
SECURITY CHANGE MANAGER WORKING WITH CHECK POINT FIREWALL-1 AND NG

DEVICE PACK 4.5


MARCH 2010

Working with Check Point FireWall-1 and NG
Revision 17
Manual reference: udoc-sps-00533-en
Author(s): Documentation Team

The information contained in this document may be subject to modification without prior notice, and LogLogic assumes no responsibility for any errors that may appear in it. This documentation concerns LogLogic's software Security Change Manager 8.2.

Copyright 2010 LogLogic. All rights reserved. The product described in this document is protected by French patent number FR97/13254 and may be protected by other US patents, foreign patents or pending applications. Solsoft and Exaprotect are trademarks of EPT Software Group. All other products mentioned herein are trademarks or registered trademarks of their respective owners.

Table of Contents
1. Installation ..... 1
1.1. System Requirements ..... 1
1.1.1. Device OS Versions Supported ..... 1
1.1.2. Licenses ..... 1
1.2. Installation ..... 1
1.3. Limitations ..... 1
1.3.1. Case Sensitivity ..... 1
2. Features supported on Check Point FireWall-1 ..... 3
2.1. Global Features Support ..... 3
2.2. Firewall Features ..... 3
2.3. NAT Features ..... 5
2.4. VPN Features ..... 6
2.5. Management Server Features ..... 7
3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1 ..... 9
3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction ..... 9
3.2. Check Point FireWall-1 Management Server Object ..... 10
3.2.1. Management Server ..... 11
3.2.2. Management Station ..... 11
3.2.3. Two Kinds of PEPs ..... 11
3.2.4. Management Server/PEP Compatibility Matrix ..... 11
3.3. Generation Process ..... 11
3.3.1. Process ..... 11
3.3.2. Difference between a Translated Object and a Generated Object ..... 12
3.4. Naming Rules for Check Point FireWall-1 Objects ..... 12
3.4.1. Example ..... 12
3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects ..... 14
3.4.3. Object Colors ..... 14
3.5. Upload Preparation ..... 14
3.6. Upload Process ..... 14
4. How Security Change Manager Objects Map to Check Point FireWall-1 ..... 15
4.1. Translation of Network Objects ..... 15
4.2. Translation of Class Objects ..... 16
4.3. Translation of Management Server Objects ..... 16
4.3.1. Check Point Host Default Fields or Check Point Gateway ..... 17
4.3.2. Check Point FireWall-1 Interoperable Default Fields ..... 18
4.4. Translation of Nexus Objects ..... 18
4.5. Translation of PEP Objects ..... 18
4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP ..... 18
4.5.2. Specific Translated Fields ..... 18
    Log ..... 18
    Interface Netmask ..... 19
    Anti-Spoofing ..... 19
4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields ..... 19
    Process ..... 19
4.6. Translation of Services ..... 19
4.6.1. Generation Process ..... 19
    Principle ..... 19
    Syntax of the Mapping Table ..... 20
    Example ..... 20
4.6.2. A Translated Security Change Manager Service ..... 20
    Naming Convention ..... 21
    Security Change Manager IGMP Translated Fields ..... 21
4.7. Translation of Implicit Generated Objects ..... 21
4.7.1. Anti-spoofing ..... 22
4.7.2. Expand Internet: Objects Generated ..... 22
4.8. Translation of Permissions ..... 22
4.9. Translation of Time Definition Rules ..... 22
4.9.1. What cannot be translated ..... 22
4.10. Translation of NAT Rules ..... 22
4.10.1. Example ..... 22
4.10.2. Rules ..... 23
4.10.3. Security Change Manager NAT Rules Translated Fields ..... 23
4.11. Translation of Limited Path Zones ..... 24
4.12. Translation of Default Objects ..... 24
4.12.1. All Networks ..... 24
4.12.2. All PEPs ..... 24
4.13. Translation of User Authentication ..... 24
5. How to Define and Deploy a Security Policy on Check Point FireWall-1 ..... 27
5.1. First Use of Check Point FireWall-1 ..... 27
5.1.1. SSL Certification and Encryption Procedure ..... 27
5.1.2. Clear OPSEC Connection Type Procedure ..... 31
5.2. Configure a Check Point GX Management Server ..... 32
5.2.1. First step: Creating custom services and defining the policy ..... 33
5.2.2. Second step: Defining precisely the custom services ..... 33
5.3. Define and Deploy a Policy ..... 35
5.3.1. Step 1: Defining the Secure Topology ..... 35
5.3.2. Step 2: Security Policy Definition ..... 39
5.3.3. Step 3: Audit ..... 39
5.3.4. Step 4: Define Rules ..... 39
5.3.5. Step 5: Compile the Security Policy ..... 39
5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server ..... 40
    Prerequisites ..... 40
    Procedure ..... 40
5.3.7. Step 7: Deploy the Policy ..... 40
5.4. Define and Manage an Existing Policy ..... 41
5.4.1. Purpose ..... 41
5.4.2. Prerequisites ..... 41
5.4.3. Step 1: Perform a Check Point FireWall-1 Import ..... 41
5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import ..... 42
5.4.5. Other Steps ..... 43
5.5. Create an Authentication Rule ..... 43
6. How to Perform an Import from Check Point FireWall-1 ..... 45
6.1. What will be Imported/not Imported ..... 45
6.2. Performing a Standard Import from Check Point FireWall-1 ..... 49
6.2.1. Step 1: Create and Configure a Management Server ..... 49
6.2.2. Step 2: Perform the Import ..... 52
6.2.3. Step 3: Add the Missing Topology ..... 54
6.2.4. Step 4: Connect and Group Attached Objects ..... 54
6.2.5. Step 5: Various Checks to Perform ..... 55
6.3. Performing a Local Import of Check Point FireWall-1 Policy ..... 56
6.4. Cleaning the Database Before Upload ..... 60
7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager ..... 63
7.1. First-Time: Define Non-supported Concepts on the Management Server ..... 63
7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server ..... 63
7.1.2. Step 2: Add Specific Properties ..... 64
7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager ..... 64
7.1.4. Step 4: Define the Include Rules/Create a New Policy on the Real Management Server ..... 64
7.1.5. Step 5: Modify the Management Server Options ..... 64
7.1.6. Step 6: Upload ..... 65
7.2. How to Manage User Groups ..... 65
8. Client-to-Gateway VPN on Check Point FireWall-1 NG ..... 67
8.1. Procedure ..... 67
8.1.1. On the Check Point FireWall-1 ..... 67
8.1.2. On the Management Server ..... 68
8.1.3. PEPs Supporting Remote Access ..... 68
8.1.4. Specific Parameters ..... 68
    On the device VPN node ..... 68
8.1.5. Implicit Permissions ..... 69
8.2. VPN Limitations ..... 70
8.2.1. Global Limitations ..... 70
    VPN-1 Net ..... 70
    DES-40 and CAST-40 ..... 70
    Multiple Entry Point VPNs (MEP) ..... 70
8.2.2. Remote Access Limitations ..... 70
    User Groups ..... 70
    Office Mode is disabled on the gateway ..... 70
    IP pool is defined through a DHCP server ..... 70
    Hybrid Mode ..... 70
    Enable VPN routing ..... 70
    Desktop security policy ..... 70
    Visitor Mode ..... 70
    Transparent mode ..... 70
    Clientless VPN ..... 71
    IPsec/L2TP tunnels ..... 71
    Number of tunnels ..... 71
8.2.3. First-time Upload of a VPN Policy ..... 71
9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI ..... 73
9.1. Procedure ..... 73
9.1.1. On the Security Change Manager ..... 73
9.1.2. On the Check Point FireWall-1 Management Server ..... 73
    Procedure ..... 73
9.1.3. VPN Domains ..... 74
9.2. VPN Limitations ..... 74
9.2.1. Global Limitations ..... 75
    VPN-1 Net ..... 75
    DES-40 and CAST-40 ..... 75
    Multiple Entry Point VPNs (MEP) ..... 75
9.2.2. Site-to-site limitation ..... 75
    Usage of the Simplified Mode ..... 75
10. Check Point FireWall-1 Cluster Management ..... 77
10.1. Procedure ..... 77
10.1.1. On the Check Point FireWall-1 Management Server ..... 77
10.1.2. On the Security Change Manager Designer ..... 77
10.2. Limitations ..... 81
11. Provider-1 Management Server Installation ..... 83
11.1. Adding a Provider-1 Management Server ..... 83
12. Check Point FireWall-1 Properties Windows ..... 85
12.1. Description ..... 85
12.2. General Options ..... 85
12.2.1. Security Profile ..... 87
    Common Security Parameters ..... 88
    Replace Address ..... 90
    Replace Service ..... 92
12.2.2. Virtual System ..... 93
12.2.3. Authentication ..... 93
    Enabled Authentication Schemes ..... 93
    Authentication Settings ..... 93
    HTTP Security Server ..... 94
12.3. Policy Learning Mode ..... 95
12.4. Common Interface Options ..... 95
12.5. Interface Options ..... 96
12.5.1. Security Profile ..... 98
    Common Security Parameters ..... 98
    Replace Address ..... 100
    Replace Service ..... 101
12.5.2. IP Addresses ..... 102
    Static IP Addresses ..... 102
    Dynamic Addresses Pool ..... 102
    IP Addresses ..... 102
12.6. VPN Options ..... 104
12.6.1. IKE Capabilities ..... 104
12.6.2. IPSec Capabilities ..... 105
12.6.3. Remote Access VPN ..... 105
12.7. Upload Configuration ..... 106
12.8. Tunnel Peer Options ..... 107
12.8.1. Interface ..... 108
12.9. Authentication User Definition ..... 108
12.9.1. flowListIn ..... 111
12.9.2. flowListOut ..... 111
12.9.3. flowListExternal ..... 111
13. Check Point FireWall-1 Cluster Properties Windows ..... 113
13.1. Description ..... 113
13.2. General Options ..... 113
13.2.1. Security Profile ..... 115
    Common Security Parameters ..... 116
    Replace Address ..... 119
    Replace Service ..... 120
13.2.2. Authentication ..... 121
    Enabled Authentication Schemes ..... 121
    Authentication Settings ..... 122
    HTTP Security Server ..... 123
13.3. Cluster Options ..... 123
13.3.1. Availability Parameters ..... 123
13.3.2. Synchronization ..... 126
    Synchronization Networks ..... 126
13.4. Policy Learning Mode ..... 126
13.5. Common Interface Options ..... 127
13.6. Interface Options ..... 128
13.6.1. Security Profile ..... 130
    Common Security Parameters ..... 130
    Replace Address ..... 131
    Replace Service ..... 132
13.6.2. IP Addresses ..... 133
    Static IP Addresses ..... 133
    Dynamic Addresses Pool ..... 133
    IP Addresses ..... 134
13.7. VPN Options ..... 135
13.7.1. IKE Capabilities ..... 135
13.7.2. IPSec Capabilities ..... 136
13.7.3. Remote Access VPN ..... 136
13.8. Tunnel Peer Options ..... 137
13.8.1. Interface ..... 139
13.9. Authentication User Definition ..... 139
13.9.1. flowListIn ..... 142
13.9.2. flowListOut ..... 142
13.9.3. flowListExternal ..... 142
14. FireWall-1 Management Server Properties Windows ..... 143
14.1. Description ..... 143
14.2. General Options ..... 143
14.2.1. Include Policy ..... 144
14.2.2. Security Server ..... 144
    HTTP Servers ..... 145
        HTTP Server ..... 145
14.2.3. Authentication ..... 145
    Failed Authentication Attempts ..... 145
    Authentication of Users with Certificates ..... 146
    Early Versions Compatibility ..... 146
14.2.4. Local Security Policy ..... 147
14.2.5. VPN ..... 149
    CRL Grace Period ..... 149
    IKE Denial of Service protection ..... 150
    Remote Access ..... 150
        Certificates ..... 151
        Secure Configuration Verification ..... 152
14.2.6. GTP Services ..... 153
    GTP Service ..... 153
14.2.7. Import ..... 154
14.3. Upload Configuration ..... 155
14.3.1. Connection Options ..... 155
14.3.2. Paths ..... 156
14.3.3. Authentication ..... 156
14.3.4. Prompts ..... 157
14.3.5. FireWall-1 Options ..... 157
15. Provider-1 Management Server Properties Windows ..... 159
15.1. Description ..... 159
15.2. General Options ..... 159
15.2.1. Managed CMAs ..... 159
Index ..... 161

List of Figures
3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts ..... 9
3.2. Compilation, Preparation Upload, and Upload ..... 10
4.1. An Example of a NAT Rule ..... 23
5.1. Creation of new OPSEC Application in SmartDashboard ..... 28
5.2. CPMI option enabled ..... 28
5.3. SSL Certification and Encryption Option ..... 29
5.4. Getting Certificate Dialog Box ..... 30
5.5. Clear Option ..... 32
5.6. Creation of a custom gtpv1 service cloning the existing gtpv1
5.7. Defining security policy using custom service ..... 33
5.8. Activation of Check Point GX options in Management Server Properties ..... 34
5.9. GTP Service options ..... 34
5.10. Implicit Rules: Local Security Policy ..... 36
5.11. Security Server ..... 36
5.12. Authentication: Failed Authentication Attempts ..... 37
5.13. Authentication: Users with certificates ..... 37
5.14. Authentication: Early Versions Compatibility ..... 37
5.15. Upload Configuration: Connection Options ..... 38
5.16. Add Managed PEPs ..... 38
6.1. Management Server Properties: Identification ..... 50
6.2. Management Server Properties: Upload Configuration: Connection Options ..... 50
6.3. Management Server Properties: Upload Configuration: Authentication (NG) ..... 51
6.4. Management Server Properties: Upload Address ..... 52
6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported ..... 52
6.6. CheckPoint Import Report ..... 53
6.7. Synchronization Network on Cluster ..... 55
6.8. Policy Audit Through Report interface selection ..... 56
6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file ..... 56
6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file ..... 57
6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported ..... 58
6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported ..... 58
6.13. CheckPoint Import Report ..... 59
6.14. CheckPoint Import Terminated ..... 60
6.15. Options: Clean Database Before Upload ..... 60
7.1. Upload Configuration Set to Copy Only ..... 65
9.1. VPN Domain Deduction ..... 74
10.1. SIC Authentication Key Activated ..... 77
10.2. Management Server Referenced on the Cluster ..... 78
10.3. Cluster XL Enabled Option ..... 78
10.4. Selection of Cluster Members ..... 79
10.5. Selection of Availability Operation Mode ..... 79
10.6. Selection of Synchronization Network ..... 80
10.7. Example of Cluster ..... 81

List of Tables
2.1. Global Features Support ................................................................................... 3 2.2. Firewall Features ............................................................................................. 3 2.3. Description of Features listed in Table 2.2, Firewall Features ................................ 4 2.4. NAT Features ................................................................................................. 5 2.5. Description of Features listed in Table 2.4, NAT Features .................................... 5 2.6. VPN Features ................................................................................................. 6 2.7. Management Server Features ............................................................................. 7 3.1. Management Server/PEP Compatibility Matrix ....................................................11 3.2. Prefixes of the All Generated Objects .................................................................12 3.3. Example of the Translation of a Class into Check Point FireWall-1 group .................13 3.4. Comments Generated by Check Point FireWall-1 Objects ......................................14 4.1. Security Change Manager Network Object Rules .................................................15 4.2. Security Change Manager Class Object Rules ......................................................16 4.3. Translation of Specific Fields ...........................................................................16 4.4. SCM Log Numbers .........................................................................................18 4.5. Translated Security Change Manager Service ......................................................21 4.6. Security Change Manager Permission Fields .......................................................22 4.7. Security Change Manager NAT Fields ...............................................................24 5.1. 
Define a rule on the Management Server .............................................................41 6.1. What will be imported/ not imported from Check Point FireWall-1 NG and NG AI .....46 8.1. VPN: Specific Parameters ................................................................................68


Chapter 1. Installation
1.1. System Requirements ....................................................................................... 1 1.1.1. Device OS Versions Supported ................................................................ 1 1.1.2. Licenses .............................................................................................. 1 1.2. Installation ..................................................................................................... 1 1.3. Limitations .................................................................................................... 1 1.3.1. Case Sensitivity .................................................................................... 1

The synergy between Check Point FireWall-1 and Security Change Manager means increased productivity for the network administrator who must develop rational security policies for complex networks.

1.1. System Requirements


1.1.1. Device OS Versions Supported
For the Check Point FireWall-1 PEPs: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70.
For the Check Point FireWall-1 Cluster: NG FP3, NG AI, NGX (R60, R62, R65), VSX NGX (R65), R70.
For the FireWall-1 Management Server: NG FP3, NG AI, NGX (R60, R62, R65), R70.
For Provider-1: NGX R65 is supported.
The following devices are also supported:
Nortel Networks Alteon Switched Firewall: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70
Nortel Networks ASF Cluster: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70

1.1.2. Licenses
You must have purchased and installed the special Security Change Manager option for use with Check Point FireWall-1. If you do not have this license, you will not be able to create a FireWall-1 PEP or a management server.

1.2. Installation
Follow the directions in the Security Change Manager Installation Guide.

1.3. Limitations
1.3.1. Case Sensitivity
Check Point FireWall-1 NG is case sensitive. Two objects can therefore be created with the same name in different cases, but Security Change Manager will not manage them as two distinct devices.

Chapter 2. Features supported on Check Point FireWall-1


2.1. Global Features Support ................................................................................... 3 2.2. Firewall Features ............................................................................................. 3 2.3. NAT Features ................................................................................................. 5 2.4. VPN Features ................................................................................................. 6 2.5. Management Server Features ............................................................................. 7

This chapter presents the various Check Point FireWall-1 NG SmartCenter Server features and indicates whether they are supported by Security Change Manager.

Legend for all the following tables:
Yes: Supported by Security Change Manager
No: Not supported by Security Change Manager
N/A: Not Applicable

2.1. Global Features Support


Table 2.1. Global Features Support
Feature     | SCM Support
Firewall    | Yes
NAT         | Yes
VPN         | Yes
Management  | Yes
Import      | Yes

2.2. Firewall Features


Table 2.2. Firewall Features
Feature                    | SCM Support
ICMP Error                 | Yes
Thorough Logging           | Yes
Central Filtering          | Yes
TCP Established            | Yes
ICMP Filtering             | Yes
Extended IP Filtering      | Yes
Stateful Filtering         | Yes
Time Control Filtering     | Yes
Flow Authentication        |
  Internal User DB         | Yes
  External User DB         | Yes
Clustering Support         |
  Failover                 | Yes
  Load Balancing           | Yes
  IPsec cluster            | Yes

Table 2.3. Description of Features listed in Table 2.2, Firewall Features (page 3)

ICMP Error: The PEP is able to generate by default on denied access an ICMP error message (destination net unreachable) and Security Change Manager is able to configure the device accordingly.
Thorough Logging: The PEP is able to log accepted and refused flows and Security Change Manager is able to configure the device accordingly.
Central Filtering: The PEP is able to perform filtering in its routing table, rather than in its interfaces, and Security Change Manager is able to configure the device accordingly.
TCP Established: The PEP is able to distinguish between a TCP packet used to request establishment of a connection and a standard TCP packet, and Security Change Manager is able to configure the device accordingly. This makes it possible to specify the direction of the TCP flow.
ICMP Filtering: The PEP is able to filter the ICMP protocol and Security Change Manager is able to configure the device accordingly.
Extended IP Filtering: The PEP is able to filter an arbitrary IP protocol other than ICMP, UDP, or TCP and Security Change Manager is able to configure the device accordingly.
Stateful Filtering: The PEP is able to perform dynamic filtering and Security Change Manager is able to configure the device accordingly.
Time-controlled Filtering: The PEP is able to use time filtering and Security Change Manager is able to configure the device accordingly.
Flow Authentication: The PEP is able to use an external User DB for flow authentication. Security Change Manager is able to configure the device to use this DB.

2.3. NAT Features


Table 2.4. NAT Features
Feature                      | SCM Support
Source NAT                   |
  Static                     | Yes
  Unistatic                  | Yes
  Pool                       | N/A
  PAT                        | Yes
  Masquerading               | Yes
Destination NAT              |
  Static                     | Yes
  Unistatic                  | Yes
  Pool                       | N/A
Service NAT                  | Yes
Restrict Application Point   | No

Table 2.5. Description of Features listed in Table 2.4, NAT Features (page 5)

Static: Capacity to support bi-directional static translation. An address that is translated in this manner will be statically transformed for both outgoing connections and incoming connections.
Unistatic: Capacity to support uni-directional static translation. A typical example is when one server is to be made available from outside with static translation for incoming communication and the server performing outgoing communication will be masqueraded.
Pool: Capacity to support address translation through an address pool.
PAT: Capacity to support Port Address Translation.
Masquerading: Capacity to support Masquerading type of translation (use of the outgoing firewall interface as the source address).
Service NAT: Ability to define NAT transformations restricted to selected IP services.
Restrict Application Point: Ability to apply a NAT rule on a specific interface of the Policy Enforcement Point, thus not affecting traffic not going through this interface.

2.4. VPN Features


Table 2.6. VPN Features
Feature                          | SCM Support
Gateway - Gateway IPsec VPN      |
  PSK Auth Method                | PSK set manually on SmartCenter (CPMI limitation)
  RSA-Sig Auth Method (PKI)      | Yes
  NAT Traversal                  | Yes
  IPsec Keepalive                | N/A
  Dynamic Peer Address           | No
Client - Gateway IPsec VPN       |
  PSK Auth Method                | Yes (PSK set manually on SmartCenter (CPMI limitation))
  RSA-Sig Auth Method (PKI)      | Yes
  Internal User Database         | Yes
  External User Database         | Yes
  Split Tunnelling Management    | Yes
  NAT Traversal                  | Yes
Encryption Support               |
  DES                            | Yes
  3DES                           | Yes
  AES (multiple types)           | Yes

2.5. Management Server Features


Table 2.7. Management Server Features
Feature                                  | SCM Support
Communication Method                     |
  SNMP                                   | No
  Refresh                                | Yes, with SSL Certificate & Encryption (OPSEC)
  Encrypted Upload                       | Yes, with definition of the OPSEC Application Distinguished Name (in the Management Server properties)
  Upload Clear (less secure)             | Yes
Management Authentication                |
  Internal User database                 | N/A
  External Authentication Methods list   | Yes
Failsafe Rollback                        | No
Log                                      |
  Logging Server Configuration           | No
Policy Learning Mode                     | Yes
Import                                   | Yes
Clustering Support                       |
  Failover                               | Yes
  Load Balancing                         | Yes
  IPsec cluster                          | Yes

Chapter 3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1
3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction .......... 9 3.2. Check Point FireWall-1 Management Server Object .............................................10 3.2.1. Management Server .............................................................................11 3.2.2. Management Station .............................................................................11 3.2.3. Two Kinds of PEPs ..............................................................................11 3.2.4. Management Server/PEP Compatibility Matrix .........................................11 3.3. Generation Process .........................................................................................11 3.3.1. Process ..............................................................................................11 3.3.2. Difference between a Translated Object and a Generated Object ...................12 3.4. Naming Rules for Check Point FireWall-1 Objects ...............................................12 3.4.1. Example ............................................................................................12 3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects ................................................................14 3.4.3. Object Colors ......................................................................................14 3.5. Upload Preparation .........................................................................................14 3.6. Upload Process ..............................................................................................14

This section describes a number of concepts with which you should be familiar before you learn to upload and compile your policies to a Check Point FireWall-1 PEP.

3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction
Figure 3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts

With Security Change Manager Designer you can define a global security policy for all PEPs that Security Change Manager manages. To manage a Check Point FireWall-1, Security Change Manager updates and enforces the Security Policy on the Check Point FireWall-1 Management Server using the OPSEC CPMI API on NG. Therefore, with Security Change Manager you can define all the permissions. As for other PEPs, it automatically determines the enforcement points and the anti-spoofing rules attached to each interface. For the Check Point FireWall-1 concepts that Security Change Manager does not support, a specific generation process has been implemented so that they can still be used. Please see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page 63) for further information.

Figure 3.2. Compilation, Preparation Upload, and Upload

3.2. Check Point FireWall-1 Management Server Object



3.2.1. Management Server


Security policy is enforced directly on all other PEPs managed by Security Change Manager. However, on a Check Point FireWall-1 PEP, the security policy is uploaded to the Check Point FireWall-1 management server, then Security Change Manager sends the commands to the Check Point FireWall-1 management server to compile and install the security policy on the PEP that it manages. Therefore, a new object in the Security Change Manager map represents the management server object.

3.2.2. Management Station


In this document, when the term "management station" is used, it refers to the station where the management server is installed.

3.2.3. Two Kinds of PEPs


There are two kinds of PEPs:
Directly Managed PEP: A PEP that can be managed directly from Security Change Manager. Security Change Manager can upload directly on this PEP.
Indirectly Managed PEP: A PEP that can be managed only through a Management Server object. Security Change Manager can only upload on the management server. It is the management server that will upload on the PEPs.

3.2.4. Management Server/PEP Compatibility Matrix


The following table shows the PEPs that can be managed by each type and version of a management server. Note that Check Point FireWall-1 NGX R63 is not supported by Security Change Manager.

Table 3.1. Management Server/PEP Compatibility Matrix


Management Server Type & Version      | Indirectly Managed PEP Type & Version
Check Point FireWall-1 NG FP3         | Check Point FireWall-1 4.1, NG FP1 to FP3
Check Point FireWall-1 NG AI R55      | Check Point FireWall-1 4.1, NG FP1 to NG AI
Check Point FireWall-1 NGX R62        | Check Point FireWall-1 NGX R60 to R62, NG FP3, NG AI to FP3
Check Point FireWall-1 NGX R65        | Check Point FireWall-1 NGX R60 to R65, NG FP3, NG AI to FP3
Provider-1 NGX R65                    | Check Point FireWall-1 NGX R60 to R65, NG FP3, NG AI to FP3

3.3. Generation Process


3.3.1. Process
When translating a SCM object into a Check Point FireWall-1 object, the generation process creates the Check Point FireWall-1 object from the properties set on the SCM network object, and patches the Check Point FireWall-1 object properties that are not managed in Security Change Manager. The Check Point FireWall-1 specific object properties come either from a default object provided by Security Change Manager or from an object whose properties not managed by Security Change Manager have been set on the management server.

3.3.2. Difference between a Translated Object and a Generated Object


A translated object is a SCM object that corresponds to one Check Point FireWall-1 object. This object can be used in security policy rules because it will not change its name, even if its contents (for instance, addresses) change. In other words, the object existed as an object in Security Change Manager and this object can be used in Check Point FireWall-1.

A generated object is a SCM object that needed to be created to match the Security Change Manager set of IP addresses or to enforce an option such as anti-spoofing. In other words, the object did not exist as an object in Security Change Manager and this object had to be invented in order for it to be used in Check Point FireWall-1. Refer to Table 3.3, Example of the Translation of a Class into Check Point FireWall-1 group (page 13).

3.4. Naming Rules for Check Point FireWall-1 Objects


The following rules are applied for the translated Security Change Manager name:
1. Each character that is not allowed by Check Point FireWall-1 is replaced by a '_', except for the first character (because '_' is not allowed there), where a 'Z' is used instead. The character set allowed by Check Point FireWall-1 is: [A-z] [A-z 0-9_-.]*
2. The name is truncated to 90 characters.

Note
When you look at a class or management server assigned inside a network, nexus, or a PEP, it will be translated as in the example below: Network/class will be network_class.
Recommendation: Create names that begin with a letter and have a length of less than 90 characters in order to locate them easily in the Check Point FireWall-1 Policy Editor.
The following rules are applied for the name of a generated object:
1. Generated objects are prefixed by NP_<Letter>. Please see the table below.
2. The name has a <4 digit> suffix to differentiate each generated Check Point FireWall-1 object name.

3.4.1. Example
When generating two Check Point FireWall-1 objects whose corresponding Security Change Manager network object is @loglogic.fr (domain), the first one is NP_N_Zloglogic_fr__domain__0000, and the second one is NP_N_Zloglogic_fr__domain__0001.
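The naming rules of section 3.4 and the example above, implemented as an added illustration (this is not LogLogic's code and not the algorithm Security Change Manager itself runs). One point the rules leave open is whether '.' survives translation: the listed character set mentions it, but the worked example turns "loglogic.fr" into "loglogic_fr", so this implementation follows the example and treats only letters, digits, '_' and '-' as allowed; that choice is an inference, as is the per-base counter used for the 4-digit suffix.

```python
import re

# Characters kept as-is, inferred from the page's worked example (which
# replaces the '.' in "loglogic.fr"); letters, digits, '_' and '-'.
_ALLOWED = re.compile(r"[A-Za-z0-9_-]")
_MAX_LEN = 90   # rule 2 of section 3.4


def translate_name(scm_name: str) -> str:
    """Apply the section 3.4 rules to a Security Change Manager object name."""
    if not scm_name:
        raise ValueError("empty object name")
    out = []
    for i, ch in enumerate(scm_name):
        if _ALLOWED.fullmatch(ch) and not (i == 0 and not ch.isalpha()):
            out.append(ch)
        elif i == 0:
            out.append("Z")   # rule 1: the first character must be a letter
        else:
            out.append("_")   # rule 1: any other disallowed character becomes '_'
    return "".join(out)[:_MAX_LEN]   # rule 2: truncate to 90 characters


def name_was_changed(scm_name: str) -> bool:
    """True when the Policy Editor will show a different name than SCM does,
    which is exactly what the page's recommendation tries to avoid."""
    return translate_name(scm_name) != scm_name


class GeneratedNamer:
    """Hands out NP_<Letter>_<translated name>_<4 digits> names for generated
    objects; the counter per base name is an assumption of this example."""

    def __init__(self) -> None:
        self._counters: dict = {}

    def next_name(self, prefix_letter: str, scm_name: str) -> str:
        base = f"NP_{prefix_letter}_{translate_name(scm_name)}"
        n = self._counters.get(base, 0)
        self._counters[base] = n + 1
        return f"{base}_{n:04d}"


if __name__ == "__main__":
    namer = GeneratedNamer()
    for _ in range(2):
        print(namer.next_name("N", "@loglogic.fr (domain)"))
```

Running the block prints the two names quoted in the example above; name_was_changed() is the check to run over an object inventory before an upload when you want SCM names and Policy Editor names to stay identical.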

Table 3.2. Prefixes of the All Generated Objects

Prefix          | Comments
NP_A            | For all generated Check Point FireWall-1 group objects from the Security Change Manager antispoofing option.
NP_C            | For all generated Check Point FireWall-1 objects from Security Change Manager Class.
NP_E            | For all generated Check Point FireWall-1 group objects from Security Change Manager expand internet option.
NP_I            | For the interface name of the Check Point FireWall-1 Interoperable Device generated from the nexus.
NP_N            | For all generated Check Point FireWall-1 objects from Security Change Manager Network.
NP_O_..VFP_..   | For all generated objects for NAT and limited path zones.
NP_R            | For all generated Check Point FireWall-1 range objects from the Security Change Manager NAT rule (in this case the name is built as NP_R<address range>).
NP_S            | For all generated and translated Check Point FireWall-1 services.
NP_T            | For all generated Check Point FireWall-1 time objects from the Security Change Manager Time definition.

Warning
The Security Change Manager objects that become generated objects will be erased, while translated Security Change Manager objects will be patched. That is, all names will be prefixed by NP_<Letter>_.

Table 3.3. Example of the Translation of a Class into Check Point FireWall-1 group
Security Change Manager   | Check Point FireWall-1 Equivalent
@example(ex)              | group will be: Zexample_ex_
                          | Generated network: NP_C_Zexample_ex__001
                          | Generated network: NP_C_Zexample_ex__002

In this example, a Security Change Manager class is translated into a Check Point FireWall-1 group that contains two generated networks from the Security Change Manager class contents.

3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects
The following table shows the comments generated for traceability between Security Change Manager objects and Check Point FireWall-1 objects.

Table 3.4. Comments Generated by Check Point FireWall-1 Objects


Check Point FireWall-1 object type | Comments generated
Translated object                  | Translated from LogLogic <object type> '<object name>' at <Date> {<object comments content>}
Generated object                   | Generated from LogLogic <object type> '<object name>' at <Date>

3.4.3. Object Colors


To differentiate easily translated objects from generated objects, the translated objects are blue and generated objects are cyan. These colors can be customized in the management server properties window (in Upload Configuration->Firewall-1 Options). Please refer to the Security Change Manager Reference Guide for more information.

3.5. Upload Preparation


The Check Point FireWall-1 PEP requires an upload preparation step before upload is carried out. Upload preparation has one or both of the following functions:
Merges a Security Change Manager policy with pre-existing filters loaded in the PEP's memory.
Creates filters combining a Security Change Manager policy definition with a Check Point FireWall-1 object definition that contains concepts not supported by Security Change Manager.
Upload preparation on Check Point FireWall-1 takes many management server parameters into account.

3.6. Upload Process


The upload between Security Change Manager and the Check Point FireWall-1 Management Server uses secure communication through OPSEC CPMI. Upload on the management server allows you to stop the process at different steps by setting the policy parameter in the upload window:
Copy Only: Stops immediately after copying.
Upload on PEPs: Stops after copying, compiling, and uploading the security policy on the PEPs that it manages.


Chapter 4. How Security Change Manager Objects Map to Check Point FireWall-1
4.1. Translation of Network Objects .........................................................................15 4.2. Translation of Class Objects .............................................................................16 4.3. Translation of Management Server Objects .........................................................16 4.3.1. Check Point Host Default Fields or Check Point Gateway ...........................17 4.3.2. Check Point FireWall-1 Interoperable Default Fields ..................................18 4.4. Translation of Nexus Objects ............................................................................18 4.5. Translation of PEP Objects ..............................................................................18 4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP ............18 4.5.2. Specific Translated Fields ......................................................................18 Log ...................................................................................................18 Interface Netmask ................................................................................19 Anti-Spoofing .....................................................................................19 4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields ...........19 Process ..............................................................................................19 4.6. Translation of Services ....................................................................................19 4.6.1. Generation Process ...............................................................................19 Principle .............................................................................................19 Syntax of the Mapping Table ..................................................................20 Example .............................................................................................20 4.6.2. A Translated Security Change Manager Service .........................................20 Naming Convention ..............................................................................21 Security Change Manager IGMP Translated Fields .....................................21 4.7. Translation of Implicit Generated Objects ...........................................................21 4.7.1. Anti-spoofing ......................................................................................22 4.7.2. Expand Internet: Objects Generated ........................................................22 4.8. Translation of Permissions ...............................................................................22 4.9. Translation of Time Definition Rules .................................................................22 4.9.1. What cannot be translated ......................................................................22 4.10. Translation of NAT Rules ..............................................................................22 4.10.1. Example ...........................................................................................22 4.10.2. Rules ...............................................................................................23 4.10.3. Security Change Manager NAT Rules Translated Fields ............................23 4.11. Translation of Limited Path Zones ...................................................................24 4.12. Translation of Default Objects .........................................................................24 4.12.1. All Networks .....................................................................................24 4.12.2. All PEPs ...........................................................................................24 4.13. Translation of User Authentication ...................................................................24

This chapter explains how each Security Change Manager object is translated into a Check Point FireWall-1 object.

4.1. Translation of Network Objects


Since a Check Point FireWall-1 Network object can be defined with only one IP address and a netmask, and since a SCM network may be linked to more than one Check Point FireWall-1 object, a SCM network will be translated into a group that contains the Check Point FireWall-1 networks or address ranges.

Table 4.1. Security Change Manager Network Object Rules

Case # | Security Change Manager Network | Check Point FireWall-1 Objects
1      | The Security Change Manager network is defined with more than one IP address and a netmask, or with an IP address range that is not netmaskable | A group that contains either a set of networks or ranges (only if the management server manages NG PEP versions), each defined with only one IP address and a netmask, so that the set of networks matches the Security Change Manager network. Note: The name of the network created is prefixed by NP_N to remind you that it came from a Security Change Manager network.
2      | A Security Change Manager network containing a * address (internet) | Check Point FireWall-1 Any object.
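The translation in Table 4.1, worked through as an added example (written for this page, not LogLogic's code). It takes a network name that has already been through the section 3.4 naming rules, splits any non-netmaskable range into the smallest set of IP/netmask blocks that cover it exactly, or keeps it as one range object when the management server manages NG PEPs, and returns the group. Producing a one-member group for a network with a single address, and the NP_N names with a 4-digit counter, are assumptions of this example; the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class CpObject:
    """A Check Point FireWall-1 object as it would be created for SCM."""
    kind: str                                   # "network", "range", "group" or "any"
    name: str
    value: str = ""                             # "ip/netmask" or "first-last"
    members: List["CpObject"] = field(default_factory=list)


def translate_network(translated_name: str, addresses: List[str],
                      ng_ranges_supported: bool = True) -> CpObject:
    """Translate one SCM network into Check Point objects following Table 4.1.

    translated_name: the SCM network name after the section 3.4 naming rules.
    addresses: the SCM network contents, each "ip/prefix", "ip/netmask",
               "first-last" or "*".
    ng_ranges_supported: True when the management server manages NG PEPs,
               so a non-netmaskable range may stay a single range object.
    """
    # Case 2: a network containing the * (internet) address becomes Any.
    if any(a.strip() == "*" for a in addresses):
        return CpObject("any", "Any")

    # Case 1: a group whose members exactly cover the SCM network's addresses.
    group = CpObject("group", translated_name)
    counter = 0

    def next_name() -> str:
        # Generated members carry the NP_N prefix and a 4-digit suffix (section 3.4).
        nonlocal counter
        name = f"NP_N_{translated_name}_{counter:04d}"
        counter += 1
        return name

    for entry in addresses:
        entry = entry.strip()
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            # A Check Point network needs an IP and a netmask, so a range is
            # decomposed into the minimal set of netmaskable blocks ...
            blocks = list(ipaddress.summarize_address_range(first, last))
            if len(blocks) > 1 and ng_ranges_supported:
                # ... unless NG range objects are available, which keeps one member.
                group.members.append(CpObject("range", next_name(), f"{first}-{last}"))
                continue
        else:
            blocks = [ipaddress.ip_network(entry, strict=False)]
        for block in blocks:
            group.members.append(CpObject("network", next_name(), block.with_netmask))
    return group


if __name__ == "__main__":
    # Constructed sample: two subnets and a range that is not netmaskable.
    sample = ["10.1.0.0/24", "10.1.1.0/255.255.255.0", "192.168.5.10-192.168.5.20"]
    for ng in (True, False):
        grp = translate_network("Zcorp", sample, ng_ranges_supported=ng)
        print(f"NG ranges {ng}: {grp.name} ->", [(m.kind, m.value) for m in grp.members])
```

Run with ng_ranges_supported=False the 11-address range turns into four network objects (a /31, two /30s and a /32), which is the member count to expect in the Policy Editor when the management server cannot use range objects; with NG support it stays one range.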

4.2. Translation of Class Objects


The Security Change Manager Class objects are translated into Check Point FireWall-1 objects using the following rules:

Table 4.2. Security Change Manager Class Object Rules


Case # | Security Change Manager Class | Check Point FireWall-1 Objects
1      | A set of objects and/or a set of addresses and/or a set of single IP addresses | A group that contains all the objects specified in the Security Change Manager Class plus all created networks or ranges.
2      | A Security Change Manager class containing a * or an object containing a * at any level | Check Point FireWall-1 Any object.

4.3. Translation of Management Server Objects


A management server is represented where each IP address of the Security Change Manager is translated into an interface.

Note
The interface name will be automatically generated with the prefix NP_I.

Table 4.3. Translation of Specific Fields

SCM Management Server fields | Check Point FireWall-1 Mgt Server Properties NG FP3 and NG AI R55
Upload Configuration->FireWall-1 Options->Upload Only if Successful on ALL Managed PEPs | This parameter will be used during the installation of the security policy on the PEPs
General Options->Local Security Policy->Log Implied Rules | Global Properties->FireWall->Log Implied Rules
General Options->Local Security Policy->Accept VPN-1 & Check Point FireWall-1 Control Connections | Global Properties->FireWall->Accept VPN-1 & FW-1 Control Connections
General Options->Local Security Policy->Accept Remote Access Control Connections | Global Properties->FireWall->Accept Remote Access Control Connections
General Options->Local Security Policy->Accept RIP | Global Properties->FireWall->Accept RIP
General Options->Local Security Policy->Accept Domain Name Over UDP (Queries) | Global Properties->FireWall->Accept Domain Name Over UDP (Queries)
General Options->Local Security Policy->Accept Domain Name Over TCP (Zone Transfer) | Global Properties->FireWall->Accept Domain Name Over TCP (Zone Transfer)
General Options->Local Security Policy->Accept ICMP | Global Properties->FireWall->Accept ICMP requests
General Options->Local Security Policy->Accept Outgoing Packets Originating From Gateway | Global Properties->FireWall->Accept Outgoing Packets Originating From Gateway
General Options->Local Security Policy->Accept CPRID Connections (SmartUpdate) | Global Properties->FireWall->Accept control connections
General Options->Local Security Policy->Accept Dynamic Address Modules' DHCP traffic | Global Properties->FireWall->Accept dynamic address modules' DHCP traffic

4.3.1. Check Point Host Default Fields or Check Point Gateway


The following Check Point Host options will not be modified by Security Change Manager:
General->Modules Installed
General->Color
General->Web Server
NAT
Smart Directory
Smart View Monitor
User Authority Server
User Authority Web Access
FireWall-1 GX
Logs and Masters
Capacity Optimization
Advanced

4.3.2. Check Point FireWall-1 Interoperable Default Fields


These fields in the interoperable device can be changed by the network administrator. They will not change during the generation process:
General->Colors
FireWall-1 GX tab

4.4. Translation of Nexus Objects


This object is translated into a gateway node, where each IP address of the Security Change Manager will be translated into an interface.

Note
The interface name will be automatically generated with the prefix NP_I.

4.5. Translation of PEP Objects


4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP
A Firewall-1 NG PEP is represented by a Check Point Gateway on the Management Server that manages it and an externally managed Check Point gateway on a Management Server that does not manage it.

4.5.2. Specific Translated Fields


Log

Note
The anti-spoofing log is enforced when the Log Level for the Default Rule is set in Interfaces Interface Name Options or when the log is set in the permission. Note that when an Account is set on deny flow, it will be automatically transformed in the log because Accounting is not allowed for deny or dropped rules on Check Point FireWall-1.

Table 4.4. SCM Log Numbers

Case #        | Security Change Manager | Check Point FireWall-1
1             | Log                     | Log
2             | Account                 | Log
3             | Alert                   | Alert
4             | Mail                    | Log
5             | SnmpTrap                | Log
6             | User Defined            | Log
7             | User Defined2           | Log
8             | User Defined3           | Log
Other numbers | Log                     | Log

Interface Netmask
In order to specify the interface netmask, you can type the interface IP address with the netmask. If not, the netmask of the object it is connected to will be used.

Anti-Spoofing
If the generated anti-spoofing rule is set on the Check Point FireWall-1 PEP, a group will be automatically generated and attached to the interface of the Check Point Gateway.

4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields


In NG, the following fields will be changed during generation.

Process
General->Color
General->Additional Products
Remote Access->Clientless VPN
Smart Directory (LDAP)
Logs and Masters
Capacity Optimization
Advanced

4.6. Translation of Services


4.6.1. Generation Process
Principle
The service mapping table is stored in the fw1MgtServer.xml file and defines the relation between Security Change Manager and Check Point FireWall-1 services. The table takes into account the differences between the 4.0, 4.1, NG FP3, NG AI R55, NGX (R60, R62, R65) and R70 versions.


When the security policy is generated, for each service:
If the service is in the mapping table, the entry will be used to find the corresponding Check Point FireWall-1 service name for the generation.
If the service is not in the mapping table, a Check Point FireWall-1 custom service will be generated if possible.

Syntax of the Mapping Table


<SingleCapability name="service_<scm service>" type="string" value="<FW-1 service>" hidden="yes" const="yes"/>
indicates that <scm service> is mapped to <FW-1 service> for any version of Check Point FireWall-1. To specify for which versions the mapping is available, insert one of the following lines after the entry (do not forget to remove the "/" character at the end of the preceding line, i.e. const="yes"/> becomes const="yes">):
<Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/> indicates the range of versions in which the mapping is valid.
<Condition type="version" dependency="version" min="4.0.0"/> indicates the version from which the mapping is valid.
<Condition type="version" dependency="version" max="4.1.0"/> indicates the version up to which the mapping is valid.
Then add the </SingleCapability> tag at the end to close the <SingleCapability> definition.

Note
Check Point FireWall-1 services are case sensitive while Security Change Manager services are case insensitive.

Example
<SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
  <Condition type="version" dependency="version" min="4.1.0"/>
</SingleCapability>
<SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
  <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
</SingleCapability>
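To see how the mapping-table syntax above and the version conditions resolve for a given management server, here is an added resolver written for this page (not LogLogic's own parser of fw1MgtServer.xml). It reads entries of the form shown in the syntax section and example, applies the min/max version conditions, folds the case-insensitivity of Security Change Manager service names noted above, and returns None when no entry matches, which is the situation in which a custom service would be generated. The enclosing root element and the service_http entry are constructed for the sample; the real file's layout around the entries is not shown on the page.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample in the syntax of section 4.6.1. The two service_ike
# entries are the page's example; the root element and service_http are
# additions made so that the sample parses and shows an unconditional entry.
SAMPLE_TABLE = """<Capabilities>
  <SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.1.0"/>
  </SingleCapability>
  <SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
  </SingleCapability>
  <SingleCapability name="service_http" type="string" value="http" hidden="yes" const="yes"/>
</Capabilities>"""

Entry = Tuple[str, str, List[ET.Element]]   # (scm service, FW-1 service, conditions)


def _version_tuple(text: str) -> Tuple[int, int, int]:
    """'4.1' and '4.1.0' compare equal; missing components are zero."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def _condition_holds(cond: ET.Element, version: str) -> bool:
    """A Condition with min/max attributes is an inclusive version range."""
    v = _version_tuple(version)
    lo, hi = cond.get("min"), cond.get("max")
    if lo is not None and v < _version_tuple(lo):
        return False
    if hi is not None and v > _version_tuple(hi):
        return False
    return True


def load_mapping(xml_text: str) -> List[Entry]:
    """Collect every service_<scm service> capability with its conditions."""
    entries: List[Entry] = []
    for cap in ET.fromstring(xml_text).iter("SingleCapability"):
        name = cap.get("name", "")
        if not name.startswith("service_"):
            continue                       # other capabilities are not service mappings
        scm_service = name[len("service_"):].lower()   # SCM names are case-insensitive
        entries.append((scm_service, cap.get("value", ""), cap.findall("Condition")))
    return entries


def resolve_service(entries: List[Entry], scm_service: str,
                    fw1_version: str) -> Optional[str]:
    """Return the Check Point service name for an SCM service, or None when
    no entry applies to this FireWall-1 version (a custom service would then
    be generated if possible). Entries are tried in file order."""
    key = scm_service.lower()
    for name, value, conds in entries:
        if name == key and all(_condition_holds(c, fw1_version) for c in conds):
            return value
    return None


if __name__ == "__main__":
    table = load_mapping(SAMPLE_TABLE)
    for version in ("4.0.5", "4.1.0", "5.0.0"):
        print(version, "IKE ->", resolve_service(table, "IKE", version))
```

The version strings used for comparison are whatever the management server object reports to Security Change Manager; the three-component padding is this example's choice so that "4.1" and "4.1.0" are treated the same, since the page's conditions use both two- and three-component forms.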

4.6.2. A Translated Security Change Manager Service


Fields

Table 4.5. Translated Security Change Manager Service

Case #  Security Change Manager Service                                                            Check Point FireWall-1 objects
1       The service contains one protocol permission                                               The corresponding Check Point FireWall-1 service that maps to the Security Change Manager service type
2       The service contains more than one protocol permission or service                          A group of services
3       The service contains a permission not translatable into Check Point FireWall-1             Error
        (flow server -> client)

Naming Convention

Note
All generated and translated Check Point FireWall-1 services are prefixed by NP_S_ because they are regenerated at each compilation.

Check Point FireWall-1 does not allow a permission from server to client to be easily defined, so when a Security Change Manager service contains only such a permission, the following error message occurs:

  Error: The Security Change Manager service <service name> couldn't be described in the Check Point FireWall-1 <PEP name> database. Associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).

When the service contains a permission from server to client but also another type of permission, the following message occurs:

  Warning: The return flow of scm service <service name> couldn't be well described in the Check Point FireWall-1 <PEP name> database. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).

Security Change Manager IGMP Translated Fields


The IGMP message name/number will be ignored, so the filter will be less accurate than in Security Change Manager. Therefore, a warning message will occur: Warning: IGMP message name is not supported by Check Point FireWall-1. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).

4.7. Translation of Implicit Generated Objects



4.7.1. Anti-spoofing
To manage anti-spoofing, Security Change Manager must generate a group that will contain all network objects allowed to pass through that interface. All networks (that are allowed) already exist in Check Point FireWall-1 objects created by Security Change Manager. It is only necessary to define the group that will contain them. The generated name is NP_A_<PEP FW-1>_<interface name>_<4 digits>.

4.7.2. Expand Internet: Objects Generated


To implement the Expand Internet PEP option, objects that match all networks except the internal network are generated. To do that a group of networks that matches "all networks possible - internal network" is created with the name NP_E__INTERNET. These generated objects will be prefixed with NP_E__INTERNET.

4.8. Translation of Permissions


Security Change Manager permission objects are translated into Check Point FireWall-1 security rules.

Note
Some Security Change Manager permissions could be merged into a single FireWall-1 security rule after the reduction compilation phase.

Table 4.6. Security Change Manager Permission Fields

Security Change Manager permission field   Check Point FireWall-1 rule field
Options -> Allow/Deny                      Allow -> accept
                                           Deny, with the Generate ICMP Error Message option set on the PEP or on the flow -> reject
                                           Deny -> drop
Options -> Log                             Track (see Table 4.4, SCM Log Numbers (page 18))

4.9. Translation of Time Definition Rules


Security Change Manager Time Definitions are translated into a group of time definitions.

4.9.1. What cannot be translated


Year: the year is ignored.
Day of the week in a specific month (for example, all Mondays of March): the month is ignored in this case.

4.10. Translation of NAT Rules


4.10.1. Example

Figure 4.1. An Example of a NAT Rule

The NAT rule on Check Point FireWall-1 indicates that the class P of network N1 is translated into 124.2.*. The rule between N1 and N2 must be enforced as follows:
On FW1: allow N1 -> N2 (because on Check Point FireWall-1 NAT is applied after IP filtering, FW1 sees the original addresses).
On FW2 and CISCO: N1 is seen as {121.* except 121.2.*} + 124.2.*. Therefore, the rule allowed is N1' {121.1.* + 121.3.0.0-121.255.255.255 + 124.2.*} -> N2.

4.10.2. Rules
An object corresponding to this view is created on FW2 as NP_O_N1_VFP_FW2_<service name>_N2. In each rule enforced on a Check Point FireWall-1 PEP where a source or destination is used in a NAT rule, a new object must be created to represent the source or the destination from the point of view of that PEP. The name of these new objects is NP_O_<object name>_VFP_<PEP name>_<service name>_<destination object>, where <object name> can be any kind of Security Change Manager object (a network, a class, a nexus, a PEP or a management server).

Note
VFP is an abbreviation for "View from PEP". The object that will be generated will be a group that will contain networks even if the SCM object is a PEP or a management server. For each NAT Rule a destination object and a source object will be created.
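The "view from PEP" computation of Sections 4.10.1 and 4.10.2, as an added example that is not part of this manual or of the product. The constructed topology assumes N1 = 121.0.0.0/8, class P = 121.2.0.0/16 and a static translation of P to 124.2.0.0/16 on FW1; the concrete prefixes are assumptions, since Figure 4.1 is not reproduced in the text. For FW1 itself NAT is applied after filtering, so its rule keeps the original addresses; for a PEP behind the NAT, such as FW2, the function removes P from N1 and adds the translated block, which is the address set the NP_O_N1_VFP_FW2_<service>_N2 group carries. The naming helper only formats the convention described above.

```python
import ipaddress

# Constructed topology for the Section 4.10.1 example (prefixes are assumptions).
N1 = ipaddress.ip_network("121.0.0.0/8")        # network N1, "121.*"
CLASS_P = ipaddress.ip_network("121.2.0.0/16")  # class P of N1, "121.2.*"
NAT_P = ipaddress.ip_network("124.2.0.0/16")    # static NAT of P on FW1, "124.2.*"
NAT_RULES_FW1 = [(CLASS_P, NAT_P)]


def view_from_pep(network, nat_rules, sees_translated):
    """Address blocks of `network` as seen by one PEP.

    sees_translated=False: the NATing FW-1 itself, which filters before it
    translates and therefore sees the original addresses.
    sees_translated=True: any PEP behind the NAT, which sees the translated
    block instead of the original class.
    """
    blocks = [network]
    if not sees_translated:
        return blocks
    for original, translated in nat_rules:
        remaining = []
        for block in blocks:
            if original.subnet_of(block):
                remaining.extend(block.address_exclude(original))  # N1 minus P
            elif block.overlaps(original):
                raise ValueError(f"{original} is only partly inside {block}; split the class first")
            else:
                remaining.append(block)
        blocks = remaining + [translated]  # ... plus the translated block
    return sorted(set(blocks))


def is_in_view(blocks, address):
    """True if `address` falls inside any block of a PEP view."""
    addr = ipaddress.ip_address(address)
    return any(addr in block for block in blocks)


def vfp_group_name(obj, pep, service, destination):
    """Generated FW-1 group name per the NP_O_<obj>_VFP_<PEP>_<service>_<dst> convention."""
    return f"NP_O_{obj}_VFP_{pep}_{service}_{destination}"


if __name__ == "__main__":
    fw2_view = view_from_pep(N1, NAT_RULES_FW1, sees_translated=True)
    print(vfp_group_name("N1", "FW2", "http", "N2"))
    for block in fw2_view:
        print("  ", block)
    print("FW1 view:", view_from_pep(N1, NAT_RULES_FW1, sees_translated=False))
```

Because the translated view is a list of CIDR blocks rather than one network, the generated object is a group, exactly as the note above states for VFP objects; a PEP that is given the untranslated N1 instead would let 121.2.* through and silently drop the real 124.2.* traffic.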

4.10.3. Security Change Manager NAT Rules Translated Fields



Table 4.7. Security Change Manager NAT Fields

Security Change Manager NAT field   Check Point FireWall-1 rule field
Static on Source or Destination     Static on Source or Destination
Pool on Source or Destination       Not supported
PAT                                 Hide (there is an error if the PAT range contains more than one address)
Masquerading                        Hide with the interface address

4.11. Translation of Limited Path Zones


When you have a permission between a source object and a destination class that contains two objects (A and B), and the source object and object A have different limited path zones that do not allow traffic between them, the permission is enforced only from the source to B. To reflect this in the Check Point FireWall-1 database, a Check Point FireWall-1 group named NP_O_<object name>_VFP_<PEP name> is created, where <PEP name> is the PEP on which this rule is enforced. In the previous example, the generated object contains only object B.

4.12. Translation of Default Objects


4.12.1. All Networks
The class "all networks" is translated into a Check Point FireWall-1 group object that contains all networks defined in Security Change Manager except the networks that contain '*' as an IP address. The name of the generated object is Zall_internal_domains.

4.12.2. All PEPs


The class "all PEPs" is translated into a Check Point FireWall-1 group object that contains all PEPs defined in Security Change Manager. The name of the generated object is Zall_routers.

4.13. Translation of User Authentication


To define a user authentication permission, refer to "Authenticate Users on a Permission" in the Security Change Manager User Guide or on-line help. Security Change Manager supports the authentication implementation of Check Point FireWall-1 NG. Both Check Point FireWall-1 and Security Change Manager have 3 types of authentication:
User Authentication
Client Authentication
Session Authentication


An authentication rule is defined by a source where the user group is appended to the network location of the user, a destination and one of the 3 authentication methods (User Authentication, Client Authentication, or Session Authentication). In Security Change Manager Designer, define the authentication on the permission in the Permission Properties window by selecting Actions Authentication Application Point and adding the required PEPs.

Note
The user authentication method appears only for http, ftp, rlogin and telnet. For each method, implicit permissions are created. Authentication parameters on the management server and Check Point FireWall-1 can be defined on the corresponding Security Change Manager objects.


Chapter 5. How to Define and Deploy a Security Policy on Check Point FireWall-1
5.1. First Use of Check Point FireWall-1 .... 27
5.1.1. SSL Certification and Encryption Procedure .... 27
5.1.2. Clear OPSEC Connection Type Procedure .... 31
5.2. Configure a Check Point GX Management Server .... 32
5.2.1. First step: Creating custom services and defining the policy .... 33
5.2.2. Second step: Defining precisely the custom services .... 33
5.3. Define and Deploy a Policy .... 35
5.3.1. Step 1: Defining the Secure Topology .... 35
5.3.2. Step 2: Security Policy Definition .... 39
5.3.3. Step 3: Audit .... 39
5.3.4. Step 4: Define Rules .... 39
5.3.5. Step 5: Compile the Security Policy .... 39
5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server .... 40
Prerequisites .... 40
Procedure .... 40
5.3.7. Step 7: Deploy the Policy .... 40
5.4. Define and Manage an Existing Policy .... 41
5.4.1. Purpose .... 41
5.4.2. Prerequisites .... 41
5.4.3. Step 1: Perform a Check Point FireWall-1 Import .... 41
5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import .... 42
5.4.5. Other Steps .... 43
5.5. Create an Authentication Rule .... 43

This chapter lists the steps required to define a security policy in Security Change Manager Designer, and to deploy that policy on a Check Point FireWall-1 PEP.

5.1. First Use of Check Point FireWall-1


You need to establish communication between Security Change Manager and Check Point FireWall-1 either via SSL Certification and Encryption (recommended) or in Clear (not recommended). This is set in the SCM Management Server Properties window by defining the OPSEC Connection Type option in the Upload Configuration > Connection Options view.

5.1.1. SSL Certification and Encryption Procedure


Procedure 5.1. Using SSL Certification and Encryption

1. Log onto the SmartCenter with the SmartDashboard.
2. Select the Servers and OPSEC Applications > OPSEC Applications node in the Objects Tree list, right-click it and select New > OPSEC Application to create a new OPSEC Application.

Figure 5.1. Creation of new OPSEC Application in SmartDashboard

3. In the OPSEC Application Properties window:
   a. Give a name to the OPSEC Application and remember it.
   b. Select a host using the Host pull-down menu.
   c. Tick the CPMI checkbox in the Client Entities panel to enable the CPMI.

   Note
   Select no other options. For instance, no Server Entities and no other Client Entities than CPMI.

   Figure 5.2. CPMI option enabled

   d. Click the Communication button.
   e. In the Communication dialog box, enter a password ("activation key" in this GUI) and remember it.
   f. Click the Initialize button and click Close to close the Communication dialog box.
   g. Click OK to close the OPSEC Application Properties window.
4. Save your settings by using File > Save and close the SmartDashboard.
5. Connect to the Security Change Manager Designer.
6. Create your map, open the Management Server Properties window and select the Upload Configuration > Connection Options view.
   a. Set the OPSEC Connection Type option to SSL Certification and Encryption.

   Figure 5.3. SSL Certification and Encryption Option

   b. For the OPSEC Application name option, type in the same name as the one you set in the SmartDashboard.
   c. Click OK to validate your settings and close the Management Server Properties window.
7. Right-click on the Management Server object and select Import > FW1-Import... from the contextual menu. The Import in Progress window opens. Several dialog boxes then prompt you for information:
   a. When prompted for username/password, enter those you previously used to connect to the SmartCenter with the SmartDashboard, and click OK.
   b. When prompted for a new certificate in the Getting Certificate dialog box, select Yes from the pull-down menu and click OK.

   Figure 5.4. Getting Certificate Dialog Box

   c. When prompted for the certificate's password, enter the one you provided during the OPSEC Application's creation and click OK.
8. The import begins with the last opened policy.

Note
During the first upload preparation, Security Change Manager requests the password that you wrote down in step 3 to get the certificate for the Check Point FireWall-1 Management Server. If the certificate is changed on the Check Point FireWall-1 Management Server, Security Change Manager detects this and requests the new certificate.

If for some reason this method fails, you may receive an error beginning with "SIC error...": the certificate has already been given to Security Change Manager. You need to reset the certificate by deleting it in Security Change Manager and following the steps described above again. To delete the certificate in Security Change Manager:
1. Go to the Manager8.2\data\authentication\certificate directory.
2. Delete the <Management Server name>_<OPSEC Application name>.p12 file and the corresponding .sicname file.

For more information on this topic, see the LogLogic Knowledge Base available at: http://www.loglogic.com/services/support/index.php (for registered customers only).

5.1.2. Clear OPSEC Connection Type Procedure


Procedure 5.2. Using Clear

It is not recommended to use the Clear option since it is neither authenticated nor encrypted.
1. Create an OPSEC application on the Management Server through the Check Point FireWall-1 SmartDashboard with the CPMI option enabled (in the Client Entities panel of the OPSEC Application Properties window).
2. Create the associated certificates by clicking the Communication button. Write down and remember the Application Distinguished Name.
3. Modify the SIC policy file (sic_policy.conf) so that the communication between the Check Point FireWall-1 Management Server and Security Change Manager accepts clear. Refer to the Check Point FireWall-1 OPSEC connection configuration guideline at: http://www.opsec.com/developer/gw_comm_mode.html
4. In Security Change Manager Designer, open the Management Server object Properties window and:
   a. Select the Upload Configuration > Connection Options view.
   b. Set the OPSEC Connection Type option to Clear.
   c. For the OPSEC Application Distinguished Name option, type in the same name as the one you set in the SmartDashboard.

   Figure 5.5. Clear Option

   d. Click OK to validate your settings and close the Management Server Properties window.

5.2. Configure a Check Point GX Management Server


This section describes how to define a Check Point GX Management Server in Security Change Manager.


The main feature of GX for telcos is the protocol inspection of GTP tunnels. The way of configuring GTP traffic inspection recommended by Check Point is to create new services inheriting from one of the 4 predefined GTP services and then fine-tune them with some specific settings (only gtp_v0_default and gtp_v1_default have meaningful options). These services are:
gtp_mm_v0_default
gtp_mm_v1_default
gtp_v0_default
gtp_v1_default

The feature is activated by creating permissions that have a GTP service as the service and, as source or destination, either hosts (representing the SGSN and GGSN in GTP terminology) or a handover group. Handover groups are a new kind of object introduced in GX: groups of hosts with a special flag identifying them as handover groups. In Security Change Manager, they are represented as meta-classes on which the optional "Handover Group" flag is set.

5.2.1. First step: Creating custom services and defining the policy
1. You must first create custom services in the Security Change Manager Designer Service Editor using existing GTP services.
2. You can then define your security policy as usual using the newly created service.

Figure 5.7. Defining security policy using custom service

5.2.2. Second step: Defining precisely the custom services


The Management Server properties in Security Change Manager display a group of GTP Services options allowing you to add/create new Check Point-specific GTP-inspecting services. After you have selected an SCM service and the Check Point-specific GTP inspection options, the custom services are created when the upload is made on the Check Point management server. See the implementation example displayed in Figure 5.9, GTP Service options (page 34). Through this group of options you can add a new custom GTP service, choose which existing service to customize, and select the appropriate options, that is to say the options which have been selected in the SmartDashboard.

1. Open the Management Server Properties window (by double-clicking the Management Server object).
2. In the General Options view, set the Is the management server a Check Point GX? option to Yes.

Figure 5.8. Activation of Check Point GX options in Management Server Properties

3. A GTP Services sub-node appears under the General Options node. In the GTP Services view, click the AddGTPServiceTemplate icon. A list of options appears allowing you to define a custom GTP Service. See Section 14.2.6, GTP Services (page 153) for further information about these options.

Figure 5.9. GTP Service options


5.3. Define and Deploy a Policy


This is the procedure to define and deploy a security policy.

5.3.1. Step 1: Defining the Secure Topology

Note


Some of the screens that follow may appear slightly different on your computer depending on the version of the Check Point FireWall-1 devices you are using.

Recommendation: Create names that begin with a letter and are less than 90 characters long in order to locate them easily in the Check Point FireWall-1 Policy Editor.

Refer to the Security Change Manager User Guide and perform the following tasks:
1. Create the "physical" level: Network, Nexus, PEPs etc.
2. Create the "Conceptual" level.
   a. Create the Management Server on the map. Select the icon in the toolbar or select Mode > Add Management Server. After the object has been created, you must define its IP address and attach it to a network or a PEP.
   b. Select the General Options > Local Security Policy view and define implicit rules. Implicit rules must be used with caution:
      They are not represented on the map.
      They are enforced only on PEPs managed by the Management Server, not on PEPs directly managed by Security Change Manager. So when a PEP controlled by SCM is between the source and the destination of an implicit rule, you must create the corresponding permission between that source and that destination.
      They are not considered in the Security Change Manager audit.

Figure 5.10. Implicit Rules: Local Security Policy

3. Select the General Options > Security Server view and define the Security Server options.

Figure 5.11. Security Server

4. Select the General Options > Authentication view to define the authentication properties on the Management Server. On NG, you can define 3 screens of authentication properties:
   Failed Authentication Attempts
   Users with Certificates
   Early Versions Compatibility


Figure 5.12. Authentication: Failed Authentication Attempts

Figure 5.13. Authentication: Users with certificates

Figure 5.14. Authentication: Early Versions Compatibility


   User Authentication Session Time Out (authentication property): if this number of minutes elapses between a Security Change Manager request and the management server's response, the session is dropped (default: 1 minute).
5. Select the Upload Configuration > Connection Options view and define the upload parameters.

Figure 5.15. Upload Configuration: Connection Options

6. Select the Managed PEPs view and add all FireWall-1 or Nokia PEPs that shall be managed by the Management Server (this association can also be done in the Properties window of each PEP).

Figure 5.16. Add Managed PEPs


7. Create the Classes you need. See "Representing a Set of IP Addresses via a Class" in the Security Change Manager User Guide.

5.3.2. Step 2: Security Policy Definition


See the Security Change Manager User Guide to perform the following actions.
1. Create the time definitions needed.
2. Create the NAT rules needed, then attach them to each PEP.
3. Create all the limited path zones needed and attach them to each object.
4. Create all the new services needed.
5. Create the security policy: draw all security permissions between the objects with their properties.

Note
An implicit permission between the Management Server and the managed PEP is automatically added for the FW-1 service.

5.3.3. Step 3: Audit


Use Audit (Action > Policy Audit view) to analyze security permissions object by object.

5.3.4. Step 4: Define Rules


Define a rule on the Management Server that allows the CPMI and ica_pull_cert services. Then, install it on the managed PEP.

5.3.5. Step 5: Compile the Security Policy


1. Compile the policies. Select Action > Generate Global Policy from the menu bar. The Expecting Compilation message box appears.
2. The Compilation Result dialog box appears. It states whether the compilation has been successful or not. Read the Errors and Messages.

5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server

Warning
If the FW-1 management server manages PEPs that are on the path between Security Change Manager and the Management Server or are on the Management Server itself, we recommend that a policy is installed on these PEPs before upload. If not, the communication between the Management Server and Security Change Manager will be interrupted.

Warning
If Security Change Manager contains an address defined as '*', the upload may fail. Avoid using '*' as the address.

Prerequisites
The filters for the current workspace map have been successfully compiled.

Procedure
1. Prepare the upload. The purpose of the upload preparation is to generate a Check Point FireWall-1 security policy that comes from:
   the SCM Server object definition;
   the Check Point FireWall-1 object definition, which contains concepts not supported by Security Change Manager.
2. Select Action > Upload Preparation for selection from the menu bar. The Upload Preparation in Progress window opens and the upload preparation starts automatically. Once the preparation has finished, a message appears stating whether it has been successful.
3. Click the Close button to close the Upload Preparation in Progress window. The Upload Preview window opens, displaying the .confpatch file that will be applied when uploading the configuration.

5.3.7. Step 7: Deploy the Policy


1. Select Action > Device Manager from the menu bar. The Device Manager window appears.
2. In the Deployment tab, select the PEPs that should be uploaded in the top panel.
3. Click the Upload icon.


4. An Upload Message dialog box opens, asking if you wish to continue. Click Continue to proceed with the upload process. When the upload has completed successfully, the Upload in Progress window displays the message "Upload terminated (successful)".

5.4. Define and Manage an Existing Policy


This section discusses tasks for managing a security policy that is already in production on a Check Point FireWall-1 PEP, and which you want to manage with Security Change Manager.

5.4.1. Purpose
This section describes a situation where you have just bought Security Change Manager and want to configure your existing security policy with it. In this case, you will want to:
Read your security policy.
Adapt it in Security Change Manager to define a global security policy.
Check that the security policy is what you want.
Then, implement that policy.

The following steps are explained in detail in the Security Change Manager User Guide and in the previous sections of this chapter.

5.4.2. Prerequisites
The first upload of the SCM-generated security policy on the Check Point FireWall-1 Management Server changes the existing security policy files. It is therefore recommended to back up the directory containing the security policy definition ($FW1\conf) before installing the new one.
1. Duplicate this directory under the name BeforeInstallation (for example).
2. Define a rule on the management server that allows the services CPMI and ica_pull_cert, with source = Security Change Manager Designer and destination = Check Point FireWall-1 Management Server, and install it on the managed PEP.

Table 5.1. Define a rule on the Management Server

No.  Source    Destination        Service        Action  Track  Install on  Comments
     LogLogic  Management Server  CPMI           accept         Gateways
                                  ica_pull_cert

5.4.3. Step 1: Perform a Check Point FireWall-1 Import



Warning
Do not perform an import on an untitled map. Always name the .npl file first.

5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import


1. Create objects on the map. Edit the current policy on each management server. For each object involved in a rule, create an object (if it does not exist) in Security Change Manager:
   Objects involved in Source or Destination:
      Case of a Group: create an SCM network or an SCM Class with all objects inside.
      Case of a network or range: create an SCM network.
      Case of a Check Point Gateway or Check Point Host: create an SCM Check Point FireWall-1 PEP. If it is neither, create a Nexus. Note that anti-spoofing is generated automatically by Security Change Manager.
      Case of an embedded device or OSE device: create an SCM PEP of the corresponding type. If the type does not exist in SCM, create an "Unknown" PEP (its Managed option must be set to Yes).
      Case of a Check Point Gateway Cluster: create a Check Point FireWall-1 Cluster.
      Case of a domain: create the corresponding network in SCM. The concept of domain is not supported in SCM.
      Case of any other network object: create a class with the IP addresses or objects contained in this object.
   Objects involved in Time:
      Case of a time definition: create a time definition in Security Change Manager.
   Objects involved in Service:
      Case of a service: if that service does not exist in Security Change Manager, create it.
2. Create connections between objects. After all objects have been created, connect them:
   Connect the networks with PEPs or nexuses.
   Connect the classes with the networks.
3. Create the NAT rules and associate them with each FW-1 PEP involved.
4. Create the security policy. For each rule on the management server, create a permission in Security Change Manager Designer with the right properties:
   Log
   Time definition
   Deny or allow
   Generate ICMP Error Message: flag in the case of a deny rule


Note
For all the rules that couldn't be created because they are not supported by Security Change Manager see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page63 ).

5.4.5. Other Steps


1. Audit.
2. Compile the Security Policy.
3. Prepare Upload on Each Directly-Managed PEP and Each Management Server.
4. Deploy the Security Policy.

5.5. Create an Authentication Rule


To set up user authentication on a Check Point FireWall-1 through Security Change Manager, perform the following procedure:

Procedure 5.3. Creating an Authentication Rule


1. Define a User Group and reference the Management Server as the "authentication server".
2. If an authentication server needs to be created on the Check Point FireWall-1 Management Server, create a Nexus or a PEP that contains the IP address of the RADIUS server. This object is used on the Check Point FireWall-1 Management Server to be referenced by the Check Point FireWall-1 radius server object.
3. Create a permission to authenticate.
4. Edit the permission properties and reference the FW-1 PEP(s) on which the authentication must be applied.
5. Fill in the authentication parameters associated with this PEP as they are set on the Check Point FireWall-1 Management Server.
6. Compile.
7. Upload the policy.
8. On the Check Point FireWall-1 Management Server, check whether a warning appears during the upload. This would mean that a User Group is empty.
9. Define the External User Profiles, LDAP Groups and/or the Users that will be referenced by the User Group created by Security Change Manager.
10. Define the related authentication servers needed (RADIUS, TACACS...) and reference a Security Change Manager object as the host of these servers.
11. Save and install the policy.

This task has to be done only to get the user group definition and the authentication server associated. The next upload will not need these tasks except if a new user group has to be managed.


Chapter 6. How to Perform an Import from Check Point FireWall-1


6.1. What will be Imported/ not Imported .... 45
6.2. Performing a Standard Import from Check Point FireWall-1 .... 49
6.2.1. Step 1: Create and Configure a Management Server .... 49
6.2.2. Step 2: Perform the Import .... 52
6.2.3. Step 3: Add the Missing Topology .... 54
6.2.4. Step 4: Connect and Group Attached Objects .... 54
6.2.5. Step 5: Various Checks to Perform .... 55
6.3. Performing a Local Import of Check Point FireWall-1 Policy .... 56
6.4. Cleaning the Database Before Upload .... 60

An import can be performed on either an empty security policy or an already-existing security policy. This chapter explains the entire concept beginning with an empty security policy. An import can be done using one or multiple Management Servers; only one Management Server is used in this example for ease of understanding. If you use an already-existing security policy, the attachment of classes and connections is done automatically.

Warning
Security Change Manager cannot manage all the concepts supported in Check Point FireWall-1. Therefore, when importing a Check Point FireWall-1 security policy, some objects and rules are not imported. All objects that are not supported are kept in the objects.C file and all rules not supported are kept in a specific policy file in the rulebases.fws file. When generating a policy:
The objects that have the same name are updated by Security Change Manager; the others do not change.
The "include" rules are added before and after the generated security policy.
If you change an object name in Security Change Manager, when a new policy is generated there are two objects in the objects.C file: the old one (not removed because it may be referred to by objects in the security policy) and the new one. If this happens, you must replace the old object with the new one to maintain the synchronization between the Security Change Manager definition and the Check Point FireWall-1 definition.

6.1. What will be Imported/ not Imported


The Check Point FireWall-1 objects and rules that are, or are not, imported are listed in Table 6.1:


Table 6.1. What will be imported/ not imported from Check Point FireWall-1 NG and NG AI

Category: Network Objects
  Detail: Check Point FireWall-1 Gateway, Check Point FireWall-1 Host, Check Point FireWall-1 Gateway cluster, Check Point FireWall-1 Embedded Device, Check Point FireWall-1 Externally Managed Gateway, Gateway Node, Host Node, Interoperable Device, Network, Domain, OSE Devices, Group, Logical server, Address range, Dynamic Object, VoIP domains, VPN-1 Edge/Embedded Gateway, VPN-1 Edge/Embedded Profile
  Imported: Partially
  Comment: N/A

Category: Services objects
  Detail: TCP, Compound TCP, UDP, RPC, ICMP, Other, Group, DCE-RPC
  Imported: Partially
  Comment: Some flows will need a specific declaration in the mapping table if they could not be imported. Negated services are not supported. Services of type 'Other' are not imported if they reference an Inspection macro.

Category: Resources
  Detail: URI, URI for QoS, SMTP, FTP, TCP
  Imported: No

Category: OPSEC Applications
  Detail: OPSEC Application, CVP Group, UFP Group, CPMI Group
  Imported: No

Category: Server
  Detail: RADIUS, RADIUS Group, TACACS, DEFENDER, LDAP Account Unit, Certificate Authority, SecuRemote DNS
  Imported: Partially
  Comment: This implies that the implicit flows between these servers and Check Point FireWall-1 hosts are not imported.

Category: Users objects
  Detail: Administrator, External group, Group, User, LDAP Account Unit
  Imported: Partially

Category: Time objects
  Detail: Time definition, Time group, Scheduled Event
  Imported: No

Category: Virtual Links
  Detail: Virtual Links
  Imported: No

Category: VPN Communities
  Detail: Intranet Meshed, Intranet Star, Extranet, Partner
  Imported: No

Category: Check Point FireWall-1 Implied Rules
  Detail: All those defined in the General Options Local Security Policy view
  Imported: Yes

Category: Security Rules
  Detail: Allow, Drop, Reject, User Auth, Client Auth, Session Auth
  Imported: Yes
  Comment: Every security rule that gives an "allow" permission with negate objects (on source and/or destination) is imported as two distinct rules: the first rule is a "deny" permission and the second an "allow" permission. For example, if an "allow" permission is set between A and B, where B is a negate object, the generated rules are:
    deny A -> B
    allow A -> any
  A security rule, e.g. (src_1,...,src_X); (srv_1,...,srv_Y); (dst_1,...,dst_Z), is imported as a single optimized rule with one metaclass for SRC, one metaclass for DST and one service group for SRV. The naming convention for the metaclasses and the service group is SRC_n, SRV_n, DST_n, where n is the security rule ID number. The IF VIA property is ignored.

Category: Address Translation Rules
  Detail: Static, Hide
  Imported: Yes

Category: Desktop Security Rules
  Detail: Inbound Rules, Outbound Rules
  Imported: No

Category: Web Access
  Detail: Web Sites, Security Requirements, Authorization Requirements, Application Settings
  Imported: No

Category: Floodgate Rules
  Imported: No
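The following Python model is added here as an illustration for this page; it is not LogLogic or Check Point code. It encodes the import behaviour described in the chapter warning and in the "Security Rules" row of Table 6.1: one metaclass per side (SRC_n, DST_n) and one service group (SRV_n) named after the rule ID, an "allow" rule with a negated side split into a "deny" followed by a widened "allow", and the First/Last include policies placed before and after the generated rules. The FwRule and Permission data model, the function names, the priority field and the sample rules are assumptions made for the example.

```python
"""Model of how Security Change Manager imports a Check Point security rule and
how the generated rulebase is assembled around the include policies.

Added illustration for this page, not LogLogic or Check Point code. The
FwRule/Permission data model, the function names and the sample rules are
assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FwRule:
    """A Check Point security rule as read from rulebases.fws (constructed)."""
    rule_id: int
    sources: List[str]
    destinations: List[str]
    services: List[str]
    action: str                 # "accept", "drop" or "reject"
    negate_src: bool = False    # Negate set on the Source cell
    negate_dst: bool = False    # Negate set on the Destination cell


@dataclass
class Permission:
    """Security Change Manager permission produced by the import (assumed model)."""
    action: str                 # "allow" or "deny"
    src: str
    dst: str
    srv: str
    priority: int               # lower is placed first; > 5000 lands at the end


def import_rule(rule: FwRule) -> Tuple[List[Permission], Dict[str, List[str]]]:
    """Import one rule: returns the permission(s) created and the metaclass /
    service-group definitions that replace the rule's object lists."""
    n = rule.rule_id
    src, dst, srv = f"SRC_{n}", f"DST_{n}", f"SRV_{n}"
    groups = {src: list(rule.sources), dst: list(rule.destinations), srv: list(rule.services)}
    negated = rule.negate_src or rule.negate_dst

    if rule.action == "accept" and negated:
        # "allow A -> not B" becomes "deny A -> B" followed by "allow A -> any".
        # Both keep the same priority; generate_policy sorts stably, so the
        # deny stays in front of the allow.
        perms = [
            Permission("deny", src, dst, srv, n),
            Permission("allow",
                       "Any" if rule.negate_src else src,
                       "Any" if rule.negate_dst else dst,
                       srv, n),
        ]
    elif rule.action == "accept":
        perms = [Permission("allow", src, dst, srv, n)]
    elif negated:
        # Table 6.1 only describes negation on allow rules. Refuse rather than
        # silently turn "deny A -> not B" into "deny A -> B".
        raise ValueError(f"rule {n}: negate on a {rule.action} rule is not covered by the import")
    else:
        perms = [Permission("deny", src, dst, srv, n)]   # drop and reject both become deny
    return perms, groups


def generate_policy(permissions: List[Permission],
                    first_include: List[str],
                    last_include: List[str]) -> List[str]:
    """Assemble the generated rulebase: the First include policy, the generated
    rules ordered by priority, then the Last include policy."""
    ordered = sorted(permissions, key=lambda p: p.priority)
    body = [f"{p.action} {p.src} -> {p.dst} [{p.srv}]" for p in ordered]
    return list(first_include) + body + list(last_include)


# Constructed sample: rule 1 lets the DMZ reach everything except the LAN;
# rule 2 is a drop catch-all kept for logging.
SAMPLE_RULES = [
    FwRule(1, ["dmz_net"], ["lan_net"], ["http", "https"], "accept", negate_dst=True),
    FwRule(2, ["Any"], ["Any"], ["Any"], "drop"),
]


def sample_policy() -> List[str]:
    dmz_perms, _ = import_rule(SAMPLE_RULES[0])
    catch_all, _ = import_rule(SAMPLE_RULES[1])
    for p in catch_all:
        p.priority = 5001          # Section 6.2.5, Step 2: logging denies go above 5000
    return generate_policy(dmz_perms + catch_all,
                           ["include: First_Policy"], ["include: Last_Policy"])


if __name__ == "__main__":
    for line in sample_policy():
        print(line)
```

Running the block prints the assembled rulebase for the two constructed rules: the First include, the deny/allow pair produced by the negated rule, the logging deny pushed to the end by its priority, and the Last include. A negated deny rule is rejected with ValueError because the page does not define how it is imported; check such rules by hand in the Import Report.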

6.2. Performing a Standard Import from Check Point FireWall-1


This section describes a situation where you want to configure a Check Point FireWall-1 without taking into account the existing security policy on it, because:
- You have just installed Check Point FireWall-1 and want to configure it with Security Change Manager.
- You want to configure Check Point FireWall-1 again so as to build all your security policies with Security Change Manager and optimize them.
In this case, consider that there is no security policy on the Check Point FireWall-1 to take into account. If Security Change Manager is installed on the same workstation as the Check Point FireWall-1 Management Server, no prerequisites are needed for the Localhost Upload Method.

Warning
In order to keep track of your firewalls and see their names clearly in both the Security Change Manager and Check Point FireWall-1 displays, choose a short name (less than 10 characters) in Security Change Manager because a longer name will not be completely displayed in the Check Point FireWall-1 Policy Editor.

6.2.1. Step 1: Create and Configure a Management Server


To be able to perform an import, you must give Security Change Manager all the information necessary for the connection (IP address, login, password) and for retrieving Check Point FireWall-1 information (installation path, etc.). You therefore need to create a Management Server that contains at least the following information:
- Version number, in the Identification view.
- Upload IP address, in the Upload Configuration Upload Addresses view.
- Login/Password (optional), in the Upload Configuration Authentication view.
- OPSEC Application Name or OPSEC Application Distinguished Name, depending on whether you selected SSL Certificate & Encryption or Clear for the OPSEC Connection Type option in the Upload Configuration Connection Options view.

Security Change Manager imports only the objects involved in a rule, a NAT rule or an implicit NAT rule. Objects that cannot be imported remain in the objects.C file. Rules that Security Change Manager cannot manage stay in rulebases.fws and are referred to by the include policy in Security Change Manager.

Warning
Do not perform an import on an untitled map. Always name the project first in the Project Manager window.

1. Create a Management Server by selecting the Add Management Server icon in the toolbar and clicking once on the map.
2. Open the Management Server Properties window, click the Identification view and select a Management Server Version from the pull-down menu.

Figure 6.1. Management Server Properties: Identification

3. In the Addresses view, click the Add button to add the IP address(es) of the Management Server.
4. In the Upload Configuration Connection Options view, set the Upload Method option to OPSEC and the OPSEC Connection Type option to SSL Certificate & Encryption.

Figure 6.2. Management Server Properties: Upload Configuration: Connection Options

   Type in the OPSEC Application Name.

Note
The OPSEC Application Name must have been created and saved in SmartDashboard, but never used, before Security Change Manager connects with it.

5. Select the Upload Configuration Authentication view and specify a Login/Password for authentication.

Figure 6.3. Management Server Properties: Upload Configuration: Authentication (NG)

6. Select the Upload Configuration Firewall-1 Options view and specify the Check Point FireWall-1 options.
7. Select the Upload Configuration Upload Addresses view and specify the upload addresses, i.e. the address(es) used by Security Change Manager to connect to Check Point FireWall-1.

Figure 6.4. Management Server Properties: Upload Address

6.2.2. Step 2: Perform the Import


Now you are ready to perform the actual import.

1. Make sure you have already saved the project.
2. Select the Management Server on which you want to import. Then select Tools > Import > FW-1 Import... or right-click the Management Server and select Import > FW1-import from the contextual menu. A Checkpoint Import dialog box opens with the Import in Progress window in the background.
3. The Checkpoint Import dialog box displays the name of the ACL that will be imported. This is the one used by default on the Management Server. Click the Yes button.
4. Choose the elements to be imported from the pull-down menu:
   All Objects: import all the objects, excluding rules.
   Used Objects: import only the objects used in rules, excluding the rules themselves.
   Rules & All Objects: import all the objects and rules.
   Rules & Used Objects: import only the objects used in rules, and the rules themselves.

Figure 6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported

   Click OK. The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully to see what the import accomplished.

Figure 6.6. CheckPoint Import Report

5. Check the report and click the Close button. Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.

6.2.3. Step 3: Add the Missing Topology


Add the missing topology, particularly networks and connections; add or change icons and addresses so that they agree with your configuration. For the objects and rules it does not manage, Security Change Manager creates a new rulebases.fws file and a new Objects.C file. These files contain the definition of all objects and rules that were not imported and are located in the directory work/pre-upload/<npl file name>/<mgtServer name>. This directory is already used to store the files objects_5_0.C and rulebases.fws.

You can transform one object into another, for instance a class into a network:
1. Select the object.
2. Right-click and select Transform Into in the pop-up menu.
3. Select one option. The object changes.

You can also merge networks via Action > Merge Selected Networks.

6.2.4. Step 4: Connect and Group Attached Objects

1. Use the contextual menu on the map or on the selected objects to connect the following objects:
   PEPs to Networks
   Nexus to Networks
   Additionally, on an NG cluster, you should synchronize the networks (refer to the Security Change Manager User Guide for further information).

Note
If there is an Internet network '*', all classes not connected to a network are attached to this network, so you must check which classes may legitimately be attached to the Internet network. A warning message appears at the end of the automatic attachment of classes to networks to indicate that a class has been attached to the Internet network. You must check that this is really what you wanted: a class attached to the wrong network is subject to that network's permissions, so correct any wrong attachment before compiling.

2. Right-click a PEP or a network and select the Connect to ... Objects functionality in the contextual menu to group all attached objects around a network or a PEP inside the same network.

6.2.5. Step 5: Various Checks to Perform


1. If the security policy contains a Cluster, open its Properties window and reference the synchronization network.

Figure 6.7. Synchronization Network on Cluster

2. Check the Deny Permissions that have been imported. Rule optimization is done automatically by Security Change Manager. Give deny permissions that are used for logging purposes a priority greater than 5000 to be sure that they are placed at the end of the generated rules.
3. Also check the meaning of "Any" and the permissions attached to it wherever it has been imported.
4. Select Action > Policy Audit Through to launch a "Policy Audit Through" operation on the Check Point FireWall-1 PEP and select which interface you want to audit.

Figure 6.8. Policy Audit Through Report interface selection

5. Check the information displayed in the Audit Results window.
6. Check whether Security Change Manager imported OSE Devices from the Check Point FireWall-1 Management Server as PEP devices (3Com, Nortel or Cisco). If they have been imported, remove them on the Check Point FireWall-1 Management Server to avoid conflicts of this type when uploading.

6.3. Performing a Local Import of Check Point FireWall-1 Policy


It is possible to import a Check Point FireWall-1 policy without a CPMI connection (local import method). This feature lets you select which policy needs to be imported and define precisely what needs to be imported from this policy. To perform a FW1 local import, follow the procedure below:

1. Copy the FW1 objects_5_0.C and rulebase_5_0.fws files to your local file system.
2. In the Security Change Manager Designer, select the Management Server object from which you want to make the import and open its Properties window.
3. In the Upload Configuration Connection Options view, set the Upload Method property to None.
4. Select the Management Server on which you want to import. Then select Tools > Import > FW-1 Import... or right-click the Management Server and select Import > FW1-import from the contextual menu. A Checkpoint Import dialog box opens with the Import in Progress window in the background.
5. Type in the location of the objects_5_0.C file (i.e. the path including the file name) and click OK.

Figure 6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file

6. Type in the location of the rulebase.fws file (i.e. the path including the file name) and click OK.

Figure 6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file

7. Choose the elements to be imported from the pull-down menu:
   All Objects: import all the objects, excluding rules.
   Used Objects: import only the objects used in rules, excluding the rules themselves.
   Rules & All Objects: import all the objects and rules.
   Rules & Used Objects: import only the objects used in rules, and the rules themselves.

Figure 6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported

   Click OK.

Note
Whatever the option selected, only the objects supported by Security Change Manager will be imported.

8. Choose the policy to be imported from the pull-down menu. The ACL names are those that have been defined on the Management Server (e.g. Standard or Custom Policy in the figure below); click the corresponding button.

Figure 6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported

The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully to see what the import accomplished.

Figure 6.13. CheckPoint Import Report

9. Check the report and click the Close button. Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.

Figure 6.14. CheckPoint Import Terminated

6.4. Cleaning the Database Before Upload


If the database is corrupted for any reason, you may need to clean it so as to get back to a reliable Security Change Manager security policy. To do so:
1. Open the Management Server Properties window and select the Upload Configuration FireWall-1 Options view.
2. Set the Clean Database Before Next Upload option to Yes.

Figure 6.15. Options: Clean Database Before Upload

Note
The database is cleaned at the beginning of the next upload and the option is then set back to No (the default). Therefore, you have to reset it to Yes each time you want to clean the database.

The generated rules will not be the same as those imported because:
- Anti-spoofing has been lost and is recomputed automatically by Security Change Manager.
- Enforcement points have been lost and are found automatically by Security Change Manager.
- Rule order has been lost.
- The include policy (the set of rules that were not imported) is placed at the head of all other rules.


Chapter 7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager
7.1. First-Time: Define Non-supported Concepts on the Management Server ...................63
    7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server ........................................................................................................63
    7.1.2. Step 2: Add Specific Properties ..............................................................64
    7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager ..........64
    7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server ........................................................................................................64
    7.1.5. Step 5: Modify the Management Server Options ........................................64
    7.1.6. Step 6: Upload ....................................................................................65
7.2. How to Manage User Groups ............................................................................65

This chapter describes how to configure your Check Point FireWall-1 device to account for concepts that Security Change Manager does not manage.

Warning
This chapter gives a manual solution for managing Check Point FireWall-1 concepts not supported by Security Change Manager. The directions in this chapter can be used on a Security Policy that has already been built with Security Change Manager. It is recommended that the first time you want to incorporate Check Point FireWall-1 concepts, you use the Import Function. See Chapter 6, How to Perform an Import from Check Point FireWall-1 (page 45). Thereafter, use the directions in this chapter to modify your already-existing Security Policy.

7.1. First-Time: Define Non-supported Concepts on the Management Server


The Check Point FireWall-1 objects that are not supported in Security Change Manager are:
- domains
- users
- servers
- keys
- resources

The Patch Process and Security Include allow you to manage these concepts on the Check Point FireWall-1 Management Server.

7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server
Upload the Security Change Manager security policy on the Management Server in order to have the translated objects on the Check Point FireWall-1 Management Server.

7.1.2. Step 2: Add Specific Properties


On the Check Point FireWall-1 Management Server, edit each Check Point Gateway or Check Point Host and add the specific parameters that are not managed by Security Change Manager:
- Certificates list
- SNMP parameters
- Account unit parameters

7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager
Add the other objects not supported by Security Change Manager:
- Users
- Servers
- Resources
- Keys for IPsec

7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server
1. On the real Management Server, through the Policy Editor, create a new policy for the First and/or Last include security policy that will manage all the concepts that cannot be managed through Security Change Manager. Save the policy with a new name (for instance "My Policy").

Warning
The security policy name is case-sensitive.

2. This policy is the one you will include in the Include Rules window (see Section 7.1.5, Step 5: Modify the Management Server Options (page 64)), either as the First include Policy or the Last include Policy.

You must take into account the implications of these includes on the global security policy:
- A rule in the include is not considered in the Security Change Manager audit; therefore you cannot check the global validity of the model with the audit.
- A rule in the include is enforced only on the PEPs managed by this Management Server. If equipment managed by Security Change Manager sits between the source and the destination of the rule, the permission may be filtered there. To avoid this, define a rule that allows the permission on the PEPs directly controlled by Security Change Manager.
- NAT rules that may have an impact on equipment directly managed by Security Change Manager are prohibited.
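The second implication above is easy to miss in a large map, so here is a small check written for this page (an added illustration, not LogLogic code). It assumes a deliberately simple topology model: for each source/destination pair the caller lists the PEPs the traffic crosses, marks which of them are Check Point PEPs of this Management Server (where the include policy is installed), and supplies the set of Security Change Manager permissions as (pep, src, dst, srv) tuples. The network and PEP names and the sample include rules are constructed for the example.

```python
"""Flag include-policy rules that another Security Change Manager managed PEP
on the path would still filter.

Added illustration for this page, not LogLogic code. Topology model, names
and sample data are assumptions made for the example.
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class IncludeRule(NamedTuple):
    src: str
    dst: str
    srv: str


class Finding(NamedTuple):
    rule: IncludeRule
    pep: str    # Security Change Manager managed PEP with no permission covering the flow


def check_include_rules(include_rules: List[IncludeRule],
                        paths: Dict[Tuple[str, str], List[str]],
                        checkpoint_peps: Set[str],
                        scm_permissions: Set[Tuple[str, str, str, str]]) -> List[Finding]:
    """Return one Finding per (rule, PEP) where traffic allowed by an include
    rule would still be dropped: the PEP is on the path, is not a Check Point
    PEP of this Management Server (so the include rule is not installed on
    it), and no Security Change Manager permission (pep, src, dst, srv)
    allows the flow through it."""
    findings: List[Finding] = []
    for rule in include_rules:
        for pep in paths.get((rule.src, rule.dst), []):
            if pep in checkpoint_peps:
                continue    # the include policy itself is installed here
            if (pep, rule.src, rule.dst, rule.srv) not in scm_permissions:
                findings.append(Finding(rule, pep))
    return findings


# Constructed example: LAN to partner traffic crosses the Check Point gateway
# cp_gw and then a router edge_rtr that only Security Change Manager manages.
SAMPLE_PATHS = {
    ("lan_net", "partner_net"): ["cp_gw", "edge_rtr"],
    ("lan_net", "dmz_net"): ["cp_gw"],
}
SAMPLE_CP_PEPS = {"cp_gw"}
SAMPLE_INCLUDE = [
    IncludeRule("lan_net", "partner_net", "ssh"),
    IncludeRule("lan_net", "dmz_net", "http"),
]


def sample_findings(with_fix: bool) -> List[Finding]:
    """Run the check without, then with, the extra permission the warning asks for."""
    perms: Set[Tuple[str, str, str, str]] = set()
    if with_fix:
        perms.add(("edge_rtr", "lan_net", "partner_net", "ssh"))
    return check_include_rules(SAMPLE_INCLUDE, SAMPLE_PATHS, SAMPLE_CP_PEPS, perms)


if __name__ == "__main__":
    for finding in sample_findings(with_fix=False):
        print(f"include rule {finding.rule} is filtered by {finding.pep}")
```

Without the extra permission the ssh include rule is reported as filtered by edge_rtr; once the permission is defined on that PEP in Security Change Manager the check returns nothing. The rule to the DMZ crosses only the Check Point PEP and never needs one.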

7.1.5. Step 5: Modify the Management Server Options


1. In Security Change Manager Designer, open the Management Server Properties window.
2. Select the General Options Include Policy view and type in the names of the include policies.

Warning
The include policy names must match an existing security policy name on the Management Server and must differ from the Security Change Manager generated policy name. Please refer to the Security Change Manager Reference Guide.

7.1.6. Step 6: Upload


1. Select the Upload Configuration FireWall-1 Options view and set the FireWall-1 Upload Policy to Copy Only and click OK.

Figure 7.1. Upload Configuration Set to Copy Only

2. Right-click the Management Server icon and, from the contextual menu, select the Device Manager menu item.
3. In the Deployment tab of the Device Manager window, check that the Management Server is selected and click the Upload icon to start the upload. After this step, the final security policy (objects and rules) is generated and copied onto the Management Server. You can then install it on the managed PEPs via SmartDashboard, using the Policy > Install menu.

Note
If you want to use the previous security policy, you can manually copy the back-up files. Please see (page 41).

7.2. How to Manage User Groups


User Groups are used by the User Authentication and remote VPN features in Security Change Manager. Only the name of the group is known to Security Change Manager; all other properties must be defined on the Management Server. During an import, User Groups are imported into Security Change Manager. During an upload, an empty User Group is created when no User Group or LDAP group with the same name exists. The content of a User Group, that is, the users referenced by this group, must be defined through SmartDashboard.

Server objects, and specifically authentication servers (RADIUS, TACACS) and LDAP servers, must be defined via SmartDashboard. Before creating one, it is recommended that you create a Nexus in Security Change Manager Designer that represents the location of the server object, so that permissions from or to it and IP address changes can also be managed through Security Change Manager. This nexus is translated into a node that you reference in SmartDashboard as the host on which the server is defined.

On Security Change Manager Designer:
1. Create the nexus that has the IP address of the server (RADIUS, TACACS or LDAP server).
2. Add the necessary permissions between the Check Point FireWall-1 PEP and the nexus.
3. Select the Copy Only option (see Figure 7.1, Upload Configuration Set to Copy Only (page 65)) and upload the configuration.
4. On the Check Point FireWall-1 SmartDashboard, edit the policy on the Management Server and add a server that references the Check Point FireWall-1 interoperable device that represents the nexus.


Chapter 8. Client-to-Gateway VPN on Check Point FireWall-1 NG


8.1. Procedure .....................................................................................................67
    8.1.1. On the Check Point FireWall-1 ...............................................................67
    8.1.2. On the Management Server ....................................................................68
    8.1.3. PEPs Supporting Remote Access ............................................................68
    8.1.4. Specific Parameters ..............................................................................68
        On the device VPN node .......................................................................68
    8.1.5. Implicit Permissions .............................................................................69
8.2. VPN Limitations ............................................................................................70
    8.2.1. Global Limitations ...............................................................................70
        VPN-1 Net ..........................................................................................70
        DES-40 and CAST-40 ..........................................................................70
        Multiple Entry Point VPNs (MEP) ..........................................................70
    8.2.2. Remote Access Limitations ...................................................................70
        User Groups ........................................................................................70
        Office Mode is disabled on the gateway ....................................................70
        IP pool is defined through a DHCP server ..................................................70
        Hybrid Mode .......................................................................................70
        Enable VPN routing .............................................................................70
        Desktop security policy .........................................................................70
        Visitor Mode .......................................................................................70
        Transparent mode .................................................................................70
        Clientless VPN ....................................................................................71
        IPsec/L2TP tunnels ..............................................................................71
        Number of tunnels ................................................................................71
    8.2.3. First-time Upload of a VPN Policy ..........................................................71

This chapter discusses how to use Security Change Manager to manage client-to-gateway VPNs for Check Point FireWall-1 PEPs.

8.1. Procedure
When setting up remote access on a Check Point FireWall-1 through Security Change Manager, the user performs the following tasks:

8.1.1. On the Check Point FireWall-1


1. Define a User Group and reference the Management Server as the "authentication server".
2. Create a Mapped User Group, add the User Group and locate it on a network or metaclass.
3. Create a tunnel between this Mapped User Group and the Check Point FireWall-1 gateway.
4. Edit the Check Point FireWall-1 PEP and define the IP Pool and the other VPN parameters.
5. Associate the Mapped User Group, the gateway and all networks the User Group will reach with the same Trust Zone.
6. If NAT Traversal is enabled, add a permission for that service between the Mapped User Group and the Check Point FireWall-1 PEP.
7. Compile.
8. Perform Upload Preparation on the policy.
9. Upload the policy.

8.1.2. On the Management Server

If a warning appears during the upload stating that a User Group is empty, for each empty User Group:
1. Define the External User Profiles, LDAP Groups and/or Users that will be referenced by the User Group created by Security Change Manager.
2. Define the related authentication servers needed (RADIUS, TACACS...) and reference a Security Change Manager object as the host of these servers.
3. Save and install the policy.

Note
This task only has to be done to create the user group definition and the associated authentication server. The next upload will not need these tasks again, unless a new user group has to be managed.

Set the certificates and/or pre-shared key on the users concerned, if this has not already been done. The certificate and/or pre-shared key parameters must be set on the users' and/or external users' profiles the first time they are used. Install the database on the Check Point FireWall-1 gateway that terminates the remote VPN.

4. If a warning appears during the compilation stating that some IPsec parameters must be set on the user, set the IPsec proposals on the users of the User Group(s) concerned.

You can customize the following global parameters:
- Remote Access
- Remote Access -> VPN-Basic, except Pre-shared secret and IP compression

8.1.3. PEPs Supporting Remote Access


Security Change Manager supports only Remote Access on a PEP that has the VPN-1 Pro feature enabled.

8.1.4. Specific Parameters


On the device VPN node
1. Add the node Remote Access VPN.

Table 8.1. VPN: Specific Parameters

Parameter: Set Optional Office Mode Parameters
  Type: Boolean (Yes*/No)
  Comment: Help: allow the user to specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name. All the following parameters in italics depend on this value.

Parameter: Primary DNS
  Type: Switched IP address

Parameter: First Backup DNS
  Type: Switched IP address
  Comment: Appears when the Primary DNS is set.

Parameter: Second Backup DNS
  Type: Switched IP address
  Comment: Appears when the first backup DNS is set.

Parameter: Primary WINS
  Type: Switched IP address

Parameter: First Backup WINS
  Type: Switched IP address

Parameter: Second Backup WINS
  Type: Switched IP address
  Comment: Appears when the first backup WINS is set.

Parameter: Domain Name
  Type: String

Parameter: User Group Global Pool Lease Duration (in minutes)
  Type: Integer (min: 2, max: 32767)

Parameter: Support NAT-Traversal
  Type: (Yes/No*)

Parameter: NAT-Traversal Service
  Type: VPN1_IPsec_encapsulation, or any of the listed services
  Comment: Appears if Yes is selected for Support NAT-Traversal.

Parameter: Tunnel
  Type: Only Trust Zone / Everything

Parameter: Hub Mode Configuration
  Comment: When enabled, the Gateway agrees to act as a VPN router for the client.

2. Other parameters are set by Security Change Manager:
- Allow office mode for all users.
- Office Mode Method - Manual (using IP pool): always set.
- Allocate IP from network: (defined by the pool on the PEP).

8.1.5. Implicit Permissions


The IKE and ESP implicit permissions are created.


8.2. VPN Limitations


VPN Limitations and their workarounds (if they exist) are listed below:

8.2.1. Global Limitations


VPN-1 Net
The VPN-1 Net module is not supported in Security Change Manager.

DES-40 and CAST-40


Security Change Manager does not manage the DES-40 and CAST-40 encryption algorithms.

Multiple Entry Point VPNs (MEP)


Multiple Entry Point VPNs (MEP) are not supported.

8.2.2. Remote Access Limitations


User Groups
Security Change Manager defines only the names of user groups on the Check Point FireWall-1, but does not define the content of the groups. See Section 7.2, How to Manage User Groups (page 65) for further information.

Office Mode is disabled on the gateway


The case where the remote user keeps its IP address (Office Mode is disabled on the gateway) is not managed.

IP pool is defined through a DHCP server


The case where the IP pool is defined through a DHCP server is not managed.

Hybrid Mode
Security Change Manager does not manage hybrid mode. You can enable hybrid mode, through the option on the Smart Dashboard, in Global Properties Remote Access VPN Basic.

Enable VPN routing


Enable VPN routing will not work, since Security Change Manager does not distinguish between the hub-and-spoke and star models.

Desktop security policy


Desktop security policy is not generated by the Security Change Manager implementation.

Visitor Mode
Security Change Manager does not support visitor mode.

Transparent mode

Security Change Manager does not support transparent mode, since this mode is not possible with Office Mode.

Clientless VPN
Security Change Manager does not support Clientless VPN.

IPsec/L2TP tunnels
Security Change Manager does not support IPsec/L2TP tunnels.

Number of tunnels
Only one tunnel can be created to a Check Point FireWall-1 PEP.

8.2.3. First-time Upload of a VPN Policy


The first time you upload a VPN policy, the installation of the policy on the Check Point FireWall-1 devices may fail with the following message: Can't install policy. Reason: The SR Community member <Check Point Gateway name> must have a signed certificate..: Failed - Unspecified error. In this case, open the policy with SmartDashboard, open the Properties window of <Check Point Gateway name> and validate it (click the OK button). This creates the internal certificate needed. You can then install the policy from Security Change Manager.


Chapter 9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI


9.1. Procedure .....................................................................................................73
    9.1.1. On the Security Change Manager ............................................................73
    9.1.2. On the Check Point FireWall-1 Management Server ...................................73
        Procedure ...........................................................................................73
    9.1.3. VPN Domains .....................................................................................74
9.2. VPN Limitations ............................................................................................74
    9.2.1. Global Limitations ...............................................................................75
        VPN-1 Net ..........................................................................................75
        DES-40 and CAST-40 ..........................................................................75
        Multiple Entry Point VPNs (MEP) ..........................................................75
    9.2.2. Site-to-site limitation ............................................................................75
        Usage of the Simplified Mode ................................................................75

This chapter discusses how to use Security Change Manager to manage gateway-to-gateway VPNs for Check Point FireWall-1 PEPs.

9.1. Procedure
When making a gateway-to-gateway VPN on a Check Point FireWall-1 through Security Change Manager, the user will do the following tasks:

9.1.1. On the Security Change Manager


1. Define a gateway-to-gateway tunnel as described in the Security Change Manager User Guide.
2. Compile.
3. Perform Upload Preparation on the policy.
4. Upload the policy.

9.1.2. On the Check Point FireWall-1 Management Server


On the management server, if it is the first time you upload this VPN, you must set the pre-shared secret and/or certificates.

Procedure
1. Set the Authentication parameters:
   a. In the case of a pre-shared secret, open the community named NP_V__<PEP1>-<PEP2>. In the shared secret field, copy the pre-shared key written in the 0.
   b. In the case of certificates, there is nothing to do except to use a Certificate Authority. When the Certificate Authority of the device is different from that of its Check Point Management Server, you must create this Certificate Authority object in the Management Server and then enrol the Check Point FireWall-1 gateway in this Certificate Authority. For more information, refer to the Check Point FireWall-1 documentation.
2. Save and install the policy.

Note
This task must be done after the VPN community is created. Subsequent uploads do not require these tasks again, except when the pre-shared key changes, the certificate authorities change, or the tunnel's authentication method changes from PSK to RSA-Sig or from RSA-Sig to PSK.

9.1.3. VPN Domains


The VPN domain will be deduced in the following manner:

Figure 9.1. VPN Domain Deduction

The source (respectively destination) of every permission that enters (respectively leaves) one side of a tunnel becomes part of the VPN domain of that side. Since each gateway has only one VPN domain, that domain is a group containing all the networks that need to be reached via IPsec, possibly through different tunnels.
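The deduction rule above, as an added Python example that is not part of Security Change Manager: it takes a constructed list of tunnel permissions, builds each gateway's single VPN domain as the union of what enters or leaves on its side, and adds a check the manual does not mention, flagging gateways whose deduced domains overlap, which is worth reviewing before the upload. The gateway names, network addresses and the (source, destination, (entry gateway, exit gateway)) permission format are assumptions.

```python
from ipaddress import ip_network, collapse_addresses

# Constructed sample (hypothetical gateway names and addresses). Each permission is
# (source, destination, (entry_gateway, exit_gateway)): the flow enters the tunnel
# at entry_gateway and leaves it at exit_gateway.
PERMISSIONS = [
    ("10.1.0.0/24", "10.2.0.0/24", ("fw-paris", "fw-lyon")),
    ("10.1.1.0/24", "10.2.0.0/24", ("fw-paris", "fw-lyon")),
    ("10.2.5.0/24", "10.1.0.0/24", ("fw-lyon", "fw-paris")),   # reverse direction
    ("10.1.0.0/24", "10.3.0.0/16", ("fw-paris", "fw-nice")),   # fw-paris on a second tunnel
]


def deduce_vpn_domains(permissions):
    """Sources entering a tunnel join the entry side's domain, destinations leaving
    it join the exit side's domain; a gateway on several tunnels gets the union,
    collapsed into the smallest set of networks (one VPN domain per gateway)."""
    domains = {}
    for src, dst, (entry_gw, exit_gw) in permissions:
        domains.setdefault(entry_gw, set()).add(ip_network(src))
        domains.setdefault(exit_gw, set()).add(ip_network(dst))
    return {gw: sorted(collapse_addresses(nets)) for gw, nets in domains.items()}


def overlapping_domains(domains):
    """Added sanity check (not from the manual): pairs of gateways whose deduced
    domains share addresses. Review these before uploading, since both peers
    would claim the same networks behind the tunnel."""
    names = sorted(domains)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.overlaps(y) for x in domains[a] for y in domains[b])]


if __name__ == "__main__":
    domains = deduce_vpn_domains(PERMISSIONS)
    for gw, nets in sorted(domains.items()):
        print(gw, "VPN domain:", ", ".join(map(str, nets)))
    print("overlapping domains:", overlapping_domains(domains) or "none")
```

With the sample, fw-paris ends up with 10.1.0.0/23 (the two adjacent /24s collapsed) even though it sits on two tunnels, fw-lyon with both 10.2.0.0/24 and 10.2.5.0/24, and no overlap is reported.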

9.2. VPN Limitations


VPN Limitations and their workarounds (if they exist) are listed below:

9.2.1. Global Limitations


VPN-1 Net
The VPN-1 Net module is not supported in Security Change Manager.

DES-40 and CAST-40


Security Change Manager does not manage the DES-40 and CAST-40 encryption algorithms.

Multiple Entry Point VPNs (MEP)


Multiple Entry Point VPNs (MEP) are not supported.

9.2.2. Site-to-site limitation


Usage of the Simplified Mode
In simplified mode, a given service cannot have both a permission that passes through a tunnel and a permission outside the tunnel.


Chapter 10. Check Point FireWall-1 Cluster Management


10.1. Procedure
  10.1.1. On the Check Point FireWall-1 Management Server
  10.1.2. On the Security Change Manager Designer
10.2. Limitations

This chapter discusses how to use Security Change Manager to manage clusters of Check Point FireWall-1 PEPs.

10.1. Procedure
10.1.1. On the Check Point FireWall-1 Management Server
If the cluster object does not already exist, you must create it on the Check Point Management Server. The cluster members do not need to be created. They will be created by the Security Change Manager.

10.1.2. On the Security Change Manager Designer


1. Create the map with the cluster members defined as PEPs.
   a. Reference the Management Server from each PEP.
   b. Define each PEP's interfaces (other parameters will be hidden when the PEP is referenced as a cluster member).
   c. Select the Upload configuration view and tick the SIC Authentication Key checkbox to initiate communication between the Management Server and the module if you have not yet initiated it via the Check Point FireWall-1 SmartDashboard.

Figure 10.1. SIC Authentication Key Activated

2. Create the cluster via the menu Mode > Add Cluster. Make sure it is named with the same name that is used in the Check Point FireWall-1 Management Server.
   a. Open the Cluster Properties window, and in the Identification view, reference the Management Server from the cluster using the Managed By pull-down menu.

Figure 10.2. Management Server Referenced on the Cluster

   b. Select the Cluster Options view and set Cluster XL Enabled to Yes if you are not using a 3rd-party application to handle clustering.

Figure 10.3. Cluster XL Enabled Option


   c. Select the Cluster Options > Cluster Members view, add the cluster members and sort them in the priority order in which you want them to be available (the top one in the list is the master).

Figure 10.4. Selection of Cluster Members

   d. Select the Cluster Options > Availability Parameters view, and set the Operating Mode option as needed. Set the other availability parameters depending on whether you have chosen the Cluster XL feature or not.

Figure 10.5. Selection of Availability Operation Mode

   e. Select the Cluster Options > Synchronization > Synchronization Networks view and reference a network to synchronize the cluster members. Note the following about this network:
      - It is recommended that you reference a dedicated network that is not connected to any of the cluster's virtual interfaces.
      - You can define more than one synchronization network for backup purposes.
      - Since synchronization networks are used to pass sensitive data such as encryption keys, it is important that these networks are secured.
      - The network must be linked to one interface of each cluster member.

Figure 10.6. Selection of Synchronization Network

   f. Add the virtual interfaces and connect them to the same network as the cluster members' interfaces. The virtual interfaces make the cluster members' interfaces redundant.

Your workspace should look like this:

Figure 10.7. Example of Cluster

Note
Implicit Permissions will be automatically activated between the cluster members (this is also the case for Nokia IP clusters).

3. Add an NTP permission between the cluster members and the NTP server to ensure the cluster members have the same date.
4. Upload the configuration.

10.2. Limitations
High Availability Legacy Mode is not supported. Check Point FireWall-1 High Availability New Mode is supported.


Chapter 11. Provider-1 Management Server Installation


11.1. Adding a Provider-1 Management Server

11.1. Adding a Provider-1 Management Server


1. Click on the Mgt server icon in the toolbar.
2. Click on the background of the Security Change Manager Designer map to add a Management Server and enter its IP address in the pop-up menu.
3. Double-click the Management Server icon on the map to open its Properties window and select the type Provider-1 in the Identification view.
4. Select the General Options > Managed CMAs view and click the Add ManagedCMA icon to add the CMA servers that should be managed by the Provider-1 Management Server.


Chapter 12. Check Point FireWall-1 Properties Windows


12.1. Description
12.2. General Options
  12.2.1. Security Profile
    Common Security Parameters
    Replace Address
    Replace Service
  12.2.2. Virtual System
  12.2.3. Authentication
    Enabled Authentication Schemes
    Authentication Settings
    HTTP Security Server
12.3. Policy Learning Mode
12.4. Common Interface Options
12.5. Interface Options
  12.5.1. Security Profile
    Common Security Parameters
    Replace Address
    Replace Service
  12.5.2. IP Addresses
    Static IP Addresses
    Dynamic Addresses Pool
    IP Addresses
12.6. VPN Options
  12.6.1. IKE Capabilities
  12.6.2. IPSec Capabilities
  12.6.3. Remote Access VPN
12.7. Upload Configuration
12.8. Tunnel Peer Options
  12.8.1. Interface
12.9. Authentication User Definition
  12.9.1. flowListIn
  12.9.2. flowListOut
  12.9.3. flowListExternal

12.1. Description

Note
    Allows you to enter a description of the current PEP.

12.2. General Options

Use this view to examine and modify general PEP options.

Managed
    * Choice "Yes *" Indicates that SCM Server will produce filters for this PEP.
    * Choice "No" Set to "No" if you do not want SCM Server to manage this PEP.

Apply Flow To/From PEP on Relevant Interfaces Only
    Enables you to choose how the PEP applies flows to its various interfaces.
    * Choice "Yes *" Limits an authorized flow that has the PEP as its destination, so that packets entering through an interface cannot reach any other interface.
    * Choice "No" Allows an authorized flow that has the PEP as its destination to reach all interfaces of the PEP.
    This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.

Has IPSec Module
    * Choice "Yes" Indicates that the device supports the IPSec module for VPNs.
    * Choice "No" Indicates that the device does not support IPSec.

supportsEncapsulatedTunnel

Enforce Time Filtering
    Specifies whether the PEP is to perform time filtering. For further information on Time Filtering, see the SCM Server User Guide.

Generate NAT Rules
    * Choice "Yes *" NAT rules are generated by the compiler and included in the filters. A warning message is displayed if the PEP cannot implement the rules.
    * Choice "Comment" NAT rules are written to the filters file as comments and ignored by the upload module.
    * Choice "No" NAT rules are not generated.
    At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the device without changing the existing NAT rules (if any). This matters because NAT rules change much less often than other filtering rules, and rewriting them interrupts communication. The compiler nevertheless takes the NAT rules into account to generate the filters for the PEPs beyond the NAT application point.

Check Point Suite Type
    The suite type that matches the one you installed with your Check Point software.

VSX Type
    Lets you choose the type of VSX device.
    * Choice "Gateway *" The VSX device will be a VSX gateway.
    * Choice "Virtual System" The VSX device will be a virtual system.

12.2.1. Security Profile

Use this view to select the PEP's level of security. By default, the PEP's profile is set to maximum security.

Security Level
    Lets you choose the default level of security that SCM Server will generate for this PEP. You can choose to generate faster configurations on certain PEPs at the expense of reduced security.
    * Choice "Custom Filtering *" Lets you choose a custom level of filtering by setting options in the Replace Address or Replace Service views.
    * Choice "Deny few, Permit all" Same as "Custom Filtering" but with the default policy set to "Permit".
    * Choice "Full Filtering" This level configures the PEP parameters to offer maximum security. The parameters contained in the Common Security Parameters view are set to ensure maximum security and are locked to prevent changes. This option also prevents you from choosing the Broad Filtering option (see the Replace Address and Replace Service nodes).
    * Choice "PEP Access Security Only" Disables filtering on this PEP, except for the rules that protect the PEP itself. The PEP will therefore allow all traffic to pass through it, but will not allow unauthorized access to itself.
    * Choice "No Filtering" Disables filtering, and reduces security on this PEP to zero.

Broad Filtering
    Lets you choose to enable faster configurations at the expense of reduced security. You must set Security Level to "Custom Filtering" to use this option.
    * Choice "Disabled *" Indicates that filtering is not broadened, and security is at its highest level.
    * Choice "By Address" Reveals the Replace Address view, which lets you configure broad filtering by address.
    * Choice "By Service" Reveals the Replace Service view, which lets you configure broad filtering by service.

Common Security Parameters

Use this view to configure common security parameters for the PEP.

Suppress Filtering on TCP Direction
    Sets up the flow rules for return traffic, using the TCP "ack" (acknowledgement) bit.
    * Choice "Yes *" Only packets belonging to an established connection will be permitted to flow back through the PEP.
    * Choice "No" The filtering rules will not verify the ack bit status. These filters are more compact but more permissive for the return traffic, which may degrade security.
    Attention: This option should be modified by an expert user only.

Suppress Filtering on ICMP Message Type
    * Choice "Yes *" Indicates that the PEP will filter by ICMP message type.
    * Choice "No" Indicates that the PEP will not filter by ICMP message type.

'Securing PEP' rules
    * Choice "Yes *" Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
    * Choice "No" Permits access to the PEP's interface addresses.

Suppress 'Internet Restriction'
    Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
    * Choice "Yes *" Any permission you draw to/from Internet causes the compiler to implicitly generate all the denies needed to prevent permissions to/from all other internal addresses.
    * Choice "No" Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
    Attention: This option should be modified by an expert user only.

Expand Internet
    This option is an optimization that controls how SCM Server defines the Internet object. It can create very finely-tuned filters, but at the price of increased size.
    * Choice "Yes" SCM Server uses a more precise, "expanded" definition of Internet: "all addresses outside the internal networks". This creates very fine, but slower, filters.
    * Choice "No *" SCM Server defines Internet as "Any". The generated filters are thus faster, but less secure.

Default Rule
    Lets you change the default rule on this device. By default SCM Server writes a "deny all" rule at the end of a device's configuration. With this option you can change this behavior so that SCM Server does not write a default "deny all" rule, and all access that is not explicitly denied is allowed on this device.
    * Choice "Policy Default *" Uses the value defined in the Tools > Properties for the Current Policy window.
    * Choice "Deny" Keeps the standard behavior. Every access that is not defined is not allowed on this device.
    * Choice "Allow" Lets you easily define policies whose goal is to prohibit a set of given protocols in the network. If you choose "Allow", make sure that you explicitly deny every access you want to close, or that you have another device in series that denies everything by default.

Generate Anti-Spoofing
    Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
    * Choice "Yes *" The PEP will generate anti-spoofing rules.
    * Choice "No" The PEP will not generate anti-spoofing rules.
    * Choice "Unmanaged" Takes the computed anti-spoofing into account, but does not generate the related configuration, so the anti-spoofing defined on the SmartCenter is not changed by the upload.

Spoof Tracking
    Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
    * Choice "None *"
    * Choice "Log"
    * Choice "Alert"
    * Choice "Disabled" Disables the anti-spoofing option.

Replace Address

Use this view to limit the optimizations SCM Server makes on addresses. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "By Address" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, this option restricts the enlargement to the address of the network from which each permission originates in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the Replace Destination "by Netmaskable Network" option, this option restricts the enlargement to the address of the network where each permission terminates in your policy map.

Replace Service

Use this view to limit the optimizations SCM Server makes on services. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for the services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "By Service" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
    This is an optimization that enlarges the service of a permission. For example, an HTTP and an FTP permission may be enlarged to TCP. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
    * Choice "No *" Does not enlarge services. This option maintains the highest level of security.
    * Choice "by TCP" Replaces TCP-based permissions by a TCP permission.
    * Choice "by UDP" Replaces UDP-based permissions by a UDP permission.
    * Choice "by TCP and UDP" Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission is replaced by two permissions, a permit TCP and a permit UDP; a UDP-based permission is likewise replaced by a permit TCP and a permit UDP.
    * Choice "by IP" Replaces permissions by IP.
    * Choice "by Any" Replaces all permissions by Any.
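To make the address broadening of the Replace Address view and the service broadening of the Replace Service view concrete, here is an added Python example; it is not SCM Server code, and the Permission data class, the service-to-protocol table, the sample map and the topology dictionary are assumptions. It applies the "by Netmaskable Network" choice with a netmask, the "Restrict ... Replacement to Topology" clamp, and the Replace Service choices to a constructed set of permissions, leaves permissions with logging, time or authorization actions untouched as the text says, deduplicates the result, and counts how many source addresses the broadened rules admit so the cost of the optimization is visible.

```python
from dataclasses import dataclass
from ipaddress import ip_network, collapse_addresses


@dataclass(frozen=True)
class Permission:
    """One permission drawn on the map (hypothetical model)."""
    src: str            # host address or CIDR network
    dst: str
    service: str        # named service, e.g. "http", "dns"
    log: bool = False
    time_restricted: bool = False
    auth: bool = False

    def has_side_effects(self) -> bool:
        # Per the text: logging, time or authorization actions disable the optimization.
        return self.log or self.time_restricted or self.auth


# Assumed service-to-protocol table; unknown services fall back to "ip".
SERVICE_PROTOCOL = {"http": "tcp", "ftp": "tcp", "ssh": "tcp", "dns": "udp", "ntp": "udp"}


def broaden_address(addr, netmask_len=None, topology_net=None):
    """'by Netmaskable Network': replace addr by the /netmask_len block containing it.
    topology_net implements 'Restrict ... Replacement to Topology': the block never
    grows past the map network the permission starts (or ends) in."""
    net = ip_network(addr, strict=False)
    if netmask_len is not None and netmask_len < net.prefixlen:
        net = net.supernet(new_prefix=netmask_len)
    if topology_net is not None:
        topo = ip_network(topology_net)
        if net != topo and net.supernet_of(topo):
            net = topo
    return net


def broaden_service(service, mode="No"):
    """Replace Service choices. Returns the service(s) the rule is written with."""
    proto = SERVICE_PROTOCOL.get(service, "ip")
    if mode == "by Any":
        return ["any"]
    if mode == "by IP":
        return ["ip"]
    if mode == "by TCP and UDP" and proto in ("tcp", "udp"):
        return ["tcp", "udp"]        # one permission becomes two
    if mode == "by TCP" and proto == "tcp":
        return ["tcp"]
    if mode == "by UDP" and proto == "udp":
        return ["udp"]
    return [service]                 # "No", or the mode does not apply to this service


def broaden_permissions(perms, src_mask=None, dst_mask=None, service_mode="No", topology=None):
    """Apply the Replace Address / Replace Service settings and drop duplicate rules,
    which is where the 'fewer ACLs' saving comes from."""
    topology = topology or {}
    rules = []
    for p in perms:
        if p.has_side_effects():
            candidates = [(ip_network(p.src, strict=False), ip_network(p.dst, strict=False), p.service)]
        else:
            src = broaden_address(p.src, src_mask, topology.get(p.src))
            dst = broaden_address(p.dst, dst_mask, topology.get(p.dst))
            candidates = [(src, dst, svc) for svc in broaden_service(p.service, service_mode)]
        for rule in candidates:
            if rule not in rules:
                rules.append(rule)
    return rules


def source_exposure(rules):
    """How many distinct source addresses the rule set admits: the security cost."""
    return sum(n.num_addresses for n in collapse_addresses(r[0] for r in rules))


# Constructed sample map: four host permissions, the last one logged.
PERMISSIONS = [
    Permission("10.10.1.1", "192.0.2.10", "http"),
    Permission("10.10.2.2", "192.0.2.10", "ftp"),
    Permission("10.10.3.3", "192.0.2.53", "dns"),
    Permission("10.10.4.4", "192.0.2.22", "ssh", log=True),
]
# The map networks each host belongs to (hypothetical), used by the topology restriction.
TOPOLOGY = {"10.10.1.1": "10.10.1.0/24", "10.10.2.2": "10.10.2.0/24", "10.10.3.3": "10.10.3.0/24"}

if __name__ == "__main__":
    for label, kwargs in [
        ("no broadening", {}),
        ("/16 source + by TCP", {"src_mask": 16, "service_mode": "by TCP"}),
        ("/8 source, restricted to topology", {"src_mask": 8, "topology": TOPOLOGY}),
    ]:
        rules = broaden_permissions(PERMISSIONS, **kwargs)
        print(f"{label}: {len(rules)} rules, {source_exposure(rules)} source addresses")
        for src, dst, svc in rules:
            print(f"  permit {svc} from {src} to {dst}")
```

With a /16 source netmask and "by TCP", the HTTP and FTP permissions collapse into one permit tcp rule, the DNS permission keeps its UDP service, and the logged SSH permission is left alone, but the rule set now admits 65536 source addresses instead of 4. The topology restriction caps a /8 request at each host's /24 map network, which is the case where the optimization is still worth having.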

12.2.2. Virtual System

Container Name
    Specifies the name of the container/VirtualSystemBox that contains this virtual system. You must have configured the container device with virtual systems for SCM Server to be able to communicate with it.

12.2.3. Authentication

This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Enabled Authentication Schemes

Use this view to enable the different types of authentication servers with which the PEP may communicate.

S/Key
    Indicates if the PEP will prompt the user to enter his/her S/Key during authentication (not on NG AI).

VPN-1 and FireWall-1 Password
    Indicates if the PEP will prompt the user to enter his/her internal Check Point FireWall-1 password during authentication.

SecurID
    Indicates if the PEP will prompt the user to enter the number shown on the SecurID card during authentication.

RADIUS
    Indicates if the PEP will prompt the user to answer the RADIUS question during authentication. The question is defined on a RADIUS server.

TACACS
    Indicates if the PEP will prompt the user to answer the TACACS question during authentication. The question is defined on a TACACS or TACACS+ server.

OS Password
    Indicates if the PEP will prompt the user to enter his/her operating system password during authentication.

Authentication Settings

Use this view to configure how the PEP behaves during authentication sessions.

User Authentication Session Timeout (min)
    Indicates the number of minutes after which the PEP closes the authentication session.

Enable wait mode for Client Authentication
    If the user opens an authentication session over telnet on port 259, this option indicates whether the PEP keeps the telnet session open while the authentication session is open. If you select this option, the PEP closes the authentication session when the telnet session closes. If you do not select it, the PEP closes the telnet session once the user signs on, and the user has to reopen the telnet session to sign off.

Authentication Failure Track
    Indicates how the PEP will react to errors during authentication.
    * Choice "None" The PEP does not track errors.
    * Choice "Log" The PEP will log errors.
    * Choice "Popup Alert" The PEP will open a popup window; you define the popup alert once in the Check Point FireWall-1 Global Properties window, and afterwards reference it from SCM Server.
    * Choice "Mail Alert" The PEP will send an email about the error.
    * Choice "SNMP Trap Alert" The PEP will send an SNMP trap.
    * Choice "User defined alert no." The PEP will send a user-defined alert; you define alerts once using the Check Point FireWall-1 software, and afterwards reference them from SCM Server.

HTTP Security Server

Use this view to configure how the PEP communicates with its associated HTTP security server.

Use Next Proxy
    Indicates whether there is an HTTP proxy server behind the Check Point FireWall-1 HTTP Security Server.

HTTP Next Proxy
    The host name and port number of the HTTP proxy server.

12.3. Policy Learning Mode

Use this view to change the policy of a device and open it sufficiently to guarantee that the flows will pass until complete policy discovery has been made by the security team.

Enable Policy Learning Mode
    * Choice "Yes" Indicates that Policy Learning Mode is enabled.
    * Choice "No *" Indicates that Policy Learning Mode is disabled.

Log Level for Allow Rule
    * Choice "None *" Disables logging.
    * Choice "Default" Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type. Note: Some PEPs allow selection of different log levels.

12.4. Common Interface Options

Use this view to manage options that are common to all the PEP's interfaces.

Generate ICMP Error Message
    * Choice "Yes" Sets the error option for all interfaces on the PEP. This option triggers the transmission of an ICMP unreachable error message for any IP packet that is not authorized by the filters. This applies to both incoming and outgoing interface traffic.
    * Choice "No *" The error option is not set.

Log Level for the Default Rule
    Sets the log level for the default rule for all interfaces on the PEP. This option will not show packets transiting in violation of a specific denial. To see that information, you must set the Log option on the Permission Properties window: Log view, or on the concerned interface.
    * Choice "None *" Disables logging.
    * Choice "Default" Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type. Note: Some PEPs allow selection of different log levels.

Application Point
    * Choice "Incoming *" The filters will be generated for the packets entering the interface.
    * Choice "Outgoing" The filters will be generated for the packets leaving the interface.
    * Choice "Both Directions if Possible" SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.

Allow Forwarding
    Indicates if this device will perform forwarding. Enable this option to allow the device to forward packets.

12.5. Interface Options

Use this view to manage the options for a single interface.

Upload Target
    * Choice "Yes *" Specifies that the selected interface will be used for uploading filter files.
    * Choice "No" Specifies that the selected interface is not to be used for uploading filter files.

Interface Type
    Indicates if the interface's purpose is to filter or to sniff the packets.
    * Choice "Filtering Interface" The interface only does packet filtering.
    * Choice "Sensor" The interface only does packet sniffing.
    * Choice "Sensor + Filtering Interface" The interface can do both.

Is Loopback Interface
    Specifies if this interface is a "loopback" interface. A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the Internet through two redundant ISPs. The loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces. Note: SCM Server will not allow you to connect a loopback interface to any object.

Policy Learning Mode
    * Choice "Yes" Indicates that Policy Learning Mode is enabled on this interface.
    * Choice "No *" Indicates that Policy Learning Mode is disabled on this interface.

Log Level for Deny Rules
    * Choice "None *" Disables logging.
    * Choice "Default" Triggers the logging of any IP packet matching a deny rule, to the default log level of the current PEP type. Some PEPs allow selection of different log levels.

Managed
    * Choice "Yes *" Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
    * Choice "No" Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.

Allow Forwarding
    Indicates if this interface will perform forwarding. Enable this option to allow the interface to forward packets.

Use as Tunnel Peer
    Indicates if this interface can be used to mount a tunnel.
    * Choice "Always" Indicates that the PEP will always try to use this interface when mounting a tunnel.
    * Choice "Never" The PEP will never try to use this interface when mounting a tunnel.
    * Choice "Automatic *" SCM Server will choose either "Always" or "Never" depending on whether the interface forms part of a possible path for the tunnel.
    Note: You should only need this option if you use Tunnel Groups.

Application Point
    * Choice "Incoming *" Only incoming filters will be applied.
    * Choice "Outgoing" Only outgoing filters will be applied.
    * Choice "Device Default" Incoming/outgoing filters are applied according to the value specified in the Interfaces: Options View.
    * Choice "Both Directions if Possible" SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.

Interface is external (leads out to the Internet)
    Specifies that the interface leads to the Internet. This means that IP addresses behind this interface will not be counted in the license enforcement.

12.5.1. Security Profile


Use this view to select the level of security on this interface. By default, the interface's profile is set to maximum security.

Common Security Parameters


Use this view to configure common security parameters for this interface.

Disable Filtering
  * Choice "Device Default *": This option uses the value set in the General Options: Security Profile: Common Security Parameters view.
  * Choice "No": SCM Server will generate filters for this interface.
  * Choice "Yes": SCM Server will generate a permit any any rule on this interface. By disabling the filtering on one (or several) interface(s), you create a rule that permits all flows, which reduces the level of security but improves performance.
  Note: This option will not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:
  - choose "No" in the "Generate Anti-Spoofing" option
  - in the General Options: Security Profile: Common Security Parameters view, enable the option "Suppress Securing PEP".

Generate Anti-Spoofing
  Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
  * Choice "Yes *": The PEP will generate anti-spoofing rules.
  * Choice "No": The PEP will not generate anti-spoofing rules.
  * Choice "Unmanaged": Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter is not changed by the upload.

Spoof Tracking
  Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
  * Choice "Device Default *"
  * Choice "None"
  * Choice "Log"
  * Choice "Alert"
  * Choice "Disabled": Disables the anti-spoofing option.

Replace Address
Use this view to set a limit on the optimizations SCM Server makes on addresses, on a single interface only. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
  This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.
  Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
  * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
  * Choice "by Any": Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.
  In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
  Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
  When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
  This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.
  Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
  * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
  * Choice "by Any": Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.
  In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
  Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
  When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.

Replace Service
Use this view to set a limit on the optimizations SCM Server makes on services, on a single interface only. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
  This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
  * Choice "No *": Will not enlarge services. This option maintains the highest level of security.
  * Choice "by TCP": Replaces TCP permissions by TCP.
  * Choice "by UDP": Replaces UDP permissions by UDP.
  * Choice "by TCP and UDP": Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
  * Choice "by IP": Replaces permissions by IP.
  * Choice "by Any": Replaces all permissions by Any.
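The Replace Address and Replace Service views above describe the "Broad Filtering" optimization only in prose. The following is an added example, not part of the manual and not SCM code, that models that optimization (netmask enlargement with the topology restriction, replacement by Any, and the service replacement choices) and measures how many addresses the emitted rules admit beyond the policy. The permissions, the service-to-transport table and the topology network are constructed for illustration.

```python
"""Model of SCM's Replace Address / Replace Service broadening (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: a minimal service-to-transport table; SCM has a full catalogue.
SERVICE_PROTO = {"ftp": "tcp", "http": "tcp", "dns": "udp", "ntp": "udp"}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Permission:
    source: str                       # one source host address
    service: str                      # key into SERVICE_PROTO
    actions: frozenset = frozenset()  # "log", "time" or "auth" block broadening


def replace_address(addr: str, mode: str, prefix: Optional[int] = None,
                    topology: Optional[str] = None) -> ipaddress.IPv4Network:
    """Replace Source/Destination: 'No', 'by Netmaskable Network' (widened to
    the Network Netmask prefix) or 'by Any'. With 'Restrict ... Replacement
    to Topology' the enlargement never exceeds the policy-map network the
    address originates from (assumption: every address really lies in it)."""
    if mode == "No":
        return ipaddress.ip_network(f"{addr}/32")
    if mode == "by Any":
        return ANY_NET
    if mode != "by Netmaskable Network":
        raise ValueError(f"unknown Replace Address choice: {mode}")
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if topology is not None:
        topo = ipaddress.ip_network(topology)
        if ipaddress.ip_address(addr) not in topo:
            raise ValueError(f"{addr} does not originate from {topology}")
        if net.supernet_of(topo):
            net = topo   # clip the enlargement to the originating network
    return net


def replace_service(service: str, mode: str) -> tuple:
    """Replace Service choices; 'by TCP and UDP' yields two permissions."""
    proto = SERVICE_PROTO[service]
    if mode == "No":
        return (service,)
    if mode == "by TCP":
        return ("tcp",) if proto == "tcp" else (service,)
    if mode == "by UDP":
        return ("udp",) if proto == "udp" else (service,)
    if mode == "by TCP and UDP":
        return ("tcp", "udp")
    if mode == "by IP":
        return ("ip",)
    if mode == "by Any":
        return ("any",)
    raise ValueError(f"unknown Replace Service choice: {mode}")


def broaden(perms, address_mode="No", prefix=None, topology=None,
            service_mode="No"):
    """Return the de-duplicated set of (network, service) rules emitted for
    one interface. Permissions carrying log, time or authorization actions
    are left untouched, as the manual notes."""
    rules = set()
    for p in perms:
        if p.actions & {"log", "time", "auth"}:
            rules.add((ipaddress.ip_network(f"{p.source}/32"), p.service))
            continue
        net = replace_address(p.source, address_mode, prefix, topology)
        for svc in replace_service(p.service, service_mode):
            rules.add((net, svc))
    return rules


def over_permitted_addresses(perms, rules) -> int:
    """How many source addresses the rules admit beyond the policy's hosts.
    Overlapping networks (a /32 inside a /16) are merged before counting."""
    policy_hosts = {ipaddress.ip_address(p.source) for p in perms}
    merged = ipaddress.collapse_addresses({net for net, _ in rules})
    return sum(n.num_addresses for n in merged) - len(policy_hosts)


# Constructed sample policy: two plain permissions and one logged permission.
SAMPLE_PERMISSIONS = [
    Permission("10.10.1.1", "ftp"),
    Permission("10.10.2.2", "http"),
    Permission("10.10.3.3", "dns", frozenset({"log"})),
]

if __name__ == "__main__":
    rules = broaden(SAMPLE_PERMISSIONS, "by Netmaskable Network", 16,
                    "10.10.0.0/22", "by TCP")
    for net, svc in sorted(rules, key=str):
        print(f"permit {svc:4} from {net}")
    print("addresses beyond policy:",
          over_permitted_addresses(SAMPLE_PERMISSIONS, rules))
```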

12.5.2. IP Addresses
Use this view to set the interface's IP addresses.

Static IP Addresses
Use this section to configure the interface's static IP addresses.

Interface IP Addresses
  Specifies the static IP address of the interface.

Dynamic Addresses Pool


Use this section to configure the interface's dynamic IP addresses.

Dynamic Addresses Pool
  Specifies the pool of IP addresses from which the interface will get its IP address.

IP Addresses
Use this view to configure the interface's IP addresses.

Use Dynamic Addresses
  Specifies whether this interface will have static or dynamic IP addresses.

Dynamic Addresses from
  Indicates the range from which the PEP can pick an IP address to assign to the interface.
  * Choice "Network": The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
  * Choice "Any": The PEP can assign any IP address to the interface.
  * Choice "User defined pool": The PEP can assign any address from the pool that you define in the Interface View.

DHCP Server
  Indicates the range from which the PEP can pick an IP address to assign to the interface.
  * Choice "Network": The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
  * Choice "Any": The PEP can assign any IP address to the interface.
  * Choice "User defined pool": The PEP can assign any address from the pool that you define in the Interface View.

Resolve IP Address Using
  When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.
  * Choice "PEP FQDN": To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties>General" Options View.
  * Choice "Interface Specific FQDN": To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.
  * Choice "Prompt IP Address": SCM Server will prompt the user for the interface's IP address at the moment of upload.

Interface FQDN
  Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.

12.6. VPN Options


Use this view to configure the main cryptographic characteristics of a VPN tunnel.

NULL Encryption Enabled
  Indicates if the NULL algorithm is enabled.
DES Encryption Enabled
  Indicates if this algorithm is enabled.
3DES Encryption Enabled
  Indicates if this algorithm is enabled.
CAST Encryption Enabled
  Indicates if this algorithm is enabled.
AES-128 Encryption Enabled
  Indicates if this algorithm is enabled.
AES-256 Encryption Enabled
  Indicates if this algorithm is enabled.

12.6.1. IKE Capabilities


Use this view to consult a VPN's IKE capabilities.

Maximum Proposals Allowed
  Indicates the maximum number of IKE proposals before the device considers the key exchange failed.
Minimum Lifetime (seconds)
  Indicates the minimum lifetime of the exchanged keys.
Maximum Lifetime (seconds)
  Indicates the maximum lifetime of the exchanged keys.
Pre-Shared Key Method Enabled
  Indicates that the pre-shared key method is enabled when the device performs key exchange.
RSA Sig Key Method Enabled
  Indicates that the RSA-Signature method is enabled when the device performs key exchange.
SHA-1 Hash Enabled
  Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.
MD5 Hash Enabled
  Indicates that the MD5 algorithm is enabled when the device performs key exchange.
DH Group 1 Enabled
  Indicates that the Diffie-Hellman group 1 is enabled when the device performs key exchange.
DH Group 2 Enabled
  Indicates that the Diffie-Hellman group 2 is enabled when the device performs key exchange.
DH Group 5 Enabled
  Indicates that the Diffie-Hellman group 5 is enabled when the device performs key exchange.

12.6.2. IPSec Capabilities


Use this view to consult a VPN's IPSec capabilities.

Maximum Proposals Allowed
  Indicates the maximum number of IPSec proposals before the device considers the authentication failed.
Minimum Lifetime (seconds)
  Indicates the minimum lifetime of the IPSec session.
Maximum Lifetime (seconds)
  Indicates the maximum lifetime of the IPSec session.
HMAC-SHA-1 Authentication Enabled
  Indicates that the HMAC-SHA-1 algorithm is enabled when the device performs IPSec authentication.
HMAC-MD5 Authentication Enabled
  Indicates that the HMAC-MD5 algorithm is enabled when the device performs IPSec authentication.
AH Protocol Enabled
  Indicates that the AH protocol is enabled when the device performs IPSec authentication.
ESP Protocol Enabled
  Indicates that the ESP protocol is enabled when the device performs IPSec authentication.
Deflate Compression Enabled
  Indicates that the Deflate compression algorithm is enabled when the device performs IPSec authentication.

12.6.3. Remote Access VPN


Use this view to configure the PEP's Remote Access VPN options.

User Group Global Pool
  The PEP will use the address pool in this field to assign addresses to users who connect from a remote location. Enter this address pool as a netmask, for example 10.1.1.0/24.

User Group Global Pool Lease Time (minutes)
  Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 10 minutes.

Set Optional Office Mode Parameters
  Allows you to set additional options for the user group pool, such as DNS and WINS addresses.

Primary DNS
  Enter the address of the primary DNS server for the remote users.
First Backup DNS
  Enter the address of the first backup DNS server for the remote users.
Second Backup DNS
  Enter the address of the secondary backup DNS server for the remote users.
Primary WINS
  Enter the address of the primary WINS server for the remote users.
First Backup WINS
  Enter the address of the first backup WINS server for the remote users.
Second Backup WINS
  Enter the address of the secondary backup WINS server for the remote users.
Domain Name
  Enter the domain name of the remote users. This should match your internal network's domain.

Perform an organized shutdown of tunnels
  Allows the PEP to keep an authentication session with a remote access VPN client open upon gateway restart, even if the PEP restarts.

Perform anti-spoofing on pool addresses
  Indicates that the PEP will perform anti-spoofing on all pool addresses.

Support connectivity enhancement for gateways with multiple external interfaces
  Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.

12.7. Upload Configuration


Use this view to configure how SCM Server uploads your work to the device.

SIC Authentication Key
  Represents the password that will also be used when defining the module in the module configuration using the cpconfig utility. This is a one-time password that is used to set up or re-establish a trust relationship between the Module and the SmartCenter Server. It is the SAME Activation Key as you entered when configuring the Module. This key will be enforced on the management server when the trust state of the communication with the module is "Uninitialized" or "Initialized but trust not established".


12.8. Tunnel Peer Options


This view lets you configure one of the tunnel endpoints. On client-to-gateway tunnels, this view lets you configure the mapped user group's IP address pool. On GRE tunnels, you can use this view to configure how the PEP sets up the tunnel IP addresses.

Generate Static Routing
  * Choice "Yes": Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.
  * Choice "No *": Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.
  * Choice "Comment": SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.

Auto Generate Tunnel IP Address
  Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces. You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.

IP Address
  Lets you manually enter an IP address for the tunnel.

Netmask
  For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.

Support NAT-Traversal
  Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.

NAT-Traversal Service
  Defines the service to use if you allow IPSec over UDP.

Tunnel
  Lets you choose whether to use split-tunneling.
  * Choice "Only Trust Zone *": If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.
  * Choice "Everything": Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.
  * Choice "Everything except local addresses": Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.

12.8.1. Interface
Use this view to select the interfaces to which the tunnel can connect.

Interface
  Use this view to select the interfaces to which the tunnel can connect.

12.9. Authentication User Definition


Use this view to manage the list of PEPs that will authenticate users of this permission. Add an item to the tree list to see the configurable views.

Type
  * Choice "Client Auth *": Indicates that the PEP will authenticate each user with a specific IP address who attempts to make this connection. If two users connect from the same IP address, the PEP will only authenticate once.
  * Choice "Session Auth": Indicates that the PEP will authenticate each service over which a user attempts to make this connection. The PEP intercepts each connection and activates a session authentication agent to get the user's password. The agent may run on the source, the destination, or another host.
  * Choice "User Auth": Works for FTP, HTTP, RLOGIN and TELNET. This option indicates that the PEP will authenticate each user who attempts to make this connection, regardless of the user's IP address. The authentication method is built into these protocols.

HTTP Servers
  If you choose User Auth, you can restrict users to a set of HTTP servers.
  * Choice "All *": Indicates that the PEP will not restrict user access to any HTTP servers.
  * Choice "Predefined": Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.

Contact Agent At
  Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.
  * Choice "Src *": The PEP will contact the authentication agent at the permission's source.
  * Choice "Dst": The PEP will contact the authentication agent at the permission's destination.
  * Choice "Host": This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection. This option applies to Session Authentication only. See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.

PEP
  Lets you choose the PEP on which the authentication agent is running. This option applies to Session Authentication only.

Query User Identity from UserAuthority
  Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product. See the Check Point(TM) documentation on UserAuthority for more information. This option applies to Session Authentication only.

Apply Rule Only if Desktop Configuration Options are Verified
  The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

Required Sign On
  Applies to Client Authentication only.
  * Choice "Standard *": When the user signs on, the PEP permits all services to all destination hosts.
  * Choice "Specific": The PEP forces the user to specify each service and destination host to which he or she wants to connect.

Sign On Method
  * Choice "Manual *": The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.
  * Choice "Partially automatic": The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.
  * Choice "Fully automatic": If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.
  * Choice "Agent automatic sign-on": If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.
  * Choice "Single sign-on": The PEP will verify the user name with the UAM server before deciding whether to allow the connection to continue.

Successful Authentication Tracking
  * Choice "None *": The PEP will not track the sign-on session.
  * Choice "Log": The PEP creates a log of the authentication session.
  * Choice "Alert": The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.

Authorization Timeout
  Indicates the amount of time that a user's connection will be available after he/she performs client authentication.
  * Choice "Indefinite *": The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.
  * Choice "Specific": Lets you enter a specific timeout.

Hours
  Lets you enter the number of hours that a client-authenticated connection will be available.
Minutes
  Lets you enter the number of minutes that a client-authenticated connection will be available.

Refreshable Timeout
  Indicates if the timeout countdown restarts upon each new connection. For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.

Number of Sessions Allowed
  Indicates the number of connections the user can make in a single client authentication session.
Number of Sessions
  Lets you enter the number of sessions.
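The Authorization Timeout, Refreshable Timeout and Number of Sessions Allowed options interact, and the manual only illustrates them with the one-hour example. The following is an added example, not from the manual and not SCM or Check Point code, that models a client-authenticated source after sign-on so the combined behaviour can be checked against constructed timestamps (seconds since sign-on); the class and its names are assumptions for illustration.

```python
"""Model of Client Authentication authorization timeouts (added example)."""
from typing import Optional


def hours_minutes_to_seconds(hours: int, minutes: int) -> float:
    """The Hours and Minutes fields combined into one timeout."""
    return hours * 3600 + minutes * 60


class ClientAuthSession:
    """Tracks one client-authenticated source address after sign-on."""

    def __init__(self, signed_on_at: float,
                 timeout_seconds: Optional[float] = None,
                 refreshable: bool = False,
                 sessions_allowed: Optional[int] = None):
        # timeout_seconds=None models the "Indefinite" choice;
        # sessions_allowed=None models an unlimited number of sessions.
        self.signed_on_at = signed_on_at
        self.timeout_seconds = timeout_seconds
        self.refreshable = refreshable
        self.sessions_allowed = sessions_allowed
        self.countdown_started_at = signed_on_at  # restarts on refresh
        self.connections = 0
        self.signed_off = False

    def is_authorized(self, now: float) -> bool:
        """Indefinite sessions last until explicit sign-off (or a reset)."""
        if self.signed_off:
            return False
        if self.timeout_seconds is None:
            return True
        return now - self.countdown_started_at < self.timeout_seconds

    def new_connection(self, now: float) -> bool:
        """Admit a connection if the session is live and the session budget
        is not exhausted; with Refreshable Timeout the countdown restarts
        at zero on every admitted connection."""
        if not self.is_authorized(now):
            return False
        if (self.sessions_allowed is not None
                and self.connections >= self.sessions_allowed):
            return False
        self.connections += 1
        if self.refreshable:
            self.countdown_started_at = now
        return True

    def sign_off(self) -> None:
        """Explicit sign-off ends the session regardless of timeout."""
        self.signed_off = True


if __name__ == "__main__":
    # The manual's scenario: connection #1 up for one hour, then connection #2.
    s = ClientAuthSession(0, hours_minutes_to_seconds(2, 0), refreshable=True)
    s.new_connection(0)
    s.new_connection(3600)
    print("authorized 2h55m after sign-on:", s.is_authorized(10500))
```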

12.9.1. flowListIn
Options: mugpep1_flow, mugpep2_flow

12.9.2. flowListOut
Options: pepmug1_flow, pepmug2_flow

12.9.3. flowListExternal
Option: sessionAuth_flow


Chapter 13. Check Point FireWall-1 Cluster Properties Windows


13.1. Description ........ 113
13.2. General Options ........ 113
  13.2.1. Security Profile ........ 115
    Common Security Parameters ........ 116
    Replace Address ........ 119
    Replace Service ........ 120
  13.2.2. Authentication ........ 121
    Enabled Authentication Schemes ........ 121
    Authentication Settings ........ 122
    HTTP Security Server ........ 123
13.3. Cluster Options ........ 123
  13.3.1. Availability Parameters ........ 123
  13.3.2. Synchronization ........ 126
    Synchronization Networks ........ 126
13.4. Policy Learning Mode ........ 126
13.5. Common Interface Options ........ 127
13.6. Interface Options ........ 128
  13.6.1. Security Profile ........ 130
    Common Security Parameters ........ 130
    Replace Address ........ 131
    Replace Service ........ 132
  13.6.2. IP Addresses ........ 133
    Static IP Addresses ........ 133
    Dynamic Addresses Pool ........ 133
    IP Addresses ........ 134
13.7. VPN Options ........ 135
  13.7.1. IKE Capabilities ........ 135
  13.7.2. IPSec Capabilities ........ 136
  13.7.3. Remote Access VPN ........ 136
13.8. Tunnel Peer Options ........ 137
  13.8.1. Interface ........ 139
13.9. Authentication User Definition ........ 139
  13.9.1. flowListIn ........ 142
  13.9.2. flowListOut ........ 142
  13.9.3. flowListExternal ........ 142

13.1. Description
Note
  Allows you to enter a description of the current PEP.

13.2. General Options


Use this view to examine and modify general PEP options.

Managed
  Indicates that no filters will be produced for this Cluster. The Cluster icon will be displayed with a red slash to identify it as unmanaged.

Apply Flow To/From PEP on Relevant Interfaces Only
  Enables you to choose how the PEPs in the Cluster apply flows to their various interfaces.
  * Choice "Yes *": Limits an authorized flow, having the PEP as its destination, so that incoming packets through an interface cannot reach any other interface.
  * Choice "No": Enables an authorized flow, having the PEP as its destination, to reach all interfaces of the PEP.
  This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.

Has IPSec Module
  * Choice "Yes": Indicates that the device supports the IPSec module for VPNs.
  * Choice "No": Indicates that the device does not support IPSec.

Enforce Time Filtering
  Specifies whether the PEPs in the Cluster are to perform time filtering. This option is only available on PEPs that are capable of performing time filtering. For further information on Time Filtering, see the SCM User Guide.

Generate NAT Rules
  * Choice "Yes *": NAT rules are generated by the compiler and included in the filters. A warning message is displayed if any of the PEPs in the cluster cannot implement the rules.
  * Choice "Comment": NAT rules are written to the filters file as comments and ignored by the upload module.
  * Choice "No": NAT rules are not generated.
  At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the devices without changing the existing NAT rules (if these exist). This is important because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler will take into account the NAT rules to generate the filters for the PEPs beyond the NAT application point.

Check Point Suite Type
  Indicates which Check Point(TM) product you use. This should match the version you installed.

VSX Type
  Lets you choose the type of VSX device.
  * Choice "Cluster *": The VSX device will be a VSX cluster.
  * Choice "Virtual System": The VSX device will be a virtual system.

13.2.1. Security Profile


Use this view to select the PEP's level of security. By default, the PEP's profile is set to maximum security.

Security Level
  Lets you choose the default level of security that SCM Server will generate for this PEP. You can choose to generate faster configurations on certain PEPs at the expense of reduced security.
  * Choice "Custom Filtering *": Lets you choose a custom level of filtering by setting options in the Replace Address or Replace Service views.
  * Choice "Deny few, Permit all": Same as "Custom Filtering" but with the default policy set to "Permit".
  * Choice "Full Filtering": This level configures the PEP parameters to offer maximum security. The parameters contained in the Common Security Parameters view will be set to ensure maximum security and locked to prevent changes. This option also:
    - prevents you from choosing the Broad Filtering option (see the Replace Address and Replace Service nodes)
  * Choice "PEP Access Security Only": Disables filtering on this PEP, except for the rules that protect the PEP itself. Therefore, the PEP will allow all traffic to pass through it, but it will not allow unauthorized access to itself.
  * Choice "No Filtering": Disables filtering, and reduces security on this PEP to zero.

Broad Filtering
  Lets you choose to enable faster configurations at the expense of reduced security. You must set Security Level to "Custom Filtering" to use this option.
  * Choice "Disabled *": Indicates that filtering is not broadened, and security is at its highest level.
  * Choice "By Address": Reveals the Replace Address view, which lets you configure broad filtering by address.
  * Choice "By Service": Reveals the Replace Service view, which lets you configure broad filtering by service.

Common Security Parameters


Use this view to configure common security parameters for the PEP.

Suppress Filtering on TCP Direction
  Sets up the flow rules for traffic returning appropriately with the "ack" (acknowledged) bit set.
  * Choice "Yes *": Only the packets belonging to an established connection will be permitted to flow back through the PEP.
  * Choice "No": The filtering rules will not verify the ack bit status. These filters will be more compact but more permissive for the return traffic, which may lead to degraded security.
  Attention: This option should be modified by an expert user only.

Suppress Filtering on ICMP Message Type
  * Choice "Yes *": Indicates that the PEP will do filtering by ICMP message type.
  * Choice "No": Indicates that the PEP will not do filtering by ICMP message type.

'Securing PEP' rules
  * Choice "Yes *": Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
  * Choice "No": Permits access to the PEP's interface addresses.

Suppress 'Internet Restriction'
  Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
  * Choice "Yes *": Any permission you draw to/from Internet causes the compiler to implicitly generate all necessary denies to prevent permissions to/from all other internal addresses.
  * Choice "No": Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
  Attention: This option should be modified by an expert user only.

Expand Internet
  This option is an optimization that controls how SCM Server defines the Internet object. This option can create very finely-tuned filters, but at the price of increased size.
  * Choice "Yes": SCM Server will use a more precise, "expanded" definition of Internet. It defines the Internet as "all addresses outside the internal networks". This creates very fine, but slower, filters.
  * Choice "No *": SCM Server will define Internet as "Any". The generated filters are thus faster, but less secure.

Default Rule
  Lets you change the default rule on this device. By default SCM Server will write a "deny all" rule at the end of a device's configuration. With this option, you have the possibility to change this behavior: SCM Server will not write a default "deny all" rule, and, on this device, all access that is not explicitly denied will be allowed.
  * Choice "Policy Default *": Uses the value defined in the Tools > Properties for the Current Policy window.
  * Choice "Deny": Keeps the standard behavior. Every access that is not defined is not allowed on this device.
  * Choice "Allow": Lets you easily define policies where the goal is to prohibit a set of given protocols in the network. If you choose the "Allow" option, make sure that you explicitly deny every access point that you want to close, or make sure that you have another device in series that denies everything by default.

Generate Anti-Spoofing
  Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
  * Choice "Yes *": The PEP will generate anti-spoofing rules.
  * Choice "No": The PEP will not generate anti-spoofing rules.
  * Choice "Unmanaged": Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter is not changed by the upload.

Spoof Tracking
  Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
  * Choice "None *"
  * Choice "Log"
  * Choice "Alert"
  * Choice "Disabled": Disables the anti-spoofing option.

Enable Extended Cluster Anti-Spoofing
  When a cluster member communicates with another cluster member, the packets may pass from the source member's external interface, through the external (virtual) cluster interface, to the external interface of the destination cluster member. This could allow an address spoofing attack. Extended cluster anti-spoofing prevents this attack by allowing the cluster member to accept packets that actually originate on a cluster member, and reject spoofed packets that originate in the Internet. The cluster member does this by giving packets that it sends to another member a TTL (Time to live) of 255 (the highest possible value).
  * Choice "Yes *": Enables extended cluster anti-spoofing.
  * Choice "No": Disables extended cluster anti-spoofing.

Replace Address

Use this view to set limits on the optimizations SCM Server makes on addresses. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any": Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any": Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.

Replace Service

Use this view to set limits on the optimizations SCM Server makes on services. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
    This is an optimization that enlarges the service of a permission. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
    * Choice "No *": Will not enlarge services. This option maintains the highest level of security.
    * Choice "by TCP": Replaces TCP-based permissions by TCP.
    * Choice "by UDP": Replaces UDP-based permissions by UDP.
    * Choice "by TCP and UDP": Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
    * Choice "by IP": Replaces permissions by IP.
    * Choice "by Any": Replaces all permissions by Any.

13.2.2. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Enabled Authentication Schemes

Use this view to enable the different types of authentication servers with which the PEP may communicate.

S/Key
    Indicates if the PEP will prompt the user to enter his/her S/Key during authentication (not on NG AI).

VPN-1 and FireWall-1 Password
    Indicates if the PEP will prompt the user to enter his/her internal Check Point(TM) FireWall-1(R) password during authentication.

SecurID
    Indicates if the PEP will prompt the user to enter the number shown on the SecurID card during authentication.

RADIUS
    Indicates if the PEP will prompt the user to answer the RADIUS question during authentication. The question is defined on a RADIUS server.

TACACS
    Indicates if the PEP will prompt the user to answer the TACACS question during authentication. The question is defined on a TACACS or TACACS+ server.

OS Password
    Indicates if the PEP will prompt the user to enter his/her operating system password during authentication.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

Authentication Settings
Use this view to configure how the PEP behaves during authentication sessions.

Check Point(TM) FireWall-1(R) NG Cluster properties: General options: Authentication: Authentication settings view.

User Authentication Session Timeout (min)
    Indicates the number of minutes after which the PEP closes the authentication session.

Enable wait mode for Client Authentication
    If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open. If you select this option, the PEP will close the authentication session when the telnet session closes. If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.

Authentication Failure Track
    Indicates how the PEP will react to errors during authentication.
    * Choice "None *": The PEP will not inform the user of errors.
    * Choice "Log": The PEP will log errors.
    * Choice "Popup Alert": The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards reference it from SCM Server.
    * Choice "Mail Alert": The PEP will send an email of the error.
    * Choice "SNMP Trap Alert": The PEP will send an SNMP alert.
    * Choice "User defined alert no. n": The PEP will send a user-defined alert; you can define alerts once using the Check Point(TM) FireWall-1(R) software, and afterwards reference them from SCM Server.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

HTTP Security Server

Use this view to configure how the PEP communicates with its associated HTTP security server.

Use Next Proxy
    Indicates whether there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) HTTP Security Server.

HTTP Next Proxy
    The host name and port number of the HTTP proxy server.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

13.3. Cluster Options

Use this view to configure the capabilities of a cluster.

Cluster XL Enabled
    Select the ClusterXL feature if you are not using a 3rd-party application to handle clustering.

13.3.1. Availability Parameters

Use this view to configure the way in which the cluster members will assure availability.

Operating Mode
    * Choice "High Availability *": Used as a back-up at all times.
    * Choice "Load Sharing": Expands the performance capability of VPN deployments by distributing traffic between multiple gateways. Up to five gateways may be added to a cluster.

3rd Party Solution
    Use this option to select the 3rd-party solution that will perform the clustering.

Support non-sticky connections
    Use this option to indicate which mechanism will identify non-sticky connections. Non-sticky connections are those where packets do not pass through the same cluster member on their way in and out of the cluster. You should activate this option when your 3rd-party clustering solution does not support non-sticky connections.
    * Choice "No *": Indicates that the cluster's synchronization mechanism will not recognize non-sticky connections. Use this option if your 3rd-party clustering solution supports non-sticky connections.
    * Choice "Yes": Indicates that the cluster's synchronization mechanism will recognize non-sticky connections. Use this option if your 3rd-party clustering solution does not support non-sticky connections.

Hide Cluster Member's outgoing traffic behind the Cluster's IP Address
    Use this option to indicate whether the source IP address of outgoing packets will be the external virtual IP address of the cluster instead of the physical IP address of the cluster member.

Forward Cluster's incoming traffic to Cluster Member's IP Addresses
    Use this option to indicate whether the destination IP address of incoming connections to the external virtual address of the cluster will be replaced with the physical external address of one of the cluster members.

High Availability Mode
    Indicates the cluster's High Availability mode. See the Check Point documentation about ClusterXL High Availability for a description of the High Availability modes.

Upon Gateway Recovery
    Indicates what the cluster will do when its active PEP recovers after a secondary PEP has already taken its place.
    * Choice "Maintain Active *": Indicates that the secondary PEP will remain active, even though the primary PEP has recovered.
    * Choice "Switch to Higher Priority": Indicates that the cluster will give the active role back to the primary PEP.

Load Sharing
    Indicates how the cluster will distribute traffic among the cluster members.
    * Choice "Multicast Mode": The cluster will distribute traffic using multicast.
    * Choice "Unicast Mode": The cluster will distribute traffic to each cluster member individually. This mode is useful if some cluster member PEPs don't support multicast.

Base Shared Method
    Indicates how the cluster will decide how to share packets among the cluster members.
    * Choice "IPs, Ports, SPIs *": The cluster will distribute packets based on IPs, ports and IPSec SPIs.
    * Choice "IPs, Ports": The cluster will distribute packets based on IPs and ports only. This increases the chance that inbound and outbound connections will use the same cluster member.
    * Choice "IPs": The cluster distributes packets based on IPs only. This yields the highest chance that inbound and outbound connections will use the same cluster member.
    See the Check Point(TM) documentation on Advanced Load Sharing Configuration for more information.

Fail Over Tracking
    Lets you select how the cluster will track failover events.
    * Choice "None": The cluster will not track failover events.
    * Choice "Log *": The cluster will enter failover events in its SmartView Tracker log.
    * Choice "Alert": The cluster will open a popup window upon failover.
    * Choice "Mail": The cluster will send an email upon failover. You can specify the recipient's address on the Check Point SmartDashboard in the Policy > Global Properties > Log and Alert > Alert Commands view.
    * Choice "SNMP Trap": The cluster will send an SNMP trap upon failover.
    * Choice "User Alert": The cluster will execute a user-defined script upon failover. You can define this script on the Check Point SmartDashboard in the Policy > Global Properties > Log and Alert > Alert Commands view.
    * Choice "User Alert 2": The cluster will execute a user-defined script upon failover.
    * Choice "User Alert 3": The cluster will execute a user-defined script upon failover.

13.3.2. Synchronization
Use this view to manage how the cluster keeps its PEPs synchronized.

Use State Synchronization
    Indicates if the cluster will use state synchronization. State synchronization coordinates state information about packets travelling through different PEPs in the cluster. You cannot change this option if you have set the Cluster Options > Availability Parameters > Operating Mode to "Load Sharing". If you have set the Cluster Options > Availability Parameters > Operating Mode to "High Availability", you can choose to turn off state synchronization; in this case connections will be lost upon failover.

Synchronization Networks
Use this view to manage the networks the cluster uses to keep its member PEPs synchronized.

13.4. Policy Learning Mode

Use this view to change the policy of a device and open it sufficiently to guarantee that the flows will pass until complete policy discovery has been made by the security team.

Enable Policy Learning Mode
    * Choice "Yes": Indicates that Policy Learning Mode is enabled.
    * Choice "No *": Indicates that Policy Learning Mode is disabled.

Log Level for Allow Rule
    * Choice "None *": Disables logging.
    * Choice "Default": Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type. Note: Some PEPs allow selection of different log levels.

13.5. Common Interface Options

Use this view to manage options that are common to all the PEP's interfaces.

Generate ICMP Error Message
    * Choice "Yes": Sets the error option for all interfaces on the PEP. This option triggers the transmission of the ICMP unreachable error message for any IP packet that is not authorized by the filters. This action is carried out for both incoming and outgoing interface traffic.
    * Choice "No *": The error option is not set.

Log Level for the Default Rule
    Sets the log level for the default rule for all interfaces on the PEP. This option will not show packets transiting in violation of a specific denial. To see that information, you must set the Log option on the Permission Properties window: Log view, or on the concerned interface.
    * Choice "None *": Disables logging.
    * Choice "Default": Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type. Note: Some PEPs allow selection of different log levels.

Application Point
    * Choice "Incoming *": The filters will be generated for the packets entering the interface.
    * Choice "Outgoing": The filters will be generated for the packets leaving the interface.
    * Choice "Both Directions if Possible": SCM Server will choose the application point with respect to the PEP capabilities and the PEP options settings.

Allow Forwarding
    Indicates if this device will perform forwarding. Enable this option to allow the device to forward packets.

13.6. Interface Options

Use this view to manage the options for a single interface.

Upload Target
    * Choice "Yes *": Specifies that the selected interface will be used for uploading filter files.
    * Choice "No": Specifies that the selected interface is not to be used for uploading filter files.

Interface Type
    Indicates if the interface's purpose is to filter or to sniff the packets.
    * Choice "Filtering Interface": The interface only does packet filtering.
    * Choice "Sensor": The interface only does packet sniffing.
    * Choice "Sensor + Filtering Interface": The interface can do both.

Is Loopback Interface
    Specifies if this interface is a "loopback" interface. A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the internet through two redundant ISPs. The loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces. Note: SCM Server will not allow you to connect a loopback interface to any object.

Policy Learning Mode
    * Choice "Yes": Indicates that Policy Learning Mode is enabled on this interface.
    * Choice "No *": Indicates that Policy Learning Mode is disabled on this interface.

Log Level for Deny Rules
    * Choice "None *": Disables logging.
    * Choice "Default": Triggers the logging of any IP packet matching a deny rule, to the default log level of each PEP type.

Managed
    * Choice "Yes *": Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
    * Choice "No": Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.

Allow Forwarding
    Indicates if this interface will perform forwarding. Enable this option to allow the interface to forward packets.

Application Point
    * Choice "Incoming *": Only incoming filters will be applied.
    * Choice "Outgoing": Only outgoing filters will be applied.
    * Choice "Device Default": Incoming/outgoing filters are applied according to the value specified in the Interfaces: Options View.
    * Choice "Both Directions if Possible": SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.

Interface is external (leads out to the Internet)
    Specifies that the interface leads to the Internet. This means that IP addresses behind this interface will not be counted in the license enforcement.

13.6.1. Security Profile


Use this view to select the level of security on this interface. By default, the interface's profile is set to maximum security.

Common Security Parameters

Use this view to configure common security parameters for this interface.

Disable Filtering
    * Choice "Device Default *": This option uses the value set in the General Options: Security Profile: Common Security Parameters view.
    * Choice "No": SCM Server will generate filters for this interface.
    * Choice "Yes": SCM Server will generate a "permit any any" rule on this interface. By disabling the filtering on one (or several) interface(s), you create a rule that permits all flows, which can reduce the level of security, but improves performance.
    Note: This option will not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:
    - choose "No" in the "Generate Anti-Spoofing" option
    - in the General Options: Security Profile: Common Security Parameters view, enable the option "Suppress Securing PEP".

Generate Anti-Spoofing
    Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
    * Choice "Yes *": The PEP will generate anti-spoofing rules.
    * Choice "No": The PEP will not generate anti-spoofing rules.
    * Choice "Unmanaged": Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter will not be changed by the upload.

Spoof Tracking
    Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
    * Choice "None *"
    * Choice "Log"
    * Choice "Alert"
    * Choice "Disabled": Disables the anti-spoofing option.

Replace Address

Use this view to set limits on the optimizations SCM Server makes on addresses, on a single interface only. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any": Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any": Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.

Replace Service

Use this view to set limits on the optimizations SCM Server makes on services, on a single interface only. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
    This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
    * Choice "No *": Will not enlarge services. This option maintains the highest level of security.
    * Choice "by TCP": Replaces TCP-based permissions by TCP.
    * Choice "by UDP": Replaces UDP-based permissions by UDP.
    * Choice "by TCP and UDP": Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
    * Choice "by IP": Replaces permissions by IP.
    * Choice "by Any": Replaces all permissions by Any.
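The broadening described in the Replace Address and Replace Service views (at PEP level earlier in this chapter and per interface here) trades configuration size for breadth of what is permitted. The Python below is an added illustration, not code from this manual or from SCM Server: it models the Replace Source/Destination choices with their netmask and topology restrictions and the Replace Service choices, and counts how many extra source/destination address pairs a broadened permission admits. The Permission class, the function names and the sample permission values are constructed for the example.

```python
"""Added illustration (not the manual's or SCM Server's code) of the Replace Address /
Replace Service broadening; all names and sample values below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Permission:
    src: str                 # host address or CIDR, as drawn on the policy map
    dst: str
    service: str             # "tcp/80", "udp/53", "tcp", "ip" or "any"
    logging: bool = False    # logging, time or authorization actions block the optimisation
    time_based: bool = False
    auth: bool = False

    def optimisable(self) -> bool:
        return not (self.logging or self.time_based or self.auth)


def replace_address(addr: str, mode: str, netmask: str | None = None,
                    topology: str | None = None) -> ipaddress.IPv4Network:
    """Apply one Replace Source/Destination choice to a single address.

    mode is "none", "by Netmaskable Network" (needs the Source/Destination Network
    Netmask) or "by Any".  topology, when given, models "Restrict ... Replacement to
    Topology": the enlarged address never grows past the network the permission is
    attached to on the policy map.
    """
    original = ipaddress.ip_network(addr, strict=False)
    if mode == "none":
        return original
    if mode == "by Any":
        enlarged = ANY
    elif mode == "by Netmaskable Network":
        if netmask is None:
            raise ValueError("Source/Destination Network Netmask is required")
        enlarged = ipaddress.ip_network(f"{original.network_address}/{netmask}", strict=False)
    else:
        raise ValueError(f"unknown Replace Address choice {mode!r}")
    if topology is not None:
        topo = ipaddress.ip_network(topology, strict=False)
        if topo.subnet_of(enlarged):      # enlargement went past the attached network
            enlarged = topo
    # never shrink below what the policy asked for
    return enlarged if original.subnet_of(enlarged) else original


def replace_service(service: str, mode: str) -> list[str]:
    """Apply one Replace Service choice; returns the service(s) that replace it."""
    proto = service.split("/")[0]
    if mode == "No" or service in ("ip", "any"):
        return [service]
    if mode == "by TCP" and proto == "tcp":
        return ["tcp"]
    if mode == "by UDP" and proto == "udp":
        return ["udp"]
    if mode == "by TCP and UDP" and proto in ("tcp", "udp"):
        return ["tcp", "udp"]     # one permission becomes two, as the manual describes
    if mode == "by IP":
        return ["ip"]
    if mode == "by Any":
        return ["any"]
    return [service]              # e.g. a UDP permission under "by TCP" is untouched


def broaden(perm: Permission, src_mode: str = "none", dst_mode: str = "none",
            src_netmask: str | None = None, dst_netmask: str | None = None,
            src_topology: str | None = None, dst_topology: str | None = None,
            service_mode: str = "No") -> dict:
    """Apply a PEP's or interface's Replace Address / Replace Service settings to one
    permission.  'extra_pairs' counts the (source, destination) address pairs the
    broadened permission allows beyond the original one."""
    src_old = ipaddress.ip_network(perm.src, strict=False)
    dst_old = ipaddress.ip_network(perm.dst, strict=False)
    if not perm.optimisable():        # the optimisation does not occur for such permissions
        return {"src": src_old, "dst": dst_old, "services": [perm.service], "extra_pairs": 0}
    src_new = replace_address(perm.src, src_mode, src_netmask, src_topology)
    dst_new = replace_address(perm.dst, dst_mode, dst_netmask, dst_topology)
    return {"src": src_new, "dst": dst_new,
            "services": replace_service(perm.service, service_mode),
            "extra_pairs": src_new.num_addresses * dst_new.num_addresses
            - src_old.num_addresses * dst_old.num_addresses}


def manual_example(netmask: str = "255.255.0.0") -> set[ipaddress.IPv4Network]:
    """The manual's own case: 10.10.1.1 and 10.10.2.2 collapse into one 10.10.* permission."""
    return {replace_address(a, "by Netmaskable Network", netmask)
            for a in ("10.10.1.1", "10.10.2.2")}


if __name__ == "__main__":
    web = Permission("10.10.1.1", "192.0.2.10", "tcp/80")   # constructed sample permission
    print(broaden(web, src_mode="by Netmaskable Network", src_netmask="255.255.0.0"))
    print(broaden(web, src_mode="by Any", service_mode="by TCP"))
```

Running the two sample calls shows the source growing from one host to 65536 (/16) and then to every address (by Any), which is the widening the manual warns should only be accepted when another PEP on the same path is stricter.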

13.6.2. IP Addresses
Use this view to set the interface's IP addresses.

Static IP Addresses
Use this section to configure the interface's static IP addresses.

Interface IP Addresses
    Specifies the static IP address of the interface.

Dynamic Addresses Pool

Use this section to configure the interface's dynamic IP addresses.

Dynamic Addresses Pool
    Specifies the pool of IP addresses from which the interface will get its IP address.

IP Addresses
Use this view to configure the interface's IP addresses.

Use Dynamic Addresses
    Specifies whether this interface will have static or dynamic IP addresses.

Dynamic Addresses from
    Indicates the range from which the PEP can pick an IP address to assign to the interface.
    * Choice "Network": The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
    * Choice "Any": The PEP can assign any IP address to the interface.
    * Choice "User defined pool": The PEP can assign any address from the pool that you define in the Interface View.

DHCP Server
    Indicates the range from which the PEP can pick an IP address to assign to the interface.
    * Choice "Network": The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
    * Choice "Any": The PEP can assign any IP address to the interface.
    * Choice "User defined pool": The PEP can assign any address from the pool that you define in the Interface View.

Resolve IP Address Using
    When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.
    * Choice "PEP FQDN": To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties > General" Options View.
    * Choice "Interface Specific FQDN": To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.
    * Choice "Prompt IP Address": SCM Server will prompt the user for the interface's IP address at the moment of upload.

Interface FQDN
    Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.

13.7. VPN Options

Use this view to configure the main cryptographic characteristics of a VPN tunnel.

NULL Encryption Enabled
    Indicates if the NULL algorithm is enabled.

DES Encryption Enabled
    Indicates if this algorithm is enabled.

3DES Encryption Enabled
    Indicates if this algorithm is enabled.

CAST Encryption Enabled
    Indicates if this algorithm is enabled.

AES-128 Encryption Enabled
    Indicates if this algorithm is enabled.

AES-256 Encryption Enabled
    Indicates if this algorithm is enabled.

13.7.1. IKE Capabilities

Use this view to consult a VPN's IKE capabilities.

Maximum Proposals Allowed
    Indicates the maximum number of IKE proposals before the device considers the key exchange failed.

Minimum Lifetime (seconds)
    Indicates the minimum lifetime of the exchanged keys.

Maximum Lifetime (seconds)
    Indicates the maximum lifetime of the exchanged keys.

Pre-Shared Key Method Enabled
    Indicates that the pre-shared key method is enabled when the device performs key exchange.

RSA Sig Key Method Enabled
    Indicates that the RSA-Signature method is enabled when the device performs key exchange.

SHA-1 Hash Enabled
    Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.

MD5 Hash Enabled
    Indicates that the MD5 algorithm is enabled when the device performs key exchange.

DH Group 1 Enabled
    Indicates that Diffie-Hellman group 1 is enabled when the device performs key exchange.

DH Group 2 Enabled
    Indicates that Diffie-Hellman group 2 is enabled when the device performs key exchange.

DH Group 5 Enabled
    Indicates that Diffie-Hellman group 5 is enabled when the device performs key exchange.

13.7.2. IPSec Capabilities

Use this view to consult a VPN's IPSec capabilities.

Maximum Proposals Allowed
    Indicates the maximum number of IPSec proposals before the device considers the authentication failed.

Minimum Lifetime (seconds)
    Indicates the minimum lifetime of the IPSec session.

Maximum Lifetime (seconds)
    Indicates the maximum lifetime of the IPSec session.

HMAC-SHA-1 Authentication Enabled
    Indicates that the HMAC-SHA-1 algorithm is enabled when the device performs IPSec authentication.

HMAC-MD5 Authentication Enabled
    Indicates that the HMAC-MD5 algorithm is enabled when the device performs IPSec authentication.

AH Protocol Enabled
    Indicates that the AH protocol is enabled when the device performs IPSec authentication.

ESP Protocol Enabled
    Indicates that the ESP protocol is enabled when the device performs IPSec authentication.

Deflate Compression Enabled
    Indicates that the Deflate compression algorithm is enabled when the device performs IPSec authentication.

13.7.3. Remote Access VPN


Use this view to configure the PEP's Remote Access VPN options.

User Group Global Pool Lease Time (minutes): Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 15 minutes.
Set Optional Office Mode Parameters: Allows you to set additional options for the user group pool, such as DNS and WINS addresses.
Primary DNS: Enter the address of the primary DNS server for the remote users.
First Backup DNS: Enter the address of the first backup DNS server for the remote users.
Second Backup DNS: Enter the address of the secondary backup DNS server for the remote users.
Primary WINS: Enter the address of the primary WINS server for the remote users.
First Backup WINS: Enter the address of the first backup WINS server for the remote users.
Second Backup WINS: Enter the address of the secondary backup WINS server for the remote users.
Domain Name: Enter the domain name of the remote users. This should match your internal network's domain.
Perform an organized shutdown of tunnels: Allows the PEP to keep an authentication session open upon gateway restart with a remote access VPN client even if the PEP restarts.
Perform anti-spoofing on pool addresses: Indicates that the PEP will perform anti-spoofing on all pool addresses.
Support connectivity enhancement for gateways with multiple external interfaces: Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.

13.8. Tunnel Peer Options


This view lets you configure one of the tunnel endpoints. On client-to-gateway tunnels, this view lets you configure the mapped user group's IP address pool. On GRE tunnels, you can use this view to configure how the PEP sets up the tunnel IP addresses.

Generate Static Routing:
    * Choice "Yes": Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.
    * Choice "No *": Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.
    * Choice "Comment": SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.
Auto Generate Tunnel IP Address: Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces. You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.
IP Address: Lets you manually enter an IP address for the tunnel.
Netmask: For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.
Support NAT-Traversal: Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.
NAT-Traversal Service: Defines the service to use if you allow IPSec over UDP.
Tunnel: Lets you choose whether to use split-tunneling.
    * Choice "Only Trust Zone *": If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.
    * Choice "Everything": Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.
    * Choice "Everything except local addresses": Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.

13.8.1. Interface
Use this view to select the interfaces to which the tunnel can connect.

Interface: Select the interfaces to which the tunnel can connect.

13.9. Authentication User Definition


Use this view to manage the list of PEPs that will authenticate users of this permission. Add an item to the tree list to see the configurable views.

Type:
    * Choice "Client Auth *": Indicates that the PEP will authenticate each user with a specific IP address who attempts to make this connection. If two users connect from the same IP address, the PEP will only authenticate once.
    * Choice "Session Auth": Indicates that the PEP will authenticate each service over which a user attempts to make this connection. The PEP intercepts each connection and activates a session authentication agent to get the user's password. The agent may run on the source, the destination, or another host.
    * Choice "User Auth": Works for FTP, HTTP, RLOGIN and TELNET. This option indicates that the PEP will authenticate each user who attempts to make this connection, regardless of the user's IP address. The authentication method is built in to these protocols.
HTTP Servers: If you choose User Auth, you can restrict users to a set of HTTP servers.
    * Choice "All *": Indicates that the PEP will not restrict user access to any HTTP servers.
    * Choice "Predefined": Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.
Contact Agent At: Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.
    * Choice "Src *": The PEP will contact the authentication agent at the permission's source.
    * Choice "Dst": The PEP will contact the authentication agent at the permission's destination.
    * Choice "Host": This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection. This option applies to Session Authentication only. See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.
PEP: Lets you choose the PEP on which the authentication agent is running. This option applies to Session Authentication only.
Query User Identity from UserAuthority: Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product. See the Check Point(TM) documentation on UserAuthority for more information. This option applies to Session Authentication only.
Apply Rule Only if Desktop Configuration Options are Verified: The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule. For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
Required Sign On: Applies to Client Authentication only.
    * Choice "Standard *": When the user signs on, the PEP permits all services to all destination hosts.
    * Choice "Specific": The PEP forces the user to specify each service and destination host to which he or she wants to connect.
Sign On Method:
    * Choice "Manual *": The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.
    * Choice "Partially automatic": The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.
    * Choice "Fully automatic": If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.
    * Choice "Agent automatic sign-on": If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.
    * Choice "Single sign-on": The PEP will verify the user name with the UAM server before deciding whether to allow the connection to continue.
Successful Authentication Tracking:
    * Choice "None *": The PEP will not track the sign-on session.
    * Choice "Log": The PEP creates a log of the authentication session.
    * Choice "Alert": The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.
Authorization Timeout: Indicates the amount of time that a user's connection will be available after he/she performs client authentication.
    * Choice "Indefinite *": The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.
    * Choice "Specific": Lets you enter a specific timeout.
Hours: Lets you enter the number of hours that a client-authenticated connection will be available.
Minutes: Lets you enter the number of minutes that a client-authenticated connection will be available.
Refreshable Timeout: Indicates if the timeout countdown restarts upon each new connection. For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.
Number of Sessions Allowed: Indicates the number of connections the user can make in a single client authentication session.
Number of Sessions: Lets you enter the number of sessions.

13.9.1. flowListIn

mugpep1_flow
mugpep2_flow

13.9.2. flowListOut

pepmug1_flow
pepmug2_flow

13.9.3. flowListExternal

sessionAuth_flow

Chapter 14. FireWall-1 Management Server Properties Windows


14.1. Description ........................................................ 143
14.2. General Options .................................................... 143
    14.2.1. Include Policy ............................................... 144
    14.2.2. Security Server .............................................. 144
        HTTP Servers ..................................................... 145
            HTTP Server .................................................. 145
    14.2.3. Authentication ............................................... 145
        Failed Authentication Attempts ................................... 145
        Authentication of Users with Certificates ........................ 146
        Early Versions Compatibility ..................................... 146
    14.2.4. Local Security Policy ........................................ 147
    14.2.5. VPN .......................................................... 149
        CRL Grace Period ................................................. 149
        IKE Denial of Service protection ................................. 150
        Remote Access .................................................... 150
            Certificates ................................................. 151
            Secure Configuration Verification ............................ 152
    14.2.6. GTP Services ................................................. 153
        GTP Service ...................................................... 153
    14.2.7. Import ....................................................... 154
14.3. Upload Configuration ............................................... 155
    14.3.1. Connection Options ........................................... 155
    14.3.2. Paths ........................................................ 156
    14.3.3. Authentication ............................................... 156
    14.3.4. Prompts ...................................................... 157
    14.3.5. FireWall-1 Options ........................................... 157

14.1. Description
Note

14.2. General Options


Use this view to examine and modify general management server options.

Generate Comments in Filters:
    * Choice "Yes *": Indicates to the compiler that it should include comments in the generated filtering files. This option makes it easier to read the generated filter files.
    * Choice "No": Comments are not included. This allows a reduction in the size of the filters.
Result in Case Hidden Rules are Detected: Indicates the type of message that SCM Server will generate if it encounters hidden rules.
Is the management server a Check Point GX?: Specifies whether the Management Server is a Check Point GX or not. Ticking the "Yes" radio button adds a "GTP Services" sub-node to the "General Options" node.

14.2.1. Include Policy


Use this view to specify the names of the FireWall-1(R) security policies to be included before and after generated rules.

First Policy: Specifies the name of a security policy to be included before the generated rules.
Last Policy: Specifies the name of a security policy to be included after the generated rules.

14.2.2. Security Server


Use this view to enable the different types of authentication servers with which the PEP may communicate.

Telnet Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over telnet.
FTP Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over FTP.
Rlogin Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over rlogin.
Client Welcome Message File: The name of the file from which the PEP will get the welcome message for users who perform a manual sign-on to the authentication session.
SMTP Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over SMTP.
HTTP Next Proxy: If there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) Security Server, this option lets you pick one.
    * Choice "Select": Lets you choose the HTTP proxy server from those defined in your policy map.

HTTP Servers
Use this view to configure how the PEP redirects connections to an HTTP security server.

HTTP Server
Reauthentication:
    * Choice "Standard *": The PEP will not ask the user to reenter his/her password as long as the User Authentication Session Timeout has not expired. This value is specified in the PEP Properties > General Options > Authentication > Authentication Settings view.
    * Choice "POST request": The PEP will ask the user to reenter his/her password each time the user sends a request that may change the server's configuration. This option only has an effect on S/Key or SecurID passwords, which change continually.
    * Choice "Every request": The PEP will ask the user to reenter his/her password each time the user sends any request. This option only has an effect on S/Key or SecurID passwords, which change continually.
Host: The host name of the HTTP server.
Port: The HTTP server's port number.
Server For Null Request: Indicates if the PEP will convert addresses given as "http://<PEP-name>" to "/" before sending them to the HTTP server.

14.2.3. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Failed Authentication Attempts


Use this view to configure how the PEP behaves when users fail to authenticate.

Terminate rlogin Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate an rlogin connection.
Terminate telnet Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate a telnet connection.
Terminate Client Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the client authentication connection.
Terminate Session Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the session connection.

Authentication of Users with Certificates


Use this view to configure how the PEP will react to users who authenticate with certificates.

Authenticates Internal Users With Suffix Only: Indicates if the PEP will only authenticate users who have a certain suffix in their certificate's qualified name. Enter the suffix in the Suffix option on this view.
All certificates not pulled will expire after: Users' certificates which were initiated but not used in this number of days will expire.

Early Versions Compatibility


Use this view to configure the PEP's compatibility with earlier versions.

User Authentication Session Timeout (min): This option has a different effect depending on the type of connection. For rlogin, telnet and FTP, this option indicates the number of minutes of inactivity after which the PEP will close the connection. This is different from the option with the same name in the PEP properties > General options > Authentication > Authentication Settings view. For HTTP, this option indicates the number of minutes after which the PEP closes the authentication session. This is equivalent to the option with the same name in the PEP properties > General options > Authentication > Authentication Settings view.
Enable wait mode for Client Authentication: If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open. If you select this option, the PEP will close the authentication session when the telnet session closes. If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.
Authentication Failure Track: Indicates how the PEP will react to errors during authentication.
    * Choice "None": The PEP will not inform the user of errors.
    * Choice "Log": The PEP will log errors.
    * Choice "Alert": The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards use it in SCM Server.

14.2.4. Local Security Policy


Use this view to examine and modify the Local Security Policy. These properties link to the implicit rules that you can define through the properties menu of the FireWall-1(R) management server as described in the section "Create the Conceptual Level" in the Working with FireWall-1 Device Pack document.

Log Implied Rules: Indicates whether implied rules are included in the log.
Accept VPN-1 & FireWall-1 Control Connections:
    * Choice "First": Enables FireWall-1(R) GUI Clients to communicate with the Management Server and specifies the position in the Rule Base for the implied rule.
    * Choice "No": Prevents FireWall-1(R) GUI Clients from communicating with the Management Server.
Accept Remote Access Control Connections:
    * Choice "First *": Accepts remote access control connections.
    * Choice "No": Disables accepting remote access control connections.
Accept RIP:
    * Choice "No": Specifies that Routing Information Protocol used by the routed daemon is not accepted.
    * Choice "First/Last/Before Last": Specifies that Routing Information Protocol used by the routed daemon is accepted and specifies the position in the Rule Base for the implied rule.
Accept Domain Name Over UDP (Queries):
    * Choice "No": Specifies that Domain Name queries over UDP are not accepted.
    * Choice "First/Last/Before Last": Specifies that Domain Name queries over UDP are accepted and specifies the position in the Rule Base for the implied rule.
Accept Domain Name Over TCP (Zone Transfer):
    * Choice "No": Specifies that Domain Name queries over TCP are not accepted.
    * Choice "First/Last/Before Last": Specifies that Domain Name queries over TCP are accepted and specifies the position in the Rule Base for the implied rule.
Accept ICMP:
    * Choice "No": Specifies that Internet Control Messages are not accepted.
    * Choice "First/Last/Before Last": Specifies that Internet Control Messages are accepted and specifies the position in the Rule Base for the implied rule.
Accept Outgoing Packets Originating From Gateway:
    * Choice "No": Specifies that outgoing packets (from the firewall, not from the internal network) are not accepted.
    * Choice "First/Last/Before Last": Specifies that all outgoing packets (from the firewall, not from the internal network) are accepted and specifies the position in the Rule Base for the implied rule.
Accept CPRID Connections (SmartUpdate):
    * Choice "No": Specifies that CPRID Connections are not accepted.
    * Choice "First": Specifies that they are accepted.
Accept Dynamic Address Modules' DHCP Traffic:
    * Choice "No": Specifies that Dynamic Address Module DHCP traffic is not accepted.
    * Choice "First": Specifies that it is accepted.

14.2.5. VPN
Use this view to examine and modify the Management Server VPN settings.

Resolving Mechanism: VPN peers must select a particular interface if a PEP has more than one interface through which a VPN tunnel can be created. Use this option to choose the method the PEP will use to select this interface.
    * Choice "Calculate Statically *": According to the Gateway topology settings.
    * Choice "Dynamic Interface Resolving": By sending RDP packets to both interfaces and choosing the first to respond.

CRL Grace Period


Use this view to examine and modify the Management Server CRL Grace Period. This view allows you to set a buffer zone in case the Management Server's clock is not synchronized with the Certificate Authority server's clock.

Grace period before the CRL is valid (seconds): Indicates how long before the validity time the Management Server will extend the expiration of the CRLs. Enter the grace period in seconds.
Grace period after the CRL is no longer valid (seconds): Indicates how long the Management Server will extend the expiration of the CRLs that it receives from the Certification Authority server. Enter the grace period in seconds.
Grace period extension for SecuRemote/SecureClient (seconds): Indicates the additional time that the Management Server will add to the CRL Grace Period when authenticating remote clients.
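The following is an added example, not code from this manual or from Check Point, showing what the three grace-period settings above do to the time window in which a CRL is accepted when the Management Server's clock and the CA's clock disagree. thisUpdate and nextUpdate are the standard X.509 CRL fields; the class, function and parameter names, the sample CRL times and the sample settings are this example's own constructed values.

```python
"""Added example (not the manual's or Check Point's code): how the CRL
Grace Period settings widen the window in which a CRL is treated as
valid. Names and sample values are this example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CrlGracePolicy:
    """The three settings of the CRL Grace Period view, all in seconds."""
    before_valid: int              # Grace period before the CRL is valid
    after_expired: int             # Grace period after the CRL is no longer valid
    remote_client_extension: int   # Grace period extension for SecuRemote/SecureClient


def acceptance_window(this_update, next_update, policy, remote_client=False):
    """Return the (earliest, latest) instants at which the CRL is still used.

    The window is the CRL's own validity period (thisUpdate..nextUpdate),
    widened at the front by before_valid and at the back by after_expired;
    for remote-access clients the back is widened by remote_client_extension
    as well, as the third option describes.
    """
    tail = policy.after_expired
    if remote_client:
        tail += policy.remote_client_extension
    return (this_update - timedelta(seconds=policy.before_valid),
            next_update + timedelta(seconds=tail))


def crl_usable(now, this_update, next_update, policy, remote_client=False):
    """True if a CRL with the given fields is accepted at local time `now`."""
    earliest, latest = acceptance_window(this_update, next_update, policy, remote_client)
    return earliest <= now <= latest


# Constructed sample CRL: issued at 12:00 UTC, next update due at 13:00 UTC.
THIS_UPDATE = datetime(2010, 3, 1, 12, 0, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2010, 3, 1, 13, 0, tzinfo=timezone.utc)

# Constructed sample settings: 30 min before, 60 min after, +120 min for remote clients.
POLICY = CrlGracePolicy(before_valid=1800, after_expired=3600, remote_client_extension=7200)
# No grace at all: any clock skew in either direction rejects the CRL.
STRICT = CrlGracePolicy(before_valid=0, after_expired=0, remote_client_extension=0)


def check_at(hour, minute, remote_client=False, policy=POLICY):
    """Evaluate the sample CRL at the given UTC time on the sample day."""
    now = datetime(2010, 3, 1, hour, minute, tzinfo=timezone.utc)
    return crl_usable(now, THIS_UPDATE, NEXT_UPDATE, policy, remote_client)


if __name__ == "__main__":
    cases = [("11:45, gateway (local clock 15 min behind the CA)", (11, 45)),
             ("11:20, gateway (skew exceeds the 30 min grace)", (11, 20)),
             ("13:50, gateway (50 min past nextUpdate, within grace)", (13, 50)),
             ("14:30, gateway (past nextUpdate + grace)", (14, 30)),
             ("14:30, remote client (extension still covers it)", (14, 30, True))]
    for label, args in cases:
        print(f"{label}: {'accepted' if check_at(*args) else 'rejected'}")
```

The point of the example is the trade-off the view exposes: a larger grace period after nextUpdate keeps VPN authentication working through CA outages and clock drift, but it is also the length of time a revoked certificate can still be accepted against a stale CRL, so the values should be no larger than the clock skew and CRL distribution delays you actually expect.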

IKE Denial of Service protection


Use this view to examine and modify IKE Denial of Service Protection. See the "IKE DoS Protection" section in your Check Point(TM) documentation for more information.

Support IKE DoS protection from identified source: Indicates how the PEP will respond to denial of service (DoS) attacks from valid IP addresses.
    * Choice "None": The PEP will not defend against denial of service attacks.
    * Choice "Stateless *": When the PEP thinks it is under a DoS attack, it sends a unique number to each IP that tried to initiate an IKE session. This choice is appropriate for DoS attacks from valid IP addresses.
    * Choice "Puzzles": The PEP will send a computationally-intensive puzzle to each IP that tries to initiate an IKE session.
Support IKE DoS protection from unidentified source: Indicates how the PEP will respond to denial of service (DoS) attacks from unknown IP addresses.
    * Choice "None": The PEP will not defend against denial of service attacks.
    * Choice "Stateless": When the PEP thinks it is under a DoS attack, it sends a unique number to each IP that tried to initiate an IKE session.
    * Choice "Puzzles *": The PEP will send a computationally-intensive puzzle to each IP that tries to initiate an IKE session. This choice is appropriate for DoS attacks from unknown IP addresses.
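As an added illustration of the "Stateless" choice described above (this is example code, not the manual's or Check Point's implementation), the sketch below shows why a responder that answers the first IKE message with a "unique number" instead of allocating state survives a flood: state is only created for a sender that comes back with the number it was given. The class, method and parameter names, the cookie construction (HMAC-SHA-256 over sender address, initiator SPI and a time slot) and the sample addresses (RFC 5737 documentation ranges) are this example's own choices.

```python
"""Added example (not the manual's or Check Point's code): a stateless
cookie exchange of the kind the "Stateless" IKE DoS protection choice
describes. All names and the cookie construction are this example's own."""
import hashlib
import hmac
import os
import time


class StatelessIkeResponder:
    def __init__(self, secret=None, period_seconds=60):
        self._secret = secret or os.urandom(32)   # never leaves the responder
        self._period = period_seconds               # cookies rotate with this period
        self.half_open = {}                         # state table, filled only after a cookie round trip

    def _cookie(self, src_ip, initiator_spi, slot):
        # Deterministic per (sender, SPI, time slot): the responder recomputes it
        # on return instead of remembering what it sent, so the flood costs no memory.
        msg = f"{src_ip}|{initiator_spi.hex()}|{slot}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def handle_init(self, src_ip, initiator_spi, cookie=None, now=None):
        """Process an IKE initiation; returns (reply_kind, cookie_or_None)."""
        now = time.time() if now is None else now
        slot = int(now // self._period)
        if cookie is None:
            # First contact while under attack: reply statelessly with the cookie.
            return "COOKIE", self._cookie(src_ip, initiator_spi, slot)
        # Accept the current and the previous slot so a reply that straddles
        # a rotation boundary is not rejected.
        for s in (slot, slot - 1):
            if hmac.compare_digest(cookie, self._cookie(src_ip, initiator_spi, s)):
                self.half_open[(src_ip, initiator_spi)] = now
                return "SA_INIT_RESPONSE", None
        # Forged, stale, or replayed from a different address: drop without state.
        return "DROP", None


def simulate_flood(spoofed_initiations=1000, now=1000.0):
    """Constructed scenario: a flood from spoofed sources that never echo their
    cookies, followed by one legitimate peer that does. Returns the size of the
    state table after each phase and the reply the legitimate peer received."""
    responder = StatelessIkeResponder(secret=b"example-secret-not-for-production")
    for i in range(spoofed_initiations):
        src = f"198.51.100.{i % 254 + 1}"           # constructed spoofed sources
        responder.handle_init(src, i.to_bytes(8, "big"), now=now)
    after_flood = len(responder.half_open)

    peer_ip, peer_spi = "203.0.113.5", bytes.fromhex("00112233aabbccdd")
    kind, cookie = responder.handle_init(peer_ip, peer_spi, now=now)
    assert kind == "COOKIE"
    kind, _ = responder.handle_init(peer_ip, peer_spi, cookie=cookie, now=now + 1)
    after_legit = len(responder.half_open)
    return after_flood, after_legit, kind


if __name__ == "__main__":
    print(simulate_flood())   # (0, 1, 'SA_INIT_RESPONSE')
```

The cookie proves only that the sender can receive traffic at the address it claims, which is why the manual pairs this choice with attacks from valid (non-spoofed) addresses and reserves the "Puzzles" choice, which imposes a computational cost per initiation, for sources that cannot be identified.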

Remote Access
Use this view to examine and modify Management Server remote access.

Support remote access VPN using Nokia clients: Indicates that the PEP will allow Nokia clients to participate in remote VPN connections.
When disconnected, traffic to the encryption domain, will be: Indicates how traffic will be treated when the SecuRemote/SecureClient is not connected to the PEP.
    * Choice "Dropped *": The traffic will be dropped.
    * Choice "Sent in clear": The traffic will be sent in the clear.
Resolving Mechanism: Indicates how the remote client should choose the PEP interface over which to mount the tunnel.
    * Choice "Calculate Statically *": The client will use the interface defined in the PEP's topology.
    * Choice "Dynamic Interface Resolving": The client will send RDP packets to the available interfaces and mount the tunnel with the interface that responds first.
Update Topology: Indicates if the PEP will send the remote client updates of the topology behind the PEP. This allows the client to be aware of changes.
Authentication Timeout (min): Indicates the amount of time that the remote client's password is valid. Enter a value in minutes.
Allow Caching of static passwords on client: Indicates if the remote client stores its password in cache after authenticating with the PEP. This is useful when the remote client uses the same password for multiple PEPs. If you set this option, the PEP will read the remote client's password directly from the client's cache rather than asking the user to enter it.
Enable tunnel refresh: Set this option to enable the PEP to re-initiate a tunnel that has already been authenticated, if the tunnel times out. This requires the remote client's details to be stored on all the devices between the PEP and the remote client.
Encrypt DNS traffic: Indicates if the remote client's DNS queries are sent through the tunnel.
Enable Hybrid Mode Authentication: Indicates if the PEP will allow other authentication schemes than those specified in this view.

Certificates

Use this view to configure how the Management Server handles user certificates.

Client check gateway cert against CRL: Indicates if the remote client checks the Certificate Revocation List (CRL) upon validation.
Renew users internal CA certificates: Indicates if the Management Server's Internal Certificate Authority (ICA) will automatically re-issue certificates before they expire. The ICA's user certificates are valid for two years.
Renewal starting process delay: Enter the time before the certificate expiration date before which the ICA will re-issue a user's certificate. Enter a value in days.

Secure Configuration Verification


This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Secure Configuration Options

Use this view to configure Secure Configuration Verification (SCV). SCV is a series of tests that the PEP performs on the remote client upon connection.

Apply Secure Configuration Verifications on Simplified mode Security Policies: Indicates if the PEP will apply Secure Configuration Verification (SCV) on the remote client during connection time.
Upon verification failure: Indicates how the PEP will react if the remote client fails the Secure Configuration Verification test.
    * Choice "Accept and log client's connection *": The PEP will accept the client's connection and log the failure. You can set how the failure will be logged in the Configuration Violation Notification view.
    * Choice "Block client's connection": The PEP will deny the client's connection.
Policy is installed on all interfaces: Indicates if the PEP will check that the Desktop Security Policy is installed on all the interfaces of the remote client. See your Check Point(TM) product's documentation on Secure Configuration Verification (SCV) for more information.
Only TCP/IP protocols are used: Indicates if the PEP will check that the remote client only uses TCP/IP protocols.

Configuration Violation Notification

Use this view to set how the PEP will log the failure when a remote client fails the Secure Configuration Verification test.

Generate log on client: Indicates if the failure will be logged on the remote client.
Notify the user: Indicates if the user will receive a notification.

14.2.6. GTP Services


Use this view to add GTP services that will allow you to configure GTP traffic inspection.

GTP Service
GTP Service: Type in the name of the GTP Service.
GTP Service Name: Select an existing service to customize in a list displaying all customized GTP services.
GTP Version: Select the GTP version.
    * Choice "GTP version 0"
    * Choice "GTP version 1"
Match IMSI Prefix Name:
    * Choice "Any *"
    * Choice "Custom": Tick this radio button to define a custom IMSI prefix (an "Allowed IMSI Prefix" free-form field will appear to let you do so).
Allowed IMSI Prefix: Type in your custom IMSI Prefix.
Match Access Point Name:
    * Choice "Any *"
    * Choice "Custom": Tick this radio button to define a custom Access Point name (an "Allowed Access Point Name" free-form field will appear to let you do so).
Allowed Access Point Name: Type in your custom Access Point Name.
Allowed Selection Mode Name:
    * Choice "Any *"
    * Choice "Custom": Tick this radio button to specify the Selection Mode.
Selection Mode: Use the pull-down menu to choose the Selection Mode.
    * Choice "0 - verified *"
    * Choice "1 - MS - not verified"
    * Choice "2 - Network - not verified"
Match MS-ISDN Prefix Name:
    * Choice "Any"
    * Choice "Custom": Tick this radio button to define a custom MS-ISDN Prefix Name (an "MS-ISDN Prefix Name" free-form field will appear to let you do so).
MS-ISDN Prefix Name: Type in your custom MS-ISDN Prefix Name.
Match LDAP Group Name:
    * Choice "Any"
    * Choice "Custom": Tick this radio button to define the User Group name and the matching criteria, i.e. IMSI* or MS-ISDN.
Allowed LDAP Group Name: Type in the LDAP Group Name.
according to: Choose the matching criteria of the LDAP Group Name, i.e. IMSI* or MS-ISDN.
Allow Usage of Static IP Addresses: Choose whether the PEP's interfaces should use static IP addresses or not.

14.2.7. Import
Import Host as: Indicates how to import a Check Point host, i.e. as a nexus, a class or an unknown device.
    * Choice "Class": The Check Point host will be imported as a Class (that is to say, as an IP address container).
Auto-Connect Objects: Indicates if the auto-connect must be performed at the end of the import process.
Import Disabled Rules: Indicates if disabled rules are imported.
Import Section Titles in Notes: Indicates that rule section titles are imported in the permission note.
Import Rule Details in Notes (verbose): Indicates that verbose details are imported in the permission note (index, action, service, source, destination, policy target). The local import completes the rule detail with the rule UID.

14.3. Upload Configuration


Use this view to configure how SCM Server uploads your work to the device.

Which PEPs should be uploaded?
  Lets you choose the PEPs to which the Management Server will upload the configuration.
  * Choice "All on map *"
    All the PEPs present on the map will be uploaded.
  * Choice "Only selected"
    Only the selected PEPs will be uploaded. If you choose this value, the "Uploaded PEPs" sub-node appears in the tree list to let you select the PEPs that should be uploaded.

14.3.1. Connection Options


Use this view to specify the protocols to be used for uploading filters.

Upload Method
  Specifies the protocol to be used for uploading filters.

CPMI+Certificate Flow
  Creates an implicit CPMI+certificate flow.

OPSEC Connection Type
  Specifies whether the connection is SSL with certificates or "clear". A clear connection is neither authenticated nor encrypted, so use it only on a trusted management network.

Reset certificate
  Specifies whether your OPSEC application certificate has been reset.

OPSEC Application Distinguished Name
  The distinguished name of the OPSEC application, if the OPSEC connection type is clear.

OPSEC Application Name
  The name of the OPSEC application, if the OPSEC connection type is SSL+certificates.

OPSEC Port
  Specifies the OPSEC port number.

OPSEC SIC Entity Common Name (CN)
  Indicates the Common Name (CN) part of the OPSEC SIC Entity.

OPSEC Debug Level
  Specifies the OPSEC debug level. This value is not saved in any project version.

Session Time Out (ms)
  If this number of milliseconds elapses between an SCM Server request and the management server's response, the session is dropped.

Full Path to SmartDashboard directory
  Lets you enter the path to the SmartDashboard directory.

14.3.2. Paths
Use this view to set the Check Point(TM) FireWall-1(R) installation directory.

14.3.3. Authentication
Use this view to record the username and password for management servers that require a login before giving access to the configuration account. This username and password must belong to an account that can be used over the SSH connection. The Root Password is never used to log in to the management server directly: to log in as root, set User Name to "root" and set User Password to root's password.

Use session credentials for user (login, password)
  Activates the user authentication on the PEP from the credentials (login, password) of the user currently logged in to SCM Server. Note that both the "User Login" and "User Password" options will be ignored, although they are still displayed in the view.

Use session credentials for root (login, password)
  Activates the super-user authentication (for privileged mode) on the PEP from the credentials (login, password) of the user currently logged in to SCM Server. Note that both the "Enable Login" and "Enable Password" options will be ignored, although they are still displayed in the view.

User Login
  Allows you to record the username that will be used on the management server to copy, compile and upload the security policy. The user must have the privilege to copy files into $FWDIR/conf and to execute the command $FWDIR/bin/fw; since that is enough to install policy, treat this account as a privileged one. This user name is used to make the SSH connection to the management server and may differ from the name used to connect to the management server from the Check Point(TM) FireWall-1(R) Policy Editor. The root password is needed when you want to be connected as root but the SSH server configuration prevents you from connecting directly as root. In that case SCM Server first connects to the Management Server using the user login and password and then runs the command "su -", supplying the root password.

User Password
  Allows you to record the user password.
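The following is an added example, not part of the LogLogic manual and not SCM Server code, showing two pre-flight checks for the account recorded in this view: whether the account can write into $FWDIR/conf and execute $FWDIR/bin/fw, and whether the management server's sshd_config refuses direct root logins (which is the case in which SCM Server has to log in as the user and run "su -"). The function names, the throw-away $FWDIR layout and the sshd_config snippets are assumptions constructed for the example.

```python
"""Added example (not LogLogic code): pre-flight checks for the SSH account
used by the Authentication view. The $FWDIR layout and sshd_config text
used below are constructed for the example."""
import os
import tempfile


def account_can_install_policy(fwdir: str) -> dict:
    """Check the current account's access to the two paths the view requires:
    write access to $FWDIR/conf and execute permission on $FWDIR/bin/fw."""
    conf_dir = os.path.join(fwdir, "conf")
    fw_bin = os.path.join(fwdir, "bin", "fw")
    return {
        "conf_writable": os.path.isdir(conf_dir) and os.access(conf_dir, os.W_OK),
        "fw_executable": os.path.isfile(fw_bin) and os.access(fw_bin, os.X_OK),
    }


def permit_root_login(sshd_config_text: str):
    """Return the global PermitRootLogin value (lower-cased) from sshd_config
    text, or None if the directive is absent (the default then depends on the
    OpenSSH release). sshd honours the first occurrence of a keyword, and
    everything after the first Match line is conditional, so parsing stops there."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def needs_su_fallback(sshd_config_text: str) -> bool:
    """True when a password login as root over SSH will be refused, i.e. when
    SCM Server must connect as the user and then run "su -" with the root
    password. An absent directive is treated as not refusing (caller should
    confirm against the installed OpenSSH default)."""
    value = permit_root_login(sshd_config_text)
    return value in ("no", "prohibit-password", "without-password",
                     "forced-commands-only")


def demo_fwdir_check() -> tuple:
    """Build a throw-away $FWDIR and run the access check twice: once with an
    executable fw binary, once after clearing its execute bits."""
    with tempfile.TemporaryDirectory() as fwdir:
        os.mkdir(os.path.join(fwdir, "conf"))
        os.mkdir(os.path.join(fwdir, "bin"))
        fw_bin = os.path.join(fwdir, "bin", "fw")
        with open(fw_bin, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(fw_bin, 0o755)
        good = account_can_install_policy(fwdir)
        os.chmod(fw_bin, 0o644)
        bad = account_can_install_policy(fwdir)
    return good, bad


if __name__ == "__main__":
    print("constructed $FWDIR:", demo_fwdir_check())
    sample_sshd = "Port 22\nPermitRootLogin prohibit-password\nMatch User ops\n    PermitRootLogin yes\n"
    print("PermitRootLogin:", permit_root_login(sample_sshd),
          "-> needs su fallback:", needs_su_fallback(sample_sshd))
    if "FWDIR" in os.environ:
        print("real $FWDIR:", account_can_install_policy(os.environ["FWDIR"]))
```

Run the script as the account you intend to record in the view, with FWDIR set as it is in that account's environment; a False in either field means the upload will fail at the copy or the fw step rather than at login.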

14.3.4. Prompts
Use this view to indicate what the management server's prompts look like, which allows SCM Server to interpret them during communication.

14.3.5. FireWall-1 Options


Use this view to configure FireWall-1 translation options.

Generated Policy Name
  Specifies the name of the generated policy. The default name is "Custom_Policy". If you change it, use a policy name different from the names of the policies included in the Include Policy view.

Suffix Objects Names For This Policy?
  Indicates whether a suffix should be appended to the object names, so that the same objects can be identified across different security policies.

Object Name Suffix
  Lets you type in the suffix that should be appended to the object names.

Translated Object Color
  Selects an alternative display color to more easily differentiate translated objects from generated ones.

Generated Object Color
  Selects an alternative display color to more easily differentiate generated objects from translated ones.

Upload if Only Successful on ALL Managed PEPs
  Indicates that the Management Server will not upload to any PEP if the upload to one PEP fails.

Clean Database Before Next Upload
  Indicates whether the Management Server should empty its database before starting upload preparation. This option resets to "No" after every upload.

FireWall-1 Upload Policy
  Lets you choose how to perform the upload.
  * Choice "Upload on PEPs *"
    SCM Server copies objects and rules to the Management Server, and the configuration is then uploaded from the Management Server to its managed PEP(s).

Chapter 15. Provider-1 Management Server Properties Windows


15.1. Description ................................................................................................ 159
15.2. General Options ......................................................................................... 159
15.2.1. Managed CMAs ............................................................................... 159

15.1. Description
Option: Note

15.2. General Options


Use this view to examine and modify general management server options.

15.2.1. Managed CMAs


References the CMA servers managed by the Provider-1.


Index

A
all networks PEP, 24
Anti-Spoofing, 19
Anti-spoofing, 22
Any, 56
Audit Through Report, 56
Authentication, 24
  Client authentication, 24
  Session authentication, 24
  User authentication, 24
Authentication parameters, 43
Authentication Rule
  Create, 43

B
Back-up files, 65

C
CAST-40, 70, 75
Check Point Gateway, 19
Class
  all PEPs, 24
Clear, 27, 32
  procedure, 31
Client-to-Gateway VPN, 67
Clientless VPN, 71
Communicate, 32
Compilation of the security policy, 39
Connections
  PEPs to networks, 55
connections
  Nexus to networks, 55

D
DES-40, 70, 75
Desktop security policy, 70
DHCP server, 70
domain, 63

E
Enable VPN routing, 70

F
Filters
  Upload Preparation, 14
Firewall Features, 3

G
Gateway-to-Gateway VPN, 71
Generation Process, 11, 27
Global Features, 3

H
Hybrid Mode, 70

I
ICMP, 4
Implicit permissions, 69
Import
  perform, 52
Imported/not imported (NG), 46
Include Rules, 64
Installation, 1
Interoperable Default Fields, 18
IP Address range, 16
IPSec/L2TP tunnels, 71

L
LDAP, 66
Licenses, 1
Limitations, 1
  Case Sensitivity, 1
Log, 18

M
Management Server Features, 7
Mapping, 15
  table syntax, 20
Multiple Entry Point VPNs (MEP), 70, 75

N
Naming convention, 21
NAT Features, 5
Non-supported concepts, 63
NP_A, 13
NP_C, 13
NP_E, 13
NP_I, 13
NP_N, 13, 16
NP_O, 23
NP_O_..VFP_.., 13
NP_R, 13
NP_S, 13
NP_T, 13

O
Object
  generated, 12
  nexus, 18
  translated, 12
Object Colors, 14
Office Mode, 70
OPSEC, 27

P
Patch Process, 63
PEP, 18
  Indirectly Managed, 11
Permissions
  deny, 55

R
RADIUS, 66
Remote Access, 68

S
Security Include, 63
Service type, 21
Session Time Out, 38
SIC file, 32
sic_policy.conf, 32
Site-to-site VPN, 73
SmartDashBoard, 66
Specific translated fields, 18
SSL Certification and Encryption, 27, 29
  Procedure, 27
Supported Versions, 1

T
TACACS, 66
Topology
  missing, 54
Translated PEP, 18
Translated service, 20
Transparent mode, 70

U
Upload addresses, 51
User Groups, 65

V
VIA property, 48
Visitor Mode, 70
VPN
  Specifics parameters, 68
VPN Features, 6
VPN node, 68
VPN-1 Net, 70
