Working with Check Point FireWall-1 and NG
Revision 17
Manual reference: udoc-sps-00533-en
Author(s): Documentation Team

The information contained in this document may be subject to modification without prior notice and LogLogic assumes no responsibility for any errors that may appear in it. This documentation concerns LogLogic's software Security Change Manager 8.2.

Copyright 2010 LogLogic. All rights reserved. The product described in this document is protected by French patent number FR97/13254 and may be protected by other US patents, foreign patents or pending applications. Solsoft and Exaprotect are trademarks of EPT Software Group. All other products mentioned herein are trademarks or registered trademarks of their respective owners.
Table of Contents

1. Installation ... 1
  1.1. System Requirements ... 1
    1.1.1. Device OS Versions Supported ... 1
    1.1.2. Licenses ... 1
  1.2. Installation ... 1
  1.3. Limitations ... 1
    1.3.1. Case Sensitivity ... 1
2. Features supported on Check Point FireWall-1 ... 3
  2.1. Global Features Support ... 3
  2.2. Firewall Features ... 3
  2.3. NAT Features ... 5
  2.4. VPN Features ... 6
  2.5. Management Server Features ... 7
3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1 ... 9
  3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction ... 9
  3.2. Check Point FireWall-1 Management Server Object ... 10
    3.2.1. Management Server ... 11
    3.2.2. Management Station ... 11
    3.2.3. Two Kinds of PEPs ... 11
    3.2.4. Management Server/PEP Compatibility Matrix ... 11
  3.3. Generation Process ... 11
    3.3.1. Process ... 11
    3.3.2. Difference between a Translated Object and a Generated Object ... 12
  3.4. Naming Rules for Check Point FireWall-1 Objects ... 12
    3.4.1. Example ... 12
    3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects ... 14
    3.4.3. Object Colors ... 14
  3.5. Upload Preparation ... 14
  3.6. Upload Process ... 14
4. How Security Change Manager Objects Map to Check Point FireWall-1 ... 15
  4.1. Translation of Network Objects ... 15
  4.2. Translation of Class Objects ... 16
  4.3. Translation of Management Server Objects ... 16
    4.3.1. Check Point Host Default Fields or Check Point Gateway ... 17
    4.3.2. Check Point FireWall-1 Interoperable Default Fields ... 18
  4.4. Translation of Nexus Objects ... 18
  4.5. Translation of PEP Objects ... 18
    4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP ... 18
    4.5.2. Specific Translated Fields ... 18
      Log ... 18
      Interface Netmask ... 19
      Anti-Spoofing ... 19
    4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields ... 19
      Process ... 19
  4.6. Translation of Services ... 19
    4.6.1. Generation Process ... 19
      Principle ... 19
      Syntax of the Mapping Table ... 20
      Example ... 20
    4.6.2. A Translated Security Change Manager Service ... 20
      Naming Convention ... 21
      Security Change Manager IGMP Translated Fields ... 21
  4.7. Translation of Implicit Generated Objects ... 21
    4.7.1. Anti-spoofing ... 22
    4.7.2. Expand Internet: Objects Generated ... 22
  4.8. Translation of Permissions ... 22
  4.9. Translation of Time Definition Rules ... 22
    4.9.1. What cannot be translated ... 22
  4.10. Translation of NAT Rules ... 22
    4.10.1. Example ... 22
    4.10.2. Rules ... 23
    4.10.3. Security Change Manager NAT Rules Translated Fields ... 23
  4.11. Translation of Limited Path Zones ... 24
  4.12. Translation of Default Objects ... 24
    4.12.1. All Networks ... 24
    4.12.2. All PEPs ... 24
  4.13. Translation of User Authentication ... 24
5. How to Define and Deploy a Security Policy on Check Point FireWall-1 ... 27
  5.1. First Use of Check Point FireWall-1 ... 27
    5.1.1. SSL Certification and Encryption Procedure ... 27
    5.1.2. Clear OPSEC Connection Type Procedure ... 31
  5.2. Configure a Check Point GX Management Server ... 32
    5.2.1. First step: Creating custom services and defining the policy ... 33
    5.2.2. Second step: Defining precisely the custom services ... 33
  5.3. Define and Deploy a Policy ... 35
    5.3.1. Step 1: Defining the Secure Topology ... 35
    5.3.2. Step 2: Security Policy Definition ... 39
    5.3.3. Step 3: Audit ... 39
    5.3.4. Step 4: Define Rules ... 39
    5.3.5. Step 5: Compile the Security Policy ... 39
    5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server ... 40
      Prerequisites ... 40
      Procedure ... 40
    5.3.7. Step 7: Deploy the Policy ... 40
  5.4. Define and Manage an Existing Policy ... 41
    5.4.1. Purpose ... 41
    5.4.2. Prerequisites ... 41
    5.4.3. Step 1: Perform a Check Point FireWall-1 Import ... 41
    5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import ... 42
    5.4.5. Other Steps ... 43
  5.5. Create an Authentication Rule ... 43
6. How to Perform an Import from Check Point FireWall-1 ... 45
  6.1. What will be Imported / not Imported ... 45
  6.2. Performing a Standard Import from Check Point FireWall-1 ... 49
    6.2.1. Step 1: Create and Configure a Management Server ... 49
    6.2.2. Step 2: Perform the Import ... 52
    6.2.3. Step 3: Add the Missing Topology ... 54
    6.2.4. Step 4: Connect and Group Attached Objects ... 54
    6.2.5. Step 5: Various Checks to Perform ... 55
  6.3. Performing a Local Import of Check Point FireWall-1 Policy ... 56
  6.4. Cleaning the Database Before Upload ... 60
7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager ... 63
  7.1. First-Time: Define Non-supported Concepts on the Management Server ... 63
    7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server ... 63
    7.1.2. Step 2: Add Specific Properties ... 64
    7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager ... 64
    7.1.4. Step 4: Define the Include Rules / Create a New Policy on the Real Management Server ... 64
    7.1.5. Step 5: Modify the Management Server Options ... 64
    7.1.6. Step 6: Upload ... 65
  7.2. How to Manage User Groups ... 65
8. Client-to-Gateway VPN on Check Point FireWall-1 NG ... 67
  8.1. Procedure ... 67
    8.1.1. On the Check Point FireWall-1 ... 67
    8.1.2. On the Management Server ... 68
    8.1.3. PEPs Supporting Remote Access ... 68
    8.1.4. Specific Parameters ... 68
      On the device VPN node ... 68
    8.1.5. Implicit Permissions ... 69
  8.2. VPN Limitations ... 70
    8.2.1. Global Limitations ... 70
      VPN-1 Net ... 70
      DES-40 and CAST-40 ... 70
      Multiple Entry Point VPNs (MEP) ... 70
    8.2.2. Remote Access Limitations ... 70
      User Groups ... 70
      Office Mode is disabled on the gateway ... 70
      IP pool is defined through a DHCP server ... 70
      Hybrid Mode ... 70
      Enable VPN routing ... 70
      Desktop security policy ... 70
      Visitor Mode ... 70
      Transparent mode ... 70
      Clientless VPN ... 71
      IPsec/L2TP tunnels ... 71
      Number of tunnels ... 71
    8.2.3. First-time Upload of a VPN Policy ... 71
9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI ... 73
  9.1. Procedure ... 73
    9.1.1. On the Security Change Manager ... 73
    9.1.2. On the Check Point FireWall-1 Management Server ... 73
      Procedure ... 73
    9.1.3. VPN Domains ... 74
  9.2. VPN Limitations ... 74
    9.2.1. Global Limitations ... 75
      VPN-1 Net ... 75
      DES-40 and CAST-40 ... 75
      Multiple Entry Point VPNs (MEP) ... 75
    9.2.2. Site-to-site limitation ... 75
      Usage of the Simplified Mode ... 75
10. Check Point FireWall-1 Cluster Management ... 77
  10.1. Procedure ... 77
    10.1.1. On the Check Point FireWall-1 Management Server ... 77
    10.1.2. On the Security Change Manager Designer ... 77
  10.2. Limitations ... 81
11. Provider-1 Management Server Installation ... 83
  11.1. Adding a Provider-1 Management Server ... 83
12. Check Point FireWall-1 Properties Windows ... 85
  12.1. Description ... 85
  12.2. General Options ... 85
    12.2.1. Security Profile ... 87
      Common Security Parameters ... 88
      Replace Address ... 90
      Replace Service ... 92
    12.2.2. Virtual System ... 93
    12.2.3. Authentication ... 93
      Enabled Authentication Schemes ... 93
      Authentication Settings ... 93
      HTTP Security Server ... 94
  12.3. Policy Learning Mode ... 95
  12.4. Common Interface Options ... 95
  12.5. Interface Options ... 96
    12.5.1. Security Profile ... 98
      Common Security Parameters ... 98
      Replace Address ... 100
      Replace Service ... 101
    12.5.2. IP Addresses ... 102
      Static IP Addresses ... 102
      Dynamic Addresses Pool ... 102
      IP Addresses ... 102
  12.6. VPN Options ... 104
    12.6.1. IKE Capabilities ... 104
    12.6.2. IPSec Capabilities ... 105
    12.6.3. Remote Access VPN ... 105
  12.7. Upload Configuration ... 106
  12.8. Tunnel Peer Options ... 107
    12.8.1. Interface ... 108
  12.9. Authentication User Definition ... 108
    12.9.1. flowListIn ... 111
    12.9.2. flowListOut ... 111
    12.9.3. flowListExternal ... 111
13. Check Point FireWall-1 Cluster Properties Windows ... 113
  13.1. Description ... 113
  13.2. General Options ... 113
    13.2.1. Security Profile ... 115
      Common Security Parameters ... 116
      Replace Address ... 119
      Replace Service ... 120
    13.2.2. Authentication ... 121
      Enabled Authentication Schemes ... 121
      Authentication Settings ... 122
      HTTP Security Server ... 123
  13.3. Cluster Options ... 123
    13.3.1. Availability Parameters ... 123
    13.3.2. Synchronization ... 126
      Synchronization Networks ... 126
  13.4. Policy Learning Mode ... 126
  13.5. Common Interface Options ... 127
  13.6. Interface Options ... 128
    13.6.1. Security Profile ... 130
      Common Security Parameters ... 130
      Replace Address ... 131
      Replace Service ... 132
    13.6.2. IP Addresses ... 133
      Static IP Addresses ... 133
      Dynamic Addresses Pool ... 133
      IP Addresses ... 134
  13.7. VPN Options ... 135
    13.7.1. IKE Capabilities ... 135
    13.7.2. IPSec Capabilities ... 136
    13.7.3. Remote Access VPN ... 136
  13.8. Tunnel Peer Options ... 137
    13.8.1. Interface ... 139
  13.9. Authentication User Definition ... 139
    13.9.1. flowListIn ... 142
    13.9.2. flowListOut ... 142
    13.9.3. flowListExternal ... 142
14. FireWall-1 Management Server Properties Windows ... 143
  14.1. Description ... 143
  14.2. General Options ... 143
    14.2.1. Include Policy ... 144
    14.2.2. Security Server ... 144
      HTTP Servers ... 145
        HTTP Server ... 145
    14.2.3. Authentication ... 145
      Failed Authentication Attempts ... 145
      Authentication of Users with Certificates ... 146
      Early Versions Compatibility ... 146
    14.2.4. Local Security Policy ... 147
    14.2.5. VPN ... 149
      CRL Grace Period ... 149
      IKE Denial of Service protection ... 150
      Remote Access ... 150
        Certificates ... 151
        Secure Configuration Verification ... 152
    14.2.6. GTP Services ... 153
      GTP Service ... 153
    14.2.7. Import ... 154
  14.3. Upload Configuration ... 155
    14.3.1. Connection Options ... 155
    14.3.2. Paths ... 156
    14.3.3. Authentication ... 156
    14.3.4. Prompts ... 157
    14.3.5. FireWall-1 Options ... 157
15. Provider-1 Management Server Properties Windows ... 159
  15.1. Description ... 159
  15.2. General Options ... 159
    15.2.1. Managed CMAs ... 159
Index ... 161
List of Figures

3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts ... 9
3.2. Compilation, Preparation Upload, and Upload ... 10
4.1. An Example of a NAT Rule ... 23
5.1. Creation of new OPSEC Application in SmartDashboard ... 28
5.2. CPMI option enabled ... 28
5.3. SSL Certification and Encryption Option ... 29
5.4. Getting Certificate Dialog Box ... 30
5.5. Clear Option ... 32
5.6. Creation of a custom gtpv1 service cloning the existing gtpv1 ...
5.7. Defining security policy using custom service ... 33
5.8. Activation of Check Point GX options in Management Server Properties ... 34
5.9. GTP Service options ... 34
5.10. Implicit Rules: Local Security Policy ... 36
5.11. Security Server ... 36
5.12. Authentication: Failed Authentication Attempts ... 37
5.13. Authentication: Users with certificates ... 37
5.14. Authentication: Early Versions Compatibility ... 37
5.15. Upload Configuration: Connection Options ... 38
5.16. Add Managed PEPs ... 38
6.1. Management Server Properties: Identification ... 50
6.2. Management Server Properties: Upload Configuration: Connection Options ... 50
6.3. Management Server Properties: Upload Configuration: Authentication (NG) ... 51
6.4. Management Server Properties: Upload Address ... 52
6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported ... 52
6.6. CheckPoint Import Report ... 53
6.7. Synchronization Network on Cluster ... 55
6.8. Policy Audit Through Report interface selection ... 56
6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file ... 56
6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file ... 57
6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported ... 58
6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported ... 58
6.13. CheckPoint Import Report ... 59
6.14. CheckPoint Import Terminated ... 60
6.15. Options: Clean Database Before Upload ... 60
7.1. Upload Configuration Set to Copy Only ... 65
9.1. VPN Domain Deduction ... 74
10.1. SIC Authentication Key Activated ... 77
10.2. Management Server Referenced on the Cluster ... 78
10.3. Cluster XL Enabled Option ... 78
10.4. Selection of Cluster Members ... 79
10.5. Selection of Availability Operation Mode ... 79
10.6. Selection of Synchronization Network ... 80
10.7. Example of Cluster ... 81
List of Tables
2.1. Global Features Support ... 3
2.2. Firewall Features ... 3
2.3. Description of Features listed in Table 2.2, Firewall Features ... 4
2.4. NAT Features ... 5
2.5. Description of Features listed in Table 2.4, NAT Features ... 5
2.6. VPN Features ... 6
2.7. Management Server Features ... 7
3.1. Management Server/PEP Compatibility Matrix ... 11
3.2. Prefixes of All Generated Objects ... 12
3.3. Example of the Translation of a Class into Check Point FireWall-1 group ... 13
3.4. Comments Generated by Check Point FireWall-1 Objects ... 14
4.1. Security Change Manager Network Object Rules ... 15
4.2. Security Change Manager Class Object Rules ... 16
4.3. Translation of Specific Fields ... 16
4.4. SCM Log Numbers ... 18
4.5. Translated Security Change Manager Service ... 21
4.6. Security Change Manager Permission Fields ... 22
4.7. Security Change Manager NAT Fields ... 24
5.1. Define a rule on the Management Server ... 41
6.1. What will be imported/not imported from Check Point FireWall-1 NG and NG AI ... 46
8.1. VPN: Specific Parameters ... 68
Chapter 1. Installation
1.1. System Requirements ... 1
1.1.1. Device OS Versions Supported ... 1
1.1.2. Licenses ... 1
1.2. Installation ... 1
1.3. Limitations ... 1
1.3.1. Case Sensitivity ... 1
The synergy between Check Point FireWall-1 and Security Change Manager means increased productivity for the network administrator who must develop rational security policies for complex networks.
1.1.2. Licenses
You must have purchased and installed the special Security Change Manager option for use with Check Point FireWall-1. If you do not have this license, you will not be able to create a FireWall-1 PEP or a management server.
1.2. Installation
Follow the directions in the Security Change Manager Installation Guide.
1.3. Limitations
1.3.1. Case Sensitivity
Check Point FireWall-1 NG is case sensitive. Therefore two objects can be created with the same name in different cases, but Security Change Manager will not manage them as two devices.
Table 2.2. Firewall Features
Feature | SCM Support
ICMP Filtering | Yes
Extended IP Filtering | Yes
Stateful Filtering | Yes
Time Control Filtering | Yes
Flow Authentication:
  Internal User DB | Yes
  External User DB | Yes
Clustering Support:
  Failover | Yes
  Load Balancing | Yes
  IPsec cluster | Yes
Table 2.3. Description of Features listed in Table 2.2, Firewall Features (page 3)
Function | Description
ICMP Error | The PEP is able to generate by default on denied access an ICMP error message (destination net unreachable) and Security Change Manager is able to configure the device accordingly.
Thorough Logging | The PEP is able to log accepted and refused flows and Security Change Manager is able to configure the device accordingly.
Central Filtering | The PEP is able to perform filtering in its routing table, rather than in its interfaces, and Security Change Manager is able to configure the device accordingly.
TCP Established | The PEP is able to distinguish between a TCP packet used to request establishment of a connection and a standard TCP packet, and Security Change Manager is able to configure the device accordingly. This makes it possible to specify the direction of the TCP flow.
ICMP Filtering | The PEP is able to filter the ICMP protocol and Security Change Manager is able to configure the device accordingly.
Extended IP Filtering | The PEP is able to filter an arbitrary IP protocol other than ICMP, UDP, or TCP and Security Change Manager is able to configure the device accordingly.
 | The PEP is able to perform dynamic filtering and Security Change Manager is able to configure the device accordingly.
Time-controlled Filtering | The PEP is able to use time filtering and Security Change Manager is able to configure the device accordingly.
Flow Authentication | The PEP is able to use an external User DB for flow authentication. Security Change Manager is able to configure the device to use this DB.

NAT Features
Table 2.5. Description of Features listed in Table 2.4, NAT Features (page 5)
Function | Description
Static | Capacity to support bi-directional static translation. An address that is translated in this manner will be statically transformed for both outgoing connections and incoming connections.
Unistatic support | Capacity to support uni-directional static translation. A typical example is when one server is to be made available from outside with static translation for incoming communication and the server performing outgoing communication will be masqueraded.
Pool | Capacity to support address translation through an address pool.
PAT | Capacity to support Port Address translation.
Masquerading | Capacity to support Masquerading type of translation (use of the outgoing firewall interface as the source address).
Service NAT | Ability to define NAT transformations restricted to selected IP services.
 | Ability to apply a NAT rule on a specific interface of the Policy Enforcement Point, thus not affecting traffic not going through this interface.

VPN Features (Table 2.6)
Function
RSA-Sig Auth Method (PKI)
NAT Traversal
IPsec Keepalive
Dynamic Peer Address
Client - Gateway IPsec VPN:
  PSK Auth Method
  RSA-Sig Auth Method (PKI)
  Internal User Database
  External User Database
  Split Tunnelling
  Management
  NAT Traversal

Management Server Features (Table 2.7)
Management Authentication
Failsafe Rollback
Log
Logging Server Configuration
Policy Learning Mode
Import
Clustering Support:
  Failover
  Load Balancing
  IPsec cluster
Chapter 3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1
3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction ... 9
3.2. Check Point FireWall-1 Management Server Object ... 10
3.2.1. Management Server ... 11
3.2.2. Management Station ... 11
3.2.3. Two Kinds of PEPs ... 11
3.2.4. Management Server/PEP Compatibility Matrix ... 11
3.3. Generation Process ... 11
3.3.1. Process ... 11
3.3.2. Difference between a Translated Object and a Generated Object ... 12
3.4. Naming Rules for Check Point FireWall-1 Objects ... 12
3.4.1. Example ... 12
3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects ... 14
3.4.3. Object Colors ... 14
3.5. Upload Preparation ... 14
3.6. Upload Process ... 14
This section describes a number of concepts with which you should be familiar before you learn to upload and compile your policies to a Check Point FireWall-1 PEP.
3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction
Figure 3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts
With Security Change Manager Designer you can define a global security policy for all PEPs that Security Change Manager manages. To manage a Check Point FireWall-1, Security Change Manager updates and enforces the Security Policy on the Check Point FireWall-1 Management Server using the OPSEC CPMI API on NG. Therefore, with Security Change Manager you can define all the permissions; as with other PEPs, it will automatically figure out the enforcement points and the anti-spoofing rules attached to each interface. For the Check Point FireWall-1 concepts not supported by Security Change Manager, a specific generation process has been implemented so that you can still use them. Please see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page 63) for further information.
Management Station
When translating an SCM object to a Check Point FireWall-1 object, the process generates Check Point FireWall-1 objects from the properties set on the SCM network object, and uses those properties to patch the Check Point FireWall-1 object properties that are not managed in Security Change Manager. The Check Point FireWall-1 specific object properties can either be supplied by Security Change Manager with default values, or come from an object whose properties not managed by Security Change Manager have been set on the management server.
Note
When you look at a class or management server assigned inside a network, nexus, or a PEP, it will be translated as in the following example: Network/class will be network_class.
Recommendation: Create names that begin with a letter and have a length of less than 90 characters in order to locate them easily in the Check Point FireWall-1 Policy Editor.
The following rules are applied to the name of a generated object:
1. Generated objects are prefixed by NP_<Letter>. Please see the table below.
2. The name has a <4 digit> suffix to differentiate each name of the generated Check Point FireWall-1 objects.
3.4.1. Example
When generating two Check Point FireWall-1 objects whose corresponding Security Change Manager network object is @loglogic.fr (domain), the first one is NP_N_Zloglogic_fr__domain__0000, and the second one is NP_N_Zloglogic_fr__domain__0001.
Table 3.2. Prefixes of All Generated Objects
Prefix | Comments
NP_A | For all generated Check Point FireWall-1 group objects from the Security Change Manager anti-spoofing option.
NP_C | For all generated Check Point FireWall-1 objects from a Security Change Manager Class.
NP_E | For all generated Check Point FireWall-1 group objects from the Security Change Manager expand internet option.
NP_I | For the interface name of the Check Point FireWall-1 Interoperable Device generated from the nexus.
NP_N | For all generated Check Point FireWall-1 objects from a Security Change Manager Network.
NP_O_..VFP_.. | For all generated objects for NAT and limited path zones.
NP_R | For all generated Check Point FireWall-1 range objects from the Security Change Manager NAT rule (in this case the name is of the form NP_R<address range>).
NP_S | For all generated and translated Check Point FireWall-1 services.
NP_T | For all generated Check Point FireWall-1 time objects from the Security Change Manager Time definition.
Warning
The Security Change Manager objects that become generated objects will be erased, while translated Security Change Manager objects will be patched. That is, all names will be prefixed by NP_<Letter>_.
Table 3.3. Example of the Translation of a Class into Check Point FireWall-1 group
Security Change Manager Object | Check Point FireWall-1 Equivalent
@example(ex) | Group: Zexample_ex_
 | Generated network: NP_C_Zexample_ex__001
 | Generated network: NP_C_Zexample_ex__002
In this example, a Security Change Manager class is translated into a Check Point FireWall-1 group that contains two generated networks from the Security Change Manager class contents.
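The naming scheme of Section 3.4 (NP_<Letter>_ prefix, sanitized body, 4-digit suffix) and the class translation of Table 3.3 are easy to get wrong when you need to trace a Check Point object back to its Security Change Manager origin, so here is an added Python illustration of the rules, together with the check against the "begins with a letter, shorter than 90 characters" recommendation; it is not code from the manual or from Security Change Manager. The character mapping (a leading "@" becomes "Z", every other non-alphanumeric character becomes "_") is an assumption inferred from the manual's examples, and the code follows Section 3.4's 4-digit suffix from 0000 rather than the 3-digit suffix from 001 shown in Table 3.3.

```python
import re
from typing import Dict, List

# Assumed mapping, inferred from the manual's examples
# ("@loglogic.fr (domain)" -> "Zloglogic_fr__domain_", "@example(ex)" -> "Zexample_ex_"):
# a leading "@" becomes "Z" so that the name starts with a letter, and every other
# character that is not a letter or digit becomes "_". Case is preserved because
# Check Point FireWall-1 NG treats object names case-sensitively (section 1.3.1).
_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")

# Prefix letters from Table 3.2 (the NP_O VFP objects use their own layout, see 4.10.2)
PREFIX_LETTERS = {"A", "C", "E", "I", "N", "R", "S", "T"}


def sanitize(scm_name: str) -> str:
    """Body of the Check Point object name derived from an SCM object name."""
    if scm_name.startswith("@"):
        scm_name = "Z" + scm_name[1:]
    return _NON_ALNUM.sub("_", scm_name)


class GeneratedNameAllocator:
    """Hands out NP_<Letter>_<body>_<4 digits> names, counting per body so that two
    objects generated from the same SCM object get _0000 and _0001 (section 3.4.1)."""

    def __init__(self) -> None:
        self._counters: Dict[str, int] = {}

    def allocate(self, letter: str, scm_name: str) -> str:
        if letter not in PREFIX_LETTERS:
            raise ValueError(f"unknown generated-object prefix letter {letter!r}")
        body = f"NP_{letter}_{sanitize(scm_name)}"
        n = self._counters.get(body, 0)
        if n > 9999:  # a 4-digit suffix cannot distinguish more objects than this
            raise OverflowError(f"more than 10000 objects generated for {body}")
        self._counters[body] = n + 1
        return f"{body}_{n:04d}"


def check_recommendation(scm_name: str) -> List[str]:
    """Which parts of the section 3.4 recommendation (begin with a letter, be shorter
    than 90 characters) the SCM name violates; an empty list means it is fine."""
    problems = []
    if not scm_name[:1].isalpha():
        problems.append("does not begin with a letter")
    if len(scm_name) >= 90:
        problems.append("is not shorter than 90 characters")
    return problems


if __name__ == "__main__":
    alloc = GeneratedNameAllocator()
    for _ in range(2):
        print(alloc.allocate("N", "@loglogic.fr (domain)"))
    print(check_recommendation("@loglogic.fr (domain)"))
```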
3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects
The following table shows the comments generated for traceability between Security Change Manager objects and Check Point FireWall-1 objects.
Chapter 4. How Security Change Manager Objects Map to Check Point FireWall-1
4.1. Translation of Network Objects ... 15
4.2. Translation of Class Objects ... 16
4.3. Translation of Management Server Objects ... 16
4.3.1. Check Point Host Default Fields or Check Point Gateway ... 17
4.3.2. Check Point FireWall-1 Interoperable Default Fields ... 18
4.4. Translation of Nexus Objects ... 18
4.5. Translation of PEP Objects ... 18
4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP ... 18
4.5.2. Specific Translated Fields ... 18
  Log ... 18
  Interface Netmask ... 19
  Anti-Spoofing ... 19
4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields ... 19
  Process ... 19
4.6. Translation of Services ... 19
4.6.1. Generation Process ... 19
  Principle ... 19
  Syntax of the Mapping Table ... 20
  Example ... 20
4.6.2. A Translated Security Change Manager Service ... 20
  Naming Convention ... 21
  Security Change Manager IGMP Translated Fields ... 21
4.7. Translation of Implicit Generated Objects ... 21
4.7.1. Anti-spoofing ... 22
4.7.2. Expand Internet: Objects Generated ... 22
4.8. Translation of Permissions ... 22
4.9. Translation of Time Definition Rules ... 22
4.9.1. What cannot be translated ... 22
4.10. Translation of NAT Rules ... 22
4.10.1. Example ... 22
4.10.2. Rules ... 23
4.10.3. Security Change Manager NAT Rules Translated Fields ... 23
4.11. Translation of Limited Path Zones ... 24
4.12. Translation of Default Objects ... 24
4.12.1. All Networks ... 24
4.12.2. All PEPs ... 24
4.13. Translation of User Authentication ... 24
This chapter explains how each Security Change Manager object is translated into a Check Point FireWall-1 object.
Table 4.1. Security Change Manager Network Object Rules
Case # | Security Change Manager Network | Check Point FireWall-1 Objects
 | The Security Change Manager network is defined with more than one IP address and a netmask, or with an IP address range that is not netmaskable | A group that contains either a set of networks or ranges (ranges only if the management server manages NG PEP versions), each defined with only one IP address and a netmask, so that the set of networks matches the Security Change Manager network. Note: the name of the network created is prefixed by NP_N to remind you that it came from a Security Change Manager network.

Table 4.2. Security Change Manager Class Object Rules
Security Change Manager | Check Point FireWall-1
A class containing a * or an object containing a * at any level | Any object.
Note
The interface name will be automatically generated with the prefix NP_I.
Security Change Manager | Check Point FireWall-1
Upload Configuration -> FireWall-1 Options -> Upload Only if Successful on ALL Managed PEPs | This parameter will be used during the installation of the security policy on the PEPs
General Options -> Local Security Policy -> Log Implied Rules | Global Properties -> FireWall -> Log Implied Rules
General Options -> Local Security Policy -> Accept VPN-1 & Check Point FireWall-1 Control Connections | Global Properties -> FireWall -> Accept VPN-1 & FW-1 Control Connections
General Options -> Local Security Policy -> Accept Remote Access Control Connections | Global Properties -> FireWall -> Accept Remote Access Control Connections
General Options -> Local Security Policy -> Accept RIP | Global Properties -> FireWall -> Accept RIP
General Options -> Local Security Policy -> Accept Domain Name Over UDP (Queries) | Global Properties -> FireWall -> Accept Domain Name Over UDP (Queries)
General Options -> Local Security Policy -> Accept Domain Name Over TCP (Zone Transfer) | Global Properties -> FireWall -> Accept Domain Name Over TCP (Zone Transfer)
General Options -> Local Security Policy -> Accept ICMP | Global Properties -> FireWall -> Accept ICMP requests
General Options -> Local Security Policy -> Accept Outgoing Packets Originating From Gateway | Global Properties -> FireWall -> Accept Outgoing Packets Originating From Gateway
General Options -> Local Security Policy -> Accept CPRID Connections (SmartUpdate) | Global Properties -> FireWall -> Accept control connections
General Options -> Local Security Policy -> Accept Dynamic Address Modules' DHCP traffic | Global Properties -> FireWall -> Accept dynamic address modules' DHCP traffic
Check Point FireWall-1 Interoperable Default Fields
FireWall-1 GX
Logs and Masters
Capacity Optimization
Advanced
Note
The interface name will be automatically generated with the prefix NP_I.
Note
The anti-spoofing log is enforced when the Log Level for the Default Rule is set in Interfaces -> Interface Name -> Options, or when the log is set in the permission. Note that when an Account is set on a deny flow, it will automatically be transformed into a log, because Accounting is not allowed for deny or drop rules on Check Point FireWall-1.
Table 4.4. SCM Log Numbers
Security Change Manager | Check Point FireWall-1
Alert | Alert
Mail | Log
SnmpTrap | Log
User Defined | Log
User Defined2 | Log
User Defined3 | Log
Log | Log
Interface Netmask
In order to specify the interface netmask, you can type the interface IP address with the netmask. If not, the netmask of the object it is connected to will be used.
Anti-Spoofing
If the generated anti-spoofing rule is set on the Check Point FireWall-1 PEP, a group will be automatically generated and attached to the interface of the Check Point Gateway.
Process
General -> Color
General -> Additional Products
Remote Access -> Clientless VPN
Smart Directory (LDAP)
Log and Masters
Capacity Optimization
Advanced
When the security policy is generated, for each service:
- If the service is in the mapping table, the entry is used to find the corresponding Check Point FireWall-1 service name for the generation.
- If the service is not in the mapping table, a Check Point FireWall-1 custom service is generated if possible.
Note
Check Point FireWall-1 services are case sensitive while Security Change Manager services are case insensitive.
Example

    <SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
        <Condition type="version" dependency="version" min="4.1.0"/>
    </SingleCapability>
    <SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
        <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
    </SingleCapability>
Table 4.5. Translated Security Change Manager Service
Fields
If the service contains more than one protocol permission or service | A group of services
If the service contains a service not translatable into Check Point FireWall-1 (flow server -> client) | Error
Naming Convention
Note
All generated and translated Check Point FireWall-1 services will be prefixed by NP_S_ because they will be generated at each compilation.
Check Point FireWall-1 does not allow a permission from server to client to be defined easily, so when a Security Change Manager service contains only such a permission, the following error message occurs:
    Error: The Security Change Manager service <service name> couldn't be described in the Check Point FireWall-1 <PEP name> database. Associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).
When the service contains a permission from server to client, but also another type of permission, the following message occurs:
    Warning: The return flow of scm service <service name> couldn't be well described in the Check Point FireWall-1 <PEP name> database. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).
4.7.1. Anti-spoofing
To manage anti-spoofing, Security Change Manager must generate a group that will contain all network objects allowed to pass through that interface. All networks (that are allowed) already exist in Check Point FireWall-1 objects created by Security Change Manager. It is only necessary to define the group that will contain them. The generated name is NP_A_<PEP FW-1>_<interface name>_<4 digits>.
Note
Some Security Change Manager permissions could be merged into a single FireWall-1 security rule after the reduction compilation phase.
4.10.1. Example
The NAT rule on Check Point FireWall-1 indicates that the class P of network N1 will be translated into 124.2.*. The rule between N1 and N2 must be enforced as follows:
FW1 has: allow N1 -> N2 (because on Check Point FireWall-1 NAT is enforced after IP filtering).
On FW2 and CISCO, N1 can be viewed as {121.* except 121.2.*} + 124.2.*. Therefore, the allowed rule is N1' {121.1.* + 121.3.0.0/121.255.255.255 + 124.2.*} -> N2.
4.10.2. Rules
In each rule enforced on a Check Point FireWall-1 PEP where a source or destination is used in a NAT rule, a new object must be created to represent the source or the destination from the point of view of that PEP. The name used for these new objects is NP_O_<object name>_VFP_<PEP name>_<service name>_<destination object>, where "object name" can be any kind of Security Change Manager object (a network, a class, a nexus, a PEP or a management server). In the example above, the corresponding object is created on FW2 as NP_O_N1_VFP_FW2_<service name>_N2.
Note
VFP is an abbreviation for "View from PEP". The object that will be generated will be a group that will contain networks even if the SCM object is a PEP or a management server. For each NAT Rule a destination object and a source object will be created.
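The example of 4.10.1 and the rules of 4.10.2 can be worked through in code: the following added Python (not code from the manual or from Security Change Manager) computes the "View from PEP" address set of a source network once a NAT rule carves a translated class out of it, chooses the original or translated view depending on whether the PEP is the gateway performing the NAT, and builds the NP_O_..VFP_.. group name. Reading "121.*" as 121.0.0.0/8, "121.2.*" as 121.2.0.0/16 and "124.2.*" as 124.2.0.0/16 is an assumption; the rule only shows the NAT-after-filtering case for FW1, the code makes that explicit as a flag.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network


def _nets(specs: Iterable[str]) -> List[IPv4Net]:
    return [ipaddress.ip_network(s) for s in specs]


def view_from_pep(source: Iterable[str], nat_rules: List[Tuple[str, str]]) -> List[IPv4Net]:
    """Address set under which `source` is seen by a PEP that lies beyond the
    NAT: the source minus every translated class, plus every translated range
    (the contents of the VFP group of section 4.10.2). nat_rules holds
    (original network, translated network) pairs, e.g. ("121.2.0.0/16", "124.2.0.0/16")."""
    remaining = _nets(source)
    added: List[IPv4Net] = []
    for original, translated in nat_rules:
        orig = ipaddress.ip_network(original)
        carved: List[IPv4Net] = []
        for net in remaining:
            if orig.subnet_of(net) and orig != net:
                carved.extend(net.address_exclude(orig))   # cut the class out of the network
            elif net.subnet_of(orig):
                continue                                    # the whole network is translated
            else:
                carved.append(net)                          # untouched by this NAT rule
        remaining = carved
        added.append(ipaddress.ip_network(translated))
    return sorted(ipaddress.collapse_addresses(remaining + added))


def filtering_source(nat_on_this_pep: bool, source: Iterable[str],
                     nat_rules: List[Tuple[str, str]]) -> List[IPv4Net]:
    """Source to put in the filtering rule on one PEP. On the Check Point gateway
    that performs the NAT, filtering happens before NAT, so the original addresses
    are used (FW1 in the example); any PEP further along the path (FW2, CISCO)
    filters on the translated view instead."""
    if nat_on_this_pep:
        return sorted(ipaddress.collapse_addresses(_nets(source)))
    return view_from_pep(source, nat_rules)


def vfp_object_name(obj: str, pep: str, service: str, dest: str) -> str:
    """Name of the generated VFP group: NP_O_<object>_VFP_<PEP>_<service>_<destination>."""
    return f"NP_O_{obj}_VFP_{pep}_{service}_{dest}"


def contains(nets: Iterable[IPv4Net], addr: str) -> bool:
    """True when `addr` falls inside any network of the computed view."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    rules = [("121.2.0.0/16", "124.2.0.0/16")]
    print("FW1:", [str(n) for n in filtering_source(True, ["121.0.0.0/8"], rules)])
    print("FW2:", [str(n) for n in filtering_source(False, ["121.0.0.0/8"], rules)])
    print(vfp_object_name("N1", "FW2", "http", "N2"))
```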
Masquerading
An authentication rule is defined by a source (the user group appended to the network location of the user), a destination, and one of the 3 authentication methods (User Authentication, Client Authentication, or Session Authentication). In Security Change Manager Designer, define the authentication on the permission in the Permission Properties window by selecting Actions -> Authentication -> Application Point and adding the required PEPs.
Note
The user authentication method appears only for http, ftp, rlogin and telnet. For each method, implicit permissions are created. Authentication parameters on the management server and Check Point FireWall-1 can be defined on the corresponding Security Change Manager objects.
Chapter 5. How to Define and Deploy a Security Policy on Check Point FireWall-1
5.1. First Use of Check Point FireWall-1 ... 27
5.1.1. SSL Certification and Encryption Procedure ... 27
5.1.2. Clear OPSEC Connection Type Procedure ... 31
5.2. Configure a Check Point GX Management Server ... 32
5.2.1. First step: Creating custom services and defining the policy ... 33
5.2.2. Second step: Defining precisely the custom services ... 33
5.3. Define and Deploy a Policy ... 35
5.3.1. Step 1: Defining the Secure Topology ... 35
5.3.2. Step 2: Security Policy Definition ... 39
5.3.3. Step 3: Audit ... 39
5.3.4. Step 4: Define Rules ... 39
5.3.5. Step 5: Compile the Security Policy ... 39
5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server ... 40
  Prerequisites ... 40
  Procedure ... 40
5.3.7. Step 7: Deploy the Policy ... 40
5.4. Define and Manage an Existing Policy ... 41
5.4.1. Purpose ... 41
5.4.2. Prerequisites ... 41
5.4.3. Step 1: Perform a Check Point FireWall-1 Import ... 41
5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import ... 42
5.4.5. Other Steps ... 43
5.5. Create an Authentication Rule ... 43
This section lists the steps required to define a security policy in Security Change Manager Designer, and to deploy that policy on a Check Point FireWall-1 PEP.
3. In the OPSEC Application Properties window:
   a. Give a name to the OPSEC Application and remember it.
   b. Select a host using the Host pull-down menu.
   c. Tick the CPMI checkbox in the Client Entities panel to enable the CPMI.
   Note
   Select no other options. For instance, no Server Entities and no other Client Entities than CPMI.
   d. Click the Communication button.
   e. In the Communication dialog box, enter a password ("activation key" in this GUI) and remember it.
   f. Click the Initialize button and click Close to close the Communication dialog box.
   g. Click OK to close the OPSEC Application Properties window.
4. Save your settings by using File -> Save and close the SmartDashboard.
5. Connect to the Security Change Manager Designer.
6. Create your map, open the Management Server Properties window and select the Upload Configuration -> Connection Options view.
   a. Set the OPSEC Connection Type option to SSL Certification and Encryption.
   b. For the OPSEC Application name option, type in the same name as the one you set in the SmartDashboard.
   c. Click OK to validate your settings and close the Management Server Properties window.
7. Right-click on the Management Server object and select Import -> FW1-Import... from the contextual menu. The Import in Progress window opens. Several dialog boxes will then prompt you for information:
   a. When prompted for username/password, enter those you previously used to connect to the SmartCenter with the SmartDashboard, and click OK.
   b. When prompted for a new certificate in the Getting Certificate dialog box, select Yes from the pull-down menu and click OK.
   c. When prompted for the certificate's password, enter the one you provided during the OPSEC Application's creation and click OK.
Note
During the first preparation upload, Security Change Manager will request the password that you wrote down in step 3 to get the certificate for the Check Point FireWall-1 Management Server. If the certificate is changed on the Check Point FireWall-1 Management Server, Security Change Manager will detect this and request the new certificate. If for some reason this method fails, you may receive an error beginning with "SIC error...": the certificate has already been given to Security Change Manager. You will need to reset the certificate by deleting the certificate in Security Change Manager and following the steps described above again. To delete the certificate in Security Change Manager:
1. Go to the Manager8.2\data\authentication\certificate directory.
2. Delete the <Management Server name>_<OPSEC Application name>.p12 file and the corresponding .sicname file.
For more information on this topic, please see the LogLogic Knowledge Base available at http://www.loglogic.com/services/support/index.php (for registered customers only).
d. Click OK to validate your settings and close the Management Server Properties window.
The main feature of GX for telcos is the protocol inspection of GTP tunnels. The way of configuring GTP traffic inspection recommended by Check Point is to create new services inheriting from one of the 4 predefined GTP services and then fine-tune them with some specific settings (only gtp_v0_default and gtp_v1_default have meaningful options). These services are:
gtp_mm_v0_default
gtp_mm_v1_default
gtp_v0_default
gtp_v1_default
The feature is activated by creating permissions that have a GTP service as service, and either hosts as source or destination (hosts representing the SGSN and GGSN in GTP terminology) or a handover group as source or destination. Handover groups are a new kind of object introduced in GX. They are groups of hosts with a special flag identifying them as handover groups. In Security Change Manager, they are represented as meta-classes to which the optional "Handover Group" flag is added.
5.2.1. First step: Creating custom services and defining the policy
1. You must first create custom services in the Security Change Manager Designer Service Editor using the existing GTP services.
2. You can then define your security policy as usual using the newly created service.
5.2.2. Second step: Defining precisely the custom services
In the GTP Services group of options you can: add a new custom GTP service, choose which existing service to customize, and select the appropriate options, that is to say the options which have been selected in the SmartDashboard.
1. Open the Management Server Properties window (by double-clicking the Management Server object).
2. In the General Options view, set the Is the management server a Check Point GX? option to Yes.
3. A GTP Services sub-node appears under the General Options node. In the GTP Services view, click the AddGTPServiceTemplate icon. A list of options appears allowing you to define a custom GTP Service. See Section 14.2.6, GTP Services (page 153) for further information about these options.
3. Select the General Options -> Security Server view and define the Security Server options.
4. Select the General Options -> Authentication view to define authentication properties on the Management Server. On NG, you can define 3 screens of authentication properties:
   Failed Authentication Attempts
   Users with Certificates
   Early Versions Compatibility
5. Select the Upload Configuration -> Connection Options view and define the upload parameters.
   User Authentication Session Time Out: if this number of minutes elapses between a Security Change Manager request and the management server's response, the session is dropped (default: 1 minute).
6. Select the Managed PEPs view and add all FireWall-1 or Nokia PEPs that shall be managed by the Management Server (this association can also be done in the Properties window of each PEP).
7. Create the appropriate Class you need. See "Representing a Set of IP Addresses via a Class" in the Security Change Manager User Guide.
Note
An implicit permission between the Management Server and the managed PEP is automatically added for the FW-1 service.
2. The Compilation Result dialog box appears. It states whether the compilation has been successful or not. Read the Errors and Messages.
5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server
Warning
If the FW-1 management server manages PEPs that are on the path between Security Change Manager and the Management Server or are on the Management Server itself, we recommend that a policy is installed on these PEPs before upload. If not, the communication between the Management Server and Security Change Manager will be interrupted.
Warning
If Security Change Manager contains an address defined as '*', the upload may fail. Avoid using '*' as the address.
Prerequisites
The filters for the current workspace map have been successfully compiled.
Procedure
1. Prepare upload. The purpose of the upload preparation is to generate a Check Point FireWall-1 security policy that comes from: the SCM Server object definition, and the Check Point FireWall-1 object definition that contains concepts not supported by Security Change Manager.
2. Select Action > Upload Preparation for selection from the menu bar. The Upload Preparation in Progress window opens and the upload preparation starts automatically. Once the preparation has terminated, a message appears stating whether it has been successful. Click the Close button to close the Upload Preparation in Progress window. The Upload Preview window opens, displaying the .confpatch file that will be applied when uploading the configuration.
3.
4. An Upload Message dialog box opens, asking if you wish to continue. Click Continue to proceed with the upload process. When the upload has completed successfully, the Upload in Progress window displays the message "Upload terminated (successful)".
5.4.1. Purpose
This section describes a situation where you have just bought Security Change Manager and want to configure your security policy with it. In this case, you will want to:
1. Read your security policy.
2. Adapt it in Security Change Manager to define a global security policy.
3. Check that the security policy is what you want.
4. Then, implement that policy.
The following steps are explained in detail in the Security Change Manager User Guide and in the previous sections of this chapter.
5.4.2. Prerequisites
The first upload of the SCM-generated security policy on the Check Point FireWall-1 Management Server will change the existing security policy files. It is therefore recommended to back up the directory containing the security policy definition ($FW1\conf) before installing the new one.
1. Duplicate this directory under the name BeforeInstallation (for example).
2. Define a rule on the management server that allows the services CPMI and ica_pull_cert and install it on the managed PEP: source = Security Change Manager Designer, destination = Check Point FireWall-1 Management Server.
(Figure: Security Change Manager Designer, Gateways and Management Server)
Warning
Do not perform an import on an untitled map. Always name the .npl file first.
Other Steps
Note
For all the rules that couldn't be created because they are not supported by Security Change Manager see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page63 ).
This task only needs to be done to obtain the user group definition and the associated authentication server. The next upload will not need these tasks, unless a new user group has to be managed.
Warning
Security Change Manager cannot manage all the concepts supported in Check Point FireWall-1. Therefore, when importing a Check Point FireWall-1 security policy, some objects and rules will not be imported. All objects that are not supported will be kept in the objects.C file and all rules not supported will be kept in a specific policy file in the rulebases.fws file.
When generating a policy:
* The objects that have the same name are updated by Security Change Manager and the others do not change.
* The "include" rules are added before and after the generated security policy.
* If you change an object name in Security Change Manager, when generating a new policy in the objects.C file there will be two objects: the old one (not removed because it may be referred to by objects in the security policy) and the new one. If this happens, you must change the old object for the new one to maintain the synchronization between the Security Change Manager definition and the Check Point FireWall-1 definition.
Table 6.1. What will be imported/ not imported from Check Point FireWall-1 NG and NG AI
(Columns: Check Point FireWall-1 categories; Detail; Imported; Comment)

Networks Objects
  Detail: Check Point FireWall-1 Gateway, Check Point FireWall-1 Host, Check Point FireWall-1 Gateway cluster, Check Point FireWall-1 Embedded Device, Check Point FireWall-1 Externally Managed Gateway, Gateway Node, Host Node, Interoperable Device, Network, Domain, OSE Devices, Group, Logical server, Address range, Dynamic Object, VoIP domains, VPN-1 Edge/Embedded Gateway, VPN-1 Edge/Embedded Profile
  Imported: Partially
  Comment: N/A

Services objects
  Detail: Group, DCE-RPC
  Imported: Partially
  Comment: Note that some flows will need a specific declaration in the mapping table if they couldn't be imported. Negate service will not be supported. Services of type 'Other' will not be imported if

Resources
  Detail: URI, URI for QoS, SMTP, FTP, TCP

OPSEC Applications
  Detail: OPSEC Application, CVP Group, UFP Group, CPMI Group

Server
  Detail: RADIUS, RADIUS Group, TACAS, DEFENDER, LDAP Account Unit, Certificate Authority, SecuRemote DNS
  Comment: This implies that all implicit flows between these servers and Check Point FireWall-1 hosts will not be imported.

Users objects
  Detail: Administrator, External group, Group, User, LDAP Account Unit

Time objects
  Detail: Time definition, Time group, Scheduled Event

Virtual Links

VPN Communities
  Detail: Virtual Links, Intranet Meshed, Intranet Star, Extranet, Partner

Imported (for the seven categories from Resources to VPN Communities, in that order): No, No, Partially, Partially, No, No, No

Check Point FireWall-1 Implied Rules
  Detail: All those defined in the General Options > Local Security Policy view
  Imported: Yes

Security Rules
  Detail: Allow, Drop, Reject, User Auth, Client Auth, Session Auth
  Imported: Yes
  Comment: All security rules associating "allow" permissions with negate objects (on source and/or destination) will be imported as two distinct rules, i.e. the first rule will be a "deny" permission and the second rule an "allow" permission. For example, if an "allow" permission is set between A and B, where B is a negate object, the generated rules will be:
    deny A -> B
    allow A -> any
  A security rule, e.g. (src_1,...,src_X);(srv_1,...,srv_Y);(dst_1,...,dst_Z), is imported as only one optimized rule with: one metaclass for SRC, one metaclass for DST, one service group for SRV. The naming convention for the metaclasses and the service group is the following: SRC_n, SRV_n, DST_n, where n is the security rule ID number. The IF VIA property is ignored.

Address Translation Rules
  Detail: Static, Hide
  Imported: Yes

Desktop Security Rules
  Detail: Inbound Rules, Outbound Rules
  Imported: No

Web Access
  Detail: Web Sites, Security Requirements, Authorization Requirements, Application Settings
  Imported: No

Floodgate Rules
  Imported: No
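The import behaviour described for Security Rules in Table 6.1 (one optimized rule per Check Point rule, with SRC_n / SRV_n / DST_n groups, and an "allow" rule with a negate object split into a deny followed by an allow) is shown below as an added example. This is illustrative code, not Security Change Manager's own importer; the rule and object names in SAMPLE_RULES are constructed, and the refusal to handle a negate on a drop/reject rule is this example's own choice, since the page only describes the "allow" case.

```python
"""Added example: importing Check Point security rules into Security Change Manager style
permissions, following the Table 6.1 description. Not the product's own code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CheckPointRule:
    """A simplified security rule as read from rulebases.fws (constructed for the example)."""
    rule_id: int
    sources: List[str]
    services: List[str]
    destinations: List[str]
    action: str                      # "accept", "drop" or "reject"
    negate_source: bool = False
    negate_destination: bool = False


@dataclass
class Permission:
    """A Security Change Manager permission between two named object sets."""
    action: str                      # "allow" or "deny"
    source: str
    service: str
    destination: str


def import_rule(rule: CheckPointRule) -> Tuple[Dict[str, List[str]], List[Permission]]:
    """Return (object groups, permissions) for one Check Point rule.

    Groups follow the naming convention SRC_n, SRV_n, DST_n where n is the rule id.
    A negated source or destination on an "accept" rule yields two permissions:
    a deny on the negated object, then an allow with "Any" in its place.
    The IF VIA property is not modelled (the page states it is ignored).
    """
    n = rule.rule_id
    src, svc, dst = f"SRC_{n}", f"SRV_{n}", f"DST_{n}"
    groups = {src: sorted(rule.sources), svc: sorted(rule.services), dst: sorted(rule.destinations)}
    action = "allow" if rule.action == "accept" else "deny"
    negated = rule.negate_source or rule.negate_destination

    if not negated:
        return groups, [Permission(action, src, svc, dst)]
    if action != "allow":
        # Assumption of this example: the page only describes the "allow" + negate case,
        # so refuse rather than guess what a deny with a negated object should become.
        raise ValueError(f"rule {n}: negate on a {rule.action} rule is not handled here")

    # deny A -> B, then allow A -> any (the page's own worked example)
    deny = Permission("deny", src, svc, dst)
    allow = Permission("allow",
                       "Any" if rule.negate_source else src,
                       svc,
                       "Any" if rule.negate_destination else dst)
    return groups, [deny, allow]


def import_rulebase(rules: List[CheckPointRule]) -> Tuple[Dict[str, List[str]], List[Permission]]:
    """Import a whole rulebase, keeping rule order; returns all groups and all permissions."""
    all_groups: Dict[str, List[str]] = {}
    all_perms: List[Permission] = []
    for rule in rules:
        groups, perms = import_rule(rule)
        all_groups.update(groups)
        all_perms.extend(perms)
    return all_groups, all_perms


# Constructed sample rulebase: rule 7 is a plain accept, rule 12 accepts A to everything
# except B (B is a negated destination), rule 13 is a drop rule.
SAMPLE_RULES = [
    CheckPointRule(7, ["lan"], ["http", "https"], ["dmz_web"], "accept"),
    CheckPointRule(12, ["A"], ["smtp"], ["B"], "accept", negate_destination=True),
    CheckPointRule(13, ["Any"], ["telnet"], ["Any"], "drop"),
]

if __name__ == "__main__":
    groups, perms = import_rulebase(SAMPLE_RULES)
    for name, members in groups.items():
        print(f"{name}: {members}")
    for p in perms:
        print(f"{p.action:5} {p.source} -> {p.destination} [{p.service}]")
```

Running the block prints the generated groups followed by four permissions; rule 12 is the one that becomes a deny on DST_12 followed by an allow towards Any, which is exactly the ordering that has to be preserved when the imported policy is later re-optimized.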
Warning
In order to keep track of your firewalls and see their names clearly in both the Security Change Manager and Check Point FireWall-1 displays, choose a short name (less than 10 characters) in Security Change Manager because a longer name will not be completely displayed in the Check Point FireWall-1 Policy Editor.
Step 1: Create and Configure a Management Server
OPSEC Application Name or OPSEC Application Distinguished Name, depending on whether you selected SSL Certificate & Encryption or Clear for the OPSEC Connection Type option in the Upload Configuration > Connection Options view.
Security Change Manager imports only objects involved in a rule, a NAT rule or an implicit NAT rule. Objects that cannot be imported remain in the objects.C file; rules that Security Change Manager cannot manage stay in rulebases.fws and are referred to by the include policy in Security Change Manager.
Warning
Do not perform an import on an untitled map. Always name the project first in the Project Manager window.
1. Create a Management Server by selecting the Add Management Server icon in the toolbar and clicking once on the map.
2. Open the Management Server Properties window, click the Identification view and select a Management Server Version from the pull-down menu.
3. In the Addresses view, click the Add button to add the IP address(es) of the Management Server.
4. In the Upload Configuration > Connection Options view, set the Upload Method option to OPSEC and the OPSEC Connection Type option to SSL Certificate & Encryption.
Note
The OPSEC Application Name must have been created and saved, but never used, on the SmartDashboard before being connected from Security Change Manager.
5. Select the Upload Configuration > Authentication view and specify a Login/Password for authentication.
6. Select the Upload Configuration > Firewall-1 Options view and specify the Check Point FireWall-1 options.
7. Select the Upload Configuration > Upload Addresses view and specify the upload addresses, i.e. the address(es) used by Security Change Manager to connect to Check Point FireWall-1.
3. Click OK.
4. The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully to see what the import accomplished.
5. Check the report and click the Close button. Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.
1. Use the contextual menu on the map or on the selected objects to connect the following objects: PEPs to Networks; Nexus to Networks. Additionally, on an NG cluster, you should synchronize the networks (refer to the Security Change Manager User Guide for further information).
Note
If there is an Internet network '*', all classes not connected to a network become attached to this network, so you must check which classes may legitimately be attached to the Internet network. A warning message appears at the end of the automatic attachment of classes to networks to indicate that a class has been attached to the Internet network; you must check that this is really the action you wanted. Right-click on a PEP or a network and select the Connect to ... Objects functionality in the contextual menu to group all attached objects around a network or a PEP inside the same network.
2. Check the Deny Permissions that have been imported. Optimization of rules will automatically be done by Security Change Manager. You must put a priority > 5000 on deny permissions used for logging purposes to be sure that they are placed at the end of the generated rules. Also check the meaning of "Any" and the permissions attached to it, where it has been imported.
3. Select Action > Policy Audit Through to launch a "Policy Audit Through" operation on the Check Point FireWall-1 PEP and select which interface you want to audit.
4. Check the information displayed in the Audit Results window.
5. Check whether Security Change Manager imported OSE Devices from the Check Point FireWall-1 Management Server as PEP devices (3Com, Nortel or Cisco). If they have been imported, remove them on the Check Point FireWall-1 Management Server to avoid conflicts of this type when uploading.
6. Type in the location of the rulebase.fws file (i.e. the path including the file name) and click OK.
7. Choose what to import:
   * All Objects: to import all the objects, excluding rules.
   * Used Objects: to import only the objects used in rules, excluding the rules themselves.
   * Rules & All Objects: to import all the objects and rules.
   * Rules & Used Objects: to import only the objects used in rules and the rules themselves.
   Click OK.
Note
Whatever the option selected, only the objects supported by Security Change Manager will be imported.
8. Choose the policy to be imported from the pull-down menu. The ACL names are those that have been defined on the Management Server (e.g. Standard or Custom Policy in the figure below). Click the corresponding button. The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully to see what the import accomplished.
9. Check the report and click the Close button. Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.
Note
The database will be cleaned at the beginning of the next upload and the option will then be set back to No (the default). Therefore, you have to reset it to Yes each time you want to clean it.
The generated rules will not be the same as those imported because:
* Anti-spoofing has been lost and is automatically found by Security Change Manager.
* Enforcement points have been lost and are automatically found by Security Change Manager.
* Rule order has been lost.
* The include policy (the set of rules that have not been imported) is positioned at the head of all other rules.
Chapter 7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager
7.1. First-Time: Define Non-supported Concepts on the Management Server (page 63)
7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server (page 63)
7.1.2. Step 2: Add Specific Properties (page 64)
7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager (page 64)
7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server (page 64)
7.1.5. Step 5: Modify the Management Server Options (page 64)
7.1.6. Step 6: Upload (page 65)
7.2. How to Manage User Groups (page 65)
This chapter describes how you should configure your Check Point FireWall-1 device to account for concepts that Security Change Manager does not manage.
Warning
This chapter gives a manual solution for managing Check Point FireWall-1 concepts not supported by Security Change Manager. The directions in this chapter can be used on a Security Policy that has already been built with Security Change Manager. It is recommended that the first time you want to incorporate Check Point FireWall-1 concepts, you use the Import Function. See Chapter 6, How to Perform an Import from Check Point FireWall-1 (page 45). Thereafter, use the directions in this chapter to modify your already-existing Security Policy.
The Patch Process and Security Include allow you to manage these concepts on the Check Point FireWall-1 Management Server.
7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server
Upload Security Change Manager Security Policy on the Management Server in order to have the
7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager
Add other objects not supported by Security Change Manager:
* Users
* Servers
* Resources
* Keys for IPsec
7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server
1. On the real Management Server through the Policy Editor, create a new policy for the First and/or Last include security policy that will manage all the concepts that can't be managed through Security Change Manager. Save the policy with a new name (for instance "My Policy").
2.
Warning
The security policy name is case-sensitive.
This policy is the one you will include in the Include Rules window, shown in Section 7.1.4, Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server (page 64), either as the First include Policy or the Last include Policy. You must take into account the implications of these includes on the global security policy:
* A rule in the include will not be considered in the Security Change Manager audit: therefore, you are not able to check the global validity of its model with audit.
* A rule in the include will not be enforced in PEPs other than those managed by the Management Server. If there is equipment managed by Security Change Manager between the source and the destination of the rule, the permission may be filtered. To avoid this situation, you must define a rule that allows the permission on PEPs directly controlled by Security Change Manager.
* NAT rules that may have an impact on equipment directly managed by Security Change Manager are prohibited.
7.1.5. Step 5: Modify the Management Server Options
1. In Security Change Manager Designer, open the Management Server Properties window.
2. Select the General Options > Include Policy view and type in the names of the include policy.
Warning
The include policy names must relate to an existing security policy name on the Management Server and must be different from the Security Change Manager generated policy name. Please refer to the Security Change Manager Reference Guide.
7.1.6. Step 6: Upload
2. Right-click the Management Server icon and, from the contextual menu, select the Device Manager menu item.
3. In the Deployment tab of the Device Manager window, check that the Management Server is selected and click the Upload icon to start the upload.
After this step, the final security policy (objects and rules) will be generated and copied onto the Management Server. You can then upload it on the managed PEPs via the SmartDashboard using the Policy > Install menu.
Note
If you want to use the previous security policy, you can manually copy the back-up files. Please see (page 41).
7.2. How to Manage User Groups
User Groups are used through User Authentication and the remote VPN feature in Security Change Manager. Only the name of the group is known in Security Change Manager; all other properties must be defined on the Management Server. During an import, User Groups are imported into Security Change Manager. During an upload, an empty User Group is created when no User Group or LDAP group with the same name exists. The content of a User Group, that is to say the users referenced by this group, must be defined through the SmartDashBoard.
Server objects, and specifically authentication servers (RADIUS, TACACS) and LDAP servers, must be defined via the SmartDashBoard. But before creating one, it is recommended that you create a Nexus in Security Change Manager Designer that represents the location of the server object, so that permissions from or to it and IP modifications can be managed through Security Change Manager too. This nexus will be translated into a node that you will reference on the SmartDashBoard as the host on which the server is defined.
On Security Change Manager Designer:
1. Create the nexus that has the IP address of the server (RADIUS, TACACS or LDAP server).
2. Add the necessary permissions between the Check Point FireWall-1 PEP and the nexus.
3. Select the Copy Only option (see Figure 7.1, Upload Configuration Set to Copy Only (page 65)) and upload the configuration.
4. On the Check Point FireWall-1 SmartDashBoard, edit the policy on the Management Server and add a server that references the Check Point FireWall-1 interoperable device that represents the nexus.
8.1. Procedure
When making a remote access on a Check Point FireWall-1 through Security Change Manager, the user will do the following tasks:
Note
This task only needs to be done to create the user group definition and the associated authentication server. The next upload will not need these tasks, unless a new user group has to be managed.
2. Set the certificates and/or pre-shared key on the users concerned, if this is not already the case. The certificates and/or pre-shared key parameters must be set on users' and/or external users' profiles the first time they are used.
3. Install the database on the Check Point FireWall-1 gateway that makes a remote VPN.
4. If a warning appears during the compilation stating that some IPsec parameters must be set on the user, set the IPsec proposals on the users of the User Group(s) concerned. You can customize the following global parameters: Remote Access: Remote Access -> VPN-Basic, except Pre-shared secret and IPcompression.
Implicit Permissions
Parameter / Type / Comment
WINS servers and supply the Domain name. All the following parameters in italics depend on this value.
DNS and WINS server addresses: Switched IP address. The backup DNS fields appear when the Primary DNS is set and when the first backup DNS is set; the backup WINS field appears when the first backup WINS is set.
Domain Name: String
User Group
Global Pool Lease Duration (in minutes): Integer (min: 2, max: 32767)
Support NAT-Traversal: (Yes/No*)
NAT-Traversal Service: VPN1_IPsec_encapsulation, or any of the services listed. Appears if Yes is selected for Support NAT-Traversal.
Tunnel: When enabled, the Gateway agrees to act as a VPN router for the client.
2. Other parameters will be set by Security Change Manager:
* Allow office mode for all users.
* Office Mode Method - Manual (using IP pool): always set.
* Allocate IP from network: (defined by the pool on the PEP)
Global Limitations
Hybrid Mode
Security Change Manager does not manage hybrid mode. You can enable hybrid mode, through the option on the Smart Dashboard, in Global Properties Remote Access VPN Basic.
Visitor Mode
Security Change Manager does not support visitor mode.
Transparent mode
Security Change Manager does not support transparent mode since this mode is not possible with Office Mode.
Clientless VPN
We do not support Clientless VPN.
IPsec/L2TP tunnels
Security Change Manager does not support IPsec/L2TP tunnels.
Number of tunnels
Only one tunnel can be created to a Check Point FireWall-1 PEP.
9.1. Procedure
When making a gateway-to-gateway VPN on a Check Point FireWall-1 through Security Change Manager, the user will do the following tasks:
Procedure
1. Set the Authentication parameters:
   a. In the case of a pre-shared secret, open the community named NP_V__<PEP1>-<PEP2>. In the shared secret field, copy the pre-shared key written in the 0.
   b. In the case of certificates, there is nothing to do except use a Certificate Authority. When the Certificate Authority of the device is different from that of its Check Point Management Server, you must create this Certificate Authority object in the Management Server and then enrol the Check Point FireWall-1 gateway in this Certificate Authority. For more information, refer to the Check Point FireWall-1 documentation.
2. Save and install the policy.
Note
This task must be done after the VPN community is created. The next upload will not need these tasks to be done again except in the cases where the pre-shared key changed, the certificate authorities changed, or the policy on the tunnel changed from PSK to RSA-Sig or from RSA-Sig to PSK.
VPN Domains
The source (respectively destination) of all permissions that enter (respectively leave) one side of a tunnel will be part of the VPN domain of that side. Since each gateway has only one VPN domain, it will be a group that contains all the networks that need to be reached via IPsec, possibly from different tunnels.
Site-to-site limitation
10.1. Procedure
10.1.1. On the Check Point FireWall-1 Management Server
If the cluster object does not already exist, you must create it on the Check Point Management Server. The cluster members do not need to be created; they will be created by Security Change Manager.
2. Create the cluster via the menu Mode > Add Cluster. Make sure it is named with the same name that is used in the Check Point FireWall-1 Management Server.
   a. Open the Cluster Properties window and, in the Identification view, reference the Management Server from the cluster using the Managed By pull-down menu.
   b. Select the Cluster Options view and set Cluster XL Enabled to Yes if you are not using a 3rd-party application to handle clustering.
   c. Select the Cluster Options > Cluster Members view, add the cluster members and sort them according to the priority in which you want them to be available (the top one in the list is the master).
   d. Select the Cluster Options > Availability Parameters view and set the Operating Mode option as needed. Set other availability parameters depending on whether you have chosen the Cluster XL feature or not.
   e. Select the Cluster Options > Synchronization > Synchronization Networks view and reference a network to synchronize the cluster members. This network must have the following characteristics:
      * It is recommended that you reference a dedicated network that is not connected to any of the cluster's virtual interfaces.
      * You can define more than one synchronization network for backup purposes.
      * Since synchronization networks are used to pass sensitive data such as encryption keys, it is important that these networks are secured.
      * The network must be linked to one interface of each cluster member.
   f. Add the virtual interfaces and connect them to the same network as the cluster members' interfaces. The virtual interfaces will make the cluster members' interfaces redundant.
Note
Implicit Permissions will be automatically activated between the Cluster members (this is also the case for Nokia IP clusters).
3. Add an NTP permission between the cluster members and the NTP server to ensure the cluster members have the same date.
4. Upload the configuration.
10.2. Limitations
High Availability Legacy Mode is not supported, but Check Point FireWall-1 supports High Availability New Mode.
1. Click on the background of the Security Change Manager Designer map to add a Management Server and enter its IP address in the pop-up menu.
2. Double-click the Management Server icon on the map to open its Properties window and select the type Provider-1 in the Identification view.
3. Select the General Options > Managed CMAs view and click the Add ManagedCMA icon to add the CMA servers that should be managed by the Provider-1 Management Server.
12.1. Description
Option / Description
Note: Allows you to enter a description of the current PEP.
General Options
Option / Description
* Choice "No": Set to "No" if you do not want SCM Server to manage this PEP.
Apply Flow To/From PEP on Relevant Interfaces Only: Enables you to choose how the PEP applies flows to its various interfaces.
  * Choice "Yes *": Limits an authorized flow, having the PEP as its destination, so that incoming packets through an interface cannot reach any other interface.
  * Choice "No": Enables an authorized flow, having the PEP as its destination, to reach all interfaces of the PEP.
  This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.
Has IPSec Module:
  * Choice "Yes": Indicates that the device supports the IPSec module for VPNs.
  * Choice "No": Indicates that the device does not support IPSec.
  supportsEncapsulatedTunnel
Enforce Time Filtering: Specifies whether the PEP is to perform time filtering. For further information on Time Filtering, see the SCM Server User Guide.
Generate NAT Rules:
  * Choice "Yes *": NAT rules are generated by the compiler and included in the filters. A warning message is displayed if the PEP cannot implement the rules.
  * Choice "Comment": NAT rules are written to the filters file as comments and ignored by the upload module.
  * Choice "No": NAT rules are not generated.
  At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the device without changing the existing NAT rules (if these exist). This is important because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler will take the NAT rules into account to generate the filters for the PEPs beyond the NAT application point.
Check Point Suite Type: The suite type that matches the one you installed with your Check Point software.
VSX Type: Lets you choose the type of VSX device.
  * Choice "Gateway *": The VSX device will be a VSX gateway.
  * Choice "Virtual System": The VSX device will be a virtual system.
Security Profile
Option / Description
Security Level:
  * Choice "No Filtering": Disables filtering, and reduces security on this PEP to zero.
Broad Filtering: Lets you choose to enable faster configurations at the expense of reduced security. You must set Security Level to "Custom Filtering" to use this option.
  * Choice "Disabled *": Indicates that filtering is not broadened, and security is at its highest level.
  * Choice "By Address": Reveals the Replace Address view, which lets you configure broad filtering by address.
  * Choice "By Service": Reveals the Replace Service view, which lets you configure broad filtering by service.
'Securing PEP' rules:
  * Choice "Yes *": Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
  * Choice "No": Permits access to the PEP's interface addresses.
Suppress 'Internet Restriction': Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
  * Choice "Yes *": Any permission you draw to/from Internet causes the compiler to implicitly generate all necessary denies to prevent permissions to/from all other internal addresses.
  * Choice "No": Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
  Attention: This option should be modified by an expert user only.
Expand Internet: This option is an optimization that controls how SCM Server defines the Internet object. It can create very finely-tuned filters, but at the price of increased size.
  * Choice "Yes": SCM Server will use a more precise, "expanded" definition of Internet. It defines the Internet as "all addresses outside the internal networks". This creates very fine, but slower, filters.
  * Choice "No *": SCM Server will define Internet as "Any". The generated filters are thus faster, but less secure.
Default Rule: Lets you change the default rule on this device. By default SCM Server will write a "deny all" rule at the end of a device's configuration. With this option, you can change this behavior: SCM Server will not write a default "deny all" rule and, on this device, all access that is not explicitly denied will be allowed.
  * Choice "Policy Default *": Uses the value defined in the Tools > Properties for the Current Policy window.
  * Choice "Deny": Keeps the standard behavior. Every access that is not defined is not allowed on this device.
  * Choice "Allow": Lets you easily define policies where the goal is to prohibit a set of given protocols in the network. If you choose the "Allow" option, make sure that you explicitly deny every access point that you want to close, or make sure that you have another device in series that denies everything by default.
Generate Anti-Spoofing: Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
  * Choice "Yes *": The PEP will generate anti-spoofing rules.
  * Choice "No": The PEP will not generate anti-spoofing rules.
  * Choice "Unmanaged": Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter will not be changed by the upload.
Spoof Tracking: Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
  * Choice "None *"
  * Choice "Log"
  * Choice "Alert"
  * Choice "Disabled": Disables the anti-spoofing option.
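What the Expand Internet option changes for the Internet object, and why Suppress 'Internet Restriction' matters when Internet is "Any", can be made concrete with the following added example. It is illustrative code and not SCM Server's compiler; the internal networks in INTERNAL_NETWORKS and the test addresses are constructed for the example.

```python
"""Added example: the Internet object under the two "Expand Internet" choices.
Expand = No  -> Internet is "Any" (0.0.0.0/0), so a permission to Internet also matches
                every internal address (hence the extra denies added by 'Internet Restriction').
Expand = Yes -> Internet is every address outside the internal networks, which needs many
                more prefixes (larger, slower filters) but never matches an internal host.
Not SCM Server's own code; the internal networks are constructed for this example."""
import ipaddress
from typing import List

IPv4Network = ipaddress.IPv4Network

# Constructed internal networks of the policy map (assumption for this example).
INTERNAL_NETWORKS: List[IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

ANY = ipaddress.ip_network("0.0.0.0/0")


def expand_internet(internal: List[IPv4Network]) -> List[IPv4Network]:
    """Return the prefixes covering every IPv4 address outside the internal networks."""
    remaining = [ANY]
    for net in internal:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Split the block around the internal network: address_exclude yields
                # the pieces of `block` that do not overlap `net` (nothing if equal).
                carved.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                continue                      # block is entirely internal: drop it
            else:
                carved.append(block)          # disjoint: keep as is
        remaining = carved
    return sorted(remaining)


def internet_definition(expand: bool) -> List[IPv4Network]:
    """The Internet object as it would be defined for the given Expand Internet choice."""
    return expand_internet(INTERNAL_NETWORKS) if expand else [ANY]


def internet_matches(addr: str, expand: bool) -> bool:
    """Does a permission drawn to/from Internet match this address?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in prefix for prefix in internet_definition(expand))


def main():
    for expand in (False, True):
        prefixes = internet_definition(expand)
        print(f"Expand Internet = {'Yes' if expand else 'No'}: {len(prefixes)} prefix(es)")
        for addr in ("10.20.30.40", "192.168.1.7", "198.51.100.9"):
            print(f"  {addr:15} matched by Internet: {internet_matches(addr, expand)}")


if __name__ == "__main__":
    main()
```

With the two constructed internal networks the expanded definition needs 30 prefixes instead of one, which is the size cost the option's description refers to; in exchange, an internal address such as 10.20.30.40 is no longer matched by a permission to Internet, so no compensating deny filters are required.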
Replace Address

Use this view to set a limit on the optimizations SCM Server makes on addresses. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
Replace Service

Use this view to set a limit on the optimizations SCM Server makes on services. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
    This is an optimization that enlarges the service of a permission. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
    * Choice "No *" Will not enlarge services. This option maintains the highest level of security.
    * Choice "by TCP" Replaces TCP permissions by TCP.
    * Choice "by UDP" Replaces UDP permissions by UDP.
    * Choice "by TCP and UDP" Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
    * Choice "by IP" Replaces permissions by IP.
Virtual System
12.2.3. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Authentication Settings

Use this view to configure how the PEP behaves during authentication sessions.

User Authentication Session Timeout (min)
    Indicates the number of minutes after which the PEP closes the authentication session.

Enable wait mode for Client Authentication
    If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open. If you select this option, the PEP will close the authentication session when the telnet session closes. If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.

Authentication Failure Track
    Indicates how the PEP will react to errors during authentication.
    * Choice "None" The PEP will not inform the user of errors.
    * Choice "Log" The PEP will log errors.
    * Choice "Popup Alert" The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global Properties window, and afterwards reference it from SCM Server.
    * Choice "Mail Alert" The PEP will send an email of the error.
    * Choice "SNMP Trap Alert" The PEP will send an SNMP alert.
    * Choice "User defined alert no." The PEP will send a user-defined alert; you can define alerts once using the Check Point(TM) FireWall-1(R) software, and afterwards reference them from SCM Server.
    The host name and port number of the HTTP proxy server.
Interface Options

    * Choice "None *" Disables logging.
    * Choice "Default" Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type. Note: Some PEPs allow selection of different log levels.

Application Point
    * Choice "Incoming *" The filters will be generated for the packets entering the interface.
    * Choice "Outgoing" The filters will be generated for the packets leaving the interface.
    * Choice "Both Directions if Possible" SCM Server will choose the application point with respect to the PEP capabilities and the PEP options settings.

Allow Forwarding
    Indicates if this device will perform forwarding. Enable this option to allow the device to forward packets.

    The interface only does packet sniffing.
    * Choice "Sensor + Filtering Interface" The interface can do both.

Is Loopback Interface
    Specifies if this interface is a "loopback" interface. A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the internet through two redundant ISPs. The loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces. Note: SCM Server will not allow you to connect a loopback interface to any object.

Policy Learning Mode
    * Choice "Yes" Indicates that Policy Learning Mode is enabled on this interface.
    * Choice "No *" Indicates that Policy Learning Mode is disabled on this interface.

Log Level for Deny Rules
    * Choice "None *" Disables logging.
    * Choice "Default" Triggers the logging of any IP packet matching a deny rule, to the default log level of the current PEP type. Some PEPs allow selection of different log levels.

Managed
    * Choice "Yes *" Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
    * Choice "No" Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.

Allow Forwarding
    Indicates if this interface will perform forwarding. Enable this option to allow the interface to forward packets.

Use as Tunnel Peer
    Indicates if this interface can be used to mount a tunnel.
    * Choice "Always" Indicates that the PEP will always try to use this interface when mounting a tunnel.
    * Choice "Never" The PEP will never try to use this interface when mounting a tunnel.
    * Choice "Automatic *" SCM Server will choose either "always" or "never" depending on whether the interface forms part of a possible path for the tunnel. Note: You should only need this option if you use Tunnel Groups.

Security Profile

Application Point
    * Choice "Incoming *" Only incoming filters will be applied.
    * Choice "Outgoing" Only outgoing filters will be applied.
    * Choice "Device Default" Incoming/outgoing filters are applied according to the value specified in the Interfaces: Options View.
    * Choice "Both Directions if Possible" SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.

Interface is external (leads out to the Internet)
    Specifies that the interface leads to the Internet. This means that IP addresses behind this interface will not be counted in the license enforcement.

    * Choice "No" SCM Server will generate filters for this interface.
    * Choice "Yes" SCM Server will generate a permit any any rule on this interface. By disabling the filtering on one (or several) interface(s), you create a rule that permits all flows, which can reduce the level of security, but improves performance. Note: This option will not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:
      - choose "No" in the "Generate Anti-Spoofing" option
      - in the General Options: Security Profile: Common Security Parameters view, enable the option "Suppress Securing PEP".

Generate Anti-Spoofing
    Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
    * Choice "Yes *" The PEP will generate anti-spoofing rules.
    * Choice "No" The PEP will not generate anti-spoofing rules.
    * Choice "Unmanaged" Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter will not be changed by the upload.

Spoof Tracking
    Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
    * Choice "Device Default *"
    * Choice "None"
    * Choice "Log"
    * Choice "Alert"
    * Choice "Disabled" Disables the anti-spoofing option.
Replace Address

Use this view to set a limit on the optimizations SCM Server makes on addresses, on a single interface only. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
Replace Service

Use this view to set a limit on the optimizations SCM Server makes on services, on a single interface only. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
    This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
    * Choice "No *" Will not enlarge services. This option maintains the highest level of security.
    * Choice "by TCP" Replaces TCP permissions by TCP.
    * Choice "by UDP" Replaces UDP permissions by UDP.
    * Choice "by TCP and UDP" Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
    * Choice "by IP" Replaces permissions by IP.
    * Choice "by Any" Replaces all permissions by Any.
12.5.2. IP Addresses

Use this view to set the interface's IP addresses.

Static IP Addresses

Use this section to configure the interface's static IP addresses.

Interface IP Addresses
    Specifies the static IP address of the interface.

IP Addresses

Use this view to configure the interface's IP addresses.

Use Dynamic Addresses
    Specifies whether this interface will have static or dynamic IP addresses.

DHCP Server
    Indicates the range from which the PEP can pick an IP address to assign to the interface.
    * Choice "Network" The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
    * Choice "Any" The PEP can assign any IP address to the interface.
    * Choice "User defined pool" The PEP can assign any address from the pool that you define in the Interface View.

Resolve IP Address Using
    When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.
    * Choice "PEP FQDN" To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties > General" Options View.
    * Choice "Interface Specific FQDN" To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.
    * Choice "Prompt IP Address" SCM Server will prompt the user for the interface's IP address at the moment of upload.

Interface FQDN
    Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.

VPN Options
IPSec Capabilities

DH Group 5 Enabled
    Indicates that the Diffie-Hellman group 5 is enabled when the device performs key exchange.
Upload Configuration

    Enter the address of the primary DNS server for the remote users.

First Backup DNS
    Enter the address of the first backup DNS server for the remote users.

Second Backup DNS
    Enter the address of the secondary backup DNS server for the remote users.

Primary WINS
    Enter the address of the primary WINS server for the remote users.

First Backup WINS
    Enter the address of the first backup WINS server for the remote users.

Second Backup WINS
    Enter the address of the secondary backup WINS server for the remote users.

Domain Name
    Enter the domain name of the remote users. This should match your internal network's domain.

Perform an organized shutdown of tunnels
    Allows the PEP to keep an authentication session open upon gateway restart with a remote access VPN client even if the PEP restarts.

Perform anti-spoofing on pool addresses
    Indicates that the PEP will perform anti-spoofing on all pool addresses.

Support connectivity enhancement for gateways with multiple external interfaces
    Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.
    ...tunnel. For example, the remote users will have to go through the tunnel to surf the internet.
    * Choice "Everything except local addresses" Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.

12.8.1. Interface

Use this view to select the interfaces to which the tunnel can connect.

Interface
    Use this view to select the interfaces to which the tunnel can connect.
    ...any HTTP servers.
    * Choice "Predefined" Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.

Contact Agent At
    Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.
    * Choice "Src *" The PEP will contact the authentication agent at the permission's source.
    * Choice "Dst" The PEP will contact the authentication agent at the permission's destination.
    * Choice "Host" This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection. This option applies to Session Authentication only. See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.

PEP
    Lets you choose the PEP on which the authentication agent is running. This option applies to Session Authentication only.

Query User Identity from UserAuthority
    Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product. See the Check Point(TM) documentation on UserAuthority for more information. This option applies to Session Authentication only.

Apply Rule Only if Desktop Configuration Options are Verified
    The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule. For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
    Applies to Client Authentication only.
    * Choice "Standard *" When the user signs on, the PEP permits all services to all destination hosts.
    * Choice "Specific" The PEP forces the user to specify each service and destination host to which he or she wants to connect.

Sign On Method
    * Choice "Manual *" The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.
    * Choice "Partially automatic" The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.
    * Choice "Fully automatic" If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.
    * Choice "Agent automatic sign-on" If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.
    * Choice "Single sign-on" The PEP will verify the user name with the UAM server, before deciding whether to allow the connection to continue.

Successful Authentication Tracking
    * Choice "None *" The PEP will not track the sign-on session.
    * Choice "Log" The PEP creates a log of the authentication session.
    * Choice "Alert" The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.

Authorization Timeout
    Indicates the amount of time that a user's connection will be available after he/she performs client authentication.
    * Choice "Indefinite *" The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.
    * Choice "Specific" Lets you enter a specific timeout.

Hours
    Lets you enter the number of hours that a client-authenticated connection will be available.

Minutes
    Lets you enter the number of minutes that a client-authenticated connection will be available.

Refreshable Timeout
    Indicates if the timeout countdown restarts upon each new connection. For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.

Number of Sessions Allowed
    Indicates the number of connections the user can make in a single client authentication session.

Number of Sessions
    Lets you enter the number of sessions.
12.9.1. flowListIn

mugpep1_flow
mugpep2_flow

12.9.2. flowListOut

pepmug1_flow
pepmug2_flow

12.9.3. flowListExternal

sessionAuth_flow
13.1. Description

Note
    Allows you to enter a description of the current PEP.
General Options

Managed
    Indicates that no filters will be produced for this Cluster. The Cluster icon will be displayed with a red slash to identify it as unmanaged.

Apply Flow To/From PEP on Relevant Interfaces Only
    Enables you to choose how the PEPs in the Cluster apply flows to their various interfaces.
    * Choice "Yes *" Limits an authorized flow, having the PEP as its destination, so that incoming packets through an interface cannot reach any other interface.
    * Choice "No" Enables an authorized flow, having the PEP as its destination, to reach all interfaces of the PEP.
    This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.

Has IPSec Module
    * Choice "Yes" Indicates that the device supports the IPSec module for VPNs.
    * Choice "No" Indicates that the device does not support IPSec.

Enforce Time Filtering
    Specifies whether the PEPs in the Cluster are to perform time filtering. This option is only available on PEPs that are capable of performing time filtering. For further information on Time Filtering, see the SCM User Guide.

Generate NAT Rules
    * Choice "Yes *" NAT rules are generated by the compiler and included in the filters. A warning message is displayed if any of the PEPs in the cluster cannot implement the rules.
    * Choice "Comment" NAT rules are written to the filters file as comments and ignored by the upload module.
    * Choice "No" NAT rules are not generated.
    At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the devices without changing the existing NAT rules (if these exist). This is important because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler will take the NAT rules into account to generate the filters for the PEPs beyond the NAT application point.

Check Point Suite Type
    Indicates which Check Point(TM) product you use. This should match the version you installed.

VSX Type
    Lets you choose the type of VSX device.
    * Choice "Cluster *" The VSX device will be a VSX cluster.
    * Choice "Virtual System" The VSX device will be a virtual system.
Security Profile

    * Choice "No Filtering" Disables filtering, and reduces security on this PEP to zero.

Broad Filtering
    Lets you choose to enable faster configurations at the expense of reduced security. You must set Security Level to "Custom Filtering" to use this option.
    * Choice "Disabled *" Indicates that filtering is not broadened, and security is at its highest level.
    * Choice "By Address" Reveals the Replace Address view, which lets you configure broad filtering by address.
    * Choice "By Service" Reveals the Replace Service view, which lets you configure broad filtering by service.
'Securing PEP' rules
    * Choice "Yes *" Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
    * Choice "No" Permits access to the PEP's interface addresses.

Suppress 'Internet Restriction'
    Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
    * Choice "Yes *" Any permission you draw to/from Internet causes the compiler to implicitly generate all necessary denies to prevent permissions to/from all other internal addresses.
    * Choice "No" Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
    Attention: This option should be modified by an expert user only.

Expand Internet
    This option is an optimization that controls how SCM Server defines the Internet object. This option can create very finely-tuned filters, but at the price of increased size.
    * Choice "Yes" SCM Server will use a more precise, "expanded" definition of Internet. It defines the Internet as "all addresses outside the internal networks". This creates very fine, but slower, filters.
    * Choice "No *" SCM Server will define Internet as "Any". The generated filters are thus faster, but less secure.

Default Rule
    Lets you change the default rule on this device. By default SCM Server will write a "deny all" rule at the end of a device's configuration. With this option, you have the possibility to change this behavior: SCM Server will not write a default "deny all" rule, and, on this device, all access that is not explicitly denied will be allowed.
    * Choice "Policy Default *" Uses the value defined in the Tools > Properties for the Current Policy window.
    * Choice "Deny" Keeps the standard behavior. Every access that is not defined is not allowed on this device.
    * Choice "Allow" Lets you easily define policies where the goal is to prohibit a set of given protocols in the network. If you choose the "Allow" option, make sure that you explicitly deny every access point that you want to close, or make sure that you have another device in series that denies everything by default.

Generate Anti-Spoofing
    Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
    * Choice "Yes *" The PEP will generate anti-spoofing rules.
    * Choice "No" The PEP will not generate anti-spoofing rules.
    * Choice "Unmanaged" Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter will not be changed by the upload.

Spoof Tracking
    Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
    * Choice "None *"
    * Choice "Log"
    * Choice "Alert"
    * Choice "Disabled" Disables the anti-spoofing option.

Enable Extended Cluster Anti-Spoofing
    When a cluster member communicates with another cluster member, the packets may pass from the source member's external interface, through the external (virtual) cluster interface, to the external interface of the destination cluster member. This could allow an address spoofing attack. Extended cluster anti-spoofing prevents this attack by allowing the cluster member to accept packets that actually originate on a cluster member, and reject spoofed packets that originate in the Internet. The cluster member does this by giving packets that it sends to another member a TTL (Time to live) of 255 (the highest possible value).
    * Choice "Yes *" Enables extended cluster anti-spoofing.
    * Choice "No" Disables extended cluster anti-spoofing.
Replace Address

Use this view to set a limit on the optimizations SCM Server makes on addresses. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network" Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any" Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
Replace Service
Use this view to set a limit on the optimizations SCM Server makes on services. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the Security Profile view, you can use the current view to put constraints on this optimization.
Replace Service: This is an optimization that enlarges the service of a permission. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
  * Choice "No *": Will not enlarge services. This option maintains the highest level of security.
  * Choice "by TCP": Replaces TCP permissions by TCP.
  * Choice "by UDP": Replaces UDP permissions by UDP.
  * Choice "by TCP and UDP": Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
  * Choice "by IP": Replaces permissions by IP.
  * Choice "by Any": Replaces all permissions by Any.
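The Replace Address and Replace Service views above both trade precision for a smaller rule set, and the manual warns that the result admits more than the policy specifies. The following added example (not code from the manual, SCM Server or Check Point) models both optimizations so the over-reach can be measured: address replacement by a user-supplied netmask with an optional topology cap, and the service-replacement choices listed above. The service catalogue, the address lists and the origin network are constructed inputs; the netmask form of "10.10.*" is taken to be a /16.

```python
import ipaddress

# Constructed service catalogue (not from the manual): service name -> (protocol, port).
SERVICES = {
    "ftp":  ("tcp", 21),
    "http": ("tcp", 80),
    "dns":  ("udp", 53),
    "icmp": ("icmp", None),
}


def broaden_addresses(addrs, prefix_len, origin=None):
    """Model of "Replace Source/Destination by Netmaskable Network".

    The permission's individual addresses are replaced by the single block of
    the given prefix length (the Source/Destination Network Netmask field)
    that contains all of them. With the topology restriction, "origin" is the
    network the permission comes from in the policy map and the block never
    grows beyond it. Returns (block, number of extra addresses admitted).
    """
    ips = [ipaddress.ip_address(a) for a in addrs]
    block = ipaddress.ip_network(f"{ips[0]}/{prefix_len}", strict=False)
    if not all(ip in block for ip in ips):
        raise ValueError("netmask does not cover every address; no replacement possible")
    if origin is not None:
        origin_net = ipaddress.ip_network(origin)
        if block.supernet_of(origin_net):
            block = origin_net
    return block, block.num_addresses - len(set(ips))


def broaden_services(names, mode):
    """Model of the "Replace Service" choices.

    Returns the set of (protocol, port) permissions that would be generated;
    a port of None means "any port". Permissions that a mode does not cover
    (e.g. a UDP service under "by TCP") are kept unchanged.
    """
    perms = {SERVICES[n] for n in names}
    if mode == "No":
        return perms
    out = set()
    for proto, port in perms:
        if mode == "by Any":
            out.add(("any", None))
        elif mode == "by IP":
            out.add(("ip", None))
        elif mode == "by TCP and UDP" and proto in ("tcp", "udp"):
            out.update({("tcp", None), ("udp", None)})
        elif mode == "by TCP" and proto == "tcp":
            out.add(("tcp", None))
        elif mode == "by UDP" and proto == "udp":
            out.add(("udp", None))
        else:
            out.add((proto, port))
    return out


if __name__ == "__main__":
    hosts = ["10.10.1.1", "10.10.2.2"]          # the manual's own example
    print(broaden_addresses(hosts, 16))          # 10.10.0.0/16, 65534 extra addresses
    print(broaden_addresses(hosts, 16, origin="10.10.0.0/22"))  # capped by topology
    print(sorted(broaden_services({"ftp", "http"}, "by TCP")))
    print(sorted(broaden_services({"ftp", "dns", "icmp"}, "by TCP")))
```

The count returned by broaden_addresses is the practical check to run before enabling the optimization on a PEP: it is the number of addresses the generated rule permits that the policy never listed, and the manual's advice to rely on a tighter PEP on the same path only holds if that second PEP actually exists.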
13.2.2. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Authentication
RADIUS: Indicates if the PEP will prompt the user to answer the RADIUS question during authentication. The question is defined on a RADIUS server.
TACACS: Indicates if the PEP will prompt the user to answer the TACACS question during authentication. The question is defined on a TACACS or TACACS+ server.
OS Password: Indicates if the PEP will prompt the user to enter his/her operating system password during authentication.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
Authentication Settings
Use this view to configure how the PEP behaves during authentication sessions.
Check Point(TM) FireWall-1(R) NG Cluster properties: General options: Authentication: Authentication settings view.
User Authentication Session Timeout (min): Indicates the number of minutes after which the PEP closes the authentication session.
Enable wait mode for Client Authentication: If the user opens an authentication session over telnet on port 259, this option indicates whether the PEP keeps the telnet session open during the time the authentication session is open. If you select this option, the PEP will close the authentication session when the telnet session closes. If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.
Authentication Failure Track: Indicates how the PEP will react to errors during authentication.
  * Choice "None *": The PEP will not inform the user of errors.
  * Choice "Log": The PEP will log errors.
  * Choice "Popup Alert": The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards reference it from SCM Server.
  * Choice "Mail Alert": The PEP will send an email of the error.
  * Choice "SNMP Trap Alert": The PEP will send an SNMP alert.
  * Choice "User defined alert no. n": The PEP will send a user-defined alert; you can define alerts once using the Check Point(TM) FireWall-1(R) software, and afterwards reference them from SCM Server.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
Cluster Options
Availability Parameters
Operation Mode:
  * Choice "Load Sharing": Expands the performance capability of VPN deployments by distributing traffic between multiple gateways. Up to five gateways may be added to a cluster.
3rd Party Solution: Use this option to select the 3rd-party solution that will perform the clustering.
Support non-sticky connections: Use this option to indicate which mechanism will identify non-sticky connections. Non-sticky connections are those where packets do not pass through the same cluster member on their way in and out of the cluster. You should activate this option when your 3rd-party clustering solution does not support non-sticky connections.
  * Choice "No *": Indicates that the cluster's synchronization mechanism will not recognize non-sticky connections. Use this option if your 3rd-party clustering solution supports non-sticky connections.
  * Choice "Yes": Indicates that the cluster's synchronization mechanism will recognize non-sticky connections. Use this option if your 3rd-party clustering solution does not support non-sticky connections.
Hide Cluster Member's outgoing traffic behind the Cluster's IP Address: Use this option to indicate whether the source IP address of outgoing packets will be the external virtual IP address of the cluster instead of the physical IP address of the cluster member.
Forward Cluster's incoming traffic to Cluster Member's IP Addresses: Use this option to indicate whether the destination IP address of incoming connections to the external virtual address of the cluster will be replaced with the physical external address of one of the cluster members.
Indicates the cluster's High Availability mode. See the Check Point documentation about ClusterXL High Availability for a description of the High Availability modes.
Upon Gateway Recovery: Indicates what the cluster will do when its active PEP recovers after a secondary PEP has already taken its place.
  * Choice "Maintain Active *": Indicates that the secondary PEP will remain active, even though the primary PEP has recovered.
  * Choice "Switch to Higher Priority": Indicates that the cluster will give the active role back to the primary PEP.
Indicates how the cluster will distribute traffic among the cluster members.
  * Choice "Multicast Mode": The cluster will distribute traffic using multicast.
  * Choice "Unicast Mode": The cluster will distribute traffic to each cluster member individually. This mode is useful if some cluster member PEPs don't support multicast.
Base Shared Method: Indicates how the cluster will decide how to share packets among the cluster members.
  * Choice "IPs, Ports, SPIs *": The cluster will distribute packets based on IPs, ports and IPSec SPIs.
  * Choice "IPs, Ports": The cluster will distribute packets based on IPs and ports only. This increases the chance that inbound and outbound connections will use the same cluster member.
  * Choice "IPs": The cluster distributes packets based on IPs only. This yields the highest chance that inbound and outbound connections will use the same cluster member.
  See the Check Point(TM) documentation on Advanced Load Sharing Configuration for more information.
Fail Over Tracking: Lets you select how the cluster will track failover events.
  * Choice "None": The cluster will not track failover events.
  * Choice "Log *": The cluster will enter failover events in its SmartView Tracker log.
  * Choice "Alert": The cluster will open a popup window upon failover.
  * Choice "Mail": The cluster will send an email upon failover. You can specify the recipient's address on the Check Point SmartDashboard in the Policy > Global Properties > Log and Alert > Alert Commands view.
  * Choice "SNMP Trap": The cluster will send an SNMP trap upon failover.
  * Choice "User Alert": The cluster will execute a user-defined script upon failover. You can define this script on the Check Point SmartDashboard in the Policy > Global Properties > Log and Alert > Alert Commands view.
  * Choice "User Alert 2": The cluster will execute a user-defined script upon failover.
  * Choice "User Alert 3": The cluster will execute a user-defined script upon failover.
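Why the Base Shared Method choices differ in "stickiness" is easiest to see with a small model. The following is an added example, not the cluster's real algorithm and not code from the manual: it keys each packet on the fields the three choices name, hashes the key with zlib.crc32 as a stand-in for whatever the cluster uses, and picks a member by modulo. Endpoints are sorted so that a reply keys like its request. The IPsec case matters because each direction of a tunnel is a separate security association with its own SPI, so a key that includes the SPI differs between the two directions of the same tunnel. Member names and sample packets are constructed.

```python
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    spi: Optional[int] = None   # IPsec SPI when the packet is ESP/AH encapsulated


def flow_key(pkt, method):
    """Direction-independent key for each "Base Shared Method" choice.

    Endpoints are sorted so a reply (src/dst swapped) keys the same as the
    request it answers, as far as the selected fields allow.
    """
    endpoints = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    if method == "IPs":
        parts = [addr for addr, _ in endpoints]
    elif method == "IPs, Ports":
        parts = [f"{addr}:{port}" for addr, port in endpoints]
    elif method == "IPs, Ports, SPIs":
        parts = [f"{addr}:{port}" for addr, port in endpoints]
        parts.append(f"spi={pkt.spi}")   # per-direction value: splits a tunnel
    else:
        raise ValueError(f"unknown sharing method: {method}")
    return "|".join(parts)


def select_member(pkt, method, members):
    """Hash the flow key (crc32 stands in for the cluster's hash) and pick a member."""
    return members[zlib.crc32(flow_key(pkt, method).encode()) % len(members)]


def sticky(method, out_pkt, in_pkt, members):
    """True when both directions of a connection land on the same member."""
    return select_member(out_pkt, method, members) == select_member(in_pkt, method, members)


# Constructed cluster and traffic: one TCP connection and one IPsec tunnel,
# each seen in both directions. ESP carries no ports, modelled here as 0.
MEMBERS = ["member-1", "member-2", "member-3"]
TCP_OUT = Packet("10.10.1.5", "198.51.100.7", 40000, 443)
TCP_IN = Packet("198.51.100.7", "10.10.1.5", 443, 40000)
ESP_OUT = Packet("203.0.113.1", "198.51.100.9", 0, 0, spi=0x1001)
ESP_IN = Packet("198.51.100.9", "203.0.113.1", 0, 0, spi=0x2002)  # inbound SA, own SPI

if __name__ == "__main__":
    for method in ("IPs", "IPs, Ports", "IPs, Ports, SPIs"):
        print(f"{method:18s} tcp sticky={sticky(method, TCP_OUT, TCP_IN, MEMBERS)} "
              f"esp sticky={sticky(method, ESP_OUT, ESP_IN, MEMBERS)}")
```

For plain TCP all three methods keep both directions on one member, because the sorted endpoints are identical either way. For the tunnel, the SPI method produces two different keys, so the two directions are only on the same member by hash coincidence; that is the situation in which "IPs, Ports" or "IPs" raises the chance of a sticky connection, at the cost of spreading load less evenly.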
13.3.2. Synchronization
Use this view to manage how the cluster keeps its PEPs synchronized.
Use State Synchronization: Indicates if the cluster will use state synchronization. State synchronization coordinates state information about packets travelling through different PEPs in the cluster. You cannot change this option if you have set Cluster Options > Availability Parameters > Operation Mode to "Load Sharing". If you have set Cluster Options > Availability Parameters > Operation Mode to "High Availability", you can choose to turn off state synchronization; in this case connections will be lost upon failover.
Synchronization Networks
Use this view to manage the networks the cluster uses to keep its member PEPs synchronized.
  * Choice "None *": Disables logging.
  * Choice "Default": Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type. Note: Some PEPs allow selection of different log levels.
Interface Options
The filters will be generated for the packets leaving the interface.
  * Choice "Both Directions if Possible": SCM Server will choose the application point with respect to the PEP capabilities and the PEP options settings.
Allow Forwarding: Indicates if this device will perform forwarding. Enable this option to allow the device to forward packets.
  * Choice "Yes": Indicates that Policy Learning Mode is enabled on this interface.
  * Choice "No *": Indicates that Policy Learning Mode is disabled on this interface.
Log Level for Deny Rules:
  * Choice "None *": Disables logging.
  * Choice "Default": Triggers the logging of any IP packet matching a deny rule, to the default log level of each PEP type.
Managed:
  * Choice "Yes *": Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
  * Choice "No": Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.
Allow Forwarding: Indicates if this interface will perform forwarding. Enable this option to allow the interface to forward packets.
Application Point:
  * Choice "Incoming *": Only incoming filters will be applied.
  * Choice "Outgoing": Only outgoing filters will be applied.
  * Choice "Device Default": Incoming/outgoing filters are applied according to the value specified in the Interfaces: Options View.
  * Choice "Both Directions if Possible": SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.
Interface is external (leads out to the Internet): Specifies that the interface leads to the Internet. This means that IP addresses behind this interface will not be counted in the license enforcement.
Security Profile
Spoof Tracking:
  * Choice "None *"
  * Choice "Log"
  * Choice "Alert"
  * Choice "Disabled": Disables the anti-spoofing option.
Replace Address
Use this view to set a limit on the optimizations SCM Server makes on addresses, on a single interface only. SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.
Replace Source: This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
  * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
  * Choice "by Any": Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.
  In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Source Network Netmask: Allows you to enter the netmask to apply to source permissions.
Restrict Source Replacement to Topology: When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.
Replace Destination: This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level. To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view. Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
  * Choice "by Netmaskable Network": Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
  * Choice "by Any": Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.
  In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Destination Network Netmask: Allows you to enter the netmask to apply to destination permissions.
Restrict Destination Replacement to Topology: When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
Replace Service
Use this view to set a limit on the optimizations SCM Server makes on services, on a single interface only. SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.
Replace Service: This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
  * Choice "No *": Will not enlarge services. This option maintains the highest level of security.
  * Choice "by TCP": Replaces TCP permissions by TCP.
  * Choice "by UDP": Replaces UDP permissions by UDP.
  * Choice "by TCP and UDP": Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
  * Choice "by IP": Replaces permissions by IP.
  * Choice "by Any": Replaces all permissions by Any.
13.6.2. IP Addresses
Use this view to set the interface's IP addresses.
Static IP Addresses
Use this section to configure the interface's static IP addresses.
Interface IP Addresses: Specifies the static IP address of the interface.
Specifies the pool of IP addresses from which the interface will get its IP address.
IP Addresses
Use this view to configure the interface's IP addresses.
Use Dynamic Addresses: Specifies whether this interface will have static or dynamic IP addresses.
Dynamic Addresses from: Indicates the range from which the PEP can pick an IP address to assign to the interface.
  * Choice "Network": The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
  * Choice "Any": The PEP can assign any IP address to the interface.
  * Choice "User defined pool": The PEP can assign any address from the pool that you define in the Interface View.
DHCP Server: Indicates the range from which the PEP can pick an IP address to assign to the interface.
  * Choice "Network": The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
  * Choice "Any": The PEP can assign any IP address to the interface.
  * Choice "User defined pool": The PEP can assign any address from the pool that you define in the Interface View.
Resolve IP Address Using: When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.
  * Choice "PEP FQDN": To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties > General Options" view.
  * Choice "Interface Specific FQDN": To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.
  * Choice "Prompt IP Address": SCM Server will prompt the user for the interface's IP address at the moment of upload.
Interface FQDN: Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.
IPSec Capabilities
Indicates that the RSA-Signature method is enabled when the device performs key exchange.
SHA-1 Hash Enabled: Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.
MD5 Hash Enabled: Indicates that the MD5 algorithm is enabled when the device performs key exchange.
DH Group 1 Enabled: Indicates that Diffie-Hellman group 1 is enabled when the device performs key exchange.
DH Group 2 Enabled: Indicates that Diffie-Hellman group 2 is enabled when the device performs key exchange.
DH Group 5 Enabled: Indicates that Diffie-Hellman group 5 is enabled when the device performs key exchange.
(minutes): Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 15 minutes.
Set Optional Office Mode Parameters: Allows you to set additional options for the user group pool, such as DNS and WINS addresses.
Primary DNS: Enter the address of the primary DNS server for the remote users.
First Backup DNS: Enter the address of the first backup DNS server for the remote users.
Second Backup DNS: Enter the address of the secondary backup DNS server for the remote users.
Primary WINS: Enter the address of the primary WINS server for the remote users.
First Backup WINS: Enter the address of the first backup WINS server for the remote users.
Second Backup WINS: Enter the address of the secondary backup WINS server for the remote users.
Domain Name: Enter the domain name of the remote users. This should match your internal network's domain.
Perform an organized shutdown of tunnels upon gateway restart: Allows the PEP to keep an authentication session open with a remote access VPN client even if the PEP restarts.
Perform anti-spoofing on pool addresses: Indicates that the PEP will perform anti-spoofing on all pool addresses.
Support connectivity enhancement for gateways with multiple external interfaces: Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.
Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.
  * Choice "No *": Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.
  * Choice "Comment": SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.
Auto Generate Tunnel IP Address: Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces. You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.
IP Address: Lets you manually enter an IP address for the tunnel.
Netmask: For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.
Support NAT-Traversal: Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.
NAT-Traversal Service: Defines the service to use if you allow IPSec over UDP.
Tunnel: Lets you choose whether to use split tunneling.
  * Choice "Only Trust Zone *": If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.
  * Choice "Everything": Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.
  * Choice "Everything except local addresses": Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.
13.8.1. Interface
Use this view to select the interfaces to which the tunnel can connect.
Interface: Lets you select the interfaces to which the tunnel can connect.
authentication agent when validating a user's attempt to connect.
  * Choice "Src *": The PEP will contact the authentication agent at the permission's source.
  * Choice "Dst": The PEP will contact the authentication agent at the permission's destination.
  * Choice "Host": This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection. This option applies to Session Authentication only. See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.
PEP: Lets you choose the PEP on which the authentication agent is running. This option applies to Session Authentication only.
Query User Identity from UserAuthority: Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product. See the Check Point(TM) documentation on UserAuthority for more information. This option applies to Session Authentication only.
Apply Rule Only if Desktop Configuration Options are Verified: The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule. For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
Required Sign On: Applies to Client Authentication only.
  * Choice "Standard *": When the user signs on, the PEP permits all services to all destination hosts.
  * Choice "Specific": The PEP forces the user to specify each service and destination host to which he or she wants to connect.
Sign On Method:
  * Choice "Manual *": The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.
  * Choice "Partially automatic": The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.
  * Choice "Fully automatic": If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.
  * Choice "Agent automatic sign-on": If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.
  * Choice "Single sign-on": The PEP will verify the user name with the UAM server before deciding whether to allow the connection to continue.
Successful Authentication Tracking:
  * Choice "None *": The PEP will not track the sign-on session.
  * Choice "Log": The PEP creates a log of the authentication session.
  * Choice "Alert": The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.
Authorization Timeout: Indicates the amount of time that a user's connection will be available after he/she performs client authentication.
  * Choice "Indefinite *": The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.
  * Choice "Specific": Lets you enter a specific timeout.
Hours: Lets you enter the number of hours that a client-authenticated connection will be available.
Minutes: Lets you enter the number of minutes that a client-authenticated connection will be available.
Refreshable Timeout: Indicates if the timeout countdown restarts upon each new connection. For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.
Number of Sessions Allowed: Indicates the number of connections the user can make in a single client authentication session.
Number of Sessions: Lets you enter the number of sessions.
13.9.1. flowListIn
mugpep1_flow
mugpep2_flow
13.9.2. flowListOut
pepmug1_flow
pepmug2_flow
13.9.3. flowListExternal
sessionAuth_flow
14.1. Description
Note
Include Policy
Result in Case Hidden Rules are Detected: Indicates the type of message that SCM Server will generate if it encounters hidden rules.
Is the management server a Check Point GX?: Specifies whether the Management Server is a Check Point GX or not. Ticking the "Yes" radio button adds a "GTP Services" sub-node to the "General Options" node.
  * Choice "Select": Lets you choose the HTTP proxy server from those defined in your policy map.
HTTP Servers
Use this view to configure how the PEP redirects connections to an HTTP security server.
HTTP Server
Reauthentication:
  * Choice "Standard *": The PEP will not ask the user to reenter his/her password as long as the User Authentication Session Timeout has not expired. This value is specified in the PEP Properties > General Options > Authentication > Authentication Settings view.
  * Choice "POST request": The PEP will ask the user to reenter his/her password each time the user sends a request that may change the server's configuration. This option only has an effect on S/Key or SecurID passwords, which change continually.
  * Choice "Every request": The PEP will ask the user to reenter his/her password each time the user sends any request. This option only has an effect on S/Key or SecurID passwords, which change continually.
Host: The host name of the HTTP server.
Port: The HTTP server's port number.
Server For Null Request: Indicates if the PEP will convert addresses given as "http://<PEP-name>" to "/" before sending them to the HTTP server.
14.2.3. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Indicates the number of times the user can fail to identify him/herself before the PEP will terminate an rlogin connection.
Indicates the number of times the user can fail to identify him/herself before the PEP will terminate a telnet connection.
Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the client authentication connection.
Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the session connection.
Enable wait mode for Client Authentication: If the user opens an authentication session over telnet on port 259, this option indicates whether the PEP keeps the telnet session open during the time the authentication session is open. If you select this option, the PEP will close the authentication session when the telnet session closes. If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.
Authentication Failure Track: Indicates how the PEP will react to errors during authentication.
  * Choice "None": The PEP will not inform the user of errors.
  * Choice "Log": The PEP will log errors.
  * Choice "Alert": The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards use it in SCM Server.
Option
Accept RIP
  * Choice "No" Specifies that Routing Information Protocol used by the routed daemon is not accepted.
  * Choice "First/Last/Before Last" Specifies that Routing Information Protocol used by the routed daemon is accepted and specifies the position in the Rule Base for the implied rule.

Accept Domain Name Over UDP (Queries)
  * Choice "No" Specifies that Domain Name queries over UDP are not accepted.
  * Choice "First/Last/Before Last" Specifies that Domain Name queries over UDP are accepted and specifies the position in the Rule Base for the implied rule.

Accept Domain Name Over TCP (Zone Transfer)
  * Choice "No" Specifies that Domain Name queries over TCP are not accepted.
  * Choice "First/Last/Before Last" Specifies that Domain Name queries over TCP are accepted and specifies the position in the Rule Base for the implied rule.

Accept ICMP
  * Choice "No" Specifies that Internet Control Messages are not accepted.
  * Choice "First/Last/Before Last" Specifies that Internet Control Messages are accepted and specifies the position in the Rule Base for the implied rule.

Accept Outgoing Packets Originating From Gateway
  * Choice "No" Specifies that outgoing packets (from the firewall, not from the internal network) are not accepted.
  * Choice "First/Last/Before Last" Specifies that all outgoing packets (from the firewall, not from the internal network) are accepted and specifies the position in the Rule Base for the implied rule.

Accept CPRID Connections (SmartUpdate)
  * Choice "No" Specifies that CPRID Connections are not accepted.
  * Choice "First" Specifies that they are accepted.

Accept Dynamic Address Modules' DHCP Traffic
  * Choice "No" Specifies that Dynamic Address Module DHCP traffic is not accepted.
  * Choice "First" Specifies that it is accepted.
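The "First", "Before Last" and "Last" choices above decide where each implied rule is merged into the Rule Base, and therefore whether an explicit rule can ever override it. The following Python model is an added example written for this page; it is not code from the manual, from LogLogic or from Check Point. The rule base, the Global Properties settings and the function names (build_rule_base, first_match, shadowed_implied_rules) are constructed for illustration. It shows that an implied rule placed "First" wins over an explicit drop of the same service, that "Before Last" sits just ahead of the cleanup rule, and that "Last" is never reached when an explicit "any drop" cleanup rule exists.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    service: str      # service name, or "any"
    action: str       # "accept" or "drop"
    implied: bool = False


# Constructed explicit rule base; the last rule is the usual cleanup rule.
EXPLICIT_RULES: List[Rule] = [
    Rule("Block DNS queries", "dns-udp", "drop"),
    Rule("Allow web", "http", "accept"),
    Rule("Cleanup", "any", "drop"),
]

# Constructed Global Properties settings, one entry per implied rule, using the
# positions offered by the view: "No", "First", "Before Last" or "Last".
IMPLIED_SETTINGS: Dict[str, str] = {
    "dns-udp": "First",
    "rip": "Before Last",
    "icmp": "Last",
    "dns-tcp": "No",
}

VALID_POSITIONS = {"No", "First", "Before Last", "Last"}


def build_rule_base(explicit: List[Rule], implied: Dict[str, str]) -> List[Rule]:
    """Merge implied accept rules into the explicit rule base at their positions."""
    for svc, pos in implied.items():
        if pos not in VALID_POSITIONS:
            raise ValueError(f"unknown position {pos!r} for implied rule {svc}")

    def at(position: str) -> List[Rule]:
        return [Rule(f"Implied accept {svc}", svc, "accept", True)
                for svc, pos in implied.items() if pos == position]

    if not explicit:
        return at("First") + at("Before Last") + at("Last")
    # "Before Last" goes ahead of the final explicit rule (normally the cleanup rule);
    # "Last" goes after everything, including the cleanup rule.
    return at("First") + explicit[:-1] + at("Before Last") + explicit[-1:] + at("Last")


def first_match(rule_base: List[Rule], service: str) -> Optional[Rule]:
    """First-match semantics: the first rule whose service matches decides."""
    for rule in rule_base:
        if rule.service in ("any", service):
            return rule
    return None


def decision(service: str, explicit: List[Rule] = EXPLICIT_RULES,
             implied: Dict[str, str] = IMPLIED_SETTINGS) -> str:
    rule = first_match(build_rule_base(explicit, implied), service)
    return f"{rule.action} by {rule.name}" if rule else "no match"


def shadowed_implied_rules(explicit: List[Rule], implied: Dict[str, str]) -> List[str]:
    """Implied rules that can never match because an earlier rule already covers them."""
    rule_base = build_rule_base(explicit, implied)
    shadowed = []
    for index, rule in enumerate(rule_base):
        if rule.implied and any(r.service in ("any", rule.service)
                                for r in rule_base[:index]):
            shadowed.append(rule.name)
    return shadowed


if __name__ == "__main__":
    for rule in build_rule_base(EXPLICIT_RULES, IMPLIED_SETTINGS):
        print(f"{'implied ' if rule.implied else 'explicit'} {rule.name:24} {rule.service:8} {rule.action}")
    for svc in ("dns-udp", "rip", "icmp", "dns-tcp", "http"):
        print(f"{svc:8} -> {decision(svc)}")
    print("shadowed:", shadowed_implied_rules(EXPLICIT_RULES, IMPLIED_SETTINGS))
```

When reviewing a Check Point policy, shadowed_implied_rules points at "Last" implied rules that the cleanup rule makes dead, and decision shows why an explicit drop of DNS queries has no effect while "Accept Domain Name Over UDP" is set to "First".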
14.2.5. VPN
Use this view to examine and modify Management Server VPN.

Resolving Mechanism
  VPN peers must select a particular interface if a PEP has more than one interface through which a VPN tunnel can be created. Use this option to choose the method the PEP will use to select this interface.
  * Choice "Calculate Statically *" According to the Gateway topology settings.
  * Choice "Dynamic Interface Resolving" By sending RDP packets to both interfaces and choosing the first to respond.
Remote Access
Use this view to examine and modify Management Server remote access.

Support remote access VPN using Nokia clients
  Indicates that the PEP will allow Nokia clients to par-
  Indicates how traffic will be treated when the SecuRemote/SecureClient is not connected to the PEP.
  * Choice "Dropped *" The traffic will be dropped.
  * Choice "Sent in clear" The traffic will be sent in the clear.

Resolving Mechanism
  Indicates how the remote client should choose the PEP interface over which to mount the tunnel.
  * Choice "Calculate Statically *" The client will use the interface defined in the PEP's topology.
  * Choice "Dynamic Interface Resolving" The client will send RDP packets to the available interfaces and mount the tunnel with the interface that responds first.

Update Topology
  Indicates if the PEP will send the remote client updates of the topology behind the PEP. This allows the client to be aware of changes.

Authentication Timeout (min)
  Indicates the amount of time that the remote client's password is valid. Enter a value in minutes.

Allow Caching of static passwords on client
  Indicates if the remote client stores its password in cache after authenticating with the PEP. This is useful when the remote client uses the same password for multiple PEPs. If you set this option, the PEP will read the remote client's password directly from the client's cache rather than asking the user to enter it.

  Set this option to enable the PEP to re-initiate a tunnel that has already been authenticated, if the tunnel times out. This requires the remote client's details to be stored on all the devices between the PEP and the remote client.

Encrypt DNS traffic
  Indicates if the remote client's DNS queries are sent through the tunnel.

Enable Hybrid Mode Authentication
  Indicates if the PEP will allow other authentication schemes than those specified in this view.
Certificates
Use this view to configure how the Management Server handles user certificates.

Client check gateway cert against CRL
  Indicates if the remote client checks the Certificate Revocation List (CRL) upon validation.

Renew users internal CA certificates
  Indicates if the Management Server's Internal Certificate Authority (ICA) will automatically re-issue certificates before they expire. The ICA's user certificates are valid for two years.

Renewal starting process delay
  Enter the time before the certificate expiration date at which the ICA will re-issue a user's certificate. Enter a value in days.
Configuration Violation Notification

Use this view to set how the PEP will log the failure when a remote client fails the Secure Configuration Verification test.

Generate log on client
  Indicates if the failure will be logged on the remote client.

Notify the user
  Indicates if the user will receive a notification.
GTP Service
GTP Service
  Type in the name of the GTP Service.

GTP Service Name
  Select an existing service to customize from a list displaying all customized GTP services.

GTP Version
  Select the GTP version.
  * Choice "GTP version 0"
  * Choice "GTP version 1"

Match IMSI Prefix Name
  * Choice "Any *"
  * Choice "Custom" Tick this radio button to define a custom IMSI prefix (an "Allowed IMSI Prefix" free-form field will appear to let you do so).

Allowed IMSI Prefix
  Type in your custom IMSI Prefix.

Match Access Point Name
  * Choice "Any *"
  * Choice "Custom" Tick this radio button to define a custom Access Point name (an "Allowed Access Point Name" free-form field will appear to let you do so).

Allowed Access Point Name
  Type in your custom Access Point Name.

Allowed Selection Mode Name
  * Choice "Any *"
  * Choice "Custom" Tick this radio button to specify the Selection Mode.

Selection Mode
  Use the pull-down menu to choose the Selection Mode.
  * Choice "0 - verified *"
  * Choice "1 - MS - not verified"
  * Choice "2 - Network - not verified"

Match MS-ISDN Prefix Name
  * Choice "Any"
  * Choice "Custom" Tick this radio button to define a custom MS-ISDN Prefix Name (an "MS-ISDN Prefix Name" free-form field will appear to let you do so).

MS-ISDN Prefix Name
  Type in your custom MS-ISDN Prefix Name.

Match LDAP Group Name
  * Choice "Any"
  * Choice "Custom" Tick this radio button to define the User Group name and the matching criteria, i.e. IMSI* or MS-ISDN.

Allowed LDAP Group Name
  Type in the LDAP Group Name.

according to
  Choose the matching criteria of the LDAP Group Name, i.e. IMSI* or MS-ISDN.

Allow Usage of Static IP Addresses
  Choose whether the PEP's interfaces should use static IP addresses or not.
14.2.7. Import
Import Host as
  Indicates how to import a CheckPoint host, i.e. as a nexus, a class or an unknown device.
  * Choice "Class" The CheckPoint host will be imported as a Class (that is to say, as an IP address container).

Auto-Connect Objects
  Indicates if the auto-connect must be performed at the end of the import process.

Import Disabled Rules
  Indicates if disabled rules are imported.

Import Section Titles in Notes
  Indicates that rule section titles are imported into the permission note.

Import Rule Details in Notes (verbose)
  Indicates that verbose details are imported into the permission note: (index, action, service, source, destination, policy target). The local import completes the rule detail with the rule UID.
  Specifies the OPSEC debug level. This value is not saved in any project version.

Session Time Out (ms)
  If this number of milliseconds elapses between a SCM Server request and the management server's response, the session is dropped.

Full Path to SmartDashboard directory
  Lets you enter the path to the SmartDashboard directory.
14.3.2. Paths
Use this view to set the Check Point(TM) FireWall-1(R) installation directory.
14.3.3. Authentication
Use this view to record the username and password for management servers that need to be connected prior to giving access to the configuration account. This username and password must link to an account that can be used through the SSH connection. The Root Password is never used on the management server. To log in as root, set User Name to "root" and set User Password to root's password.

Use session credentials for user (login, password)
  Activates the user authentication on the PEP from the credentials (login, password) of the user currently logged in to SCM Server. Note that both the "User Login" and "User Password" options will be ignored although they are still displayed in the view.

Use session credentials for root (login, password)
  Activates the super-user authentication (for privileged mode) on the PEP from the credentials (login, password) of the user currently logged in to SCM Server. Note that both the "Enable Login" and "Enable Password" options will be ignored although they are still displayed in the view.

User Login
  Allows you to record the username that will be used on the management server to copy, compile and upload the security policy. The user must have the privilege to copy files into $FWDIR/conf and to execute the command $FWDIR/bin/fw. This user name is used to make the SSH connection to the management server and may be different from the name used to connect to the management server from the Check Point(TM) FireWall-1(R) Policy Editor.

  The root password is needed when you want to be connected as root, but the SSH server installation prevents you from connecting directly as root. Using the root password, SCM Server will first connect to the Management Server using the user login and password and then perform the command "su -", specifying the root password.
14.3.4. Prompts
Use this view to indicate what the management server's prompts look like, which allows SCM Server to interpret them during communication.
15.1. Description
Option Note Description
Index

A
all networks PEP, 24
Anti-Spoofing, 19
Anti-spoofing, 22
Any, 56
Audit Through Report, 56
Authentication, 24
  Client authentication, 24
  Session authentication, 24
  User authentication, 24
Authentication parameters, 43
Authentication Rule
  Create, 43

B
Back-up files, 65

C
CAST-40, 70, 75
Check Point Gateway, 19
Class
  all PEPs, 24
Clear, 27, 32
  procedure, 31
Client-to-Gateway VPN, 67
Clientless VPN, 71
Communicate, 32
Compilation of the security policy, 39
Connections
  PEPs to networks, 55
connections
  Nexus to networks, 55

D
DES-40, 70, 75
Desktop security policy, 70
DHCP server, 70
domain, 63

E
Enable VPN routing, 70

F
Filters
  Upload Preparation, 14
Firewall Features, 3

G
Gateway-to-Gateway VPN, 71
Generation Process, 11, 27
Global Features, 3

H
Hybrid Mode, 70

I
ICMP, 4
Implicit permissions, 69
Import
  perform, 52
Imported/not imported (NG), 46
Include Rules, 64
Installation, 1
Interoperable Default Fields, 18
IP Address range, 16
IPSec/L2TP tunnels, 71

L
LDAP, 66
Licenses, 1
Limitations, 1
  Case Sensitivity, 1
Log, 18

M
Management Server Features, 7
Mapping, 15
  table syntax, 20
Multiple Entry Point VPNs (MEP), 70, 75

N
Naming convention, 21
NAT Features, 5
Non-supported concepts, 63
NP_A, 13
NP_C, 13
NP_E, 13
NP_I, 13
NP_N, 13, 16
NP_O, 23
NP_O_..VFP_.., 13
NP_R, 13
NP_S, 13
NP_T, 13

O
Object
  generated, 12
  nexus, 18
  translated, 12
Object Colors, 14
Office Mode, 70
OPSEC, 27

P
Patch Process, 63
PEP, 18
  Indirectly Managed, 11
Permissions
  deny, 55

R
RADIUS, 66
Remote Access, 68

S
Security Include, 63
Service type, 21
Session Time Out, 38
SIC file, 32
sic_policy.conf, 32
Site-to-site VPN, 73
SmartDashBoard, 66
Specific translated fields, 18
SSL Certification and Encryption, 27, 29
  Procedure, 27
Supported Versions, 1

T
TACACS, 66
Topology
  missing, 54
Translated PEP, 18
Translated service, 20
Transparent mode, 70

U
Upload
  addresses, 51
User Groups, 65

V
VIA property, 48
Visitor Mode, 70
VPN
  Specifics parameters, 68
VPN Features, 6
VPN node, 68
VPN-1 Net, 70