20 March 2012
Administration Guide
Security Management Server R75.40
Classification: [Protected]

© 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13953
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R75.40 home page (http://supportcontent.checkpoint.com/solutions?id=sk67581).

Revision History
Date            Description
20 March 2012   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Security Management Server R75.40 Administration Guide).

Contents

Important Information 3

Security Management Overview 9
    Introduction 9
    Deployments 9
    Glossary 10
    Management Software Blades 10
    Logging In 12
    Authenticating the Administrator 12
    Authenticating the Security Management Server Using its Fingerprint 12
    SmartDashboard Access Modes 12
    Using SmartDashboard 13
    The SmartDashboard User Interface 13
    Objects Tree 14
    Rule Base 18
    Objects List 18
    Identity Awareness 18
    SmartWorkflow 18
    SmartMap 19

Secure Internal Communication (SIC) 19
    The Internal Certificate Authority (ICA) 19
    Initializing the Trust Establishment Process 19
    Testing the SIC Status 20
    Resetting the Trust State 20
    Troubleshooting SIC 20

LDAP and User Directory 22
    The Check Point Solution for LDAP Servers 22
    User Directory Considerations 22
    User Directory Deployment 23
    Enhancements 23
    Account Units 24
    Defining LDAP Account Units 24
    Defining User Directory Server 26
    Account Units and High Availability 26
    Setting High Availability Priority 27
    Authenticating with Certificates 27
    Managing Users on a User Directory Server 27
    User Directory Groups 27
    Distributing Users in Multiple Servers 28
    Retrieving Information from a User Directory Server 28
    Using User Directory Queries 28
    Example of Query 29
    Querying Multiple LDAP Servers 29
    Microsoft Active Directory 29
    Updating the Registry Settings 30
    Delegating Control 30
    Extending the Active Directory Schema 30
    Adding New Attributes to the Active Directory 31
    Netscape LDAP Schema 31
    The User Directory Schema 32
    The Check Point Schema 32
    Schema Checking 32
    OID Proprietary Attributes 32
    User Directory Schema Attributes 33
    User Directory Profiles 40
    Default User Directory Profiles 40
    Modifying User Directory Profiles 40
    Fetch User Information Effectively 41
    Setting User-to-Group Membership Mode 41
    Profile Attributes 42

Managing Users and Administrators Internally 51
    Glossary 51
    SmartDashboard 52
    Users Database 52
    User Templates 52
    Configuring Users 53
    Creating or Changing a User 53
    General Properties 53
    Setting the Expiration Date 54
    Assigning a Permissions Profile 54
    Authentication 55
    Locations 55
    Connection Times 55
    Certificates 55
    Encryption 56
    Managing User Groups 56
    Configuring Administrators 57
    Creating or Changing an Administrator 57
    Configuring General Properties 57
    Setting the Expiration Date 57
    Selecting a Permissions Profile 58
    Administrator Groups 58
    Configuring Authentication 59
    Certificates 59
    Configuring Administrator Groups 59
    Managing User and Administrator Expiration 60
    Working with Expiration Warnings 60
    Configuring Default Expiration Parameters 61
    Working with Permissions Profiles 62
    Creating and Changing Permission Profiles 62
    Managing Permissions Profiles 64

Policy Management 65
    The Need for an Effective Policy Management Tool 65
    Policy Management Overview 66
    Policy Management Considerations 66
    Creating a New Policy Package 66
    Defining the Policy Package's Installation Targets 67
    Adding a Policy to an Existing Policy Package 67
    Adding a Section Title 67
    Configuring a New Query 68
    Intersecting Queries 68
    Querying Objects 69
    Sorting Objects in the Objects List Pane 69
    Policy Packages 69
    File Operations 70
    Installation Targets 70
    Dividing the Rule Base into Sections using Section Titles 71
    Querying Rules 71
    Querying Network Objects 72
    Sorting the Objects Tree and the Objects List Pane 72
    Working with Policies 72
    To Install a Policy Package 73
    To Uninstall a Policy Package 73
    Installing the User Database 74
    Managing Policy Versions 74
    Create a Version 74
    Export and Import a Version 75
    View a Version 75
    Revert to a Previous Version 75
    Delete a Version 75
    Version Configuration 75
    Configure Automatic Deletion 75
    Database Revision Control and Version Upgrade 76
    Version Diagnostics 76
    Manual versus Automatic Version Creation 76
    Backup and Restore the Security Management server 76

SmartMap 77
    Overview of SmartMap 77
    The SmartMap Solution 77
    Working with SmartMap 77
    Enabling and Viewing SmartMap 77
    Adjusting and Customizing SmartMap 78
    Working with Network Objects and Groups in SmartMap 79
    Working with SmartMap Objects 80
    Working with Folders in SmartMap 82
    Integrating SmartMap and the Rule Base 83
    Troubleshooting with SmartMap 84
    Working with SmartMap Output 85

The Internal Certificate Authority 87
    The Need for the ICA 87
    The ICA Solution 87
    Introduction to the ICA 87
    ICA Clients 87
    Certificate Longevity and Statuses 88
    SIC Certificate Management 89
    Gateway VPN Certificate Management 89
    User Certificate Management 89
    CRL Management 90
    ICA Advanced Options 91
    The ICA Management Tool 91
    ICA Configuration 92
    Retrieving the ICA Certificate 92
    Management of SIC Certificates 92
    Management of Gateway VPN Certificates 93
    Management of User Certificates via SmartDashboard 93
    Invoking the ICA Management Tool 93
    Search for a Certificate 94
    Certificate Operations Using the ICA Management Tool 95
    Initializing Multiple Certificates Simultaneously 96
    CRL Operations 97
    CA Cleanup 97
    Configuring the CA 97

Management Portal 102
    Overview of Management Portal 102
    Deploying the Management Portal on a Dedicated Server 102
    Deploying the Management Portal on the Security Management server 103
    Management Portal Commands 103
    Limiting Access to Specific IP Addresses 103
    Management Portal Configuration 103
    Client Side Requirements 104
    Connecting to the Management Portal 104
    Using the Management Portal 104
    Troubleshooting Tools 104

Management High Availability 105
    The Need for Management High Availability 105
    The Management High Availability Solution 105
    Backing Up the Security Management server 105
    Management High Availability Deployment 106
    Active versus Standby 106
    What Data is Backed Up by the Standby Security Management servers? 107
    Synchronization Modes 107
    Synchronization Status 107
    Changing the Status of the Security Management server 108
    Synchronization Diagnostics 109
    Management High Availability Considerations 109
    Remote versus Local Installation of the Secondary SMS 109
    Different Methods of Synchronization 109
    Data Overload During Synchronization 109
    Management High Availability Configuration 110
    Secondary Management Creation and Synchronization - the First Time 110
    Changing the Active SMS to the Standby SMS 111
    Changing the Standby SMS to the Active SMS 111
    Refreshing the Synchronization Status of the SMS 112
    Selecting the Synchronization Method 113
    Tracking Management High Availability Throughout the System 113

Working with SNMP Management Tools 114
    The Need to Support SNMP Management Tools 114
    The Check Point Solution for SNMP 114
    Understanding the SNMP MIB 114
    Handling SNMP Requests on Windows 115
    Handling SNMP Requests on Unix 115
    Handling SNMP Requests on SecurePlatform 116
    SNMP Traps 116
    Special Consideration for the Unix SNMP Daemon 116
    Configuring Security Gateways for SNMP 116
    Configuring Security Gateways for SNMP Requests 116
    Configuring Security Gateways for SNMP Traps 117
    SNMP Monitoring Thresholds 118
    Types of Alerts 119
    Configuring SNMP Monitoring 119
    Configuration Procedures 119
    Monitoring SNMP Thresholds 121

Security Management Servers on DHCP Interfaces 123
    Requirements 123
    Enabling and Disabling 123
    Using a Dynamic IP Address 123
    Licensing a Dynamic Security Management 124
    Limitations for a Dynamic Security Management 124

Network Objects 125
    Introduction to Objects 125
    The Objects Creation Workflow 125
    Viewing and Managing Objects 125
    Network Objects 126
    Check Point Objects 126
    Nodes 127
    Interoperable Device 127
    Networks 127
    Domains 127
    Groups 128
    Open Security Extension (OSE) Devices 128
    Logical Servers 130
    Address Ranges 130
    Dynamic Objects 131
    VoIP Domains 131

CLI Appendix 132
Index 143

Security Management Server Administration Guide R75.40 | 9

Chapter 1
Security Management Overview

In This Chapter
Introduction 9
Logging In 12
Using SmartDashboard 13

Introduction
To make the most of Check Point products and all their capabilities and features, become familiar with some basic concepts and components. This is an overview of usage, terms, and tasks to help you manage your Check Point Security Gateways.

Deployments
Basic deployments:
- Standalone deployment - The gateway and the Security Management server are installed on the same machine.
- Distributed deployment - The gateway and the Security Management server are installed on different machines.

Assume an environment with gateways on different sites. Each gateway connects to the Internet on one side, and to a LAN on the other. You can create a Virtual Private Network (VPN) between the two gateways, to secure all communication between them. The Security Management server is installed in the LAN, and is protected by a Security Gateway. The Security Management server manages the gateways and lets remote users connect securely to the corporate network. SmartDashboard can be installed on the Security Management server or on another computer. There can be other OPSEC-partner modules (for example, an AntiVirus Server) to complete the network security with the Security Management server and its gateways.

Glossary
Administrators are responsible for managing the Security Management environment. They have access permissions to use the SmartConsole clients. At least one administrator must have full Read/Write permissions to manage Security Policies.

The Check Point Configuration Tool lets you configure Check Point products after the installation completes. You can also use this tool to change specified configuration parameters after the initial configuration. The configuration tool lets you configure important parameters such as Administrators, licenses, management High Availability and GUI Clients.

Installation is the process of installing Check Point product components on a computer.
- Standalone deployment - You install a Security Gateway and the Security Management server on one computer.
- Distributed deployment - You install the Security Gateways and the Security Management server on different computers.

Login is the procedure by which the administrator connects to the Security Management server using a SmartConsole client.

Objects are defined and managed in SmartDashboard to represent physical network components such as Security Management servers, Security Gateways and networks.

A Policy Package is a collection of policies that enforce security on specified gateways.

A Security Policy is a collection of rules and conditions that enforce security.

SmartConsole is a suite of GUI clients that manage different aspects of your security environment.

A Log Server is a repository for log entries created by Security Gateways and management servers.

SmartDashboard is the SmartConsole client that lets you manage security policies and network objects.

Users are personnel that use applications and network resources. Users cannot access SmartConsole clients or manage Check Point security resources.

Management Software Blades
Software Blades are independent and flexible security modules that let you select the functions you want in order to build custom Check Point Security Gateways. Software Blades can be purchased independently or as pre-defined bundles. The following Security Management Software Blades are available: [...]

... Blades are currently installed on the Security Management Server, look at the SmartDashboard representation of the Security Management server. In the General Properties page of the Security Management server, the Management tab of the Software Blades section shows all enabled management Software Blades. In a High...
Logging In

... connect to the Security Management server, the administrator must manually authenticate the Security Management server using its Fingerprint. If this SmartConsole connected to the Security Management server before, and an administrator already authenticated the Security Management server, Fingerprint authentication is done automatically.

Authenticating the Security Management Server Using its Fingerprint
... administrator authenticates the Security Management server using the Security Management server's Fingerprint. This Fingerprint, shown in the Fingerprint tab of the Check Point Configuration Tool, is obtained by the administrator before attempting to connect to the Security Management server. The first time the administrator connects to the Security Management server, the Security Management server displays a Fingerprint...

SmartDashboard Access Modes
Many administrators can use SmartDashboard to connect to a Security Management server simultaneously, but only one administrator can have Read/Write access to change object definitions, security rules or Security Management server settings at one time. All other administrators connected at the same time have Read Only access. If you connect to a Security Management server while another administrator is connected in the Read/Write mode, this message shows: Connect in the Read Only mode to see the current object definitions, security rules and Security Management server settings. Ask to get a notification when...

Troubleshooting SIC
1. ... connectivity between the gateway and the Security Management server.
2. Verify that the server and the gateway use the same SIC activation key.
3. If the Security Management server is behind another gateway, make sure there are rules that allow connections between the Security Management server and the remote gateway, including...

Account Units
An Account Unit is the interface between the Security Management server / Security Gateways and the LDAP servers. An Account Unit represents one or more branches of the data on the LDAP server. You can have several Account Units, for one or multiple LDAP servers. The users in the...

Defining LDAP Account Units
... List, select CRL retrieval. The Security Management server manages how the CA sends data about revoked certificates to the gateway. If it is a user database, select User Management. Make sure the User Management blade is enabled on the Security Management server.
Note - Single Sign On for LDAP users works only if User Management is selected.

... tab, you can change:
- Encryption settings between the Security Management server / Security Gateways and the LDAP server. If the connections are encrypted, enter the encryption port and strength settings.
- Verify the Fingerprints: compare the fingerprint shown with the Security Management fingerprint.
Note - User Directory connections...

Account Units and High Availability
... User Directory server replication (6)
Figure legend: 6 - User Directory server replication

Setting High Availability Priority
With multiple replications, define the priority of each LDAP server in the Account Unit. Then you can define a server list on the Security Gateways. Select one LDAP server for the Security Management server to connect...

Security Management Software Blades / Description
Network Policy Management - Gives you control over...
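Both fingerprint checks on this page (the administrator verifying the Security Management server's Fingerprint on first connection, with later connections authenticated automatically, and the "Verify the Fingerprints" step for an encrypted LDAP server connection) are the same trust-on-first-use pattern: compare what the peer presents with a value obtained out of band, pin it, and refuse any later change. The example below is added here to illustrate that pattern; it is not Check Point code, and it assumes a hex SHA-256 digest of the DER certificate as the fingerprint format purely for illustration (the page does not state the product's display format; Check Point shows a fingerprint of its own form). The certificate bytes are constructed stand-ins, not real X.509 data.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded server certificates (not real X.509
# data); only their bytes matter for the fingerprint computation.
MGMT_CERT_DER = b"\x30\x82\x01\x0a\x02\x01\x01 mgmt-server-cert"
LDAP_CERT_DER = b"\x30\x82\x01\x0a\x02\x01\x02 ldap-server-cert"
ROGUE_CERT_DER = b"\x30\x82\x01\x0a\x02\x01\x03 rogue-cert"


def fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate.

    Assumption: hex SHA-256 is used as the fingerprint format only for this
    example; it is not the format the product displays.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept the value as an administrator would transcribe it: any case,
    # with or without colons or surrounding whitespace.
    hexdigits = fp.strip().upper().replace(":", "")
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


class FingerprintStore:
    """Trust-on-first-use pin store keyed by server identity.

    First contact: the caller must supply the fingerprint obtained out of
    band (on this page, from the Fingerprint tab of the Check Point
    Configuration Tool); the presented certificate is pinned only if the two
    match. Later contacts: the presented certificate is compared with the pin
    in constant time, and a changed fingerprint is rejected, never re-pinned.
    """

    PINNED = "PINNED"                    # first contact, verified out of band, now pinned
    OK = "OK"                            # matches the existing pin
    REJECT_NO_OOB = "REJECT_NO_OOB"      # first contact without an out-of-band value
    REJECT_MISMATCH = "REJECT_MISMATCH"  # differs from the pin or the out-of-band value

    def __init__(self):
        self._pins = {}

    def is_known(self, server_id: str) -> bool:
        return server_id in self._pins

    def verify(self, server_id: str, presented_der: bytes,
               out_of_band_fp: str = None) -> str:
        presented = fingerprint(presented_der)
        if server_id not in self._pins:
            if out_of_band_fp is None:
                return self.REJECT_NO_OOB
            if not hmac.compare_digest(presented, _normalize(out_of_band_fp)):
                return self.REJECT_MISMATCH
            self._pins[server_id] = presented
            return self.PINNED
        if not hmac.compare_digest(presented, self._pins[server_id]):
            return self.REJECT_MISMATCH
        return self.OK


def demo() -> list:
    """First contact, repeat connection, then a substituted certificate."""
    store = FingerprintStore()
    oob = fingerprint(MGMT_CERT_DER).lower()   # as read off the server console
    return [
        store.verify("mgmt-server", MGMT_CERT_DER),             # REJECT_NO_OOB
        store.verify("mgmt-server", MGMT_CERT_DER, oob),        # PINNED
        store.verify("mgmt-server", MGMT_CERT_DER),             # OK
        store.verify("mgmt-server", ROGUE_CERT_DER),            # REJECT_MISMATCH
        store.verify("ldap-server", LDAP_CERT_DER, "00" * 32),  # REJECT_MISMATCH
    ]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The point of the design is that there is no path by which a new fingerprint replaces an existing pin without an administrator's explicit action: a mismatch on a known server is reported, not re-pinned, because it means either a re-keyed server or a machine-in-the-middle, and only an out-of-band check can tell the two apart.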