDefense includes the following features:
• successive events — a mechanism for detecting malicious or suspicious successive events and
notifying the system administrator;
• stateless packet validation — a comprehensive sequence of IP, ICMP, UDP and TCP tests;
• sequence verifier — a mechanism matching the current TCP packet’s sequence number
against a TCP connection state. Packets that match the connection in terms of the TCP
session but have incorrect sequence numbers are either dropped or stripped of data;
• SYN Attack — a module designed to prevent attacks in which TCP connection initiation
packets are sent to the server in an attempt to cause Denial of Service;
• fragment sanity check — a feature that generates logs when it detects packets that were deliberately fragmented to bypass the FireWall or to cause Denial of Service;
• general HTTP worm catcher — a mechanism for detecting and blocking HTTP-based worms, e.g., CodeRed and Nimda;
• FTP malformed packet logs — an FTP protocol enforcement foiling any attempt to use an FTP server as an agent for a malicious operation. Optionally, log events will be forwarded to the VPN-1/FireWall-1 log database;
• DNS malformed packet logs — a DNS protocol enforcement that inspects each packet to make sure it conforms to the DNS query (or answer) standard. In addition, certain restrictions are imposed on the type of data allowed in queries and answers;
• implicit security servers activation — a feature that allows the security servers to be activated implicitly on all traffic of a certain type, regardless of the Rule Base.

Standard Toolbar
TABLE 3-20 The Standard toolbar buttons

Toolbar Button | Menu Command
(icon) | File > Save
(icon) | File > Refresh
(icon) | Edit > Cut
(icon) | Edit > Copy
(icon) | Edit > Paste

Communities Toolbar
TABLE 3-21 The Communities toolbar buttons

Toolbar Button | Menu Command
(icon) | Manage > VPN Communities
(icon) | Manage > VPN Communities

Log Consolidator Toolbar

Commands for Toolbars and Menus

For more information on Log Consolidator toolbars and menus, refer to the Check Point Reporting Module Guide.

Topology Map Toolbar

For more information, refer to “Menu Commands and Toolbar” in Chapter 17, “SmartMap”.

SmartDefense Toolbar
For more information, refer to “SmartDefense” on page 157.

VPN-1/FireWall-1 Status Bar


FIGURE 3-13 VPN-1/FireWall-1 Status Bar

The VPN-1/FireWall-1 Status Bar, displayed at the bottom of the VPN-1/FireWall-1 window,
shows information on the state of VPN-1/FireWall-1, as well as explanations of menu items and
toolbar buttons.

CHAPTER 4 Managing Users and Administrators

In This Chapter

Overview page 157
VPN-1/FireWall-1 Proprietary Users page 158
User Database page 167
Generic User Profiles page 168
External Users and Groups page 171
Groups of RADIUS Users page 171
Associating a Radius Server with a FireWall-1 Enforcement Module page 171
Groups of Windows NT users page 172

Overview
When you define users, administrators and groups for VPN-1/FireWall-1:
• You can use those user groups as the Source in rules that specify Authentication (User, Client, or Session) as the Action.
• The administrators can use the Check Point Management GUI Clients to administer Check Point products.
The user’s or administrator’s properties (for example, those defined in the Location and Time tabs of the User Properties window) are then applied. In this way, you can specify, for example, that users in one group can connect only during the day, while users in another group can connect only at night.
There are two ways to define users in VPN-1/FireWall-1:
• using the VPN-1/FireWall-1 proprietary user database — see “VPN-1/FireWall-1
Proprietary Users” on page 158
• using an LDAP directory — see “External Users and Groups” on page 171


VPN-1/FireWall-1 Proprietary Users

Defining Users and Groups


You can define users, administrators and groups in the Users window. In addition, you can
define templates upon which future user definitions will be based.
To display the Users window,
• choose Users from the Manage menu
Click on Install to install the User Database to the VPN/FireWall modules on which the
Security Policy is installed. To view specific types of users, select the desired type from the Show
drop-down list.

Creating a New Object (User, Administrator, Group or Template)


To create a new object (User, Administrator, Group or Template), proceed as follows:
1 Click on New.
The New User Object menu is displayed, listing the types of objects you can create.
2 Select User by Template or Administrator by Template from the menu.
A window is displayed prompting you to enter the properties of the selected object type.

Note - If you have chosen User by Template or Administrator by Template, you must first choose a template from the menu.

The User Templates already defined are listed in the bottom part of the menu.

TABLE 4-1 User types

To create an object of type | See
Group | “Creating a Group” on page 159
External Group | “External Users and Groups” on page 171
Template | “Creating a Template” on page 159
User | “Creating a New User” on page 159
Administrator | “Creating a New Administrator” on page 159

Modifying a User
To modify an existing user, select the user in the Users window and click on Edit.

Deleting a User
To delete an existing user, select the user in the Users window and click on Remove.


Creating a Group
To create a new group, choose Group from the New User Object menu. The Group Properties
window is then displayed.
To add users or groups to a group, follow the instructions in “User Groups” on page 166.

Creating a Template
To create a new template, choose Template from the New User Object menu. The User
Definition Template window is displayed.

The User Definition Template window is identical to the User Properties window and has
the same tabs (except for the Certificates tab). Enter the data (properties) for the template in
the same way you enter data for a user (see “User Properties” on page 162).
Once you have created a template, any user you create based on the template will inherit all of
the template’s properties, including membership in groups.
If you modify a template’s properties, the change will affect all users created from the template
in the future. Users already created from the template will not be affected.

Note - In contrast to VPN-1/FireWall-1 templates, LDAP templates are live links. Changes
to an LDAP template change the properties of all users linked to the template.

Creating a New User


To create a new user, choose the template on which the new user’s properties will be based from
the New User Object menu. The User Properties window is then displayed.
Enter the data for the user (see “User Properties” on page 162). For any user, you can freely
change the properties that user inherited from the template, but they will be changed for the
user only. The template remains unchanged.

Creating a New Administrator


Check Point Administrators (that is, people who are authorized to use the Check Point
SmartDashboard) are now defined from the SmartDashboard GUI, by selecting New >
Administrator from the Users window.

The other tabs are identical to the corresponding tabs in the User Properties window (“User
Properties” on page 162).
Note -
• The Admin Auth tab of the Administrator Properties window corresponds to the
Authentication tab of the User Properties window.
• The Admin Certificates tab of the Administrator Properties window corresponds to
the Certificates tab of the User Properties window.

Click View Permissions Profile to view the profile (the set of permissions) assigned to the
Administrator.


To define a new Permissions Profile, click New in the General tab of the Administrator
Properties window. In the General tab of the Permissions Profile Properties window, specify
the profile’s name.
In the Permissions tab, specify the profile’s permissions.

Permissions Profile Properties window

General Tab
Name — the administrator’s name
Comment — descriptive text
Color — the color of the administrator’s icon
Select the desired color from the drop-down list.

Permissions Tab
In the Permissions tab, specify the permissions to be granted to an administrator who is assigned this Permissions Profile.
TABLE 4-2 shows the available Permission Profile options.

TABLE 4-2 Add and Edit Permission Profile Options

Selecting this option… | …gives these permissions
None | Allows no access to any Check Point products.
Read/Write All | Allows full access to all Check Point products.
Read Only All | Allows read-only access to all Check Point products.
Customized | Allows user-defined access to Check Point products.
SmartUpdate | Note — Choosing Read/Write permissions automatically gives Read/Write permissions for all other options.
  • Read/Write permission allows Check Point product installations on Managed modules to be centrally managed.
  • Read Only permission allows viewing the status of installations of Check Point products on managed Modules.
Objects Database | Note — These permissions cannot be selected. They are automatically assigned based on choices made in other options.
  • Read/Write permission indicates that the administrator can add, remove and modify objects, in addition to being able to edit the Policy properties.
  • Read Only permission means that the administrator can see the objects but cannot modify them.
Check Point Users Database |
  • Read/Write allows the administrator to define, remove and modify users or templates, as well as insert and remove users to/from groups.
  • Read Only permission allows the administrator to view users, templates, and groups but not modify them.
LDAP Users Database |
  • Read/Write permission allows the administrator to define, remove and modify LDAP users and groups.
  • Read Only permission allows the administrator to view LDAP users and groups but not modify them.
  For more information on LDAP Users Database administrators, see “LDAP Administrators” on page 21 of Check Point User SmartCenter Guide.
Security Policy |
  • Read/Write allows the administrator to manage Security Policies and rules within the Policies. The administrator can install and uninstall Security Policies.
  • Read Only allows the administrator to open and view Security Policies but not to modify them.
QoS Policy |
  • Read/Write allows the administrator to manage QoS policies and rules within the policies. The administrator can install and uninstall QoS Policies.
  • Read Only allows the administrator to open and view QoS Policies but not to modify them.
Log Consolidator Policy |
  • Read/Write allows the administrator to manage Log Consolidator policies and rules within the policies. The administrator can install and uninstall Log Consolidator Policies.
  • Read Only allows opening and viewing Log Consolidator policies but not modifying them.
Reporting Tool |
  • Read/Write allows the administrator to create and manage report definitions.
  • Read Only permission allows the administrator to process reports and change Runtime parameters, but not to create or modify report definitions.
Monitoring |
  • Read/Write permission allows the administrator full access to the Log Viewer, System Status and SmartView Monitor.
  • Read Only permission prevents the administrator interrupting connections.
Web Policy |
  • Read/Write permission allows the administrator full access to the WebAccess functionality.

User Properties
To display the User Properties windows, double-click on a user name in the Users window
and then select the appropriate tab.

In This Section

User Properties Window — General tab page 162


User Properties Window — Personal tab page 162
User Properties Window — Groups tab page 163
User Properties Window — Authentication tab page 163
User Properties Window — Location tab page 165
User Properties Window — Time tab page 166
User Properties Window — Encryption tab page 166
User Properties Window — Certificates tab page 166

User Properties Window — General tab


Login Name — the user’s name

User Properties Window — Personal tab


Expiration Date — date after which the user will be denied access
Date format is dd-mmm-yyyy, where:
• mmm is one of the following: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec
• yyyy — must be four digits, for example, “2031”


Comment — descriptive text


This text is displayed on the bottom of the Users window when this user is selected.
Color — the color of the user’s icon
Select the desired color from the drop-down list.

User Properties Window — Groups tab

Adding the User to a Group


To add the user to a group, select the groups in the left listbox (labeled Available Groups) to
which you wish to add this user, and then click on Add.

Deleting the User from a Group


To delete the user from a group, select the groups in the right listbox (labeled Belongs to
Groups) from which you wish to delete this user, and then click on Delete.

User Properties Window — Authentication tab


Authentication Scheme — the scheme used to authenticate this user
Select a scheme from the list. The Settings group shows the fields relevant to the selected
scheme. For information about Authentication schemes, see “Authentication Schemes” on
page 125 of Check Point FireWall-1 Guide.

TABLE 4-3 Authentication Schemes and windows

Authentication Scheme | Scheme-specific settings
Undefined | No authentication scheme is defined for this user in the VPN-1/FireWall-1 user database, though one may be defined on an LDAP Server.
S/Key | See “S/Key Authentication” on page 164.
SecurID | There are no scheme-specific parameters for the SecurID authentication scheme. The FireWall-1 enforcement module acts as an ACE/Agent 5.0. For agent configuration see ACE/Server documentation.
VPN-1 & FireWall-1 | See “VPN-1 & FireWall-1 Password Authentication” on page 165.
OS Password | There are no scheme-specific parameters for the OS Password authentication scheme.
RADIUS | See “RADIUS Authentication” on page 165.
AXENT Pathways Defender | There are no scheme-specific parameters for the AXENT Pathways Defender authentication scheme.
TACACS | See “TACACS Authentication” on page 165.


S/Key Authentication
Seed — an arbitrary number
Secret Key — chosen by the user
Secret Key should be at least 10 characters long.
Length — number of passwords in the chain
Password — password for the user
Generate Button — generates a password after a gateway has been selected
Installed On — the gateway that will perform the authentication
Method — the hashing method
Print Chain — print the password chain.
This option is available only immediately after generating a new chain.

There are several options for using the S/Key Authentication settings, as follows:
• To generate and save a sequence of one-time passwords, proceed as follows:
1 Enter Seed, Secret Key and Length.
Secret Key should be at least 10 characters long.
2 Click on Generate.
• If the user has already generated a sequence of one-time passwords, proceed as follows:

1 Enter Seed, Length (the number of the last password used), and the last-used Password.

2 Click on OK.

Warning - Do not click on Generate.

The S/Key password is saved. If Seed and Length are not entered, the user is prompted for
them.

To generate new S/Keys for users who have forgotten their passwords, proceed as follows:

1 In the user’s User Properties window, enter a new Secret Key (or leave it blank and let
one be chosen randomly).
2 Enter a Length.

3 Click on Generate.

The keys are then generated and saved to a file.


4 Download the User Database by choosing Policy > Install Objects Database on the menu
or by clicking on Install in the Users window.


For more information, see “Database Installation” on page 167.


The former “forgotten” keys are no longer valid, and the new keys will be used for all
future authentication.
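The chain that the Seed, Secret Key, Length and Password fields describe, as an added example that is not Check Point's code: an RFC 2289 S/Key chain using the MD5 method (the hashing method is an assumption; real S/Key shows each password as six short words, shown here as hex), together with the gateway-side check that accepts each one-time password exactly once and only in order.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _fold(digest: bytes) -> bytes:
    """RFC 2289 folding: XOR the two 8-byte halves of a 16-byte MD5 digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def skey_step(prev: bytes) -> bytes:
    """One hash iteration: turns the password for sequence n into the one for n+1."""
    return _fold(hashlib.md5(prev).digest())


def skey_chain(seed: str, secret: str, length: int) -> list[bytes]:
    """Return chain[0..length]; chain[i] is the one-time password after i iterations.

    The gateway ("Installed On") is initialised with chain[length] and the
    sequence number `length`; the user then presents chain[length-1],
    chain[length-2], ... down to chain[0], after which a new chain is needed.
    """
    if len(secret) < 10:
        raise ValueError("Secret Key should be at least 10 characters long")
    if length < 1:
        raise ValueError("Length must be at least 1")
    # RFC 2289: the seed is case-insensitive and is concatenated with the secret
    current = _fold(hashlib.md5((seed.lower() + secret).encode()).digest())
    chain = [current]
    for _ in range(length):
        current = skey_step(current)
        chain.append(current)
    return chain


def random_secret() -> str:
    """A randomly chosen Secret Key for the 'leave it blank' case (16 hex chars)."""
    return secrets.token_hex(8)


class SKeyGateway:
    """Per-user state the gateway keeps: the last accepted password and its number.

    The Secret Key never reaches the gateway, so a copy of this state cannot
    be used to derive passwords the user has not yet presented.
    """

    def __init__(self, seed: str, sequence: int, last_password: bytes) -> None:
        self.seed = seed
        self.sequence = sequence        # sequence number of last_password
        self.last = last_password

    def challenge(self) -> str:
        """The challenge the user must answer, in RFC 2289 form."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, presented_hex: str) -> bool:
        """Accept a password only if hashing it once yields the stored one."""
        if self.sequence < 1:
            return False                # chain exhausted: regenerate with Generate
        try:
            presented = bytes.fromhex(presented_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(skey_step(presented), self.last):
            return False
        # Advance the stored state so the same password is rejected if replayed
        self.last = presented
        self.sequence -= 1
        return True


def demo() -> bool:
    """Walk a short constructed chain through the gateway (sample values are made up)."""
    seed, secret, length = "ch3ck01", "correct-horse-battery", 5
    chain = skey_chain(seed, secret, length)
    gateway = SKeyGateway(seed, length, chain[length])
    accepted_first = gateway.verify(chain[length - 1].hex())
    replayed = gateway.verify(chain[length - 1].hex())   # same password again
    accepted_next = gateway.verify(chain[length - 2].hex())
    return accepted_first and not replayed and accepted_next


if __name__ == "__main__":
    print("S/Key walk-through behaves as expected:", demo())
```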

VPN-1 & FireWall-1 Password Authentication


To enter a password for the user, proceed as follows:
1 Click Change Password.

2 In the Change Password window, enter the password twice: once in Password and a
second time in Confirm Password.

The password can be up to eight characters in length.

Note - OS Password and VPN-1 & FireWall-1 Password are the Authentication
Methods defined in the Authentication tab of the Workstation Properties window.

RADIUS Authentication
Select a RADIUS Server or group of RADIUS Servers from the menu. For information on
how to define RADIUS Servers, see “RADIUS Servers” on page 360.

TACACS Authentication
Select a TACACS Server from the menu. For information on how to define TACACS Servers,
see “TACACS Servers” on page 362.

User Properties Window — Location tab


Source — the user will be allowed access only from the listed network objects.
• To add a network object, select the object from the left list box (labeled Network
Objects), and then click on the Add button to the left of the Source list box.
• To delete a network object, select the object in the Source list box and click on the
Delete button to the left of the Source list box.

For information on how to override this field for a specific rule, see Chapter 3,
“Authentication” in Check Point FireWall-1 Guide.
Destination — the user will be allowed access only to the listed network objects.
• To add a network object, select the object from the left list box (labeled Network
Objects), and then click on the Add button to the left of the Destination list box.
• To delete a network object, select the object in the Destination list box and click on
the Delete button to the left of the Destination list box.
For information on how to override this field for a specific rule, see Chapter 3,
“Authentication” in Check Point FireWall-1 Guide.


User Properties Window — Time tab


Day in Week — days on which the user will be allowed access
Time of Day: From and To — hours between which the user will be allowed access

User Properties Window — Encryption tab


The Encryption tab enables you to specify parameters relating to the user’s SecuRemote
encryption.
For information about encryption, see Check Point Virtual Private Networks Guide.

User Properties Window — Certificates tab


Certificate State — the status of this user’s certificates
Generate — Click to generate a certificate for this user from the Internal Certificate Authority.
Revoke — Click to revoke an existing certificate.

User Groups
To display and update a group’s members, double-click on the group’s name in the Users
window. The Group Properties window is then displayed.
Name — the group’s name
Comment — optional descriptive text
Color — Select the desired color from the drop-down list.
You can filter the items displayed in the left listbox using View.

In the left list box (labeled Not in Group), select the users or groups you wish to include in the
group and click on Add.

Note - To define a new user directly from this window, click New. A menu will be displayed from which you can select the type of user to create. When you finish defining the user, you will return to this window.

You can add a group to another group in one of two ways:


1) You can individually add all the users in one group to another group, without nesting
groups within groups. Click on Yes in reply to the question in the window (FIGURE 4-1).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
FIGURE 4-1 Adding a Group to a Group


If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.

Deleting a User or Group from a Group


To delete a user or group from a group, double-click on the group’s name in the Users window.
The Group Properties window is then displayed. Select the users or groups to be deleted from
the right list box (labeled In Group), and then click on Remove.

User Database
The VPN-1/FireWall-1 User database contains information about each user defined in
VPN-1/FireWall-1, including authentication schemes and encryption keys. The User Database
resides on the SmartCenter Server and on the FireWalled machines (enforcement points).
The VPN-1/FireWall-1 User Database does not contain information about users defined
externally to VPN-1/FireWall-1, for example, users in external groups (see “External Users and
Groups” on page 171), but it does contain information about the external group (for example,
on which Account Unit the external group is defined). For this reason, changes to external
groups take effect only after the Security Policy is installed or the User Database is downloaded.
When the properties of a user defined in the VPN-1/FireWall-1 User Database change, the
change does not take effect immediately. The VPN/FireWall modules on which the Security
Policy is installed must be notified of the change, in one of three ways:
1 Install the User Database by choosing Install Objects Database from the Policy menu.
2 Install the User Database by clicking on Install in the Users window.
3 Install the Security Policy by choosing Install from the Policy menu.
This installs the Security Policy in addition to updating the User Database.

Database Installation
When you install the User Database from the GUI (by choosing Install Objects Database from
the Policy menu or clicking on Install in the Users window), VPN-1/FireWall-1 runs the fw
command with the dbload argument (see “fwm dbload” on page 562).
You can modify this behavior so that VPN-1/FireWall-1 runs a program or shell script (batch
file) of your choice instead of fw dbload. For example, to run bigapple, add the following
statement to the setup.C file:

dbload_program ("bigapple")


bigapple will be run with the same argument list that fw would have received (where the
first argument is dbload). It is then your responsibility to ensure that bigapple correctly
processes its arguments and installs the Database. Of course, bigapple can also perform any
other functions you wish.

Note - The implicit installation of the User Database that occurs when a Security Policy is
installed is not affected by the dbload_program parameter.

Generic User Profiles

Generic User Overview


Generic User Profiles replace and enhance the generic* user definition. Generic User Profiles
apply to externally defined users, that is, users not defined in the FireWall-1 database or on an
LDAP server.
FireWall-1 users can be defined in the FireWall-1 database or on an LDAP database. If a large
number of users have previously been defined in an external, non-LDAP database, you can
define these users in VPN-1/FireWall-1 either by entering them manually or by importing them
using the fwm dbimport command. In either case, all the users will be defined and maintained
in both databases.
You can avoid the burden of maintaining multiple user databases by defining a Generic User
Profile for all users that are not defined on FireWall-1 or on an LDAP server. Their
authentication is performed as specified in the Authentication tab.
Multiple Generic User Profiles can be defined that can be applied to different groups of
unknown users.
There are two kinds of Generic User Profiles.
The Match all users profile, with the Generic User Profile name generic*, is limited to only
one property set. VPN-1/FireWall-1 applies the restrictions specified for an ordinary user in
the User Properties tabs (for example, Groups). For authentication purposes, it uses the name
typed in by the user instead of generic*. In this way, the external authentication server "sees"
the user's real name and authenticates him or her accordingly.
The Match by domain profiles allow for more granularity in the user definition than is
available with generic*. They are differentiated by their domain name. The user types a
domain name as well as the username. Alternatively, any domain name can be allowed.
It is possible to define all kinds of users and Generic User Profiles side by side. FireWall-1 first looks for an internally defined or LDAP user. If that is not matched, Generic User Profiles with domains are searched, followed by Generic User Profiles with any domain, and then the generic* profile.


Example: Defining a Generic User Profile


For example, suppose you have already defined a large number of users to the Security
Dynamics database and they are all authenticating themselves with their SecurID cards. Now,
you want to integrate this authentication with VPN-1/FireWall-1 without having to redefine all
SecurID users in the VPN-1/FireWall-1 User Database.
You can use the generic user feature as follows:
1 Define a user group named SecurIDUsers (for example).
2 Define a user named generic* as a member of SecurIDUsers.

3 Specify SecurID as the Authentication Scheme for generic*.

4 Add a rule to the Rule Base similar to this:

TABLE 4-4 Rule for Generic User

Source | Destination | Services | Action | Track | Install On
SecurIDUsers@Any | tower | telnet | UserAuth | Log | Gateways

5 Install the Security Policy.

Note - The above rule will not be applied to users who are defined in the VPN-1/FireWall-1
User Database, only to users who are not defined in the VPN-1/FireWall-1 User Database.

Using Generic User Profiles


Suppose that Alice is a SecurID user, but she is not defined in the VPN-1/FireWall-1 User
Database. When she TELNETs to tower (and the above rule is applied), the following sequence
of events takes place:
1 VPN-1/FireWall-1 prompts Alice for her username.
2 Alice enters her name.
3 VPN-1/FireWall-1 determines that Alice is an unknown user, that is, that she is not defined
in the VPN-1/FireWall-1 User Database (or in any LDAP directory accessed by
VPN-1/FireWall-1).
4 VPN-1/FireWall-1 determines that there is a user named generic* defined in the User
Database, whose Authentication Method is SecurID.
If there is no user named generic*, VPN-1/FireWall-1 issues the “illegal user name” error
message and disallows the connection.
5 VPN-1/FireWall-1 prompts Alice to enter her SecurID password.


6 Alice enters her SecurID password.


7 VPN-1/FireWall-1 contacts the SecurID server and asks to authenticate user Alice,
supplying the password Alice entered.
8 The SecurID server notifies VPN-1/FireWall-1 whether Alice was successfully
authenticated.
9 VPN-1/FireWall-1 either allows or disallows the connection, depending on whether Alice
was successfully authenticated.

Generic User Notes


1) By using this feature with an external server, you disable VPN-1/FireWall-1’s ability to
detect invalid user names.
The responsibility of authenticating the user is passed to the external server. You will only
get an alert or log if the authentication fails on the external server. Without this option, it
is possible to get an alert or log when an invalid user name is entered.
2) When setting the Match all users profile, by default all the users defined in the external
server are allowed access.
There is no way to treat the users differently (but see item 3 below). The System
Administrator should carefully consider the implications of allowing this blanket access.
3) If you wish to deny access to a specific user, define that user in the VPN-1/FireWall-1 User
Database and set the user’s Authentication Scheme to Undefined.
4) generic* cannot be used as the name of a real user.

Generic User Profile Properties window


Generic User Profile name - Choose a name for the Generic User Profile
Domain Name Matching Definitions

DN format - The Domain Name can be in DN format. For example, SecuRemote/SecureClient
users have certificates that contain a domain name in DN format.
Free Format - Freely specify the Domain Name Format.
Any Domain Name is acceptable - The user can type any domain name and it will be
accepted. To allow a totally unknown user, use the Match all users Generic User Profile instead.
Domain Name - Specify a Domain Name, Separator character(s) between the Domain Name
and the Username, and whether the Domain Name must be typed before or after the user name.
Omit Domain Name before applying authentication method - Use if the authentication
server does not recognize the Domain Name. After the user is matched to the correct profile,
the Domain Name is dropped and only the username is sent to the Authentication server.


Be careful about checking Omit Domain Name before applying authentication method. If
checked, the authentication server is unable to verify the validity of the domain typed by the
user.
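The matching order described at the start of this section, the deny-by-Undefined technique from the Generic User Notes and the Omit Domain Name option, modelled in code. This is an added example, not Check Point code; every user, domain and profile in it is constructed.

```python
# Added example (not Check Point code): models the order in which FireWall-1
# matches a typed login name against the User Database, LDAP users and the
# Generic User Profiles, including the deny-by-Undefined trick (Generic User
# Note 3) and the "Omit Domain Name" option. All sample data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    name: str
    scheme: str            # e.g. "SecurID"; "Undefined" denies the user


@dataclass
class GenericProfile:
    name: str
    scheme: str
    domain: Optional[str] = None    # None: any domain name is acceptable
    separator: str = "@"
    domain_after_user: bool = True  # False: domain is typed before the user name
    omit_domain: bool = False       # strip the domain before contacting the server
    match_all: bool = False         # the "Match all users" (generic*) profile


@dataclass
class Decision:
    matched: str      # definition that matched, "" if none
    scheme: str       # authentication scheme to apply
    auth_user: str    # name handed to the authentication server
    allowed: bool     # whether FireWall-1 proceeds to authenticate at all
    reason: str


def split_login(login: str, sep: str, domain_after_user: bool) -> Optional[Tuple[str, str]]:
    """Return (user, domain) if the login contains the separator, else None."""
    if sep not in login:
        return None
    if domain_after_user:
        user, _, domain = login.rpartition(sep)
    else:
        domain, _, user = login.partition(sep)
    return user, domain


def resolve(login: str, internal: Dict[str, User], ldap: Dict[str, User],
            profiles: List[GenericProfile]) -> Decision:
    # 1. An internally defined user, then an LDAP user, wins over every profile.
    #    A user whose scheme is Undefined is an explicit deny (Note 3).
    for source, db in (("User Database", internal), ("LDAP", ldap)):
        if login in db:
            user = db[login]
            if user.scheme == "Undefined":
                return Decision(login, user.scheme, login, False,
                                "user defined with scheme Undefined: access denied")
            return Decision(login, user.scheme, login, True, f"found in {source}")
    # 2. Profiles with a specific domain, then 3. profiles accepting any domain.
    #    Both require a domain to be typed; a bare name never matches here.
    for want_specific in (True, False):
        for p in profiles:
            if p.match_all or (p.domain is not None) != want_specific:
                continue
            parts = split_login(login, p.separator, p.domain_after_user)
            if parts is None:
                continue
            user, domain = parts
            if want_specific and domain.lower() != p.domain.lower():
                continue
            # With Omit Domain Name the server never sees, so cannot verify, the domain.
            auth_user = user if p.omit_domain else login
            return Decision(p.name, p.scheme, auth_user, True,
                            "matched profile for domain " + (p.domain or "<any>"))
    # 4. generic* / Match all users: FireWall-1 can no longer reject bad names
    #    itself (Note 1); only the external server's failure will be logged.
    for p in profiles:
        if p.match_all:
            return Decision(p.name, p.scheme, login, True,
                            "unknown user passed to external server")
    return Decision("", "", login, False, "illegal user name")


# Constructed sample data: two internal users (one deliberately denied), one
# LDAP user and four profiles in the order an administrator might define them.
SAMPLE_INTERNAL = {"bob": User("bob", "VPN-1 & FireWall-1 Password"),
                   "mallory": User("mallory", "Undefined")}
SAMPLE_LDAP = {"carol": User("carol", "RADIUS")}
SAMPLE_PROFILES = [
    GenericProfile("corp_users", "RADIUS", domain="corp.example", omit_domain=True),
    GenericProfile("nt_users", "OS Password", domain="CORP",
                   separator="\\", domain_after_user=False),
    GenericProfile("any_domain", "SecurID"),
    GenericProfile("generic*", "SecurID", match_all=True),
]

if __name__ == "__main__":
    for login in ("bob", "mallory", "alice@corp.example", "CORP\\dave",
                  "eve@other.example", "frank"):
        print(login, "->", resolve(login, SAMPLE_INTERNAL, SAMPLE_LDAP, SAMPLE_PROFILES))
```

Running `resolve("frank", ...)` with the generic* profile removed from the list returns the "illegal user name" decision, which is exactly the log entry Note 1 says you lose once a Match all users profile exists.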

External Users and Groups


An external group is a user group whose members are defined in an external LDAP directory
server. The LDAP directory can be managed independently of VPN-1/FireWall-1.
An external group can be used in a Security Policy in the same way that a VPN-1/FireWall-1
group can be used. The only difference between them is where the users are defined.
For information on managing external groups and users, see Chapter 6, “Managing LDAP
Objects” of Check Point SmartCenter Guide.

Groups of RADIUS Users


To create policy rules for groups of users which are not defined on the SmartCenter Server but
are defined on a RADIUS server (including any RADIUS-compliant server like SecurID
ACE/Server), proceed as follows:
1 Enable the feature by changing the value of the attribute add_radius_groups to true. This
attribute is located under the firewall_properties object in the properties table.
Note - The objects.C file should not be edited directly. Instead, use dbedit (see
Chapter 18, “Command Line Interface” of Check Point SmartCenter Guide) to edit the
objects_5_0.C file on the SmartCenter Server. Make sure to restart VPN-1/FireWall-1 after
using dbedit.

2 Make sure that each RADIUS server user has a profile that contains the attribute “Class”
(or “Filter-Id” or any other RFC reply string attribute). The value of the attribute is the
group to which the user belongs.
In order to change “Class” to another attribute, modify the value of the
firewall_properties attribute radius_groups_attr.

3 In the SmartDashboard, create a user group with the name “RAD_<group which the
RADIUS users belong to>”. The group may be empty.
4 Define a generic* user that uses this server for RADIUS authentication.

Associating a Radius Server with a FireWall-1 Enforcement Module


A user can be associated with the Radius authentication server via the User Properties
Authentication tab.

It is also possible to associate a FireWall-1 enforcement module with a Radius server, such that
this overrides the User to Radius server association. This is done by directly editing the
FireWall-1 database using a dbedit command.


To associate one or more Radius servers to a FireWall-1 enforcement module, use the dbedit
command:

modify network_objects <gw obj> radius_server servers:<radius obj>

It is possible to switch off the Radius to FireWall-1 association on a per user basis, so that the
user will always authenticate to the Radius server specified in the User Properties
Authentication tab. Do this by switching off another attribute in the FireWall-1 database, using
the dbedit command:

modify users <user obj> use_fw_radius_if_exist false

Groups of Windows NT users


To create policy rules for groups of users which are not defined on the SmartCenter Server but
are defined either on the VPN/FireWall Module’s host which is a Windows NT machine or in
the Windows NT machine’s trusted domain, proceed as follows:
1 Enable the feature by changing the value of the attribute add_nt_groups to true. This
attribute is located under the firewall_properties object in the properties table.
Note - The objects.C file should not be edited directly. Instead, use dbedit (see
Chapter 18, “Command Line Interface” of Check Point SmartCenter Guide) to edit the
objects_5_0.C file on the SmartCenter Server. Make sure to restart VPN-1/FireWall-1 after
using dbedit.

2 Make sure that the user belongs to an NT user group.


3 In the SmartDashboard, create a user group with the name “NT_<NT user group which
the user belongs to>”. The group may be empty.
4 Define a Generic User Profile for a user that uses OS password as the authentication
scheme.



CHAPTER 5

Network Objects

In This Chapter

Overview page 173


Network Objects page 180
Networks page 202
Domains page 203
Open Security Devices page 203
Embedded Devices page 208
Groups page 211
Logical Servers page 215
Address Ranges page 216
Gateway Clusters page 216
Dynamic Objects page 216

Overview
Network objects include gateways, hosts, routers, networks, switches, Logical Servers,
gateway clusters, domains and others. Before you can include a network object in a rule, you
must define it and its properties.
Network objects can be organized in hierarchical groups to form higher-level objects and easier
to read rules.
You do not have to define every object in your networks to VPN-1/FireWall-1 — only those
objects that are used in the Rule Base. For example, if a rule refers to a network, you must
define the network, but it’s not necessary to define every host in the network.


Adding, Editing and Deleting a Network Object


There are several methods of adding, editing or deleting a network object. Whichever method
you use, if you are creating or editing a network object, then the appropriate window for that
object will be displayed, for example, the Check Point Properties window (on page 182) or
the Network Properties window, etc.
FIGURE 5-1 VPN-1/FireWall-1 SmartDashboard window (callouts: toolbars; Security Policy
Rule Base; Address Translation Policy tab; Desktop Security Policy tab; WebAccess Policy tab;
VPN Manager tab; Quality of Service Policy tab; SmartMap; details of the objects selected in
the Objects Tree are displayed in the Objects List)
These methods are:


• from the objects tree (see “From the Objects Tree” on page 175)
• from the objects list (see “From the Objects List” on page 175)
• from the Rule Base (see “From the Rule Base” on page 175)
• from the menu (see “From the Menu” on page 175)
• from the toolbar (see “From the Toolbar” on page 175)
• from the SmartMap (see Chapter 16, “SmartMap”)


From the Objects Tree


To create a new network object from the objects tree (see FIGURE 5-1), right click in the
tree, choose New in the menu and select the type of object to create (see TABLE 5-1 on
page 176 for a list of objects).
Alternatively, you can right click any object in the tree and the menu will display a New
entry appropriate to that object type, for example New Gateway.

Note - If you choose Show from the Network Objects menu while an object in the tree is
selected, the SmartMap will be scrolled so that the object is visible.

To edit or delete an existing object, right click the object in the tree and choose Edit or
Delete from the menu, as appropriate.

From the Objects List


To edit or delete an existing object, right click the object in the list (see FIGURE 5-1 on
page 174) and choose Edit or Delete from the menu, as desired.

From the Rule Base


See “Editing a Network Object from the Rule Base” on page 178 for more information.

From the Menu


Choose Network Objects from the Manage menu. See “Editing a Network Object from the
Network Object Manager” on page 175 for more information.

From the Toolbar


Select from the toolbar. See “Editing a Network Object from the Network Object
Manager” on page 175 for more information.

Editing a Network Object from the Network Object Manager


To define a network object from the Network Object Manager, open the Network Objects
window by:
• choosing Network Objects from the Manage menu, or
• selecting from the toolbar.

Creating a New Object


To create a new object, click New. A menu is displayed that lists the types of objects you can
create.


Choose a type from the displayed menu. A window is displayed prompting you to enter the
properties of the selected object type.
Note - If you opened the Network Objects window from the Rule Base, then the Add
Network Object menu displays the valid choices for the column from which it was
opened. These vary from column to column. For example, Logical Servers is a valid
choice under Destination but not under Source. On the other hand, if you opened the
Network Objects window from the menu or from the toolbar, then all the possible
choices are displayed in the Add Network Object menu.

TABLE 5-1 summarizes the available options.

TABLE 5-1 Object Types

to create an object of type...  see
Check Point                     “Network Objects” on page 180
Node                            “Network Objects” on page 180
Interoperable Device            “Network Objects” on page 180
Network                         “Networks” on page 202
Domain                          “Domains” on page 203
OSE Device                      “Open Security Devices” on page 203
Embedded Device                 “Embedded Devices” on page 208
Group                           “Groups” on page 211
Logical server                  “Logical Servers” on page 215
Address range                   “Address Ranges” on page 216
Dynamic object                  “Dynamic Objects” on page 216
VoIP Domain                     Chapter 6, “VoIP (Voice Over IP)” of Check Point FireWall-1 Guide

Editing an Object
To edit an object, select the object and click Edit, or double-click the object.
You can also edit an object from the SmartDashboard (see “Editing a Network Object from the
Rule Base” on page 178).
If the IP addresses of network objects have been modified or new ones added since the GUI was
invoked, restart the GUI to refresh the GUI’s internal cache of addresses. Network objects that
have already been defined are not affected. If their properties have been edited, however,
updated data will be retrieved.

Deleting an Object
To delete an object, select the object and click Remove.


Finding Where an Object is Used


To display where an object is used in the Security Policy, proceed as follows:
1 Right-click the object in the tree.
2 Select Where Used ...
The Objects tab of the References window is displayed.
An object (for example, My Intranet) is not removable (that is, it cannot be deleted) if it is
predefined.
The Objects tab shows where the selected object is used in or by other objects.
The Rulebases tab shows in which Rule Bases the object is used.
The Queries tab shows the queries in which this object is a parameter.

Note - The Reference window is non-modal; that is, you can leave it open while you
continue to work with the SmartDashboard. If you make changes that affect the Reference
window, you can update the display to reflect the changes by clicking Refresh.

Filtering Network Objects


To filter the network objects (that is, to specify criteria for searching the defined network
objects), click More >> (to the right of the Show drop-down menu). The Refined Filter section
of the Network Objects window is displayed.
FIGURE 5-2 Add Object Refined Filter Options


TABLE 5-2 summarizes the available options.

TABLE 5-2 Refined Filter Options

create a filter of type...  ... to get the following results
Any (no filter)             All network objects will be shown in the left pane.
Duplicates                  Show objects that have the same IP address.
IP / interface mismatch     Show gateways whose main IP does not match the interfaces defined
                            in the Topology page (see “Check Point window — Topology Page”).
Search by IP                Show network objects matching specific IP addresses using * as a
                            wildcard (199.*.*.*).
Search by Name              Show network objects matching a specific string using * as a
                            wildcard (johnnyBG***).
Search network              Show network objects matching specific IP addresses and netmask
                            addresses using * as a wildcard (199.123.*.* and 255.*.*.*).
Sub networks                Show network identifications according to inclusion relations.
Unused objects              Show objects created but not referenced anywhere.
To close the Refined Filter section of the Network Objects window, click << Less.

When the results of your filter are displayed, you can group them by checking Define query
results as group.

Editing a Network Object from the Rule Base


To edit a network object from the Rule Base, proceed as follows:
1 Right click a rule’s Source or Destination in the SmartDashboard.
The Object menu is displayed.
The items that appear in the Object menu depend on whether you right clicked in the Source
or Destination column.
2 Choose one of the menu items.
Add — Open the Network Objects window.
You can either select an existing network object, or create a new network object by
clicking on New.
Add User Access — Open the User Access window.


For information about users, see Chapter 4, “Managing Users and Administrators.”
Edit — Open the appropriate Edit Object window for this object.
Delete — Delete the object(s) from the rule.
Negate — Negate the object(s) in the rule.
For example, if a rule’s Source is a host network object named monk, then the rule applies
when the communication’s Source is monk. However, if you negate monk, then the rule
applies when the communication’s Source is not monk.
You cannot negate individual objects. For example, if two hosts are given as a rule’s
Source, then you can negate both of them or none of them, but not just one of them.

Cut — Delete the object(s) from the rule and put the object on the clipboard.
Copy — Copy the object(s) to the clipboard.
Paste — Paste the object(s) on the Clipboard into the rule at this point.
The objects displayed depend on what you have selected from the Show drop-down list.

Note - Click More >> to display the Refined Filter section of the Network Objects
window, in which you can specify criteria for searching the defined network objects. For
more information, see “Filtering Network Objects” on page 177.

To add an existing network object to a rule, select the object from the list box and click OK.
The selected object is added to the rule and the Network Objects window is closed.
To create a new object and add that object to the rule, click New.

TABLE 5-3 Network Object Actions

for a description of how to...        ... see
create a network object               “Creating a New Object” on page 175
edit a network object                 “Editing an Object” on page 176
delete a network object               “Deleting an Object” on page 176
build view filters on network object  “Filtering Network Objects” on page 177
The new network object is added to the rule in which you began this procedure. For example,
if you right clicked in a rule’s Destination, then the new object is added to the rule’s
Destination.

Network Objects

In This Section

Network Object Types page 181


Check Point window — General Page page 182
Communication window page 185
Check Point window — Topology Page page 186
Interface Properties Window page 188
Check Point window — NAT page page 192
Check Point window — VPN page page 195
Check Point window —Extranet page page 195
Check Point window — Account Unit page page 195
Check Point window — Additional Logging Configuration page page 197
Check Point window — Masters page page 197
Check Point window — Log Servers page page 198
Check Point window — Advanced page page 199
Check Point window — Capacity Optimization page page 199
Check Point window — SYNDefender page page 199
Check Point window — SMTP page page 200
Check Point window — SAM page page 200
Check Point window — Connection Persistence page page 201

Network Object Types


There are three types of network objects, summarized in TABLE 5-4.

TABLE 5-4 Network Object Types

type                          sub-types                   explanation                                    see ...
Check Points — have Check     Gateway                     a gateway managed by the SmartCenter Server    “Network Object Windows” on page 182
Point software installed                                  on which you are now working
                              Host                        a host managed by the SmartCenter Server on
                                                          which you are now working
                              Gateway Cluster             a group of VPN/FireWall Module machines        “Gateway Clusters” on page 216
                                                          configured to provide failover services
                              Embedded Device             for example, a switch                          “Network Object Windows” on page 182
                              Externally Managed Gateway  a gateway not managed by the SmartCenter
                                                          Server on which you are now working, but by
                                                          another SmartCenter Server
                              Externally Managed Host     a host not managed by the SmartCenter Server
                                                          on which you are now working, but by another
                                                          SmartCenter Server
Nodes — no Check Point        Gateway                     a gateway managed by the SmartCenter Server    “Network Object Windows” on page 182
software installed                                        on which you are now working
                              Host                        a host managed by the SmartCenter Server on
                                                          which you are now working
Interoperable Devices — have                              participate in VPNs with Check Point objects   “Network Object Windows” on page 182
no Check Point software
installed on them

Note - The example windows in this section are those of a Check Point gateway object. The
windows for other types of objects are similar except for the title and the name of the
window.

Changing a Network Object’s Type


To change a network object’s type (for example, from a gateway to a host) right-click the object
in the tree and select the Convert option from the menu.
The Convert option’s name changes in accordance with the selected object and the possibilities.

Note - Not all conversions are possible. For example, it is not possible to convert an
externally managed gateway to an internally managed gateway.

Network Object Windows


The windows shown in the following sections are used for different network object types. As
such, the different versions have different names as well as different trees in the left pane. The
meaning of the fields is the same in all versions of these windows, except if noted otherwise in
the detailed descriptions that follow.

Check Point window — General Page


Name — the Check Point object’s name


The name given here should be identical to the resolvable name (hostname) that appears in the
OS environment, as given in TABLE 5-5. If you use a non-resolvable name, then Get address
may not work.

TABLE 5-5 Default File Locations and Names

Unix           Windows NT and 2000
/etc/hosts     %SYSTEMDIR%\system32\drivers\etc\hosts
/etc/networks  %SYSTEMDIR%\system32\drivers\etc\networks

In Windows NT and 2000, you can determine the hostname’s IP address as follows:
• In the Control Panel, click Network > Bindings and select all protocols. The first
protocol listed in the binding order determines the hostname’s IP address. The order for
TCP/IP and WINS should be consistent.
• The first entry in the output of the ipconfig command shows the hostname’s IP
address.
If NIS is being used, VPN-1/FireWall-1 automatically retrieves the information from the NIS.
If the network object is one that can respond to a Unix hostname command, use the name
returned by that command. The IP address is the one shown by the command grep hostname
/etc/hosts.

IP Address — the object’s IP address


You can get the IP address of previously defined network objects from the database of
network objects by clicking on Get address.
Note -
• The IP address can be dynamically assigned (for example, for gateways with dial-up
connections). See Dynamic Address below.
• For a gateway, the IP Address field in the Check Point window (see ) must specify the
gateway’s external interface. If you fail to do so, IKE encryption will not function
properly.
• It is recommended that you list network objects in the hosts files in addition to
defining them in the VPN-1/FireWall-1 database.

Get address — Click this button to resolve the object’s name to an IP address, using the files
in TABLE 5-5 on page 183.
Dynamic Address — Specifies that the network object’s IP address is dynamically assigned (for
example, for gateways with dial-up connections).
A SmartCenter Server cannot install a Policy on a Module with a dynamic IP address, because
the SmartCenter Server cannot “find” the Module. For the same reason, the Module cannot
terminate a VPN tunnel.
If you check Dynamic Address for an existing network object, the following message will be
displayed:


FIGURE 5-3 Warning Message

If Dynamic Address is checked, you must specify how frequently a Policy should be fetched
from the SmartCenter Server in the Masters page of the Check Point Properties window
(see “Check Point window — Masters page” on page 197).
Comment — Enter a descriptive comment to be displayed when this object is selected in the
Object list and in the Network Objects window.
Color — Select the color in which this object will be displayed in the GUI.
Check Point Products — Specifies the Check Point products installed on this network object,
and their version numbers.
The SmartDashboard installs a Policy on a network object compatible with the Module
version on the network object.
Depending on the products installed, different pages become available in the Check Point
Properties window.

Secure Internal Communication — Available if a Check Point Module is installed on the


network object. A Check Point Module will only be able to communicate with the
SmartCenter Server or with other Check Point Modules when Secure Internal Communication
has been successfully configured on both the SmartCenter Server and on the Module.
Communication — Configure the Check Point Module object on the SmartCenter Server for
Secure Internal Communication. Click this button to open the Communication window
(FIGURE 5-4 on page 185).
DN — The Distinguished Name (or “SIC name”) of the Module. The DN represents the
identity of the Module, and is an internal, read-only value. It exists when a certificate has been
issued for this Module.


Communication Window
FIGURE 5-4 Communication window

The Communication window is used to:


• initialize secure communication between the SmartCenter Server and the Check Point
Module machine
• test SIC Status
• reset the Trust State of the Module
Activation Key — Enter the same Activation Key as is used in the Module configuration. This
is a one-time password whose only purpose is to set up a secure link which is used to deliver a
certificate to the Module.
Trust state — Trust is established only after a certificate has been issued by the Internal
Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may
be different than the Trust state reported at the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in
the SmartDashboard Communication window of the Module: The Trust state reflects the
situation after Module initialization, that is, when an activation key is exchanged and certificate
is sent to the Module. In contrast, Test SIC Status reflects the SIC status after the Module has
the certificate.
The Trust State as reported in cpconfig in the Secure Internal Communication and in the
SmartDashboard in the Communication window can be in one of three states:
• Uninitialized — The Module is not initialized and therefore cannot communicate because it
has not received a certificate from the Internal Certificate Authority on the SmartCenter
Server.
• Initialized but trust not established — At the Module, in cpconfig, in the Secure Internal
Communication window, this means that a one-time password has been typed in but the
Module has not yet received a certificate from the Internal Certificate Authority on the
SmartCenter Server.
In the SmartDashboard in the Communication window, this means that a certificate has
been issued to this Module but has not been delivered, so trust (secure communication)
cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server has been
established. The Module can communicate securely.
Initialize — For an uninitialized Module, create a certificate and send it to the Module. If
successful, the Module state will change to Trust established.
For an initialized Module, send the certificate to the Module. If successful, the Module state will
change to Trust established.
For details, see “Enabling Communication between Modules” on page 99 of the Check Point
Getting Started Guide or page 49 of the Check Point SmartCenter Guide.
Test SIC Status — opens a SIC connection with the Module, and reports on the current
communication status of the Module, after trust has been established for the first time with the
SmartCenter Server. The SIC Status can be either: Communicating, Unknown (when there's no
connection to peer) or Not Communicating (when there's a SIC problem). If the SIC Status is
Not Communicating an error message will give a reason for the failure and may suggest a
remedy.
Reset — Reset the Module back to the uninitialized state by revoking its certificate and
deleting its DN (or “SIC name”).
For more information, see “Secure Internal Communications for Distributed Configurations”
on page 46 of the Check Point SmartCenter Guide.
Close — Close the window.

Check Point window — Topology Page

Automatic Topology Discovery and Definition


Get Topology — Retrieve the network interfaces information for this network object and
display it in this window.
The Get Topology button is the recommended way to define interfaces.
Warning - If you do not define all of the object’s interfaces, or if you define them
incorrectly, anti-spoofing may not be properly defined, the Security Policy may be
incorrectly enforced, and communication with the module may be disabled. Using Get
Topology will help you ensure that the topology is correctly defined, but you must
confirm the results of the topology discovery process.

If you click Get Topology, VPN-1/FireWall-1 automatically calculates the network object’s
topology based on its routing tables and displays the results in the Get Topology Results window
(FIGURE 5-5).

FIGURE 5-5 Get Topology Results Topology window

You should confirm that the information displayed in the Get Topology Results window is
correct.
Some of the objects displayed in the Get Topology Results window are network objects already
defined in the VPN-1/FireWall-1 database, but others may not already be defined (for example,
networks; see the diagram in FIGURE 5-5). These are identified by their colors in the diagram.
Refer to the legend in the bottom left corner of the Get Topology Results Topology window.
If you click Accept, then VPN-1/FireWall-1 will:
• automatically define network objects that are not yet defined in the VPN-1/FireWall-1
database, and
• define the network object’s topology as displayed in the Get Topology Results window
• overwrite any topology information already defined for the network object that is different
from the information in the Get Topology Results Topology window (but existing
information that is consistent with or complements the information in the Get Topology
Results Topology window will not be overwritten).

Manual Topology Definition


To add an interface, click Add. The Interface Properties window (FIGURE 5-6) is displayed.
To edit an interface, select the interface and click Edit or double-click the interface. The
Interface Properties window (FIGURE 5-6) is displayed.

To delete an interface, select the interface and click Remove.


Interface Properties Window


The Interface Properties window (FIGURE 5-6) enables you to provide information about
additional connections to a network object. It is essential to understand the difference between
a network object and its interfaces.
A single network object can have many network interfaces; that is, one network object may be
connected to numerous networks. Each interface has its own IP address and net mask.
You can use the Calculate Topology button (in the Topology page of the Check Point
Properties window) to fetch interface data automatically.

Warning - If the VPN/FireWall Module has the capability of automatically sensing that a
new interface has been installed, then the new interface will not have a Security Policy
installed on it (including anti-spoofing). To prevent this from happening, you must first
define the interface for the object in the SmartDashboard, including its anti-spoofing
properties, install the Security Policy and only then install the physical interface.

Interface Properties window — General Tab


FIGURE 5-6 General tab — Interface Properties window


Name — name of the network interface as specified in the interface configuration scheme of the
host, gateway, or router; for example, lo0 for loopback; le0 for Ethernet interface; sl0 for serial
interface 0, etc.

To obtain the correct name and IP address of the interface:


platform      command
UNIX          ifconfig -a
Windows NT    ipconfig /all
Windows 2000  • Use the command ipconfig /all to obtain the IP address and MAC address
                of the interface, then
              • Use the command route print to obtain the name and MAC address of the
                interface.

Warning - If you do not specify the exact interface names as given in the OS, anti-spoofing
will not function properly.

IP Address — the interface’s IP address


See “IP Address” on page 183.

Net Mask — Specify the interface’s net mask.

Interface Properties window — Topology Tab


FIGURE 5-7 Topology tab — Interface Properties window

External (leads out to the Internet) — Check this box if the interface connects the network
object to the Internet.
Internal (leads to the local network) — Check this box if the interface connects the network
object to the internal (local) network.
IP addresses behind this interface — Specify the IP addresses behind this interface, as
follows:
Not Defined — If you choose this option, then:
• There will be no anti-spoofing defined for this interface.
• This interface and the IP addresses behind it (if any) will not be included in this
object’s VPN domain.
This option is not recommended.
Based on interface’s IP address and Net Mask — VPN-1/FireWall-1 will calculate the
topology based on IP address and Network mask defined for the interface.
Specific — Specify the object(s), usually a network or a group, behind this interface.
For information about anti-spoofing, see “Anti-Spoofing” on page 190.
Perform Anti-Spoofing based on interface topology — VPN-1/FireWall-1 will perform anti-
spoofing based on the interface’s topology as defined in the Topology tab (FIGURE 5-7 on
page 189).
If IP addresses behind this interface is set to Not Defined, then no anti-spoofing will be
performed. For information about anti-spoofing, see “Anti-Spoofing” on page 190.

Note - Do not define anti-spoofing for virtual interfaces, because anti-spoofing has no
meaning in that context.

Spoof Tracking — Spoofed packets are always dropped, but you can specify an additional
action to be taken by selecting one of the following options:
None — No additional action is taken.
Log — The spoofing attempt is logged.
Alert — The action specified for popup alerts in the Alert Commands page of the Global
Properties window is taken (see Chapter 7, “Global Properties”).

Anti-Spoofing

Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a
packet’s IP address to make it appear as though the packet originated in a part of the network
with higher access privileges. For example, a packet originating on the Internet may be disguised
as a local packet. If undetected, this packet might then have unrestricted access to internal
networks.

By implementing anti-spoofing, you can defend your network against these attacks by defining
the addresses that are considered valid on each interface.
When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in
the Security Policy Rule Base (even before properties specified as First in the FireWall-1
Implied Rules page of the Global Properties window).

Anti-spoofing examines the source IP address for incoming packets (entering a gateway) and
determines whether the IP address is valid for that interface.

Note - In versions of VPN-1/FireWall-1 prior to Version NG FP2, anti-spoofing also
examined the destination IP address for outgoing packets (leaving a gateway).

An interface’s “valid addresses” are the IP addresses behind the interface, as defined in the
Topology tab (FIGURE 5-7 on page 189):
• A packet whose source IP address is a valid address is allowed to enter the network object
through the interface.
• A packet whose source IP address is not a valid address is not allowed to enter the network
object through the interface.

Anti-Spoofing Example

Consider the network depicted in FIGURE 5-8.


FIGURE 5-8 Anti-Spoof Example Configuration
[Figure: a Gateway with three interfaces: le2 on the private side towards localnet, le1
towards the DMZ (HTTP, FTP, etc.), and le0 on the public side towards a router and the
Internet.]

The valid addresses for each of the interfaces are as follows:

TABLE 5-6 Valid Addresses for each interface

interface   valid addresses
le2         Only IP addresses in localnet are valid (that is, any packets entering the
            network object through this interface must have source addresses in
            localnet). A packet with any other source IP address is spoofed.
le1         Only IP addresses in DMZ are valid (that is, any packets entering the network
            object through this interface must have source addresses in DMZ). A packet
            with any other source IP address is spoofed.
le0         This interface faces the Internet, so all IP addresses (except the valid
            addresses of the other interfaces) are valid source addresses. A packet with
            a source IP address belonging to DMZ or to localnet is spoofed.
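The following Python model is added here and is not part of the guide or of Check Point's code. It applies the valid-address rule of TABLE 5-6 to packets entering each interface of the FIGURE 5-8 gateway, derives the external interface's valid set from the other interfaces as the table describes, and models the Not Defined and Spoof Tracking options; the address ranges for localnet and DMZ are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network


@dataclass
class Interface:
    """One entry in the Topology tab of the Interface Properties window."""
    name: str
    external: bool = False            # External (leads out to the Internet)
    # "IP addresses behind this interface": None models the Not Defined option;
    # a list models Specific (or the list computed from IP address and Net Mask).
    behind: Optional[List[Network]] = None
    anti_spoofing: bool = True        # Perform Anti-Spoofing based on interface topology
    spoof_tracking: str = "Log"       # Spoof Tracking: "None", "Log" or "Alert"


class AntiSpoofGateway:
    """Applies the implicit anti-spoof rule to packets entering each interface."""

    def __init__(self, interfaces: List[Interface]) -> None:
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.events: List[Tuple[str, str, str]] = []   # (tracking, interface, source IP)

    def _internal_addresses(self) -> List[Network]:
        """Valid addresses of every non-external interface that has a topology."""
        nets: List[Network] = []
        for iface in self.interfaces.values():
            if not iface.external and iface.behind is not None:
                nets.extend(iface.behind)
        return nets

    def is_valid_source(self, iface_name: str, src: str) -> bool:
        """True if src is a valid source address for packets entering iface_name."""
        iface = self.interfaces[iface_name]
        addr = ipaddress.IPv4Address(src)
        if not iface.anti_spoofing:
            return True                 # checkbox cleared: the source is never examined
        if iface.external:
            # External interface (assumption: the External checkbox stands in for its
            # topology): everything is valid except the other interfaces' valid addresses.
            return not any(addr in net for net in self._internal_addresses())
        if iface.behind is None:
            return True                 # Not Defined: no anti-spoofing on this interface
        return any(addr in net for net in iface.behind)

    def inspect(self, iface_name: str, src: str) -> str:
        """Return "accept" or "drop". Spoofed packets are always dropped; the
        Spoof Tracking option decides whether an event is recorded as well."""
        if self.is_valid_source(iface_name, src):
            return "accept"
        tracking = self.interfaces[iface_name].spoof_tracking
        if tracking != "None":
            self.events.append((tracking, iface_name, src))
        return "drop"


# Constructed sample topology mirroring FIGURE 5-8 (the address ranges are made up).
LOCALNET = Network("10.1.0.0/16")
DMZ = Network("192.0.2.0/24")


def build_example_gateway() -> AntiSpoofGateway:
    return AntiSpoofGateway([
        Interface("le2", behind=[LOCALNET]),                      # private side
        Interface("le1", behind=[DMZ], spoof_tracking="Alert"),   # DMZ
        Interface("le0", external=True),                          # public side
    ])


if __name__ == "__main__":
    gw = build_example_gateway()
    for iface, src in [("le2", "10.1.5.7"), ("le0", "10.1.5.7"),
                       ("le0", "203.0.113.9"), ("le1", "203.0.113.9")]:
        print(f"{iface} <- {src}: {gw.inspect(iface, src)}")
    print(gw.events)
```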

Interface Properties window — QoS (Quality of Service) Tab


FIGURE 5-9 QoS (Quality of Service) tab — Interface Properties window

See FloodGate-1 Administration Guide for information about this tab.

Check Point window — NAT page


This page specifies the parameters for automatically generated Address Translation rules for the
network object.

For information about automatically generated Address Translation rules, see “Generating
Address Translation Rules Automatically” on page 87 of Check Point FireWall-1 Guide.

IP Pools
Use IP Pool NAT for SecuRemote/SecureClient connections — Use IP Pools for
SecuRemote/SecureClient connections.
Use IP Pool NAT for gateway to gateway connections — Use IP Pools for gateway to
gateway connections.
Allocate IP Pool Addresses from — Select the network object (an Address Range, network or
a group of one of these objects) whose IP addresses will serve as the IP Pool’s IP addresses.
Return unused IP addresses to Pool after — Set the time period during which an IP Pool
address will remain assigned even after all open connections have ended.
For information about IP pools, see “Multiple Entry Point (MEP) Example Configuration” on
page 169 of Check Point Virtual Private Networks.
For information about hiding behind IP address 0.0.0.0, see “Hiding Behind 0.0.0.0” on page
75 of Check Point FireWall-1 Guide.

Classic Mode
In classic mode (when VPN Communities are not used), IP Pools will be used only if both of
the following conditions are true:
• The rule specifies that IP Pools are to be used.
• The connection matches the checked Use IP Pool NAT parameter above.
For example, if the rule describes a SecuRemote/SecureClient connection and Use IP Pool
NAT for SecuRemote/SecureClient connections is checked, the IP Pools will be used. If
Use IP Pool NAT for SecuRemote/SecureClient connections is not checked, then IP
Pools will not be used.

Communities
In VPN Communities, there are no encryption rules, so only the parameters in the window are
relevant.

Office Mode
This feature allows the organization to assign IP addresses used in its operational network to
SecuRemote/SecureClient users. The mechanism is based on an IKE protocol extension that
enables sending IP addresses during the IKE negotiation.
Never offer Office Mode — The gateway’s IKE negotiation with a SecuRemote/SecureClient
user will not include the offer to use Office Mode.
Offer Office Mode to group — The gateway will offer Office Mode only to members of the
group selected from the drop-down list.

Always offer Office Mode — Office Mode will be offered to any SecuRemote/SecureClient
user that initiates the IKE negotiation with the gateway.

Check Point window — UserAuthority page


UserAuthority Network Object — enter the Network Object which has UA installed on it
UserAuthority Service — default is 19191
UserAuthority server authentication type — default is sslca, meaning each side has a
certificate; none means no certificate is required.
Action taken for URL external — default is reject
If the URL entering your site doesn’t belong to any of your websites, what should be done with
it? The default is to reject the URL. Selecting accept lets the URL pass to the Webserver.
Selecting redirect enables the Redirect URL to window.
Redirect URL to — define the location to direct external URLs which do not meet the
condition you specify.
Advanced — clicking the Advanced button opens the Advanced window.
Limits and Timeouts - general limits and timeouts for UA WebAccess: buffer size, server
timeout and session timeout.
Maximal client request buffer size - default is 128 kilobytes, minimum is 0; there is no
maximum. Sets how much information flows in at a time. It is added to minimize the
possibility of overflow.
Communication to UserAuthority Server timeout — default is 5000 milliseconds (5 seconds).
Sets how long to wait for an answer from the UserAuthority Server.
HTTP session timeout — default is 900 seconds (15 minutes). Sets how long information is
kept in a cookie before it is deleted.
SSL: this section defines how to treat Secure Sockets Layer (SSL) connections.
SSL redirection methodology— redirect to original URL via HTTPS (default) or to another
URL.
Selecting redirect to page enables the Redirect to window.
Redirect to — define the location to direct SSL URLs
Windows Groups — allows for the use and definition of Windows groups
Get Windows group data for Windows users — if selected, group names will be obtained
from Windows
Windows domain controller — select a UA Server on a domain controller

Case Sensitivity: Case sensitive naming conventions for URLs - check to allow for the use of
case sensitive naming conventions for URLs.

Check Point window — VPN page


This window specifies a network object’s VPN parameters. For additional information regarding
VPN-1/FireWall-1’s VPN feature, see Check Point Virtual Private Networks.
To add a certificate for the network object, click Add.

Note - Before adding certificates, you must first create a CA (Certificate Authority) Server
object (see Chapter 3, “Certificate Authorities” of Check Point Virtual Private Networks).

Check Point window — Extranet page


For additional information regarding Extranets, see Check Point Virtual Private Networks.

Check Point Properties Window — Authentication page


The Authentication page is available only when VPN-1 & FireWall-1 Installed is checked on
the General page (FIGURE 5-6 on page 188).
Check the authentication schemes that are enforced on this gateway. A user for whom another
authentication scheme is defined will not be allowed access through this gateway.
For additional information regarding VPN-1/FireWall-1’s Authentication features, see
Chapter 3, “Authentication” of Check Point FireWall-1 Guide.

Check Point window — Account Unit page


The Account Unit page is available only when both of the following conditions are true:
• VPN-1 & FireWall-1 Installed is checked in the General page of the Check Point
Properties window ( on page 182).
• Use LDAP account management is checked in the LDAP page of the Global Properties
window ( on page 283).
For information about Account Units, see Chapter 10, “Server Objects and OPSEC
Applications.”
Display list of Distinguished Names (DNs) for matching UIDs on login — If this option is
checked, when logging in the user can choose the User ID that matches his/her distinguished
name. This is useful in cases where there are multiple users with the same User ID.
Timeout on LDAP requests — The LDAP query request will be dropped after the amount of
time determined (cannot exceed the TCP session timeout).
All (default priorities located in the Account Unit’s General tab) — If checked, VPN-
1/FireWall-1 queries all LDAP servers.

Selected Account Unit’s list (order implies priority) — If checked, a list box with Available
AUs will appear.
Choose the Account Units to be queried and add them to the Selected AUs list box by
selecting an Account unit and clicking the Add button. To remove an Account Unit from the
list, select the Account Unit and click Remove.
The following options will appear only if Selected AU list is selected.
Available AU’s — displays the list of available Account Units that will not be queried.
Selected AU’s — displays the list of Account Units that will be queried.
Query servers sequentially (by Account Unit’s priorities) — If checked, VPN-1/FireWall-1
will query the LDAP servers in the sequence of their priorities.

Check Point window — Logs and Masters page

Local Log Files


Log switch when file is — Switch logs (that is, close the current log file and start a new one)
when the current log file reaches the size specified in the corresponding field.
Schedule log switch to — Switch logs on a pre-determined schedule, according to the selected
time object specified in the corresponding field.

Disk Space Management


Measure free disk space in — select how you want to measure free disk space. The options are:
• MBytes
• Percent
Required free disk space — the amount of free disk space that is required on the machine
Do not delete log files from the last — If the machine has run out of disk space, and log files
need to be deleted to restore the necessary disk space, do not delete log files from the last
number of days specified.

Advanced Settings
Alert when free disk space is below — Issue an alert when the available disk space falls below
the number specified in the corresponding field.
Alert type — Select the type of alert to issue in the corresponding field.
Stop logging when free disk space is below — Stop saving log records on the local machine
when the available disk space falls below the specified number. Log records are saved locally
when the connection to the SmartCenter Server is unavailable.
Reject all connections when logs are not saved — If enabled, then connections are rejected
if they cannot be logged.

Check Point window — Additional Logging Configuration page

Log Forwarding Settings


Forward log files to SmartCenter Server — Select the SmartCenter Server to which to
forward local log files.
Log files are written locally when the connections to all the Log Servers defined in the Log
Servers page of the Check Point Properties window are unavailable. The local log file is
then forwarded to the specified SmartCenter Server according to Log forwarding schedule.
Log forwarding scheduler — Forward local log files to the SmartCenter Server specified in
Forward log files to SmartCenter Server according to the pre-determined schedule
specified by the selected time object (scheduled event).
See “Scheduled Events” on page 351 for information about scheduled events.
Perform log switch before log forwarding — Switch logs (that is, close the current log file
and start a new one) before forwarding local log files to the SmartCenter Server.

Advanced Settings
Update Account Log every — The frequency at which the Accounting log is updated.
Accounting updates are sent while a connection is open. The counters (packets, bytes, etc.) are
reset when the update is sent, so each update includes the differences (delta) since the last
update.
Turn on QoS logging — Log QoS related events.
See Check Point FloodGate-1 Guide for information about QoS (Quality of Service).

Check Point window — Masters page


A Module’s Master is a SmartCenter Server authorized to download a Policy to the Module.
For example, a VPN/FireWall Module’s Master is the SmartCenter Server authorized to
download a Security Policy to the VPN/FireWall Module.
To add a Master to the list, click Add and add the Master in the Add Masters window.
To delete a Master from the list, select the Master and click Remove.

To change the sequence, use the Up and Down buttons.


If a Module must fetch a Policy, for example, after a reboot, it attempts to fetch the Policy
from the Masters in the list one after the other, until it succeeds.
Dynamic Address Node Fetch Policy — This field applies to DAIP (Dynamically Assigned IP
Address) Modules, and specifies how the DAIP Module fetches its Policy from the SmartCenter
Server.
For information about DAIP Modules, see Chapter 14, “Dynamically Assigned IP Addresses.”
Select one of the following:

Manually — Fetch this DAIP Module’s Policy manually (see “Installing a Policy” on page 482).
Scheduled Event — Fetch this DAIP Module’s Policy on a pre-determined schedule, according
to the selected time object (scheduled event).
See “Scheduled Events” on page 351 for information about scheduled events.
It is recommended that you install a DAIP Module’s first Policy manually, even if you plan to
automatically update it using a scheduled event.

Check Point window — Log Servers page


Use local definitions for Log Servers — This network object will send logs to the Log
Servers specified in its local MASTERS file rather than those specified in this window.
Select this option for backwards compatibility with previous versions of VPN-1/FireWall-1.
Define Log Servers — This network object will send logs to the Log Servers specified below.
Send logs to this node — If checked, this network object will send log records to itself (that
is, it will log locally) in addition to any Log Servers specified below.
Always send logs to — Specify the Log Servers to which this network object will send logs or
alerts.
Check Logs and/or Alerts to specify what to send to the selected Log Server.
To add a server to the list, click Add and add the log server to the Selected Log Servers list in
the Add Logging Servers window (FIGURE 5-10).
FIGURE 5-10 Add Logging Servers window

To delete a logging server from the list, select the server in the Log Servers page of the
Check Point Properties window and click Remove.

When a Log Server is unreachable, send logs to — If one of the Log Servers listed above is
unreachable (that is, the network object cannot connect to the Log Server), then send logs to
the first server in this list that is reachable.
To add a Log Server to the list, click Add and add the log server in the Add Logging Servers
window.

To delete a Log Server from the list, select the Log Server and click Remove.

To change the sequence, use the Up and Down buttons.

Check Point window — Advanced page


sysName — the object’s name
sysLocation — the object’s location
sysContact — the name of a contact person
Get — You can use this button to retrieve information about this network object and display it
in this window.
Set — Set the object’s properties to those shown in this window.
Read Community — the community with read permission for this object
Write Community — the community with write permission for this object

Check Point window — Capacity Optimization page

Capacity Optimization
These settings enable you to optimize resource usage on the FireWall Module. It is
recommended that you do not alter these settings from their defaults, unless there is some
specific issue you need to address. Keep in mind that resources can be allocated to one task only
at some cost to other tasks.
Maximum concurrent connections — The maximum number of concurrent connections the
FireWall Module will support.
Calculate connections hash table size and memory pool — Choose either Automatically
(recommended) or Manually.

If you choose Manually, then you can specify the following options:
Connections hash table size — the size of the connections hash table
A larger table reduces collisions, but uses more memory.
Memory pool size — the initial size of the memory pool
Maximum memory pool size — the maximum size of the memory pool
Restore defaults — Click to reset the above values to their defaults.

Check Point window — SYNDefender page


The SYNDefender page defines the parameters of the VPN-1/FireWall-1 SYNDefender feature,
which protects against SYN attacks.
For information about SYNDefender, including guidelines for its deployment, see the Check
Point FireWall-1 Guide.

Method — Choose one of the following:


• None — SYNDefender is not deployed.

If you choose this option, your network will not be protected from SYN attacks.
• SYN Relay — Deploy the SYN Relay method.
• Passive SYN Gateway — Deploy the Passive SYN Gateway method.

Timeout for SYN attack identification — Specifies how long SYNDefender waits for an
acknowledgment before concluding that the connection is a SYN attack.
Maximum Sessions — Specifies the maximum number of protected sessions.
This parameter is relevant only if Passive SYN Gateway is selected under Method. If SYN
Relay is selected, all sessions are protected.

This parameter specifies the number of entries in an internal connection table maintained by
SYNDefender. If the table is full, SYNDefender will not examine new connections.
If you change this value, the new value will take effect as follows:
• IBM AIX — The new value takes effect after you install the Security Policy, stop and
restart the FireWall/VPN Module.
• on all other platforms — The new value takes effect after you install the Security Policy
and reboot.
Display Warning Messages — If set, SYNDefender will print console messages regarding its
status.

Check Point window — SMTP page


These properties must be set if this network object uses the SMTP Security Server (that is, if
this network object enforces a Security Policy rule that uses an SMTP Resource).
For information about the fields in this window, see TABLE 4-4 on page 216 of Check Point
FireWall-1 Guide.

Check Point window — SAM page


Forward SAM clients’ requests to other SAM Servers — Use this option to change the mode
of the SAM Server on this Check Point Gateway from agent to proxy. A SAM proxy forwards
SAM requests from a SAM client to other SAM Servers on other Check Point Gateways. A
SmartCenter Server is always a proxy.
If there are DAIP Modules in the network, it is not recommended to configure a Check Point
Gateway as a SAM Proxy.
Use backwards compatibility mode — to configure the communication between a SAM
proxy server (typically the connecting management), and this VPN-1/FireWall-1 Module.
If both the SAM proxy server and the VPN-1/FireWall-1 Module are of version 4.1 or lower,
check this box, and choose the authentication (or encryption and authentication) method.

If the SAM proxy server is of version 4.1 or lower, and this Module is upgraded to NG, the
configuration will be done automatically as follows:
• the configuration parameters will be taken from the fwopsec.conf file (present on this
Module prior to the upgrade) and
• the appropriate backward compatibility mode will be selected.
If both the SAM proxy server and this Module are of version NG, do not check this option.
Purge SAM file when it reaches KBytes — Limits the size of the SAM log file on the Module.
The minimum size is 50 KB. The SAM file includes all requests sent to the Module including
obsolete requests. Purging these obsolete requests from the file restores disk space.

Check Point window — Connection Persistence page


Define what to do with connections that are open when a Policy is installed. For details of how
FireWall-1 handles existing connections, see “Connection Persistence during a new Policy
installation” on page 339.
Keep all connections — Keep all control and data connections open until the connections have
ended. The newly installed Policy will be enforced only for new connections.
Keep Data Connections — Keep all data connections open until the connections have ended.
Control connections that are not allowed under the new Policy will be terminated.
Rematch Policy — All connections not allowed under the new Policy will be terminated, unless
the Keep connections open after policy has been installed is enabled in the service’s
Properties window (see, for example, FIGURE 6-2 on page 222).

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page.

SofaWare-SmartDashboard Integration
SofaWare devices can now be integrated and easily managed via SmartDashboard:
SofaWare gateways can be managed by SmartCenter Management.
• Manage SofaWare devices in Enterprise environments by creating SofaWare Profiles and
adding them to your Security Policy and/or to your VPN.
• Manage SofaWare devices in ISP environments by configuring security levels and assigning
the proper level for a SofaWare Device at runtime, with no need to reinstall the policy.
From Network Objects select a gateway. Select Robo gateway profile and double click
SofaWare.
Name - the name of the SofaWare gateway profile.
Comment - include free text

From Network objects select a gateway. Select Safe@Gateway.

Name - the name of the SofaWare gateway.

IP Address - type a specific IP Address or check dynamic address
The IP Address complies with the Rule Base on the SmartDashboard and with VPN.
Comment - include free text
Type - the SofaWare hardware device
SofaWare profile - choose a SofaWare gateway profile
Password - can be generated
Product key - the license of the product
MAC Address - the data link layer address of the SofaWare hardware
VPN Enabled - if checked, enables VPN operation
Externally managed gateway - an external management for SofaWare gateways

Networks

In This Section

Network Properties Window — General Tab page 202


Network Properties Window — NAT (Address Translation) Tab page 203

Network Properties Window — General Tab


Name — the network’s name
IP Address — the network’s IP address
For networks, the host portion of the IP address is ignored, so it is best to enter the network
address as x.y.z.0 (for a class C network).
See “IP Address” on page 183.
Net Mask — see “Net Mask” on page 189.
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.
Broadcasts Address — Specifies whether to consider the network’s broadcast IP address as
being in the network.
If this is set to Included, then in rules which allow access (that is, rules whose Action is
neither Reject nor Drop) and in which this network object is either the Source or the
Destination, the last address in the network is considered to be part of the network.

Network Properties Window — NAT (Address Translation) Tab


This window specifies the parameters for automatically generated Address Translation rules for
the network object.
For information about automatically generated Address Translation rules, see “Generating
Address Translation Rules Automatically” on page 87.

Domains

Domain Properties Window


Name — the domain’s name
Domain names begin with a period (“.”). For example, “.moon.com” is a domain name.
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.

Using Domain Objects in a Rule


When a domain object is used in a rule’s Source or Destination, the VPN-1/FireWall-1
Inspection Module must determine whether the packet’s IP address belongs to the domain by
reverse resolving the address. VPN-1/FireWall-1 then confirms the reverse resolution by
resolving the domain name.
The first time a rule containing a domain object is applied to a specific IP address, there is a
slight delay while the Inspection Module reverse resolves the IP address. The resolved address is
then stored in a local cache, so the delay occurs only once per IP address.
In order to minimize these delays, it is recommended that rules containing domain objects
should be positioned as far down as possible in the Rule Base.
Note - VPN-1/FireWall-1 reverse resolves the IP address using DNS. Because
VPN-1/FireWall-1’s decision on whether to allow a communication depends on the
information received from the DNS, it is imperative that you ensure you are using a
trusted DNS.
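An added example, not Check Point's code, of the reverse-resolve, forward-confirm and cache logic described above for domain objects; the DNS answers come from constructed lookup tables so it runs offline, and all names and addresses are made up.

```python
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]   # IP address -> host name (reverse lookup)
ALookup = Callable[[str], List[str]]         # host name -> IP addresses (forward lookup)


class DomainObjectMatcher:
    """Decides whether an IP address belongs to a domain object such as ".moon.com"."""

    def __init__(self, reverse: PtrLookup, forward: ALookup) -> None:
        self.reverse = reverse
        self.forward = forward
        self.cache: Dict[str, Optional[str]] = {}   # ip -> confirmed name, or None
        self.dns_queries = 0                         # counts slow-path resolutions

    def confirmed_name(self, ip: str) -> Optional[str]:
        """Reverse-resolve ip, then confirm by forward-resolving the returned name.
        The result is cached, so the resolution delay happens once per IP address."""
        if ip in self.cache:
            return self.cache[ip]
        self.dns_queries += 1
        name = self.reverse(ip)
        # Forward confirmation: a PTR answer whose name does not resolve back to the
        # same address is discarded, so the address matches no domain object.
        confirmed = name if name is not None and ip in self.forward(name) else None
        self.cache[ip] = confirmed
        return confirmed

    def matches(self, ip: str, domain: str) -> bool:
        """True if ip belongs to domain; domain object names begin with a period."""
        if not domain.startswith("."):
            raise ValueError("domain object names must begin with a period")
        name = self.confirmed_name(ip)
        if name is None:
            return False
        # The leading period keeps "mail.evilmoon.com" from matching ".moon.com".
        return name.lower().endswith(domain.lower())


# Constructed DNS data (made-up names and addresses).
PTR_RECORDS = {
    "198.51.100.7": "www.moon.com",
    "198.51.100.8": "mail.evilmoon.com",
    "203.0.113.5": "www.moon.com",   # a reverse zone claiming a name it does not own
}
A_RECORDS = {
    "www.moon.com": ["198.51.100.7"],
    "mail.evilmoon.com": ["198.51.100.8"],
}


def build_example_matcher() -> DomainObjectMatcher:
    return DomainObjectMatcher(reverse=PTR_RECORDS.get,
                               forward=lambda name: A_RECORDS.get(name, []))


if __name__ == "__main__":
    matcher = build_example_matcher()
    for ip in PTR_RECORDS:
        print(ip, matcher.matches(ip, ".moon.com"))
```

Forward confirmation defeats a PTR record that merely claims a name; it does not help when the resolver itself is untrusted, which is why the Note above insists on a trusted DNS.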

Open Security Devices

In This Section

Overview page 204


OSE Device Properties Window — General Tab page 204
OSE Device Properties Window — Topology Tab page 205
Defining Router Anti-Spoofing Properties page 206

Overview
A VPN-1/FireWall-1 enforcement point is a machine or device that enforces at least some part
of the Security Policy. An enforcement point can be a Check Point object (see “Network
Objects” on page 180), router, switch or any machine that can be managed by a SmartCenter
Server by installing a Security Policy or Access List.
VPN-1/FireWall-1 includes the following types of enforcement points:
• Open Security Extension Devices (OSE)
• Embedded Devices

Open Security Extension (OSE) Devices


The Open Security Extension feature enables VPN-1/FireWall-1 to manage third-party open
security extension (OSE) devices. The number of managed devices depends on your license.
Devices include hardware and software packet filters. VPN-1/FireWall-1 also supports hardware
security devices which provide routing and additional security features, such as Network Address
Translation and Authentication. Security devices are managed in the Security Policy as
Embedded Devices. The SmartCenter Server generates Access Lists from the Security Policy and
downloads them to selected routers and open security devices. VPN-1/FireWall-1 supports the
following devices, as shown in TABLE 5-7:

TABLE 5-7 VPN-1/FireWall-1 Supported OSE Devices

OSE Device      Supported Versions
Cisco Systems   9.x, 10.x, 11.x, 12.x
Bay RS          7.x, 8.x, 9.x, 10.x, 11.x, 12.x
3Com            9.x, 10.x, 11.x

OSE Device Properties Window — General Tab


Name — the name of the OSE device
The name given here should be identical to the name as it appears in the system database on
the server.
IP Address — the device’s IP address
Get Address — click this button to resolve the name to an address

Note - It is recommended that you list OSE device objects in your hosts (Unix) and
lmhosts (Windows) files in addition to defining them in the VPN-1/FireWall-1 database.

Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.

Color — Select a color from the drop-down list. The OSE device will be represented in the
color selected, throughout the SmartMap for easier user tracking and management.
Type — choose one of the following from the drop-down menu:
• Cisco Systems
• Nortel
• 3Com

OSE Device Properties Window — Topology Tab


OSE devices report their network interfaces and setup at boot time. Each OSE device has a
different command for listing its configuration.

Note - At least one interface must be defined in the Topology tab or Install Policy will fail.

Show all IPs behind gateway — Show all IP Addresses behind the device in the SmartMap
View.
To add an interface, click Add. The Interface Properties window (FIGURE 5-6 on page 188)
is displayed.
To edit an interface, select the interface and click Edit, or double-click the interface. The
Interface Properties window (FIGURE 5-12 on page 210) is displayed.

To delete an interface, select the interface and click Remove.

The manner in which names are specified for OSE device interfaces is different from the manner
in which they are specified for interfaces of other network objects.
Name — name of the network interface as specified in the router’s interface configuration
scheme
This name does not include a trailing number.
For information regarding the other fields in the Interface Properties window for routers, see
“Interface Properties Window” on page 188.
IP Address — the device’s IP address
See “IP Address” on page 183.
Net Mask — see “Net Mask” on page 189.
Exportable for SecuRemote/SecureClient — Specifies whether information about this object
can be made available to SecuRemote/SecureClient machines.
For information about SecuRemote, see Chapter 1, “VPN-1 SecuRemote Server,” of Check
Point Desktop Security Guide.

Chapter 5 Network Objects 205



Defining Router Anti-Spoofing Properties


The Interface Properties window allows you to define router anti-spoofing parameters when
installing Access Lists on routers. The Interface Properties window is almost identical to the
Interface Properties window for network objects (FIGURE 5-6 on page 188). For more
information on spoofing, see “Anti-Spoofing” on page 190.
Note - To implement anti-spoofing for 3Com and Cisco (version 10.x and higher), you
must define additional properties in the Setup tab of each router after you define the
Valid Addresses in the Interface Properties window. For more information, see “Anti-
spoofing Parameters and OSE Devices Setup (Cisco, Nortel and 3Com)” on page 206.

Note - Logging for spoofing attempts is available for external interfaces only.

Anti-spoofing Parameters and OSE Devices Setup (Cisco, Nortel and 3Com)
For Cisco (Version 10.x and higher), Nortel and 3Com OSE devices, you must specify the
direction of the filter rules generated from anti-spoofing parameters. The direction of
enforcement is specified in the Setup tab of each router.
For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface
Direction property.

Access List No — the number of Cisco access lists enforced


Cisco routers Version 12.x and below support an ACL number range from 101-200. Cisco
routers Version 12.x and above support an ACL number range from 101-200 and also an ACL
number range from 2000-2699. Entering a number from this second range enables the support
of more interfaces.
Username — the name required to log on to the OSE device
Password — the Administrator password (Read only) as defined on the router
Enable Username — the user name required to install Access Lists
Enable Password — the password required to install Access Lists
The security administrator must select one of the following options from the drop-down list
for the above Username and Password fields (this includes the Enable fields):
None — Indicates the parameter is not needed.
Known — the value of the parameter must be entered
Prompt — Indicates that the security administrator will be prompted for this parameter.
Version — the Cisco OSE device version (9.x, 10.x, 11.x, 12.x)


OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this
direction on all interfaces.
Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets
traveling in this direction on all interfaces.
For Nortel routers, the Setup tab contains the following properties:
Security — The security administrator must select either None, Wellfleet or Other from the
drop-down list.
Password — the password to access the OSE device
Additional Managers — additional managers as defined in the Bay Site Manager software
Volume — the volume on the OSE device
Config File — name of the config file on the OSE device
Version — the version of the OSE device (7.x, 8.x, 9.x, 10.x, 11.x, or 12.x)
For 3Com routers, the direction of enforcement is defined by the Interface Direction: Spoof
Rules property.

OSE Device Access

Username — the name required to log on to the OSE device


Password — the password to access the OSE device
Manager Password — password required to connect to the OSE device
Interface Directions

Rules — the direction in which the rules are enforced on the OSE device interfaces
Spoof Rules — the direction in which spoof rules are enforced on each OSE device interface
Service Independent Filters — Service independent filters are 3Com specific filters
implemented by 3Com routers. The OSE device simply activates or deactivates these filters.
Refer to the specific 3Com router documentation for complete information for these service
independent filters.
To activate these filters, you must select any of the following:
Deny Route Recording — Specifies whether or not the received packet should be dropped if
the record-route option is present in the IP header.
Deny Src Routing — Specifies whether or not the received packet should be dropped if the
source-route option is present in the IP header.
Deny Tiny Fragments — Specifies whether tiny TCP fragment checks (RFC 1858) are
performed.
Deny Time Stamping — Specifies whether or not the received packet should be dropped if
the time-stamp option is present in the IP header.
Deny IP — Specifies whether or not IP tunnel packets are allowed. IP tunnel packets are IP-
over-IP encapsulation.


Deny SrcSpoofing (3Com) — Specifies whether packets are subject to source-spoofing checks.
Generate ICMP Errors — For denied packets, this option specifies whether or not the OSE
Device should generate ICMP destination administratively unreachable messages (ICMP type
13).
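
To make the five Deny filters concrete, here is an added Python example (not Check Point or 3Com code) that parses an IPv4 header and reports which of the filters above a packet would trigger. The packet bytes, addresses and the TMIN value are constructed for the example; the option codes are those of RFC 791 and RFC 781, and the tiny-fragment rule follows the two tests in RFC 1858. The Generate ICMP Errors behaviour is left out because it depends on the router.

```python
"""Model of the 3Com service-independent 'Deny ...' filters as a packet check."""
import struct

# IPv4 option type octets (RFC 791, RFC 781): the low 5 bits are the option
# number, bit 7 the copied flag and bits 5-6 the option class.
OPT_EOL, OPT_NOP = 0, 1
OPT_RECORD_ROUTE = 7      # class 0, number 7
OPT_TIMESTAMP = 68        # class 2, number 4
OPT_LSRR = 131            # loose source route: copied, number 3
OPT_SSRR = 137            # strict source route: copied, number 9
PROTO_IPIP, PROTO_TCP = 4, 6
TMIN = 16                 # RFC 1858: a first TCP fragment shorter than this cannot hold the flags


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields needed by the filters plus the option type octets."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or header length")
    options, i = [], 20
    while i < ihl:                      # walk the option list up to the end of the header
        kind = pkt[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = pkt[i + 1] if i + 1 < ihl else 0
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option")
        options.append(kind)
        i += length
    return {"proto": proto,
            "more_frags": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,      # in 8-octet units
            "transport_len": total_len - ihl,
            "options": options,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def tiny_fragment(h: dict) -> bool:
    """RFC 1858: drop a first TCP fragment too short to carry the flags, and any
    fragment at offset 1, which could overwrite the flags of the first one."""
    if h["proto"] != PROTO_TCP:
        return False
    if h["frag_offset"] == 0 and h["transport_len"] < TMIN:
        return True
    return h["frag_offset"] == 1


FILTERS = {
    "Deny Route Recording": lambda h: OPT_RECORD_ROUTE in h["options"],
    "Deny Src Routing": lambda h: OPT_LSRR in h["options"] or OPT_SSRR in h["options"],
    "Deny Tiny Fragments": tiny_fragment,
    "Deny Time Stamping": lambda h: OPT_TIMESTAMP in h["options"],
    "Deny IP": lambda h: h["proto"] == PROTO_IPIP,        # IP-over-IP encapsulation
}


def check_packet(pkt: bytes, enabled: set) -> tuple:
    """Return (verdict, matched filter names) given the set of enabled filters."""
    h = parse_ipv4(pkt)
    matched = [name for name, pred in FILTERS.items() if name in enabled and pred(h)]
    return ("deny" if matched else "permit", matched)


def build_ipv4(proto: int, options: bytes = b"", payload: bytes = b"",
               frag_offset: int = 0, more_frags: bool = False) -> bytes:
    """Construct a sample packet (no checksum; addresses from the RFC 5737 test ranges)."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad with EOL to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 1,
                      flags_frag, 64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + opts + payload


# Constructed samples: a clean packet and one packet per filter.
TCP_SEG = b"\x00\x50\x04\xd2" + b"\x00" * 16          # 20-byte TCP header stand-in
SAMPLES = {
    "clean": build_ipv4(PROTO_TCP, payload=TCP_SEG),
    "record_route": build_ipv4(PROTO_TCP, b"\x07\x07\x04" + b"\x00" * 4, TCP_SEG),
    "loose_source_route": build_ipv4(PROTO_TCP, b"\x83\x07\x04" + b"\x00" * 4, TCP_SEG),
    "timestamp": build_ipv4(PROTO_TCP, b"\x44\x08\x05\x00" + b"\x00" * 4, TCP_SEG),
    "tiny_first_fragment": build_ipv4(PROTO_TCP, payload=TCP_SEG[:8], more_frags=True),
    "ip_in_ip": build_ipv4(PROTO_IPIP, payload=build_ipv4(PROTO_TCP, payload=TCP_SEG)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} {check_packet(pkt, set(FILTERS))}")
```

Running the block prints one verdict per sample; each constructed sample trips exactly one filter, and passing a smaller `enabled` set shows that a filter left unselected in the Setup tab has no effect.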

Embedded Devices

In This Section

Overview page 208


Embedded Devices window — General tab page 208
Embedded Device Properties — Topology tab page 209
Interface Properties Window — Topology Tab page 210
Embedded Device Properties — NAT tab page 211

Overview
Embedded devices include machines or hardware devices on which a VPN/FireWall Module or
an Inspection Module is installed.
VPN-1/FireWall-1 supports the following platforms and VPN-1/FireWall-1 features, as shown
in TABLE 5-8 below:

TABLE 5-8 Supported Embedded Devices

Embedded Device Platform   VPN-1/FireWall-1 features supported
Ramp                       Anti-spoofing, Logs and Alerts, Time Objects
Xylan                      Anti-spoofing, Logs and Alerts, Time Objects

Embedded Devices window — General tab


Name — the name of the Embedded Device
IP Address — the device’s IP address
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.
Type — choose one of the following vendors from the drop-down list:
• Nokia IP5x
• Xylan


VPN-1 & FireWall-1 Installed — whether a VPN/FireWall Module or Inspection Module is
loaded on this object. Select the Version from the drop-down list, or click the Get button to
fetch the correct version number.
Licensing — Select the Licensing Type from the drop-down list.
External Interface — This field applies to Xylan only.
Define the interface that leads out to the Internet.

Embedded Device Properties — Topology tab


For complete topology configuration information, see “Interface Properties Window —
Topology tab” on page 134.
For both the Nokia IP5x and Xylan platforms, topology Interface Properties must be defined.
Otherwise, Install Policy will fail.

Interface Properties Window — General Tab


FIGURE 5-11 Interface Properties — General tab

Name — name of the network interface as specified in the interface configuration scheme of the
device

Warning - If you do not specify the exact interface name, anti-spoofing will not function
properly.

IP Address — the interface’s IP address


See “IP Address” on page 183.

Net Mask — Specify the interface’s net mask.

Interface Properties Window — Topology Tab


FIGURE 5-12 Interface Properties — Topology tab

External (leads out to the Internet) — Anti-spoofing will be enabled based on the interface
topology, and the security administrator must select one of the Spoof Tracking options as
defined in “Spoof Tracking” on page 163.
Internal (leads into the local network) — Anti-spoofing will be enabled based on the interface
topology, and the security administrator must select one of the Spoof Tracking options as
defined in “Spoof Tracking” on page 163, but only if This Network or Specific is selected.
IP Addresses behind Internal Interfaces:

Not Defined — IP addresses are not defined behind the internal interface and anti-spoofing is
not enabled.
Based on interface’s IP address and Net Mask — IP addresses are defined based on the IP
address and Net Mask of the interface.
Specific — Specifies a specific IP address behind internal interface from the drop-down menu.
For information regarding anti-spoofing configuration, see “Check Point window — Topology
Page” on page 186.
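
The three choices under IP Addresses behind Internal Interfaces decide which source addresses count as valid on each interface. The following added Python example (not Check Point code) models that decision for a gateway with one external and three internal interfaces. Interface names, addresses and the `behind` parameter are constructed assumptions; `spoof_log` stands in for the Spoof Tracking Log option, and an external interface is treated as valid for every address that is not defined behind an internal interface.

```python
"""Per-interface anti-spoofing check derived from Topology-tab settings."""
from ipaddress import ip_address, ip_network


class Interface:
    """One interface with its Topology-tab settings.

    external: the 'External (leads out to the Internet)' choice.
    behind:   None          -> 'Not Defined' (anti-spoofing not enabled here)
              "interface"   -> 'Based on interface's IP address and Net Mask'
              [cidr, ...]   -> 'Specific' (list of CIDR strings; constructed form)
    """

    def __init__(self, name, ip, prefix, external=False, behind=None):
        self.name = name
        self.network = ip_network(f"{ip}/{prefix}", strict=False)
        self.external = external
        self.behind = behind

    def valid_sources(self):
        """Networks allowed as source on this internal interface; None if not defined."""
        if self.behind is None:
            return None
        if self.behind == "interface":
            return [self.network]
        return [ip_network(n) for n in self.behind]


class Gateway:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        # Addresses defined behind internal interfaces are never valid sources on an
        # external interface; 'Not Defined' interfaces contribute nothing to this set.
        self.internal_nets = [n for i in interfaces if not i.external
                              for n in (i.valid_sources() or [])]
        self.spoof_log = []          # what Spoof Tracking: Log would record

    def check_source(self, ifname, src):
        """Return 'accept' or 'drop' for a packet with source src arriving on ifname."""
        iface = self.interfaces[ifname]
        addr = ip_address(src)
        if iface.external:
            spoofed = any(addr in n for n in self.internal_nets)
        else:
            valid = iface.valid_sources()
            if valid is None:
                return "accept"      # Not Defined: anti-spoofing is not enabled on it
            spoofed = not any(addr in n for n in valid)
        if spoofed:
            self.spoof_log.append(f"spoofed source {src} on interface {ifname}")
            return "drop"
        return "accept"


def demo_gateway():
    """Constructed topology: external eth0, three internal interfaces with each setting."""
    return Gateway([
        Interface("eth0", "203.0.113.1", 24, external=True),
        Interface("eth1", "10.1.0.1", 24, behind="interface"),
        Interface("eth2", "10.2.0.1", 24, behind=["10.2.0.0/24", "10.3.0.0/16"]),
        Interface("eth3", "10.9.0.1", 24, behind=None),
    ])


if __name__ == "__main__":
    gw = demo_gateway()
    for ifname, src in [("eth1", "10.1.0.55"), ("eth1", "10.2.0.55"),
                        ("eth0", "10.3.4.4"), ("eth0", "198.51.100.9"),
                        ("eth2", "10.3.200.1"), ("eth3", "192.0.2.77")]:
        print(ifname, src, gw.check_source(ifname, src))
    print(gw.spoof_log)
```

Note that eth3, left at Not Defined, accepts anything, and its own 10.9.0.0/24 is consequently also accepted as a source on the external interface; that is the gap the Warning above the General tab and the Note about Install Policy are guarding against.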

Embedded Device Properties — SNMP Tab


sysName — the device’s name


sysLocation — the device’s location


sysContact — the name of a contact person
Get — You can use this button to retrieve information about this device and display it in this
window.
Set — Set the device’s properties to those shown in this window.
Read Community — the community with read permission for this device
Write Community — the community with write permission for this device

Embedded Device Properties — NAT tab


For information on NAT configuration, see Chapter 2, “Network Address Translation (NAT),” of
Check Point FireWall-1 Guide.

Groups
You can simplify the Rule Base by defining a group of network objects and using the group in
rules. To create a new group, proceed as follows:
1 In the Network Objects window, click New.

2 From the menu, select Group.

3 From the sub menu, select the type of group to create.


There are three types of groups:
• Simple Group — see “Simple Group” on page 211
• Group with Exclusion — see “Group with Exclusion” on page 213
• UAS High Availability Group — see “UAS High Availability Group” on page 215

Simple Group
Add objects to a simple group using the Group Properties window (FIGURE 5-13 on
page 212).


FIGURE 5-13 Group Properties window

Adding an Object to a Simple Group


In the left listbox (labeled Not in Group), select the objects you wish to include in the group.
Use the Add button to add individual objects and to add groups to the group.

Note - To define a new object directly from this window, click New. A menu will be
displayed from which you can select the type of object to create. When you finish defining
the object, you will return to this window.

You add a group to another group in one of two ways:


1) You can individually add all the objects in one group to another group, without nesting.
Click Yes in reply to the question in the window (FIGURE 5-14).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click No in reply to the question in the window (FIGURE 5-14).
FIGURE 5-14 Adding a Group to a Group

If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group (FIGURE 5-15).


FIGURE 5-15 Viewing an Expanded Group

Deleting an Object from a Simple Group


Select the objects to be deleted from the right listbox (labeled In Group), and then click
Remove.

Group with Exclusion

Creating a Group with an Exclusion


Topology may be structured in such a manner that one network seems to be entirely within
another network. For example, in FIGURE 5-16 B is entirely contained within A. It is possible
to define a group that consists of all the objects in a network, except for certain objects, that is,
to define a group “A minus B”, where A and B are networks. This group can be used to define
encryption domains.
FIGURE 5-16 Group with exclusion (network B contained entirely within network A)

To create a Group with Exclusion object, proceed as follows:


1 Select Group with Exclusion from the Group Objects menu, (see “Networks” on page
202).
The Group with Exclusion window is displayed.
2 Define the outer group, as well as the inner group to be excluded.
FIGURE 5-17 Specifying a group with an exclusion

• the outer group (selected from the drop-down list) can be a group or ANY
• the inner group (selected from the drop-down list)

Viewing Groups with an Exclusion


Select View in the Group with an Exclusion window to display the contents of each selected
group within the Group with an Exclusion objects. For example, in FIGURE 5-18 group A_1
consists of Net and Net.
FIGURE 5-18 View Groups window

Showing Group with an Exclusion Objects in the SmartMap View


By selecting Show in the Group with an Exclusion window, you can display either of the
selected groups (see FIGURE 5-17) in the SmartMap View.
Objects shown in the SmartMap View are highlighted in red.


UAS High Availability Group


FIGURE 5-19 UAS High Availability Group window

Logical Servers
A Logical Server is a group of machines that provide the same services, and which are treated as
a group among whose members a workload is distributed.
FIGURE 5-20 Logical Server Properties window


Address Ranges

Address Range Properties Window — General Tab


An Address Range object is a range of IP Addresses.
Name — the Address Range’s name
First IP address — the first (low) IP address in the range
Last IP address — the last (high) IP address in the range
Comment — Enter a descriptive comment to be displayed when this Address Range is selected
in the Object list and in the Network Objects window.
Color — Select the color in which this Address Range will be displayed in the GUI.

Address Range Properties Window — NAT Tab


This window specifies the parameters for automatically generated NAT (Network Address
Translation) rules for the Address Range.
For information about automatically generated NAT rules, see “Generating Address Translation
Rules Automatically” on page 87 of Check Point FireWall-1 Guide.

Gateway Clusters
A gateway cluster is a group of VPN/FireWall Module machines configured to provide failover
services.
Gateway clusters are configured in the Gateway Cluster Properties window.
The VPN, Authentication, Masters and Log Servers pages of the Gateway Cluster Properties
window are identical to the corresponding pages in the Check Point Properties window. For
information on these pages, see “Network Objects” on page 180.
The General Properties, Cluster Members, Topology, ClusterXL and Synchronization pages
of the Gateway Cluster Properties window are used in enabling Gateway High Availability.
For information on these pages, see Chapter 5, “ClusterXL” of Check Point FireWall-1 Guide.
Gateway clusters can also be used in setting up extranets. For information about the Extranet
page of the Gateway Cluster Properties window, see Chapter 13, “Extranet Management” of
Check Point Virtual Private Networks.

Dynamic Objects
A dynamic object is a “logical” object that will be resolved to an IP address differently on each
VPN/FireWall Module. A rule that uses this object will then be enforced on each
VPN/FireWall Module on different objects.
For example, an enterprise with several mail servers, each one in a different network and
protected by a different VPN/FireWall Module, can define a dynamic object called
“local_mailserver” and write a rule that refers to this object.


On each VPN/FireWall Module, the system administrator must run the dynamic_objects
command (see “dynamic_objects” on page 585) to specify the IP address to which the
“local_mailserver” object will be resolved on that VPN/FireWall Module.
FIGURE 5-21 Dynamic Object window — General Tab

Name — the dynamic object’s name


Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.
Resolution Failure Tracking — Specify the action to be taken if the Module fails to resolve
the dynamic object.
None — No additional action is taken.
Log — The resolution failure is logged.
Alert — The action specified for popup alerts in the Alert Commands page of the Global
Properties window is taken (see Chapter 7, “Global Properties”).



CHAPTER 6

Services and Resources

In This Chapter

Defining Services page 220


TCP Service Properties page 221
Compound TCP Service Properties page 223
FTP Service (ftp-pasv and ftp-port) page 224
UDP Service Properties page 224
RPC Service Properties page 226
ICMP Service Properties page 228
User Defined (or “Other”) Service Properties page 228
DCE-RPC Service Properties page 230
Service Group Properties page 231
Resources page 232
URI Resources page 233
URI for QoS Definition window page 244
SMTP Resources page 245
FTP Resources page 250
TCP Resources page 252
CIFS Resources page 255


Services
VPN-1/FireWall-1 allows you to control access to a host, not only based on the source and
destination of each communication, but also according to the service requested. Services include
those based on TCP, UDP, RPC, and other protocols. Before you can use a service in a Rule
Base, you must first define its properties.

Note - For a list of services supported out-of-the-box by VPN-1/FireWall-1, see “List of
Supported TCP Services” on page 257.

Defining Services
Services are defined in the Services window. To define a service, choose Services from the
Manage menu.
The list box displays all currently defined services of the type in the Show box.
To view the properties defined for any existing service, double-click on its icon or name in the
list box, or select the service and click on Edit.

Creating a New Service


To create a new service, click on New. A menu appears, listing the types of services you can
create:
Choose a service type from the menu. A window appears prompting you to enter the properties
of the selected service type.

TABLE 6-1 Service Object Types

to create an object of type ...   see
TCP                               “TCP Service Properties”
Compound TCP                      “Compound TCP Service Properties”
UDP                               “UDP Service Properties”
RPC                               “RPC Service Properties”
ICMP                              “ICMP Service Properties”
Other                             “Other Service Properties”
DCE-RPC                           “DCE-RPC Service Properties”
Group                             “Group Service Properties”

Deleting a Service
Select the service in the Show box and click on Remove.


Modifying a Service
To modify an existing service, double-click on its icon or name in the list box, or select the
service and click on Edit.

Resources
FIGURE 6-1 depicts the relationship between services, protocol types and resources.
FIGURE 6-1 Services, Protocol Types and Resources
[Figure: pre-defined and user-defined services (FTP, HTTP etc.) each map to a protocol type;
the protocol type (SMTP, HTTP etc.) identifies the Security Server that provides Authentication
and/or Content Security for the service; user-defined resources are attached to a protocol type.]

TCP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Port — number of the destination port used to provide this service
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).


TABLE 6-2 Specifying a Port Number

to specify ...                                 type ...                                              example
a port number                                  the port number                                       805
a range of port numbers                        the lower and upper limits, separated by a hyphen     800-899
all port numbers greater than a given number   > followed by the largest port number not included   > 799
all port numbers smaller than a given number   < followed by the smallest port number not included  < 800

Get — provides port resolving by retrieving the port number on the SmartCenter Server
Click Advanced in the TCP Service Properties window to display the Advanced TCP Services
Properties window (FIGURE 6-2).
FIGURE 6-2 TCP Services Properties windows


Source port: — You can specify the port number(s) available on the client side of the service.
See TABLE 6-3.

TABLE 6-3 Specifying a Port Number - TCP

to specify ...                                 type ...                                              example
a port number                                  the port number                                       805
a range of port numbers                        the lower and upper limits, separated by a hyphen     800-899
all port numbers greater than a given number   > followed by the largest port number not included   > 799
all port numbers smaller than a given number   < followed by the smallest port number not included  < 800

If specified, only packets with those source port numbers will be Accepted, Dropped, or Rejected
when inspecting packets of this service. Otherwise, the source port number is not inspected.
Protocol Type — Specifies the protocol type associated with the service, and by implication, the
Security Server that enforces Content Security and Authentication for the service.
Enable for TCP resource — The TCP resource allows the screening of URLs using a UFP
Server. If enabled, the UFP Server can perform URL checking without using a security server.
For complete instructions, see “TCP Resources” on page 252.
Match for ‘Any’ — If there are two services using the same port number and a rule that
defines the SERVICE as ‘Any’, then Match for ‘Any’ enables the service defined in the TCP
Service Properties window to be the service associated with this rule.

Session Timeout — Specifies the number of seconds until the session times out. You must
either select the Default TCP time-out as defined in the Stateful Inspection page in the
Global Properties Setup window, or select Other and specify the number of seconds. For TCP
services, a session is defined by the TCP protocol.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.

Compound TCP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Port — the service’s port number

This is read only, as the port number is always 80.


Compound Service — Specifies the predefined service from the services drop-down list.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Compound services are not available in Security and Address Translation policies.

FTP Service (ftp-pasv and ftp-port)

TCP Service Properties — ftp-pasv


In addition, two other types of TCP service can be defined: ftp-pasv and ftp-port. Each defines
a TCP service that permits only one of the FTP PORT and PASV commands, so the Security
Administrator keeps control over passive FTP connections that pass through VPN-1/FireWall-1.
FTP ports and FTP service rules can be defined to allow only PASV commands while disallowing
PORT commands on a port/rule that is defined as ftp-pasv, as shown in FIGURE 6-2 on page 236.
The same is true for an FTP rule that is defined to allow only PORT commands.
For information on the Advanced button, see “Advanced UDP Services Properties window” on
page 225.

TCP Service Properties — ftp-port


For information on the Advanced button, see “Advanced UDP Services Properties window” on
page 225.

UDP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.


Port — number of the destination port used to provide this service

TABLE 6-4 Specifying a Port Number - UDP

to specify ...                                 type ...                                              example
a port number                                  the port number                                       805
a range of port numbers                        the lower and upper limits, separated by a hyphen     800-899
all port numbers greater than a given number   > followed by the largest port number not included   > 799
all port numbers smaller than a given number   < followed by the smallest port number not included  < 800

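TABLE 6-2, TABLE 6-3 and TABLE 6-4 all use the same four forms for a port specification. The following added Python example (not Check Point code) parses those forms into a match predicate and applies the rule stated after TABLE 6-3 that an unspecified Source port is not inspected. The port values used in the usage are constructed.

```python
"""Parser and matcher for the port specification syntax of TABLE 6-2/6-3/6-4."""
import re
from typing import Callable, Iterable, List, Optional

_SINGLE = re.compile(r"^\s*(\d+)\s*$")              # 805
_RANGE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")   # 800-899
_BOUND = re.compile(r"^\s*([<>])\s*(\d+)\s*$")      # > 799 or < 800


def _port(text: str) -> int:
    """Convert a port token, rejecting anything outside 0-65535."""
    n = int(text)
    if not 0 <= n <= 65535:
        raise ValueError(f"port out of range: {n}")
    return n


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Translate one table entry into a predicate over a port number."""
    m = _SINGLE.match(spec)
    if m:
        wanted = _port(m.group(1))
        return lambda port: port == wanted
    m = _RANGE.match(spec)
    if m:
        lo, hi = _port(m.group(1)), _port(m.group(2))
        if lo > hi:
            raise ValueError(f"empty range: {spec!r}")
        return lambda port: lo <= port <= hi
    m = _BOUND.match(spec)
    if m:
        bound = _port(m.group(2))
        # As the table says, the number written after > or < is itself not included.
        if m.group(1) == ">":
            return lambda port: port > bound
        return lambda port: port < bound
    raise ValueError(f"unrecognised port specification: {spec!r}")


def match_service(port_spec: str, dport: int,
                  source_spec: Optional[str] = None, sport: Optional[int] = None) -> bool:
    """Match a packet against a service's Port field and its optional Source port field.
    When no Source port is specified, the source port is not inspected at all."""
    if not parse_port_spec(port_spec)(dport):
        return False
    if source_spec is None:
        return True
    return parse_port_spec(source_spec)(sport)


def describe(spec: str, candidates: Iterable[int]) -> List[int]:
    """Return the candidate ports a specification accepts; useful to sanity-check a definition."""
    accept = parse_port_spec(spec)
    return [p for p in candidates if accept(p)]


if __name__ == "__main__":
    for spec in ("805", "800-899", "> 799", "< 800"):
        print(f"{spec:8s} accepts {describe(spec, [798, 799, 800, 805, 899, 900])}")
    # service on port 80 that only accepts clients using an unprivileged source port
    print(match_service("80", 80, "> 1023", 40000), match_service("80", 80, "> 1023", 80))
```

The source-port form is the one worth double-checking in a definition: `> 1023` rejects a client that connects from port 80 even though the destination port matches, while leaving Source port empty accepts it.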
Get — Provide port resolving by retrieving the port number on the SmartCenter Server.
For example, if the designated service is CU-SeeMe, then clicking the Get button will
retrieve the port number on the SmartCenter Server.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

Click Advanced to display the Advanced UDP Service Properties window (FIGURE 6-3).
FIGURE 6-3 Advanced UDP Services Properties window


Source Port — You can specify the port number(s) available on the client side of the service.
See TABLE 6-4.
Protocol Type — Specifies the protocol type associated with the service.
Accept Replies — Specifies if UDP replies are to be accepted.
To specify that no UDP replies will be accepted, that is, to define a “one-way” UDP service,
uncheck Accept Replies.
If Accept Replies is checked, then Accept UDP Replies from any port specifies from which
ports to accept UDP replies.
Accept Replies from any port — If checked, UDP replies will be accepted from any port.
Otherwise, UDP replies will be accepted only from the port to which the original
communication was sent.

For example, the TFTP service (UDP) starts with the client connecting to port 69 on the
server, which replies to the client from a random port. From that point on, the client
communicates with the same random port on the server. So, Accept UDP Replies from any
port must be enabled for TFTP.
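
The TFTP behaviour just described, as an added Python model (not Check Point code): a minimal UDP state table that implements the Accept Replies and Accept Replies from any port settings for one service. Addresses and port numbers are constructed, and the table only tracks the 4-tuple, ignoring timeouts.

```python
"""Stateful UDP reply matching with and without 'Accept Replies from any port'."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class UdpService:
    port: int
    accept_replies: bool = True           # 'Accept Replies'
    replies_from_any_port: bool = False   # 'Accept Replies from any port'


class UdpStateTable:
    """Tracks sessions of one UDP service the way the two checkboxes describe."""

    def __init__(self, service: UdpService):
        self.service = service
        self.sessions = set()   # (client, client port, server, server port contacted)

    def inspect(self, d: Datagram) -> str:
        key = (d.src, d.sport, d.dst, d.dport)
        if d.dport == self.service.port:            # request to the service port opens a session
            self.sessions.add(key)
            return "accept"
        if key in self.sessions:                     # client continuing on a learned server port
            return "accept"
        if not self.service.accept_replies:          # one-way service: nothing may come back
            return "drop"
        for client, cport, server, contacted in list(self.sessions):
            if (d.dst, d.dport, d.src) == (client, cport, server):
                if d.sport == contacted:             # reply from the port the client contacted
                    return "accept"
                if self.service.replies_from_any_port:
                    # TFTP-style: the server answered from a fresh port; learn it so the
                    # client's follow-up datagrams to that port match as well.
                    self.sessions.add((client, cport, server, d.sport))
                    return "accept"
        return "drop"


# Constructed TFTP exchange: request to port 69, reply from a random server port,
# then the client's next datagram to that random port.
TFTP_REQUEST = Datagram("10.0.0.5", 40000, "10.0.0.9", 69)
TFTP_REPLY = Datagram("10.0.0.9", 51234, "10.0.0.5", 40000)
TFTP_ACK = Datagram("10.0.0.5", 40000, "10.0.0.9", 51234)


def run_exchange(service: UdpService, datagrams) -> list:
    """Return the verdict for each datagram in order, using a fresh state table."""
    table = UdpStateTable(service)
    return [table.inspect(d) for d in datagrams]


if __name__ == "__main__":
    tftp = [TFTP_REQUEST, TFTP_REPLY, TFTP_ACK]
    print("any port:", run_exchange(UdpService(69, replies_from_any_port=True), tftp))
    print("strict:  ", run_exchange(UdpService(69), tftp))
```

With the strict setting the server's reply from port 51234 is dropped, and so is every later datagram of the transfer; with the any-port setting the reply is accepted and the new server port is learned. Note that an unsolicited datagram from port 69 is dropped either way, because no session was opened by a client.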

Note - Accept Replies and Accept UDP Replies from any port correspond to Accept
stateful UDP replies for unknown services and Accept stateful UDP replies from
any port for unknown services in the Stateful Inspection page of the Global
Properties window (on page 287). The properties in the Stateful Inspection page of
the Global Properties window apply to UDP services that are not defined in the Check
Point Services Manager.

Match for ‘Any’ — If there are two services using the same port number and a rule that
defines the SERVICE as ‘Any’, then Match for ‘Any’ enables the service defined in the UDP
Service Properties window to be the service associated with this rule.

Virtual Session Timeout — Specifies the number of seconds until the session times out. You
must either select the Default time-out, which is defined in Global Properties, or select Other
to override the default time-out.
For UDP services, “session” is defined by VPN-1/FireWall-1, not the protocol itself. This is
why it is called Virtual Session Timeout.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.

RPC Service Properties


RPC-based services do not use pre-defined port numbers, but program numbers instead. An
RPC “connection” is structured as follows:


1 The client issues a portmapper query to the server (on port 111), asking for the port
number associated with the program.
If the query is UDP, VPN-1/FireWall-1 examines the program number, and allows only
those programs allowed by the Security Policy (in the Services column).
If the query is TCP, VPN-1/FireWall-1 drops the query, unless TCP on port 111 is
explicitly allowed by the Security Policy.

Warning - Allowing TCP on port 111 is considered insecure, because the client can then
run any available RPC program through this port.

2 The server (portmapper) replies with the port number.


VPN-1/FireWall-1 monitors the reply and opens only the specified port for the RPC
traffic.
3 The client connects to that port and the RPC “connection” continues.

Example
Suppose the Security Policy allows RPC as follows:

TABLE 6-5

Source       Destination   Service   Action
RPC_Client   RPC_Server    nfsprog   Accept

• If RPC_Client issues a portmapper query on TCP port 111, VPN-1/FireWall-1 drops the
query packet.
• If RPC_Client issues a portmapper query on UDP port 111, VPN-1/FireWall-1 allows the
query only if the program number is 100003, as specified in the RPC Service Properties
window for the nfsprog service. Moreover, VPN-1/FireWall-1 monitors the reply and then
allows the nfsprog service only on the port specified in the reply.
• If RPC_Client does not issue a portmapper query, but proceeds to directly communicate on
the nfsprog port (100003, as specified in the RPC Service Properties window for the
nfsprog service), VPN-1/FireWall-1 queries portmapper and allows the connection only if
the port number (in the portmapper reply) is also 100003.
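
Here is an added Python model (not Check Point code) of the three bullets above. RPC_Client, RPC_Server, nfsprog and program number 100003 are as in the text; the port 2049 in the constructed portmapper table, the inspector's method names and the `allow_tcp_111` switch are assumptions made for the example.

```python
"""Model of the RPC handling: portmapper query, monitored reply, follow-up connection."""

PORTMAPPER_PORT = 111
NFS_PROG = 100003          # program number of nfsprog, as in the text

# Constructed stand-in for the server's portmapper registrations.
PORTMAP_TABLE = {("RPC_Server", NFS_PROG): 2049}


def portmapper_lookup(server, program):
    """The firewall's own portmapper query (third bullet); None if the program is unknown."""
    return PORTMAP_TABLE.get((server, program))


class RpcInspector:
    def __init__(self, rules, allow_tcp_111=False, lookup=portmapper_lookup):
        self.rules = set(rules)     # (source, destination, program) tuples the policy accepts
        self.allow_tcp_111 = allow_tcp_111
        self.lookup = lookup
        self.pending = {}           # (client, server) -> program awaiting a portmapper reply
        self.opened = {}            # (client, server, program) -> port opened for RPC traffic

    def portmapper_query(self, client, server, proto, program):
        """Step 1: the client asks portmapper (port 111) for the program's port."""
        if proto == "tcp":
            # TCP queries are dropped unless TCP on port 111 is explicitly allowed.
            return "accept" if self.allow_tcp_111 else "drop"
        if (client, server, program) not in self.rules:
            return "drop"           # program not allowed in the Services column
        self.pending[(client, server)] = program
        return "accept"

    def portmapper_reply(self, server, client, port):
        """Step 2: portmapper answers; only the port it names is opened."""
        program = self.pending.pop((client, server), None)
        if program is None:
            return "drop"           # no query was let through, so no reply is expected
        self.opened[(client, server, program)] = port
        return "accept"

    def rpc_connection(self, client, server, port, program):
        """Step 3: the client connects to the program's port."""
        key = (client, server, program)
        if key not in self.rules:
            return "drop"
        expected = self.opened.get(key)
        if expected is None:
            # No portmapper exchange was seen: the firewall asks portmapper itself and
            # allows the connection only if the port in use is the one it reports.
            expected = self.lookup(server, program)
            if expected is None:
                return "drop"
            self.opened[key] = expected
        return "accept" if port == expected else "drop"


if __name__ == "__main__":
    rules = {("RPC_Client", "RPC_Server", NFS_PROG)}
    fw = RpcInspector(rules)
    print("tcp query   ", fw.portmapper_query("RPC_Client", "RPC_Server", "tcp", NFS_PROG))
    print("udp query   ", fw.portmapper_query("RPC_Client", "RPC_Server", "udp", NFS_PROG))
    print("reply       ", fw.portmapper_reply("RPC_Server", "RPC_Client", 2049))
    print("connect 2049", fw.rpc_connection("RPC_Client", "RPC_Server", 2049, NFS_PROG))
    print("connect 2050", fw.rpc_connection("RPC_Client", "RPC_Server", 2050, NFS_PROG))
```

The model makes the Warning above visible: with `allow_tcp_111=True` every TCP query passes regardless of the program number, whereas the UDP path only ever opens the single port that portmapper reported for an allowed program.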
Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Program Number — number of the RPC program to be accessed


Get — For standard services, you can retrieve the program number from the RPC database.
Protocol Type — Specifies the protocol type associated with the service.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

ICMP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Type — Enter the ICMP type number which determines whether the packet belongs to this
service. The file tcpip.def lists some predefined components that can be used in expressions.
Code — Enter the ICMP code number which determines whether the packet belongs to this
service. The file tcpip.def lists some predefined components that can be used in expressions.
For an example of how to use the Code field, see “User-Defined Service Properties Example”
on page 230.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

User Defined (or “Other”) Service Properties


The User Defined Service Properties window allows you to create a service other than TCP,
UDP, ICMP or RPC.
Name — the service’s name
Comment — descriptive text

This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
IP Protocol — Specify the IP protocol number associated with the service (for example, 17 for
TCP, 6 for UDP).
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

Click Advanced to display the Advanced Other Service Properties window.


Match — Enter the INSPECT code string which determines whether the packet belongs to this
service (for example, dport = telnet). The expression must be consistent with the IP protocol
number defined in the User Defined Service Properties window.
The file tcpip.def lists some predefined components that can be used in expressions.
Protocol Type — Specifies the protocol type associated with the service.
Accept Replies — Specifies if Other Service replies are to be accepted.
Note - Accept Replies corresponds to Accept stateful Other IP Protocol replies for
unknown services in the Stateful Inspection page of the Global Properties window (see
page 287). The property in the Stateful Inspection page of the Global Properties
window applies to Other services that are not defined in the Check Point Services
Manager.

To specify that no Other Service replies will be accepted, that is, to define a “one-way” Other
Service, uncheck Accept Replies.
Virtual Session Timeout — specifies the number of seconds until the session times out. You
must either select the Default time-out or select Other to define the number of seconds.
For all User Defined Service protocols, “session” is defined by the VPN/FireWall software, not
by the protocol itself. This is the reason why it is designated as a “virtual session time-out”.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.

User-Defined Service Properties Example


If you wish to define a user-defined service, you must enter INSPECT code in the Match field,
so you must have at least a basic familiarity with INSPECT. For information about INSPECT,
see the SecureKnowledge database at
http://support.checkpoint.com/kb/.
Suppose IP Protocol has a value of 17 (UDP protocol) and the Match field has the following
value:

uh_dport > 33000, ip_ttl < 30

To understand the meaning of the Match field, consider the relevant definitions in
$FWDIR/lib/base.def:

TABLE 6-6 Definitions in $FWDIR/lib/base.def

Name        Definition      Meaning
uh_dport    [22 : 2, b]     the UDP destination port
ip_ttl      [8 : 1]         IP Time To Live

Since the comma operand in INSPECT means “and”, the meaning of Match is:
• the destination port is greater than 33000, AND
• the packet’s time to live is less than 30

Suppose you wish to pass IP protocol number 53, similar to ospf, egp, and bgp. Then define a
user-defined service whose IP Protocol is 53.
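To make the Match evaluation above concrete, here is an added Python example (not Check Point code and not INSPECT) that reads the two base.def fields quoted in TABLE 6-6 from a constructed IPv4/UDP packet and applies the comma-as-AND rule. It assumes a 20-byte IPv4 header with no options followed by UDP, and an ip_p field at offset 9 holding the IP protocol number.

```python
"""Evaluate a User Defined Service Match string against a raw packet.

Added example (not Check Point code): it models the base.def definitions
uh_dport = [22 : 2, b] and ip_ttl = [8 : 1] as (offset, length) pairs read
big-endian from the packet, and applies the Match string
"uh_dport > 33000, ip_ttl < 30" where the comma means AND.
Assumptions: an IPv4 header without options (20 bytes) followed by UDP,
and an ip_p field at offset 9 for the IP protocol number.
"""
import operator
import struct

# Field name -> (offset, length), in the spirit of base.def's [off : len]
FIELDS = {
    "ip_ttl": (8, 1),     # IP Time To Live
    "ip_p": (9, 1),       # IP protocol number (assumed name)
    "uh_sport": (20, 2),  # UDP source port (assumed name)
    "uh_dport": (22, 2),  # UDP destination port
}

OPS = {
    ">": operator.gt, "<": operator.lt, "=": operator.eq,
    ">=": operator.ge, "<=": operator.le,
}


def field(packet, name):
    """Read the named field from the packet as an unsigned integer."""
    offset, length = FIELDS[name]
    if offset + length > len(packet):
        raise ValueError("packet too short for %s" % name)
    return int.from_bytes(packet[offset:offset + length], "big")


def parse_match(expr):
    """Split 'uh_dport > 33000, ip_ttl < 30' into (field, op, value) clauses."""
    clauses = []
    for clause in expr.split(","):
        tokens = clause.split()
        if len(tokens) != 3 or tokens[0] not in FIELDS or tokens[1] not in OPS:
            raise ValueError("unsupported clause: %r" % clause)
        clauses.append((tokens[0], tokens[1], int(tokens[2])))
    return clauses


def service_matches(packet, ip_protocol, match):
    """True if the packet carries the service's IP Protocol and every
    comma-separated clause of the Match string holds (comma = AND)."""
    if field(packet, "ip_p") != ip_protocol:
        return False
    return all(OPS[op](field(packet, name), value)
               for name, op, value in parse_match(match))


def build_udp_packet(ttl, sport, dport):
    """Constructed sample: minimal IPv4 header (no options) + UDP header."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, ttl, 17, 0,          # 17 = UDP
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    udp_header = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip_header + udp_header


MATCH = "uh_dport > 33000, ip_ttl < 30"

if __name__ == "__main__":
    for ttl, dport in ((20, 40000), (64, 40000), (20, 53)):
        pkt = build_udp_packet(ttl, 1234, dport)
        print("ttl=%d dport=%d -> %s" % (ttl, dport, service_matches(pkt, 17, MATCH)))
```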

DCE-RPC Service Properties


VPN-1/FireWall-1 dynamically and transparently tracks DCE-RPC port numbers using the port
mappers in the system. The application information is extracted from the packet in order to
identify the program used. A cache is maintained, mapping DCE-RPC program numbers to
their associated port numbers in a fashion similar to that described for RPC. The following
fields may be defined:
Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
The service’s icon will be represented by this color in the SmartMap.
Interface UUID — identifies the Universal Unique Identifier (UUID) to which the requested
service belongs
An interface is a set of remotely callable operations offered by a server and invokable by clients.
Protocol Type — specifies the protocol type associated with the service.

Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

Service Group Properties


If you choose Group, the Group Properties window is displayed.
Name — the group’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this group is selected.
Color — the color of the user’s icon
Select the desired color from the drop-down list.

Adding a Service to a Group


In the left list box (labeled Not in Group), select the users or groups you wish to include in the
group and click on Add.

Note - To define a new service directly from this window, click New. A menu will be
displayed from which you can select the type of service to create. When you finish defining
the service, you will return to this window.

You can add a group to another group in one of two ways:


1) You can individually add all the users in one group to another group, without nesting. Click
on Yes in reply to the question in the window (FIGURE 6-4).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.
FIGURE 6-4 Adding a Group to a Group

Deleting a Service from a Group


Select the service to be removed from the right list box (labeled In Group), and then click on
Remove.

Resources

Overview
Content Security is enabled by a VPN-1/FireWall-1 object of type Resource. A
VPN-1/FireWall-1 Resource specification defines a set of entities which can be accessed by a
specific protocol. You can define a VPN-1/FireWall-1 Resource based on HTTP, FTP and
SMTP.
VPN-1/FireWall-1 provides content security for HTTP, FTP and SMTP connections, using the
VPN-1/FireWall-1 Security Servers. For each connection established through the
VPN-1/FireWall-1 Security Servers, the Security Administrator is able to control specific access
according to fields that belong to the specific service: URLs, file names, FTP PUT/GET
commands, type of requests and more.
For detailed information about VPN-1/FireWall-1’s Content Security feature, see Chapter 4,
“Security Servers and Content Security” in the book Check Point FireWall-1 Guide.

Resource Windows
You can define resources and groups of resources in the Resources window.
To display the Resources window,
• select Resources from the Manage menu, or

Creating a New Resource


To create a new resource, click on New. A menu is displayed, from which you must select the
type of resource you wish to create.

TABLE 6-7 Resource Types

to create a resource of type...    see...
URI                                “URI Resources” on page 247
URI for QoS                        “URI for QoS Definition window” on page 244
SMTP                               “SMTP Resources” on page 259
FTP                                “FTP Resources” on page 267
TCP                                “Resource Groups” on page 270

Modifying a Resource
To modify an existing resource, select it in the Resources window and click on Edit.

Deleting a Resource
To delete an existing resource, select it in the Resources window and click on Remove.

Wild Cards
You can use the following wild card characters when entering data in many of the fields in the
Resource Definition windows.

TABLE 6-8 Wild Card Usage

* — matches any string of any length.
  *@elvis.com matches lisa@elvis.com and priscilla@elvis.com.
  lisa*@elvis.com matches lisamarie@elvis.com and lisa@elvis.com.
  For file names, /elvis/*/*.c matches /elvis/marie/*.c and /elvis/lisa/*.c.
+ — matches any single character.
  mar+@elvis.com matches mary@elvis.com but not marie@elvis.com.
  For file names, /elvis/mar+/*.c matches /elvis/mary/*.c and /elvis/mark/*.c, but not
  /elvis/marie/*.c.
& (SMTP only) — used only in the translated part of a pair, and means use whatever text
  matched the wild card characters (*,+) in the untranslated part of the pair.
  If the untranslated part is *@elvis.com and the translated part is &@buddy.com, then
  jerrylee@elvis.com becomes jerrylee@buddy.com.
{,} — matches any of the listed characters.
  {a,b,c} matches a or b or c.
  lisamarie@{elvis,michael}.com matches lisamarie@elvis.com and lisamarie@michael.com.

URI Resources
A URI is a Uniform Resource Identifier, of which the familiar URL (Uniform Resource
Locator) is a specific case. URI Resources can define schemes (HTTP, FTP, GOPHER, etc.),
methods, (GET, POST, etc.), hosts (for example “*.com”), paths and queries. In addition, the
Security Administrator can define how to handle responses to allowed resources.

URI Definition window — General tab


The General tab of the URI Definition window specifies the basic parameters of a URI
resource.
Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Use this resource to:

Select one of the following functions of the URI resource you are defining.
Optimize URL logging — if selected, the URI resource will be used for URL logging. The
URL will be logged for HTTP connections and all other fields and tabs of the URI resource
will be disabled. Once the property is selected, the URI resource must then be added to the
Rule Base. The Security Policy is enforced when URL logging is integrated with UFP
caching. URL logging uses Check Point’s TCP streaming technology, which enables the
VPN/FireWall Module to take over some of the Security Servers’ function.
Enforce URI capabilities — If selected, the URI resource will enable all other functionality
of the URI resource, e.g. CVP checking. All basic parameters, defining schemes, hosts, paths
and methods, will apply and the URL is checked by a security server.
Enforce URL Blocking — If selected, the URI resource will be used to check and (if necessary)
drop URL requests containing patterns that match the signature of the Code Red virus. This
capability is integral to the VPN-1/FireWall-1 kernel, and does not require a Security Server.
However, a Security Server will give better protection against this kind of threat.
When selected all selection options and tabs in this window become unavailable.
To obtain protection against viruses other than Code Red, it is possible to edit the :url
filtering section of the FireWall-1 objects database using the dbedit utility. When a new
virus appears, Check Point will give detailed instructions on countering it.
Connection Methods — check any combination of the following:
• Transparent — match all connections that are not in proxy mode.
This option is relevant only if a proxy to the Web browser is not defined.
• Proxy — match connections in proxy mode.
This option is relevant only if a proxy to the Web browser is defined.
• Tunneling — match connections using the HTTP “CONNECT” method.
This option is relevant only if the HTTP Security Server is defined as the proxy to the Web
browser.

The CONNECT method only specifies the hostname and port number to connect to. When
Tunneling is specified, FireWall-1 does not examine the content of the request, not even the
URL — only the hostname and port number are checked. Therefore, if Tunneling is
specified, all Content Security options in the URI specification are disabled.
Exception Track — This option determines if an action specified in the Action tab (FIGURE
6-8 on page 242) that is taken as a result of a resource definition is to be logged.
For example, if the user attempts to use an unsupported scheme or method, then the tracking
specified here is performed.
Select one of the following:
• None — no logging or alerting
• Log — log the event
• Alert — issue an alert

URI Match Specification Type — Select one of the following:


• Wild Cards —The URIs are described on the Match tab of the Resource window.
Under this method, many URIs are described by a single wild card. For example, the wild
card www.elvis* describes a large number of URIs. The URIs will be allowed or disallowed,
depending on the Action in the rule that uses the resource.
• File — The URIs are listed by name in the file specified in the Match tab of the Resource
window.
Under this method, each URI is individually listed in the given file. The URIs will be allowed
or disallowed, depending on the Action in the rule that uses the resource.
• UFP — A list of URIs in selected categories is provided by the server specified in the Match
tab of the Resource window.
For more information on UFP, see “OPSEC Applications” in the “Security Servers and
OPSEC Applications” chapter.

URI Definition window — Match tab (wild cards specification)


The Match tab of the URI Definition window (wild cards specification) specifies the parameters
defining a Wild Card URI resource (see “URI Definition window — General tab” on page
234).
Schemes — the URI schemes to which this VPN-1/FireWall-1 resource applies
Select one or more of the following:
• http — Hypertext Transfer Protocol
• ftp — File Transfer Protocol
• gopher — Gopher
• mailto — SMTP
• news — NNTP
• wais — Wide Area Information Service

• Other — Specify another scheme here. You may use wild card characters in the
specification (see “Wild Cards” on page 233).
This field is relevant only when the HTTP Security Server is defined as a proxy to the
browser.
Methods — the HTTP method, as defined in the Hypertext Transfer Protocol. A brief
explanation of each of these methods is given here.
Select one or more of the following:
GET — The GET method means retrieve whatever information (in the form of an entity) is
identified by the URI. If the URI refers to a data-producing process, it is the produced data
which is returned as the entity in the response and not the source text of the process, unless
that text happens to be the output of the process.
POST — The POST method is used to request that the destination server accept the entity
enclosed in the request as a new subordinate of the resource identified by the URI in the
Request-Line. POST is usually used to provide a block of data, such as the result of
submitting a form, to a data-handling process. The actual function performed by the POST
method is determined by the server and is usually dependent on the URI.
HEAD — The HEAD method is identical to GET except that the server does not return
any Entity-Body in the response. This method is often used for testing hypertext links for
validity, accessibility, and recent modification.
PUT — The PUT method requests that the enclosed entity be stored under the supplied
URI.
Other — Enter one of the following:
* — If you type *, this means all of the following: GET, POST, HEAD and PUT.

OPTIONS — The OPTIONS method represents a request for information about the
communication options available on the request/response chain identified by the URI.
This method allows the client to determine the options and/or requirements associated
with a resource, or the capabilities of a server, without implying a resource action or
initiating a resource retrieval.
PATCH — The PATCH method is similar to PUT except that the entity contains a list of
differences between the original version of the resource identified by the URI and the
desired content of the resource after the PATCH action has been applied.
COPY — The COPY method requests that the resource identified by the URI be copied
to the location(s) given in the request’s URI header field.
DELETE — The DELETE method requests that the origin server delete the resource
identified by the URI.

MOVE — The MOVE method requests that the resource identified by the URI be moved
to the location(s) given in the request’s URI header field. This method is equivalent to a
COPY immediately followed by a DELETE, but enables both to occur within a single
transaction.
LINK — The LINK method establishes one or more Link relationships between the
existing resource identified by the URI and other existing resources.
UNLINK — The UNLINK method removes one or more Link relationships from the
existing resource identified by the URI. These relationships may have been established
using the LINK method or by any other method supporting the Link header.
TRACE — The TRACE method requests that the server identified by the URI reflect
whatever is received back to the client as the entity body of the response. In this way, the
client can see what is being received at the other end of the request chain, and may use
this data for testing or diagnostic information.
Other — Specify another method here. You may use wild card characters in the
specification (see “Wild Cards” on page 233).
Host — the URI’s host name
You may use wild card characters in specifying the host name (see “Wild Cards” on page 233).
Functionality is dependent on the DNS setup of the addressed server.
The following restrictions apply when using wildcard characters in URI Host names:
1 Only the IP address or the full DNS name should be used.
(For example: 191.81.23.* or server.{paris,london}.com, but not {paris,london})

2 For expressions using a host name and port number, the port number must be
explicitly specified.
For example, the expression paris* matches requests on any port. It is recommended to
restrict requests to a known HTTP server (for example, *.paris:80, or paris:80).
Path — the URI’s path name
You may use wild card characters in specifying the path name (see “Wild Cards” on page 233).
Path name matching is based on appending the file name in the request to the current working
directory (unless the file name is already a full path name) and comparing the result to the path
specified in the Resource definition.
The file path name must include the directory separator character /. For example, the request
“/myfile” is matched to “/<current directory>/myfile”. If the Resource path name specifies
only “myfile”, then the request will not be matched.
Path includes the file name (which can include wildcard characters). For example
• “/boys/bigboy/*” includes all the files in the /boys/bigboy/ directory.
• “/boys/bigboy/” does not include any of the files in the /boys/bigboy/ directory.

• If /boys/bigboy were a file, it would be included in “/boys/bigboy/”.


When using wildcard characters, you must also specify either the full path name, or use the
directory separator in the wildcard expression. For example, the path name “*/myfile” will
match “myfile” in all possible directories.
Note - Sometimes, the HTTP Security Server sees IP addresses instead of host names. In
this case, the HTTP Security Server will attempt to reverse resolve the IP address to a host
name, using reverse DNS. If the reverse DNS does not resolve correctly, the URI Resource
will not match.

Query — the text following the ? symbol, if any


These are the parameters that are sent to the URI when it is accessed. You may use wild card
characters in specifying the query text (see “Wild Cards” on page 233).

Example

For the URI shown in FIGURE 6-5, the components are listed in TABLE 6-9.
FIGURE 6-5 URI components

http://www.elvis.com/alive/qc.html?seenon=Mars
(The figure labels www.elvis.com as the host, /alive/qc.html as the path and seenon=Mars as the
query.)

TABLE 6-9 URI components and values

component    value
host         www.elvis.com
path         /alive/qc.html
query        seenon=Mars

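The following added Python example (not Check Point code) serves two passages: the wild card characters of TABLE 6-8, including the SMTP-only & translation, and the host/path/query split of FIGURE 6-5 with the path-matching rule described under Path. Treating {,} alternatives as whole words follows the manual's own lisamarie@{elvis,michael}.com example; the regular-expression engine and the resource dictionary format are assumptions of this example.

```python
"""Resource wild cards (TABLE 6-8) applied to SMTP addresses, file names
and the URI components of FIGURE 6-5 / TABLE 6-9.

Added example, not Check Point code.  Each wild card pattern is
translated to an anchored regular expression: * matches any string,
+ any single character, {a,b,c} any of the listed alternatives, and,
for SMTP address pairs only, & in the translated part stands for the
text that * or + matched in the untranslated part.
"""
import re
from urllib.parse import urlsplit


def wildcard_to_regex(pattern):
    """Compile a Resource wild card pattern; * and + become capture
    groups so that smtp_translate() can reuse what they matched."""
    parts, i = ["^"], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append("(.*)")
        elif c == "+":
            parts.append("(.)")
        elif c == "{":
            close = pattern.index("}", i)          # ValueError if unbalanced
            alts = pattern[i + 1:close].split(",")
            parts.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = close
        else:
            parts.append(re.escape(c))
        i += 1
    parts.append("$")
    return re.compile("".join(parts))


def wildcard_match(pattern, text):
    return wildcard_to_regex(pattern).match(text) is not None


def smtp_translate(untranslated, translated, address):
    """Rewrite an address with an SMTP (untranslated, translated) pair;
    returns None when the untranslated pattern does not match."""
    m = wildcard_to_regex(untranslated).match(address)
    if m is None:
        return None
    captured = "".join(m.groups())       # text matched by * and +
    return translated.replace("&", captured)


def full_path(request_path, cwd="/"):
    """A request file name that is not already a full path is appended to
    the current working directory before matching, as the manual
    describes; the resource path must therefore contain the / separator."""
    if request_path.startswith("/"):
        return request_path
    return cwd.rstrip("/") + "/" + request_path


def uri_components(uri):
    """host, path and query of a URI, as in TABLE 6-9."""
    split = urlsplit(uri)
    return {"host": split.netloc, "path": split.path, "query": split.query}


def uri_resource_matches(resource, uri, cwd="/"):
    """resource maps any of host/path/query to a wild card pattern
    (assumed format); a component that is not listed is not checked."""
    comps = uri_components(uri)
    comps["path"] = full_path(comps["path"], cwd)
    return all(wildcard_match(pattern, comps[key])
               for key, pattern in resource.items())


SAMPLE_URI = "http://www.elvis.com/alive/qc.html?seenon=Mars"   # FIGURE 6-5

if __name__ == "__main__":
    print(uri_components(SAMPLE_URI))
    print(smtp_translate("*@elvis.com", "&@buddy.com", "jerrylee@elvis.com"))
```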
When Schemes Are Applied


The schemes checked in the Schemes field in the Match tab of the URI Definition window are
not always applied.
FIGURE 6-6 shows three different ways that an HTTP browser can connect to the Internet
through a VPN/FireWall Module.

FIGURE 6-6 HTTP Browser connecting through FireWalled Gateway

(The figure shows an HTTP user’s browser reaching the Internet through the Gateway in three
ways: by a direct connection; by a connection folded into the HTTP Security Server by
Transparent Authentication; and by a connection in which the FireWall-1 HTTP Security Server
is the browser’s proxy.)

TABLE 6-10 When Schemes Are Applied

Connection type: directly, without the VPN-1/FireWall-1 HTTP Security Server
Schemes applied: none
Comments: The schemes are not applied because the connection is not mediated by the
VPN-1/FireWall-1 HTTP Security Server.

Connection type: through the VPN-1/FireWall-1 HTTP Security Server, when the
VPN-1/FireWall-1 HTTP Security Server is defined as the Proxy to the browser
Schemes applied: all checked schemes
Comments: The schemes are applied because the connection is mediated by the
VPN-1/FireWall-1 HTTP Security Server.

Connection type: through the VPN-1/FireWall-1 HTTP Security Server, when the
VPN-1/FireWall-1 HTTP Security Server is not defined as the Proxy to the browser, but the
connection is folded into the VPN-1/FireWall-1 HTTP Security Server by the Transparent
Authentication feature
Schemes applied: HTTP only
Comments: The schemes are applied because the connection is mediated by the
VPN-1/FireWall-1 HTTP Security Server.

URI Definition window — Match tab (file specification)


The Match tab of the URI Definition window (file specification) specifies additional parameters
defining a URI resource.
Click on Import to import a URI Specification file (a list of URIs to which access will be
denied or allowed, depending on the Action in the rule).
You will be asked to specify the file name.
Click on Export to export a previously imported URI Specification file.

You will be asked to specify a file name under which the file will be saved.

URI Specification File Format

A URI Specification file is an ASCII file of records separated by \n, where each record consists
of three fields, as described in TABLE 6-11. There should be no white space between the
category and the \n. The last line in the file must also end in \n.

TABLE 6-11 URI Specification File Format

IP address — the URI’s IP address. Example: 192.34.56.78
path — the URI’s path. Example: /icecream (so it is possible to define a resource as
everything under /icecream at 192.34.56.78)
category (in hex) — not currently used, but may not be blank, so enter “1” in all lines.
Example: 1

Note - A URI specification file should contain no more than a thousand records.

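As an added example (not Check Point code), the following Python parser enforces the rules the manual states for a URI Specification file and then answers whether a request falls under one of its records. Separating the three fields with single spaces, the record-lookup semantics and the sample file are assumptions of this example.

```python
"""Parse and validate a URI Specification file (TABLE 6-11).

Added example, not Check Point code.  The rules enforced are the ones
the manual states: records separated by \\n, three fields per record
(IP address, path, category in hex), no white space between the category
and the \\n, a trailing \\n on the last line, and at most a thousand
records.  Single-space field separators and the sample file are
assumptions of this example.
"""
import ipaddress

MAX_RECORDS = 1000


class UriSpecError(ValueError):
    """Raised for any record that would not import cleanly."""


def parse_uri_spec(data):
    """Return a list of (ip, path, category) tuples, or raise UriSpecError."""
    if not data.endswith("\n"):
        raise UriSpecError("last line must end in \\n")
    records = []
    for lineno, line in enumerate(data.split("\n")[:-1], 1):
        if line != line.rstrip():
            raise UriSpecError("line %d: white space after the category" % lineno)
        fields = line.split(" ")
        if len(fields) != 3:
            raise UriSpecError("line %d: expected 3 fields, found %d"
                               % (lineno, len(fields)))
        ip, path, category = fields
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            raise UriSpecError("line %d: %r is not an IP address" % (lineno, ip))
        if not path.startswith("/"):
            raise UriSpecError("line %d: path must start with /" % lineno)
        try:
            int(category, 16)          # a blank category also fails here
        except ValueError:
            raise UriSpecError("line %d: category must be hex" % lineno)
        records.append((ip, path, category))
    if len(records) > MAX_RECORDS:
        raise UriSpecError("file has %d records, limit is %d"
                           % (len(records), MAX_RECORDS))
    return records


def is_valid_spec(data):
    """Convenience wrapper: True if parse_uri_spec() accepts the file."""
    try:
        parse_uri_spec(data)
    except UriSpecError:
        return False
    return True


def covers(records, ip, request_path):
    """True if a request to ip/request_path falls under any record: same
    IP address and the request path equal to or beneath the record path
    (the 'everything under /icecream at 192.34.56.78' reading)."""
    for rec_ip, rec_path, _category in records:
        prefix = rec_path.rstrip("/") + "/"
        if rec_ip == ip and (request_path == rec_path
                             or request_path.startswith(prefix)):
            return True
    return False


# Constructed sample file; 192.34.56.78 and /icecream come from TABLE 6-11.
SAMPLE_SPEC = (
    "192.34.56.78 /icecream 1\n"
    "192.34.56.78 /sorbet/lemon 1\n"
)

if __name__ == "__main__":
    recs = parse_uri_spec(SAMPLE_SPEC)
    print(recs, covers(recs, "192.34.56.78", "/icecream/vanilla"))
```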
URI Definition window — Match tab (UFP)


The Match tab of the URI Definition window (UFP specification) specifies additional
parameters defining a URI resource.
FIGURE 6-7 URI Definition window — Match tab (UFP specifications) with Ignore UFP server
after connection failure unchecked and checked

UFP Server — Select the UFP server from the menu.

A UFP server maintains a list of URLs and their categories. VPN-1/FireWall-1 checks Web
connection attempts using the URL list on the UFP server.
UFP caching control — Specifies whether there is caching control.
UFP caching reduces the number of requests sent to the UFP Server, thereby optimizing
performance.
Categories — Check the categories you wish to include in the resource definition.
Based on these categories, the HTTP Security Server allows or disallows the connection. A
UFP Server must first be defined in order for the Dictionary of Categories to be displayed.
Once the UFP server is selected from the drop-down list, the Dictionary of category selections
becomes available.

Note - For complete instructions on how to define a UFP Server, see “OPSEC Definition
Window — UFP Options Tab” on page 383.

Ignore UFP Server after connection failure — This check box specifies what the FireWall
should do when connection to the UFP server is lost. You must first define the following:
• Number of failures before ignoring the UFP server — number of times the FireWall
will attempt to contact the UFP server before ignoring it
• Timeout before reconnect to UFP server — defines the time interval for the FireWall
to ignore the UFP server
By checking this option, the system administrator can allow the FireWall to ignore the UFP
server, in other words, skip the match process with the UFP server and allow http
connections to pass. This will only occur if the rule defining the URI Resource’s Action is
accept and all other rule parameters match the connection.

URI Definition window — Action tab


The Action tab of the URI Definition window specifies JAVA, ActiveX, Script, Applets, FTP
links and port string actions for a URI resource.

FIGURE 6-8 URI Definition window — Action tab

Replacement URI — If the Action in a rule, which uses this resource, is Drop or Reject, then
this URI is displayed instead of the one the user requested in the Match tab. If a UFP server,
defined on this URI resource, sends a URL for redirection, it will override this replacement
URI.
HTML Weeding — Check one of the options below to strip the specified code from the HTML
page containing the reference to JAVA, JAVA Script or ActiveX code. In this way, the user will
not be aware that the JAVA or ActiveX is available from the HTML page being viewed. JAVA
applets already in the cache are not affected by this parameter.
Select any number of the following:
• Strip Script Tags — Strip JAVA Script tags from HTML code.
• Strip Applet Tags — Strip JAVA Applet tags from HTML code.
• Strip ActiveX Tags — Strip ActiveX tags from HTML code.
• Strip FTP Links — Strip FTP links from HTML code
• Strip Port Strings — Strip port strings from HTML code

Response Scanning — Specifies if JAVA code is to be blocked.


Block JAVA Code — If checked, JAVA applets are blocked by stripping JAVA code from
incoming HTTP. JAVA applets already in the cache are not affected by this parameter.
When the HTTP Security Server encounters JAVA code in incoming HTTP, it strips the code
and does not allow it to reach the browser. The user will see a message indicating that the
applet cannot start (when the JAVA code is incorporated in an HTML document), or a
message indicating that the document contains no data (if the JAVA code is directly fetched,
that is, the link points to the class).

URI Definition window — CVP tab


In the CVP tab of the URI Definition window, the user must define the following.
Use CVP (Content Vectoring Protocol) — specify whether CVP is to be used
CVP Server — Specifies the CVP Server from the drop-down menu.
If CVP is to be used, the user must then define whether or not the CVP server is allowed to
modify content and whether to send HTTP Headers and HTTP requests to the CVP server.
The following must be defined:
• CVP Server is allowed to modify content — send HTTP requests to CVP server is a
new feature which tells VPN-1/FireWall-1 to pass data outbound through the CVP
Server by enabling the following:
• Send HTTP Headers to CVP server — send all HTTP headers to the CVP server
• Send HTTP requests to CVP server — send all HTTP requests to the CVP server

Built in protocol support allows for the chunking of data for outgoing HTTP data packets.
The chunking of data occurs in the application layer of the TCP/IP Protocol Stack on the
packet stream. Data is chunked by adding header and title information to the data packets
which indicate the size of the data chunk. After the data chunk is processed, or rather, tested
for total packet size, it is dechunked (the header and title are removed). It is then treated as a
single packet and released back into the packet stream to proceed to its destination.
Reply Order — designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — data is returned after content has been
checked
• Return data before content is approved — data is returned to the user before content
is checked
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.

URI Definition window — SOAP tab


The Simple Object Access Protocol (SOAP) provides a way for applications to communicate
with each other over the Internet, independent of platform. SOAP relies on XML to define the
format of the information and then adds the necessary HTTP headers to send it.
XML passes information using commands called Methods that are intended to run on the
destination computer.
FireWall-1 uses a Security Server to check the methods being passed in the SOAP packet.
When FireWall-1 detects SOAP packets, they can either be always Accepted, or only the
Methods specified in a predefined file will be Accepted.

The way that FireWall-1 treats SOAP packets is defined in a URI resource that uses HTTP.
The SOAP processing defined in the URI resource is performed only if the HTTP connection
carrying the SOAP message was already Accepted by the rule in which the URI resource is used.
In other words, the connection must match the rule, and the rule Action cannot be Reject or
Drop.
In the URI Resource Properties window, check HTTP in the Match tab. The SOAP tab appears,
and in it define the SOAP Inspection behavior: Either Allow All SOAP Requests, or Allow
only SOAP requests specified in the Following File, and select the file.

The namespace and Method name of the XML Methods being passed can be viewed in the
SmartView Tracker by setting the Track option in the URI Resource Properties, SOAP tab. You
will see that the namespace and the name are concatenated in the log file.

Defining the Allowed SOAP Methods file


The name of the SOAP file must be one of a predefined list of 10 files, from scheme1 to
scheme10. The file must reside in the $FWDIR\conf\XML directory on the SmartCenter Server. If
Management High Availability is used, the same file should be duplicated on both SmartCenter
Servers.
The file must contain a two-column list separated by a space:
namespace method
For example:

http://tempuri.org/message/ EchoString
http://tempuri.org/message/ SubtractNumbers

The file must be defined very precisely. It is best to copy and paste the namespace and method
name from the log file. If there is a syntax error, the SOAP packets will be dropped.
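The following Python script is an added example, not part of the guide or of Check Point's software: it parses a scheme file in this two-column format, rejects malformed lines (the real Security Server answers a syntax error by dropping the SOAP packets, so the file is worth validating before a policy is installed), and tests a constructed SOAP request against it. The scheme contents, the SOAP envelope and the function names are all constructed for the example.

```python
"""Allowed SOAP Methods file checker (added example, not Check Point code).

The scheme file holds one "namespace method" pair per line.  parse_scheme()
refuses any line that does not have exactly two columns, soap_method() pulls
the namespace and method name out of a SOAP request, and is_allowed() joins
the two the way the Security Server's allow-list does.
"""
import xml.etree.ElementTree as ET

SOAP_ENVELOPE_NS = {"http://schemas.xmlsoap.org/soap/envelope/",
                    "http://www.w3.org/2003/05/soap-envelope"}

# Constructed scheme file, as it would be stored under $FWDIR\conf\XML.
SAMPLE_SCHEME = """http://tempuri.org/message/ EchoString
http://tempuri.org/message/ SubtractNumbers
"""

# Constructed SOAP request whose method is SubtractNumbers.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:SubtractNumbers xmlns:m="http://tempuri.org/message/">
      <a>5</a><b>3</b>
    </m:SubtractNumbers>
  </soap:Body>
</soap:Envelope>"""


def parse_scheme(text):
    """Return the set of (namespace, method) pairs in a scheme file.
    Raises ValueError on any non-blank line without exactly two columns."""
    allowed = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split()
        if not cols:
            continue
        if len(cols) != 2:
            raise ValueError("line %d: expected 'namespace method', got %r"
                             % (lineno, raw))
        allowed.add((cols[0], cols[1]))
    return allowed


def _split_tag(tag):
    """ElementTree writes namespaced tags as '{namespace}local'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def soap_method(envelope_xml):
    """Return (namespace, method) of the first element inside the SOAP Body."""
    root = ET.fromstring(envelope_xml)
    for child in root:
        ns, local = _split_tag(child.tag)
        if local == "Body" and ns in SOAP_ENVELOPE_NS:
            if len(child) == 0:
                break
            return _split_tag(child[0].tag)
    raise ValueError("no method call found in SOAP Body")


def log_form(namespace, method):
    """SmartView Tracker shows namespace and method concatenated; this is the
    string seen in the log, which must be split back into two columns (before
    the method name) when it is copied into the scheme file."""
    return namespace + method


def is_allowed(scheme_text, envelope_xml):
    """True if the request's method appears in the scheme file."""
    return soap_method(envelope_xml) in parse_scheme(scheme_text)
```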

URI for QoS Definition window


Resources can also be used in the FloodGate-1 Rule Base if they are of type URI for QoS.

The Security Administrator can classify Internet resources, namely URL designators, as part of
an appropriate QoS policy in accordance with enterprise priorities.
Name — the resource’s name
Search for URL — Specifies the URL string to be searched for in http connections.
A URL string is a character string that contains wild cards which describe the URL that is to
be matched to an http connection within the FloodGate-1 rule. You must enter one of the
following:
• a site with a wild card, for example, www.checkpoint.com/*
• a specific file name, or
• *.gif, which is any gif from any site
For more information on wild cards, see “Wild Cards” on page 233.

244 Check Point SmartCenter Guide • September 2002



Comment — descriptive text


This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.

SMTP Resources

SMTP Security Server


The SMTP Security Server deals with the following conditions:
• badly formed header or pipe (send to program)
The mail is allowed but the offending field is stripped (if smtp_rfc822 (true) is defined
under :props in objects.C — this is the default) and a warning message is sent to asmtp.log.
If smtp_rfc822 (false) is defined under :props in objects.C, the line is preserved as it is
and not rewritten. A warning message is sent to asmtp.log.

Warning - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.

• source routing
If the envelope SMTP MAIL or RCPT commands contain source routing symbols, the SMTP
Security Server replies with an error code.

SMTP Definition window — General tab


The General tab of the SMTP Definition window specifies the basic parameters of an SMTP
resource.
Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Server — Mail is forwarded to this server
Deliver messages using DNS/MX records — if selected, MX record resolving will be used
to set the destination IP of the connection. When the IP address is resolved, the message will
then be sent.
Check Rule Base with new Destination — if selected, the Rule Base will be rechecked with
the new resolved IP.


All the resource actions, e.g. header rewriting and CVP, will be decided according to the last
rule matched. The new resolved IP will be fetched from the MX record resolving or from the
server IP.
If multiple servers are defined, then they are tried one after the other until successful.
If this field is empty, mail is forwarded to the server specified under default_server in
$FWDIR/conf/smtp.conf . If this too is empty, then mail is forwarded to its original destination.

Notify Sender on Error —

If Notify Sender on Error is not checked, then no error notification is generated.

If Notify Sender on Error is checked, then:
• If the Server field is empty, the error notification is sent to the server specified under
default_server in $FWDIR/conf/smtp.conf.
• If default_server in $FWDIR/conf/smtp.conf is not specified, then the error
notification is sent to the originator of the mail.
If multiple servers are defined (see “Specifying Multiple Names” on page 249), then they are
tried one after the other until successful.

Server — error mail is forwarded to this server

Deliver messages using DNS/MX records — if selected, MX record resolving will be used to
set the source IP of the connection which will be used to send the error message.

Check Rule Base with new Error Destination — if selected, the Rule Base will be rechecked
with the new resolved IP for the error mail.
All resource actions will be decided according to the last rule matched. The new resolved IP will
be fetched from the MX record resolving or from the server IP.
Exception Tracking — This option determines if an action (specified in the Action2 tab) taken
as a result of a resource definition is logged.
Select one of the following:
• None — no logging or alerting
• Log — log the event
• Alert — issue an alert

For example, if a virus is detected and CVP in the Action2 tab (FIGURE 6-9) is not set to
None, or if the user attempts to send a message that is too long, the tracking specified here is
taken.
Notify Sender on Error — Notify the sender if the message was not delivered.

Note - For mail delivery within an organization using an SMTP Security Server, it is
recommended to use a static mail server configuration, by configuring “server” or “error
server” in the SMTP resource, rather than using the MX resolving option.


SMTP Definition window — Match tab


The Match tab of the SMTP Definition window specifies additional parameters defining an
SMTP resource.
Sender — the ‘From’ field in the envelope
Recipient — the ‘To’ field in the envelope
You may use wild card characters in specifying these fields (see “Wild Cards” on page 247).

SMTP Definition window — Action tabs


The Action tabs of the SMTP Definition window specify additional parameters of an SMTP
resource.

FIGURE 6-9 SMTP Definition window — Action tabs

Action 1 Tab
This tab defines transformations to be performed on the given fields. The data in the field is
modified in accordance with the defined transformation. The left part of the transformation is a
match field (see “Wild Cards” on page 247). The right part specifies the form of the new
transformed data. For information on specifying multiple names in some of these fields, see
“Specifying Multiple Names” on page 249.
Sender — the ‘From’ field in the header
You can also use the “&” wildcard character in specifying a field. For more information, see
“Wild Cards” on page 247.


Recipient — the ‘To’ field in the header


It’s recommended that the transformed data not include embedded spaces.
You can also use the “&” wildcard character in specifying a field. For more information, see
“Wild Cards” on page 247.
Field — the name of a field in the SMTP header (for example, ‘cc’ or ‘subject’)
Contents — the contents of the specified field

Note - Stripping fields such as ‘From’ and ‘To’ is discouraged, since it makes it impossible
to deliver the mail message.

Action 2 Tab
Strip MIME of Type — MIME attachments of the specified type will be stripped from the
message.
1) Allowed types are (as defined in RFC 1521):

• text
• multipart
• message
• image
• audio
• video
• application

Note - If you strip MIME of type text, the text in the body of the message is not stripped.

Strip file by name — strip file attachments with the name specified in this field
This field enables the user to strip UU-ENCODE and MIME file attachments whose names
match any of the defined expressions.
Consider the following expressions: +love*, *.pic, a*.+. In the following examples,
the defined file attachments will be stripped.

TABLE 6-12 Stripped File Attachment Example

Expression   Example
+love*       ILoveYou!, XLoveY
*.pic        a.pic, abc.pic
a*.+         ab.2, a.1, aa.1


Don’t Accept Mail Larger Than — Mail messages larger than this size will not be allowed to
pass.
Allowed Characters — Select one of the following:
• 8 bit — Allow 8 bit ASCII.
• 7 bit — Allow only 7 bit ASCII (but no control characters).
Weeding — Check any of the options below to strip header and mail content containing the
reference to JAVA, JAVA Script, ActiveX code, FTP links and port strings. JAVA applets already
in the cache are not affected by this parameter.
Select any number of the following:
• Strip Script Tags — Strip JAVA Script tags.
• Strip Applet Tags — Strip JAVA Applet tags.
• Strip ActiveX Tags — Strip ActiveX tags.
• Strip FTP Links — Strip FTP links.
• Strip Port Strings — Strip port strings.

Specifying Multiple Names


In some fields, you can specify a list of names using the following syntax:
{name1,name2}

Notes:

1) These rules apply to the following fields:

• Server field in ‘Mail Delivery’
• Server field in ‘Error Mail Delivery’
• Sender
• Strip MIME of Type
• Strip file by name
• Recipient
• Field
• Contents

2) There should be no whitespace before or after the names.

3) Write:
{hostname1@domainname1,hostname2@domainname1}

and not:
{hostname1,hostname2}@domainname1

4) When rewriting, the number of names on the left side should be the same as the number of
names on the right side. Rewrite:
{name1,name2} to {newname1,newname2}

However, if all the names on the left side are to be rewritten to the same name on the right
side, you can rewrite:

{name1,name2} to newname1
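The following Python script is an added example and not Check Point code. It implements the {name1,name2} list rules of “Specifying Multiple Names” together with the wildcard expressions of TABLE 6-12 for the Strip file by name field; the wildcard semantics (* matches zero or more characters, + matches one or more, matching is case-insensitive) are inferred from the table's own examples and are an assumption of this example, as are the function names.

```python
"""Strip-file-by-name matcher and rewrite-pair checker (added example, not
Check Point code).

Assumed wildcard semantics, inferred from TABLE 6-12 ("+love*" strips
"ILoveYou!", "a*.+" strips "a.1"): '*' matches zero or more characters,
'+' matches one or more characters, letters match regardless of case.
"""
import re


def split_names(field):
    """Expand '{name1,name2}' into a list of names, enforcing note 2: no
    whitespace before or after a name.  A field without braces is one name."""
    field = field.strip()
    if field.startswith("{") and field.endswith("}"):
        names = field[1:-1].split(",")
    else:
        names = [field]
    for name in names:
        if name == "" or name != name.strip():
            raise ValueError("bad name %r: empty or surrounded by whitespace" % name)
    return names


def wildcard_to_regex(expr):
    """Translate one wildcard expression into an anchored regular expression;
    every character other than '*' and '+' is literal."""
    parts = []
    for ch in expr:
        if ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".+")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def should_strip(field, attachment_name):
    """True if the attachment name matches any expression listed in the field."""
    return any(wildcard_to_regex(e).match(attachment_name) is not None
               for e in split_names(field))


def rewrite_map(left, right):
    """Pair the names of a rewrite 'left to right' as note 4 describes: either
    one-to-one with equal counts, or every left name to a single right name.
    Returns a list of (old, new) pairs."""
    olds, news = split_names(left), split_names(right)
    if len(news) == 1:
        return [(old, news[0]) for old in olds]
    if len(olds) != len(news):
        raise ValueError("left side has %d names, right side has %d"
                         % (len(olds), len(news)))
    return list(zip(olds, news))


# The rows of TABLE 6-12, used as a self-check of the assumed semantics.
TABLE_6_12 = {"+love*": ["ILoveYou!", "XLoveY"],
              "*.pic": ["a.pic", "abc.pic"],
              "a*.+": ["ab.2", "a.1", "aa.1"]}


def table_6_12_holds():
    """True if every example in TABLE 6-12 is stripped by its expression."""
    return all(should_strip(expr, name)
               for expr, names in TABLE_6_12.items() for name in names)
```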

SMTP Definition window — CVP tab


In the CVP tab of the SMTP Definition window, the user must define the following:
Use CVP (Content Vectoring Protocol) — Specifies whether CVP is to be used.
CVP Server — Specifies the CVP Server from the drop-down menu.

CVP Server allowed to modify content — Enables the designated CVP Server to modify
content.
Send SMTP headers to CVP Server — Enables the SMTP mail headers to be forwarded to the
CVP server for CVP content checking.
Reply Order — Designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server found a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the CVP Server for
content checking.
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.

FTP Resources

FTP Definition window — General tab


The General tab of the FTP Definition window specifies the basic parameters of an FTP
resource.
Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Exception Track — This option determines if an action (specified in the Action tab) taken as a
result of a resource definition is logged.
Select one of the following:


• None — no logging or alerting


• Log — log the event
• Alert — issue an alert

For example, if a virus is detected and Use CVP (Content Vectoring Protocol) in the CVP tab
is not enabled, then the tracking specified here is taken.

FTP Definition window — Match tab


The Match tab of the FTP Definition window specifies additional parameters defining an FTP
resource.
Path — the full path name of the file
File name matching is based on appending the file name in the command to the current
working directory (unless the file name is already a full path name) and comparing the result
to the path specified in the Resource definition.
The file path name must include the directory separator character /.
For example, the FTP command “GET myfile” is matched to
“/<current directory>/myfile”. If the Resource path name specifies only “myfile”, then
the command “GET myfile” will not match this path.
Path includes the file name (which can include wildcard characters). For example:
• “/boys/bigboy/*” includes all the files in the /boys/bigboy/ directory.
• “/boys/bigboy/” does not include any of the files in the /boys/bigboy/ directory.
• If /boys/bigboy were a file, it would be included in “/boys/bigboy/”.
You may also use wildcard characters in Path. When using wildcard characters, you must also
specify either the full path name, or use the directory separator in the wildcard expression. For
example, the path name “*/myfile” will match “myfile” in all possible directories.
For more information on FTP file names, see Chapter 10, “Security Servers and Content
Security.”
Methods — Select one of the following:
• GET — getting a file from the server to the client
• PUT — sending a file from the client to the server
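As an added example that is not part of the guide, the following Python code reproduces the Path matching rule just described: the file name from the FTP command is resolved against the current working directory and the result is compared with the resource Path. It assumes that * is the only wildcard and that it may match across directory separators, which is what the “*/myfile” example requires; the function names and sample paths are constructed.

```python
"""FTP resource Path matching (added example, not Check Point code).

Shows why a resource Path of "myfile" never matches "GET myfile": the name
in the command is first appended to the current working directory, and only
the resulting full path is compared with the Path expression.
Assumption: '*' is the only wildcard and matches any run of characters,
'/' included, so "*/myfile" matches myfile in every directory.
"""
import re


def resolve_ftp_path(cwd, name):
    """Append the file name from the FTP command to the current working
    directory unless the name is already a full path name."""
    if name.startswith("/"):
        return name
    return cwd.rstrip("/") + "/" + name


def path_pattern(resource_path):
    """Anchored regular expression for a resource Path; '*' is the only
    wildcard, everything else is literal."""
    return re.compile("^" + re.escape(resource_path).replace(r"\*", ".*") + "$")


def ftp_resource_matches(resource_path, methods, command, cwd):
    """True if an FTP command line such as "GET myfile" or "PUT report.txt"
    matches the resource's Path and one of its selected Methods."""
    verb, _, name = command.partition(" ")
    if verb.upper() not in {m.upper() for m in methods} or not name:
        return False
    full = resolve_ftp_path(cwd, name)
    return path_pattern(resource_path).match(full) is not None
```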

FTP Definition window — CVP tab


The CVP tab of the FTP Definition window specifies additional parameters of an FTP resource.
In the CVP tab of the FTP Definition window, the user must define the following.
Use of CVP (Content Vectoring Protocol) — specifies whether CVP is to be used.
CVP Server — specifies the CVP Server from the drop-down menu
CVP Server allowed to modify content — when selected, allows the CVP Server to modify
content


Reply Order field — designates when data is to be returned to the user. You must select one of
the following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server found a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the CVP Server for
content checking.
• Controlled by CVP server - The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.

TCP Resources
The TCP resource supports all TCP services and can be used for two different features. The
TCP resource can be used to support the generic daemon, in.genericd. This is a generic daemon
which is not the HTTP Security Server but rather receives data packets and sends them to a
CVP Server, as defined by the TCP resource.
The TCP resource also allows the screening of URLs using a UFP Server without using the
security server. If enabled, the UFP Server can perform URL checking without using a security
server. The URL received by the UFP Server is not a full URL but rather IP-based only. Before
using the TCP resource, the security administrator must verify that the UFP Server supports IP-
based URLs and can categorize specific protocols for which the TCP resource is to be
implemented.

TCP Resource Properties


Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Type — Select the type of server to be used in the TCP resource.
UFP — when selected, a UFP Server must be defined in the UFP tab.
CVP — when selected, a CVP Server must be defined and CVP settings configured in the CVP
tab.
Exception Track — This option determines if an action (specified in the Action tab) taken as a
result of a resource definition is logged.


Select one of the following:


• None — no logging or alerting
• Log — log the event
• Alert — issue an alert

TCP Definition window — UFP tab


UFP Server — the UFP Server’s name as selected from the drop-down list

The UFP server maintains a list of URLs and their categories. VPN-1/FireWall-1 checks
connection attempts using the URL list on the UFP server.
When a user requests a URL, VPN-1/FireWall-1 determines if the UFP server must be used
and handles the request without using a security server. If the UFP Server is used, the
connection packet is temporarily held until VPN-1/FireWall-1 determines if the connection is
permitted.
UFP Caching Control — specifies how caching is to be enabled
The Security Administrator can choose no caching, caching on the UFP server, or caching 1
or 2 requests on VPN-1/FireWall-1 from the drop-down menu.
Categories — check the categories you wish to include in the resource definition

TCP Definition window — CVP tab


In the CVP tab of the TCP Definition window, the user must define the following:
CVP Server — select the CVP Server from the drop-down list
CVP Server allowed to modify content — when selected, allows the CVP Server to modify
content of the message string
Reply Order — Designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server found a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the CVP Server for
content checking.
• Controlled by CVP server - The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.


Enabling for TCP Resource


To enable a TCP resource, proceed as follows:
1 Select the service that you wish to implement within a rule. You can either
• choose Services from the Manage menu, or
• click the corresponding button in the toolbar.
2 The TCP Service Properties window is displayed.
3 Click the Advanced tab to display the Advanced TCP Service Properties window.
FIGURE 6-10 Advanced TCP Service Properties window

4 Click OK. The service appears in the Service with Resource menu.
Click on the service and then select the Resource to be used from the drop-down list and
click OK.
5 The service with the TCP enabled resource appears in the Service column of the associated
rule and can be implemented in the Rule Base.

6 You must then edit $FWDIR/conf/fwauthd.conf and add a line where <port> is the TCP
service’s port number. For example:
<port> fwssd in.genericd wait 0

The TCP Resource will now be implemented.


CIFS Resources

CIFS Overview
CIFS (Common Internet File System) is a protocol used to request file and print services from
server systems over a network.
The protocol is an extension of the Server Message Block (SMB) protocol.
The protocol is often implemented over the NETBIOS session service over TCP using port
139.
Microsoft also uses CIFS over the Microsoft-DS protocol (port 445) for networking and file
sharing.
In a typical configuration each CIFS client maintains a TCP connection with every CIFS server
to which it is connected.
The client and server exchange CIFS-request and CIFS-response messages over this
connection.
More information on CIFS can be found under:
http://www.microsoft.com/mind/defaulttop.asp?page=/mind/1196/cifs.htm&nav=/mind/1196/inthisissuecolumns1196.htm
http://samba.org/cifs/
http://samba.org/samba/about.html

Support of the CIFS protocol


Starting from NG FP3, CIFS connections can be statefully inspected.
If configured, FireWall-1 can enforce the following security checks on CIFS connections:
1) Correctness of the protocol, preventing CIFS and NETBIOS messages issued by the client
from pointing beyond message boundaries.
2) Allowing access to different disk shares for different groups of users and hosts.
3) Logging disk share access.

Configuring CIFS Stateful Inspection


1 Define a new CIFS resource.
2 In the security policy tab, add a new rule. The rule's Service should be nbsession or
Microsoft-DS together with the configured resource.
3 Install the Policy.


Specifying the allowed disk/print shares


Connections matched to a CIFS rule are checked so that all disk/print shares accessed by the
clients are in accordance with the Allowed Disk/Print Shares property of the rule's resource.
This property is in the form of a regular expression.
Disk shares accessed by CIFS clients usually take the following form:
"\\ServerName\ShareName"

Note that in addition to the actual disk share, many CIFS client implementations also try to
map a pseudo share called
"\\ServerName\IPC$"

In order to allow access to the desired “ShareName” as well as IPC$, the regular expression
should therefore take the following form:
^\\\\ServerName\\(ShareName|IPC\$)$
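The following Python code is an added example, not Check Point code: it builds an Allowed Disk/Print Shares expression of exactly the form shown above for a list of share names (escaping the backslashes of the UNC path and the $ of IPC$) and checks constructed share map requests against it. Server and share names are constructed, and ordinary Python re semantics are assumed for the expression.

```python
r"""Allowed Disk/Print Shares expression builder and checker (added example,
not Check Point code).

A UNC path "\\Server\Share" has to be spelled "\\\\Server\\Share" inside a
regular expression, and the '$' of IPC$ must be written "\$"; hand-written
expressions often get one of these wrong, so the builder does the escaping.
"""
import re


def share_regex(server, shares):
    r"""Return an expression of the form ^\\\\Server\\(Share1|Share2|IPC\$)$.
    IPC$ is always included because CIFS clients try to map it anyway."""
    alternatives = [re.escape(s) for s in shares] + [r"IPC\$"]
    return r"^\\\\%s\\(%s)$" % (re.escape(server), "|".join(alternatives))


def share_allowed(expression, unc_path):
    """True if a share map request for unc_path satisfies the expression."""
    return re.match(expression, unc_path) is not None


def check_requests(expression, requests):
    """Classify share map attempts as the resource would: True means the map
    is permitted, False means it would be rejected (and logged if Log access
    violation is set in the CIFS Resource Properties window)."""
    return {path: share_allowed(expression, path) for path in requests}


# Constructed server, shares and map attempts for the example.
EXAMPLE_EXPRESSION = share_regex("ServerName", ["ShareName"])
EXAMPLE_REQUESTS = [r"\\ServerName\ShareName",
                    r"\\ServerName\IPC$",
                    r"\\ServerName\C$",
                    r"\\OtherServer\ShareName",
                    r"\\ServerName\ShareName\sub"]
```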

Logging
Logging of each share map attempt can be enabled by checking Log mapped shares in the
CIFS Resource Properties window.

In order to log attempts to access restricted shares, as well as any protocol violation performed
by the client, check Log access violation in the CIFS Resource Properties window.

Known limitations
1) In a High Availability configuration, CIFS statefully inspected connections are not expected
to survive failover.
2) A Disk/Print share whose name is not a legal ASCII string is not supported. An attempt to
connect to these shares will be rejected.
3) CIFS connections will not survive a Policy installation.
CIFS resources are supported with Accept, Client authentication, Session authentication and
Client Encrypt rules. Drop, Reject and User authentication are not allowed.


List Of Supported Services

List of Supported TCP Services


TABLE 6-13 TCP Services SmartDashboard

Each entry gives: Service Name, normal port number: Description. Pre-defined in
VPN-1/FireWall-1: Yes/No. Comments (if any).

AOL (America OnLine), port 5190: protocol used by AOL clients to connect to AOL through a
network connection, as opposed to a dial-up connection. Pre-defined: Yes.
chargen, port 19: A TCP chargen server sends an unending stream of characters until the client
terminates the connection. Pre-defined: No. Comments: This is also a UDP service.
Connected OnLine Backup, port 16384: PC agents that wake up occasionally and back up their
encrypted data to the Connected backup server across the Internet. Pre-defined: Yes.
Cooltalk, ports 6499, 6500: a voice communication protocol. Pre-defined: Yes. Comments: To
enable auxiliary (back) data connections for this service, you must specifically list this service
under Services in the Rule Base. UDP is used for the voice connection.
daytime, port 13: A daytime server returns date and time of day in text format. Pre-defined:
Yes. Comments: This is also a UDP service.
discard, port 9: A discard server discards whatever it is sent by a client. Pre-defined: Yes.
Comments: This is also a UDP service.
DNS, port 53: Domain Name System — a distributed database used to map host names to IP
addresses. Pre-defined: Yes. Comments: This is also a UDP service. TCP DNS is used for Domain
Name Download, while UDP DNS is used for Domain Name Queries.
echo, port 7: An echo server sends the client whatever the client sent the server. Pre-defined:
Yes. Comments: This is also a UDP service.
exec, port 512: invokes an executable. Pre-defined: Yes.
finger, port 79: a protocol that provides information about users on a specified host.
Pre-defined: Yes.
ftp, port 21: File Transfer Protocol — a protocol for copying files between hosts. Pre-defined:
Yes. Comments: To enable auxiliary data connections, check Enable FTP PORT Data
Connections in the Services tab of the Properties Setup window.
gopher, port 70: a menu driven front end to other Internet services, such as Archie, anonymous
FTP and WAIS. Pre-defined: Yes.
http, port 80: HyperText Transfer Protocol — a protocol used to implement the World Wide
Web. Pre-defined: Yes.
https, port 443: a version of HTTP that uses SSL for encryption. Pre-defined: Yes.
H.323, port 1720: client-to-client audio-visual application. Pre-defined: Yes. Comments: When
managing a Version 4.1 Module with an NG SmartCenter Server, the NG H.323 code is run by
default. To run the Version 4.1 H.323 code, modify the lib/h323.def file in the backward
compatibility directory on the SmartCenter Server as follows and then re-install the Policy.
Replace the following line:
#define FWH323_USE_NEW 1
by:
//#define FWH323_USE_NEW 1
ident, port 113: a protocol used for user identification. Pre-defined: Yes.
imap, port 143: Internet Mail Access Protocol. Pre-defined: Yes.
irc, ports 6670, 6680: Internet Relay Chat — a protocol for on-line “chat” conversations over
the Internet. Pre-defined: Yes.
kerberos, port 750: an authentication service. Pre-defined: Yes, as kerberos. Comments: This is
also a UDP service. The Kerberos authentication scheme is not supported by VPN-1/FireWall-1.
ldap, port 389: Lightweight Directory Access Protocol (simple X500 protocol). Pre-defined: Yes.
ldap-ssl, port 636: Lightweight Directory Access Protocol over SSL. Pre-defined: Yes.
LiveLan, port 1720: H.323 based applications such as LiveLAN. Pre-defined: Yes.
login, port 513: procedure used to get access to an OS or an application. Pre-defined: Yes.
Lotus Notes, port 1352: a proprietary Lotus protocol. Pre-defined: Yes.
Microsoft Conferencing, port not listed: a voice conferencing and remote application sharing
protocol. Pre-defined: Yes.
Microsoft Exchange, port not listed: messaging center (mail, news, users directory).
Pre-defined: Yes. Comments: To enable auxiliary data connections for this service, you must
specifically list this service under Services in the Rule Base.
• The client requests service on the DCE-RPC mapper (port 135), then initiates a TCP
connection to the port it received from the mapper.
• experimental support
• You must specifically allow DCE-RPC under Services in the Rule Base.
Microsoft NetMeeting, port 1503: voice communication (one to one or conference) and
application. Pre-defined: Yes. Comments: Uses H.323.
Microsoft NetShow, port 1755: streaming client–server multimedia. Pre-defined: Yes.
Comments: To enable auxiliary data connections for this service, you may specifically list this
service under Services in the Rule Base.
• The client sends a port command to the server, and the server starts UDP on that port to the
client.
• NAT support
Microsoft SQL Server 6.0, port 1433: a data replication server. Pre-defined: Yes.
Mosaic, port not listed: a web browsing application. Pre-defined: Yes. Comments: a group
consisting of archie, ftp, gopher and http.
nbsession, port 139: netBIOS used over a WAN. Pre-defined: Yes. Comments: belongs to the
NBT group.
NBT, port not listed: A NetBIOS extension defining an expanded application interface.
Pre-defined: Yes.
netstat, port 15: (no description given). Pre-defined: Yes.
nntp, port 119: a protocol used to transmit news. Pre-defined: Yes.
ntp, port 123: time protocol with synchronization — a protocol providing access over the
Internet to systems with precise clocks. Pre-defined: Yes. Comments: This is also a UDP service.
Open Windows, port 2000: (no description given). Pre-defined: Yes.
PointCast, port 80: a protocol for viewing news in TV like fashion. Pre-defined: No.
pop2, port 109: Post Office Protocol — a mail protocol that allows a remote mail client to read
mail from a server. Pre-defined: Yes.
pop3, port 110: Post Office Protocol — a modified version of pop2. Pre-defined: Yes.
RAS, port not listed: Remote Access Service. Pre-defined: Yes.
RealAudio, port 7070: a protocol for the transmission of high quality sound on the Internet.
Pre-defined: Yes. Comments: To enable auxiliary (back) data connections for this service, you
must specifically list this service under Services in the Rule Base.
rexec, port 512: a protocol that provides remote execution facilities with authentication.
Pre-defined: Yes, as exec. Comments: To enable stderr, check Enable RSH/REXEC Reverse
stderr Connections in the Services tab of the Properties Setup window.
rlogin, port 513: remote login — a protocol that enables remote login between hosts.
Pre-defined: Yes, as login. Comments: To enable stderr, check Enable RSH/REXEC Reverse
stderr Connections in the Services tab of the Properties Setup window.
rsh, port 514: remote shell — a protocol that allows commands to be executed on another
system. Pre-defined: Yes, as shell. Comments: To enable stderr, check Enable RSH/REXEC
Reverse stderr Connections in the Services tab of the Properties Setup window.
SecurID, port not listed: a protocol used by an authentication service product of Security
Dynamics Technologies, Inc. Pre-defined: Yes. Comments: SecurID is a group consisting of the
services required to implement SecurID.
securidprop, port 5510: a SecurID service. Pre-defined: Yes.
smtp, port 25: Simple Mail Transfer Protocol — a protocol widely used for the transmission of
e-mail. Pre-defined: Yes.
SQLNet, ports 1521, 1525: an Oracle protocol for transmission of SQL queries. Pre-defined:
Yes. Comments: To enable auxiliary data connections for this service, you must specifically list
this service under Services in the Rule Base. This service can work in two modes:
• In the first, the client connects to the server using TCP port 1521.
• In the second, the client connects to a manager server on TCP 1521 or 1525. This server
sends the client a new server IP and port, then the client connects to the new server.
Sybase SQL, port > 1024: client–server database. Pre-defined: No. Comments: uses a static
TCP port (defined in the Sybase setup) above 1024.
TACACS+, port 49: an authentication protocol. Pre-defined: Yes, as TACACSplus.
telnet, port 23: Telecommunications Network Protocol — a remote terminal protocol enabling
any terminal to login to any host. Pre-defined: Yes.
time, port 37: a service that returns the time of day as a binary number. Pre-defined: Yes.
Comments: This is also a UDP service.
uucp, port 540: Unix to Unix Copy. Pre-defined: Yes.
Vosaic, port 1235: audio and video based on VDP (Video Datagram Protocol). Pre-defined: Yes.
Comments: also uses UDP ports 61801-61821.
VDO-Live, port 7000: a protocol for the transmission of high quality video on the Internet.
Pre-defined: Yes. Comments: To enable auxiliary (back) data connections for this service, you
must specifically list this service under Services in the Rule Base.
wais, port 210: Wide Area Information Servers — a tool for keyword searches, based on
database content, of databases on the Internet. Pre-defined: Yes.
Webtheatre, port 12468: live audio & video streaming. Pre-defined: Yes. Comments: To enable
auxiliary data connections for this service, you must specifically list this service under Services
in the Rule Base.
• The client opens TCP port 12468 by default for control. For each media stream request there
is a port command from client to server including the RTP (UDP) port the client is waiting
on. The audio passes on the RTP port and the control on the RTCP port (RTCP port = RTP
port + 1).
• NAT support
WinFrame, port 1494: remote LAN access. Pre-defined: Yes.
X11, ports 6000 – 6063: a windowing system protocol. Pre-defined: Yes.


List of Supported UDP Services


TABLE 6-14 UDP Services SmartDashboard

Each entry gives: Service Name, normal port number: Description. Pre-defined in
VPN-1/FireWall-1: Yes/No. Comments (if any).

archie, port 1525: a tool for keyword searches, based on file names, of files on the Internet
available through FTP. Pre-defined: Yes.
BackWeb, port 370: a UDP service similar to PointCast. Pre-defined: Yes. Comments: source port
371. To enable auxiliary data connections for this service, you must specifically list this service
under Services in the Rule Base.
biff, port 512: file format. Pre-defined: Yes.
bootp, port 67: Bootstrap Protocol — a protocol for booting diskless systems. Pre-defined: Yes.
chargen, port 19: A UDP chargen server sends a datagram containing a random number of
characters in response to each datagram sent by a client. Pre-defined: No. Comments: This is
also a TCP service.
CU-SeeMe, ports 7648 – 7652: video, audio and chat (client to client); needs video camera.
Pre-defined: Yes.
daytime, port 13: A daytime server returns date and time of day in text format. Pre-defined:
Yes. Comments: This is also a TCP service.
discard, port 9: A discard server discards whatever it is sent by a client. Pre-defined: Yes.
Comments: This is also a TCP service.
dns, port 53: Domain Name System — a distributed database used to map host names to IP
addresses. Pre-defined: Yes. Comments: This is also a TCP service. TCP DNS is used for Domain
Name Download, while UDP DNS is used for Domain Name Queries.
echo, port 7: An echo server sends the client whatever the client sent the server. Pre-defined:
Yes. Comments: This is also a TCP service.
FreeTel, ports 21300, 21301: a voice communication protocol. Pre-defined: Yes. Comments: To
enable auxiliary data connections for this service, you must specifically list this service under
Services in the Rule Base.
InternetPhone, port 22555: a protocol for the transmission of voice quality sound over the
Internet. Pre-defined: Yes.
ISAKMP, port 500: an encryption protocol. Pre-defined: Yes.
kerberos, port 750: an authentication service. Pre-defined: Yes. Comments: This is also a TCP
service. The Kerberos authentication scheme is not supported by VPN-1/FireWall-1.
name, port 42: Host Name Server. Pre-defined: Yes.
nbdatagram, port 138: NetBios Datagram Service. Pre-defined: Yes. Comments: belongs to the
NBT group.
nbname, port 137: NetBios Name Service. Pre-defined: Yes. Comments: belongs to the NBT
group.
nfsd, port 2049: Network File System - Sun Microsystems. Pre-defined: Yes. Comments: belongs
to the NFS group.
ntp, port 123: time protocol with synchronization — a protocol providing access over the
Internet to systems with precise clocks. Pre-defined: Yes. Comments: This is also a TCP service.

266 Check Point SmartCenter Guide • September 2002


List of Supported UDP Services

TABLE 6-14 UDP Services SmartDashboard

Service Description Comments

in VPN-1/FireWall-1
Name
normal port

pre–defined
number

OnTime 1622 client/server calendar services Yes


RADIUS 1645 an authentication protocol Yes
RAS Remote Access Service Yes
RDP 259 an internal VPN-1/FireWall-1 Yes
protocol used for establishing
encrypted sessions
rip 520 Routing Information Protocol Yes
— a protocol used to
implement dynamic routing
SecurID a protocol used by an Yes SecurID is a group consisting
authentication service product of the services required to
of Security Dynamics implement SecurId.
Technologies, Inc.
securid-udp 5510 a SecurID service Yes
snmp 161 a protocol used for managing Yes
network resources
snmp-read 161 read only snmp Yes
snmp-trap 162 a notification to the manager Yes
by SNMP of some event of
interest
StreamWorks 1558 a protocol for the transmission Yes
of high quality video (Xing)
syslog 514 a protocol that allows a Yes
computer to send logs to
other computer
TACACS 49 an authentication protocol Yes
TFTP 69 Trivial File Transfer Protocol Yes
— a small, simple file transfer
protocol used primarily in
booting diskless systems

Chapter 6 Services and Resources 267


List Of Supported Services

TABLE 6-14 UDP Services SmartDashboard

Service Description Comments

in VPN-1/FireWall-1
Name
normal port

pre–defined
number

time 37 a service that returns the time Yes This is also a TCP service.
of day as a binary number
traceroute >33000 a debugging application that Yes
shows the route followed by
IP packets
who 513 a service that provides Yes
information on who is logged
on to the local network

List of Supported RPC Services

TABLE 6-15 RPC Services

Service Name | Program number | Description | Pre-defined in VPN-1/FireWall-1 SmartDashboard | Comments
DCE-RPC | | a protocol similar to Sun RPC Portmapper | Yes | Experimental support for use with Microsoft Exchange.
lockmanager | 100021 | a protocol used for the transmission of lock requests | Yes | as nlockmgr
mountd | 100005 | a protocol used for the transmission of file mount requests | Yes | belongs to the NFS group
NFS | | Network File System — a protocol that provides transparent file access over a network | Yes | a group that includes all the services that are required for NFS.
nfsprog | 100003 | | Yes | belongs to the NFS group
NIS | | Network Information System — a protocol that provides a network accessible system administration database, widely known as Yellow Pages | Yes | NIS is a group that includes all the services that are required for NIS.
nisplus | 100300 | | Yes |
pcnfsd | 150001 | | Yes | belongs to the NFS group
rstat | 100001 | a protocol used to obtain performance data from a remote kernel | Yes |
rwall | 100008 | a protocol used to write to all users in a network | Yes |
pbind | 100007 | | Yes | belongs to the NIS group
yppasswd | 100009 | | Yes | belongs to the NIS group
ypserv | 100004 | | Yes | belongs to the NIS group
ypupdated | 100028 | | Yes | belongs to the NIS group
ypxfrd | 100069 | | Yes | belongs to the NIS group

List of Supported ICMP Services

TABLE 6-16 ICMP Services

Service Name | Description | Pre-defined in VPN-1/FireWall-1 SmartDashboard
dest-unreach | an ICMP message indicating that the destination is unreachable | Yes
source-quench | an ICMP message indicating that the system cannot process datagrams at the rate at which they are being received | Yes
info-req | an obsolete ICMP message | Yes
info-reply | an obsolete ICMP message | Yes
mask-request | an ICMP message requesting a diskless system’s subnet mask | Yes
mask-reply | an ICMP message in reply to a mask-request message | Yes
param-prblm | an ICMP message indicating invalid data in an earlier message | Yes
ping: echo-request, echo-reply | The ping program tests whether another host is available, and measures the time between the request (echo-request) and the reply (echo-reply). | Yes
redirect | an ICMP error message sent by a router in response to a misdirected datagram | Yes
time-exceeded | an ICMP error message indicating routing loops or reassembly failure | Yes
timestamp (request, reply) | ICMP messages (request and reply) enabling systems to query each other for the current time | Yes
traceroute | a debugging application that shows the route followed by IP packets | Yes

List of Supported Other IP Protocol Services

TABLE 6-17 Other IP Protocol Services

Service Name | IP protocol number | Description | Pre-defined in VPN-1/FireWall-1 SmartDashboard
egp | 8 | a protocol used to implement dynamic routing | Yes
ggp | 3 | a protocol used to implement dynamic routing | Yes
igrp | 9 | a protocol used to implement dynamic routing | Yes
ospf | 89 | a protocol used to implement dynamic routing | Yes

Notes for Services


traceroute
traceroute is a UDP service in Unix and an ICMP service in NT. Replies (for example,
time-exceeded) are ICMP in both Unix and NT. To enable traceroute, you must enable both the
traceroute packets leaving the client and the reply packets returning to the client, as listed
in TABLE 6-18.

TABLE 6-18 traceroute services

 | NT traceroute client | Unix traceroute client
packets leaving the Client | Enable the echo-request service in a rule. | Enable the traceroute service in a rule.
packets returning to the Client | Enable the echo-reply and time-exceeded services in a rule. | Enable the dest-unreach and time-exceeded services in a rule.

Note - For NT clients, you can also enable traceroute by checking Accept ICMP in the
Security Policy tab of the Properties Setup window. However, this enables all ICMP
services, and not just the ones required for traceroute.



CHAPTER 7

Global Properties

In This Chapter

FireWall-1 Implied Rules  page 276
Security Server  page 278
VoIP (Voice over IP)  page 279
NAT (Network Address Translation)  page 279
Authentication  page 280
VPN-1 Pro  page 282
VPN-1 Early Versions Compatibility  page 282
VPN-1 Advanced  page 282
VPN-1 Net  page 282
Remote Access — VPN SecuRemote/SecureClient  page 282
Remote Access — VPN  page 282
Remote Access — Secure Configuration Verification  page 282
Remote Access — Early Versions Compatibility  page 282
FloodGate-1 Properties  page 282
SmartMap  page 283
Management High Availability  page 283
LDAP (Account Management)  page 283
Connect Control  page 285
Open Security Extension (OSE) Access List  page 286
Stateful Inspection  page 287
Log and Alert  page 289
SmartDashboard Customization  page 293

A Security Policy is defined not only by the Rule Base, but also by the properties specified in
the various pages of the Global Properties window. These properties enable the user to control
all aspects of a communication’s inspection, while at the same time freeing the user of the need
to specify repetitive detail in the Rule Base.
To display the Global Properties window, choose Properties from the Policy menu, or click
in the toolbar.


For information about the interaction between Properties and the Rule Base, see “Interaction
between Rule Base and Implied Rules (Properties)” on page 317.
Note - There is no longer a Services tab. The options that (in previous versions) were in
that tab (listed below) are enabled by default. They can be changed by editing
objects_5_0.C using dbedit (see Chapter 18, “Command Line Interface”).
• Enable FTP PORT data connections
• Enable FTP PASV data connections
• Enable RSH/REXEC reverse stderr connections
• Enable RPC control

FireWall-1 Implied Rules


Accept VPN-1 & FireWall-1 control connections — VPN-1/FireWall-1 uses these connections
for communications between Check Point applications on different machines, and for
connecting to external servers such as RADIUS, TACACS, etc.
If you check this property, each VPN/FireWall Module managed by this SmartCenter Server
will allow the fw1_service service between all VPN/FireWall Modules (managed by this
SmartCenter Server) on which VPN-1 & FireWall-1 is checked (under Check Point products
in the General page of the network object’s Properties window — see “Check Point window
— General Page” on page 182).
Note - NG control connections are different from pre-NG control connections, so pre-NG
Modules will not recognize NG control connections. Therefore, if a pre-NG FireWall Module is
located between an NG Module and its NG SmartCenter Server, control connections between
the NG machines will be blocked by the pre-NG FireWall Module.

TABLE 7-1 lists the services enabled by Accept VPN-1 & FireWall-1 Control Connections.
“all VPN/FireWall Modules” means all VPN/FireWall Modules managed by this SmartCenter
Server. You can view the implied rules generated by this property by choosing Implied Rules
from the View menu (see “Implied Rules” on page 318 for more information).

TABLE 7-1 Accept VPN-1 & FireWall-1 control connections

Service group | Source | Destination
FW1 | all VPN/FireWall Modules | all VPN/FireWall Modules
FW1_log | all VPN/FireWall Modules | all VPN/FireWall Modules
FW1_cpd | all VPN/FireWall Modules | all VPN/FireWall Modules
FW1_cpmi | GUI Clients | SmartCenter Server
FW1_topo | Any | all VPN/FireWall Modules
FW1_key | Any | all VPN/FireWall Modules
IKE | Any | all VPN/FireWall Modules
IKE | all VPN/FireWall Modules | Any
FW1_ica_pull | all VPN/FireWall Modules | SmartCenter Server
RDP | Any | Any
FW1_cvp | all VPN/FireWall Modules | CVP Servers
FW1_ufp | all VPN/FireWall Modules | UFP Servers
RADIUS | all VPN/FireWall Modules | RADIUS Servers
TACACS | all VPN/FireWall Modules | TACACS Servers
ldap | all VPN/FireWall Modules | LDAP Servers
FW1_load_agent | all VPN/FireWall Modules | Logical Servers

You can uncheck Accept VPN-1 & FireWall-1 Control Connections if all the following
conditions are true:
• The VPN/FireWall Module, the SmartCenter Server and the GUI Client are all running
on the same machine.
• There are no external servers (for example, OPSEC, RADIUS etc.).
• There are no SecuRemote/SecureClient users.
• There is only one SmartCenter Server (that is, the configuration does not include
Management High Availability).
Note - In VPN-1/FireWall-1 Version 4.1 SP1 and earlier, checking Accept VPN-1 &
FireWall-1 control connections would allow the fw1_service between all network
objects defined on the SmartCenter Server. The current meaning of Accept VPN-1 &
FireWall-1 control connections excludes, for example, an OPSEC server running on a
machine on which VPN-1/FireWall-1 is not installed, and the opsec_putkey command
would fail. To enable the fw1_service for machines excluded by the new meaning, you
must explicitly define a rule allowing the service.

Enabling Accept VPN-1 & FireWall-1 Control Connections opens the VPN-1/FireWall-1
application port and the SmartCenter Server port, allowing VPN-1/FireWall-1 GUI Clients to
communicate with the SmartCenter Server. If you disable Accept VPN-1 & FireWall-1 Control
Connections and you want VPN-1/FireWall-1 applications to communicate with each other,
you must explicitly allow these connections in the Rule Base.

Accept Outgoing Packets Originating from Gateway — Accept all outgoing packets
originating on the gateway (the VPN/FireWall Module machine).
Accept Outgoing Packets Originating from Gateway is set to Before Last to enable the user
to define more detailed rules relating to these packets that will be enforced before this
property. If this property were First, then there would be no opportunity for the user to relate
to these in the Rule Base. If it were Last, then it would be enforced after the last rule (which
typically rejects all packets) and would thus have no effect.
Accept RIP — Accept Routing Information Protocol used by the routed application.


RIP maintains information about reachable systems and the routes to those systems.
Accept Domain Name Over UDP (Queries) — Accept Domain Name Queries used by named.

named resolves names by associating them with their IP address. If named does not know the
IP address associated with a particular host name, it issues a query to the name server on the
Internet.
Accept Domain Name Over TCP (Zone Transfer) — Allow uploading of domain name-
resolving tables.
Tables of Internet host names and their associated IP addresses and other data can be uploaded
from designated servers on the Internet.
Accept ICMP requests — Accept Internet Control Messages.
ICMP (Internet Control Message Protocol) is used by IP for control messages (for example,
destination unreachable, source quench, route change) between systems.
Accept ICMP requests is set to Before Last to enable the user to define more detailed ICMP
related rules that will be enforced before this property. If this property were First, then there
would be no opportunity for the user to relate to ICMP in the Rule Base. If it were Last,
then it would be enforced after the last rule (which typically rejects all packets) and would thus
have no effect.
Enabling Accept ICMP does not enable ICMP Redirect. If you wish to enable ICMP
Redirect, you must explicitly do so.
Accept CPRID connections — Accept SmartUpdate connections.
Accept dynamic address gateways’ DHCP traffic — Accept DHCP traffic for DAIP
(Dynamically Assigned IP Address) Modules.
See Chapter 14, “Dynamically Assigned IP Addresses” for more information about DAIP
Modules.

Track
Log Implied Rules — Log the connections to which implied rules (the rules shown when
Implied Rules has been selected in the View menu) are applied.
The rule number of these log entries is 0 (zero).
See “Interaction between Rule Base and Implied Rules (Properties)” on page 317 for more
information.

Security Server
For information about Security Servers, see “Security Servers” on page 205 of Check Point
FireWall-1 Guide.


VoIP (Voice over IP)


Log VoIP connection — If checked, additional log entries will be generated for every VoIP
connection.
For information about the H.323 parameters in this page, see “Global Properties — H.323” in
Chapter 6, “VoIP (Voice Over IP)” of Check Point FireWall-1 Guide.
For information about the SIP parameters in this page, see “Global Properties — SIP” in
Chapter 6, “VoIP (Voice Over IP)” of Check Point FireWall-1 Guide.

NAT (Network Address Translation)


For information about Network Address Translation, see Chapter 2, “Network Address
Translation (NAT)” of Check Point FireWall-1 Guide.

Automatic NAT rules


Allow bidirectional NAT — If more than one automatic NAT rule matches a connection, then
both rules are matched.
When NAT is defined for a network object, an automatic NAT rule is generated which
performs the required translation. If there are two such objects and one is the source of a
connection and the other the destination, then without bi-directional NAT, only one of these
objects will be translated, because only one of the automatically generated NAT rules will be
applied. With Bi-directional NAT, both automatic NAT rules are applied, and both objects
will be translated.
The operation of bi-directional NAT can be tracked using the Log Viewer, using the fields
• NAT Rule Number
• NAT Additional Rule Number

The NAT rules are the ones in the Address Translation Rule Base. The additional rule is the
rule that matches the automatic translation performed on the second object in bi-directional
NAT.
If Automatic rules intersection is checked, then both rules will be applied and both source
and destination addresses will be translated. If it is not checked, only one of these objects will
be translated, because only one of the automatically generated NAT rules is applied.
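The effect of Allow bidirectional NAT on a connection between two NATed objects, as an added illustration that is not Check Point code. Each object with static NAT defined yields one automatic rule; this example assumes such a rule translates the object's real address when it is the source and its NAT address when it is the destination, and that without bidirectional NAT the lowest-numbered matching rule in the Address Translation Rule Base is the one applied. The numbers returned correspond to the Log Viewer fields NAT Rule Number and NAT Additional Rule Number named above; the addresses and rule numbers are constructed.

```python
"""Automatic NAT rules with and without Allow bidirectional NAT (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoNatRule:
    number: int       # position in the Address Translation Rule Base
    original: str     # the object's real address
    translated: str   # the object's NAT address

    def matches(self, src, dst):
        # Assumption: a static automatic rule matches the object as source
        # (real address) or as destination (NAT address).
        return src == self.original or dst == self.translated

    def apply(self, src, dst):
        return (self.translated if src == self.original else src,
                self.original if dst == self.translated else dst)


# Two NATed objects, one automatic rule each (constructed addresses).
RULES = [
    AutoNatRule(1, "10.1.1.10", "192.0.2.10"),
    AutoNatRule(2, "10.2.2.20", "192.0.2.20"),
]


def translate(rules, src, dst, bidirectional):
    """Return (src, dst, NAT Rule Number, NAT Additional Rule Number); 0 = none.

    Without bidirectional NAT only the first matching automatic rule is applied,
    so only one of the two objects is translated. With it, the second matching
    rule is applied as well and reported as the additional rule.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    matching = [r for r in ordered if r.matches(src, dst)]
    if not matching:
        return src, dst, 0, 0
    first = matching[0]
    src, dst = first.apply(src, dst)
    additional = 0
    if bidirectional and len(matching) > 1:
        second = matching[1]
        src, dst = second.apply(src, dst)
        additional = second.number
    return src, dst, first.number, additional


if __name__ == "__main__":
    # Internal host 10.1.1.10 connects to the NAT address of internal host 10.2.2.20.
    for flag in (False, True):
        print("bidirectional =", flag, translate(RULES, "10.1.1.10", "192.0.2.20", flag))
```

With the flag off the destination is left as the NAT address 192.0.2.20 and only the source is translated (rule 1, no additional rule); with it on the destination is translated back to 10.2.2.20 as well and rule 2 is reported as the additional rule.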
Translate destination on client side — Static Destination Mode NAT is performed on the
Client side.
In VPN-1/FireWall-1 prior to Version NG, Static Destination Mode NAT was performed on
the server side of the gateway, which required special handling for anti-spoofing and internal
routing.
For new installations, Perform destination translation on the client side is enabled by
default. For upgrades, Perform destination translation on the client side is disabled, in
order to maintain compatibility with earlier versions.


For additional information, see “Ensuring That the Gateway Forwards the Packet to the
Correct Host” on page 84 and “Static Destination Mode” on page 77 of Check Point
FireWall-1 Guide.
Automatic ARP configuration — ARP tables on the VPN/FireWall Module machine (gateway)
performing NAT will be automatically configured so that ARP requests for a translated (NATed)
machine, network or address range are answered by the gateway.
This option removes the requirement (present in VPN-1/FireWall-1 prior to Version NG) for
manual ARP configuration (using the arp command in Unix or the local.arp file in NT).
The command fw ctl arp displays the VPN-1/FireWall-1 Module’s ARP proxy table on
Windows NT and Windows 2000 VPN/FireWall Modules (see “fwm ctl” on page 576). On
Unix, use the arp -a command.
For additional information, see “Ensuring That the Gateway Forwards the Packet to the
Correct Host” on page 84 of Check Point FireWall-1 Guide.

IP Pool NAT
For information about these parameters, see “IP Pools” on page 176 of Check Point Virtual
Private Networks Guide.

Private Address Ranges


IP addresses in the specified ranges are considered as public addresses by the SmartMap and by
the automatic topology discovery feature (see “Automatic Topology Discovery and Definition”
on page 186).
The default addresses are those defined by RFC 1918.
• To add a new range, click Add.
• To edit an existing range, select the range and click Edit.
• To remove a range, select it and click Remove.

Authentication

Failed Authentication Attempts


Define the number of failed authentication attempts before terminating the connection for the
following services:
• rlogin connection
• telnet connection
• Client Authentication connection
• Session Authentication connection


Authentication of Users with certificates


Authenticate internal users with this suffix only — This feature is enabled by default, and is
relevant only for users (not administrators) defined in the internal database who authenticate
with PKI. When checked, it enforces a specific suffix on user DNs, so that only certificates
whose DN carries the specified suffix are accepted. The suffix defaults to the suffix of the
ICA's DN, so that user certificates issued by the ICA can be authenticated (user certificates
issued by the ICA are a new feature in FP1).

Earlier Versions Compatibility


Note - For VPN-1/FireWall-1 NG and higher, these settings should be defined in the network
object’s Properties window.
For earlier versions, these settings should be defined in the Authentication page of the
Global Properties window.

User Authentication Session timeout (minutes) - The session will time out if there is no
activity for this time period. This applies to FTP, telnet, and the rlogin Security Servers.
For HTTP, this field has a different meaning: The HTTP Security Server extends the validity of
a one-time password for this time period, so users with one-time passwords will not have to
reauthenticate for each connection during this time period.
Enable wait mode for Client Authentication — This option applies only when a user initiates
Client Authentication through a telnet session to port 259 on the gateway.
If Enable wait mode is checked, the initial telnet session remains open. The Client
Authentication session is closed when the telnet session is closed, either by the user or by
other means. VPN-1/FireWall-1 pings the client at regular intervals during the authorization
period. If the client machine has stopped running (for example, due to a power failure) VPN-
1/FireWall-1 closes the telnet session and Client Authentication privileges to the IP address are
withdrawn. When the Client Authentication session has been closed, it cannot initiate any
new authenticated connections; however, all existing authenticated connections remain open.
If Enable wait mode is not checked, the initial telnet session is closed when the user chooses
the Standard Sign On or Specific Sign On options. The user must initiate another telnet
session on the gateway in order to sign off the Client Authentication session.
Authentication Failure Track — specifies the action to take if Authentication fails (applies to
all authentication rules)
• None — no tracking
• Log — Create a log of the authentication action.
• Popup Alert — Run the Run popup alert script in the Log and Alert page of the
Global Properties window (FIGURE 7-23 on page 413).

For information about authentication, see Chapter 3, “Authentication” of Check Point FireWall-1
Guide.


VPN-1 Pro
For information about encryption, see Check Point Virtual Private Networks Guide.

VPN-1 Early Versions Compatibility


For information about this page, see Check Point Virtual Private Networks Guide.

VPN-1 Advanced
For information about the VPN-1 Advanced page, see Check Point Virtual Private Networks Guide.

VPN-1 Net
For information about the VPN-1 Net page, see Check Point Virtual Private Networks Guide.

Remote Access — VPN SecuRemote/SecureClient


For information about the Remote Access page, see the Check Point Desktop Security Guide.

Remote Access — VPN


For information about the Remote Access page, see the Check Point Desktop Security Guide.

Remote Access — Secure Configuration Verification


For information, see Check Point Virtual Private Networks Guide.

Remote Access — Early Versions Compatibility


For information, see Check Point Virtual Private Networks Guide.

FloodGate-1 Properties

Bandwidth Control

Weight
Maximum weight of rule — the maximum rate that can be assigned to a rule
Default weight of rule — the default rate assigned to a new rule and to Default rules

Rate
Default interface Rate — the default bandwidth capacity for interfaces
Unit of measure — the unit specified by default for transmission rates


Authentication Timeout for QoS


Authenticated IP expires after — If a user has previously been authenticated, all connections
opened within the specified time will receive the guaranteed bandwidth connection. Any
connection opened after the specified time will require re-authentication.
Non authenticated IP expires after — If a user has previously tried and failed to be
authenticated, all connections that are opened within the specified time will not receive the
guaranteed bandwidth connection.
Unresponded queried IP expires after — UserAuthority is queried to see if a user’s IP address
has been previously authenticated using Client Authentication or SSL. If the query is not
answered within the specified time, the connection will be classified under the default rule.
Set Default — Restore the default settings of the Authentication timeout for QoS parameters.

SmartMap
The SmartMap page enables or disables the SmartMap View.
For more information, see Chapter 16, “SmartMap.”

Management High Availability


The Management High Availability page specifies how redundant SmartCenter Servers
synchronize their databases.
For more information, see Chapter 17, “Management High Availability.”

LDAP (Account Management)


The LDAP page defines the properties related to communications with LDAP Servers (see “User
Database” on page 167).
Use LDAP Account Management — Check this field if User Authentication will use LDAP
Account Units, in addition to the VPN-1/FireWall-1 internal User Database.
• If this field is checked, the other fields in the window are enabled.
• If this field is not checked, User Authentication will use only the VPN-1/FireWall-1
internal User Database.
Time-out on LDAP Requests — An LDAP request will be considered to have timed out after
this period (specified in seconds).
Time-out on Cached Users — A cached user will be considered to be out-of-date after this
period (specified in seconds), and will be fetched again from the LDAP Server.
Cache Size (Users) — This field specifies the number of users that will be cached.
The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user
is deleted to make room for the new user. VPN-1/FireWall-1 does not query the LDAP
Server for users already in the cache, unless the cache has timed out.
Password Expires After — The number of days for which a user’s password is valid.


After this period has passed, the user must define a new password.

Note - This field does not apply to IKE pre-shared secrets and certificates, which do not
expire.

If a user’s password is modified using a tool other than the Check Point Account Management
Client, fw1pwdLastMod attribute is not updated, and the new password will expire on the day
the old one would have expired.
To specify that a password never expires, set Password Expires After to 0 (zero) days.

Example
Suppose that for user Alice, Days before Password Expires is 15. On January 1st, Alice
modifies her password using the Check Point Account Management Client. fw1pwdLastMod
is set to January 1st, so her password will expire on January 16th.
Suppose that on January 10th, Alice modifies her password again.
• If she uses the Check Point Account Management Client to modify her password, then:
• fw1pwdLastMod is changed to January 10th.
• Her new password is valid for 15 days from January 10th, and will expire on January
26th.
• If she uses a different LDAP Client to modify her password, then:
• fw1pwdLastMod is not changed, and is still January 1st.
• Her new password is valid for 15 days from January 1st, and will expire on January
16th.
When a user defined on an LDAP Account Unit enters a password, VPN-1/FireWall-1 checks
whether the password has expired. If the password has expired, the user is prompted to enter a
new password.
The new password must be different from the old one, and must also satisfy the following
conditions:
• minimum length
• minimum number of lowercase letters (a-z)
• minimum number of uppercase letters (A-Z)
• minimum number of symbols (non-letters and non-numbers)
• minimum number of digits (0-9)


The default values for these conditions are given in the objects.C file by the following
parameters (the default setting is in parentheses):

:props (
        :psswd_min_length (0)
        :psswd_min_num_of_lowercase (0)
        :psswd_min_num_of_uppercase (0)
        :psswd_min_num_of_symbols (0)
        :psswd_min_num_of_numbers (0)
)
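The expiry calculation from fw1pwdLastMod described above, together with the new-password conditions, as an added example that is not Check Point code. It follows the text: the expiry date is fw1pwdLastMod plus Password Expires After (0 means never), only the Check Point Account Management Client updates fw1pwdLastMod, and the psswd_* keys are the objects.C parameters just listed. The function names, the ISO date strings, the choice to treat the expiry date itself as already expired, the year 2002 in the Alice walk-through and the stricter SAMPLE_POLICY are assumptions made for this example.

```python
"""LDAP password expiry and new-password conditions (added example)."""
from datetime import date, timedelta
import string


def expiry_date(pwd_last_mod, password_expires_after_days):
    """Return the ISO date on which the password expires, or None if it never does."""
    if password_expires_after_days == 0:
        return None
    last_mod = date.fromisoformat(pwd_last_mod)
    return (last_mod + timedelta(days=password_expires_after_days)).isoformat()


def change_password(pwd_last_mod, today, via_account_management_client):
    """Return the fw1pwdLastMod value after a password change on `today`.

    Only the Check Point Account Management Client updates the attribute; any
    other LDAP client leaves it unchanged, so the old expiry date stands.
    """
    return today if via_account_management_client else pwd_last_mod


def is_expired(pwd_last_mod, password_expires_after_days, today):
    """True when the user must be prompted for a new password at login.
    Boundary (assumption): the password counts as expired on its expiry date."""
    expiry = expiry_date(pwd_last_mod, password_expires_after_days)
    return expiry is not None and today >= expiry  # ISO strings order by date


def alice_example():
    """The Alice walk-through from the text, with 2002 assumed as the year."""
    jan1, jan10, days = "2002-01-01", "2002-01-10", 15
    other_tool = change_password(jan1, jan10, False)
    return {
        "initial_expiry": expiry_date(jan1, days),
        "fw1pwdLastMod_after_client_change": change_password(jan1, jan10, True),
        "fw1pwdLastMod_after_other_tool_change": other_tool,
        "expiry_after_other_tool_change": expiry_date(other_tool, days),
    }


# objects.C defaults quoted above: every minimum is 0, so out of the box only
# "different from the old password" is enforced.
DEFAULT_POLICY = {
    "psswd_min_length": 0,
    "psswd_min_num_of_lowercase": 0,
    "psswd_min_num_of_uppercase": 0,
    "psswd_min_num_of_symbols": 0,
    "psswd_min_num_of_numbers": 0,
}

# Constructed stricter policy for the demonstration, not a Check Point default.
SAMPLE_POLICY = {
    "psswd_min_length": 8,
    "psswd_min_num_of_lowercase": 1,
    "psswd_min_num_of_uppercase": 1,
    "psswd_min_num_of_symbols": 1,
    "psswd_min_num_of_numbers": 1,
}


def password_violations(new, old, policy=DEFAULT_POLICY):
    """Return the conditions the new password fails; an empty list means accepted."""
    counts = {
        "psswd_min_length": len(new),
        "psswd_min_num_of_lowercase": sum(c in string.ascii_lowercase for c in new),
        "psswd_min_num_of_uppercase": sum(c in string.ascii_uppercase for c in new),
        # symbols are non-letters and non-numbers, as the text defines them
        "psswd_min_num_of_symbols":
            sum(c not in string.ascii_letters + string.digits for c in new),
        "psswd_min_num_of_numbers": sum(c in string.digits for c in new),
    }
    failed = [name for name, minimum in policy.items() if counts[name] < minimum]
    if new == old:
        failed.insert(0, "same_as_old")
    return failed


if __name__ == "__main__":
    print(alice_example())
    print(password_violations("abc", "abc", SAMPLE_POLICY))
```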

Allow Account Unit to Return — This field specifies the number of users that the Account
Unit may return in response to a single query.
Display user’s DN at login — If checked, then when an LDAP user logs in, his or her DN will
be displayed before he or she is prompted for a password.
This property is a useful diagnostic tool when there is more than one user with the same name
in an Account Unit. In this case, the first one is chosen and any others are ignored. If this
property is enabled, the user can verify that the correct entry is being used.

Note - A user can log in either with a user name or with a DN.

Connect Control

Servers Availability
Server availability check interval — The interval (in seconds) at which the VPN/FireWall
Module will ping a physical server to determine if it is available.
Server check retries — The number of consecutive times the server availability check must fail
in order that the VPN/FireWall Module will consider the physical server to be unavailable (and
will no longer direct connections to it).

Servers Persistency
Persistent server timeout — The length of time during which connections will be redirected
to the same physical server when Persistent server mode is enabled for a Logical Server in the
Logical Server Properties window (FIGURE 9-2 on page 323 of Check Point FireWall-1
Guide).

Server Load Balancing


Load Agents Port — the port on which the Load Measurement Agent communicates
The load agent uses UDP port 18212 by default.
Load Measurement Interval — the intervals at which the Load Measuring Agent measures the
load


For more information about these parameters, see “How Server Load Balancing Works” on page
320 of Check Point FireWall-1 Guide.

Open Security Extension (OSE) Access List


The OSE Access Lists page of the Global Properties window is similar to the Implied Rules
page (see “FireWall-1 Implied Rules” on page 276), but only options relevant for routers are
enabled.
Accept RIP — Accept Routing Information Protocol used by the routed application.
RIP maintains information about reachable systems and the routes to those systems.
Accept Domain Name Over UDP (Queries) — Accept Domain Name Queries used by named.
named resolves names by associating them with their IP address. If named does not know the
IP address associated with a particular host name, it issues a query to the name server on the
Internet. Enable UDP Replies must be enabled to receive the reply. Domain Name Queries
are issued as needed. Make sure this property is not overridden by rules in the Rule Base.
Accept Domain Name Over TCP (Zone Transfer) — Allow uploading of domain name-
resolving tables.
Tables of Internet host names and their associated IP addresses and other data can be uploaded
from designated servers on the Internet.
Accept ICMP requests — Accept Internet Control Messages.
ICMP (Internet Control Message Protocol) is used by IP for control messages (for example,
destination unreachable, source quench, route change) between systems.
The Accept ICMP requests property is set to Before Last to enable the user to define more
detailed ICMP related rules that will be enforced before this property. If this property were
First, then there would be no opportunity for the user to relate to ICMP in the Rule Base. If
it were Last, then it would be enforced after the last rule (which typically rejects all packets)
and would thus have no effect.
VPN-1/FireWall-1 maintains state information for ICMP. If Accept ICMP is enabled,
VPN-1/FireWall-1 does not allow ICMP replies after one minute has passed since the
corresponding ICMP request.
Enabling Accept ICMP does not enable ICMP Redirect. If you wish to enable ICMP Redirect,
you must do so in the Rule Base.

286 Check Point SmartCenter Guide • September 2002


Stateful Inspection

Note - The term “Stateful Inspection” means that packets are inspected in the context of
connections. The initial packet of a connection is inspected against the Rule Base. If the
connection is allowed, then the connection is added to an internal connection table, and
subsequent packets are checked against the connection table. A connection is removed
from the connection table when it terminates or times out. The use of the connection
table significantly speeds up packet processing.

Default Session Time-outs


TCP start timeout — A TCP connection will be timed out if the interval between the arrival
of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP
start timeout seconds.

TCP session timeout — The length of time an idle connection will remain in the
VPN-1/FireWall-1 connections table.
See “When a Security Policy is Installed” on page 346.
TCP end timeout — A TCP connection will be terminated only TCP end timeout seconds
after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST
packet.
This means that after a TCP connection has ended (has seen FIN packets or has been reset)
the VPN/FireWall Module will keep the connection in the connections table another TCP
end timeout seconds, to allow for any stray ACKs belonging to the connection that might
arrive late.

Virtual Session Time-outs

Virtual Sessions — VPN-1/FireWall-1 secures connectionless services using the concept of a
“virtual session,” creating a connection context for these services. Once the specified time has
elapsed, the communication is assumed to have ended and the reply channel is closed.
UDP virtual session timeout — Specifies the amount of time a UDP reply channel may
remain open without any packets being returned.

ICMP virtual session timeout — An ICMP virtual session will be considered to have timed out
after this time period.
Other IP Protocols virtual session timeout — A virtual session of services (which are not one
of the following: TCP, UDP, ICMP) will be considered to have timed out after this time period.

Stateful UDP
These properties define the defaults for UDP services that are not defined in the Services
Manager. For UDP services defined in the Services Manager, the properties are defined on a
per-service basis in the Advanced UDP Service Properties window (FIGURE 6-3 on
page 225).


Accept stateful UDP replies for unknown services — Specifies if UDP replies are to be
accepted.
To specify that no UDP replies will be accepted, uncheck Accept stateful UDP replies for
unknown services.

If Accept stateful UDP replies for unknown services is checked, then Accept stateful UDP
replies from any port for unknown services specifies from which ports to accept UDP
replies.
Accept stateful UDP replies from any port for unknown services — If checked, UDP
replies will be accepted from any port. Otherwise, UDP replies will be accepted only from the
port to which the original communication was sent.
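The connection table below is an added example, not Check Point's code, that applies the Default Session Time-outs and the Stateful UDP defaults described above to a sequence of timestamped packets: TCP start timeout bounds the handshake, TCP session timeout bounds an idle established connection, TCP end timeout keeps a FIN/RST-closed connection around for stray ACKs, and a UDP reply is matched to its virtual session either on the exact reverse tuple or, with the any-port option, from any source port on the server. The timeout values and the packet-flag encoding are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP only: any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


class ConnTable:
    """Connection table driven by the four timeouts (seconds; values assumed)."""

    def __init__(self, tcp_start=25, tcp_session=3600, tcp_end=20,
                 udp_timeout=40, udp_reply_any_port=False):
        self.t = {"start": tcp_start, "session": tcp_session,
                  "end": tcp_end, "udp": udp_timeout}
        # 'Accept stateful UDP replies from any port for unknown services'
        self.udp_reply_any_port = udp_reply_any_port
        self.table = {}  # (proto, src, sport, dst, dport) -> entry

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _expire(self, now):
        """Remove every entry whose timer has run out."""
        for key in [k for k, e in self.table.items() if e["expires"] <= now]:
            del self.table[key]

    def _lookup(self, p):
        """Find p's connection in either direction: (key, entry, is_reply)."""
        key = self._key(p)
        if key in self.table:
            return key, self.table[key], False
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.table:
            return rev, self.table[rev], True       # reply on the exact reverse tuple
        if p.proto == "udp" and self.udp_reply_any_port:
            for k, e in self.table.items():         # reply from the server, any source port
                if k[0] == "udp" and (k[1], k[2], k[3]) == (p.dst, p.dport, p.src):
                    return k, e, True
        return None, None, False

    def handle(self, now, p, rule_accepts):
        """Return 'accept' or 'drop' for packet p seen at time now.
        rule_accepts is the Rule Base decision; it is consulted only for a
        packet that opens a new connection."""
        self._expire(now)
        key, e, is_reply = self._lookup(p)
        if e is None:
            if not rule_accepts:
                return "drop"
            if p.proto == "tcp":
                if "S" not in p.flags or "A" in p.flags:
                    return "drop"  # out of state: a connection must open with a plain SYN
                self.table[self._key(p)] = {"state": "handshake", "fins": set(),
                                            "expires": now + self.t["start"]}
            else:
                self.table[self._key(p)] = {"state": "virtual", "fins": set(),
                                            "expires": now + self.t["udp"]}
            return "accept"
        if p.proto == "udp":
            e["expires"] = now + self.t["udp"]  # traffic keeps the virtual session open
            return "accept"
        # TCP state transitions
        if "R" in p.flags:
            e["state"], e["expires"] = "closing", now + self.t["end"]
        elif "F" in p.flags:
            e["fins"].add(is_reply)             # remember which direction sent its FIN
            if len(e["fins"]) == 2:             # FIN seen both ways: TCP end timeout starts
                e["state"], e["expires"] = "closing", now + self.t["end"]
        elif e["state"] == "handshake" and not is_reply and "A" in p.flags:
            e["state"] = "established"          # third packet of the handshake
            e["expires"] = now + self.t["session"]
        elif e["state"] == "established":
            e["expires"] = now + self.t["session"]  # idle timer restarts on traffic
        return "accept"
```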

Stateful ICMP
Stateful Inspection is always applied to ICMP packets, that is, an ICMP packet must be in the
context of an ICMP “virtual session,” or statefully matched to another TCP/UDP connection
(for example, ICMP errors). These properties relate to ICMP packets which refer to another
non-ICMP connection, (for example, to an ongoing TCP or UDP connection) that is allowed
by the Rule Base. In other words, these ICMP packets can be considered to be in the context
of the other connection.
Replies — Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
Errors — Accept ICMP error packets which refer to another non-ICMP connection (for
example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
This property does not include ICMP_redirect.
Note - The stateful ICMP mechanism will not allow ICMP error messages (such as Port
Unreachable, TTL expired in transit) resulting from unidirectional ICMP and “other”
services (services that are defined with Accept Replies disabled in the Advanced
window). To allow such ICMP errors, Accept Replies must be enabled.

Stateful Other IP Protocols


This property defines the default for Other Services (that is, services which are not one of the
following: TCP, UDP, ICMP) that are not defined in the Check Point Services Manager. For
Other Services defined in the Services Manager, the property is defined on a per-service basis
in the Advanced Other Services Properties window.
Accept stateful Other IP Protocol replies for unknown services — Accept reply packets for
other undefined services.

Out of State Packets

Drop out of state TCP packets — Drop TCP packets which are not consistent with the
current state of the TCP connection.
Log on drop — Generate a log entry when these packets are dropped.


Drop out of state UDP packets — Drop UDP packets which are not in the context of a
“virtual session” (see “Virtual Sessions” on page 287).
Log on drop — Generate a log entry when these packets are dropped.
Drop out of state ICMP packets — Drop ICMP packets which are not in the context of a
“virtual session” (see “Virtual Sessions” on page 287).
This parameter is always enabled.
Log on drop — Generate a log entry when these packets are dropped.

TCP Sequence Verifier

Drop out of sequence packets — Drop out-of-window TCP packets (that is, whose ACK or
SEQ numbers are out of sequence).
In a TCP connection, each side uses ACK and SEQ numbers to monitor a “sliding window,”
that is, the data that has been received and sent. Out of sequence ACK or SEQ numbers may, in
some cases, be evidence of an attack.
Log ... out of state packets — Select one of the following:
Suspicious — Log only those out of sequence packets that indicate either:
• an attack
• an asymmetric routing configuration error where some packets are not being routed
through the VPN/FireWall Module

Note - This setting is a useful method of detecting whether such routing configuration
errors are present.

Anomalous — Log only those out of sequence packets that can rarely occur in a valid
connection.
Every — Log all out of sequence packets.
Every includes Suspicious and Anomalous, as well as some harmless out of sequence
packets (for example, some retransmitted packets, which are accepted after their payload has
been cleared).
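The sliding-window check below is an added example, not Check Point's code. It tracks the next expected sequence number per direction, rejects an ACK that acknowledges bytes the peer never sent, distinguishes a harmless retransmission of already received data (logged only under Every) from a segment outside the window (logged under Suspicious), and handles 32-bit sequence wrap. The fixed window and the two-level mapping are this example's simplification: the text's Anomalous level rests on vendor criteria that are not modelled here.

```python
MOD = 2 ** 32


def seq_lt(a, b):
    """True if sequence number a comes before b, modulo 2**32 (wrap-safe)."""
    return 0 < (b - a) % MOD < MOD // 2


class SeqVerifier:
    """Per-connection sliding-window check for both directions of a TCP
    connection. next_seq[d] is the next byte expected in direction d; the
    window is a fixed assumption here, where the real verifier uses the window
    each peer advertises."""

    def __init__(self, client_isn, server_isn, window=65535):
        # a SYN consumes one sequence number, so data starts at ISN + 1
        self.next_seq = {"c2s": (client_isn + 1) % MOD,
                         "s2c": (server_isn + 1) % MOD}
        self.window = window

    def check(self, direction, seq, ack, length):
        """Classify one segment carrying `length` payload bytes.
        Returns 'in_window', 'retransmission' or 'out_of_window'."""
        other = "s2c" if direction == "c2s" else "c2s"
        expect = self.next_seq[direction]
        seq_end = (seq + length) % MOD
        # An ACK may never acknowledge bytes the peer has not sent yet.
        if seq_lt(self.next_seq[other], ack):
            return "out_of_window"
        if seq_lt(seq, expect):
            # Segment starts behind what has already been received.
            if seq_lt(seq, (expect - self.window) % MOD):
                return "out_of_window"          # more than a window behind
            if seq_lt(expect, seq_end):         # tail carries new bytes
                self.next_seq[direction] = seq_end
                return "in_window"
            return "retransmission"             # every byte was already received
        if seq_lt(seq, (expect + self.window) % MOD):
            if seq == expect and length:
                self.next_seq[direction] = seq_end
            return "in_window"                  # in order, or out of order inside the window
        return "out_of_window"                  # beyond the receive window


# Which verdicts each 'Log ... out of state packets' setting records (assumption:
# Suspicious covers the out-of-window segments, Every adds the harmless
# retransmissions; the Anomalous level is not modelled).
LOG_LEVELS = {
    "Suspicious": {"out_of_window"},
    "Every": {"out_of_window", "retransmission"},
}


def should_log(level, verdict):
    """True if a packet with this verdict is logged at the given setting."""
    return verdict in LOG_LEVELS[level]


if __name__ == "__main__":
    v = SeqVerifier(client_isn=1000, server_isn=5000)
    print(v.check("c2s", 1001, 5001, 100))     # in_window
    print(v.check("c2s", 1001, 5001, 100))     # retransmission
    print(v.check("c2s", 1101, 9999, 10))      # out_of_window: acks unsent bytes
```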

Log and Alert

Track Options
VPN successful key exchange — Specifies the action to be taken when VPN keys are
successfully exchanged.
VPN packet handling errors — Specifies the action to be taken when encryption or
decryption errors occur.


A log entry contains the action performed (Drop or Reject) and a short description of the
error cause, for example, scheme or method mismatch.
VPN configuration and key exchange errors — Specifies the action to be taken when VPN
configuration or key exchange errors occur, for example, when attempting to establish
encrypted communication with a network object inside the same encryption domain.
IP Options drop — Specifies the action to take when a packet with IP Options is encountered.
VPN-1/FireWall-1 always drops these packets, but you can log them or issue an alert.
Administrative notifications — Specifies the action to be taken when an administrative event
(for example, when a certificate is about to expire) occurs.
SLA violation — Specifies the action to be taken when an SLA violation occurs, as defined in
the Virtual Links window (see SmartView Monitor User Guide).

Connection matched by SAM — Specifies the action to be taken when a connection is
blocked by SAM (Suspicious Activities Monitoring).
For information about SAM, see http://www.opsec.com.
Dynamic object resolution failure — Specifies the action to be taken when a dynamic object
cannot be resolved (see “dynamic_objects” on page 789).

Logging Modifiers
Log Established TCP packets — This option controls logging TCP packets for previously
established TCP connections, or packets whose connections have timed out (see “TCP session
timeout” on page 394).
Log every authenticated HTTP connection — Specifies that a log entry should be generated
for every authenticated HTTP connection.
Unify FTP Control and Data logs — Specifies that log entries for the control and data
connections of an FTP session should be unified.

Time Settings
Excessive log grace period — Specifies the minimum amount of time between consecutive
logs of similar packets.
Two packets are considered similar if they have the same source address, source port,
destination address, and destination port; and the same protocol was used. After the first
packet, similar packets encountered within the grace period will be acted upon according to
the Security Policy, but only the first packet generates a log entry or an alert.
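The suppression logic the grace period implies, as an added example rather than Check Point's code: a log entry is keyed on the 5-tuple the text uses to define “similar” packets, and a repeat within the grace period is still enforced by the policy but produces no log entry or alert. The grace value and the sample events are this example's assumptions.

```python
class LogGrace:
    """Suppresses log entries for packets 'similar' to one already logged
    within the grace period. Similarity is the 5-tuple from the text: source
    address, source port, destination address, destination port and protocol.
    The default grace value is this example's assumption, in seconds."""

    def __init__(self, grace_seconds=62):
        self.grace = grace_seconds
        self.last_logged = {}  # 5-tuple -> time of the last log entry

    def should_log(self, now, src, sport, dst, dport, proto):
        """True if a log entry (or alert) is generated for this packet.
        The packet itself is still matched and acted on by the policy."""
        key = (src, sport, dst, dport, proto)
        last = self.last_logged.get(key)
        if last is not None and now - last < self.grace:
            return False
        self.last_logged[key] = now
        return True

    def purge(self, now):
        """Forget entries older than the grace period so the table stays bounded;
        returns how many were removed."""
        stale = [k for k, t in self.last_logged.items() if now - t >= self.grace]
        for k in stale:
            del self.last_logged[k]
        return len(stale)


def logged_events(events, grace_seconds=62):
    """Apply the grace period to (time, src, sport, dst, dport, proto) tuples
    and return the indexes of the events that produce a log entry."""
    grace = LogGrace(grace_seconds)
    return [i for i, (t, *pkt) in enumerate(events) if grace.should_log(t, *pkt)]


# Constructed sample: one source socket repeatedly hitting a closed telnet
# port every 10 seconds, plus one packet from a different source.
SAMPLE_EVENTS = [
    (0,  "10.1.1.5", 40000, "192.0.2.10", 23, "tcp"),
    (10, "10.1.1.5", 40000, "192.0.2.10", 23, "tcp"),
    (20, "10.1.1.5", 40000, "192.0.2.10", 23, "tcp"),
    (25, "10.1.1.9", 51000, "192.0.2.10", 23, "tcp"),  # different source: logged
    (70, "10.1.1.5", 40000, "192.0.2.10", 23, "tcp"),  # grace expired: logged again
]

if __name__ == "__main__":
    print("events that produce a log entry:", logged_events(SAMPLE_EVENTS))
```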
Log Manager resolving timeout — After this amount of time, display the log page without
resolving names and show only IP addresses.
Virtual Link statistics interval — Specify the frequency with which Virtual Link statistics will
be logged.


This parameter is relevant only for Virtual Links defined with Log E2E statistics enabled in the
SLA Parameters tab of the Virtual Link window (see the SmartView Monitor User Guide).

Status Fetching Interval — Specifies the frequency at which the SmartCenter Server queries
the VPN/FireWall, FloodGate and other Modules it manages for status information. Any value
from 30 to 900 seconds can be entered in this field.
Community default rule — Specifies whether connections between VPN Community
members, which are accepted by default, are to be logged.

Alert Commands
Send popup alert to System Status — Specifies that when an alert is issued, it is also sent to
System Status.
Run popup alert script — Specifies the OS script to be executed when an alert is issued.
It is recommended not to change this command, otherwise you may not become aware of the
condition that caused the alert.
See “On Which Machine Are the Alert Scripts Executed?” on page 292 for more information.
Send mail alert to System Status — Specifies that when a mail alert is issued, it is also sent to
System Status.
Mail alert script — Specifies the OS script to be executed when Mail is specified as the Track
in a rule.
The default is internal_send_mail, which is not a script but an internal VPN-1/FireWall-1
command. Its syntax is described below.

internal_send_mail [-s subject] -t mailserver [-f sender_email] recipient_email [recipient_email ...]

internal_send_mail cannot be run from the OS command line.

Its options are listed in TABLE 7-2.

TABLE 7-2 internal_send_mail options

parameter         meaning
-s subject        The subject of the mail message is specified by subject.
-t mailserver     mailserver is the system mail server.
-f sender_email   The email address of the sender.
recipient_email   The email address of the recipient. At least one recipient must be specified.

You can specify commands other than the default. See “On Which Machine Are the Alert
Scripts Executed?” on page 292 for more information.


Send SNMP trap alert to System Status — Specifies that when an SNMP trap alert is issued, it
is also sent to System Status.
SNMP trap alert command — Specifies the OS script to be executed when SNMP Trap is
specified as the Track in a rule.
The default is internal_snmp_trap, which is not a script but an internal VPN-1/FireWall-1
command.
You can specify commands other than the default. See “On Which Machine Are the Alert
Scripts Executed?” on page 292 for more information.
Send user defined alert no. 1 to System Status — Specifies that when an alert is issued, it is
also sent to System Status.
Run user defined alert script no. 1 — Specifies the OS script to be executed when
User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as
one of the Track Options below.
Send User defined alert no. 2 to System Status — Specifies that when a user defined alert no.
2 is issued, it is also sent to System Status.
Run user defined alert script no. 2 — Specifies the OS script to be executed when User
Defined Alert no. 2 is selected as one of the Track Options below.
Send User defined alert no. 3 to System Status — Specifies that when a user defined alert no.
3 is issued, it is also sent to System Status.
Run user defined alert script no. 3 — Specifies the OS script to be executed when User
Defined Alert no. 3 is selected as one of the Track Options below.
See “On Which Machine Are the Alert Scripts Executed?” on page 292 for more information.
Send 4.x alert to System Status — Specifies that when an alert is issued on a Version 4.x
Module, it is also sent to System Status.
Run 4.x alert no. 3 script — Specifies the OS script to be executed when an alert is
issued on a Version 4.x Module.

On Which Machine Are the Alert Scripts Executed?


Alert scripts are executed by the alertd process running on the machine on which the Log File
is written. The default is the Management Server, but logs can be directed to other machines.
If logs are being sent to more than one machine, then each alertd process will execute the alert
command. So, for example, two SNMP traps may be executed for the same log entry.
A message describing the event that triggered the alert is available in the command’s stdin for
all the alert commands.

Extranet Management Interface


FIGURE 7-1 Extranet Management Interface page — Global Properties window


For information about extranets, see Check Point Virtual Private Networks.

SmartDashboard Customization
Create Check Point installed Gateways using — Select the mode to use when you define a
new gateway.
Select either simple mode (the gateway wizard will be used) or classic mode (specify all the
parameters in the different pages of the gateway's Properties window).
VPN Topological view

Specify the number of Community members from which the VPN Topological view should
display an icon instead of a full mesh — When a large number of community members are
displayed in a full mesh view, it can be difficult to understand the diagram. In this case, you may
prefer to display an icon instead.
Policy Installation

When installing a Policy or Users Database, you can choose whether All Modules or None of
the Modules are checked by default in the Install On window.

Revision Control

Create new version upon Policy Installation — Create a new version of the Policy whenever
the Policy is installed.



CHAPTER 8

Security Policy Rule Base

In This Chapter

What is a Policy Package? page 295
Rule Base — Basic Concepts page 295
Editing a Policy Package page 297
Masking Rules page 318
Querying the Rule Base page 321
Disabling Rules page 330
Installing and Uninstalling Policies page 331
Installing Access Lists page 342
Boot Security page 345
Auxiliary Connections page 345
When a Security Policy is Installed page 346

What is a Policy Package?


A Policy Package is a set of policies that you install on the SmartDashboard. For more
information on what a policy consists of, see “Rule Base — Basic Concepts” on page 295.
For information on how to define a Policy Package, see “Editing a Policy Package” on page
297.

Rule Base — Basic Concepts


A VPN-1/FireWall-1 Policy consists of network objects, users, services, properties and a Rule
Base.


Each rule in a Rule Base defines the packets that match the rule (based on Source, Destination
and Service and the Time at which the packet is inspected by the FireWall or Inspection
Module enforcing the rule). The first rule that matches a packet is applied, and the specified
Action is taken. The communication may be logged or an alert may be issued, depending on the
value of the Track field.
VPN-1/FireWall-1 follows the principle “That Which Is Not Expressly Permitted is
Prohibited.” To enforce this principle, VPN-1/FireWall-1 implicitly adds a rule at the end of the
Rule Base that drops all communication attempts not described by the other rules.
FIGURE 8-1 SmartDashboard window with Rule Base

The SmartDashboard window’s title shows the name of the Security Policy currently displayed.
Depending on your license (the VPN-1/FireWall-1 features your SmartCenter Server is licensed
to implement), you may see a number of tabs in the SmartDashboard window:
• Security — The Security Policy Rule Base is described in this chapter.
• Address Translation — The Address Translation Rule Base is described in Chapter 2,
“Network Address Translation (NAT)” of Check Point FireWall-1 Guide.
• QoS — The Quality of Service Policy is described in the book Check Point FloodGate-1
Administration.
• Desktop Security — The Desktop Security Policy is described in the book Check Point
Virtual Private Networks Guide.
Because rules are examined sequentially for each packet, only packets not described by the
earlier rules are examined by the implicit rule. However, if you rely on the implicit rule to drop
these packets, there is no way to log them. To log these packets, you must explicitly define a
“none of the above” rule, as follows:
FIGURE 8-2 “None of the Above” Rule


If you do not explicitly define such a rule, VPN-1/FireWall-1 will implicitly define one for you,
and the packets will be dropped. In no case will VPN-1/FireWall-1 allow these packets to pass.
The advantage of defining such a rule explicitly is that you can then specify logging for these
packets.
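A first-match evaluator, added here as an example and not Check Point's code, makes the point concrete: without a match the implicit rule drops the packet and nothing is logged, whereas an explicit “none of the above” rule with Track set to Log drops the same packet and records it. It also applies the all-or-nothing cell negation described later in this chapter under Modifying a Rule. The network objects, services and rules are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


def in_object(value, obj):
    """True if value (an address or service name) is covered by obj: 'Any',
    a group (tuple of objects), a network in CIDR form, or a single name/address."""
    if obj == ANY:
        return True
    if isinstance(obj, tuple):
        return any(in_object(value, o) for o in obj)
    if "/" in obj:
        return ipaddress.ip_address(value) in ipaddress.ip_network(obj)
    return value == obj


@dataclass
class Cell:
    """One Rule Base cell. With negate=True every object in the cell is negated
    together: the rule applies only when the value is none of them."""
    objects: tuple
    negate: bool = False

    def matches(self, value):
        hit = any(in_object(value, o) for o in self.objects)
        return (not hit) if self.negate else hit


@dataclass
class Rule:
    source: Cell
    destination: Cell
    service: Cell
    action: str          # "accept", "drop" or "reject"
    track: str = "None"  # "None", "Log" or "Alert"
    comment: str = ""


@dataclass
class Verdict:
    rule_no: Optional[int]   # None when the implicit rule applied
    action: str
    logged: bool


def evaluate(rules, src, dst, service):
    """The first matching rule wins. With no match the implicit rule drops the
    packet, and it has no Track field, so nothing is logged."""
    for number, rule in enumerate(rules, start=1):
        if (rule.source.matches(src) and rule.destination.matches(dst)
                and rule.service.matches(service)):
            return Verdict(number, rule.action, rule.track != "None")
    return Verdict(None, "drop", False)


# Constructed sample objects and rules (not from the guide).
INTERNAL_NET = "10.0.0.0/8"
DMZ_WEB = "192.0.2.10"

RULES = [
    Rule(Cell((INTERNAL_NET,)), Cell((DMZ_WEB,)), Cell(("http",)),
         "accept", "Log", "internal users to the web server"),
    Rule(Cell((INTERNAL_NET,), negate=True), Cell((DMZ_WEB,)), Cell(("http", "https")),
         "accept", "Log", "everyone except internal: web only"),
]
CLEANUP_RULE = Rule(Cell((ANY,)), Cell((ANY,)), Cell((ANY,)),
                    "drop", "Log", "none of the above: same drop, now logged")

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.2.3", DMZ_WEB, "ssh"))                  # implicit drop, unlogged
    print(evaluate(RULES + [CLEANUP_RULE], "10.1.2.3", DMZ_WEB, "ssh"))  # rule 3 drop, logged
```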
Note - It’s best to organize lists of objects (sources, destinations, or services) in groups
rather than in long lists. Using groups will give you a better overview of your Security
Policy and will lead to a more readable Rule Base. In addition, objects added to groups
will be automatically included in the rules.

Logged events are recorded in the Log File. For information about the Log File, see Chapter 11,
“SmartView Tracker.” Alerts and important system events are automatically recorded in the Log
File, even when not explicitly requested by the user.

Editing a Policy Package

Opening a Policy Package


1 If the policy package you wish to open is not the one currently displayed, choose Open
from the File menu. The following window appears (see FIGURE 8-3).
FIGURE 8-3 Open Policy Package window

2 Select the desired policy package and click Open. The Policy Editor opens displaying the
Policy Package you selected.

Creating a New Policy Package


1 To create a new policy package, choose New from the File menu. The window that appears
depends on the VPN configuration mode you selected on the VPN-1 page in the Global
Properties window (see “Global Properties” on page 275).

If you selected Simplified mode to all new Security Policies or Traditional mode to all
new Security Policies, the following window appears (FIGURE 8-4).


FIGURE 8-4 Create a new Policy Package

If you selected Traditional or Simplified mode per new Security Policy, the following
window appears (FIGURE 8-5).
FIGURE 8-5 Use either Simplified or Traditional mode

2 Enter the name of the Policy Package. The Policy Package name cannot:
• contain any reserved words
• contain any spaces
• contain numbers at the beginning
• contain any of the following characters: %, #, ', &, *, !, @, ?, <, >, /, \, :
• end with any of the following suffixes: .w, .pf, .W


3 Select the policy types you want included in the Policy Package.
If you selected Traditional or Simplified mode per new Security Policy on the VPN-1
page in the Global Properties window, you can choose which VPN configuration mode
you want to use (see FIGURE 8-5). For a description of Traditional and Simplified modes,
see Chapter 7, “VPN Communities” in Check Point Virtual Private Networks.
4 Click OK to select the installation target and the modules you want added to the Policy
Package.
5 Select the Modules you want to add to the Policy Package. You can either:
• Select All internal modules to add all the internal Modules to the Policy Package.
• Select Specific modules to add specific modules to the Policy Package. Select the
desired modules by using the Add and Remove buttons to move them between the two
lists. You can also move multiple fields by making multiple selections.
6 Click OK to create the Policy Package. The number of tabs that appear in the
SmartDashboard depends on the number of policy types you chose to include in the Policy
Package.

Deleting a Policy Package


You can choose to delete either an entire Policy Package, that is, all the policies included in the
Policy Package, or only specific policies.
1 To delete a Policy Package, choose Delete from the File menu.
Entire policy package named: — Delete a Policy Package and all its policies. Select the
Policy Package that you would like to delete from the drop-down list.
The following policies from the current Policy Package — Delete specific policies from
the current Policy Package.
2 Click OK to delete the Policy Package.

Saving a Policy Package


When you save a Policy Package (by choosing Save from the File menu), you save all the
changes you made in the active Policy Package.
When you choose Save As from the File menu, you save the selected Rule Base from the active
Policy Package as a new Policy Package.

To save the selected Rule Base as a new Policy Package, proceed as follows:
1 Select the Rule Base you want to save as a new Policy Package.
2 Choose Save As from the File menu. The following window appears.
The title bar displays the Rule Base you chose to save as a new Policy Package.
3 Enter the name of the new Policy Package.


4 Click OK. A new Policy Package containing only the selected Rule Base is created.

Adding a Rule
You can add a rule at any point in the Rule Base.

TABLE 8-1 Adding a Rule

To add a rule                                  Select from menu            Toolbar Button
after the last rule                            Rules > Add Rule > Bottom
before the first rule                          Rules > Add Rule > Top
after the current rule                         Rules > Add Rule > After
before the current rule                        Rules > Add Rule > Before
to the current rule (for QoS policies only!)   Rules > Add Sub-Rule

Note - The current rule is the one that is highlighted. To select a rule, click its number.

A new rule will be added to the Rule Base, and default values will appear in all the data fields.
You can modify the default values as needed.
Alternatively, right-click the rule’s number to display the Rule menu.


Rule menu
TABLE 8-2 Rule menu items SmartDashboard

Menu Item           Action
Insert Rule Above   Insert a rule above the current rule.
Add Rule Below      Add a rule below the current rule.
Delete Rule         Delete the current rule.
Copy Rule           Copy the current rule to the clipboard.
Cut Rule            Delete the current rule and put it on the clipboard.
Paste Rule          Paste the rule on the clipboard (a menu will be displayed where you can
                    specify whether to paste the rule before or after the current rule).
Hide Rule           Hide the current rule (see “Masking Rules” on page 318).
Disable Rule        Disable the current rule (see “Disabling Rules” on page 330).
Select All Rules
Show                Show the selected item in the SmartMap.
Query Column        Open the Rule Base Query Clause window (FIGURE 8-16 on page 322).
Clear Query         Unhide all rules (see “Masking Rules” on page 318).

Modifying a Rule
To modify a rule, add, modify, or delete data field values until the rule is as desired.
Right-click in the data field to open the SmartDashboard Object menu.
The choices displayed in the menu depend on the field in which you right-clicked.

TABLE 8-3 Modifying Network Objects

for a description of how to modify...   see
Source                                  “Source” on page 302
Destination                             “Destination” on page 304
Service                                 “Service” on page 305
Action                                  “Action” on page 306
Track                                   “Track” on page 308
Install On                              “Install On” on page 309
Time                                    “Time” on page 312
Comments                                “Comments” on page 312

Items in the Source, Destination, Services, Install On and Time data fields are not exclusive.
When you select one of these items, open the menu of that option. Choose the desired option:
Add, Delete, Negate (Negate is not available for Install On).

Note - You can view the properties of a network object or service object by double-
clicking on its icon.

Source
Add — The Network Objects window is displayed, from which you can select network objects
to add to the rule’s Source.
You can define any number of items in Source.

Add Users Access — The Users Access window (FIGURE 8-6) is displayed, from which you
can select user group(s) to add to the rule’s Source.
FIGURE 8-6 User Access window


You must choose Add Users Access for a rule whose Action is one of the following:

• Client Authentication
• Session Authentication
• User Authentication
• Client Encryption (SecuRemote)

1 Choose one of the user groups.
2 Make the appropriate choice under Location.

If you check No Restriction, then there will be no restriction on the source of the users.
For example, if you choose AllUsers and check No Restriction, then AllUsers@Any will
be inserted under Source in the rule.
If you check Restrict To, then the source will be restricted to the network object you select
in the list box. For example, in FIGURE 8-6, the source object in the rule will be
AllUsers@Area_Servers.

3 Click OK.

Add Extranet Groups — Add an Extranet group or groups to the Source.

For information about Extranet groups, see Chapter 13, “Extranet Management” of Check
Point Virtual Private Networks Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Source. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Source.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Source will be negated. Negation means that the rule applies
when the communication’s Source is not one of the Source objects in the rule.
When more than one object is listed under Source, it is not possible to negate some but not
others. Either all are negated or none are negated.
Select All —

Cut — Delete the selected object and put it on the clipboard.
You must first select one of the objects already defined under Source.


Copy — Copy the selected object to the clipboard.
You must first select one of the objects already defined under Source.

Paste — Paste the object on the clipboard in the rule’s Source.

Show — Show the selected item in the SmartMap.

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Destination
Add — The Object Manager window is displayed, from which you can select network objects
to add to the rule’s Destination.
You can define any number of items in Destination.

Add Extranet Groups — Add an Extranet group or groups to the Destination.

For information about Extranet groups, see Chapter 13, “Extranet Management” of Check
Point Virtual Private Networks Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Destination. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Destination.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Destination will be negated. Negation means that the rule
applies when the communication’s Destination is not one of the Destination objects in the
rule.
When more than one object is listed under Destination, it is not possible to negate some but
not others. Either all are negated or none are negated.
Select All —

Cut — Delete the selected object and put it on the clipboard.
You must first select one of the objects already defined under Destination.


Copy — Copy the selected object to the clipboard.
You must first select one of the objects already defined under Destination.

Paste — Paste the object on the clipboard in the rule’s Destination.

Show — Show the selected item in the SmartMap.

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Service
Add — The Add Object window is displayed, from which you can select services to add to the
rule’s Services.
You can define any number of items in Services in the rule.

Note - Some services must be explicitly defined in the rule, otherwise they will not
function properly. For more information, see “Auxiliary Connections” on page 345.

Add With Resource — Add a resource.
The Services with Resource window (FIGURE 8-7) is displayed.
FIGURE 8-7 Services with Resource window

For additional information about resources, see “Content Security” on page 227 of Check
Point FireWall-1 Guide.
Edit — Edit the selected object.


You must first select one of the objects already defined under Service. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Service.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Service will be negated. Negation means that the rule applies
when the communication’s Service is not one of the services in the rule.
When more than one object is listed under Service, it is not possible to negate some but not
others. Either all are negated or none are negated.
Select All —

Cut — Delete the selected object and put it on the clipboard.
You must first select one of the objects already defined under Service.

Copy — Copy the selected object to the clipboard.
You must first select one of the objects already defined under Service.

Paste — Paste the object on the clipboard in the rule’s Service.

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Action
You can only select one Action.

Edit Properties — Edit the properties of the rule’s Action.

This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and opens the appropriate Authentication Action Properties window
(see Chapter 3, “Authentication” of Check Point FireWall-1 Guide).
If you wish to modify the Encryption parameters of a rule to which Encryption has been
added, select Edit Encryption from the menu rather than Edit Properties.
Add Encryption — Add Encryption to the Action for this rule.


This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and to which Encryption has not already been added. An envelope
icon is superimposed on the existing Action icon in the rule.
You can modify the Encryption parameters by displaying the menu again and selecting Edit
Encryption.

For additional information about VPN-1/FireWall-1’s encryption features, see Check Point
Virtual Private Networks Guide.
Remove Encryption — Remove Encryption from the Action for this rule.
This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and to which Encryption has already been added. The envelope icon
is removed from the existing Action icon in the rule.
Edit Encryption — Edit this rule’s Encryption parameters.
This choice is available for a rule whose existing Action is Encrypt, and for a rule whose
existing Action is User Authentication, Client or Session Authentication, and to which
Encryption has already been added. The Encryption Properties window is displayed.
For additional information about the Encryption Properties window, see “Rule Encryption
Properties” on page 101 of Check Point Virtual Private Networks Guide.
TABLE 8-4 lists the choices available from the Action menu.

TABLE 8-4 Action Menu

Action — Meaning
Accept — Accept the connection.
Reject — Reject the connection.
Drop — Drop the connection; do not notify the sender.
User Authentication — Invoke User Authentication for this connection.
Client Authentication — Invoke Client Authentication for this connection.
Session Authentication — Invoke Session Authentication for this connection.
Encrypt — Encrypt outgoing packets. Accept incoming encrypted packets and decrypt them.
Client Encryption — Accept only SecuRemote communications.


When a Drop action is taken, the sender is not notified. TABLE 8-5 describes what happens
when a Reject action is taken.

TABLE 8-5 Difference between Reject and Drop

Service — Reject
TCP — The sender is notified.
UDP — Sends an ICMP port unreachable error to the sender.
Other — Same as Drop.

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Track

TABLE 8-6 Track Menu

Track Meaning
None — no logging or alerting for this connection

Log — Log the connection.

Account — Log in Accounting format.

Alert — Issue an alert (as defined in the PopUp Alert Command field
in the Log and Alert page of the Global Properties window — see
Chapter 7, “Global Properties”).
Mail — Send a mail alert (as defined in the Mail Alert Command
field in the Log and Alert page of the Global Properties window —
see Chapter 7, “Global Properties”).
SNMP Trap — Issue an SNMP trap (as defined in the Snmp Trap
Alert Command field in the Log and Alert page of the Global
Properties window — see Chapter 7, “Global Properties”).
User Defined — Issue a User Defined Alert (as defined in the User
Defined Alert Command field in the Log and Alert page of the
Global Properties window — see Chapter 7, “Global Properties”).

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.


Clear Query — Clear the query and display (unhide) all the rules.

Install On
Add — The Install On field specifies which objects will enforce the rule. You can select any
number of Install On objects.
Delete — Delete the selected object.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Show — Show the selected item in the SmartMap.
Viable Install On Targets — Open the Viable Install On Targets window, in which you can
select the target machines on which to enforce this rule.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Note - The entire Policy is installed on all of the Install On objects, but each object
enforces only that part of the Policy which is relevant to it.

Warning - For a Security Policy, if an Install On object does not enforce at least one rule,
then the only rule it enforces is the default rule, which rejects all communications.

TABLE 8-7 Install On Menu

Install On Meaning
Gateway — Enforce on all network objects defined as gateways.

Embedded Devices — Enforce on all embedded devices.

Targets — Enforce on the specified target object(s) only, in the inbound and outbound
(either bound) directions.
Destination — Enforce in the inbound direction on the FireWalled network objects defined as
Destination (typically servers) in this rule.
Source — Enforce in the outbound direction on the FireWalled network objects defined as
Source (typically clients — initiators of traffic) in this rule.
OSE Devices — Enforce on all OSE devices.

Adding Targets to the Install On Path


To add any number of Targets to the Install On column, proceed as follows:
1 Select a gateway in the Install On column.
2 Right-click the selected gateway.
A menu is displayed.
3 Select Viable Install On Targets from the right-click menu.
The Viable Install On Targets window is displayed. In this window, Install On List displays
a list of Install On targets, that is, the targets on which enforcing this rule would have
meaning.
For example, if a rule applies to traffic that does not pass through a specific Module, then
enforcing the rule on that Module would not have any effect.
Properties — Show the properties of the selected target.
The gateway’s Properties window is displayed.
Show — Show the selected target in the SmartMap View.

Note - Any object or group of objects selected in the Viable Install On Targets window
to be shown in the SmartMap View, will only be displayed if it is an Install On object or
from an Install On group.

Select a target and click OK to add the target to the Install On column.

Gateways
If you specify Gateways, the rule is enforced on all the hosts that are defined as gateways (on
the General page of the network object’s Properties window). The rule is enforced in both the
inbound and outbound directions.


Source
If you specify Source, the rule is enforced on the FireWalled network objects specified under
Source in that rule. The icon for Source shows arrows pointing away from the object, to
indicate that the rule is enforced for outgoing communications only.
For example, consider the following rule:

Source Destination Services Action Track Install On

mailsrvr,london Any Any Accept Log Src

The rule is enforced only on london, because mailsrvr is not FireWalled. However, the rule is
applied to communications originating either on mailsrvr or london.

Destination
If you specify Destination, the rule is enforced on the FireWalled network objects specified
under Destination in that rule. The icon for Destination shows arrows pointing to the object,
to indicate that the rule is enforced for incoming communications only.

Routers
If you specify OSE Devices, the rule is enforced on the appropriate interfaces on all routers,
using VPN-1/FireWall-1’s auto-scoping feature. For example, a rule specifying Source as
localnet is enforced on the device’s localnet interface. VPN-1/FireWall-1 generates an Access
List for the router (except for Nortel Networks routers on which VPN/FireWall Module is
installed, in which case a Security Policy is installed). It should be noted that with Access Lists
only a subset of VPN/FireWall Module functionality can be implemented. For example, it is not
possible to secure FTP back connections.

Targets
If you specify an object by name, then the rule is enforced for both incoming and outgoing
communications (either bound).

TABLE 8-8 Rule Enforcement Directions

Install On Enforced on Packets in this Direction


Gateways inbound and outbound (either bound)
Destination inbound
Source outbound
Specific Target inbound and outbound (either bound)


Time
Add — The Time Objects window is displayed, from which you can select time objects to add
to the rule’s Time.
You can define any number of items in Time.

Edit — Edit the selected object.


You must first select one of the objects already defined under Time. The appropriate window
is opened (depending on the type of the selected object), and you can change the object’s
properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Time.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Comments
To add a comment to a rule, double-click the Comment field to open the Comment window.
Type any text you wish in the text box and click OK.

Note - In this window, a carriage return is not interpreted as clicking on OK, so there can
be more than one line in a comment.

Edit — Edit the selected comment.


Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.


Copying, Cutting and Pasting Rules


To copy, cut or paste, select a rule or rules by selecting their numbers.

TABLE 8-9 Copying, Cutting and Pasting Rules

Action — Select from menu — Toolbar Button
Cut — Edit > Cut — (toolbar icon)
Copy — Edit > Copy — (toolbar icon)
Paste — Edit > Paste — (toolbar icon)

If you choose Paste, then the Paste menu will be opened. You must then select Above, Below,
Top, or Bottom to specify where in the Rule Base to paste the rule.

Deleting a Rule
1 To delete a rule, select a rule or rules by selecting their numbers.
2 Right-click the desired Rule base and click Delete.

Completing the Rule Base

Verifying and Viewing the Security Policy


When you have defined the desired rules, open the Policy menu and select Verify to perform a
heuristic check on the Rule Base. Verification will check that the rules are consistent and that
no rule is redundant. If a Rule Base fails the verification, an appropriate message will appear.
To view the INSPECT code before installing the Security Policy, open the Policy menu and
select View. Verification is automatically performed every time you view the Rule Base, and
before the Security Policy is installed.

“Silently” Dropping a Service


It is common practice for the last rule in a Rule Base to reject packets that fail to match any of
the preceding rules and to log these rejections. If you would like to “silently” drop a specific
service or group of services, add a rule (before the last rule) that drops the service(s) without
logging.

Installing and Enforcing


Installing a Security Policy consists of generating an Inspection Script from the rule base and
properties, compiling the Inspection Script to generate Inspection Code, and installing the
Inspection Code on all the network objects specified in the Install On window.


The Install On window specifies the network object on which the Security Policy is installed.
In contrast, the Install On column in the SmartDashboard specifies the network object that is to
enforce a specific rule.
In principle, the Security Policy should be installed on all the network objects which are to
enforce it. However, VPN-1/FireWall-1 will allow you to not install the Security Policy on one
or more of the objects that are to enforce it. This capability is useful for debugging purposes,
but in all other cases you should take care to correctly deploy your Security Policy.
If you fail to install a Security Policy on a network object on which it should be installed, the
VPN/FireWall Module will improperly monitor traffic through that object. If you install a
Security Policy on a network object that does not enforce any part of that policy, the
VPN/FireWall Module will block all traffic through that object (because only the implicit drop
rule will be applied). See “Rule Base — Basic Concepts” on page 295.

Inspection Scripts and Inspection Code


The rules that comprise a Security Policy are stored in an ASCII file named
$FWDIR/conf/rule_base.W. Manually editing this file affects the GUI representation of
rules and properties.
An Inspection Script (named $FWDIR/conf/rule_name.pf) is generated from the Security Policy
(Rule Base, objects database and Global Properties). An Inspection Script can be viewed and
even manually edited, but editing an Inspection Script does not affect the GUI representation of
rules and properties. On the other hand, it does affect the Inspection Code compiled from the
Inspection Script and thus introduces inconsistencies between the GUI representation and the
Inspection Code. For this reason, directly editing an Inspection Script should be avoided. If you
edit the $FWDIR/lib/*.def files instead, you will avoid these inconsistencies.
Inspection Code (named $FWDIR/temp/rule_base.fc) is compiled from an Inspection Script. It
is this Inspection Code that is installed on network objects and used by the VPN/FireWall
Module to enforce a Security Policy.


FIGURE 8-8 VPN-1/FireWall-1 Inspection Components - flow of information
[Figure not reproduced in text. Labels shown: Management Server: VPN-1/FireWall-1 Security
Policy, Inspection Script, Text Editor, INSPECT Compiler, Inspection Code. VPN/FireWall
Module: Inspection Code, Inspection Module, VPN-1/FireWall-1 daemons.]

When a Security Policy is installed on a network object, the object receives the entire Inspection
Code but executes only those rules with matching scope. If there are no rules with matching
scope, the VPN/FireWall Module will drop all traffic, by the default rule (“That Which Is Not
Expressly Permitted is Prohibited”). Installing what is essentially an empty Security Policy (no
rules with matching scope) effectively bars all traffic.

Rule Authentication Properties


If User Authentication, Client Authentication, Session Authentication or Client Encryption
is specified as a rule’s Action, the rule’s properties are specified in the Authenticate Action
Properties window.

To display the Authenticate Action Properties window, right-click the Action field in the rule
and choose Edit Properties from the menu.


FIGURE 8-9 Authenticate Action Properties window for a User Authentication Rule

TABLE 8-10 Authenticate Action Properties window

For information about the Authenticate Action Properties window for... — See...
User Authentication rules — “User Authentication” on page 126 of Check Point FireWall-1 Guide
Session Authentication rules — “Session Authentication” on page 162 of Check Point FireWall-1 Guide
Client Authentication rules — “Client Authentication” on page 173 of Check Point FireWall-1 Guide
Client Encryption rules — Chapter 1, “VPN-1 SecuRemote Server” of Check Point Desktop Security Guide

Encryption Properties
If Encrypt is specified as a rule's Action, the Encryption Properties window (FIGURE 8-10)
defines the rule’s encryption properties.
To display the Encryption Properties window, double click the rule’s Encrypt action.


FIGURE 8-10 Encryption Properties window

For information about the Encryption Properties window, see “Rule Encryption Properties”
on page 101 of Check Point Virtual Private Networks Guide.

Interaction between Rule Base and Implied Rules (Properties)


A Security Policy is defined not only by the Rule Base, but also by parameters specified in the
FireWall-1 Implied Rules page of the Global Properties window. These parameters enable the
user to control all aspects of a packet’s inspection, while at the same time freeing the user of the
need to specify repetitive detail in the Rule Base.
Packets are matched in the following sequential order:
1 The anti-spoofing rules are applied.
2 Checked properties in the FireWall-1 Implied Rules page of the Global Properties
window labeled First are matched first. If a property is not checked, then it is not included
in the Security Policy.
3 Rules are matched according to their order in the Rule Base, except for the last rule in the
Rule Base.
4 Properties in the FireWall-1 Implied Rules page of the Global Properties window labeled
Before Last are matched after all but the last rule in the Rule Base.

5 The last rule in the Rule Base is matched.


6 The property in the FireWall-1 Implied Rules page of the Global Properties window
labeled Last is matched.
7 The implicit drop rule is matched.
In the Rule Base, the principle of “That Which Is Not Expressly Permitted is Prohibited”
applies. For example, if the Rule Base does not expressly permit ICMP traffic, then ICMP
traffic will be dropped.
However, if Accept ICMP Requests in the FireWall-1 Implied Rules page of the Global
Properties window is checked, and Last is not selected for the property, then ICMP traffic will
be permitted.
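The matching order above, worked through in code. This is an added illustration, not Check Point code and not the INSPECT language: it models anti-spoofing as a per-interface set of legitimate sources, an explicit Rule Base whose last rule is a cleanup drop, and the Accept ICMP Requests property placed First or Last, and shows why the position of an implied rule relative to the last rule decides whether ICMP is accepted or dropped. All object names, interfaces and the policy itself are constructed for the example.

```python
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src: str        # symbolic source object, e.g. "localnet" or "internet" (constructed)
    dst: str
    service: str    # e.g. "http", "icmp"
    in_iface: str   # interface the packet arrived on


@dataclass
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    service: frozenset
    action: str     # "accept" or "drop" (Reject matches like Drop; only the reply differs)

    def matches(self, pkt: Packet) -> bool:
        return (_cell_matches(self.src, pkt.src)
                and _cell_matches(self.dst, pkt.dst)
                and _cell_matches(self.service, pkt.service))


def _cell_matches(cell: frozenset, value: str) -> bool:
    return ANY in cell or value in cell


@dataclass
class ImpliedRule:
    """A property from the FireWall-1 Implied Rules page and its position."""
    rule: Rule
    position: str   # "First", "Before Last" or "Last"
    checked: bool = True   # an unchecked property is not part of the policy


def match_order(explicit, implied):
    """Sequence in which rules are tried (steps 2 to 6 of the text)."""
    def implied_at(position):
        return [i.rule for i in implied if i.checked and i.position == position]
    return (implied_at("First")
            + explicit[:-1]             # all explicit rules except the last
            + implied_at("Before Last")
            + explicit[-1:]             # the last explicit rule
            + implied_at("Last"))


def evaluate(pkt, explicit, implied, antispoof):
    """Return (action, rule name) for pkt.

    antispoof maps an interface to the sources legitimately seen on it
    (step 1); anything else is dropped before any rule is consulted.
    Step 7, the implicit drop, applies when nothing matched.
    """
    legitimate = antispoof.get(pkt.in_iface)
    if legitimate is not None and pkt.src not in legitimate:
        return ("drop", "anti-spoofing")
    for rule in match_order(explicit, implied):
        if rule.matches(pkt):
            return (rule.action, rule.name)
    return ("drop", "implicit drop")


def R(name, src, dst, service, action):
    """Shorthand for a single-object-per-cell rule."""
    return Rule(name, frozenset([src]), frozenset([dst]), frozenset([service]), action)


def demo_matching_order():
    """Constructed policy: one explicit accept, a cleanup drop as last rule,
    and the 'Accept ICMP Requests' property placed First, Last or unchecked."""
    explicit = [
        R("rule 1", "localnet", ANY, "http", "accept"),
        R("cleanup", ANY, ANY, ANY, "drop"),
    ]
    icmp = R("Accept ICMP Requests", ANY, ANY, "icmp", "accept")
    antispoof = {"eth0": {"localnet"}, "eth1": {"internet"}}   # constructed topology
    icmp_pkt = Packet("internet", "webserver", "icmp", "eth1")
    return {
        "http": evaluate(Packet("localnet", "webserver", "http", "eth0"),
                         explicit, [ImpliedRule(icmp, "First")], antispoof),
        "icmp_first": evaluate(icmp_pkt, explicit, [ImpliedRule(icmp, "First")], antispoof),
        "icmp_last": evaluate(icmp_pkt, explicit, [ImpliedRule(icmp, "Last")], antispoof),
        "icmp_unchecked": evaluate(icmp_pkt, explicit,
                                   [ImpliedRule(icmp, "First", checked=False)], antispoof),
        # localnet address arriving on the external interface: step 1 drops it
        "spoofed": evaluate(Packet("localnet", "webserver", "http", "eth1"),
                            explicit, [ImpliedRule(icmp, "First")], antispoof),
    }


if __name__ == "__main__":
    for case, result in demo_matching_order().items():
        print(case, result)
```

With the property at First, ICMP is accepted before any explicit rule is consulted; at Last it is never reached, because the cleanup rule (the last explicit rule) already matched everything, which is exactly the case the paragraph above describes.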


The settings in the FireWall-1 Implied Rules page of the Global Properties window are
translated into macros and compiled in the Inspection Code.

Implied Rules
You can see how the properties and rules interact by checking Implied Rules in the View menu.
The explicit rules (those you have defined) will be displayed together with the implicit rules
(those derived from the properties) in the correct sequence (see FIGURE 8-11).
FIGURE 8-11 SmartDashboard showing implied rules

The numbered rules are those you have explicitly defined. The implicit rules are not numbered.
For additional information about Properties, see Chapter 7, “Global Properties.”

Masking Rules
You can view only part of the Rule Base by hiding rules you do not want to see. This feature is
useful when you have a large complex Rule Base and you want to view only a few of the rules
without being distracted by other rules. Hidden rules remain part of the Rule Base and are
installed when the Security Policy is installed.

Hiding Rules
To hide a rule, proceed as follows:
1 Select the rule by clicking on its number.


2 Select Hide from the Rules menu.


The Hide submenu is displayed.
3 Select Hide.

The rule is now hidden, but it is still part of the Rule Base and will be installed when the
Security Policy is installed.
Alternatively, right-click the rule number to open the Rule menu and select Hide Rule.

Viewing Hidden Rules


If View Hidden in the Hide submenu is checked, then all the hidden rules are displayed in the
Rule Base together with the other rules. Hidden rules are colored differently from other rules,
making it easy to identify them so that you can unhide them.
If View Hidden is not checked, the hidden rules are not displayed. A thick colored horizontal
line indicates the presence of hidden rules.
FIGURE 8-12 Rule Base with a hidden rule not displayed
[Figure callout: the thick horizontal line indicates that there is a hidden rule here that is
not being displayed.]

In FIGURE 8-12, there is a hidden rule between rules 2 and 4. The gap in the numbering
indicates how many rules are hidden.
Whether they are displayed or not, hidden rules are installed when the Security Policy is
installed.

Unhiding Hidden Rules


To unhide all the hidden rules, select Unhide All from the Hide submenu.


Managing Hidden Rules

Defining a Mask
Consider the Rule Base in FIGURE 8-13 below.
FIGURE 8-13 Rule Base before defining masks

Suppose that you want to hide all the FTP rules. You can do this as follows:
1 Select the first FTP rule (rule 3).
2 Hide the selected rule as described in “Hiding Rules” on page 318.
3 Select the second FTP rule (rule 5).
4 Hide this rule as well.
The Rule Base now looks like this (FIGURE 8-14):
FIGURE 8-14 Rule Base with FTP rules (rules 3 and 5) hidden

5 Select Hide from the Rules menu.


The Hide submenu is displayed.


6 Select Manage Hidden from the Hide submenu. The Manage Hidden Rules window is
displayed.
7 Click Store As. The Store Mask As window is displayed.
8 Enter a name for the mask.
9 Select Hide from the Rules menu.
10 Select Unhide All from the Hide submenu.
The hidden rules are unhidden and the Rule Base once again is displayed as in FIGURE 8-13
on page 320.

Reapplying a Mask
You can now reapply the FTPRules mask and in one action hide all the FTP rules as follows:
1 Select Hide from the Rules menu.
2 Select Manage Hidden from the Hide submenu.
The Manage Hidden Rules window is displayed.
3 Select the stored mask (FTPRules).
4 Click Fetch.

The rules are once again hidden.

Applying Masks
You can apply masks one after another using the Fetch command in the Manage Hidden Rules
window. When you apply a mask, any other mask that is currently applied is first “unapplied”.
So, for example, if you apply the FTPRules mask, the FTP rules are hidden. If you then apply
the HTTPRules mask, the FTP rules are unhidden and the HTTP rules are hidden.

Querying the Rule Base


You can query the Rule Base and display only the rules that satisfy the criteria specified in the
query, hiding all the other rules.

Example
Consider once again the Rule Base depicted in FIGURE 8-13 on page 320. Suppose that you
want to display only rules whose Source includes localnet.
1 From the Search menu, select Query Rules.

The Rule Base Queries window is displayed, showing all the defined queries (in this case
there are none).
For a detailed explanation of the Rule Base Queries window, see “Rule Base Queries
window” on page 327.


2 Click New. The Rule Base Query window (FIGURE 8-15) is displayed.
FIGURE 8-15 Rule Base Query window

For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
3 Enter a name for the query in Name.

4 Click New.

The Rule Base Query Clause window (FIGURE 8-16) is displayed.


FIGURE 8-16 Rule Base Query Clause window

For a detailed explanation of the Rule Base Query Clause window, see “Rule Base Query
Clause window” on page 329.
5 Check Explicit.


This specifies that only rules in which localnet explicitly appears (in contrast to rules where
localnet is a member of a group explicitly appearing in the rule) will be considered as satisfying
the query.
6 In Column, select source.

This is the default.


7 In the Not In List box, select localnet.
8 Click Add.

localnet is moved to the In List box.


9 Click OK.

The Rule Base Query window (FIGURE 8-17 on page 323) is displayed, and the query clause
just defined is listed.
FIGURE 8-17 Rule Base Query window showing one query clause

10 Click OK.

The Rule Base Queries window (FIGURE 8-18) is displayed, and the query just defined is
listed.


FIGURE 8-18 Rule Base Queries window showing one query

11 Click Apply.

The query is used as a mask for hiding the rules that do not satisfy the query criteria. The
Rule Base is displayed as in FIGURE 8-19.
FIGURE 8-19 Rule Base after being masked by the query

The only rules that are displayed (that is, the only rules that are not hidden), are those whose
Source includes localnet.

Note that the Rule Base Queries window is still open, allowing you to continue to define or
use additional queries.
12 Click Close to close the Rule Base Queries window.

Refining the Query


Suppose that you want to refine the query so that the only rules displayed are those that satisfy
the following criteria:
• Source includes localnet
• Service includes FTP


There are two ways to do this:


• Modify the query (by adding an additional clause) to specify both of the above criteria
(see “To Modify the Query” below).
• Define a new query that specifies only the second criterion and apply both queries, one
after the other (see “To Define a New Query” on page 326).

To Modify the Query


1 In the Rule Base Queries window (FIGURE 8-18), select the query.
2 Click Edit.

3 In the Rule Base Query window (FIGURE 8-17), click New.

4 The Rule Base Query Clause window (FIGURE 8-16) is displayed.


5 In Column, select services.

6 In the Not In List box, select FTP.


7 Click Add.

FTP is moved to the In List box.


8 Click OK.

The Rule Base Query window (FIGURE 8-20) is displayed, and both query clauses are listed.
FIGURE 8-20 Rule Base Query window showing two query clauses

9 Click OK.

The Rule Base Queries window (FIGURE 8-18) is displayed.


10 Click Apply.


The modified query is used as a mask for hiding the rules that do not satisfy the query criteria.
The Rule Base is displayed as in FIGURE 8-21.
FIGURE 8-21 Rule Base after being masked by the modified query

To Define a New Query


1 In the Rule Base Queries window (FIGURE 8-18), click New.

2 In the Rule Base Query window (FIGURE 8-17), enter a name for the query in Name.

3 Click New.

The Rule Base Query Clause window (FIGURE 8-16) is displayed.


4 In Column, select services.

5 In the Not In List box, select FTP.


6 Click Add.

FTP is moved to the In List box.


FIGURE 8-22 shows the Rule Base Query Clause window with the FTP service selected.
FIGURE 8-22 Rule Base Query Clause window showing FTP selected

7 Click OK.

8 In the Rule Base Query window, click OK.

9 In the Rule Base Queries window, select the query just defined.


10 Click And.

The newly defined query is applied in addition to the previous query, and the result is shown
in FIGURE 8-21 on page 326.

Rule Base Queries window


The Rule Base Queries window lists all the defined queries, and allows you to add, edit, delete,
and apply queries.
FIGURE 8-23 Rule Base Queries window

New — Add a new query.


The Rule Base Query window (FIGURE 8-24 on page 328) is displayed.
Edit — Edit the selected query.
The Rule Base Query window (FIGURE 8-24 on page 328) is displayed.
Remove — Delete the selected query.
And — Apply the selected query as a mask, ANDing it with any masks currently applied.
The selected query is intersected with the current view. If another query is currently applied,
only rules that match both queries are displayed.
Or — Unify the selected query with the current view. If another query is currently applied,
rules that match either query are displayed.
Close — Close the Rule Base Queries window.
Apply — Apply the selected query.
This has the same effect as And if a query is selected. Double-clicking on a query is equivalent
to clicking on Apply.


Clear all — Unhide all rules.

Rule Base Query window


FIGURE 8-24 Rule Base Query window

Name — Enter the query’s name.


Negate Query — The query is understood to be the negation of all its clauses.
For example, if the query specifies that Source is localnet, then the negated query specifies
that Source is not localnet.
Operation On Criteria — Select one of the choices.
• And — the query’s clauses are ANDed together
• Or — the query’s clauses are ORed together
For example, suppose one query clause specifies that Source is localnet and another query
clause specifies that Service is FTP. Then:
• If you select And, then the query specifies (Source is localnet) AND (Service is FTP).
• If you select Or, then the query specifies (Source is localnet) OR (Service is FTP).

If Negate Query is checked, then the meaning of And and Or is:


• If you select And, then the query specifies NOT ((Source is localnet) AND (Service is
FTP)).
• If you select Or, then the query specifies NOT ((Source is localnet) OR (Service is
FTP)).
New — Define a new query clause.
The Rule Base Query Clause window (FIGURE 8-25 on page 329) is displayed.
Edit — Edit the currently selected query clause.


The Rule Base Query Clause window (FIGURE 8-25 on page 329) is displayed.
Remove — Delete the currently selected query clause.

Rule Base Query Clause window


FIGURE 8-25 Rule Base Query Clause window

Column — Select a Rule Base column.


Not in List — objects not included in the query.
In List — objects included in the query clause.
To add an object to the query clause, click the object in the Not in List box, and then click
Add.

To remove an object from the query clause, click the object in the In List box, and then click
Remove.

Negate — If you check this box, then the criteria specified in the query clause are negated.
For example, if the query clause specifies Service is FTP, then if you check Negate, the clause
is taken to specify “NOT (Service is FTP)”.
Explicit — If checked, only rules that explicitly include the object satisfy the criteria.
If the rule includes a group of which the object is a member, then the rule does not satisfy the
criteria. Also, if the rule includes an object which is a member of a group specified in the
criteria, then the rule does not satisfy the criteria.
For example, the standard VPN-1/FireWall-1 service definitions include a group named
“Authenticated”, of which FTP and HTTP are members. If Explicit is checked, then a rule
does not satisfy the criteria in the following two cases:
• The query clause specifies Authenticated and the rule includes FTP.
• The query clause specifies FTP and the rule includes Authenticated.
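The And/Or, Negate Query, Negate and Explicit semantics described above, as an added Python illustration (not Check Point code). The rule base, the service group named Authenticated and the column names are constructed samples; apply_query returns the numbers of the rules that remain visible, the others being hidden.

```python
from dataclasses import dataclass

# Constructed service groups; "Authenticated" mirrors the group named in the text.
GROUPS = {"Authenticated": {"FTP", "HTTP"}}


def expand(name):
    """Concrete members of an object: itself, or every (nested) member if it is a group."""
    if name not in GROUPS:
        return {name}
    members = set()
    for member in GROUPS[name]:
        members |= expand(member)
    return members


def expand_all(names):
    members = set()
    for name in names:
        members |= expand(name)
    return members


@dataclass
class Rule:
    number: int
    columns: dict   # Rule Base column name -> set of object names in that cell


@dataclass
class Clause:
    column: str
    in_list: set            # the objects moved into "In List"
    negate: bool = False    # clause-level Negate check box
    explicit: bool = False  # Explicit check box

    def matches(self, rule):
        cell = rule.columns.get(self.column, set())
        if self.explicit:
            # Only a rule that names the object itself qualifies; group
            # membership in either direction does not count.
            hit = bool(cell & self.in_list)
        else:
            # Clause "Authenticated" matches a rule listing FTP, and clause
            # "FTP" matches a rule listing Authenticated.
            hit = bool(expand_all(cell) & expand_all(self.in_list))
        return not hit if self.negate else hit


@dataclass
class Query:
    clauses: list
    operation: str = "And"      # Operation On Criteria: "And" or "Or"
    negate_query: bool = False  # Negate Query check box

    def matches(self, rule):
        results = [clause.matches(rule) for clause in self.clauses]
        combined = all(results) if self.operation == "And" else any(results)
        return not combined if self.negate_query else combined


def apply_query(rules, query):
    """Numbers of the rules that stay visible; rules that do not match are hidden."""
    return [rule.number for rule in rules if query.matches(rule)]


# Constructed sample Rule Base.
SAMPLE_RULES = [
    Rule(1, {"Source": {"localnet"}, "Service": {"FTP"}}),
    Rule(2, {"Source": {"localnet"}, "Service": {"Authenticated"}}),
    Rule(3, {"Source": {"Any"}, "Service": {"HTTP"}}),
    Rule(4, {"Source": {"dmz"}, "Service": {"FTP"}}),
]
```

With these samples, the And query (Source is localnet, Service is FTP) leaves rules 1 and 2 visible, rule 2 only through the Authenticated group; checking Explicit on the Service clause hides rule 2 again.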


To Clear a Query
1 Select Clear Query from the Search menu.
You are prompted to Unhide all Hidden Rules.
2 Click Yes to proceed.
The Query is cleared.

Disabling Rules
When you disable a rule, the rule is no longer part of the Rule Base and is not installed when
the Security Policy is installed. However, the rule is still displayed in the Rule Base, and you can
re-enable it at any time.
This feature is useful for experimenting with the Rule Base. For example, you can disable a rule
(or rules), install the Security Policy, analyze the effects of the new Security Policy and then re-
enable the rule without having to re-enter it.
To disable a rule, select the rule by clicking on its number and then select Disable Rule from
the Edit menu.
When a rule is disabled, a large red cross is drawn over its rule number.
To enable a disabled rule, select the rule and then select Disable Rule from the Edit menu.
Alternatively, right-click the rule number to open the Rule menu ( on page 301) and select
Disable Rule.

FIGURE 8-26 shows a Rule Base with two rules (rule 1 and rule 3) disabled.
FIGURE 8-26 Rule Base with rule 1 and rule 3 disabled

Searching the Rule Base


To search for any string in the Rule Base, proceed as follows:
1 Select Find in Rule Base from the Search menu.
The Find window is displayed, see FIGURE 8-27.


FIGURE 8-27 The Find window

2 Enter the string for which you would like to search in the Find what field.
Check Match whole word only to find the string exactly as it is specified in the Find
window.
Check Match case to make your search case sensitive.
Use the Up and Down buttons to choose the direction of your search.
Use the Find next button to continue your search of the Rule Base.

Installing and Uninstalling Policies

Installing Security Policies


Installing the Security Policy does the following:
• performs heuristic verification on rules, and checks that rules are consistent and that every
rule does something
• confirms that each of the Install On objects enforces some part of the Rule Base
If an Install On object does not enforce at least one Security Policy rule, then the only rule it
enforces is the default rule, which rejects all communications.
• converts the Security Policy to an Inspection Script and compiles the Inspection Script to
generate Inspection Code
• distributes the Inspection Code to the selected targets
• distributes the User and Encryption databases to the selected target hosts
VPN-1/FireWall-1 issues a warning if there is an inconsistency in the Rule Base or if there is a
rule that does nothing.
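A small verifier in the spirit of the checks listed above, added here as an illustration and not the SmartCenter Server's own verification code. It flags a rule that does nothing because an earlier rule already matches every connection it could match on the same targets, and an Install On object that enforces no rule and would therefore be left with only the default rule. Matching is simplified to exact object names plus Any, with no groups; the rules and target names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    source: frozenset
    destination: frozenset
    service: frozenset
    action: str
    install_on: frozenset   # "Gateways" stands for every installation target


def fs(*names):
    return frozenset(names)


def covers(outer, inner):
    """True if everything matched by inner is also matched by outer ("Any" matches all)."""
    return "Any" in outer or inner <= outer


def target_covers(outer, inner):
    return "Gateways" in outer or inner <= outer


def shadowed_by(earlier, later):
    """First match wins, so a later rule whose cells are all covered by an earlier rule
    installed on the same targets can never match anything."""
    cells = ("source", "destination", "service")
    return (all(covers(getattr(earlier, c), getattr(later, c)) for c in cells)
            and target_covers(earlier.install_on, later.install_on))


def find_useless_rules(rules):
    """(rule number, number of the earlier rule that shadows it) for rules that do nothing."""
    useless = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadowed_by(earlier, later):
                useless.append((later.number, earlier.number))
                break
    return useless


def targets_enforcing_nothing(rules, targets):
    """Install On objects that appear in no rule; they would get only the default rule."""
    enforcing = set()
    for rule in rules:
        enforcing |= set(targets) if "Gateways" in rule.install_on else set(rule.install_on)
    return sorted(set(targets) - enforcing)


def verify(rules, targets):
    """Warnings in the style of the install-time verification described in the text."""
    warnings = []
    for later, earlier in find_useless_rules(rules):
        warnings.append(f"rule {later} does nothing: rule {earlier} already matches all its connections")
    for target in targets_enforcing_nothing(rules, targets):
        warnings.append(f"{target} enforces no rule and will enforce only the default rule (reject all)")
    return warnings


# Constructed sample: rule 2 is a catch-all on gw-a and gw-b, so rules 3 and 4 can never match,
# and gw-c is named by no rule at all.
SAMPLE_TARGETS = ["gw-a", "gw-b", "gw-c"]
SAMPLE_RULES = [
    Rule(1, fs("localnet"), fs("Any"), fs("HTTP"), "Accept", fs("gw-a")),
    Rule(2, fs("Any"), fs("Any"), fs("Any"), "Reject", fs("gw-a", "gw-b")),
    Rule(3, fs("localnet"), fs("dmz"), fs("FTP"), "Accept", fs("gw-a")),
    Rule(4, fs("dmz"), fs("Any"), fs("Any"), "Accept", fs("gw-b")),
]
```

Real verification also has to account for groups, negated cells and address ranges; the point of the example is the two classes of warning, not the matching engine.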

Installing Access Lists


Installing a Security Policy means downloading it to the network objects (Check Point Modules
and routers) which will enforce it. Except in the case of routers, there must be a VPN/FireWall
Module running on the object which is receiving the Security Policy.
When installing Access Lists (ACLs) to a router, the router must be accessible and you must have
permission to install the Access List. Installing Access Lists on Cisco routers can be done as
follows:


Access List download by a Telnet session


By default, the Open Security Extension (OSE) devices use this supported Cisco Access List
download. Using a Telnet session, each Access List statement, or rule, is sent individually from
the VPN/FireWall to the router. This, however, can be time consuming especially for large
Access Lists which can contain potentially thousands of rules.

Access List download using a TFTP server


Using this option reduces the time necessary to install Access Lists on Cisco routers. This
method is supported by all Cisco routers that support a TFTP ACL download.
By default, it is not enabled in the VPN/FireWall module. To do so, proceed as follows:
1) Set the environment variable as follows:

ACL_TFTP_DOWNLOAD (setenv ACL_TFTP_DOWNLOAD 1)

When enabled, the OSE device creates all Access Lists statements on a TFTP server, and then
downloads the entire Access List to the router.
2) For Unix platforms, perform the following:
a. Uncomment the tftpd declaration in /etc/inetd.conf

b. Add the router IP address to /rhosts

c. Create a /tftpboot directory as the TFTP root directory on the partition fw1 is
installed on.
3) For Windows NT platforms, perform the following:
Create a /tftpboot directory as the TFTP root directory on the partition fw1 is installed on.
Note - There is no standard TFTP server. Refer to your Windows NT TFTP Server manual for
complete instructions.
A TFTP server installation and configuration is not part of fw1 install, but rather must be done
separately by the user. The TFTP server must reside on the SmartCenter Server. Any standard TFTP
server will support an ACL download.

Warning - TFTP does not include login or access control mechanisms. Security
considerations must be taken into account when granting rights to a TFTP server process
in order to prevent violation of the security of the server’s host file system. TFTP is often
installed whereby only files that have public read access are available via TFTP and write
access to files via TFTP is not allowed. The VPN-1/Firewall-1 Security Policy must be
defined to allow TFTP connectivity between the SmartCenter Server and router only.

See the documentation for your router on how to define the appropriate permissions.

Installing Other Policies


Other Policies are verified and then installed in the same way that a Security Policy is installed.


A NAT Policy is installed together with the Security Policy. QoS and Desktop Security Policies
can be installed independently.
You can select the elements of the Policy to be installed in the Install Policy window (FIGURE
8-28).

Installing the Security Policy

To install the Policy


1 Choose Install from the Policy menu. The Install Policy window (FIGURE 8-28) is
displayed.
FIGURE 8-28 Install Policy window

2 Select the objects on which to install the Policy, and the elements of the Policy (Security,
QoS, Desktop Security) to install.

Note - The NAT Policy is installed together with the Security Policy.

You can do one of the following:


• Click Clear All to uncheck all the objects in the list
• Click Select All to select all the objects in the list.
• Click Select Targets to select some of the objects in the list. The following window
appears:


FIGURE 8-29 Select installation target for Policy Package

3 Select the Modules you want to add to the Policy Package. You can either:
• Select All internal modules to add all the internal Modules to the Policy Package.
-or-
• Select Specific modules to add specific modules to the Policy Package. Select the
desired modules by using the Add and Remove buttons to move them between the two
lists. You can also move multiple fields by making multiple selections.
4 Select an installation mode. The SmartCenter Server will attempt to install the Security
Policy on all the selected Modules. This option enables you to specify what to do if the
Security Policy installation is unsuccessful for one or more of the selected Modules. Choose
one of the following:
Install on each selected Module independently — Failure to successfully install the
Security Policy on one or more of the Modules has no effect on the other Modules. If you
choose this option, then it is possible that different Policies will be enforced on different
Modules.
Install on all selected Modules — The Policy will either be installed on all the selected
Modules, or it will be installed on none of them. If you choose this option, then all
Modules will be enforcing the same Policy (either the new Policy or the old Policy).
Note - Policy installation on pre-Version NG Modules is independent of installation on
Version NG and later Modules, and vice versa. For example, if Install on all selected
Modules is checked, then a Policy installation failure on a pre-NG Module will not affect
Policy installation on NG Modules, but the Policy will not be installed on other pre-NG
Modules.
Install on all the members of the selected Gateway Clusters — This option is similar to
Install on all selected Modules, but relates to each selected Gateway Cluster.


5 Click OK to install the Security Policy on all Modules. A window showing installation
progress is displayed.
FIGURE 8-30 Installation Process window

The installation process has two stages, as shown in the Progress bar:
• Verification
• Installation

See the following table for a description of the fields in this window:

Field                  Description
Installation Targets   The Module on which you want to install the policy.
Version                The Module version.
Security               The element of the Policy (Security, QoS, Desktop Security) you
                       chose to install in the Install Policy window (see FIGURE 8-28).
                       A column appears for each element you chose.
                       This field contains the element’s installation status at any
                       given moment. For a description of the available statuses,
                       click Legend.


Once the installation process is finished, the Progress bar turns into a final status display.
The available final installation statuses are:
• Installation completed successfully — The installation was successfully completed.
• Installation ended with errors — The installation of at least one of the Policy
elements failed.
• Installation completed with warnings — The installation was completed successfully
but contains warnings that should be checked out.
• Installation aborted — The Abort button was clicked during an installation and
therefore the installation was not completed.

Note - Click the Abort button to stop an installation that is in progress. The Abort button
only appears during the installation process.

Viewing Error and Warning Details


You can view the details describing the errors/warnings that occurred during the verification
and installation processes.

To view error and warning details


1 In the Installation Process window (see FIGURE 8-30), click Show Errors/Warnings.

Note - The Show Errors/Warnings button only appears if the installation ended with
errors or warnings. If the installation was completed successfully, the button does not
appear at all.

The following window appears.


FIGURE 8-31 Viewing verification and installation errors

Note - This window can be opened from the beginning of the installation process
enabling you to see any errors/warnings that might occur throughout the process.


In this window, you can view the errors that occurred during the verification and installation
process. See the following table for a description of the fields in this window:

Field                                        Description
Verification and Policy Compilation Errors   The element of the Policy (Security, QoS,
                                             Desktop Security) you chose to install in the
                                             Install Policy window.
    Status                                   Status of the verification process at any
                                             given time. Click Legend for a description of
                                             the available statuses.
    Details                                  Reason why the verification process failed or
                                             ended with warnings.
Installation Errors
    Installation Targets                     The Module on which you installed the policy.
    Policy                                   The element of the Policy (Security, QoS,
                                             Desktop Security) you chose to install in the
                                             Install Policy window.
    Details                                  Reason why the installation failed or ended
                                             with warnings.

2 Double-click a row
-or-
Highlight the desired row and click View Details.
A window appears enabling you to conveniently view all the details of that row in a more
readable form.

Updating the List of Verification and Installation Errors


When you open the Verification and Installation Errors window (see FIGURE 8-31), you see
the errors/warnings that were encountered up to that moment.
To update the list of errors/warnings as new ones are being added, click the Refresh button.

Uninstalling the Security Policy


Choose UnInstall from the Policy menu to uninstall the Security Policy from the selected hosts. The
Install Policy window (FIGURE 8-28 on page 333) is then displayed.
When a Policy is uninstalled, the Module loses its state and existing connections may fail.


Connection Persistence during a new Policy installation


FireWall-1 provides the best combination between security and connectivity, thereby
maintaining maximum connectivity without compromising security.
In FireWall-1 Stateful Inspection, a packet is matched against the Security Policy Rule Base only
when a new connection is established.
If the Action for a matched connection is Accept, then an entry is created in the connections
table so all future packets that belong to this connection are accepted without referring to the
Policy.
When a new Policy is installed, existing connections are marked as "old" (with a few exceptions
as described later).
When a new packet that belongs to an "old" connection is encountered, it is matched against
the Policy. If the Policy match result is Accept, the entry will revert back to a normal state and
the connection will continue uninterrupted. If the result is Drop or Reject then the packet is
dropped and the connection entry is deleted from the table.

Considerations and Restrictions

First packet direction


Each connection has two peers; the client and the server. The client initiates the connection to
the server.
When a new connection is established, the first packet is from the client to server and this is
what is matched against the Policy.
If the first packet arrives from the server side, and it does not belong to an established TCP
connection, the receiving host will silently discard this packet. UDP, ICMP and other (not TCP)
packets are dropped since there is no way to guarantee these are valid packets that belong to the
connection.

Data connections
Data connections are connections that are dynamically created within an existing control
connection, for example FTP. The initial control connection is used only for sending
commands; actual file transfers are done by new connections.
These auxiliary connections will be accepted and connectivity will not be affected. Data
connections cannot usually be inferred from the Policy, as they are created according to the flow
of the control protocol.
By default, when loading a new Policy, FireWall-1 deletes all the data connections entries from
the table as they are likely to get the wrong results if a Policy match for a data connection packet
is attempted.
It is possible to modify this default behavior and treat data connections like regular ones as there
are cases where the regular and control distinction is not needed (for example with a "ANY
ANY ANY accept") Policy.


It is also possible to define that all data connections will be kept without the "old" flag. This
poses a clear connectivity advantage but also some security risk.

Security Servers
Connections that are passed through the Security Servers continue and are not matched against
the new Policy.

IP Pool NAT
If the new Policy contains a new IP pool with different source or destination addresses than the
old one, any connections that were NATed using the old IP pool will be deleted.

Configuring connection Persistence


See “Check Point window — Connection Persistence page” on page 201.

Installing a VPN-1\FireWall-1 From a Previous Database Version


Use the fwm load command. For details, see chapter 18, “Command Line Interface” on
page 559.

Notes on Installing and Uninstalling Policies


The following issues relate to a configuration consisting of:
• a SmartCenter Server that is also a VPN/FireWall Module
• another VPN/FireWall Module
1) If the VPN/FireWall Module on the SmartCenter Server does not have a Policy installed,
and you install a Policy on both Modules simultaneously, the installation on the Server’s
Module may show a “session timeout” error. This can be ignored.
2) When a Policy on the remote Module is uninstalled, the connection may hang because the
Module loses its state (see “Installing the Security Policy” above). To avoid this problem,
first install the Policy on the Server’s Module and then install the Policy on the remote
Module.

Retrieving a Policy
To retrieve a policy installed on another VPN/FireWall Module, select the VPN/FireWall
Module from the list in Security Policies on Targets. The policy (including all the objects
defined at the time the policy was installed) will be retrieved, and you will be able to view the
policy in read-only mode. You will not be able to modify the policy.


Viewing the Inspection Script


To view the Inspection Script, choose View from the Policy menu. While viewing the text of
the Inspection Script, you can save it to a file (on the server) by using the File menu. You can
then edit the file and use the command-line interface from the server to load it in the
VPN/FireWall Module. The Inspection Script is automatically verified when you load it for
viewing.
For additional information about the INSPECT language, see the SecureKnowledge database at
http://support.checkpoint.com/kb/.
FIGURE 8-32 View Inspection Script Text

Inspection Code Loading


When you install or uninstall a Security Policy from the GUI (by choosing Install or UnInstall
from the Policy menu), the VPN-1/FireWall-1 SmartCenter Server runs the fw command with
the load or unload argument (see “fwm load” on page 556 and “fwm unload” on page 558 for
more information).
You can modify this behavior so that choosing Install or UnInstall from the Policy menu runs
a program or shell script (batch file) of your choice. For example, to run bigapple, define the
attribute :load_program(<batch file name>) at the highest level of
$FWDIR/conf/objects_5_0.C:

load_program (“bigapple”)

bigapple will be run with the same parameters that fw would have received (where the first
argument is either load or unload; see “When fwm load and fwm unload are Run From the
GUI” on page 557). It is then your responsibility to ensure that bigapple correctly processes its
arguments and installs or uninstalls the Security Policy. Of course, bigapple can also perform
any other functions you wish.
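A load program of the kind load_program can name, as an added Python example (not Check Point code and not the bigapple of the text). It receives the same arguments fw would have received, accepts only load and unload, appends an audit record, and then replaces itself with fwm so the GUI still sees fwm's exit status. The fwm path and the audit log location are assumptions for this example, overridable through the two environment variables the example defines.

```python
import datetime
import getpass
import os
import shlex
import sys

# Both locations are assumptions for this example, not Check Point defaults.
FWM = os.environ.get("FW_LOAD_WRAPPER_FWM", "fwm")
AUDIT_LOG = os.environ.get("FW_LOAD_WRAPPER_LOG", "/var/log/fw_load_wrapper.log")
ALLOWED_ACTIONS = ("load", "unload")


def validate(args):
    """True only for an argument list the GUI can legitimately hand to the load program:
    the first argument is load or unload, exactly as fw would have received it."""
    return bool(args) and args[0] in ALLOWED_ACTIONS


def audit_line(args, user, when=None):
    """One audit record: who requested which action, with the exact argument list."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return f"{when.isoformat()} user={user} action={args[0]} argv={shlex.join(args)}"


def build_command(args):
    """The command line handed on unchanged to fwm (or whatever FWM points at)."""
    return [FWM, *args]


def main(argv):
    if not validate(argv):
        sys.stderr.write(f"refusing unexpected action: {argv[:1]}\n")
        return 2
    with open(AUDIT_LOG, "a") as log:
        log.write(audit_line(argv, getpass.getuser()) + "\n")
    cmd = build_command(argv)
    os.execvp(cmd[0], cmd)   # replace this process so fwm's exit status is what the GUI sees


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the program runs with the SmartCenter Server's privileges on every Install or UnInstall, keeping it short, rejecting anything other than the two expected actions, and leaving a record of who triggered it are the properties worth preserving in any replacement you write.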


Installing Access Lists


When you install a rule on a router, VPN-1/FireWall-1 generates Access Lists and loads them to
the Open Security Extension (OSE) Device. VPN-1/FireWall-1 also allows you to import
Access Lists for Cisco, Bay RS and 3Com OSE Devices, enabling the integration of existing
filter configurations. Access Lists for OSE Devices can be viewed and verified.
When installing Access Lists to an OSE Device, the OSE Device must be accessible and you
must have permission to install the Access List. See the documentation for your router on how
to define the appropriate permissions. You must also define the correct access permissions in the
Setup tab of the OSE Device Properties window.

Importing Access Lists


The VPN-1/FireWall-1 Open Security Extension feature enables you to import existing Access
Lists from the following routers and security devices:
• Cisco routers
• 3Com routers
• Nortel
Access Lists can be imported to a Rule Base or as ASCII files. Access Lists imported to a Rule
Base are displayed in terms of source, destination, service, the router interface and direction to
which each rule applies. Imported Access Lists can be modified in the Rule Base and installed
on the appropriate router interface.
ASCII files display Access Lists as simple text files and include additional details that are not
represented in the Rule Base. You cannot modify the imported ASCII files.
Imported Access Lists can also be viewed and verified. Verification checks Access Lists for
inconsistencies and redundant rules. For more information, see “Verifying and Viewing Access
Lists” on page 344.

Note - The OSE Device properties are not part of an imported policy.

To Import Router Access Lists


1 From the Policy menu, choose Access Lists.
The OSE Device Access List Operations window (FIGURE 8-33) is displayed.


FIGURE 8-33 OSE Device Access List Operations window

2 Select Import Access Lists.

The Router Access Lists Control window (FIGURE 8-34) is displayed.


FIGURE 8-34 OSE Device Access List Operations with import options

3 Specify the following parameters:


OSE Device— Select a device from the drop-down list.
Interface — Select an interface.
The drop-down list displays all the interfaces available for the selected router.
Direction — Check a direction.
Display Type — Check one of the following:
• Ascii Access Lists
• Graphical Rule Base

Managing Imported Access Lists in the Rule Base


VPN-1/FireWall-1 opens a new Security Policy when you import Access Lists to the Rule Base.
The Security Policy title displays the name of the imported Rule Base in the following format:
<router name>_<inbound/outbound/eitherbound>_Imported_Policy


Each filter rule is displayed as a rule in the Rule Base. The Rule Base specifies the Source,
Destination and Service for each imported filter rule. The Install On field displays the router
interface and direction to which each rule applies, using the following format:
<inbound/outbound/eitherbound>.<interface name>@<router name>
The Rule Base Comment displays additional filter information.

Modifying Imported Rules


You can modify an imported rule’s Source, Destination, and Service fields, but you cannot
modify the Install On field. You can delete, copy, cut, and paste imported rules. You cannot add
a new rule on a specific router interface. You must first copy and paste a rule that specifies the
router interface and direction under Install On and then modify the other data fields in that
rule.

Unknown Network Objects and Services


Unknown network objects or services indicate objects that you have not yet defined to
VPN-1/FireWall-1. You can complete the object or service definition based on properties
imported from the Access Lists, such as IP addresses or service port numbers. To view the
imported properties of an Unknown object, double-click the object to open the appropriate
Properties window.

Verifying and Viewing Access Lists


VPN-1/FireWall-1 allows you to view and verify Access Lists generated from the Rule Base.
Verification checks that the rules are consistent and that no rule is redundant. If a Rule Base fails
the verification, an appropriate message will appear. You can also view and verify imported
Access Lists.
To verify or view router Access Lists, choose Access Lists from the Policy menu. The OSE
Device Access List Operations window (FIGURE 8-33) is displayed.

To verify Access Lists, check Verify and select the appropriate router from the drop-down list.
To view Access Lists, check View and select the appropriate router from the drop-down list.
VPN-1/FireWall-1 verifies the Access List before displaying it.


FIGURE 8-35 View of a Cisco Access List

Installing Access Lists


For instructions on installing Access Lists to routers, see “Installing the Security Policy” on page
333.

Boot Security
During the boot process, there is a short period of time (measured in seconds) between the
point when VPN/FireWall Module machine becomes able to communicate and the point when
the Security Policy is loaded and is enforced. During this time, VPN-1/FireWall-1 Boot
Security protects both the internal networks behind the VPN/FireWall Module machine, and
the machine itself. Boot Security is provided by a number of elements working together:
• Control of IP Forwarding on boot
• The Default Filter (improved in NG)
• The Initial Policy (new in NG)
In addition, the fwstop -proc and fwstop -default commands allow the FireWall-1 processes
to be stopped for maintenance while at the same time protecting the Firewalled Gateway
machine and the internal network.
For more information about Boot Security, see Check Point FireWall-1 Guide.

Note - If you stop VPN-1/FireWall-1 (fwstop) while the Default Filter is active, then no
Security Policy will be enforced until you start VPN-1/FireWall-1 again (fwstart).

Auxiliary Connections
A number of services establish auxiliary connections that require special handling by
VPN-1/FireWall-1. For example, an FTP data (auxiliary) connection from the FTP server to the
client is automatically allowed.


Consider the following Rule Base:

TABLE 8-11

Source      Destination   Services   Action   Track   Install On
FTPClient   FTPServer     Any        Accept           Gateways
Any         Any           Any        Reject   Log     Gateways

If the auxiliary connection is from the client to the server (as with FTP PASV), the auxiliary
connection may be improperly handled in some cases (for example, if the server’s IP address is
translated).
Before a back connection is opened (for example, for FTP), the back connection’s destination
port is checked against a list of known TCP and UDP services. If the requested port “belongs”
to a well known service, the back connection is rejected.
Services that open back connections fall into two categories in VPN-1/FireWall-1 (assuming
that there is a rule that allows the initial connection):
• VPN-1/FireWall-1 allows auxiliary connections only if the appropriate property is enabled.
These services are:
  • FTP PORT
  • FTP PASV
  • RSH/REXEC
  • RPC Control
• VPN-1/FireWall-1 allows auxiliary connections only if the service is specifically listed under
Services in the rule that allows the initial connection. These services are:
  • VDOLive
  • WebTheatre
  • H.323
  • CoolTalk
  • BackWeb
  • RealAudio
  • FreeTel
  • MS Exchange services (requires DCE-RPC)
  • NetShow
  • sqlnet2
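The "old"-connection handling described under Connection Persistence and the back-connection port check described in this section, together in one added Python simulation (not FireWall-1 code). The policy format, the connection table and the short well-known-port table are constructed for the example; scenario() walks through an FTP control connection, a PORT-style data connection, a Policy re-install and finally a Policy that drops the connection.

```python
from dataclasses import dataclass

# Constructed stand-in for the firewall's list of known TCP and UDP services.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
                    80: "http", 443: "https"}


@dataclass(frozen=True)
class Packet:
    src: str        # packets handled here travel client to server (see "First packet direction")
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Entry:
    first: Packet           # the packet that created the entry
    state: str = "normal"   # "normal", or "old" after a new Policy was installed
    data: bool = False      # dynamically created data (auxiliary) connection


def conn_key(pkt):
    return (pkt.src, pkt.dst, pkt.dport, pkt.proto)


def match_policy(policy, pkt):
    """First-match lookup; a policy is a list of (source, destination, port, action), "Any" matches all."""
    for src, dst, dport, action in policy:
        if src in ("Any", pkt.src) and dst in ("Any", pkt.dst) and dport in ("Any", pkt.dport):
            return action
    return "Drop"   # implicit default rule


class Firewall:
    def __init__(self, policy, keep_data_connections=False):
        self.policy = policy
        self.keep_data_connections = keep_data_connections
        self.table = {}

    def handle(self, pkt):
        """Decide one client-to-server packet and update the connections table."""
        key = conn_key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # New connection: only its first packet is matched against the Rule Base.
            if match_policy(self.policy, pkt) == "Accept":
                self.table[key] = Entry(pkt)
                return "accept"
            return "drop"
        if entry.state == "old":
            # First packet after a Policy install: re-match against the new Policy.
            if match_policy(self.policy, pkt) == "Accept":
                entry.state = "normal"   # entry reverts and the connection continues
                return "accept"
            del self.table[key]          # Drop or Reject: the entry is removed
            return "drop"
        return "accept"                  # established and not "old": no Policy lookup

    def open_back_connection(self, control_pkt, back_pkt):
        """Server-to-client data connection announced over an accepted control connection."""
        if conn_key(control_pkt) not in self.table:
            return "drop"
        if back_pkt.dport in WELL_KNOWN_PORTS:
            return "drop"   # refused: the requested port belongs to a well-known service
        self.table[conn_key(back_pkt)] = Entry(back_pkt, data=True)
        return "accept"

    def install_policy(self, new_policy):
        """Mark entries "old"; data connections are deleted unless configured to be kept."""
        self.policy = new_policy
        for key, entry in list(self.table.items()):
            if entry.data:
                if not self.keep_data_connections:
                    del self.table[key]   # default: a data connection cannot be re-matched
                # otherwise kept as it is, without the "old" flag
            else:
                entry.state = "old"


def scenario():
    """Constructed walk-through; returns the decisions in order."""
    ftp_only = [("client", "server", 21, "Accept")]
    fw = Firewall(ftp_only)
    ctrl = Packet("client", "server", 21)
    data = Packet("server", "client", 40000)   # back connection to an ephemeral client port
    out = [fw.handle(ctrl),                                                  # accept
           fw.open_back_connection(ctrl, data),                              # accept
           fw.open_back_connection(ctrl, Packet("server", "client", 80))]    # drop: port 80
    fw.install_policy(ftp_only)             # data entry deleted, control entry marked "old"
    out.append(fw.handle(ctrl))             # accept: re-matched, reverts to "normal"
    out.append(fw.handle(data))             # drop: no entry left and no rule allows it
    fw.install_policy([("Any", "Any", "Any", "Drop")])
    out.append(fw.handle(ctrl))             # drop: re-match fails, entry deleted
    return out
```

Constructing the firewall with keep_data_connections=True reproduces the alternative described above: the data entry survives the install and is never re-matched, which is exactly the trade of connectivity against strictness the text warns about.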

When a Security Policy is Installed


The connections table is cleared when a Security Policy is installed. The new Security Policy is
then enforced on existing connections and sessions.
After the Security Policy is installed, the first packet of an established connection is logged if all
the following conditions are true:
• the Security Policy Rule Base specifies that the connection is to be logged
• the packet’s direction (source and target) is the same as the original connection
In the Log Viewer, the additional log entry is unified with the original one. You can see the log
entries individually (not unified) by using the fw log command with the appropriate parameters
(see “fwm log” on page 593).



CHAPTER 9

Time and Scheduled Event Objects

In This Chapter

Overview             page 347
Time Objects         page 349
Scheduled Events     page 351
Groups               page 353

Overview
Time objects are used to specify time periods during which rules are in effect.
Note - If two Modules are in different time zones, then some problems may arise. For
example, suppose a rule specifies encryption from 09:00 to 17:00 between two
enforcement Modules separated by five hours. It can happen that the Module initiating the
connection will encrypt, but the peer will not be expecting the connection to be
encrypted. If Enable decryption on accept in the VPN-1 page of the Global Properties
window is not enabled, then the peer will not decrypt the packets and the connection will
fail.

To define a time object, choose Time from the Manage menu. The Time Objects window appears
(FIGURE 9-1 on page 348).


FIGURE 9-1 Time Objects window

The objects displayed depend on what you have selected from the Show drop-down list.

TABLE 9-1 Time Object Actions

for a description of how to...   see
create a time object             “Creating a New Time Object” on page 348
modify a time object             “Modifying a New Time Object” on page 348
delete a time object             “Deleting a New Time Object” on page 348

Creating a New Time Object


To create a new object, click on New. A menu appears, listing the types of objects you can
create.
Choose one of the following:
• Time — a time object (one to three periods of time, with optional daily, weekly or monthly
recurrence); see “Time Objects” on page 349.
• Scheduled Event — a scheduled event object (a point in time, with optional daily, weekly
or monthly recurrence); see “Scheduled Events” on page 351.
• Group — a group of time or scheduled events; see “Groups” on page 353.

A window appears prompting you to enter the properties of the selected object type.

Deleting a New Time Object


To delete an object, select the object and click on Remove.

Modifying a New Time Object


To modify an object, select the object and click on Edit, or double-click on the object.


Time Objects

Time Object Properties Window — General Tab


FIGURE 9-2 Time Object Properties window — General tab

Name — the object’s name


Comment — descriptive text
This text is displayed on the bottom of the Time Object window when this item is selected.
Color — the color of the object’s icon
Select the desired color from the drop-down list.
Time of Day — Enter up to three From–To pairs in 24–hour notation.
To specify all day, set From to 00:00 and To to 23:59.
A rule in which a time object is used is applied only to connections which begin during the
time period defined by the time object. If an allowed connection extends past the time period,
it will be allowed to continue.
The time on the enforcement Module (VPN/FireWall, FloodGate etc.) is compared to the time
specified in the time object, and if there is a match, the rule is applied.


Time Object Properties Window — Days Tab


FIGURE 9-3 Time Object Properties window — Days tab

Days Specification — Choose one of the following:


None — The times of day specified in the General tab of the Time Object Properties
window apply on all days.
Day in Month — The times of day specified in the General tab of the Time Object Properties
window apply only on the days of the month checked under Days in Month (FIGURE 9-3).
Day in Week — The times of day specified in the General tab of the Time Object Properties
window apply only on the days of the week checked under Days in Week (FIGURE 9-4 on
page 351).


FIGURE 9-4 Time Object window — Days tab (Days in Month)

Month — The times of day specified in the General tab of the Time Object Properties
window apply only during the month specified. This field is enabled only if Days Specification
is Day in Month.
FIGURE 9-5 Time Object window — Days tab (Days in Week)

Week — The times of day specified in the General tab of the Time Object Properties window
apply only during the week specified. This field is enabled only if Days Specification is Day
in Week.
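The following Python model is added here as an illustration of how a rule carrying a Time object is evaluated; it is not VPN-1/FireWall-1 code and does not come from this guide. It tests the connection's start time, as read from the enforcement Module's own clock, against one to three From-To pairs and the Days specification from the tabs above, and it never re-tests an accepted connection. The object names, the sample timestamps and the refusal of a From later than To (overnight ranges are not defined on this page) are the example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Days specifications as named in the Days tab (constructed model, not Check Point code)
DAYS_NONE, DAYS_IN_WEEK, DAYS_IN_MONTH = "None", "Day in Week", "Day in Month"


@dataclass(frozen=True)
class TimeObject:
    """Model of a Time object: one to three From-To pairs plus a Days specification.

    periods: (From, To) pairs at minute resolution, both ends inclusive, so
             (00:00, 23:59) means all day, as the General tab describes.
    days:    ISO weekday numbers (1 = Monday) for DAYS_IN_WEEK, or day-of-month
             numbers for DAYS_IN_MONTH; ignored when days_spec is DAYS_NONE.
    """
    name: str
    periods: tuple
    days_spec: str = DAYS_NONE
    days: frozenset = frozenset()

    def __post_init__(self):
        if not 1 <= len(self.periods) <= 3:
            raise ValueError("a Time object takes one to three From-To pairs")
        for start, end in self.periods:
            # The page does not define a From later than To (an overnight range),
            # so this model refuses it rather than guessing at wrap-around.
            if start > end:
                raise ValueError(f"From {start} is later than To {end}")
        if self.days_spec not in (DAYS_NONE, DAYS_IN_WEEK, DAYS_IN_MONTH):
            raise ValueError(f"unknown Days specification {self.days_spec!r}")

    def matches(self, module_clock: datetime) -> bool:
        """True if the given instant falls inside this Time object.

        module_clock must be the enforcement Module's own clock reading, since
        that is what VPN-1/FireWall-1 compares against the object.
        """
        if self.days_spec == DAYS_IN_WEEK and module_clock.isoweekday() not in self.days:
            return False
        if self.days_spec == DAYS_IN_MONTH and module_clock.day not in self.days:
            return False
        # The GUI works in hh:mm, so seconds are dropped before comparing;
        # this is what lets 23:59 stand for "up to the end of the day".
        now = module_clock.time().replace(second=0, microsecond=0)
        return any(start <= now <= end for start, end in self.periods)


def rule_applies(time_obj: TimeObject, conn_start: datetime) -> bool:
    """Decide whether a rule carrying time_obj applies to a connection.

    Only the connection's start time is tested. A connection accepted at
    17:59 is not cut off at 18:00: the rule is never re-evaluated for it.
    """
    return time_obj.matches(conn_start)


# Constructed sample objects, not taken from any real policy.
BUSINESS_HOURS = TimeObject(
    "Business_Hours",
    periods=((time(8, 0), time(17, 59)),),
    days_spec=DAYS_IN_WEEK,
    days=frozenset({1, 2, 3, 4, 5}),
)
PAYROLL_DAYS = TimeObject(
    "Payroll_Days",
    periods=((time(0, 0), time(23, 59)),),
    days_spec=DAYS_IN_MONTH,
    days=frozenset({1, 15}),
)
MAINTENANCE = TimeObject(
    "Maintenance_Windows",
    periods=((time(2, 0), time(3, 59)), (time(12, 0), time(12, 29)), (time(22, 0), time(22, 59))),
)

if __name__ == "__main__":
    wed = datetime(2002, 9, 18, 17, 59, 40)   # a Wednesday
    print(rule_applies(BUSINESS_HOURS, wed))                             # True
    print(rule_applies(BUSINESS_HOURS, wed.replace(hour=18, minute=0)))  # False
```

Because only the start of a connection is tested, a long-lived session opened one minute before a window closes keeps running; if a service must really stop at the boundary, the Module's clock (and its synchronization) is what decides, not the SmartCenter Server's.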

Scheduled Events
Scheduled events are used to trigger processes, for example, in the Management High
Availability page of the Global Properties window or in the Logging Policy page of the
network object’s Properties window.


Scheduled Event Properties Window — General Page


FIGURE 9-6 Scheduled Event Properties window — General page

Name — the object’s name


Comment — descriptive text
This text is displayed on the bottom of the Time Object window when this item is selected.
Color — the color of the object’s icon
Select the desired color from the drop-down list.
Time of Event — Choose one of the following:
• At (hh:mm) — This event happens once a day, at a specific time.

Enter a time of day in 24–hour notation. When this is checked, the Days page (FIGURE
9-7) becomes available.
• Every — Specify how frequently the event occurs.


Scheduled Event Properties Window — Days Page


FIGURE 9-7 Scheduled Event Properties window — Days page

This page is available when At (hh:mm) under Time of Event in the General page (FIGURE 9-6)
is checked.
Days Specification — Choose one of the following:
Daily — The time of day specified in the General page of the Scheduled Event Properties
window applies on all days.
Day in Month — The time of day specified in the General page of the Scheduled Event
Properties window applies only on the days of the month checked under Days in Month.
Day in Week — The time of day specified in the General page of the Scheduled Event
Properties window applies only on the days of the week checked under Days in Week.

Groups
You can simplify the Rule Base by defining a group of time objects and using the group in rules.

Creating a Group
To create a group, create an object of type Group using the Time Object Manager (see
“Creating a New Time Object” on page 348). Next, add objects to the group using the Group
Properties window (FIGURE 9-8 on page 354).

To display the Group Properties window, double-click on the group’s name in the Time Object
Manager window.


FIGURE 9-8 Group Properties window

Adding an Object to a Group


In the left listbox (labeled Not in Group), select the objects you wish to include in the group.
Use the Add button to add individual objects and to add groups to the group.

Note - To define a new object directly from this window, click New. A menu is
displayed from which you can select the type of object to create. When you finish defining
the object, you will return to this window.

You can add a group to another group in one of two ways:


1) You can individually add all the objects in one group to another group, without nesting.
Click on Yes in reply to the question in the window (FIGURE 9-9).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.
FIGURE 9-9 Adding a Group to a Group


Deleting an Object from a Group


Select the objects to be deleted from the right listbox (labeled In Group), and then click on
Remove.



CHAPTER 10

Server Objects and


OPSEC Applications

In This Chapter

Server Objects page 357


RADIUS Servers page 360
TACACS Servers page 362
AXENT Pathways Defender Servers page 363
ACE (SecurID) Servers page 363
LDAP (Lightweight Directory Access Protocol) Account Units page 364
Certificate Authority page 368
SecuRemote DNS page 370
OPSEC Servers and Clients page 371

Server Objects
A server object represents a server running on a specific host. The available server objects are:
1 RADIUS
A RADIUS Server is used to provide authentication services. For information about defining
an Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163.
2 RADIUS Server group
A RADIUS Server group consists of RADIUS Servers.
3 TACACS


A TACACS Server is used to provide authentication services. For information about defining
an Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163.
4 AXENT Defender
An AXENT Defender Server is used to provide authentication services. For information about
defining an Authentication scheme for a user, see “User Properties Window — Authentication
tab” on page 163.
5 ACE (SecurID) Server
ACE Servers are used for authenticating SecurID users. For information about defining an
Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163 of Check Point SmartCenter Guide.
6 LDAP Account Unit
The VPN-1/FireWall-1 Account Management system is an independent module that enables
the Security Manager to integrate an LDAP-compliant user database with VPN-1/FireWall-1
User Authentication. An LDAP Server can contain multiple branches (for example,
“o=University of Michigan,c=UK”). An LDAP Server and a subset of its branches constitute
a VPN-1/FireWall-1 Account Unit.
For information about Account Units, see “LDAP (Lightweight Directory Access Protocol)
Account Units” on page 364.
7 Certificate Authority
A Certificate Authority (CA) issues certificates to entities (users or computers) which then
use the certificates to identify themselves and provide verifiable information about
themselves.
For information about Certificate Authorities, see Chapter 3, “Certificate Authorities” of
Check Point Virtual Private Networks Guide.
8 SecuRemote DNS
The SecuRemote DNS GUI lets administrators configure DNS redirection and encryption.
For information about SecuRemote DNS, see “SecuRemote DNS” on page 370.

OPSEC Servers (CVP, UFP or AMON servers)

9 URL Filtering Protocol (UFP)


A UFP server can be used in defining a URI Resource. For information about URI
Resources, see “URI Resources” on page 233.
10 Content Vectoring Protocol (CVP)
A CVP server examines the contents of a file or data stream. For examples of how to use CVP
servers in a resource definition, see Chapter 6, “Services and Resources.”


See “Implementing CVP Inspection” on page 234 of Check Point FireWall-1 Guide for
information about the CVP protocol.
11 Application Monitoring (AMON)
An AMON server enables network applications to report their status to Check Point
management.
See “OPSEC Definition Window— AMON Options Tab” on page 384, for information
about the AMON server.

Defining Server Objects


To define a Server object, do one of the following:
• choose Servers from the Manage menu, or
The objects displayed depend on what you have selected from the Show drop-down list.

TABLE 10-1 Server Object Actions

for a description of how to ...     see
create a new server object          “Creating a New Server” on page 359
remove a server object              “Removing a Server” on page 360
edit a server object                “Editing a Server” on page 360

Creating a New Server


To create a new server:
1) Click on New. A menu is displayed, listing the types of servers you can create.
2) Choose a type from the menu and click OK. A window is displayed prompting you to enter
the properties of the selected server type.

TABLE 10-2 Server Types

to create a server of type ...   which is used for ...                        see
RADIUS                           RADIUS authentication                        “RADIUS Servers” on page 360
RADIUS Group                     RADIUS authentication                        “RADIUS Server Groups” on page 361
TACACS                           TACACS authentication                        “TACACS Servers” on page 362
DEFENDER                         AXENT Defender authentication                “AXENT Pathways Defender Servers” on page 363
ACE (SecurID) Server             SecurID authentication                       “ACE (SecurID) Servers” on page 363
LDAP Account Unit                maintaining an LDAP user database            “LDAP Account Unit Properties Window — General Tab” on page 365
Certificate Authority            defining a Certificate Authority             “Certificate Authority Properties Window — General Tab” on page 368
SecuRemote DNS                   configuring DNS redirection and encryption   “SecuRemote DNS General Tab” on page 370
OPSEC Server                     checking content data, screening URLs,       “OPSEC Servers and Clients” on page 371
                                 reporting third party application status
                                 to VPN-1/FireWall-1

Removing a Server
To delete a server, select the server and click Remove.

Editing a Server
To edit or modify a server, select the server and click Edit, or double-click the server.

RADIUS Servers
RADIUS servers are used for authenticating users. For information about defining an
Authentication scheme for a user, see “User Properties Window — Authentication tab” on page
163 of Check Point SmartCenter Guide.
For information about Authentication schemes in general, see “Authentication Schemes” on
page 125.

RADIUS Server Properties Window — General Tab


Name — the server’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this item is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Priority — Specify the priority level when more than one RADIUS server is contacted


When more than one RADIUS server is contacted (that is, when a group of RADIUS servers
or Any is specified for a RADIUS user) then they are contacted in the sequence defined by
their priorities, where a lower number specifies a higher priority.
Host — Select the host on which the server is running.
The host should have already been defined as a network object (see “Overview” on page 173).
Shared Secret — Enter a string of up to 15 nonspace characters.
The shared secret is a key that authenticates communication between the FireWalled machine
and the RADIUS server. You must use the same shared secret you defined in the clients
file on the RADIUS server.
Service — Select the service for communication with the server.
For RADIUS servers, the service is RADIUS.
Version — Select the version from the drop-down list.
The items in the list are given under radius_versions in the file
$FWDIR/lib/setup.C.
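The shared secret is all that ties the FireWalled machine and the RADIUS server to each other: it keys the User-Password hiding and the Response Authenticator defined in RFC 2865. The following Python code is an added example, not Check Point code and not taken from this guide, that builds an Access-Request, hides the password with the shared secret and checks that the server's reply was produced with the same secret. The secret, identifier, user name and password are constructed values, and the helper stripping trailing NULs on the server side assumes passwords do not end in a NUL byte.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attributes used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def _attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed on the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server's side of hide_password: a wrong secret yields garbage, not an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # removes the padding (assumes no trailing NUL in the password)


def build_access_request(identifier, secret, username, password, request_authenticator=None):
    """Access-Request as the Module (the RADIUS client) sends it."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # must be unpredictable and fresh per request
    attrs = _attribute(ATTR_USER_NAME, username)
    attrs += _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs


def _response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Access-Accept/Reject as the server sends it; only a holder of the secret can build it."""
    auth = _response_authenticator(code, identifier, request_authenticator, attrs, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that a reply comes from a holder of the shared secret and
    answers our request (the Request Authenticator ties the two together)."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = _response_authenticator(code, identifier, request_authenticator, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"s3cr3t-15chars"               # constructed; fits the 15-character limit above
    ra = os.urandom(16)
    req = build_access_request(7, secret, b"alice", b"correct horse", ra)
    print(reveal_password(parse_attributes(req)[ATTR_USER_PASSWORD], secret, ra))
    accept = build_response(ACCESS_ACCEPT, 7, ra, b"", secret)
    print(verify_response(accept, ra, secret), verify_response(accept, ra, b"wrong"))
```

Note what the secret does and does not protect: only User-Password is hidden, the user name and the rest of the request travel in clear over UDP, and both the hiding and the Response Authenticator rest on MD5 of the secret. That is why the 15 characters allowed here should come from a random generator rather than a word, and why the Rule Base should still restrict which hosts may talk to the RADIUS service at all.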

RADIUS Server Groups


You can simplify the Rule Base by defining a group of RADIUS servers and using the group in
rules. If a RADIUS server group is defined in a user’s Authentication properties,
VPN-1/FireWall-1 sends authentication requests to the servers in the group according to their
priority, as defined in the General tab of the RADIUS Server Properties window. If two servers
have the same priority, their order is determined arbitrarily.
RADIUS groups can be used for High Availability only, not for chaining. To achieve chaining,
use a RADIUS proxy (between the chain and the FireWall Module).

Creating a RADIUS Server Group


To create a group, create an object of type RADIUS Group using the Server Object Manager (see
“Creating a New Server” on page 359). Next, add objects to the group using the Group
Properties window.

To display the Group Properties window, double-click the group’s name in the Server Object
Manager window.

Adding a Server to a RADIUS Server Group


In the left listbox (labeled Not in Group), select the servers you wish to include in the group.
Use the Add button to add individual servers or groups to the group.

Note - All the servers in a server group must be of the same type.


You can add a group to another group in one of two ways:


1) You can individually add all the servers in one group to another group, without nesting
groups within groups. Click on Yes in reply to the question in the window (FIGURE 10-1).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
FIGURE 10-1Adding a Group to a Group

If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.

Deleting a Server from a RADIUS Server Group


Select the servers to be deleted from the right listbox (labeled In Group), and then click
Remove.

TACACS Servers

TACACS Server Properties Window — General Tab


Name — the server’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this item is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Host — From the menu, select the host on which the server is running.
The host should have already been defined as a network object (see “Overview” on page 173).
Type — Select TACACS or TACACS +.

Secret Key — For more information on this field, see the TACACS server documentation.
Service — From the menu, select the service for communication with the server; it depends on
the server Type. For TACACS+ Servers, for example, the service is “TACACS+”.


AXENT Pathways Defender Servers

Defender Server Properties Windows — General Tab


Name — the server’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this server is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Host — the host on which the primary Axent Defender server is running
Select the host from the drop-down list. The host should have already been defined as a
network object.
Backup Host — the host of the backup Axent Defender server
The Backup Host is not a separate Axent server, but is a backup server to the primary server
defined under Host. Because it is not a separate server, it does not have its own Agent Name
and Agent ID.
Agent ID — the Agent ID of the VPN/FireWall Module, as defined on the Axent Pathways
Defender Server
Agent Key — a 16 hexadecimal digit key
This key is defined on the Axent Pathways Defender Server and is used to encrypt
communication between the VPN/FireWall Module and the Axent Pathways Defender Server.

Note - The VPN-1/FireWall-1 Security Servers support the SecureNet Keys (SNK)
authentication scheme.

ACE (SecurID) Servers


ACE Servers are used for authenticating users. For information about defining an Authentication
scheme for a user, see “User Properties Window — Authentication tab” on page 163 of Check
Point SmartCenter Guide.
ACE Servers are not defined as Check Point Server objects, but there are some issues of which
you should be aware.

Configuring ACE (SecurID) Servers


VPN-1/FireWall-1 uses the standard client library of the ACE Server. In order to use SecurID,
proceed as follows:
1 Install and configure the ACE Server.


You will need an ACE Server somewhere in your network. The ACE Server does not have to
reside on the VPN/FireWall Module machine. For information about how to install and
configure your ACE server, refer to the SecurID documentation.
2 In VPN-1/FireWall-1, create a user whose authentication scheme is SecurID.
3 Configure your VPN/FireWall Module machine as an ACE Client.
Because VPN-1/FireWall-1 uses the standard client library of the ACE/Server, no special
integration step is required: all you have to do is prepare the VPN/FireWall Module machine
as an ACE Client.
For information about how to install and configure an ACE Client, refer to the SecurID
documentation.
VPN-1/FireWall-1 reads the sdconf.rec file to determine the ACE Server and other
parameters involving ACE Client-Server communications, so you must copy sdconf.rec from
the ACE Server to the ACE Client.

TABLE 10-3 sdconf.rec directory

platform       sdconf.rec directory
Unix           /var/ace
Windows NT     WINNT/SYSTEM32

Note - If you make any changes to sdconf.rec, stop and restart the VPN/FireWall Module
(using the cpstop and cpstart commands).

ACE and DES


VPN-1/FireWall-1 supports the DES option of the SecurID ACE Server.

ACE and the Rule Base


SecurID services are not automatically added to the Implied Rules within the
VPN-1/FireWall-1 Security Policy Rule Base, as they are for other authentication servers. Rather,
you must add a rule to the Rule Base that allows SecurID service connections to pass between
the FireWall Module and the ACE Server.

LDAP (Lightweight Directory Access Protocol) Account Units


In VPN-1/FireWall-1, users can be managed using an LDAP (Lightweight Directory Access
Protocol) Server. The LDAP Server and VPN-1/FireWall-1 SmartCenter Server usually reside
on different hosts and are maintained by different people. Separating the functionality of the two
systems provides the following benefits:
• The system administrator can use existing LDAP-compliant directories.


• A single VPN-1/FireWall-1 SmartCenter Server can be used by several departments or
customers, each of which can manage its own users independently.
• Users can maintain and change their own passwords.
There is no limit to the number of users that can be defined on an LDAP Server.
An LDAP Server can contain multiple branches (“o=University of Michigan,c=UK”, for
example, is a branch). A Check Point Account Unit consists of a subset of the branches defined
on an LDAP Server. A user database can be made up of more than one Account Unit. Any
number of Account Units can be defined to VPN-1/FireWall-1.
For complete instructions and information about how LDAP Account Units are used in
VPN-1/FireWall-1, see the book, Check Point User SmartCenter Guide.

LDAP Account Unit Properties Window — General Tab


Name — the Account Unit’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this LDAP Server is
selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
CRL Retrieval — This Account Unit is used for Certificate Revocation List (CRL) retrieval,
that is, it is the CRL depository for OPSEC PKI-enabled Certificate Authorities (see Chapter 3,
“Certificate Authorities” of Check Point Virtual Private Networks Guide).
If you check CRL Retrieval, you only need to specify Host, Port, and server Branches in this
window.
User Management — this Account Unit is used for managing users in an LDAP directory.
User Management is enabled only if Use LDAP Account Management is checked in the
LDAP tab of the Global Properties window (see page 283).
Host — the host on which the LDAP Server is running
Select the host from the drop-down list. The host should have already been defined as a
network object (see “Overview” on page 173).
Port — the port on which the LDAP Server is listening for non-encrypted communication
Login DN — the DN that will be used to bind (login) to the Account Unit
Password — the password for binding
LDAP Rights — the VPN/FireWall Module’s access privileges on the LDAP Server
Check R(ead) or W(rite) or both.
If Write is checked, users can update their VPN-1/FireWall-1 passwords on the LDAP Server.


If the LDAP Server is a slave, uncheck W.

Priority — this Account Unit’s priority in relation to other Account Units


LDAP Server Type — the kind of LDAP server. Different LDAP servers offer different features
and speak slightly different dialects; specifying the server type tells LDAP Account Management
how to talk to this server.
Branches— the branches of the LDAP directory which will be searched when querying to this
LDAP Server

Managing LDAP Branches

Fetching All Branches


If your LDAP Server is Version 3.0 or higher, you can fetch all the branches (suffixes) supported
by the LDAP Server by clicking on Fetch.

Adding a New Branch


To add a new branch, click Add. The LDAP Branch Definition window is displayed.
FIGURE 10-2LDAP Branch Definition

Enter the branch and click OK. The branch is added to the listbox in the General tab of the
Account Unit Properties window.

Changing a Branch
To change a branch definition, select the branch and click Edit.

Deleting a Branch
To delete a branch from the list, select the branch and click Delete.

LDAP Account Unit Properties Window — Users Tab


The Users tab specifies the following:
• The default template that will be used to provide VPN-1/FireWall-1-specific attributes to
LDAP users maintained with a third-party LDAP Client.
• The authentication schemes that will be supported by the VPN/FireWall Module for users
defined on this LDAP Account Unit.
Use Default User Template — Specifies the VPN-1/FireWall-1 user template from which to
obtain VPN-1/FireWall-1-specific attributes for LDAP users for whom these attributes are not
defined, that is, users maintained with a third-party LDAP Client.


When users are maintained with a third-party LDAP Client in which
VPN-1/FireWall-1-specific attributes are not defined, the missing VPN-1/FireWall-1-specific
attributes are retrieved at run-time from the VPN-1/FireWall-1 template specified in Use
Default User Template. This template should not define attributes that vary from user to user,
because there is no way to define these values — they don’t appear in the LDAP Client and the
user is not defined in the VPN-1/FireWall-1 User Database.
For example, the template should not specify IKE with shared-secret (because the secret is
different for each user), but it can specify IKE with certificates. Note that the template can
specify internal (VPN-1/FireWall-1) password authentication scheme, even though this is
different for each user, because all LDAP servers support password authentication.
Warning - VPN-1/FireWall-1-specific attributes will not be visible in the LDAP Client for
users to whom the default user template is applied.
This option is not supported by VPN-1/FireWall-1 Modules prior to Version 4.1, but Use
Default Scheme is supported.

Authentication Schemes — specifies the authentication schemes enabled on the LDAP
Account Unit.
Use Default Scheme — specifies the authentication scheme to be used when no authentication
scheme is defined for the user on the Account Unit, for example, when users are maintained
with a third-party LDAP Client in which VPN-1/FireWall-1-specific attributes are not defined.
This option is enabled only if Use Default User Template is not checked, because the
template specified in Use Default User Template includes an authentication scheme.
If you select TACACS or RADIUS, you will be prompted to enter the server name.
S/Key is not available here, because it includes user-specific information, and there is no way
to define user-specific information in this case (see Use Default User Template above).
Limit Login Failures — if checked, this feature hinders password-guessing attacks by limiting the
number of failed login attempts allowed in a defined period of time (the default period is 180
seconds).
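The following Python class is an added example of the control Limit Login Failures describes; it is not Check Point's implementation. The page states only the default 180-second period, so the maximum number of attempts, the decision to refuse even a correct password while a user is locked, and the clearing of the history on a successful bind are this example's assumptions. The user DNs and timestamps are constructed.

```python
from collections import deque


class LoginFailureLimiter:
    """Sliding-window lockout: a user who has failed max_failures times within
    period_seconds is refused further attempts until enough failures age out.

    Constructed illustration of the Limit Login Failures option; the attempt
    count and the lockout behaviour are assumptions, not taken from the guide.
    """

    def __init__(self, max_failures: int = 3, period_seconds: float = 180.0):
        if max_failures < 1 or period_seconds <= 0:
            raise ValueError("max_failures >= 1 and period_seconds > 0 required")
        self.max_failures = max_failures
        self.period = period_seconds
        self._failures = {}   # user DN -> deque of failure timestamps (seconds)

    def _prune(self, user: str, now: float) -> deque:
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] >= self.period:
            q.popleft()           # failures older than the period no longer count
        return q

    def is_blocked(self, user: str, now: float) -> bool:
        return len(self._prune(user, now)) >= self.max_failures

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed bind; returns True if the user is now blocked."""
        q = self._prune(user, now)
        q.append(now)
        return len(q) >= self.max_failures

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)   # a successful login clears the history


def attempt_login(limiter: LoginFailureLimiter, user: str, password_ok: bool, now: float) -> str:
    """Gate a bind attempt. A locked user is refused before the password is
    checked at all, so a guesser gets no oracle while the lock is in force."""
    if limiter.is_blocked(user, now):
        return "locked"
    if password_ok:
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user, now)
    return "failed"


if __name__ == "__main__":
    lim = LoginFailureLimiter(max_failures=3, period_seconds=180)
    dn = "cn=alice,ou=people,o=example,c=uk"   # constructed DN
    for t in (0, 10, 20):
        print(t, attempt_login(lim, dn, False, t))
    print(21, attempt_login(lim, dn, True, 21))    # locked: correct password refused
    print(180, attempt_login(lim, dn, True, 180))  # first failure aged out: ok
```

The counter is per user, so an attacker spreading guesses across many accounts is slowed per account only; pairing this with a Rule Base that limits which hosts may reach the directory at all closes the wider channel.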

LDAP Account Unit Properties Window — Encryption Tab


Use Encryption (SSL) — whether to connect to this Server using SSL
Encryption Port — the port on the LDAP Server to which to connect using SSL
The default port number is 389 for a standard connection and 636 for an LDAP SSL
connection.
Verify that the server has the following Fingerprint — verify the Server’s DN or key.
Fetch — Fetch the fingerprint from the Server.
Min/Max Encryption Strength — Select the weakest (under Min) and strongest (under Max)
encryption method the Account Unit is prepared to use.


TABLE 10-4 lists the methods used for each Strength. Note that Strong in the GUI
corresponds to Very Strong in the table.

TABLE 10-4 Encryption Method Parameters

Strength                          Authentication Method   Encryption and Data Integrity Methods
Authentication                    RSA (512 bit)           no encryption; data integrity: MD5 or SHA-1,
                                                          depending on the other side
Export                            RSA (512 bit)           • RC4 (40 bit) and MD5, or
                                                          • DES (40 bit) and SHA-1
Strong (cannot be specified in    RSA (1024 bit)          • RC4 (64 bit) and MD5, or
VPN-1/FireWall-1 but can be                               • DES (40 bit) and MD5 or SHA-1,
negotiated)                                                 depending on the other side
Very Strong (shown in             RSA (1024 bit)          • RC4 (128 bit) and MD5 or SHA-1,
VPN-1/FireWall-1 as Strong)                                 depending on the other side, or
                                                          • 3DES and MD5 or SHA-1,
                                                            depending on the other side

Authentication — the weakest method
Export — the strongest exportable method
Strong — the strongest method
These are 2002-era cipher suites: 512-bit RSA, 40- and 64-bit RC4, 40-bit DES and MD5 are all
considered broken today, so set both Min and Max to Strong unless a legacy directory leaves no
choice, and remember that Authentication and Export leave the bind password readable on the wire.
IKE Key — the key with which users’ IKE pre-shared secrets are encrypted on the Account Unit

Certificate Authority
A Certificate Authority (CA) issues certificates to entities (users or computers) which then use
the certificates to identify themselves and provide verifiable information about themselves. After
two entities exchange and validate each others’ certificates, they can begin encrypting
communications between them using the public keys in the certificates. There are two kinds of
entities that can identify themselves using certificates:
• encrypting gateways (network objects), when encrypting with other (peer) encrypting
gateways or with SecuRemote Clients
• people (using SecuRemote Clients) — the SecuRemote Client and the site confirm each
others’ identities with certificates
For more information see “Certificate Authorities” on page 40 of Check Point Virtual Private
Networks Guide.

Certificate Authority Properties Window — General Tab


Name — the Certificate Authority’s name


Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this Certificate
Authority is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Certificate Authority — the type of Certificate Authority (Entrust or VPN-1 Certificate
Manager)

Certificate Authority Properties Window — VPN-1 CM Tab


VPN-1 CM Version — specifies the version of Entrust PKI on which the VPN-1 Certificate
Manager is based.
Configuration — the entrust.ini file (provided by your Entrust CA administrator) specifies
the location and other parameters of an Entrust CA. Click on one of the following (under
Configuration):
• Get — get the CA’s configuration from the entrust.ini file. You can browse for the
entrust.ini file.
• View — view the entrust.ini file.

Certificate— Before you can validate certificates issued by the CA you have just defined, you
must obtain the CA’s own certificate.
• If a SmartCenter Server will be generating certificates on this CA (see “Certificate
Authority” on page 368), then the CA sends the SmartCenter Server its own certificate
together with the network object’s certificate. In this case, there is no need to explicitly
obtain the CA’s own certificate — it is obtained as a by-product of generating other
certificates.
• If a SmartCenter Server will not be generating certificates on the CA but only validating
them, then you must explicitly obtain the CA’s own certificate by clicking on Get (see
below).
• Get — get the CA’s certificate from a file that contains the CA’s certificate.
The CA’s certificate can be provided by another VPN-1/FireWall-1 administrator (who
has already generated a certificate from the CA) using the Save As button (see below).
View — View the CA’s certificate.
Save As — Save the CA’s certificate to a file, which can be read by another SmartCenter
Server using the Get button.
Profile— A file created either by the user or by a Certificate Authority. For more information
on the profiles, see “Using Certificates” on page 40 of Check Point Virtual Private Networks
Guide.
File — Enter the name of the user profile.


For more information on Certificate Authorities and creating Certificates, see Chapter 3,
“Certificate Authorities” of Check Point Virtual Private Networks Guide.

Certificate Authority Properties Window — Advanced Tab


CRL Caching — A CRL cache is maintained by Modules that validate certificates, in order to
avoid fetching the CRL from the repository again on every validation, an action that slows the
validation process considerably. This section lets the administrator configure the CRL cache
properties.
Cache CRL on the Module — A CRL is stored in the cache only if this property is set. Otherwise,
it is not kept, and a CRL fetch operation is done whenever a CRL is required for certificate
validation.
Fetch new CRL when expires — The CRL is stored in the cache for its whole lifetime.
When the CRL expires (the current time is later than the nextUpdate field in the CRL), the CRL
is dropped from the cache.
Fetch new CRL after — The CRL is dropped from the cache after X seconds, where X is the
value configured by the user. The number of seconds is measured from the time the CRL is
fetched.
Certificate Authority

Allow only certificates from the listed branches — When validating certificates, only
certificates that belong to the specified branches are accepted as valid. Branches are designated
by combination of various DN fields (for example, “ou”).
Add — Add a new DN or branch.
When a Certificate Authority is selected, you must then enter the DN for the branch you
want to add by clicking Add.
Edit — Edit the selected DN or branch.
Remove — Remove the selected branch.
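The following Python model is an added example, not Check Point's implementation, of the two behaviours configured on this tab: the CRL cache (caching off, Fetch new CRL when expires, and Fetch new CRL after X seconds) and the Allow only certificates from the listed branches restriction, which is a whole-RDN suffix match on the certificate's subject DN. The CRL layout, the stub repository fetch, the serial numbers and the DNs are constructed; the refusal to use a CRL past its nextUpdate during validation is the example's own addition, since a fixed refetch interval longer than the CRL's lifetime would otherwise hand a stale list to the validator.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Cache modes named after the two radio buttons in the Advanced tab.
FETCH_WHEN_EXPIRES, FETCH_AFTER_SECONDS = "when_expires", "after_seconds"


@dataclass
class Crl:
    issuer: str
    next_update: datetime              # the CRL's nextUpdate field
    revoked: frozenset = frozenset()   # revoked certificate serial numbers (constructed)


@dataclass
class CrlCache:
    """Constructed model of the Module's CRL cache (not Check Point's implementation)."""
    cache_on_module: bool = True
    mode: str = FETCH_WHEN_EXPIRES
    refetch_after: int = 0             # seconds; used only in FETCH_AFTER_SECONDS mode
    _entries: dict = field(default_factory=dict)   # issuer -> (crl, fetched_at)
    fetches: int = 0                   # how many times the repository was contacted

    def get(self, issuer: str, now: datetime, fetch) -> Crl:
        """Return a CRL for issuer, contacting the repository (the fetch callable)
        only when caching is off or the cached copy has aged out under the chosen mode."""
        entry = self._entries.get(issuer)
        if entry is not None and self.cache_on_module:
            crl, fetched_at = entry
            if self.mode == FETCH_WHEN_EXPIRES and now <= crl.next_update:
                return crl
            if (self.mode == FETCH_AFTER_SECONDS
                    and now < fetched_at + timedelta(seconds=self.refetch_after)):
                return crl
        crl = fetch(issuer)
        self.fetches += 1
        if self.cache_on_module:
            self._entries[issuer] = (crl, now)
        return crl


def certificate_is_revoked(serial: int, crl: Crl, now: datetime) -> bool:
    # A stale CRL is no evidence either way. The "Fetch new CRL after" mode can
    # hand one back, so validation refuses it rather than treating the certificate
    # as good (this check is the example's own, not stated on the page).
    if now > crl.next_update:
        raise ValueError(f"CRL from {crl.issuer} expired at {crl.next_update:%Y-%m-%d %H:%M}")
    return serial in crl.revoked


def parse_dn(dn: str) -> list:
    """Split 'cn=alice,ou=eng,o=example,c=uk' into [('cn', 'alice'), ...],
    lower-cased for comparison. Assumes no escaped commas inside values."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_in_branches(subject_dn: str, branches) -> bool:
    """'Allow only certificates from the listed branches': the subject DN must end
    with one of the branch DNs, compared RDN by RDN, never as a substring."""
    subject = parse_dn(subject_dn)
    for branch in branches:
        rdns = parse_dn(branch)
        if rdns and subject[-len(rdns):] == rdns:
            return True
    return False
```

Comparing whole RDNs is what keeps "o=evilexample" from passing a branch of "o=example"; a plain string suffix test would accept it.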

SecuRemote DNS
The SecuRemote DNS Server is an internal server that can resolve internal names to
unregistered (RFC 1918) IP addresses. It is best to encrypt the DNS resolution of these
internal names. Not all DNS traffic should be encrypted, as this would mean that every DNS
resolution would require authentication.

SecuRemote DNS General Tab


Name— the name of the SecuRemote DNS Server
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this SecuRemote
DNS Server is selected.
Color — the color of the server’s icon


Select the desired color from the drop-down list. The SecuRemote DNS Server will then
be represented by this color throughout the SmartMap.
Host — Select the host on which the SecuRemote DNS Server is running from the
drop-down menu. The host must be defined as a network object.
SecuRemote DNS Properties Window — Domains Tab

Name — the name of the domain for which the DNS Server resolves names, e.g.
checkpoint.com.
Maximum Prefix Label Count — the maximum number of labels that may precede the domain
name and still be resolved (for example, xxx.hello.com has one label preceding hello.com).
For example, if the domain name is “checkpoint.com” and the maximum prefix label count is
“1” then the SecuRemote DNS Server will try to resolve and encrypt
“www.checkpoint.com” or “whatever.checkpoint.com” but not
“www.internal.checkpoint.com.”
To add a new Domain, click the Add button.
FIGURE 10-3 SecuRemote DNS Server Domain window

Domain Suffix: — the domain suffix for which the DNS Server resolves names
Match only *.suffix — If this option is selected, the maximum number of labels resolved will be
1.
Match up to...labels preceding the suffix — Select the maximum number of labels to
Domains can also be edited or deleted by selecting either the Edit or Remove button.
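The suffix and prefix-label rule described above, as an added Python example (not Check Point code; the names DnsDomain, prefix_label_count, matches and should_encrypt are hypothetical). It assumes, from the wording “Match only *.suffix”, that at least one label must precede the suffix, and it compares label by label so that a name such as “www.notcheckpoint.com” is never taken to belong to “checkpoint.com”.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Check Point code); names are hypothetical. Assumption:
# at least one label must precede the suffix, as "Match only *.suffix" implies.

@dataclass(frozen=True)
class DnsDomain:
    suffix: str             # e.g. "checkpoint.com"
    max_prefix_labels: int  # "Match only *.suffix" corresponds to 1

def _labels(name: str) -> List[str]:
    # Case-insensitive; a trailing dot ("www.checkpoint.com.") is ignored.
    return [label for label in name.lower().rstrip(".").split(".") if label]

def prefix_label_count(name: str, suffix: str) -> Optional[int]:
    """Number of labels preceding suffix, or None if name is not under it.

    The comparison is label-wise, so "notcheckpoint.com" is never treated
    as belonging to the suffix "checkpoint.com".
    """
    n, s = _labels(name), _labels(suffix)
    if len(n) <= len(s) or n[-len(s):] != s:
        return None
    return len(n) - len(s)

def matches(domain: DnsDomain, name: str) -> bool:
    count = prefix_label_count(name, domain.suffix)
    return count is not None and 1 <= count <= domain.max_prefix_labels

def should_encrypt(domains: List[DnsDomain], name: str) -> bool:
    """True if the query for name goes (encrypted) to the SecuRemote DNS Server."""
    return any(matches(d, name) for d in domains)
```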

OPSEC Servers and Clients

In This Section

OPSEC Application Properties Window — General Tab page 373
Managing OPSEC Products From the SmartDashboard page 377
OPSEC Definition Window — UFP Options Tab page 383
OPSEC Definition Window — AMON Options Tab page 384
OPSEC Definition Window — CPMI Permissions page 384
OPSEC UFP and CVP Groups page 384

Open Platform for Security (OPSEC) is the industry standard for integrated internet security.
An OPSEC application is an application developed by a third party which provides additional
functionality to VPN-1/FireWall-1. This section explains the OPSEC server applications.
OPSEC Server applications provide added functionality for scanning the content of data
streamed through VPN-1/FireWall-1, disallowing connections to selected URLs based on
third party software definitions, and enabling third party applications to export their status to
VPN-1/FireWall-1.
OPSEC continually delivers the broadest range of integrated security solutions for a variety of
deployment platforms. For more information on OPSEC products see:
http://www.checkpoint.com/opsec/.
An OPSEC session is a dialog between two OPSEC entities (example: a Client and a Server).
Use the General tab to define an OPSEC application.
When a Check Point Module or SmartCenter Server is upgraded to Next Generation, the
information in the fwopsec.conf file about the associated OPSEC application is used to update
the objects.C file. The OPSEC object in the OPSEC Definition window is automatically
defined, and all the parameters are set.

Note - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.

FIGURE 10-4 shows the interplay between the OPSEC Environment, entities and sessions.
FIGURE 10-4 OPSEC Environment, Entity and Session
[Figure: three machines (A, B and C), each running an OPSEC environment containing OPSEC
processes and entities; the LEA Server, LEA Client, SAM Server and SAM Client entities are
joined by OPSEC sessions.]


Defining OPSEC Applications


To define an OPSEC Application Server or Client entity, choose OPSEC Application(s) in one
of the following three ways:
• In the Object Tree, right-click OPSEC Applications and select New OPSEC
Application, or
• select Properties from the Manage menu and open the OPSEC Application window.
If you selected OPSEC Applications via the Manage menu or the toolbar, the objects
displayed depend on what you have selected from the Show drop-down list. If you selected
OPSEC Applications from the Object Tree, the OPSEC Applications window is not displayed.

TABLE 10-5 OPSEC applications actions

for a description of how to ... | ... see
create a new OPSEC application object | “Creating a New OPSEC Application” on page 373
edit an OPSEC application object | “Editing an OPSEC Application” on page 373
delete an OPSEC application object | “Editing an OPSEC Application” on page 373

Creating a New OPSEC Application


To create a new OPSEC application from the toolbar or from the Manage menu, click New. A
menu is displayed, listing the types of servers you can create. The same menu is displayed if you
created your application via the Object Tree by right-clicking.
A window is displayed prompting you to enter the properties of the selected server type.
Choose OPSEC Application from the menu and click OK.

Note - Both CVP and UFP Groups enable Load Sharing. CVP groups also enable chaining.
For information about creating CVP or UFP Groups see “Implementation of Chaining and
Load Sharing” on page 386.

Editing an OPSEC Application


To edit an OPSEC Application Object, select the OPSEC Application and click Edit, or
double-click the OPSEC Application.

Deleting an OPSEC Application


To delete an OPSEC Application Object, select the OPSEC Application Object and click
Remove.

OPSEC Application Properties Window — General Tab


Name — the OPSEC Application name


Comment — descriptive text


This text is displayed in the Objects list and in the Object window when this item is selected.
Color — the color of the object’s icon
Select the desired color from the drop-down list.
Host — the host on which the server is running
Several OPSEC applications can reside on a single host.

Note - The host should have already been defined as a network object (see “Network
Objects” on page 180).

Application properties — There are two ways to define OPSEC application objects. One is by
manually defining OPSEC properties; the other is by referencing predefined OPSEC product
objects.
• Manually Defining an OPSEC Application Object
Choose User Defined as the Vendor (this is the default). Manually choose the applicable server
and client entities by checking the relevant boxes.
• Referencing an OPSEC Product Object
Choose the vendor, product and version from the predefined list. All server and client entities
will be chosen for you and you cannot change them. If you want to add to the predefined
OPSEC Product Object list, see the RA documentation. (Check Point Roaming Administrator
Utility NG FP2).
Vendor — Select a vendor.
Product — Selecting a product will automatically select the appropriate entities.
Version — When applicable, a choice of product version numbers will appear.
Activate — Specific products include certain actions.
For more information, see “Selecting an OPSEC Command” on page 377.


OPSEC Services Server and Client Entities — An OPSEC application can contain both client
and server entities.

TABLE 10-6 Description of OPSEC Server and Client Entities

entities | server or client | expansion of acronym | ...which is used | ...see
CVP | server | Content Vectoring Protocol | for scanning the content of data streamed through VPN-1/FireWall-1 | “Definition Window — CVP Options Tab” in Chapter 10, “Server Objects and OPSEC Applications”
UFP | server | URL Filtering Protocol | for disallowing connections to selected URLs based on third party software definitions | “OPSEC Definition Window — UFP Options Tab” in Chapter 10, “Server Objects and OPSEC Applications”
AMON | server | Application Monitoring API Specification | for enabling third party applications to export their status to | “OPSEC Definition Window — AMON Options Tab” in Chapter 10, “Server